Microsoft's Latest Critical Fixes Included Buggy Windows Patch

Messages on Microsoft's newsgroups about problems began accumulating as early as Wednesday Oct. 12, within 24 hours of the patches' debut. Late Friday, Microsoft acknowledged the buggy patch in one of its infrequent security advisories, and said that customers had reported a wide variety of strange behaviors after installing one of the three critical patches released that week.

In a more detailed Knowledgebase document on its support site, Microsoft noted that the problems affect users who have changed the default permission settings of the COM+ catalog, which are files located in the %windir%\registration folder. Users who have modified the COM+ settings reported all kinds of oddities, ranging from the Windows Firewall not starting to users seeing a blank screen after installing the patch.

"Yes we are aware of some of the information floating around about problems after installing the MS05-051 update on Windows 2000 systems," wrote Mike Reavey of the Microsoft Security Response Center on the MSRC's blog.

Actually, the problems affect more than Windows 2000. By Microsoft's own accounting, the strange behaviors can occur on Windows 2000 Server, Windows XP, or Windows Server 2003.

To fix the problems produced by the patch, users must restore the default permissions to the COM+ catalog. Microsoft spelled out how to do this, and offered a pair of commands for the Cacls.exe command line utility to automate the restoration.

The buggy patch was not only one of several critical fixes deployed last week by Microsoft in its scheduled release for October, but was deemed the most dire by several security analysts. They believed that one of the four vulnerabilities plugged by the patch could be easily exploited by hackers, especially on Windows 2000 machines, and would might result in a worm within days.

So far, however, no exploit has been known to surface publicly, although several have been created and disseminated by commercial vulnerability and exploit researchers to their customers.

While Microsoft stressed that only a small number of users were directly affected by the flawed fix -- Reavey wrote "this situation is fairly limited in the number of customers who have reported it" -- the news of another problematic patch may stop some from installing it.

That could spell trouble, reported Netcraft, a U.K.-based Web performance vendor. Almost 1 in every 5 Fortune 100 companies serve their corporate Web sites from Windows 2000 systems, noted Netcraft.

Earlier last week, talk of exploits caused Stephen Toulouse, who heads the MSRC, to recommend that users of older OSes, Windows 2000 in particular, were especially vulnerable, and needed to patch pronto.

"If you are running the older versions of the operating systems, like Windows 2000, we strongly urge you to deploy the critical updates for that platform, like MS05-051, as soon as possible!"

According to AssetMetrix, a Canadian-based asset monitoring software developer, nearly half of U.S. business still run Windows 2000-powered PCs.

The problems with the MS05-051 bulletin are the second such episode in the past three months. In August, Microsoft released a corrupted patch for Internet Explorer, and had to re-issue the fixes.

Also last week, talk surfaced among users on Microsoft's newsgroups that another critical patch, MS05-052, a cumulative fix for Internet Explorer, was causing trouble. Microsoft said it was investigating those claims, but so far has produced no advisory or additional information.