Microsoft Acknowledges Botched Security Update


Microsoft has pulled a portion of a recent security update as its engineering team investigates how a botched update caused Windows systems to fail.

The software maker acknowledged the problem in an alert to users late Thursday, indicating that the update causes system errors in conjunction with certain third-party software. The update is contained in one of nine security bulletins issued this week as part of Microsoft's April 2013 Patch Tuesday release.

"The system errors do not result in any data loss nor affect all Windows customers," wrote Dustin Childs, group manager for response communications at Microsoft Trustworthy Computing.

The update to the Windows Kernel-mode Driver fixes four Windows flaws. Childs said the security update remains available, but the engineering team removed the portion of the update that is causing the problems. The botched update is rated moderate and was applied to Windows Vista, Windows Server 2008 and Windows Server 2008 R2 systems.

The issue has been documented in Brazil by Linha Defensiva, a security threat news site, which also maintains an antimalware removal service. The site said it has seen issues on 32-bit Windows 7 systems. Its researchers believe the problem stems from an Internet banking plug-in. It also said the issue crashes Kaspersky Lab's antivirus software. Kaspersky has acknowledged the problem.

The issue may be a bigger problem for consumers, who typically have automatic updates turned on. Enterprises typically put patches through extensive testing to verify their impact on custom software and other applications, said Don Gray, chief security strategist at Omaha, Neb.-based Solutionary. Gray said there is no guarantee that a patch is not going to impact a system.

"The only way to guarantee it is to run it in your environment with your software and do regression testing and, truthfully, most organizations don't have that kind of capability," Gray said. "Most people will install the patch to see if all the services run; they're not going to go through a full-blown regression test unless it’s a highly critical system."

Microsoft has issued security updates in the past that have caused system problems, instability or worse: the dreaded "Blue Screen." Last year, a botched security update to address vulnerabilities exploited by the Duqu Trojan caused issues for some users. The Duqu data-stealing malware is associated with a targeted nation-state cyberespionage campaign.

PUBLISHED APRIL 12, 2013