RealTime IT News

Microsoft Revises 'Critical' Patches (Again)

For the second time in as many weeks, Microsoft has issued major revisions to several 'critical' security patches because of problems associated with Debug Programs (SeDebugPrivilege).

The weekly tweaks to the company's first monthly mega-alert have become an embarrassment for the software giant, which promised in early October to issue updates on a "very unpredictable schedule."

The "major revisions" issued on Thursday have been released to correct problems in the MS03-042, MS03-043, and MS03-045 patches. (See details here).

The MS03-042 patch, which plugs a 'critical' buffer overflow issue in the Windows Troubleshooter ActiveX Control, has been re-issued because of problems related to CPU resource usage.

"When this problem occurs, the Processes tab in Windows Task Manager may indicate that Update.exe is using most or all the CPU resources," the company explained in a Knowledge Base notice.

The debug-privilege problems afflict all three faulty patches, including MS03-043, which fixes a buffer overrun in the Messenger Service that could lead to code execution, and MS03-044, which could allow PC takeover because of buffer overflows in the ListBox and ComboBox Control.

A week ago, "major revisions" of these patches were released because of compatibility problems with third party software. "The compatibility problems only affect (certain) language versions of the patch and only those versions of the patch are being re-released," Microsoft said, noting that the new security patches support both the Setup switches originally documented as well as a set of new Setup switches.

A spokesperson for Microsoft told internetnews.com the latest patch revisions only affect a small percentage of users who experienced problems during the installation process. "Anyone who successfully installed these patches need not take any action...It isn't a case where everyone has to stop what they're doing and re-install the patches again," the spokesperson said.

"These revisions help to get the patches installed properly and efficiently," he declared.

Iain Mulholland, Security Program Manager at Microsoft's Security Response Center, explained that the updated bulletins correct a user right issue that some customers experienced with the original patch.

While the once-per-month schedule for patches will remain in place, Mulholland said the company will continue to communicate new information to customers between patch releases. "Security response requires a compromise between time and testing and Microsoft's security response process does not end once a bulletin is released. We continue to work with customers to ensure that patches successfully install on our customers' endless variety of system configurations and third party applications," Mulholland added.

The problematic patches and Microsoft's patch-testing processes are a black eye for the company, which has put software security issues on the front burner in recent weeks. At the inaugural Microsoft Worldwide Partner Conference in New Orleans in early October, Microsoft chief executive Steve Ballmer made it clear the company would release monthly security patches except for emergency situations.

"We have been putting out our patches on a very unpredictable schedule. We will now go to monthly patches -- no more than monthly. If we don't need monthly, we won't have them. But no more than once a month, except for emergency patches which will be made available essentially immediately," Ballmer said.

"That predictability is something you and our customers have highlighted to us we need to do, because people are feeling like they have to drop everything and deploy every patch at all times," Ballmer added.