UPDATED: Microsoft said a limited range of consumer software is to blame for its latest security update unintentionally backfiring on Office and IE users.
The update was among five the company released last week. Some analysts say the software giant’s solution doesn’t go far enough and is courting disaster.
Digital photography software from HP and a personal firewall from Sunbelt Software rejected a new file Microsoft introduced as part of a security fix for a flaw in Windows Explorer. The glitch causes Office to stop saving and opening files and prevents IE from visiting Web pages.
The problems reported appear limited to consumer-oriented software, Microsoft stresses on its security blog. MS06-015 included a new file, VERCLSID.EXE, which validates shell extensions before being used by Windows Explorer or Windows Shell.
A vulnerability in Windows Explorer, which Microsoft deemed “important,” allowed remote attackers to convince the shell to start HTML applications, thereby gaining total system control. However, the solution seems to be creating problems for some applications.
In explaining the glitch, Microsoft said HP’s Share-to-Web software causes VERCLSID.EXE to stop responding.
The software, used by HP’s PhotoSmart software, HP DeskJet printers that include a card reader, HP cameras and scanners, as well as some HP CD-DVD burners, can also cause trouble for Windows Explorer and IE, according to Microsoft.
Windows users may lose access to their “My Documents” and “My Pictures” folders. Office could stop opening or saving files in “My Documents.”
Attempting to open or save a document could cause Office to stop responding, according to Microsoft. Additionally, the problem causes typing an address into IE to have no effect.
Also, users of Sunbelt’s Kerio Personal Firewall will need to reconfigure that application to recognize the new Microsoft file. Without the change, the file is flagged and waits for user approval.
To resolve the issue, Microsoft is suggesting HP users manually edit the Windows registry “white list” included with the security update. The edit will instruct VERCLSID.EXE to not scan the HP shell extension.
Microsoft had no comment beyond the blog posting, according to a company spokesman.
HP did not return a request for comment by press time.
Although the software giant gives instructions, analysts warn the process isn’t for the faint of heart.
Joe Wilcox, analyst with JupiterResearch, said a misstep could make Windows unusable.
Although Microsoft says the scope of the glitch is limited to consumers, Wilcox said the type of applications –- digital imaging and security –- are more important.
While a couple of applications are known today, many more could be found to be affected tomorrow, according to the analyst.
“The possible interactions are immeasurable,” Wilcox said. Still, Microsoft has made much of its new-found focus on security and editing the Windows registry is not enough in this case. “You have to release an updated patch,” said Wilcox.
