For the second time in as many weeks, Microsoft has issued major
revisions to several ‘critical’ security patches because of problems
associated with the Debug Programs user right (SeDebugPrivilege).
The weekly tweaks to the company’s first monthly
mega-alert have become an embarrassment for the software giant, which
promised in early October to move away from what its chief executive called a “very unpredictable
schedule” for patch releases.
The “major revisions” issued on Thursday have been released to correct
problems in the MS03-042, MS03-043, and MS03-045 patches.
The MS03-042 patch, which plugs a ‘critical’ buffer overflow issue in the Windows
Troubleshooter ActiveX Control, has been re-issued because of problems
related to CPU resource usage.
“When this problem occurs, the Processes tab in Windows Task Manager may
indicate that Update.exe is using most or all the CPU resources,” the
company explained in a Knowledge Base
notice.
The Debug Programs problem afflicts the other two faulty patches: MS03-043, which fixes
a buffer overrun in the Messenger Service that could lead to code execution, and
MS03-045, which could allow PC takeover because of buffer overruns in the
ListBox and ComboBox controls.
A week ago, “major revisions” of these patches were released
because of compatibility problems with third party software. “The
compatibility problems only affect (certain) language versions of the patch
and only those versions of the patch are being re-released,” Microsoft said,
noting that the new security patches support both the Setup switches
originally documented as well as a set of new Setup switches.
A spokesperson for Microsoft told internetnews.com the latest
patch revisions only affect a small percentage of users who experienced
problems during the installation process. “Anyone who successfully
installed these patches need not take any action…It isn’t a case where
everyone has to stop what they’re doing and re-install the patches again,”
the spokesperson said.
“These revisions help to get the patches installed properly and efficiently,” he declared.
Iain Mulholland, Security Program Manager at Microsoft’s Security Response Center, explained that the updated bulletins correct a user right issue that some customers experienced with the original patch.
While the once-per-month schedule for patches will remain in place, Mulholland said the company will continue to communicate new information to customers between patch releases. “Security response requires a compromise between time and testing and Microsoft’s security response process does not end once a bulletin is released. We continue to work with customers to ensure that patches successfully install on our customers’ endless variety of system configurations and third party applications,” Mulholland added.
The problematic patches and Microsoft’s patch-testing processes are a
black eye for the company, which has put software security issues on the
front burner in recent weeks. At the inaugural Microsoft Worldwide Partner
Conference in New Orleans in early October, Microsoft chief executive Steve
Ballmer made it clear the company would release monthly security patches
except for emergency situations.
“We have been putting out our patches on a very unpredictable schedule.
We will now go to monthly patches — no more than monthly. If we don’t need
monthly, we won’t have them. But no more than once a month, except for
emergency patches which will be made available essentially immediately,”
Ballmer said.
“That predictability is something you and our customers have highlighted
to us we need to do, because people are feeling like they have to drop
everything and deploy every patch at all times,” Ballmer added.