Language Selection

English French German Italian Portuguese Spanish

Faulty M$ Update Rekindles Patch Quality Concerns

Filed under
Microsoft

For Microsoft, delivering high-quality security patches in a timely manner has always been a lose-lose predicament.

If patches for major software vulnerabilities take too long, customers are at the mercy of zero-day threats. When patches are rushed out without proper quality assurance testing, they invariably become a system administrator's worst nightmare.

Earlier this week, when Microsoft Corp. announced plans to re-release a "critical" bulletin because of patch quality problems, the move triggered a new round of eye-rolling among security research pros.

The bulletin, MS05-019, first released in April, contains patches that have caused major connectivity problems for network administrators.

The connectivity errors range from the inability of Exchange servers to talk to their domain controllers; failure of domain controller replication across WAN (wide area network) links; and inability to connect to terminal servers or to file share access.

Microsoft also acknowledged that networking programs that send TCP packets or UDP packets over raw IP sockets "may stop working" after the security update is applied on a computer running Windows XP SP1 (Service Pack 1).

A knowledge base article has been posted to highlight the problems, and hotfixes have been offered to provide temporary respite, but despite Microsoft's insistence that the problems affect only a small number of customers, security experts said the re-release of a high-severity bulletin points to a weakness in Microsoft's patch creation process.

"A hotfix for a patch? I hope it works properly, or what's next? A hotmend for the hotfix for the patch?" asked Corey Nachreiner, a network security analyst at WatchGuard Technologies Inc.

In an interview with Ziff Davis Internet News, Nachreiner said some of his company's clients have complained that the patches have broken VPN connections, a problem he described as "a big deal" for the SMB (small and medium-sized business) market segment.

Because the patch is rated critical by Microsoft, Nachreiner said he cannot recommend uninstalling the patch.

"It means that a lot of customers are scrambling to get hotfixes to keep their systems connected."

Officials at Microsoft insisted the company is doing "far more for this one than necessary" to help ensure every customer has the most recent changes to the update.

Full Story.

More in Tux Machines

Android Leftovers

Gaming News: SHOGUN, Reus, Two Worlds and More

Security Leftovers: WCry/Ransomwar, WannaCry, Athena

OSS Leftovers

  • Nextcloud 12 Officially Released, Adds New Architecture for Massive Scalability
    Nextcloud informs Softpedia today about the official availability of the final release of Nextcloud 12, a major milestone of the self-hosting cloud server technology that introduces numerous new features and improvements. The biggest new feature of the Nextcloud 12 release appears to be the introduction of a new architecture for massive scalability, called Global Scale, which is a next-generation open-source technology for syncing and sharing files. Global Scale increases scalability from tens of thousands of users to hundreds of millions on a single instance, while helping universities and other institutions significantly reduce the costs of their existing large installations.
  • ReactOS 0.4.5 Open-Source Windows-Compatible OS Launches with Many Improvements
    ReactOS 0.4.5 is a maintenance update that adds numerous changes and improvements over the previous point release. The kernel has been updated in this version to improve the FreeLoader and UEFI booting, as well as the Plug and Play modules, adding support for more computers to boot ReactOS without issues.
  • Sprint Debuts Open Source NFV/SDN Platform Developed with Intel Labs
    AT&T has been the headliner in the carrier race to software defined networking (SDN) and network function virtualization (NFV). But Sprint is putting its own stamp on the space this week with its debut of a new open source SDN/NFV mobile core solution.
  • Google’s New Home for All Things Open Source Runs Deep
    Google is not only one of the biggest contributors to the open source community but also has a strong track record of delivering open source tools and platforms that give birth to robust technology ecosystems. Just witness the momentum that Android and Kubernetes now have. Recently, Google launched a new home for its open source projects, processes, and initiatives. The site runs deep and has several avenues worth investigating. Here is a tour and some highlights worth noting.
  • Making your first open source contribution
  • Simplify expense reports with Smart Receipts
    The app is called Smart Receipts, it's licensed AGPL 3.0, and the source code is available on GitHub for Android and iOS.
  • How the TensorFlow team handles open source support
    Open-sourcing is more than throwing code over the wall and hoping somebody uses it. I knew this in theory, but being part of the TensorFlow team at Google has opened my eyes to how many different elements you need to build a community around a piece of software.
  • IRC for the 21st Century: Introducing Riot
    Internet relay chat (IRC) is one of the oldest chat protocols around and still popular in many open source communities. IRC's best strengths are as a decentralized and open communication method, making it easy for anyone to participate by running a network of their own. There are also a variety of clients and bots available for IRC.