Microsoft's Patch Tuesday Goes Wrong Again

12 September 2013

Microsoft's predicted 14 security bulletins for September's Patch Tuesday ended up as just 13 delivered and - for many users - just 12 that solve more problems than they create.

"The 14 bulletins predicted have been cut to 13, with the .NET patch landing on the cutting room floor," explains Ross Barrett, senior manager of security engineering at Rapid7. "A patch getting pulled after having been included in the advance notice usually indicates that late testing revealed an undesired interaction with another product or component."

While this might have happened for the .NET patch, any late testing by Microsoft failed to pick up a separate issue with an Outlook patch delivered with the updates. Late on Tuesday afternoon Trevor Sullivan reported to the Office TechCenter, "I just applied today's Microsoft updates, and now that I've done so, the Outlook 'Folder Pane' is empty. I can't view my list of e-mail accounts, folders, favorites, etc."

This kicked off a long thread with other users reporting similar problems. "Just installed the update, and the Folder pane is gone. If I hide it and make it come back, I can see it semi-transparently for half a second," was another comment.

Microsoft rapidly pulled the offending update. Any user who hasn't yet applied September's updates can do so without fear of losing the Outlook folder pane. "Shortly after publishing the September Public Update, we received notifications of a potential issue with Outlook 2013 after installing the non-security update KB2817630. Based on those reports we immediately removed the patch from Microsoft Update," reported Microsoft yesterday.

It is understandable -- but embarrassing -- that Microsoft missed the problem: it involves an incompatibility between outlook.exe and mso.dll, and in Microsoft's words, "If both versions are earlier (lower) than 4535.1000, or both versions are later (higher) than 4535.1000, the problem does not manifest."

In reality, the bug only appears to empty the folder pane. According to Microsoft's explanation, "a mismatched reference to a data structure causes the 'Minimize' button in the navigation pane to render incorrectly, typically extremely large to the point that the navigation pane is 'invisible' to the user."
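The version rule Microsoft describes (the pane breaks only when one of outlook.exe and mso.dll is below 4535.1000 and the other is not) is easy to turn into an inventory check for an admin deciding which machines are affected. The script below is an added example written for this article, not Microsoft's own tooling or guidance; the inventory rows are constructed sample values, and it assumes that a file at exactly 4535.1000 is treated as carrying the update, which the quoted statement does not spell out.

```python
"""Flag outlook.exe / mso.dll version pairs that fall into the mismatch
described in the KB2817630 incident.  Added example, not Microsoft code;
the inventory below is constructed sample data."""

from typing import List, Tuple

# The build.revision pair Microsoft names as the dividing line.
THRESHOLD = (4535, 1000)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn an Office file version such as '15.0.4535.1000' into a
    tuple of four integers so that it compares numerically."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    major, minor, build, revision = (int(p) for p in parts)
    return major, minor, build, revision


def is_updated(version: str) -> bool:
    """True when the file's build.revision is at or above 4535.1000.

    Assumption: exactly 4535.1000 counts as updated; the article's quote
    only describes strictly lower and strictly higher versions."""
    _, _, build, revision = parse_version(version)
    return (build, revision) >= THRESHOLD


def folder_pane_at_risk(outlook_version: str, mso_version: str) -> bool:
    """Mismatch rule: the pane breaks only when one file is below the
    threshold and the other is not."""
    return is_updated(outlook_version) != is_updated(mso_version)


def triage(samples: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, verdict) pairs for rows of
    (host, outlook.exe version, mso.dll version)."""
    results = []
    for host, outlook_version, mso_version in samples:
        verdict = "MISMATCH" if folder_pane_at_risk(outlook_version, mso_version) else "ok"
        results.append((host, verdict))
    return results


# Constructed sample inventory; hostnames and versions are illustrative.
SAMPLE_INVENTORY = [
    ("ws01", "15.0.4517.1004", "15.0.4517.1504"),  # both older: fine
    ("ws02", "15.0.4535.1000", "15.0.4535.1000"),  # both updated: fine
    ("ws03", "15.0.4535.1000", "15.0.4517.1504"),  # outlook updated, mso not
    ("ws04", "15.0.4517.1004", "15.0.4535.1000"),  # mso updated, outlook not
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host}: {verdict}")
```

The decision is deliberately made on the build.revision pair rather than the whole version string, since that is the component Microsoft's statement refers to; a row that reports "MISMATCH" is one where the two files were patched out of step, which is exactly the state the withdrawn update produced.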

In this particular instance, no great harm is done by the removal of the patch -- it does not fix a security issue. In theory, however, problems with security patches can create a Catch-22 for sysadmins. On the one hand, the old argument for never being the guinea pig is vindicated: it may be best to let others forge ahead and demonstrate a patch's worth, or find its problems, before proceeding oneself. But waiting could leave systems unprotected against active exploits, or give criminals time to reverse engineer the patch and develop a new exploit.

The problem for Microsoft users is that this is the third time in recent months in which Microsoft's patches have been problematic -- making it increasingly likely that admins will choose to go against security best practice, and actually delay future patching.
