Microsoft Patches Patch Tuesday’s Patch for Exchange Server

“What went wrong?” asked Chester Wisniewski, senior security advisor at Sophos. “The short answer is the update broke the message index service preventing Exchange email users from searching their mailboxes.”

This left admins in a difficult position. If they installed the patch, they would break their system. If they did not install the patch, they would leave themselves more than ordinarily exposed. “Administrators who wish to hold off on applying the fix should consider disabling this attachment viewing [the component broken by the patch] feature as the vulnerabilities have been publicly disclosed.”

In reality, Microsoft caught the problem very quickly and published a remediation technique that involved the use of just a few registry keys.

Yesterday Microsoft issued its patched patch, correcting an issue that “caused AD FS to stop working if the previously released RU3 rollup QFE (update 2790338) had not been installed; the rerelease removes this requirement.” Admins are advised to install the new patch as soon as possible. The original update was classified as 'critical'; the new update is classified as 'important.'

“This isn’t the first time that Microsoft has been forced to re-release a security patch after problems were found in the original version, and it surely won’t be the last,” comments Graham Cluley. Windows IT Pro points out that this month there were six altogether. “This month's botched updates,” it reported, “include: KB2876063, KB2859537, KB2873872, KB2843638, KB2843639, and KB2868846.”

Microsoft’s main problem, it suggests, is the conflict between the need for speed and quality; especially since “no matter how Microsoft architects a product to work, customers will continually use them the way they see fit – which is often times very different than Microsoft intended.”

Updates are tough, it acknowledges, but warns, “Microsoft needs to get a handle on this now, before we're 2 years into an accelerated product release cycle and customer's environments are sitting broken.”
