Microsoft's Patch Tuesday Goes Wrong Again

"The 14 bulletins predicted have been cut to 13, with the .NET patch landing on the cutting room floor," explains Ross Barrett, senior manager of security engineering at Rapid7. "A patch getting pulled after having been included in the advance notice usually indicates that late testing revealed an undesired interaction with another product or component."

While this might have happened for the .NET patch, any late testing by Microsoft failed to pick up a separate issue with an Outlook patch delivered with the updates. Late on Tuesday afternoon Trevor Sullivan reported to the Office TechCenter, "I just applied today's Microsoft updates, and now that I've done so, the Outlook 'Folder Pane' is empty. I can't view my list of e-mail accounts, folders, favorites, etc."

This kicked off a long thread with other users reporting similar problems. "Just installed the update, and the Folder pane is gone. If I hide it and make it come back, I can see it semi-transparently for half a second," was another comment.

Microsoft rapidly pulled the offending update. Any user who hasn't yet applied September's updates can do so without fear of losing the Outlook folder pane. "Shortly after publishing the September Public Update, we received notifications of a potential issue with Outlook 2013 after installing the non-security update KB2817630. Based on those reports we immediately removed the patch from Microsoft Update," reported Microsoft yesterday.

It is understandable, if embarrassing, that Microsoft missed the problem: it stems from an incompatibility between outlook.exe and mso.dll that only surfaces when the two files sit on opposite sides of one particular build number. As Microsoft puts it, "If both versions are earlier (lower) than 4535.1000, or both versions are later (higher) than 4535.1000, the problem does not manifest."
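An admin who wants to know whether a given machine is in the bad state, or would be put into it by a pending update, can compare the two file versions directly. The following PowerShell is an added example, not code from the article or from Microsoft. It assumes the default install locations of a 32-bit Office 2013 and treats "lower than 4535.1000" versus "4535.1000 or later" as the two sides of the mismatch; both are assumptions, not details the article states.

```powershell
# Added example (not from the article or from Microsoft): report whether the
# outlook.exe / mso.dll pair on this machine straddles build 15.0.4535.1000,
# the condition the article describes as triggering the empty folder pane.

function Test-OfficeBuildMismatch {
    # Returns $true when exactly one of the two files is below the threshold.
    # ASSUMPTION: "below" vs "at or above" are the two sides of the mismatch.
    param(
        [Parameter(Mandatory)][version]$OutlookVersion,
        [Parameter(Mandatory)][version]$MsoVersion,
        [version]$Threshold = [version]'15.0.4535.1000'
    )
    $outlookBelow = $OutlookVersion -lt $Threshold
    $msoBelow     = $MsoVersion     -lt $Threshold
    return ($outlookBelow -ne $msoBelow)
}

function Get-OfficeFileVersion {
    # Reads the PE file version and returns it as [version], or $null if the
    # file is missing or the version string cannot be parsed.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    # FileVersion can carry trailing text; keep only the leading dotted numbers.
    if ($raw -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

# ASSUMPTION: default paths for a 32-bit Office 2013 install on 64-bit Windows.
$outlookExe = Join-Path ${env:ProgramFiles(x86)}       'Microsoft Office\Office15\OUTLOOK.EXE'
$msoDll     = Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\OFFICE15\MSO.DLL'

$outlookVer = Get-OfficeFileVersion -Path $outlookExe
$msoVer     = Get-OfficeFileVersion -Path $msoDll

if ($null -eq $outlookVer -or $null -eq $msoVer) {
    Write-Output "Could not read both file versions (outlook.exe=$outlookVer, mso.dll=$msoVer)."
}
elseif (Test-OfficeBuildMismatch -OutlookVersion $outlookVer -MsoVersion $msoVer) {
    Write-Output "MISMATCH: outlook.exe $outlookVer and mso.dll $msoVer are on opposite sides of 4535.1000."
}
else {
    Write-Output "OK: outlook.exe $outlookVer and mso.dll $msoVer are on the same side of 4535.1000."
}

# Constructed sample values (not taken from any real machine) showing the rule:
# one file below the threshold and the other at it is reported as a mismatch,
# while two files both below or both at/above are not.
Test-OfficeBuildMismatch -OutlookVersion '15.0.4535.1000' -MsoVersion '15.0.4517.1504'  # True
Test-OfficeBuildMismatch -OutlookVersion '15.0.4517.1504' -MsoVersion '15.0.4517.1504'  # False
```

Run it on a machine that has both the Outlook and Office updates staged to see which side each file will land on; the same comparison can be pointed at the files inside an extracted update package before deployment.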

In reality, the bug only appears to empty the folder pane. According to Microsoft's explanation, "a mismatched reference to a data structure causes the 'Minimize' button in the navigation pane to render incorrectly, typically extremely large to the point that the navigation pane is 'invisible' to the user."

In this particular instance, no great harm is done by the removal of the patch: it does not fix a security issue. In theory, however, a faulty security patch puts sys admins in a Catch-22. On the one hand, the old advice never to be the guinea pig is vindicated: it can be safest to let others go first and either prove the patch's worth or find its problems. On the other, waiting could leave systems unprotected against active exploits, or give criminals time to reverse engineer the patch and develop a new exploit.

The problem for Microsoft users is that this is the third time in recent months that Microsoft's patches have been problematic, making it increasingly likely that admins will go against security best practice and delay future patching.