If you've been having severe problems over the past week with Internet Explorer and Office applications, the cause is likely a major conflict between a recently distributed critical Microsoft security patch and Hewlett-Packard software shipped with numerous HP products.
Microsoft acknowledged the glitches in an official TechNet posting that describes a conflict between the patch and HP's Share-to-Web software, which ships with HP PhotoSmart software, DeskJet printers that have card readers, cameras, scanners, and some CD burners.
Microsoft believes that the problem is primarily affecting consumer users and is having "little to no impact on corporate networks," wrote Microsoft Security Program Manager Mike Reavey in a posting to the Microsoft Security Response Center blog over the weekend.
First released on April 11, the KB908531 security patch closes a critical security hole in Windows Explorer that could give a remote attacker complete control of your computer. However, users began posting reports on various Microsoft forums of serious issues--like Office-application and IE lock-ups--almost immediately after the release.
This is not the only problem being reported concerning Microsoft's latest set of patches. An Internet Explorer update, also released last week, includes significant changes to the way the browser processes ActiveX components. Those changes have caused serious problems with Oracle's Siebel client software, as well as a variety of issues with dynamic content like Flash animations and Java applets.
A Fix, a Flaw
The good news is that the software giant has provided a workaround (to find it, go to the Resolution section of this blog entry). The fix does involve using the Registry Editor, which can be tricky. To try it, click Start, Run, type regedit, and press <Enter> to open the Registry Editor. Then type in the Registry key described in the blog. Note: PC World recommends backing up your Registry before making changes. Go here for information on how to do this.
If using the Registry Editor sounds daunting, Microsoft said it will offer free phone support for this issue at 866/727-2338 (in the United States and Canada).
However, this snafu puts Microsoft in a deeply unfortunate position. The company has taken some heat lately for waiting for the regular patch day to release critical security patches. Its response was that it had to take sufficient time to test patches for potential bugs and incompatibilities--such as conflicts with common HP software.
The release of a flawed patch like this doesn't just poke holes in that argument. It also leads some users, including many of those who reported problems on Microsoft forums, to remove the security patch and even disable automatic Windows Update patching altogether.
PCW's Advice: Keep Automatic Updates
I cover the security beat here for PC World, and I also edit Stuart J. Johnston's popular Bugs & Fixes column. And I have to say that disabling automatic patching entirely is a very bad idea. You need Windows patches to protect your computer, particularly if you use Internet Explorer. Hackers are getting faster at exploiting new vulnerabilities. As Stuart notes in his upcoming June column, so-called zero-day attacks, where widespread attacks precede a patch, are becoming more common.
Here's what I suggest: Change your Windows Update settings to automatically download any new updates, but to wait for your say-so before installing them. You'll get a little yellow shield in your system tray when updates are ready to install. That way, you'll know the cause if your computer begins acting up immediately after you install them.
If trouble arises, you could then check Microsoft's site or, say, PCWorld.com for reported problems (and ideally a workaround) concerning the patch in question. In a worst-case scenario, you could remove that particular patch by going to Add or Remove Programs in the Control Panel, and clicking Show Updates at the top of the window. Windows patches show up individually under 'Windows (version)--Software Updates'. But keep in mind that removing a security patch would reopen a potentially serious vulnerability on your PC.
Robert McMillan of IDG News Service contributed to this story.