Microsoft to Reissue Buggy Security Patch

SAN FRANCISCO -- Microsoft plans to reissue a security patch for its Windows operating system that caused serious headaches for some users.

The MS06-015 security update was released last week, but Microsoft customers soon reported that it was causing applications to crash, thanks to a conflict between the patch and nVidia's video drivers and Hewlett-Packard's Share-to-Web photo-sharing software.

The revised update is being tested now, and is expected to be released April 25, the same day that Microsoft is scheduled to release its nonsecurity updates for the month.

The Solution

"What we have done is re-engineered the MS06-015 update to avoid the conflict altogether with the older Hewlett Packard and nVidia software," writes Microsoft security response center program manager Stephen Toulouse in a blog posting today. "What the new update essentially does is simply add the affected third party software to an 'exception list' so that the problem does not occur."

The update will also provide an automated way of fixing the Windows registry configuration database on affected systems, a workaround that had been previously suggested by Microsoft.

MS06-015 fixes a critical vulnerability in the way Windows Explorer handles Component Object Model objects. This vulnerability could be used by attackers to seize control of an unpatched machine, and though some users have resolved their problems by simply uninstalling the buggy update, this course of action is not advised by Microsoft.

Hewlett-Packard's (HP's) Share-to-Web software is no longer distributed, but it was included with a variety of HP products including the company's scanners, cameras, CD and DVD devices, PhotoSmart software, and DeskJet printers, Microsoft says in an article addressing the issue.

Other Problems

Users have also reported that Sunbelt Software's Kerio Personal Firewall tries to stop the MS06-015 update from running an application called Verclsid.exe. Users who have this problem should configure Kerio so that it allows Versclid.exe to run, Microsoft says.

Those who have had problems with the patch are advised to try the workarounds suggested in the knowledge base article or to upgrade or simply uninstall affected software until the revised patch arrives, Toulouse says.

Microsoft's automatic update services will be able to detect whether or not users require the revised patch and will only offer the software to users who need it. "If you have already installed MS06-015 and are not having the problem, there's no action here for you," Toulouse says.

This is not the only Microsoft update that has given users headaches this month. ActiveX changes made in a second Internet Explorer patch, numbered MS06-013, have caused major problems with Oracle's Siebel 7 client. Microsoft has released a "compatibility patch" that undoes these ActiveX changes, and Oracle has said it will release a patch that resolves the issue sometime next month.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
  
Shop Tech Products at Amazon