Computerworld

Security firm: Microsoft patch problematic for some

Some users are apparently running into problems with a Microsoft patch issued last week to fix a critical hole in the Windows 2000 operating system, according to an alert posted on the SANS Internet Storm Center (ISC) Web site.

The patch in question is detailed in Microsoft Security Bulletin MS05-051 and is designed to address a total of four separate vulnerabilities -- two of which are rated as "critical" by Microsoft.

One of the critical flaws involves a Windows 2000 component called the Microsoft Distributed Transaction Coordinator (MSDTC) that runs by default and is used to manage database, messaging and file system transactions. The other critical flaw detailed in the same bulletin exists in the Component Object Model (COM+) service built into Windows 2000 to handle resource management tasks. The flaws exist in multiple Windows versions but were rated as critical for Windows 2000 and Windows XP Service Pack 1.

Both flaws were considered particularly dangerous by security experts because they allow attackers to take complete control of vulnerable systems and require no user interaction to be exploited. They are also similar to the vulnerability in a plug-and-play component of Windows 2000 that the creators of the Zotob worm and its variants took advantage of in August to create havoc for some large companies.

Johannes Ullrich, chief technology officer at the ISC, said the organization has so far received over two dozen reports from people saying they had run into a variety of problems when attempting to install the patch associated with MS05-051.

The reported problems listed on the ISC site include an inability to use the Search tool in the operating system's Start Menu, a blank screen upon log-in to the Windows Update site and disruption of Symantec Corp.'s LiveUpdate virus-updating tool and the SpySweeper antispyware product from Webroot Inc.

"These are the sort of problems that we typically see when patches don't cooperate well with various third-party software and some of the less used functions of Windows," Ullrich said. "At this point, the problems with Symantec LiveUpdate and SpySweeper are the most severe," he said.

He added that the problems reported so far appear to be "very user-dependent," with no clear indication yet of why some users are reporting problems with certain functions and software while others aren't. The size and complexity of this month's patches -- Microsoft released nine updates fixing a total of 14 problems this week -- could be one reason for the problems, Ullrich said (see "Update: Microsoft reports three 'critical' Windows security flaws").

In an e-mailed statement, Microsoft said it is aware of reports of "isolated deployment issues with security update MS05-051, and is working with the limited amount of customers affected to help resolve the issue." The company has posted a Knowledge Base article online with more information about the issue.

A Symantec spokesman said his company's Quality Assurance team is aware of the reports and is trying to replicate the problems. "They have not been able to replicate any of the problems up to this point," he said. "We have not seen any problems up to now that point to this patch."

Reports of the patch problems come amid growing concerns of a worm outbreak targeted at the MSDTC and COM+ vulnerabilities. Fueling those concerns was the development of an exploit earlier this week that takes advantage of both the flaws (see "Exploit already available for Windows vulnerability").

The exploits were developed by Immunity Inc., a Miami-based security research firm. Immunity released the exploit code to members of its partner program, which includes vendors of intrusion-detection and -prevention products, so they could use the information to update their tools.

In addition, there has been a significant increase in computer scanning activity -- apparently by hackers looking for targets to attack once an exploit becomes widely available, Ullrich said. "If you run Windows 2000, you should be very concerned," he said.