Microsoft's new patch raises questions about its tools

Questions are being raised about how well Microsoft's own tools for scanning and patching are working to apply its most recent patch, MS04-003, to correct security vulnerabilities associated with what's called the Microsoft Data Access Component.

Popular online forum NTBugtraq this week filled with discussion about problems many users are experiencing when applying Microsoft's MDAC patch to servers and workstations.

One vendor, ConfigureSoft Inc., has its own take on the issue. According to Randy Streu, the company's vice president of product management, the problem isn't the patch itself but three of Microsoft's scanning and patch tools: Baseline Security Analyzer, SUS and Windows Update. All three are misfiring in the MDAC patching process. MDAC is a software component broadly used in Microsoft applications to gain database access.

According to ConfigureSoft, the tools are failing to tell the user they have to upgrade their machines, for instance by adding a particular Microsoft Service Pack, in order to apply the patch.

"These tools don't detect the dependency issue. It's the complications of 15 or so combinations for MDAC -- versions like 2.5, 2.6, or 2.7 that might need a particular Service Pack," says Streu. ConfigureSoft, which makes its own tool Security Manager Update, has been testing the application of the patch with the Microsoft tools.

Without the right Service Pack level, "the patch won't take," said Streu. The three Microsoft tools "won't even let you know you need to install the patch."

HFNetChk, a free tool made by Shavlik Technologies that's posted on Microsoft's Web site, does work properly with the MDAC patch, according to ConfigureSoft.

Microsoft said it was looking into some complaints it had heard associated with MDAC but said there had been no widespread problems reported in installing MDAC. Microsoft does encourage customers in the U.S. and Canada with patching problems to call product support at 1-866-PCSAFETY. Microsoft also said it is looking further into the questions raised about its patching tools and MDAC.