Microsoft Issues Patch With Problems

Customers unhappy, say testing should have caught it, company failed.

As it struggles to improve its reputation in the security community with sweeping internal and external initiatives, Microsoft Corp. is still trying to get the small things right.

A patch Microsoft issued two weeks ago had to be removed from its security Web site last week after it was discovered that the fix caused systems running Windows 2000 to become unstable. Microsoft posted a new patch Monday afternoon, four days after the original fix was issued.

A similar patch for systems running Windows NT 4.0 is not affected.

Microsoft issued the patch for a problem in the RDP (Remote Data Protocol) used in the terminal service in Windows 2000 and NT 4.0. The service handles a set of RDP packets incorrectly and, as a result, can cause the server to fail.

The vulnerability is relatively minor and was termed a low-to-moderate risk in Microsofts new severity rating system.

Although the problematic patch was on the Microsoft Web site for only a few hours, the users who downloaded and installed it were not happy.

One customer said the patch prevented Terminal Services from working, forcing him to remove the patch and reinstall a .dll and reboot.

"I think it is appalling that Microsoft released [Version] 1.0 of this patch, and it caused both complete system failures and the inability to use the service it was supposed to correct," said Russ Cooper, surgeon general of Tru-Secure Corp., in Herndon, Va. "Any reasonable testing should have caught the fact that the patch caused these problems. I think Microsoft has totally failed to fulfill the commitment they made in the announcement of the STPP [Strategic Technology Protection Program]."

The situation could have been much worse had the faulty patch been sent out via the automatic distribution system that Microsoft will soon deploy as part of the STPP.

The Redmond, Wash., company issued an apology in the bulletin announcing the error.

"The issue is a result of human error in the patch building process. Microsoft deeply apologizes for any problems this has caused. We assure that a thorough investigation is being conducted into the cause of this problem, and aggressive steps are being taken to prevent it from happening again," the statement says.

This is not the first time Microsoft has run into such a problem. Earlier this year, the software company released three patches in less than a week for the same flaw in its Exchange Outlook Web Access e-mail client. Each of the first two supposed fixes contained regression errors that not only didnt fix the problem but also caused the Exchange servers to hang.

To remove the error-causing patch, issued with security bulletin MS01-052, Microsoft recommends that users go into the Add/Remove utility in the Control Panel.