Two patches released in Microsofts April batch of security updates are causing system hangs, Windows crashes and the appearance of strange dialog boxes.
The problems stem from a nonsecurity modification to Internet Explorer and a critical fix for a code execution hole in Windows Explorer and affect third-party programs from Google, Siebel and Microsofts own Windows Media Player.
On April 15, Microsoft released a knowledge base article to acknowledge “problems” in Windows Explorer or the Windows shell after the MS06-015 security update is installed.
That update, Microsoft said, includes a new binary called VERCLSID.EXE that validates shell extensions before they are instantiated by the Windows Shell or Windows Explorer.
On some consumer-facing programs running Hewlett-Packards Share-to-Web software and Sunbelts Kerio Personal Firewall, the new binary stops responding.
“The scope is limited at the moment, but the impact might be that an application could hang when conducting certain operations, like opening a file from the File open dialog in an application,” said Mike Reavey, program manager in the Microsoft Security Response Center.
/zimages/1/28571.gifTo read more about Microsofts patch quality nightmares,click here.
The issue is having “little to no impact on corporate networks,” Reavey added.
Windows users deploying the MS06-015 update have also complained about problems accessing special folders like “My Documents” or “My Pictures.”
In addition, the update is causing Microsoft Office applications to stop responding when Office files are saved or opened in the “My Documents” folder; system freezes when opening a file through an applications file/open menu; and lockups when typing a URL into IE.
According to PatchLink, of Scottsdale, Ariz., the MS06-013 mega-patch, which includes a significant modification to the way IE renders certain ActiveX controls, is also causing workflow issues for its enterprise clients.
The ActiveX changes result from the ongoing patent dispute between Microsoft and Eolas Technologies and will now require IE users to manually interact with certain embedded multimedia content.
According to a PatchLink spokesperson, businesses using all Siebel 7 High Interactivity Clients must click several times to interact with the program because of the way the ActiveX change was made. Siebel and Microsoft are working together to identify a solution, and a Siebel product update will be released in the spring of 2006 to address the issue.
Windows users running the Google Toolbar are also reporting an access violation error when a window containing an inactive ActiveX control is closed. Google is expected to ship an automatic update to fix the problem, which affects Google Toolbar Version 3.0.129.2 and prior.
The PatchLink spokesperson said problems were also reported in ActiveX controls that use Java Platform, Standard Edition 1.3 or 1.4.
/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.