Security Patch Can Make Windows 2000 Unstable

A security patch issued by Microsoft Corp. last Thursday contains an error that can cause Windows 2000 systems to become unstable.

The patch has been removed from the companys security site, and Microsoft is in the process of rebuilding the code to fix the error. A similar patch for systems running Windows NT 4.0 is not affected.

Microsoft issued the patch for a problem in the RDP (Remote Data Protocol) used in the terminal service in Windows 2000 and NT 4.0. The service handles a set of RDP packets incorrectly and as a result can cause the server to fail.

The vulnerability is a relatively minor one and was given only a moderate risk in Microsofts new severity rating system.

Although the problematic patch was only on Microsofts Web site for a few hours, the Redmond, Wash., company issued a strongly worded apology in the bulletin announcing the error.

“The issue is a result of human error in the patch building process. Microsoft deeply apologizes for any problems this has caused. We assure that a thorough investigation is being conducted into the cause of this problem and aggressive steps are being taken to prevent it from happening again,” the statement says.

This is not the first time Microsoft has run into such a problem. Earlier this year, the software giant released three patches in less than a week for the same flaw in its Exchange Outlook Web Access e-mail client. Each of the first two supposed fixes contained regression errors that not only didnt fix the current problem, but caused the Exchange servers to hang.

The bug, which was first identified in April and affects Exchange 5.5 and 2000, involves a flaw in the way that Outlook Web Access and Internet Explorer exchange message attachments and could enable an attacker to run a script on an affected machine that would give him some limited access to the machine.

To remove the error-causing patch, Microsoft recommends that users go into the Add/Remove programs utility in the Control Panel.