From: Mike '/m' 

Some more MS patch gotchas...

http://www.emailbattles.com/archive/battles/security_aadfjggbjh_bb/

===
Microsoft's Automatic Update Spreads The Disease, Then Cures It

Microsoft's MS06-015 patch was released on PatchDay, 11 April 2006.
Depending on how you look at it, Security Update 908531 (Security Bulletin
MS06-015) has been either a spectacular failure or a stunning success.

The Case for Spectacular Failure
PatchDay +4: Microsoft Security Response Chief Mike Reavey admitted that
"an application could hang when conducting certain operations, like
opening a file from the File-open dialog in an application."

The scope of the disaster, Reavey figured, was limited to "some
Hewlett Packard devices that so far appear to be consumer level."

Users complained that the patch was so poorly documented, that there was no
way to prepare for it.

PatchDay +7: Reavey acknowledged that the disaster was less contained than
he had at first reported. "Changes introduced in MS06-015 could cause
an application to stop responding during specific interactions with older
versions of Hewlett Packard's Share-to-web software utility, or older
NVIDIA video card drivers."

He pointed the afflicted to Knowledgebase Article 918165 for succor, where
additional symptoms were noted. Registry edits were suggested for those
experiencing any or all of these troubles: Some files cannot be opened or
saved in folders like My Documents or My Pictures, and attempting to do so
can actually lock up the applications that try it.
Clicking Open on the File menu stimulates an application lock-up. Nothing
happens when you type an address in the Address box in Microsoft Internet
Explorer, right-click a file and then click Send To, or expand a folder in
Windows Explorer.
Luckily, those who tried 918165 reported that they were able to restore
functionality to Excel, Outlook, and Word... by removing the 918165
registry edits.

PatchDay +10: As the slow motion train wreck progressed, Stephen Toulouse
took over for Reavey: "We're seeing around 95% of the current customer
issues being addressed by implementing the steps specific to the Hewlett
Packard Share-to-web software, but we wanted to make sure we were providing
the info on how limited the scope of the problem with older NVIDIA drivers
is as well."

PatchDay +14: Toulouse announced Microsoft's second stab at MS06-15 and
advised, "If you are configured for Automatic Update, no need to take
any actions. It will detect if you have the problem and deliver the update
to you. If you have not yet installed MS06-015, the revised version will be
offered to you."

But then, Auto Update carries its own baggage. An earlier Email Battles
report, Does Windows Patch Without Permission?, documented user complaints
that Windows had automatically updated itself without permission.

Ironically, the only Windows users who are truly safe from
Microsoft-inflicted disasters like MS06-015 are those who can manage to
prevent Automatic Update from functioning.

And as for that poor documentation? Reavey claims it's a feature, as
"providing more detail on internal product changes could serve to aid
attackers."

...Or users.

The Case for Stunning Success
For users and administrators, the MS06-015 debacle serves up a powerful
reminder that, by allowing blind updating of Windows by the Perpetrator,
you open your system to trouble you otherwise wouldn't have.

Instead, wait a few days after a patch release, then check the body count
before patching.

Of course, that requires a level of security management that few of today's
users are willing or able to apply.

Amidst it all, Microsoft wants to be your security company. Scary, isn't it?
===


(lots of links in the article that I did not copy over)

  /m


On Tue, 25 Apr 2006 22:12:15 -0400, "Rich Gauszka"
 wrote:

>You know it's also amazing that besides pushing out the Windows Genuine
>Advantage Update today Microsoft also pushed out the KB900485 which forced a
>reboot. Just a case of Microsoft forcing all Windows XP users to reboot
>their computers today just so they could cath some illegal users?  Just Bill
>Beelzebub Gates showing he owns our computers? I can easily believe both.
>Time to really start looking at alternatives
>
>
>"Geo"  wrote in message news:444ec9c6$3{at}w3....
>> "Rich Gauszka"  wrote in message
>> news:444ea0e9$1{at}w3....
>>
>>>
http://www.okgazette.com/news/templates/cover.asp?articleid=423&zoneid=7
>>
>> "The goal of this is not to allow any company to go through
and scan your
>> computer," Jolley said. "If they are, it has to be for a
specific purpose.
>> If you don't want them doing that, don't agree to (the user's
agreement)."
>>
>>
>> Riiiiigght..
>>
>> Geo.
>>
>>
>

--- BBBS/NT v4.01 Flag-5