Microsoft's IE changes in security patch annoys developers

By packaging a functionality change for Internet Explorer with a needed security update, Microsoft has alienated some IT pros, security vendors complained Wednesday.

Along with fixes for the 10 vulnerabilities covered by Tuesday’s MS06-013 cumulative IE security bulletin, Microsoft bundled changes to IE’s handling of ActiveX controls.

Those changes, which were prompted by a 2003 $US521 million judgment against Microsoft in a patent lawsuit brought by Eolas Technologies and the University of California, will require users to manually activate controls on some sites.

Some sites that rely on popular ActiveX controls, such as Apple’s QuickTime, RealNetworks’ RealPlayer, and Adobe’s Flash and Acrobat, are likely to give users fits.

How It Affects Users:

Because the changes ship inside a mandatory security fix, any IE user who installs Tuesday’s security patches, whether manually or through an automated system such as Microsoft Update, will likely need to change how they use sites that haven’t been rewritten for the new behavior.

What should users expect?

— By default, IE will now consider embedded ActiveX content as inactive. Thus on unmodified sites, ActiveX content will not run. In other words, music won’t play or a Flash component won’t launch.

— To activate an interactive ActiveX control, move the mouse over the content – which now will be boxed – and click on the pop-up tool tip dialog.

— Alternately, users can press the Tab key until the focus is set on the content’s box, then press either the spacebar or Enter key to activate.

— Each control on each page must be manually activated in this way.

Adobe has posted a short Flash-based demo that shows the activation process. (Ironic note: if you’re using IE after the Tuesday update has been applied, you must activate the Flash demo manually.)

Microsoft Responds :

Microsoft has acknowledged that not all Web site developers will have modified their pages to account for IE’s new behavior. The easiest way for developers to sidestep user activation is to insert the ActiveX controls from an external JavaScript file rather than with static markup or inline script. Because of this, Microsoft will also release a patch on Tuesday that delays the change.
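The workaround the paragraph above refers to, written out as an added example (this is not code from the article, from Microsoft, or from Adobe): the `<object>` element is generated by a function that lives in an external script file, since IE loads controls written by static markup or by inline `<script>` blocks inactive, but loads controls written by script from an external file active. The Flash Player classid, the `movie.swf` path, and the `activate.js` file name are this example’s own assumptions; a real page substitutes its own control and parameters. The attribute escaping is included because control parameters such as movie paths or flashvars are sometimes built from request data, and writing them into markup without escaping is a script-injection hole of the page’s own making.

```javascript
// Added example, not from the article, Microsoft or Adobe. Save this file as
// activate.js (assumed name) and load it with <script src="activate.js">;
// the document.write call must execute inside this external file for IE's
// post-MS06-013 "click to activate" step to be skipped.

// Assumed: the Flash Player ActiveX classid used for the demo.
const FLASH_CLASSID = "clsid:D27CDB6E-AE6D-11cf-96B8-444553540000";

// Escape a value for use inside a double-quoted HTML attribute, so a
// parameter derived from user input cannot close the attribute and inject
// its own markup or script.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the markup for an ActiveX <object> element with <param> children.
// Parameters are emitted in insertion order.
function buildObjectMarkup(classid, width, height, params) {
  const paramTags = Object.keys(params)
    .map(
      (name) =>
        `<param name="${escapeAttr(name)}" value="${escapeAttr(params[name])}">`
    )
    .join("");
  return (
    `<object classid="${escapeAttr(classid)}" ` +
    `width="${escapeAttr(width)}" height="${escapeAttr(height)}">` +
    paramTags +
    `</object>`
  );
}

// Write a Flash movie into the page at the point where this is called, e.g.
//   <script src="activate.js"></script>
//   <script>writeFlash("movie.swf", 400, 300, {quality: "high"});</script>
// The call may be inline; what matters is that the write itself runs in the
// external file's function. The markup is also returned so it can be
// inspected or inserted another way (for example via innerHTML).
function writeFlash(movieUrl, width, height, extraParams) {
  const params = Object.assign({ movie: movieUrl }, extraParams || {});
  const markup = buildObjectMarkup(FLASH_CLASSID, width, height, params);
  // Guard so the function is harmless outside a browser (e.g. under Node).
  if (typeof document !== "undefined" && typeof document.write === "function") {
    document.write(markup);
  }
  return markup;
}
```

One caveat for the deferral Microsoft describes below: pages fixed this way also keep working after the compatibility patch expires in June, whereas pages that merely rely on the compatibility patch will start prompting again at that point.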

“We will create a ‘compatibility patch’ (deployed like a hotfix) that allows customers to turn off the change for a limited period of time through the June update cycle (2nd Tuesday in June),” wrote Mike Nash, Microsoft’s head of security, in a blog posting last month.

The patch will put off the activation requirements until June 13.

“[This is] to provide time for enterprise customers to resolve compatibility issues,” added Nash.

Microsoft Offers Registry Fix to Patch IE, Office

Microsoft this weekend released a support document outlining lockup and unresponsive software problems that an April 11 security fix causes, but the only workaround involves editing Windows’ registry, a chore usually left to advanced users.

Initial reports Friday of crashes and lockups caused by the MS06-015 security bulletin ranged from lockups of third-party software to Internet Explorer going dead.

MS06-015 was one of five bulletins released Tuesday, April 11. The critical patch was deployed to fix a flaw in Windows Explorer, the operating system’s file navigation application, that could let an attacker hijack a PC.

In the document posted to Microsoft’s Knowledgebase support database, Microsoft acknowledged a slew of additional problems, including an inability to open Office documents from the “My Documents” folder, applications crashing when attempts to open files through the File/Open command are made, and inaccessible “My Documents” and “My Pictures” folders.

Microsoft blamed the problems on Hewlett-Packard software for scanners, cameras, and printers, but also said that Sunbelt Software’s Kerio Personal Firewall was blocking the updated Verclsid.exe binary that MS06-015 installs from executing.

It also downplayed the difficulties. “Our information at this time leads us to believe that this is having little to no impact on corporate networks,” wrote Mike Reavey, operations manager of the Microsoft Security Response Center, on the group’s blog.

To correct the conflict, Microsoft only offered a workaround that required users to dive into the Windows registry, then add an entry there. If the registry becomes corrupted or is improperly edited, the affected PC may not boot into Windows.

Microsoft didn’t promise that the HP issue was the end of the trouble. “It has not been determined if there are other third-party COM controls or shell extensions that may also cause this problem,” the company said in the document.

Past security bulletins have had to be reissued. In October 2005, for example, the company revised two different patches.

Microsoft probes Outlook Express patch trouble

Does bad luck indeed come in threes? A Microsoft security fix for Outlook Express could be the third of last week’s patches to cause trouble for some users.

Microsoft has received some reports of trouble with the update, a company representative said Thursday. Microsoft had already acknowledged that two of the other five updates it released on “Patch Tuesday” last week can, in some cases, cause problems for users.

Microsoft is still investigating the issues related to the Outlook Express patch. “Nothing is confirmed yet,” the representative said in an e-mailed statement.

In discussion forums on Microsoft’s Web site, users report several issues with the e-mail client after installing the latest update. The trouble includes inaccessible address books, problems opening and sending messages in the “unsent messages” folder and trouble using templates.

The patch for Outlook Express fixes a problem in the way the application handles Windows Address Book files. Opening a specially crafted WAB file can result in execution of malicious code, giving an attacker control of the Windows PC, Microsoft said last week in Security Bulletin MS06-016.

Other patches that have given some users headaches are a comprehensive fix for Internet Explorer, which can break some Web applications, and an update for Windows, which can cause trouble on computers that run certain Hewlett-Packard photo-sharing software or the Kerio firewall.

Microsoft To Release Fixed Patch Next Week

*On Tuesday, Microsoft will reissue the MS06-015 update, which has caused lockups and other problems with HP devices and some drivers.*

Microsoft plans to re-release a patch that caused some snags and Internet Explorer lockups with older Hewlett-Packard devices and NVIDIA drivers.

On April 25th, Microsoft will issue a targeted re-release of the MS06-015 update. The fix will be available through Microsoft Update or automatically delivered to affected computers through Automatic Update, the company said.

“Microsoft has completed its initial investigation into issues involving older third party software that customers may have experienced after the installation of MS06-015,” a spokesman said in a statement issued Thursday.

The patch impacted partners and customers using older Hewlett Packard Share-to-Web software and older NVIDIA drivers prior to version 61.94, Microsoft said.

Microsoft said existing customers who have applied the MS06-015 update without any problem should take no further action.

The company also said Microsoft’s Knowledge Base contains article 918165, which lists the software this issue affects, as well as available workarounds such as Microsoft’s recently-released registry key entries that correct the problem.

Microsoft Unveils Repatched Patch

As promised, Microsoft Tuesday released an updated edition of its April 11 MS06-015 security bulletin to eliminate a host of bad behaviors that the original fix caused on systems running older Hewlett-Packard software or NVIDIA graphics drivers.

The 2.0 patch, which is still dubbed MS06-015, will be offered to users only if it detects the conflicting HP or NVIDIA software, Microsoft has said.

“For customers who have already applied the update and are experiencing problems, the revised update will be available through Windows Update and Microsoft Update,” Microsoft said in the updated bulletin. “The targeted re-release will be automatically delivered to affected computers through Automatic Update if it has been enabled.”

No one else should see the update pop up, Microsoft said. “Customers who have already applied the MS06-015 update who are not experiencing problems need take no action.”

The patched binaries themselves haven’t changed; the revised package instead adds several new keys to the Windows registry. Earlier, Microsoft had recommended manually editing the registry, a potentially dangerous chore, as a workaround for the MS06-015 troubles.

Other patches unveiled earlier this month have also been questioned by users. Numerous users of Outlook Express, Microsoft’s entry-level e-mail client, have complained that the MS06-016 bulletin caused address books to vanish and mail to be interrupted. Microsoft has said it is looking into the matter, but has not published an advisory or issued any other statement.
