Microsoft® released eight updates to address 23 vulnerabilities, but within hours, serious problems were emerging.

The software update process is intended to make systems more secure and head off potential problems for users and admins, but as with anything else that gets done in a hurry, sometimes those good intentions go awry. That’s what happened this month with several updates that were issued on August 13 as part of Microsoft’s monthly Patch Tuesday release. Eight updates were released to address 23 vulnerabilities, but within hours, serious problems were emerging as a result of applying the new patches, and Microsoft began withdrawing the patches.

The first update to be yanked was MS-13-061/KB2876216, which was designed to fix three vulnerabilities in WebReady Document Viewing and Data Loss Prevention features of Exchange Server 2007, 2010 and 2013 and was one of three updates rated critical. As luck would have it, I was on a ship in the middle of the Caribbean when the news broke. By the time I got back to the office, there were reports of troubles with more of last Tuesday’s patches.

The Exchange update causes a corruption of the Exchange index database, which can impact users who attempt to search for email stored on their company networks. Servers display a “failed” message for the content index database and you may find that the Microsoft Exchange Search Host Controller service has gone missing and has been replaced by a service called Host Controller service for Exchange. Because of the similarity of the names, admins might not have immediately noticed this change.

The screenshot below shows the correct service name. If you can’t find this service in the list, look for the alternate name; this indicates that the patch has modified your database and you need to proceed with “fixing the fix.”

[Screenshot: the services list showing the correct service name]
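The check described above (look for the correct service name, then for the alternate one) can be scripted so that the near-identical names are compared exactly across several servers. This is an added example, not code from the original post or from Microsoft's KB article; the function name `Get-SearchHostControllerState` and the server names in the usage comment are hypothetical, and the two display names are the ones given in the text.

```powershell
# Display names exactly as given in the article.
$ExpectedName = 'Microsoft Exchange Search Host Controller'
$AlteredName  = 'Host Controller service for Exchange'

function Get-SearchHostControllerState {
    [CmdletBinding()]
    param(
        # Servers to check (hypothetical parameter); defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        $state  = 'NotFound'   # neither display name is present
        $status = $null
        try {
            # Get-Service -ComputerName is available in Windows PowerShell,
            # not in PowerShell 6 and later.
            $services = Get-Service -ComputerName $computer -ErrorAction Stop

            # Match on the full display name so the two similar names
            # are never confused by eye.
            $match = $services |
                Where-Object { $_.DisplayName -eq $ExpectedName -or
                               $_.DisplayName -eq $AlteredName } |
                Select-Object -First 1

            if ($match) {
                if ($match.DisplayName -eq $ExpectedName) {
                    $state = 'Expected'
                } else {
                    $state = 'Altered'   # the renamed service the article describes
                }
                $status = $match.Status
            }
        } catch {
            # Unreachable host or access denied: report it rather than guess.
            $state = 'QueryFailed'
        }

        [pscustomobject]@{
            ComputerName  = $computer
            State         = $state
            ServiceStatus = $status
        }
    }
}

# Usage (server names are constructed placeholders):
# Get-SearchHostControllerState -ComputerName 'EXCH01','EXCH02' | Format-Table
```

A result of `Altered` corresponds to the case the text describes, where the workaround is needed; `NotFound` and `QueryFailed` need manual inspection.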

The good news is that if you installed the update, there’s a workaround to restore the service name. The bad news is that it requires you to edit the registry. Microsoft released KB2879739 with instructions for implementing the workaround.

The second patch problem emerged as companies applying the patches discovered that some of the updates were causing Active Directory Federation Services (ADFS) to stop working. Microsoft confirmed that updates KB 2843638, 2843639 and 2868846 (security bulletin MS-13-066) were the culprits. Installing 2843639 without having previously installed 2790338 was creating issues, and Microsoft published a list of “additional steps required to install this security update.” UPDATE: Microsoft has updated the original bulletin (MS13-066) and provided an update (2843638) for the vulnerability in Active Directory Federation Services.  

The problematic patches have been removed from Windows Update and the Download Center.

Microsoft and other software vendors walk a fine line between the rush to get security fixes out as quickly as possible in order to protect customers from potential exploits of existing vulnerabilities and the need to test those fixes as thoroughly as possible to detect “unintended consequences” such as those associated with several of this month’s updates. It’s important for corporate IT departments to have a program in place for testing patches on their own system configurations before deploying them on a widespread basis over the production network. Automating patch management makes the whole process easier; making sure your patch management software supports testing and having a regular testing program in place will make your life easier when the inevitable accident happens.
