Software updates, a.k.a. patches, are designed to fix flaws or make improvements to the code; they address security vulnerabilities, performance issues, reliability concerns, and so forth. Unfortunately, sometimes in the process of making changes to plug a security hole or make some feature work better, an update causes new problems.

It seems as if we’ve been seeing more and more of that recently. Microsoft has had a string of bad luck when it comes to patch problems, to the point where it has become almost routine for them to revoke and re-issue patches a few days or weeks after release because of reported problems. Some users found themselves dealing with the negative consequences of updates in June, August, September and October. We were hoping that the last slate of patches for 2014 might escape this fate, but no such luck.

A week after the release of the December updates, a number of computer users have reported problems caused by installing various patches on certain operating systems and software configurations.

On December 12, Microsoft revoked the patch for Exchange Server 2010 that had been issued three days earlier, and then issued a new version. This was KB 2986475, the Exchange Server 2010 SP3 update rollup 8. Some of those who installed the original version found that Outlook was no longer able to connect to the Exchange Server – a serious problem given that so many companies use Outlook as their email client. Exchange Server 2007 and 2013 updates didn’t have the same effect.

KB 3004394 is another December update that has been the cause of unintended consequences. This update was intended to improve the updating of root certificates in Windows. When applied to Windows 7 SP1 and Windows Server 2008 R2 SP1, it can prevent the computers from being able to install any subsequent updates. The update hasn’t been reported to cause any problems for other operating systems. Microsoft has issued a fix for the fix, KB 3024777.

The next trouble-making December update was KB 2553154, a security update for Microsoft Office 2010 that was designed to fix a security vulnerability by which an attacker could remotely execute code by persuading a user to open a specially crafted file. Two days after its release, Microsoft announced that the update could disable ActiveX controls, which might or might not be a desirable thing depending on your situation. After installing the update, you might get one of various error messages. The company announced a workaround for the problem that it published in KB 3025036, which involves deleting cached versions of the control type libraries (extender files).

There have also been reports here and there of IE 9 crashes following the installation of this month’s cumulative update for IE. This “known issue” is described in KB 3008923.
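For administrators deciding whether a given machine is exposed to any of the issues described above, the first question is simply which of these updates are present. The following PowerShell script is an added example, not code from the original post or from Microsoft; it lists the KB numbers named in this post, reports whether each is installed according to Get-HotFix, and flags the one combination that is most disruptive (KB 3004394 on Windows 7 SP1 / Server 2008 R2 SP1 without the corrective KB 3024777). Get-HotFix reads Win32_QuickFixEngineering, which covers Windows component updates only, so Office and Exchange updates (KB 2553154, KB 2986475) may not appear there even when installed; the script notes that as an assumption and the result for those two should be confirmed in Programs and Features > Installed Updates.

```powershell
# Added example (not from the original post): inventory this machine for the
# December 2014 updates discussed in the post and flag the known-bad combination.
# Assumptions: Windows PowerShell 2.0+ with Get-HotFix available. Win32_QuickFixEngineering
# (which Get-HotFix queries) lists Windows component updates only, so Office/Exchange
# patches may be reported as "not installed" here even when they are present.

$os = [System.Environment]::OSVersion.Version
# Windows 7 SP1 and Windows Server 2008 R2 SP1 both report kernel version 6.1.
$onWin7OrR2 = ($os.Major -eq 6 -and $os.Minor -eq 1)

# KB numbers and descriptions taken from the post above.
$updates = @(
    [pscustomobject]@{ Id = 'KB3004394'; Issue = 'Root-certificate update; can block later updates on Win7 SP1 / 2008 R2 SP1'; FixedBy = 'KB3024777' }
    [pscustomobject]@{ Id = 'KB3024777'; Issue = 'Corrective update for KB3004394';                                           FixedBy = $null }
    [pscustomobject]@{ Id = 'KB2553154'; Issue = 'Office 2010 security update; may disable ActiveX controls (workaround: KB3025036)'; FixedBy = $null }
    [pscustomobject]@{ Id = 'KB2986475'; Issue = 'Exchange 2010 SP3 Update Rollup 8; original build broke Outlook connectivity';   FixedBy = $null }
    [pscustomobject]@{ Id = 'KB3008923'; Issue = 'December IE cumulative update article; documents IE 9 crash known issue';        FixedBy = $null }
)

# Normalise installed IDs to upper case so the -contains comparison is reliable.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID.ToUpper() }

$report = foreach ($u in $updates) {
    $present = $installed -contains $u.Id
    # Office/Exchange updates are not tracked by Win32_QuickFixEngineering.
    $note = if (-not $present -and $u.Id -in 'KB2553154', 'KB2986475') {
        'Not in QFE; verify under Installed Updates'
    } else { '' }

    [pscustomobject]@{
        Update    = $u.Id
        Installed = $present
        Issue     = $u.Issue
        Note      = $note
    }
}

$report | Format-Table -AutoSize

# The specific failure the post describes: KB3004394 on a 6.1 kernel without its fix.
if ($onWin7OrR2 -and ($installed -contains 'KB3004394') -and -not ($installed -contains 'KB3024777')) {
    Write-Warning 'KB3004394 is installed without KB3024777; Windows Update may fail until KB3024777 is applied.'
}
```

Run it in an elevated PowerShell session on the machine in question; for a fleet, the same checks can be wrapped in Invoke-Command against a list of hosts so the decision to hold or apply a patch cycle is based on an inventory rather than on guesswork.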

Software vendors are under pressure to get updates out as quickly as possible, especially when they involve security vulnerabilities that could be discovered and exploited before a fix is available. That may result in a less thorough testing period than would occur otherwise. Because there are so many different software combinations and configurations that are running on so many different hardware setups, it’s impossible to replicate every possible hardware/software system in the testing process, so it’s inevitable that some code will slip through that causes problems on some systems.

It’s not a good thing, though, when users and IT professionals have to wonder every month whether it’s safe to install the updates, or whether they’re better off taking the risk and delaying while someone else serves as the “guinea pig,” to avoid the down time and aggravation that go along with a fix that ends up having to be fixed.
