May patch problems

Once again, in the wake of this month’s supersized patch release, we’re hearing from readers who have been experiencing problems after installing the updates. Some of the reports are too vague to troubleshoot, but others are pretty specific.

One thing that they all have in common is frustration over applying patches that are intended to protect their systems only to find that those patches cause some kind of loss of functionality.

One reader wrote that the update caused some of the fonts on a Windows 7 system to no longer be recognized so that text isn’t displayed correctly. This isn’t the first time users have reported font corruption caused by an update. Back in February, there were widespread complaints that KB3013455 affected TrueType fonts, creating font degradation problems on some machines. Users found that removing the patch in most cases returned the font displays to normal.

I am not seeing a large number of these reports on the web this time, and Microsoft hasn’t addressed this as a problem, so we are not even certain which update is causing the problem. I haven’t been able to reproduce the problem on any of my own computers. In situations like this, often the only solution (which is not a pleasant one) is to uninstall one update at a time to attempt to pin down which one is causing the trouble.

Often, though, the most likely suspects are obvious and in this case, I would certainly start with MS15-044 (KB3057110), which is an update that changes the way the Windows DirectWrite library handles OpenType and TrueType fonts.

Note, however, that uninstalling this update will leave your system exposed to the critical remote code execution vulnerability that it was designed to fix. Microsoft hasn’t published any workarounds or mitigations for this vulnerability that you could use instead of the update.
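The one-update-at-a-time elimination described above can be scripted. The following PowerShell is an added example, not something from Microsoft or from the reader reports; the parameter names, the 14-day window and the log file name are assumptions made for the example, and the KB numbers are the ones named in this article. Run it from an elevated prompt.

```powershell
# Added example: process-of-elimination helper after a bad patch cycle.
# $Since, $Suspects, $Remove and the log file name are choices made for this example.
param(
    [datetime]$Since = (Get-Date).AddDays(-14),          # start of the patch window
    [string[]]$Suspects = @('KB3057110', 'KB3022345'),   # KBs named in the article
    [string]$Remove                                      # e.g. -Remove KB3057110; empty = report only
)

# Get-HotFix can return entries with an empty InstalledOn value;
# keep those in the list rather than silently dropping them.
$recent = Get-HotFix | Where-Object { -not $_.InstalledOn -or $_.InstalledOn -ge $Since }

# Order the candidates: named suspects first, then newest first.
$plan = $recent |
    Select-Object HotFixID, Description, InstalledOn,
        @{ n = 'Suspect'; e = { $Suspects -contains $_.HotFixID } } |
    Sort-Object @{ e = 'Suspect'; Descending = $true },
                @{ e = 'InstalledOn'; Descending = $true }

$plan | Format-Table -AutoSize

if ($Remove) {
    if (-not ($plan | Where-Object { $_.HotFixID -eq $Remove })) {
        throw "$Remove is not among the updates installed since $Since"
    }

    # Record what was removed so it can be reinstalled once the culprit is known.
    $log = Join-Path $env:TEMP 'patch-rollback.log'
    "{0:s} uninstall {1}" -f (Get-Date), $Remove | Add-Content -Path $log

    # wusa.exe takes the numeric part of the KB id. Remove one update per run,
    # reboot, retest, and reinstall the update if the symptom is still there.
    $kb = $Remove -replace '^KB', ''
    $p = Start-Process wusa.exe -ArgumentList "/uninstall /kb:$kb /norestart" -Wait -PassThru
    "{0:s} wusa exit code {1}" -f (Get-Date), $p.ExitCode | Add-Content -Path $log
}
```

Run it with no arguments first to see the ordered candidate list; the log gives you the list of updates to put back once the faulty one has been identified.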

Another problem that is being reported on the web (again, these are not widespread reports) has to do with desktop icons missing after application of the updates. This is one where we really would have to proceed by process of elimination since there is no obvious culprit this time. I would first make sure to check settings to ensure that it isn’t a simple matter of settings being changed.

I have also seen a few reports of corrupted system files being detected by SFC /scannow after the installation of KB3022345. This is not a security update, but one that enables the Diagnostic Tracking Service in Windows 8.1. It was originally issued back in April, then new versions were issued in May. Some of the reports indicate that the users experienced system crashes after installation.

It is unfortunate that the nature of software development is such that security vulnerabilities almost always creep in here and there, and this is true of all software vendors. Have a look at the number of security fixes in one of Apple’s OS X updates in last month’s Third Party Patch Roundup for some perspective. Regardless of vendor, when security issues are discovered in-house or reported by independent security researchers, there is a good deal of pressure on the software vendor to issue a fix sooner rather than later. This is especially true when some researchers, such as those with Google, have policies by which they will publicly disclose the vulnerabilities if they haven’t been fixed by the vendor within a certain time period.

The software company is then in a Catch-22 situation. Do they rush the update out as soon as they have it ready, so as to protect systems from an exploit that might take advantage of the vulnerability? Or do they test it on as many systems and different configurations as they can, to make sure that it doesn’t cause unintended problems when it conflicts with certain settings or installed programs? Even with very thorough testing, there is no way that vendors can anticipate every possible configuration, so there is still a chance that any given patch might cause some problems with some computers.

That’s the reason most enterprises make a practice of not rolling out new patches to all of their machines right away, but instead setting up test labs and trying the patches out on non-production computers so they can catch problems without causing a loss of functionality to machines that the business depends on to get its important work done. This may not be feasible, though, for most individuals and small businesses.

Things may also change in the near future as Microsoft turns away from Patch Tuesday and starts rolling out patches as they become available through a new service called Windows Update for Business.

It seems that as long as there is software, there will be security patches, and as long as there are security patches, there will be patch problems.