Microsoft botches six Windows patches in latest Automatic Update

Microsoft acknowledges problems with KB 2876063, KB 2859537, KB 2873872, KB 2843638, KB 2843639, and KB 2868846, all released earlier this week

In an amazing tour de force, Microsoft's Automatic Update chute released at least six bad patches on Tuesday. Here's what's amazing: It's just 48 hours or so since the bomb bay doors opened, and Microsoft has acknowledged problems with all of these patches. That's a first, I think -- and the biggest positive development in the Automatic Update minefield I've seen in a long time.

The gory details:

  • MS13-061/KB 2876063 -- a remote code execution hole in Exchange Server -- has been pulled. The problem only affects Exchange 2013. From the Exchange team blog:

Late last night we became aware of an issue with MS13-061 security update for Exchange Server 2013. Specifically, after the installation of the security update, the Content Index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed. For those that have already installed the MS13-061 security update for Exchange Server 2013, we already have KB 2879739 that provides the steps on how to resolve this issue. However, due to this issue and that it affects all Mailbox server installations, we have decided to pull the MS13-061 security update temporarily. Note: This issue does not occur in Exchange 2010 or Exchange 2007.

To give credit where due, Microsoft may or may not be the source of the problem. According to the SANS Internet Storm Center, "Oracle ... disclosed the vulnerabilities in their patch updates in April and July 2013. Microsoft licensed the vulnerable libraries from Oracle. There are also functional changes non security changes rolled up into this update."

  • MS13-063/KB 2859537 -- another botched Windows Kernel patch -- has not been pulled (at least it's still being offered on the systems I work with), but Microsoft has acknowledged at least one problem in the KB article:

Some users may experience issues with certain games after they install security update 2859537. In some cases, users may not successfully start and sign in to the games. Microsoft is researching this problem and will post more information in this article when the information becomes available.

Apparently, with this patch applied, the game Rift crashes immediately after authentication, as does Defiance. Softpedia reports that the patch causes BSODs on Windows 7 systems. One poster on the Microsoft Answers forum says it triggers an Error 0xc0000005, and "it's not possible to run almost all applications include IE, Personalize screen, components from control panel and many other 'native windows features and applications.'" There's an avalanche of bug reports online, many in Russian.

Microsoft is aware of problems with the security updates described in MS13-066 that affect Active Directory Federation Services (ADFS) 2.0. The problems could cause ADFS to stop working. Microsoft has removed the updates for ADFS 2.0 from Windows Update and the Download Center. Microsoft is researching this problem and will post more information in this article when the information becomes available.

In addition:

You may experience functionality issues with security update 2843639 if you do not have update 2790338 already applied. We recommend that that customers who are experiencing these issues install update 2790338. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 2790338 Description of Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0

Here's the punch line. The SANS Internet Storm Center religiously tracks which Microsoft patches cover holes that are publicly known. For this month's bunch, only two of the eight security bulletins -- MS13-061 and MS13-063 -- have known active exploits; the others have no publicly known exploits. You guessed it: Both security bulletins are causing major headaches.

Microsoft has had no end of problems with patches lately, with at least four botched patches just last month. For a change, this time the company is fessing up to it -- quickly and as best I can tell accurately, and the mea culpas are posted where they're supposed to be posted.

That's a start.

This story, "Microsoft botches six Windows patches in latest Automatic Update," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2013 IDG Communications, Inc.

How to choose a low-code development platform