Last month's fix of a broken Windows Server patch got me thinking -- just how often does Microsoft release a patch that it knows has problems? The answer: nearly half the time. How often are those problems so severe they fry your system? That's less clear, but it seems as if the answer is, "not all that often."
Microsoft has so far released 45 updates in 2010, some fixing multiple vulnerabilities. Of them, 20 were released with a known problem (see list below), but of those, only two had issues severe enough to warrant a fix and re-release of the patch altogether. Those two patches were MS10-024 and MS10-025. Both were originally released during April's patch cycle. MS10-024 was re-released in July after users began reporting that the patch hosed their systems and that Microsoft's workarounds didn't work. MS10-025, also originally released in the April Patch Tuesday, was re-released two weeks later.
"The [025] bulletin was rated critical and affected Windows Media Services. On April 21st, Microsoft pulled the bulletin from their webpage as they found the patch did not fully fix the vulnerability as intended. On April 27th, Microsoft re-released the bulletin as it addressed the vulnerability as originally intended. With this bulletin, this had a pretty low impact on administrators as it only affected Windows 2000 SP4 with Windows Media Services installed. This service is not installed by default, so this type of software scenario is typically quite rare," explains Jason Miller, data and security team manager for patch management vendor, Shavlik Technologies, Minneapolis.
The number of re-releases isn't a good indicator of how many bulletins hose users' systems. As Miller notes, each bulletin may fix multiple vulnerabilities, and if Microsoft changes one patch, it may not re-release the whole bulletin. Users might get a cumulative patch bulletin for the product (common for Internet Explorer, for instance). One would assume that these new fixes are rolled into the next service pack, too.
Additionally, Microsoft will re-release a bulletin not because the patch is faulty but because it is updating the list of software known to be affected (usually adding, not subtracting) or because Windows Update is just plain confused. "There are cases where a patch will be detected as missing when it is actually installed. Microsoft has made changes to patches addressing these detection and deployment issues. If the patch has already been applied, no action is required by the administrator as the vulnerability has been fixed," Miller adds.
Still, I wanted some measure of how many patches cause problems. So I counted the number of bulletins released in 2010 with stated known issues. This doesn't indicate how badly these issues might affect the performance of the machine it was meant to fix. For instance, below is the known issue and its fix for MS10-040, a June patch rated "important" that fixes a hole in IIS.
This security update could cause IIS application pools to not start on installations of Windows Server 2003 SP2 where IIS 6 may contain some SP1 binaries. In this case, the System log displays the following error message when the IIS service is started:
Event ID 1009, Description: A process serving application pool 'DefaultAppPool' terminated unexpectedly. The process id was '1234'
To resolve this problem, reapply Windows Server 2003 SP2 on the affected computers, and then install this security update.
This sounds like a patch that could hose a system, and yet the fix sounds reasonable -- make sure your WS2003 SP2 computers are fully running SP2.
According to my research, these are the 2010 patches with known issues:
| MS10-003 | MS10-019 | MS10-024 | MS10-039 |
| MS10-004 | MS10-020 | MS10-031 | MS10-040 |
| MS10-011 | MS10-021 | MS10-033 | MS10-041 |
| MS10-015 | MS10-022 | MS10-036 | MS10-044 |
| MS10-017 | MS10-023 | MS10-038 | MS10-045 |
A tip from a reader leads me to believe that despite known issues on all the above patches, Microsoft updates don't hose a system all that often. (Thank you, George Heindel from Custom Computers.) A couple of weeks ago, a TechRepublic article posted the results of an unscientific poll that asked readers how often Windows patches break their system. Of the 841 respondents, 72% said patches hardly ever, or never, gave them problems. Only 5% reported that patches broke their systems every month -- poor souls.

Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at jbort@nww.com, 970-482-6454 or follow Julie on Twitter @Julie188.