Microsoft to re-issue buggy security patch

Microsoft plans to re-issue a security patch for its Windows operating system that caused serious headaches for some users.

The MS06-015 security update was released last week, but Microsoft customers soon reported that it was causing applications to crash thanks to a conflict between the patch and NVidia’s video drivers and HP’s Share-to-Web photo-sharing software.

The new update is presently being tested, and is expected to be released next Tuesday, the same day that Microsoft is scheduled to release its non-security updates for the month.

“What we have done is re-engineered the MS06-015 update to avoid the conflict altogether with the older Hewlett Packard and NVidia software,” wrote Microsoft security response center program manager Stephen Toulouse in a Friday blog posting. “What the new update essentially does is simply add the affected third party software to an ‘exception list’ so that the problem does not occur.”

The update will also provide an automated way of fixing the Windows registry configuration database on affected systems, a work-around that had been previously suggested by Microsoft.

MS06-015 fixes a critical vulnerability in the way Windows Explorer handles Component Object Model objects. This vulnerability could be used by attackers to seize control of an unpatched machine, and though some users have resolved their problems by simply uninstalling the buggy update, this course of action is not advised by Microsoft.

HP’s Share-to-Web software is no longer distributed, but it was included with a variety of HP products including the company’s scanners, cameras, CD and DVD devices, PhotoSmart software and DeskJet printers, Microsoft said in an article addressing the issue.

Users have also reported problems with Sunbelt Software’s Kerio Personal Firewall, which tries to stop the MS06-015 update from running an application called Verclsid.exe. Users who have this problem should configure Kerio so that it allows Versclid.exe to run, Microsoft said.

Those who have had problems with the patch are advised to try the workarounds suggested in the knowledge base article or to upgrade or simply uninstall affected software until the revised patch arrives, Toulouse said.

Microsoft’s automatic update services will be able to detect whether or not users require the revised patch and will only offer the software to users who need it. “If you have already installed MS06-015 and are not having the problem, there’s no action here for you,” Toulouse said.

This is not the only Microsoft update that has given users problems this month. ActiveX changes made in a second Internet Explorer patch, numbered MS06-013, has caused major problems with Oracle’s Siebel 7 client. Microsoft has released a “compatibility patch” which undoes these ActiveX changes, and Oracle has said it will release a patch that resolves the issue sometime next month.