News

Patch Locks Out Some IE Users

Harold Decker usually installs Microsoft's security patches the day after the release, one Wednesday a month with no fanfare.

• By Jabulani Leffall
• December 18, 2007

But this time around, he found himself locked out of Internet Explorer 6, shortly after installing a cumulative fix for the application included in the December roll-out.

"I got calls from users and I started looking around the Web for ways to fix the problem and suddenly I realized that it wasn't just me, there were at least four machines that were going through the same thing," said Decker, operations manager at San Diego-based Gold Peak Industries, who oversees about 35 Windows XP SP2 workstations.

A critical patch in last week's release, Microsoft Security Bulletin MS07-069, was supposed to cover at least four privately reported holes in the application, the most serious of which could allow remote code execution if a user viewed a specially crafted Web page using IE. Instead, some users both last week and early this week were staring at error messages with the words "url.mon.dll" or dialog boxes saying IE couldn't find or connect to "servers."

"In some instances, the browser would just crash," recalled Decker. "And in some cases you open it and it hangs for a minute and then you get an error message and you couldn't get on certain sites like 'Sign on San Diego,' FedEx and Loews. I just uninstalled it and said to myself, 'let Microsoft fix it.'"

The patch in question required a restart; security experts believe the IE lockouts could have had something to do with the way the patch was loaded on certain workstations or corporate networks, with some code on different enterprise systems being out of sync with the fix. Paul Zimski, senior director of marketing strategy for Scottsdale, Ariz.-based Lumension Security, makers of PatchLink software, believes Decker took the best course of direct action.

"When you can't browse the Web at all, our advice would be to back out of the patch immediately," said Zimski. "I think this really illustrates that patching has become so much of a part of what we do every month that users and administrators can get complacent, just installing patches without considering whether it's good for business or not."

Zimski, like most security experts, said that the safest bet is testing the patch integrity in a non-production environment before deployment. Zimski said patches can go wrong sometimes but it's not a common occurrence.

Microsoft owned up to the difficulties in a statement saying it would address the problems through an investigation.

"Our customer service and support teams are investigating public claims of a deployment issue with Microsoft Security Bulletin MS07-069," said Mark Miller, Microsoft's Director of Security Response, in an e-mail.

Microsoft also suggested it would update both its Knowledge Base article on the subject and its Security Response Center blog with any new information. But even those updates have been hard to get; a Dec. 14 blog posting by IE Program Manager Kieron Shorrock noted that there were initial problems with loading the MS07-69 bulletin Web page: "We have received reports that pages are slow to load, not found or timing out."

Meanwhile, Decker won't change his routine and will continue loading updates every month. However, he'll be more cautious and simply back out again if faced with similar problems in the future.

"When you back out, you run the risk of maybe not being secure; but if it affects your operation, you don't have much of a choice," he said.