October Patch Disables Office Communications Server

After a mammoth Patch Tuesday rollout last week, Microsoft now finds itself responding to problems with a fix for Office Communications Server (OCS) and Live Communications Server (LCS).

Right now, the cure may be worse than the bug. The patch causes OCS and LCS licenses to prematurely expire. Microsoft is recommending that IT pros hold off on applying a certain security bulletin until the kinks are worked out, or apply the patch to a test installation.

The security fix -- MS09-056: "Vulnerabilities in CryptoAPI could allow spoofing" -- is aimed at a bug in Windows cryptographic technology. Developers rely on CryptoAPI technology to help ensure security in Windows-based applications.

Users discovered the problem when OCS -- one of the main components of Microsoft's unified communications product line -- failed to start after the fix was applied. Thus, a patch designed to thwart spoofing gave some IT pros a spoof of a different kind.

Upon investigation, some IT administrators noticed that the OCS product had expired -- as if it had passed its 180-day trial period. However, these installations were licensed and not trial versions. The patch code somehow resets the product expiration date, apparently.

Phil Lieberman, president and founder of Lieberman Software, speculated that the way some enterprises have configured OCS in their stack allows for this type of mishap to happen.

"This patch disaster is a perfect example of why phone equipment is generally provided as an embedded system that does not receive automatic updates over the Internet," Lieberman said. "The whole way that OCS is installed, packaged, updated and interfaced represents a break from the rest of the telecom industry. In my opinion, tying telecom systems (like OCS) into the public Internet and allowing them to autonomously receive updates is nuts."

For its part, Microsoft cautions in an updated knowledgebase article 974571 that "services required by Communications Server are not started after users install the security update and then restart the computer." This is particularly the case, Redmond said, for users running Live Communications Server 2005 or Office Communications Server 2007.

On the whole, this is a case where a patch broke the functionality of a product, according to Jason Miller, security and data team leader at Shavlik Technologies.

"This is a prime example of why administrators should test each patch before rolling it out to their networks," Miller said.

If administrators don't want to risk OCS freezing up or going down, then they shouldn't install the patch and should wait until Microsoft releases a new one, Miller advised. For those applying the patch, Miller said that even though installing it may "break functionality" in OCS, it will still mitigate risk with a potential downside to organizations.

"There are a lot of reports of companies uninstalling this patch on these systems," Miller added. "These companies rely heavily on voice over IP, conferencing and instant messaging. Having this asset nonfunctional for any amount of time cannot be accepted in those organizations."

A similar product expiration issue was seen in May with SharePoint Server 2007, although it happened with early installations of Service Pack 2. The update reset the product's licensing, making it seem as if it were a trial version of the software. Microsoft has since fixed that problem.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
