Microsoft to Patch Problem Patch

slowroller writes to mention an eWeek article about a new patch to fix issues raised in their most recent release. From the article: "The company's plan is to target the rerelease only to Windows users who are affected. In a blog entry, Toulouse said the company's patch deployment technologies will have "detection logic" built into them to only offer the revised update to customers who don't have MS06-015 or are having the problem. The glitches, which Microsoft claims affect only a tiny fraction of the 120 million installations of the patch, stem from a new binary called VERCLSID.EXE that validates shell extensions before they are instantiated by the Windows Shell or Windows Explorer. On systems running Hewlett-Packard's Share-to-Web software, Sunbelt's Kerio Personal Firewall and some NVIDIA Drivers, users complained that the new binary stopped responding."

yay!

[bensafrickingenius]

Recursive patching at last!

Re:Again? What?

[i.of.the.storm]

No, the patch was simply conflicting with a few pieces of software. If you aren't affected, you won't get the patched patch. The original bug was fixed with the original patch. This patch's patch simply whitelists a couple of programs known to cause issues with the patch.

Two Patch Tuesdays

[Vskye]

For some Windows users, there will be two Patch Tuesdays in April.
 
So, you can get two patchs and two tacos on the same day? Wow, now if MS can do the pizza deal, I might just install their OS! ;)

Here is the problem

[dick+pubes]

The big problem when they do this is compatibility testing. I work at numerous companies where we need to read through each patch to see what they 'fix'. Now when Microsoft does this we will just have to guess what they might break in a legacy application deployed across the world.

Re:Millions of different system configurations.

[MustardMan]

No - Microsoft doesn't release patches fast enough and they don't do adequate testing. They don't win on either count.

Re:Affected

[AuMatar]

HP doesn't even write half their own crap anymore. When I worked in HP firmware (last year), the software teams were a joke in our division. No matter what we did, we knew our stuff was better than software.

This is the patch that never ends

[Hawthorne01]

yes it goes on and on my friend. Some people started using it, not knowing what it was, and they'll continue using it forever just because...This is the patch that never ends, yes it goes on and on my friend... :-)

Annoying Problem

I've already encountered two computers on my companies network that were having this annoying problem. There are probably other systems that will pop up with this problem next week. Here's a few different temporary fixes, but I'm not sure how effective they are for more than a few days (or atleast until Microsoft offers a patch):

1. Directly from MS.

2. Rename C:\WINDOWS\SYSTEM32\VERCLSID.EXE to something else (i.e. VERCLSID.OLD) and turn off automatic updates.. otherwise it will try to update Windows again and re-add the executable.

3. Reinstall the HP application. I didn't think that this would work since it appears to reinstall Share-to-Web software, but everything seemed fine afterwards.. so far for one day atleast.

The real annoying thing about this bug is that I think it effects everything using the explorer shell. Click on the arrow at the end of your address bar in IE? Locks the app. Click on arrow to expand your drives while trying to attach a file to email? Locks the app. I'm sure it does the same thing all over the OS when you are trying to do the same function, but those are the only two I really came across before I wanted to fix the problem ASAP.

Heh - "tiny" fraction could still be "lots"

[NotQuiteReal]

Many product vendors would love to have a tiny fraction of the 120 million installations - it would be more than their entire market!

I know this is not a popular opinion here, but MSFT really does have a tough job, if you are objective about it, from an engineering point of view.

Re:Heh - "tiny" fraction could still be "lots"

[mcrbids]

I know this is not a popular opinion here, but MSFT really does have a tough job, if you are objective about it, from an engineering point of view.

Hear here!

I agree 100%!

As a software engineer of a rapidly growing company, it's amazing to me how much higher the standard of testing and accountability has to be with each major product release. Our company has been growing exponentially, at least 2x annually. Just a year or two ago, a bug meant a few phone calls, but in the last year or so, it's gotten to where a single bug (even a minor one) can easily swamp our telephones!

The first release was like, a proof of concept more than not. It wasn't even feature complete at release - we relied on an update mechanism built in at the last minute to cover for the fact that not all the features were completed!

Not many phone calls from that issue, I might add. But, in the last year or two, a single bug affecting a relatively small percentage of our users still loads us down with dozens of issues ticketed in a single morning.

Ugh!

Since our deliverable is web-based, fixing a bug is still very fast, but we're working furiously to improve quality control testing prior to release. I can only imagine what a company with the market size of Microsoft has to deal with - when the vast majority of computing resources are in your hands, the task of dealing with bugs and updates must be simply gargantuan.

How do they do it with such a shoddy codebase?

Re:Millions of different system configurations.

[aussersterne]

Microsoft is a multibillion dollar corporation stuffed full of multibillion dollar men. They have a monopoly on the marketplace, power half of the world, and want to power the rest.

They can, will, and had better do both:

- Release patches quickly
- Release patches with adequate testing

If they don't, they should be punished.

Re:Make your own decisions

[swmccracken]

How about Corporate: Microsoft provide a server program that you can install that downloads the updates and stores them locally.

Your corporate administrator then configures that server and manually approves and rejects updates to be deployed though the Automatic Update clients connected to your server. (Optionally approving a patch for deployment to only certain groups of computers, say the IT Department could be beta testers.)

It's called Windows Software Update Services, and has been out for quite some time. In other words, all you're asking for in the first half already exists. :-)

The second part you're talking about is deployment of patches that aren't released through automatic updates - and yes, I agree, they're often problematic. It sounds like you manually installed a non-security hotfix, which was then clobbered by a later security patch (and the bugfix wasn't included in the security patch).

Microsoft seem to believe that non-security bugfixes don't belong in security patches unless a lot of people are affected, but it means that for people that need those security patches and bugfixes, it becomes quite a mess trying to maintain them (and may require manual management, as you've found the hard way. :-( ) I think they're tryng to be cautious, which I can understand (although they've in theory fixed this for XPSP2 and 2K3, as those patches are supposed to include "general distribution release" and "quick fix engineering" versions, automatically installing the QFE version if there already is a QFE hotfix installed, otherwise installing the GDR version.)

A classic example of all this is that there's a registry key you can set that causes IE patches to install bugfixed versions. (I'm not kidding.)

Re:Again? What?

[Rosco+P.+Coltrane]

No, the patch was simply conflicting with a few pieces of software. If you aren't affected, you won't get the patched patch. The original bug was fixed with the original patch. This patch's patch simply whitelists a couple of programs known to cause issues with the patch.

man: Well, what've you got?

Waitress: Well, there's egg and bacon; egg sausage and bacon; egg and patch; egg bacon and patch; egg bacon sausage and patch; patch bacon sausage and patch; patch egg patch patch bacon and patch; patch sausage patch patch bacon patch tomato and patch;

Vikings: Patch patch patch patch...

Waitress: ...patch patch patch egg and patch; patch patch patch patch patch patch baked beans patch patch patch...

Vikings: Patch! Lovely patch! Lovely patch!

Waitress: ...or Lobster Thermidor a Crevette with a mornay sauce served in a Provencale manner with shallots and aubergines garnished with truffle pate, brandy and with a fried egg on top and patch.

That's last as in "Most recent"

[symbolset]

All these articles are dupes. See it again the evening of June 30, as that's when the next semi-annual 0-day festival kicks off in time for the major holiday weekend. It's almost as if these hackers are tormenting you on your holidays for a purpose. Oh, wait...

The two keys to recovering from malware / a botched patch / user error are: 1. Have an image that's known to be clean without doubt. A fresh install with no network connection will usually suffice, Novell historical trivia notwithstanding. A system with absolutely anything installed and then uninstalled, no matter how carefully, just won't work. One that's touched a LAN, even behind a NAT router, isn't "known to be clean". 2. When you blow out your system image, don't corrupt your data files. Obviously if your data is on a drive that's been removed, it's safe. Not everyone is willing to go that far -- all data stored somewhere besides on your system (C:\) drive is a must.

You will need "Drive Image" software. Examples include PowerQuest DriveImage, Altiris RapidDeploy, Norton Ghost. This software list is not a recommendation -- do your own homework on what suits your needs. Maybe someone will reply with suggestions. This software takes a point-in-time snapshot of the data on your system drive, called an "image". You're going to need access to a drive to store your system images. A basic XP image is about 1.5GB compressed, with applications will vary. I've seen with Office and Photoshop with common options go to 6GB, multiple massive games go as high as 30GB. Plan ahead, especially if you want to take periodic backup images or application rollback images. Some people take drive images of their data file drives now and then for backups also.

You're going to need to move your data files someplace safe, like a server or a separate partition. A dedicated drive works well. You're going to need installation CD's for the OS and all your applications, and all of the patches you can get on convenient media. Pendrive or cd work well usually.

Before installing Windows, disconnect from the network. If you're imaging to a network drive, know what you're doing. If your system starts to boot to Windows while connected before your working image is taken, start over.

Install Windows. During install, do not connect to the network. Use the telephone activation option. Get all your updates from the technet executables on local media as previously mentioned. Get the firewall up and running. Don't connect to the network. Point your My Documents folder to the place your datafiles are. Do your base security configuration --firewall settings, replace all the pages in Explorer with about:blank, etc. Do NOT connect to the network.

Take a system image. This is what you recover to if you need a major application overhaul, the "Base" image. If you are storing the image on the network you must make great care while doing this that the system does not boot to the installed OS with the network connected. Your OS install is in a very vulnerable state. If you have to restore to this image, you won't have to re-validate Windows.

If you connected the network during the previous step for network imaging, disconnect it before rebooting.

If you have other applications that require activation and allow telephone activation, you might want to install them now and take an "activated but still network clean" image.

All the software that will install without the network, install and update it. Install Spybot Search & Destroy, with the Tea Timer option. Don't connect to the network. Install Ad-aware or whatever else you're using. Don't connect to the network. Take a system image. This is your "Working" image.

Now you can connect to the network. Immediately go to Windows update and get the latest patches, and their patches, and the patches for those patches. If any of the patched patches' patches have updates, get those too. During this step you'll probably reboot over and over. In Spybot Search & Destroy ge

Re:Affected

[baadger]

Oooo ooo I want to slam HP too.

The HP 'drivers' for my all-in-one machine come in at 180 megabytes! The interface is sheer bloat, it installs a handful of totally unnecessary (Disabling them has little consequence) services and startup processes, and there is still no x64 driver!

The HP sponsored linux drivers (HPLIP) work well on Linux 64, and it is nice to see Linux up on Windows for once in terms of hardware support.

That felt good.

Re:Millions of different system configurations.

[Splab]

You do realise that some things simply take a certain amount of time and no matter how much money or how many people you throw at the problem they will not get done any quicker, don't you?

If only people would realize that, especially managers. "Ohh so you need x hours to do that? Well I'll just go call this helper for y hours, then you only need x-y hours, so we'll ship on friday"... Glad I'm not doing that anymore. Incidently, we did have a few issues with the patch, but what it revealed for us isn't that there might be a problem with MS patches, but that theres a big problem with testing at our facility before rolling out patches.

MS might screw up, but it's our job to make sure that what they give us works before we roll it out.