Admins run into trouble with Microsoft updates

A DNS service failure and an ongoing WSUS glitch are among this month's frustrations as IT administrators try to deploy the latest security patches from Microsoft.

The days after a Microsoft security update typically bring reports of deployment problems, and May 2007 has proven to be no exception.

Since the software giant's 8 May patch rollout, various blogs and discussion boards have been full of reports about everything from DNS service failures to Windows Server Update Services (WSUS) malfunctions.

At least one IT professional reported that after applying this month's patches to a bunch of domain controllers, the DNS service on one of them was failing repeatedly.

"I have it set to recover, so it comes back on, but it fails again after a few minutes," he said in a patch management email forum hosted by Roseville, Minn.-based Shavlik Technologies.

Meanwhile, Susan Bradley, a Microsoft MVP and IT administrator at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif., wrote in her SBS Diva blog about MS07-027, a cumulative update for Internet Explorer.

She said there are two issues with the patch: some Windows 2000 machines were being offered a 2004 patch, and some Vista machines were getting a "navcancl" error message after patching. As a temporary solution, she recommended IT administrators start Internet Explorer 7 using the following commands: start->run iexplore.exe -nohome -extoff; then right-click on the toolbar area and click the menu bar if it's disabled; and then select tools->options->advanced->security->disable phishing filter.

Even though the Internet Explorer patch is rated critical, she said IT administrators should not hurry it onto their systems at the expense of thorough testing.

"Even after you patch it your browser will [still] have security issues and if you have other mitigations in place, the rush should not be on to be the first to install," she wrote in her blog. She said administrators should remember they are "installing changed code on a system that Microsoft CANNOT fully test for because they DO NOT have your system, your software, your surfing habits, etc."

Administrators are also reporting problems with WSUS following Microsoft's Tuesday patch release, which addressed 19 flaws that included a zero-day DNS server flaw and flaws in Microsoft Exchange, Internet Explorer, Microsoft Excel, Word and Office.

The WSUS team has been dealing for some time with a problem they call the 'svchost/msi issue.' One of the problems here is that during automatic patch updates on a Windows XP machine, CPU usage goes into overdrive. "Of course, the computer is virtually unusable" when that happens, someone using the name Foxy-Perth wrote on the Windows Update support forum.

The problem persists even though Microsoft has tried to address it with a hotfix.
