A Patch Begets a Patch...Begets Another Patch? -- Redmondmag.com

A Patch Begets a Patch...Begets Another Patch?

By Scott Bekker
06/14/2001

Microsoft Corp. Wednesday rereleased -- again -- the patch for a recent exploit in Outlook Web Access (OWA), a Web-based interface for a Microsoft Exchange Server 5.5 and Exchange Server 2000.

Our story thus far: On Wednesday, June 6, Microsoft released version 1.0 of a software patch to fix an exploit in OWA. In a bulletin (http://www.microsoft.com/technet/security/bulletin/ms01-030.asp) published on its Security Web site, Microsoft itself recommended that users who rolled-out OWA - i.e., most Exchange 5.5 and Exchange 2000 deployments - should "install the patch immediately."

Fast forward two days: On Friday, June 8, the OWA security update disappeared temporarily from Microsoft's "Download" Web site, replaced by a cryptic message which indicated that the patch was "temporarily unavailable" but which promised that it would "be returned to the Web shortly." The day before, Thursday, June 5, at least two users posted messages to the Windows NT Systems Administrators mailing list (http://www.sunbeltsoftware.com/ntsysadmin_list_charter.htm) in which they complained that the patch caused their Exchange servers to crash shortly after they installed it. Coincidence?

Apparently not. On Saturday, Microsoft confirmed that version 1.0 of the OWA patch was flawed - according to a revision notice that was appended to the original security bulletin, the likely culprit was identified as a "regression" error - and issued a new 2.0 version of the update that had (ostensibly) been tested and certified. Microsoft also enlarged the scope of the original security bulletin to include Exchange 5.5 servers for the first, time, as well.

Here's where it gets interesting: On Wednesday, June 13, Microsoft released a new 3.0 version of the OWA security update. Why did it do so? Apparently, for the simple reason that the 2.0 version of the patch was itself flawed and contained "outdated files" which could ultimately crash an Exchange Server.

It is not known when Microsoft will have a version 4.0 patch available to fix its most recent update. -- Stephen Swoyer

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.
PowerShell Script Used in Phishing Attack May Be AI-Generated

A PowerShell script being used in a novel malware campaign may have been created by AI, according to security researchers at Proofpoint.