Security Advisor

Microsoft's September Patch Problems

How trustworthy does IT consider Microsoft's patches to be?

Microsoft's September patch release didn't go off without a hitch. IT pros had lots of complaints. One problem was associated with a nonsecurity update (KB2817630) for Microsoft Office 2013 that caused an Outlook folder pane to disappear. The cause was incompatible versions of Outlook being on a system, Microsoft explained, and it mostly affected organizations with Automatic Updates enabled. The patch was pulled after three hours. Microsoft now recommends uninstalling the initially released patch, and it plans to republish the patch with the proper dynamic link library files associated, although it's not clear when that will happen.

IT pros also complained about getting updates offered multiple times, or not offered at all, through Windows Server Update Services or System Center Configuration Manager. Microsoft responded by issuing new updates that addressed the problem. It was a problem with the "detection logic" of the targeting patterns rather than with flawed patches, Microsoft explained in a Q&A.

There was even a holdover problem from the August patch release for a Windows kernel flaw, in which some users saw blue screens of death after applying security update 2859537. Microsoft's Q&A said there were just "limited reports" about the problem, which is still under investigation.

In any case, the September patch problems elicited a response from Susan Bradley, moderator of patchmanagement.org and a Microsoft Most Valuable Professional. She wrote an open letter to Microsoft CEO Steve Ballmer in a mail list post asking for an investigation into patch quality control at Microsoft, saying that problems with patches were leading to an "increasing distrust of updating." She added that "The issues this month in particular leave end users and Patch Admins with no other recourse than to not patch and even disable automatic updates until we are assured that issues have been fixed."

While Steve Ballmer apparently did not respond, Gray Knowlton, a principal group program manager at Microsoft, did respond in a mail list reply. He admitted that Microsoft had released patches with targeting problems. He also acknowledged that there was a "cross-patch dependency" problem with the patch that affected Outlook. He described the problems as "anomalies in our release operation" and promised that the October patch would turn out better.

Perhaps the glitches were anomalies. However, IT pros may have cause to be nervous. Microsoft has been signaling a faster software release cadence on top of its monthly patch cycle. Its monthly Exchange update rollup releases have often arrived with glitches, causing headaches for IT pros. The company has also been redefining its terms somewhat, so while Windows 8.1 is an operating system update, it's treated as a service pack for Windows 8 users, giving IT pros two years to move and stay supported. Meanwhile, Microsoft is ending its TechNet subscription program, which IT pros likely were using to create long-standing test environments.

What's an IT pro to do? Do you test every Microsoft patch that you apply or just cross your fingers and hope for the best? What can Microsoft do to make things better?

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
