Microsoft Pushes Non-Security Security Update

What do you want first, the bad news or the good? Let's start with the bad: Microsoft Corp. last night released a new security advisory, the second this week. The good news is that it doesn't actually deal with a known exploit, worm, or virus. In other words, it doesn't technically deal with security at all.

Instead, last night's advisory concerns the release of a new fix for the Windows Installer (MSI). In spite of its non-security status, Microsoft says the MSI patch is a "high priority" security update because it fixes a memory leak that can cause resource utilization levels to spike when users scan their systems using either Windows Update or Microsoft Update. The bug is the cause of several known issues, according to Microsoft. In some cases, Windows becomes unresponsive and CPU usage for the svchost process spikes to 100 percent. In other cases, users might receive an access violation error in svchost.exe. (This usually causes the Windows Server and Workstation services to stop.) In still other cases, Windows Update or Microsoft Update take hours to complete.

Call it self-imposed denial-of-service (DoS), of a sort.

"This update applies to currently supported versions of Windows except Windows Vista," writes researcher Christopher Budd on the Microsoft Security Response Center (MSRC) blog. Although Microsoft plans to push the fix via Windows Update and Microsoft Update, it doesn't expect any Catch-22-worthy irony. "I want to note that this update will install correctly even if you're experiencing this issue. However, the issue may prevent you from installing other updates (including security updates) until you apply this new update, so we encourage customers to apply this right away," Budd explains.

Nor does Microsoft see any irony in its having released a security advisory that deals with a non-security update. "Security advisories address security changes that may not require a security bulletin but may still affect customers' overall security," the advisory reads. "In this case, we are communicating the availability of an update that affects your ability to perform subsequent updates, including security updates. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security."

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.


  • Microsoft Warns SameSite Cookie Changes Could Break Some Apps

    IT pros could face Web application issues as early as next month with the implementation of a coming SameSite Web change, which will affect how cookies are used across sites.

  • Populating a SharePoint Document Library by E-Mail, Part 1

    While Microsoft doesn't allow you to build a SharePoint Online document library using e-mail, there is a roundabout way of getting the job done using the tools that are included with Office 365. Brien shows you how.

  • Microsoft Previews New App Reporting and Consent Tools in Azure AD

    Microsoft last week described a few Azure Active Directory improvements for organizations wanting to connect their applications to Microsoft's identity and access service.

  • Free Software Foundation Asks Microsoft To Release Windows 7 Code

    The Free Software Foundation this week announced that it has established a petition demanding that Microsoft release its proprietary Windows 7 code as free software.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.