Microsoft Pushes Non-Security Security Update

What do you want first, the bad news or the good? Let's start with the bad: Microsoft Corp. last night released a new security advisory, the second this week. The good news is that it doesn't actually deal with a known exploit, worm, or virus. In other words, it doesn't technically deal with security at all.

Instead, last night's advisory concerns the release of a new fix for the Windows Installer (MSI). In spite of its non-security status, Microsoft says the MSI patch is a "high priority" security update because it fixes a memory leak that can cause resource utilization levels to spike when users scan their systems using either Windows Update or Microsoft Update. The bug is the cause of several known issues, according to Microsoft. In some cases, Windows becomes unresponsive and CPU usage for the svchost process spikes to 100 percent. In other cases, users might receive an access violation error in svchost.exe. (This usually causes the Windows Server and Workstation services to stop.) In still other cases, Windows Update or Microsoft Update take hours to complete.

Call it self-imposed denial-of-service (DoS), of a sort.

"This update applies to currently supported versions of Windows except Windows Vista," writes researcher Christopher Budd on the Microsoft Security Response Center (MSRC) blog. Although Microsoft plans to push the fix via Windows Update and Microsoft Update, it doesn't expect any Catch-22-worthy irony. "I want to note that this update will install correctly even if you're experiencing this issue. However, the issue may prevent you from installing other updates (including security updates) until you apply this new update, so we encourage customers to apply this right away," Budd explains.

Nor does Microsoft see any irony in its having released a security advisory that deals with a non-security update. "Security advisories address security changes that may not require a security bulletin but may still affect customers' overall security," the advisory reads. "In this case, we are communicating the availability of an update that affects your ability to perform subsequent updates, including security updates. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security."

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.


  • Microsoft Previews Windows VM Authentications via Azure Active Directory

    Microsoft on Thursday announced a preview of remote authentications into Windows-based Azure virtual machines (VMs) using Azure AD credentials.

  • Windows Server 20H1 Getting Smaller Containers and Faster PowerShell

    Microsoft is promising to deliver a smaller container size and improved PowerShell performance with its next release of Windows Server.

  • Microsoft Previews Microsoft Teams for Linux

    Microsoft on Tuesday announced a "limited preview" release of Microsoft Teams for certain Linux desktop operating systems.

  • Hyper-V Architecture: Some Clarifications

    Brien answers two thought-provoking reader questions. First, do Hyper-V VMs have direct hardware access? And second, how is it possible to monitor VM resource consumption from the host operating system?

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.