Friday, April 21, 2006

Microsoft to Reissue Buggy Security Patch

SAN FRANCISCO -- Microsoft plans to reissue a security patch for its Windows operating system that caused serious headaches for some users.
The MS06-015 security update was released last week, but Microsoft customers soon reported that it was causing applications to crash, thanks to a conflict between the patch and nVidia's video drivers and Hewlett-Packard's Share-to-Web photo-sharing software.
The revised update is being tested now, and is expected to be released April 25, the same day that Microsoft is scheduled to release its nonsecurity updates for the month.
The Solution
"What we have done is re-engineered the MS06-015 update to avoid the conflict altogether with the older Hewlett Packard and nVidia software," writes Microsoft security response center program manager Stephen Toulouse in a blog posting today. "What the new update essentially does is simply add the affected third party software to an 'exception list' so that the problem does not occur."
The update will also provide an automated way of fixing the Windows registry configuration database on affected systems, a workaround that had been previously suggested by Microsoft.
MS06-015 fixes a critical vulnerability in the way Windows Explorer handles Component Object Model objects. This vulnerability could be used by attackers to seize control of an unpatched machine, and though some users have resolved their problems by simply uninstalling the buggy update, this course of action is not advised by Microsoft.
Hewlett-Packard's (HP's) Share-to-Web software is no longer distributed, but it was included with a variety of HP products including the company's scanners, cameras, CD and DVD devices, PhotoSmart software, and DeskJet printers, Microsoft says in an article addressing the issue.
Other Problems
Users have also reported that Sunbelt Software's Kerio Personal Firewall tries to stop the MS06-015 update from running an application called Verclsid.exe. Users who have this problem should configure Kerio so that it allows Verclsid.exe to run, Microsoft says.
Those who have had problems with the patch are advised to try the workarounds suggested in the knowledge base article or to upgrade or simply uninstall affected software until the revised patch arrives, Toulouse says.
Microsoft's automatic update services will be able to detect whether or not users require the revised patch and will only offer the software to users who need it. "If you have already installed MS06-015 and are not having the problem, there's no action here for you," Toulouse says.
This is not the only Microsoft update that has given users headaches this month. ActiveX changes made in a second Internet Explorer patch, numbered MS06-013, have caused major problems with Oracle's Siebel 7 client. Microsoft has released a "compatibility patch" that undoes these ActiveX changes, and Oracle has said it will release a patch that resolves the issue sometime next month.

Robert McMillan, IDG News Service Fri Apr 21, 5:00 PM ET

Thursday, April 20, 2006

Vista debut hits a delay

The software maker said it will still wrap up development of the operating system this year and make it available to volume-licensing customers in November. However, Microsoft said a delay of a few weeks in Vista's schedule meant that some PC makers would be able to launch this year and others would not. As a result, Windows chief Jim Allchin said the company is delaying the broad launch of the product until January.

"We needed just a few more weeks, and that put us in a bubble...where some partners would be impacted more than others," Allchin said during a Tuesday afternoon conference call with reporters and analysts.

The delay is the latest setback for Vista. Microsoft scaled back several key features of the operating system last year in order to try to ensure a 2006 release. The operating system, which has been in development for years, was delayed by, among other things, the fact that Microsoft had to put so much time and testing effort into Windows XP Service Pack 2, a largely security-oriented upgrade to the current version of Windows.

Allchin said that although PC makers were not universal in wanting the delay, there were concerns from some companies that they could not ensure a holiday quarter launch if Microsoft pushed back its development schedule even slightly.

Analysts have been warning that Microsoft's schedule left little room for error if it was to make a fourth-quarter launch.

As recently as January, Allchin expressed confidence that Microsoft would make its deadline, although he reiterated his caveat that quality issues could lead to a postponement.

The delay would likely hurt retail PC vendors the most, said Stephen Baker, vice president of industry analysis at NPD Techworld. Dell, which sells most of its PCs directly, could probably handle a delay of a few weeks without too much trouble. Hewlett-Packard and Gateway, on the other hand, have to have their PCs ready for retail partners weeks ahead of when they will actually go on sale, and can't change gears as quickly, he said.

"It scares you," Baker said, when asked about the impact of the delay on fourth-quarter PC sales. The PC industry's largest quarter of the year always comes around the holiday shopping season, and expectations were high for that period this year, given the expected introduction of the new operating system.

Microsoft does not expect the move to affect this year's overall PC sales, Allchin said.

"There's no (change) to the PC forecast from our perspective," he said. "You can ask the partners what they think."

Allchin also said the product will still launch in the same earnings period for Microsoft, whose fiscal year runs from July to June. That means Microsoft's overall business for next year shouldn't be affected, he said.

Tweaks in the works
Allchin said some of the additional time would be used to ensure security levels, and the company is also working on ironing out usability issues.

"We're trying to crank up the security level higher than ever," Allchin said. "This came down to a few weeks. We're trying to do the responsible thing here."

Microsoft released its most recent test version of Vista in February. Late that month, the company also announced plans for six distinct editions of the operating system.

Allchin said Tuesday that Microsoft still plans next quarter to launch a broader test version of Vista, with the new version to be tested by about 2 million people.

Microsoft had hoped to have a massive marketing push around Vista and Office 2007, which is slated for the second half of this year. It is not immediately clear how the delay will affect those plans.

Allchin, whose official title is co-president of Microsoft's platform, products and services division, is slated to retire later this year.

CNET News.com's Tom Krazit contributed to this report.