The bulletins came to my inbox. Two patches. One for Office, one for DACLs. (What’s a DACL?) But that isn’t all. Microsoft Update has a few more patches it wants me to install.
In addition to the ever-present Windows Malicious Software Removal Tool for March (KB 890830), and the monthly update for the Outlook 2003 Junk E-Mail Filter (KB 913161), we have a few other patches in Microsoft Update’s “high priority patches” list. It reminds me that it’s not just security patches that are up there in the top section.
Will Office patches prevent the next worm?
Our first patch should have us “beancounters” in a bit of a patching frenzy, as it affects our main “database” program: Excel. And not just Excel on our desktops, but in spreadsheets that can be hosted on any Web site via a “viewer” file.
Thus, browsing on the Web could be enough to cause damage. Already the pundits are discussing whether this will cause “drive-by downloads” of malware, as described by CMPnetAsia.
The interesting thing about MS06-012 (905413) is that it reportedly includes a patch for a bug that was once offered up on eBay before it was yanked by that company back in December.
I went to Microsoft Update expecting just this Excel patch to be installed on my test system. Instead, I was prompted to install KB 913471 for Office XP to fix spelling issues in languages that I don’t speak.
It then prompted me to install KB 905754 for Word 2002, KB 905758 for PowerPoint 2002, KB 905755 for Excel 2002, KB 905649 for Outlook, and finally, KB 905756 for Excel 2003.
This is one of Redmond’s “mondo issue patches” where not one, not two, but six security issues are being fixed. It points out that, on my test system, I seriously need to go through the Add/Remove Programs control panel and uninstall the old versions of Office that I thought I no longer had. I’ll then run the Windows Installer CleanUp Utility at KB 290301 to completely clean out the old files.
Examining the patches for known issues found by Microsoft ahead of time, it was interesting to see the number of performance fixes that have been rolled up into these security patches. So far the only issues noted in these patches are install issues. A good source of information to troubleshoot these kinds of problems is KB 906602.
DACLs may raise your hackles
A few weeks back, a security advisory was released regarding the default permissions on certain services used in your machine. This involves DACLs (discretionary access control lists). If you’re currently running anything other than Windows XP SP1 or Windows 2003 with no service pack, you can skip these patch details completely, as you are not affected.
I could tell you to review KB 914758, which indicates that MS06-011 is a one-way patch that cannot be uninstalled. It also reverts the patched machine back to its default permissions.
But it might be easier for you to finally get around to installing SP2 on your XP boxes and SP1 on your Windows 2003 machines. If your software vendors have certified you on these platforms, it’s better in the long run, anyway.
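An added example, not part of the original column: a Python check that reads the SDDL string printed by `sc sdshow <service>` and flags allow-entries in the DACL that give broad groups the right to reconfigure a service or rewrite its permissions. The sample strings and service names are constructed, and the choice of which rights and groups to flag is an assumption of this example, not taken from the advisory.

```python
import re

# SDDL right codes that let the holder reconfigure a service or rewrite its
# DACL, with the access-mask bit each stands for on a service object.
RISKY = {
    "DC": 0x00000002,  # SERVICE_CHANGE_CONFIG
    "WD": 0x00040000,  # WRITE_DAC
    "WO": 0x00080000,  # WRITE_OWNER
    "GA": 0x10000000,  # GENERIC_ALL
    "GW": 0x40000000,  # GENERIC_WRITE
}
# Well-known SID aliases covering ordinary, non-administrative accounts (assumed list).
BROAD = {"AU": "Authenticated Users", "WD": "Everyone", "BU": "Users",
         "IU": "Interactive", "AN": "Anonymous"}

def risky_rights(field):
    """Return the risky right codes in an ACE rights field (letter codes or hex mask)."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return sorted(c for c, bit in RISKY.items() if mask & bit)
    codes = re.findall("[A-Z]{2}", field)
    return sorted(c for c in codes if c in RISKY)

def audit_service_sddl(name, sddl):
    """List allow-ACEs granting risky rights to broad groups (deny ACEs are ignored)."""
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl.strip())  # DACL only, stop at the SACL
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A":  # only allow-ACEs grant access
            continue
        trustee, bad = fields[5], risky_rights(fields[2])
        if trustee in BROAD and bad:
            findings.append((name, BROAD[trustee], bad))
    return findings

# Constructed sample output of `sc sdshow <service>`; service names are hypothetical.
SAMPLES = {
    "ExampleTightSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                       "(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "ExampleLooseSvc": "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)",
    "ExampleHexSvc":   "D:(A;;0x00040002;;;BU)",
}

if __name__ == "__main__":
    for svc, sddl in SAMPLES.items():
        for finding in audit_service_sddl(svc, sddl):
            print(finding)
```

An empty result means no allow-entry in the DACL hands those rights to one of the listed groups; any finding is a service whose permissions deserve a closer look.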
Outlook patch fixes MS06-003 problem
I tend to think that the upper section of Microsoft Update is “just” security patches. But this week, it’s obvious that it also includes patches deemed to fix performance issues.
Along with KB 913471, described above (which corrects Office XP spelling issues), and the usual updated Outlook Junk Mail Filter (which resets your default e-mail client to Outlook), this month also includes KB 913807. This fixes an MS06-003 problem that conflicts with Visual Basic programs. I previously discussed MS06-003 in my Jan. 12 column. The problem the patch fixes is further described in Alun Jones’s blog.
ISA 2004 SP2 hotfix corrects Web access
In my Mar. 2 Patch Watch column, I reported that ISA 2004 SP2 was not properly handling Web sites like Delta.com, Sun.com, and iTunes. At that time, the only fix we had was to uninstall SP2. Unless you had updated to Installer 3.0, uninstalling carried some hazards of its own.
Now there’s a hotfix available. KB 915045, as discussed in Thomas Shinder’s blog, is available by calling Microsoft Product Support Services. (See the PSS support page for numbers.) KB 915045 is not a public article at this time.
The real issue is not with the service pack, but the Web coding practices of these sites. This is described in detail in Shinder’s explanation.
Support hours extended for Old World admins
If you called the IT Professional support line in the last couple of days, you found that you got a slightly different message. The message indicated that normal support hours were Monday through Friday, 6 a.m. to 6 p.m. Pacific time, and that after-hours business critical support was available at later times.
On March 13, Microsoft made the world a little flatter by extending its support hours in an announcement. Previously, only the U.S. and Canada had 24/7 support at a rate of $245. Everyone else around the world was dependent on the business hours and practices of their local offices. So if it was 6 p.m. in Perth, your Microsoft engineer had no obligation to stick around and help you. You were stuck until morning.
Now, any business-critical event can get support. There’s a price to pay: the rate doubles for off-hour coverage. If you have MS’s Software Assurance license, review your agreement. You may have access to support calls under that plan, as well.
What’s not changing is the ability for IT professionals to obtain hotfixes at the usual phone number. Even if it’s not necessarily a “business-critical” down situation, the hotfix is still available, as usual, for free.
The engineer taking the call will remind you that the hotfix has not been “regression tested.” So be sure to install it on a test machine first. But if you know the hotfix by its Knowledge Base article number, it’s still relatively easy to obtain it — even with the change in support for North America. What the change does do is acknowledge that both software sales and support are needed worldwide.
Hotmail patch for IE7 beta is troubling
A disturbing trend for me is the increasing push to put beta software on our systems. While there are parts of Google and Windows Live that have “beta” nearly permanently engraved onto their pages, because they’re Web sites, you’re not installing software on your systems.
In Microsoft Update’s middle section of patches, the optional software section, there’s a sign that we’re putting too much beta code on real live systems. KB 904942 is a patch to fix an issue with authentication to certain sites like Hotmail after the beta for Internet Explorer 7 is installed.