Microsoft goofs up Patch Tuesday, forced to re-release security patches

Buggy Microsoft OfficeOh dear oh dear oh dear.

Regular readers of grahamcluley.com will know that we're very keen for computer users to keep on top of the latest security patches, ensuring that their systems are defended from potential attack by hackers.

But what happens when the patches go wrong?

Unfortunately, Microsoft has (once again) found itself in the embarrassing position of admitting problems with some of its latest Patch Tuesday fixes.

A blog post by the firm confirms that it has re-released a host of security updates, after the patches wanted to be installed over and over and over and over again...

Since the shipment of the September 2013 Security Bulletin Release, we have received reports of updates being offered for installation multiple times, or certain cases where updates were not offered via Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM).

We have investigated the issue, established the cause, and we have released new updates that will cease the unnecessary re-targeting of the updates or the correct offering of these updates.

Here is the list of bulletins that have been reissued in order to fix the updating bug:

Microsoft Security Bulletin MS13-067:

    Security Update for Microsoft Office SharePoint Server 2007 (KB2760589)

Microsoft Security Bulletin MS13-072:

    Security Update for Microsoft Office 2007 suites (KB2760411)
    Security Update for Microsoft Office 2010 (KB2767913)

Microsoft Security Bulletin MS13-073:

    Security Update for Excel 2003 (KB2810048)
    Security Update for Microsoft Office Excel 2007 (KB2760583)
    Security Update for Microsoft Office Excel Viewer 2007 (KB2760590)
    Security Update for Microsoft Office 2007 suites (KB2760588)

Microsoft Security Bulletin MS13-074:

    Security Update for Microsoft Office 2013 (KB2810009) 64-Bit Edition

Non-security updates:

    Update for Microsoft PowerPoint 2010 (KB2553145)
    Update for Microsoft PowerPoint Viewer 2010 (KB2553351)

Furthermore, Microsoft has now confirmed the mutterings I reported last week about problems with a non-security update for Outlook 2013 that caused the folder pane to disappear.

Microsoft described the problem as being caused by "a version incompatibility between outlook.exe and mso.dll".

Outlook bug

If both versions are earlier (lower) than 4535.1000, or both versions are later (higher) than 4535.1000, the problem does not manifest. If one file is updated but the other is not, the problem is evident. The incompatible state is created by installing either the September Public Update OR the August Cumulative update, but not both. Users of MSI-based products that have automatic updates enabled are those that are most likely to have encountered the issue.

Microsoft has pulled the offending Outlook 2013 update, while it works on creating a version that works properly.

Following so soon after last month's buggy security update, one has to wonder what's going wrong at Microsoft Quality Control.

The company can't afford to keep messing up like this. The risk is that millions of users around the world will begin to question Microsoft's ability to properly patch security vulnerabilities, and lose trust in the firm.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , ,

5 Responses

  1. Spryte

    September 16, 2013 at 3:56 am #

    Yes even my Friday update was flaky…

    I thought it would just need a reboot (as it said), but guess what?
    After installing the necessary updates and letting the old Vista laptop reboot,,, No WiFi !?!?
    So I thought perhaps it needs a full shutdown.
    Shut it down for a couple of minutes and after powering back on my WiFi worked?!?

    But then again, it was Friday the 13th.

  2. J Martin Ward

    September 16, 2013 at 8:00 pm #

    "The company can’t afford to keep messing up like this. The risk is that millions of users around the world will begin to question Microsoft’s ability to properly patch security vulnerabilities, and lose trust in the firm."

    Of course it can. As Bruce Schneier pointed out in "Secrets and Lies": "Real security improvement will only come through liability: holding software manufacturers accountable for the security and, more generally, the quality of their products." Microsoft is the most egregious example of a corporation holding a virtual monopoly over a product for which it disclaims all responsibility. You can't sue Microsoft for security inadequacies, and millions of people all over the world are tied in to Microsoft products for which they have no practical alternative, so a few botched patches are neither here nor there as far as Microsoft is concerned. Their attitude to their "customers" – the non-corporate ones at any rate – is simply to offer them a few online forums to sound off in, monitored by supposed MS support experts whose invariable response to any problem that they don't understand is to recommend booting into safe mode and disabling drivers.

    Get real, Mr Cluley. Many users around the world questioned Microsoft's security capabilities and lost trust in Microsoft years ago, but have to use their software and work around the problems. Microsoft isn't going to lose its customer base and go bust any time soon.

  3. Jay

    September 16, 2013 at 9:51 pm #

    MS not the only ones to goof – the table above makes no sense.

    Mso.dll 4535.1000 falls in both columns.

    • Graham Cluley in reply to Jay.

      September 16, 2013 at 10:08 pm #

      Well, it's Microsoft's table…

      I grabbed it from here: http://blogs.technet.com/b/office_sustained_engineering/archive/2013/09/11/outlook-folder-pane-disappears-after-installing-september-2013-public-update.aspx

      But yeah, it does seem kinda confusing!

      • Mark in reply to Graham Cluley.

        September 17, 2013 at 12:07 pm #

        I reckon it's correct – between wouldn't include the top and bottom.

Leave a Reply