Beware of MS06-013, not just a security fix
Posted by jkouns
About a week ago I started receiving emails from vendors warning that if the upcoming Internet Explorer patch was installed it would break all of their applications. Some of the emails were fairly detailed and even explained that once the patch was installed there was no going back since it could not be uninstalled. I had not heard of anything prior to the emails but figured this month was going to be extra painful.
When reading the details for MS06-013 it becomes clear fairly quickly that something is a bit off with this one, once you get to the Caveats section.
From Microsoft’s website:
Caveats: Microsoft Knowledge Base Article 912812 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 912812. […] Compatibility Patch – To help enterprise customers who need more time to prepare for the ActiveX update changes discussed in Microsoft Knowledge Base Article 912945 and included in Microsoft Security Bulletin MS06-013, Microsoft is releasing a Compatibility Patch on April 11, 2006. As soon as it is deployed, the Compatibility Patch will temporarily return Internet Explorer to the previous functionality for handling ActiveX controls. This Compatibility Patch will function until an Internet Explorer update is released as part of the June update cycle, at which time the changes to the way Internet Explorer handles ActiveX controls will be permanent. This compatibility patch may require an additional restart for systems it is deployed on. For more information, see Microsoft Knowledge Base Article 917425.
It appears that Microsoft has packaged a non-security change with the “Cumulative Security Update”: a change to the way Internet Explorer handles ActiveX controls, made in order to get around a recent patent lawsuit. The spin on including it in a security patch appears to be increased ActiveX security.
The bottom line is that if you want to patch Internet Explorer this month, there is a good chance you will also break quite a few applications, because this other change has been packaged with the update. It appears to be impossible to get a patch that just corrects the vulnerabilities. Ah, but there is some hope: Microsoft did release that “Compatibility Patch”, which gives you until the June update to fix everything!
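Since the compatibility patch only postpones the change, the first thing an admin needs is an inventory of which hosts already have the cumulative update (KB912812) and which also have the compatibility patch (KB917425). Here is an added example of such a check, written by the editor and not taken from the post or from Microsoft; the KB numbers are the ones named in the bulletin text above, the host list is a constructed placeholder, and it assumes the updates are recorded in Win32_QuickFixEngineering the way XP/2003 hotfixes normally are (if a host does not list IE updates there, check Add/Remove Programs or HKLM\SOFTWARE\Microsoft\Updates instead).

```powershell
# Added example (editor's code, not from the original post): report, per host,
# whether MS06-013 (KB912812) and the ActiveX Compatibility Patch (KB917425)
# are installed, so you know where the new ActiveX behaviour is already live.
$hosts   = @('localhost')               # assumption: replace with your own host list
$updates = @('KB912812', 'KB917425')    # KB numbers taken from the MS06-013 bulletin text

foreach ($h in $hosts) {
    try {
        # Win32_QuickFixEngineering lists installed hotfixes by their KB id
        $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $h -ErrorAction Stop
    } catch {
        Write-Warning "$h : WMI query failed ($($_.Exception.Message))"
        continue
    }
    $installed = $qfe | ForEach-Object { $_.HotFixID }
    $has = @{}
    foreach ($kb in $updates) { $has[$kb] = [bool]($installed -contains $kb) }

    # Interpretation of the three states that matter for this bulletin:
    #  - cumulative update present, no compat patch: permanent ActiveX change is in effect
    #  - both present: old ActiveX behaviour restored until the June IE update
    #  - cumulative update absent: the IE vulnerabilities fixed by MS06-013 are still open
    $state = if ($has['KB912812'] -and -not $has['KB917425']) {
                 'MS06-013 installed, new ActiveX handling active'
             } elseif ($has['KB912812']) {
                 'MS06-013 installed, compat patch (KB917425) active until June update'
             } else {
                 'MS06-013 NOT installed, IE still vulnerable'
             }
    '{0,-20} {1}' -f $h, $state
}
```

Run it from an account with remote WMI rights on the target hosts; hosts that show the first state are the ones where vendor applications will already be affected, and hosts in the second state are the ones you have until June to sort out.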
What am I missing here?
Here is a good article that explains the issues.

Interestingly enough, this is not surprising!!! As you may have read online, Microsoft has also helped write a new law in Oklahoma which is up for vote. While the law is intended to cover spyware and its invasive nature, they managed to include the following in the law: “If you click that ‘accept’ button on the routine user’s agreement, the proposed law would allow any company from whom you bought upgradable software the freedom to come onto your computer for ‘detection or prevention of the unauthorized use of or fraudulent or other illegal activities in connection with a network, service, or computer software, including scanning for and removing computer software prescribed under this act.’”
So this doesn’t really surprise me. Microsoft has been engaging in some interesting activity lately. I think the IE update mentioned here is a bit shady. It’s a tough choice: either break application support or stay potentially vulnerable to a pretty nasty bug. I find it somewhat irresponsible of Microsoft to put customers at a crossroads decision such as this.
http://www.eweek.com/print_article2/0,1217,a=175694,00.asp
Microsoft’s Security Disclosures Come Under Fire, April 13, 2006, by Ryan Naraine:
Is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins?
Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of “misleading” customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11.
[..]
See Matt’s blog entry: http://blogs.securiteam.com/index.php/archives/394
Also Marc Bevand’s comments: http://archives.neohapsis.com/archives/dailydave/2006-q2/0062.html