For some reason I felt the need today to run Microsoft Update (big brother to Windows Update) on my Windows XP computer. No particular reason, just felt it in my bones, even though I had run it recently. Sure enough, it found a missing bug fix. It thinks the bug fix is critical, me, I'm not so sure.
Anyone who runs Windows Update manually, as I do, knows not to trust it all that much. It has, for example, found missing patches for software that was not installed. In April, I blogged about how, converting a secure computer into an exploitable one.
This particular bug (a.k.a. KB932823) doesn't seem at all critical. The sole extent of the problem (see You may be unable to use Windows Internet Explorer 7 to download files on a computer that is running Windows Server 2003 or Windows XP) is that Internet Explorer 7 may not download a file when requested to do so. Here is the problem symptom, as described by Microsoft:
"You may be unable to use Windows Internet Explorer 7 to download files on a computer that is running Windows Server 2003 or Windows XP. For example, after you click Save in the File Download dialog box, the file is not downloaded."
In other words, it's not a security related thing at all.
And, there are two workarounds. One, provided by Microsoft in the problem description, involves configuring Advanced Text Services. The other is simply running another web browser.
The patch for Windows XP was released May 28th, but the problem description was last reviewed 2.5 months ago. I searched Microsoft's website and found nothing new written about it. Microsoft tracks the latest security updates here. It was last updated May 13th and says nothing about the release of KB932823 on May 28th. The Microsoft Update Product Team blog also says nothing about this bug fix. Not exactly a hot item.
Microsoft releases patches once a month, on what us nerds call Patch Tuesday. For a bug fix to be released immediately, as opposed to waiting for the next Patch Tuesday, it has to be the most critical of the critical. Doesn't happen often. And, apparently, should not have happened now. By all measures, this is a trivial dinky problem.
Still, why not just let Windows/Microsoft Update install the patch anyway?
For one thing, any time you install software you are taking a risk. That Microsoft released this as an immediate critical patch makes it fairly obvious they don't have their act together, so I would trust this patch even less than normal.
And, there have been reports that this patch has caused problems (here and here and here). Then again, these problem reports have to be taken with a grain of salt, unless you know the people reporting them.
The bug, it seems to me, is with Windows/Microsoft Update, rather than with IE7.
Update June 2, 2008: Seefor more on this.