More trouble with Microsoft patches

Some Windows 2000 users apparently applied the wrong fix for a critical flaw, leaving their computers vulnerable while the users think they patched up.

Joris Evers Staff Writer, CNET News.com

Joris Evers covers security.

See full bio

Joris Evers

Oct. 21, 2005 6:41 a.m. PT

2 min read

Microsoft's latest batch of security fixes keeps causing trouble for some users.

A "critical" patch for a problem in a Windows component for streaming media, called DirectShow, apparently isn't as straightforward as Microsoft thought. Some Windows 2000 users have applied the incorrect patch, leaving their computers vulnerable even though they think they've patched up, Microsoft said Thursday.

"A limited amount of customers, who may have obtained the wrong security update for their version of DirectX, may think they are protected when, in fact, they are not," a Microsoft representative said in an e-mailed statement. "This only affects users who have selected the wrong package manually." DirectX contains DirectShow.

Microsoft on Wednesday published its second advisory in as many weeks for users to deal with trouble arising from this month's patch release. Last week the software maker said another critical patch could cause problems for users who changed specific Windows security settings.

The latest patching issue deals with the fixes in security bulletin MS05-050. The problem occurs when Windows 2000 users who have DirectX 8.0 or 9.0 mistakenly apply the patch for DirectX 7.0. The computer will still be vulnerable to the flaw, while the user won't be notified that the system is not updated, Microsoft said.

Windows 2000 users who obtain security patches automatically through Microsoft's patching tools or who accurately followed the steps in the security bulletin are protected, the Microsoft representative said.

Users probably applied the wrong patch because Microsoft's security bulletin was unclear, said Brian Grayek, chief technology officer at Preventsys, a vulnerability management company in Carlsbad, Calif. "The vendor, no matter who, has to be responsible for being crystal clear on remediation," he said.

While Microsoft could have perhaps published a clearer bulletin, administrators are ultimately responsible for their systems, said Susan Bradley, an independent security consultant and Microsoft Most Valuable Professional.

"At the end of the day Microsoft is not responsible for my network, I am," Bradley said in an e-mail interview. "If I don't have a clear understanding of what I have installed, whose fault is that?"

Microsoft offers guidance for Windows 2000 users who think they may have applied the wrong update in an article on its Web site.