Critical Microsoft Patches Cause Havoc

Stuart J. Johnston
PC World
Wednesday, May 24, 2006; 12:10 AM

Healer, heal thyself: This month three Microsoft security fixes ended up causing a lot of folks serious problems with Internet Explorer, Office, and Outlook Express.

A recent patch for Windows Explorer, distributed via Windows Update, essentially rendered Office unusable for many people, preventing them from opening or saving files. For others, IE's address bar refused to accept manually entered URLs.

The trouble mainly affected users who have the HP Share-to-Web program, which is no longer distributed. It came with HP PhotoSmart software, any HP DeskJet printer with a card reader, and HP scanners; some HP cameras and optical drives also bundled the software. And certain PCs running older nVidia graphics cards had problems as well.

Microsoft has issued a new patch via Windows Update. If you have Automatic Updates enabled, it will automatically determine if you need the "patched" patch. (See the tips below for more on configuring Automatic Updates.)

Meanwhile, a patch for IE plugged eight critical holes in the browser but also altered IE's behavior in response to an ongoing patent lawsuit brought by a California university. The update adjusts the way IE handles commonly used ActiveX controls, particularly for plug-ins such as the Macromedia Flash Player.

For the browser change to work correctly, Web sites have to make corresponding changes. Otherwise, every ActiveX control on a site requires an extra click to activate.

Microsoft has been trying to get the word out to Web site managers, but of course many of the millions of sites out there didn't get updated. And users, who received little notice about the change, were caught off guard when many sites suddenly seemed broken.

Microsoft released a temporary workaround that undoes the ActiveX control patch while leaving the security update intact. The fix is due to be phased out soon because of the continuing patent battle, but for now you can get it here.

As if those bugs weren't enough, users have reported that their Outlook Express 6 address book vanished after they installed a Microsoft security patch for that program.

Microsoft has said only that it is looking into the problem. Users on the company's forum say they were able to retrieve their address books by uninstalling the patch. Luckily, the bug it fixes isn't critical, so removing the patch seems to be an acceptable way to get OE's address book working again.

Avoid Patch Crash: Tips for Staying Safe

Don't let buggy patches goad you into disabling Automatic Updates. Instead, take charge with these steps.

1. Install at your command: Set Windows Update to automatically download patches, but to install them only when you say so. Open the Control Panel, choose System, and then click the Automatic Updates tab. Select "Download updates for me, but let me choose when to install them," and click OK.

2. Check for problems: When you're prompted to install patches, select Custom Install (Advanced) to see a short description of each patch, as well as its Microsoft Knowledge Base (KB) number. Use that KB number to search for any reported problems at Microsoft's Security Response Center Blog or the company's Windows Update security newsgroup.

3. Prep a rollback: Set a restore point before installing patches so you can always revert to a working configuration. You can also remove most patches via the Windows Add/Remove Programs utility, which lists the date and KB number for each installed patch as long as you check the Show Updates box up top. Remove critical patches only as a last resort.

Mozilla.org has patched a half dozen critical security flaws in its Firefox browser. Versions 1.5.0.2 and newer or 1.0.8 and newer will protect you. You can download the latest version of Firefox at www.getfirefox.com. For more info on the bugs, click here.

Found a hardware or software bug? Send us an e-mail about it at bugs@pcworld.com.


© 2006 PC World Communications, Inc. All rights reserved