Microsoft’s MS06-015 patch was released on PatchDay, 11 April 2006. Depending on how you look at it, Security Update 908531 (Security Bulletin MS06-015) has been either a spectacular failure or a stunning success.

The Case for Spectacular Failure
PatchDay +4: Microsoft Security Response Chief Mike Reavey admitted that “an application could hang when conducting certain operations, like opening a file from the File-open dialog in an application.”

The scope of the disaster, Reavey figured, was limited to “some Hewlett Packard devices that so far appear to be consumer level.”

Users complained that the patch was so poorly documented, that there was no way to prepare for it.

PatchDay +7: Reavey acknowledged that the disaster was less contained than he had at first reported. “Changes introduced in MS06-015 could cause an application to stop responding during specific interactions with older versions of Hewlett Packard’s Share-to-web software utility, or older NVIDIA video card drivers.”

He pointed the afflicted to Knowledgebase Article 918165 for succor, where additional symptoms were noted. Registry edits were suggested for those experiencing any or all of these troubles:

  • Some files cannot be opened or saved in folders like My Documents or My Pictures, and attempting to do so can actually lock up the applications that try it.
  • Clicking Open on the File menu stimulates an application lock-up.
  • Nothing happens when you type an address in the Address box in Microsoft Internet Explorer, right-click a file and then click Send To, or expand a folder in Windows Explorer.

Luckily, those who tried 918165 reported that they were able to restore functionality to Excel, Outlook, and Word… by removing the 918165 registry edits.

PatchDay +10: As the slow motion train wreck progressed, Stephen Toulouse took over for Reavey: “We’re seeing around 95% of the current customer issues being addressed by implementing the steps specific to the Hewlett Packard Share-to-web software, but we wanted to make sure we were providing the info on how limited the scope of the problem with older NVIDIA drivers is as well.”

PatchDay +14: Toulouse announced Microsoft’s second stab at MS06-15 and advised, “If you are configured for Automatic Update, no need to take any actions. It will detect if you have the problem and deliver the update to you. If you have not yet installed MS06-015, the revised version will be offered to you.”

But then, Auto Update carries its own baggage. An earlier Email Battles report, Does Windows Patch Without Permission?, documented user complaints that Windows had automatically updated itself without permission.

Ironically, the only Windows users who are truly safe from Microsoft-inflicted disasters like MS06-015 are those who can manage to prevent Automatic Update from functioning.

And as for that poor documentation? Reavey claims it’s a feature, as “providing more detail on internal product changes could serve to aid attackers.”

…Or users.

The Case for Stunning Success
For users and administrators, the MS06-015 debacle serves up a powerful reminder that, by allowing blind updating of Windows by the Perpetrator, you open your system to trouble you otherwise wouldn’t have.

Instead, wait a few days after a patch release, then check the body count before patching.

Of course, that requires a level of security management that few of today’s users are willing or able to apply.

Amidst it all, Microsoft wants to be your security company. Scary, isn’t it?

Email Battles Backgrounder: