Microsoft’s latest batch of security fixes keeps causing trouble for some users.
A “critical” patch for a problem in a Windows component for streaming media, called DirectShow, apparently isn’t as straightforward as Microsoft thought. Some Windows 2000 users have applied the incorrect patch, leaving their computers vulnerable even though they think they’ve patched up, Microsoft said Thursday.
“A limited amount of customers, who may have obtained the wrong security update for their version of DirectX, may think they are protected when, in fact, they are not,” a Microsoft representative said in an e-mailed statement. “This only affects users who have selected the wrong package manually.” DirectX contains DirectShow.
Microsoft on Wednesday published its second advisory in as many weeks for users to deal with trouble arising from this month’s patch release. Last week the software maker said another critical patch could cause problems for users who changed specific Windows security settings. The latest patching issue deals with the fixes in security bulletin MS05-050. The problem occurs when Windows 2000 users who have DirectX 8.0 or 9.0 mistakenly apply the patch for DirectX 7.0. The computer will still be vulnerable to the flaw, while the user won’t be notified that the system is not updated, Microsoft said. Windows 2000 users who obtain security patches automatically through Microsoft’s patching tools or who accurately followed the steps in the security bulletin are protected, the Microsoft representative said.
Users probably applied the wrong patch because Microsoft’s security bulletin was unclear, said Brian Grayek, chief technology officer at Preventsys, a vulnerability management company in Carlsbad, Calif. “The vendor, no matter who, has to be responsible for being crystal clear on remediation,” he said.
While Microsoft could have perhaps published a clearer bulletin, administrators are ultimately responsible for their systems, said Susan Bradley, an independent security consultant and Microsoft Most Valuable Professional.
“At the end of the day Microsoft is not responsible for my network, I am,” Bradley said in an e-mail interview. “If I don’t have a clear understanding of what I have installed, whose fault is that?”