The days following a Microsoft security update are typically followed by reports of deployment problems, and this month is proving to be no exception. Since the software giant's May 8 patch rollout, various blogs and discussion boards have been full of reports about everything from DNS service failures to Windows Server Update Services (WSUS) malfunctions.
At least one IT professional reported that after applying this month's patches to a bunch of domain controllers, the DNS service on one of them was failing repeatedly.
"I have it set to recover, so it comes back on, but it fails again after a few minutes," he said in a patch management email forum hosted by Roseville, Minn.-based Shavlik Technologies.
Meanwhile, Susan Bradley, a Microsoft MVP and IT administrator at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif., wrote in her MS07-027, a cumulative update for Internet Explorer.
She said there are two issues with the patch -- Some Windows 2000 machines were being offered a 2004 patch, and some Vista machines were getting a "navcancl" error message after patching. As a temporary solution, she recommended IT administrators start Internet Explorer 7 using the following commands: start->run iexplore.exe -nohome -extoff; then right click on the toolbar area and click the menu bar if it's disabled; and then select tools->options->advanced->security->disable phishing filter.
Even though the Internet Explorer patch is rated critical, she said IT administrators should not hurry it onto their systems at the expense of thorough testing.
"Even after you patch it your browser will [still] have security issues and if you have other mitigations in place, the rush should not be on to be the first to install," she wrote in her blog. She said administrators should remember they are "installing changed code on a system that Microsoft CANNOT fully test for because they DO NOT have your system, your software, your surfing habits, etc."
Administrators are also reporting problems with WSUS following Microsoft's Tuesday patch release, which addressed 19 flaws that included a zero-day DNS server flaw and flaws in Microsoft Exchange, Internet Explorer, Microsoft Excel, Word and Office.
The WSUS team has been dealing for some time with a problem they call the 'svchost/msi issue.' One of the problems here is that during automatic patch updates on a Windows XP machine, CPU usage goes into overdrive. "Of course, the computer is virtually unusable" when that happens, someone using the name Foxy-Perth wrote on the Windows Update support forum.
The problem persists even though Microsoft has tried to address it will a hotfix.