Patch Tuesday headaches and dog food

As I mentioned in last week’s post, we should not get bored with Microsoft's Patch Tuesday as the fun has just begun. In that post, I mentioned that patch MS13-061 was interesting because it related to a vulnerability that was dependent on a Microsoft technology, Outside In, and an Oracle middle-ware component.

If that was not compelling enough, or even a little concerning, Microsoft acknowledged problems with knowledgebase articles KB 2876063, KB 2859537, KB 2873872, KB 2843638, KB 2843639 and KB 2868846, all of which relate to Microsoft's Patch Tuesday update MS13-061.

This update to Exchange Servers 2007, 2010 and 2013 attempted to resolve an issue with a Plug-in technology that allowed for a variety of file formats to be previewed within Outlook's OWA online email viewer. Unfortunately, almost as soon as the Microsoft update was released, complaints were raised that the update caused a number of issues including, breaking the content index for Exchange, which would have led to very poor performance on the Exchange email database. The MS13-061 update has been revoked and is no longer available for download.

The Microsoft Exchange Server team has come clean about the issue and posted an update on their Exchange Team blog, which describes the situation as:

"Late last night we became aware of an issue with MS13-061 security update for Exchange Server 2013. Specifically, after the installation of the security update, the Content Index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed."

There is good news for the slow adopters out there; Exchange Server versions 2007 and 2010 are not affected by the problems with this patch.

In addition to detailing the issues and complaints regarding this update to Exchange Server, the Exchange team provided an update on how this patch problem occurred. The team explained in the same blog post that they did not progress through their own testing and usage process as described here:

"Unfortunately, this security update did not get deployed into our dogfood environment prior to release."

This is a little unfortunate, as this update cannot be removed once the target system has been updated.

If you held off patching your systems and are worried about the potential security vulnerability, Microsoft has offered a workaround command for those running a PowerShell command with Administrator privileges:

Get-OwaVirtualDirectory | where {$_.OwaVersion -eq 'Exchange2007' -or $_.OwaVersion -eq 'Exchange2010'} | Set-OwaVirtualDirectory -WebReadyDocumentViewingOnPublicComputersEnabled:$False -WebReadyDocumentViewingOnPrivateComputersEnabled:$False

For those who already patched their systems, Microsoft is offering KB 2879739, a registry update that resolves an issue with the Patch process.

Unfortunately, for some enterprise clients this update will cause additional headaches, including the Exchange team’s decision to delay the Exchange 2013 Cumulative Update (CU3) release by several weeks. Also mentioned in its blog post, the Exchange team ensured that future releases will progress through their own team-based usage and testing process, also known as dogfooding. In essence, the Exchange team promises to deploy (and use) their updates to their own systems before sending those patches over to our systems. Seems fair, eh?

Moving forward, we must remember that patching and updating our systems is a discipline that requires skilled professionals, rigor and processes for patch deployments, and most notably, the handling of updates that must be revoked, including IT professionals’ worst nightmares – the dreaded uninstall. 

This article is published as part of the IDG Contributor Network. Want to Join?

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon