Microsoft scrutinizes WSUS patch snafu

Computerworld - Microsoft Corp. yesterday confirmed it is investigating two-week-old reports from users unable to update client PCs using Windows Server Update Services (WSUS), but said that it is "premature" to assume the snafu had the same source as another patch glitch the company has grappled with since mid-June.

"Microsoft has issued [a] security advisory to inform customers of a non-security related issue that prevents updates from being distributed to client systems through WSUS 3.0 or WSUS 3.0 Service Pack 1 that have client systems with Office 2003 installed in their environments," said Bill Sisk, a spokesman for the Microsoft Security Response Center (MSRC), in an e-mail.

MSRC's advisory was posted to Microsoft's site Monday afternoon.

The WSUS bug was outlined nearly two weeks ago by Cecilia Cole, a WSUS program manager. At the time, Microsoft refused to say whether it would issue a security advisory for the WSUS problem, as it had the previous week for a similar-sounding bug that prevented corporations running System Center Configuration Manager 2007 (ConfigMgr) from pushing patches to some end users' machines.

Both problems, according to Microsoft, relate in some way to a June update to Office 2003 Service Pack 1 (SP1). But in a follow-up e-mail responding to a question today, Sisk said it is too early to connect the two to Office. "It is premature to conclude that the additional metadata that was added for Microsoft Office 2003 SP1 is the source of the problem for [the WSUS issue], being that we are still investigating," he said, claiming that the WSUS bug is "a separate issue" than the one with ConfigMgr.

Andrew Storms, director of security operations at nCircle Network Security Inc., who has been tracking a spate of problems with Microsoft's update mechanisms, thought differently. "It makes sense that Microsoft says that they haven't gotten to the cause, but the two seem to be related to the same root cause," said Storms.

He also tied the WSUS problem with one from November 2007, when the update server software returned errors to administrators just a day before that month's scheduled security updates. "It appears that we have a unique key constraint problem," said Storms, referring to this month's WSUS bug. "Probably, somewhere in the package deployments, we have two patches with the same key and the WSUS database is correctly enforcing unique identifiers. So either the package has bad data, or something is amiss with the master package distribution systems at Microsoft."

If bad data is, in fact, the cause, it could be within the same Office 2003 SP1 metadata that Microsoft has blamed for the ConfigMgr problem, Storms added.

"November [2007] was the first I remembered with problems like this with the update mechanism," Storms added. "Between November and July, there have been four or five issues. That's quite a bit."

In lieu of a fix, yesterday's advisory from Microsoft offered the same several-step workaround first provided by Cole that that requires users to remove approval for the Office 2003 SP1 update on each WSUS server. The MSRC did not promise a patch, saying only that it would "take appropriate action to resolve the issue" at some point.

"This is something they will have to fix before the next patch Tuesday," Storms predicted.

Microsoft's next release of security updates is scheduled for July 8.