When to install a patch is not always obvious

Three days ago (August 2nd) Microsoft released a fix (KB2286198, security bulletin MS10-046) for a critical vulnerability in the way Windows handles shortcut (.lnk) files. Everyone who wrote about the patch said to install it. They were wrong, at least on the timing.

Of course, the patch needs to be installed, eventually. There was, and is, however, no rush. In fact, waiting is the smarter approach.

It's safe to wait because Microsoft had already provided a work-around with one of their Fixit zaps. The work-around stops the Windows shell from rendering shortcut icons, which is what the vulnerability abuses. After installing it, desktop icons became ugly white boxes (a section of a Windows 7 desktop is shown below), but the computer was safe. There was no immediate danger of infection from this particular vulnerability.

[Image: section of a Windows 7 desktop with the white, icon-less shortcuts produced by the Fixit work-around]

I've been a techie for a long time and experience has taught me not to rush to install software -- even something as enticing as a fix for a critical bug in all versions of Windows.

Why not? 

Most likely, Microsoft did a competent job on the patch and it fully fixes the problem. But this isn't always the case. There have been instances where a patch fixed only part of the problem, and that may not come to light for a few days.

But the biggest issue is out of Microsoft's control: compatibility with the thousands upon thousands of applications used by people running Windows. They can't test everything.

This particular patch offered plenty more reasons to wait.

For one, there was confusion about the patch installation procedure. Writing in Computerworld, Gregg Keizer said:

The company also told users who had deployed a recommended workaround -- which involved disabling the displaying of all shortcuts -- to undo that workaround after applying the patch. Scattered reports on the Web, however, have noted problems unless the workaround is reversed before the patch is applied.

Brian Krebs, who first publicized the vulnerability, said to undo the Fixit before installing the patch. Larry Seltzer, at PC Magazine, said to undo the Fixit after installing the just-released patch, as did Steve Gibson.*

Then too, Keizer went on to warn that

Because Microsoft's patch results in a new version of Shell32.dll being pushed to users, the quality of the update will be important: Shell32.dll is a crucial Windows library file that contains numerous Windows Shell API (application programming interface) functions. If it's flawed, or incorrectly updated on some machines, PCs will lock up with the notorious Blue Screen of Death.

Sure enough, Brian Krebs reported "After I applied this patch and rebooted the system, Windows Explorer stalled, leaving Windows unresponsive." So too, Costin Raiu of Kaspersky warned "we have received some reports which seem to indicate some problems ... during the first reboot, the Explorer CPU usage goes skyhigh and it needs to be restarted to work."

Taking stock:

  1. There is no immediate danger (assuming the Fixit zap was installed)
  2. There is confusion over the installation procedure (undo the Fixit before, or after, the patch?)
  3. The patch replaces a critical Windows file (Shell32.dll)
  4. Problems were reported on the first day
  5. It is impossible to know, on day one, about incompatibilities with third-party software

Waiting is the Defensive Computing thing to do.
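Whichever order you settle on, the first thing to know is which of the four possible states a given machine is actually in: patched or not, Fixit still active or not. The PowerShell script below is an added example, not code from the original post or from Microsoft. It uses Get-HotFix to see whether KB2286198 is installed and inspects the shell's shortcut icon-handler registry keys to see whether the work-around is still in place. The key paths and the normal handler CLSID are taken from Microsoft Security Advisory 2286198, which this post does not reproduce; treat them as assumptions to verify against the advisory on your own systems.

```powershell
# Added example (not from the original post): report where this machine stands
# on KB2286198 and the shortcut-icon Fixit, so you can decide whether to patch,
# undo the Fixit, or keep waiting.
#
# Assumption (from Microsoft Security Advisory 2286198, not from this post):
# the Fixit work-around blanks the (Default) value of the IconHandler keys for
# .lnk and .pif files. On an unmodified system that value is the shell's
# standard shortcut icon handler CLSID below.

$kb             = 'KB2286198'
$defaultHandler = '{00021401-0000-0000-C000-000000000046}'
$handlerKeys    = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)

# 1. Is the patch installed? Get-HotFix reads Win32_QuickFixEngineering and
#    works on Windows 7 / PowerShell 2.0 without elevation.
$patched = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

# 2. Is the work-around still active? A missing or empty (Default) value on
#    either key means the shell is not loading the shortcut icon handler.
$workaroundActive = $false
foreach ($key in $handlerKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $value = if ($props) { $props.'(default)' } else { $null }
    if ([string]::IsNullOrEmpty($value)) {
        $workaroundActive = $true
    } elseif ($value -ne $defaultHandler) {
        # Something other than the stock handler: worth a look, but not the Fixit.
        Write-Warning "$key points at an unexpected handler: $value"
    }
}

# 3. Report the state and the action that follows from it.
switch ("$patched/$workaroundActive") {
    'True/True'   { 'Patched, Fixit still active: run the Fixit undo so shortcut icons come back.' }
    'True/False'  { 'Patched, Fixit undone: nothing further to do.' }
    'False/True'  { 'Not patched, Fixit active: protected against this vulnerability; waiting is fine.' }
    'False/False' { 'Not patched, no Fixit: exposed. Apply the Fixit now and patch when you are ready.' }
}
```

Run it before and after applying the patch. The "exposed" branch is the only one that calls for action the same day; the other three are exactly the situations the post argues can wait until the compatibility reports have come in.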

But I'm in the minority. Andrew Storms, director of security operations at nCircle Security, "didn't think there was anything to worry about," according to Keizer. Larry Seltzer said to "Make sure to apply the update that Microsoft released today." Steve Gibson said "absolutely, you want to get this patch installed."

Also among those advising on August 2nd to rush out and install the patch was Aryeh Goretsky of ESET, the company that makes the NOD32 antivirus program. In a blog posting he wrote:

We recommend that people begin deploying the patch as soon as possible. While ESET’s software protects against the malware currently known to exploit this vulnerability, installing Microsoft’s patch closes the vulnerability on the operating system.

Then came this from ESET on August 3rd, a knowledge base article titled "Microsoft security update (KB2286198) for Windows 7 hangs or causes a BSOD on restart", which says:

If you are experiencing a system hang or blue screen error after attempting to install Microsoft security update (KB2286198), you will need to update your ESET security product. This issue is due to a potential conflict with the Windows update and ESET NOD32 Antivirus and ESET Smart Security. Downloading a new ESET virus signature update (version 5338 and later) will resolve this issue.

ESET customers who rushed out and installed the Windows patch got screwed. Those who waited gave the company time to find and fix the incompatibility.

This is not to pick on ESET. Rather, it's an example of the unknown incompatibilities that accompany any software upgrade.

[Image: section of a Windows XP desktop showing the same white shortcut icons]

A number of people are running NOD32 at my recommendation. None of them installed the Microsoft patch the day it was released, or the next day, or the day after that. A few more days of ugly white icons won't hurt anyone.

*Not that it matters, but I don't blame any of these people; I blame Microsoft. They need to be brutally clear and up-front about the installation procedure for the patch, both when running Windows Update and when manually installing from a downloaded EXE.

Copyright © 2010 IDG Communications, Inc.