Thursday, October 22, 2009

October Patch Disables Office Communications Server

After a mammoth Patch Tuesday rollout last week, Microsoft now finds itself responding to problems with a fix for Office Communications Server (OCS) and Live Communications Server (LCS).

Right now, the cure may be worse than the bug. The patch causes OCS and LCS licenses to expire prematurely. Microsoft is recommending that IT pros hold off on applying the security bulletin until the kinks are worked out, or apply it to a test installation first.
The security fix -- MS09-056: "Vulnerabilities in CryptoAPI could allow spoofing" -- addresses flaws in how Windows CryptoAPI parses X.509 certificates, which could let an attacker spoof a trusted identity. Developers rely on CryptoAPI to provide certificate validation and other cryptographic services to Windows-based applications.

Users discovered the problem after OCS -- one of the main components of Microsoft's unified communications product line -- failed to start after applying the fix. Thus, a patch designed to thwart spoofing gave some IT pros a spoof of a different kind.

Upon investigation, some IT administrators noticed that the OCS product reported itself as expired -- as if it had passed its 180-day trial period. However, these installations were fully licensed, not trial versions. The update apparently resets the product's recorded expiration date, though Microsoft has not yet said how.

Phil Lieberman, president and founder of Lieberman Software, speculated that the way some enterprises have configured OCS in their stack allows for this type of mishap to happen.

"This patch disaster is a perfect example of why phone equipment is generally provided as an embedded system that does not receive automatic updates over the Internet," Lieberman said. "The whole way that OCS is installed, packaged, updated and interfaced represents a break from the rest of the telecom industry. In my opinion, tying telecom systems (like OCS) into the public Internet and allowing them to autonomously receive updates is nuts."

For its part, Microsoft cautions in an updated knowledgebase article 974571 that "services required by Communications Server are not started after users install the security update and then restart the computer." This is particularly the case, Redmond said, for users running Live Communications Server 2005 or Office Communications Server 2007.
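The symptom Microsoft describes -- update installed, server rebooted, Communications Server services left stopped -- is easy to check across a fleet before deciding whether to hold or roll back. The following PowerShell script is an added example, not from the article, Microsoft or the KB article. It assumes WMI is reachable on each host, that the update shows up as KB974571 in Win32_QuickFixEngineering (the number is the one the article cites), and that the front-end service is named RTCSRV; that service name and the host names are assumptions, so adjust them to your own deployment.

```powershell
# Added example: list Communications Server hosts where the MS09-056 update
# (KB974571) is installed but the front-end service is not running after reboot.
# Assumptions: WMI remoting is permitted; the OCS/LCS front-end service is
# named RTCSRV (edit $ServiceNames for your servers); host names are constructed.

$Servers      = @("ocs-fe01", "ocs-fe02")   # constructed host names
$HotfixId     = "KB974571"
$ServiceNames = @("RTCSRV")

foreach ($server in $Servers) {
    # Win32_QuickFixEngineering is available on Server 2003 / PowerShell 1.0,
    # so this works on the LCS 2005 and OCS 2007 hosts the KB article names.
    $installed = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $server |
        Where-Object { $_.HotFixID -eq $HotfixId }

    foreach ($name in $ServiceNames) {
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $server -Filter "Name='$name'"
        if ($svc -eq $null) { continue }   # this role is not installed here

        if ($installed -and $svc.State -ne "Running") {
            # The KB 974571 symptom: patched, rebooted, service still down.
            Write-Output ("{0}: {1} installed, {2} is {3} - likely affected; hold or roll back" -f
                $server, $HotfixId, $name, $svc.State)
        } else {
            $patchState = if ($installed) { "patched" } else { "unpatched" }
            Write-Output ("{0}: {1}, {2} is {3}" -f $server, $patchState, $name, $svc.State)
        }
    }
}
```

Run it from a management host before and after the deployment window; a host that reports "patched" with the service stopped matches the failure described in the KB article and should be held back from the production pool until Microsoft's revised update is available.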

On the whole, this is a case where a patch broke the functionality of a product, according to Jason Miller, security and data team leader at Shavlik Technologies.

"This is a prime example of why administrators should test each patch before rolling it out to their networks," Miller said.

If administrators don't want to risk OCS freezing up or going down, then they shouldn't install the patch and should wait until Microsoft releases a new one, Miller advised. For those applying the patch, Miller said that even though installing it may "break functionality" in OCS, it still mitigates the spoofing risk, at a potential operational cost to the organization.

"There are a lot of reports of companies uninstalling this patch on these systems," Miller added. "These companies rely heavily on voice over IP, conferencing and instant messaging. Having this asset nonfunctional for any amount of time cannot be accepted in those organizations."

A similar product expiration issue was seen in May with SharePoint Server 2007, although it happened with early installations of Service Pack 2. The update reset the product's licensing, making it seem as if it were a trial version of the software. Microsoft has since fixed that problem.
