For the second month in a row, Microsoft has withdrawn an update for introducing additional bugs. A day after its monthly Patch Tuesday updates for August, the company announced that the MS13-061 security update for Exchange Server 2013 contained a flaw that would cause the software to malfunction. The error was attributed to incomplete testing prior to release.
“Late last night we became aware of an issue with MS13-061 security update for Exchange Server 2013,” Microsoft’s Ross Smith IV wrote in a blog post detailing the flaw. “Specifically, after the installation of the security update, the Content Index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed.”
The issue does not affect Exchange 2010 or Exchange 2007. For those who had already installed the update, Microsoft suggested a workaround, and the company advised those who had not installed it to wait until the issue was resolved.
MS13-061 was released to address three publicly disclosed vulnerabilities in Microsoft Exchange Server that could enable remote code execution. The vulnerabilities related to the transcoding tool used to display file previews in Outlook Web App. The update was listed as critical. Smith acknowledged that the problem made it to release due to incomplete testing and noted that the company intends to increase its testing timeline to avoid such issues in the future.
Preventing problems in patches
This most recent patch withdrawal comes on the heels of four other recently rescinded patches, including three from July’s Patch Tuesday, IDG News Service noted. The company also withdrew a patch in December.
In a Q&A section of his blog post, Smith IV acknowledged that the company’s repeated struggles to improve its patch release quality have been a blow to some users’ trust and confidence. However, Qualys CTO Wolfgang Kandek told IDG News Service that users should not be overly critical of Microsoft and noted the challenge of ensuring software deployments work smoothly with every enterprise computing setup.
“I don’t see this as indicative of a larger quality control problem at Microsoft, but rather of a consequence of the high degree of variations that one encounters in the enterprise software market,” Kandek told IDG.
He advised businesses to try to stick to popular hardware and software configurations to increase the likelihood a patch has been tested against their specific setups. He also recommended testing the update in a controlled environment before performing a full rollout.
Nonetheless, Microsoft’s struggles with patches that contain flaws or vulnerabilities should also be a warning to developers about the importance of carrying out thorough testing and source code analysis of their updates before they are released. Even though a patch may correct one problem, it may interact with other parts of the code base in unexpected ways, making tools such as static analysis software invaluable for catching hidden logical errors. Organizations can enhance the quality of their software, both in its initial release and in subsequent patches, by taking the time to implement such precautions.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.