Microsoft Pushes Non-Security Security Update
- By Stephen Swoyer
- May 23, 2007
What do you want first, the bad news or the good? Let's start with the bad: Microsoft Corp. last night released a new security advisory, the second this week. The good news is that it doesn't actually deal with a known exploit, worm, or virus. In other words, it doesn't technically deal with security at all.
Instead, last night's advisory concerns the release of a new fix for the Windows Installer (MSI). In spite of its nonsecurity status, Microsoft says the MSI patch is a "high priority" security update because it fixes a memory leak that can cause resource utilization levels to spike when users scan their systems using either Windows Update or Microsoft Update. The bug is the cause of several known issues, according to Microsoft. In some cases, Windows becomes unresponsive and CPU usage for the svchost process spikes to 100 percent. In other cases, users might receive an access violation error in svchost.exe. (This usually causes the Windows Server and Workstation services to stop.) In still other cases, Windows Update or Microsoft Update take hours to complete.
Call it self-imposed denial-of-service (DoS), of a sort.
"This update applies to currently supported versions of Windows except Windows Vista," wrote researcher Christopher Budd on the Microsoft Security Response Center (MSRC) blog. Although Microsoft plans to push the fix via Windows Update and Microsoft Update, it doesn't expect any Catch-22-worthy irony.
"I want to note that this update will install correctly even if you're experiencing this issue. However, the issue may prevent you from installing other updates (including security updates) until you apply this new update, so we encourage customers to apply this right away," Budd explained.
Nor does Microsoft see any irony in its having released a security advisory that deals with a non-security update.
"Security advisories address security changes that may not require a security bulletin but may still affect customers' overall security," the advisory stated. "In this case, we are communicating the availability of an update that affects your ability to perform subsequent updates, including security updates. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security."