Software update snafus block Microsoft patches

Microsoft Corp. scrambled last week to fix a flaw -- or multiple flaws -- in two of its patch-distribution tools after some systems administrators reported that they had been blocked from installing its latest batch of security updates on PCs.

The problems, which Microsoft first acknowledged late on the night of June 13, affected admins who use the company's System Center Configuration Manager 2007 software to update PCs running its Systems Management Server (SMS) 2003 client.

After initially recommending a work-around that involved using Configuration Manager's software-distribution feature to roll out the seven security fixes it issued June 10, Microsoft last Tuesday released an update to the systems management software itself.

But then on Wednesday, Microsoft disclosed via a blog post that its Windows Server Update Services (WSUS) tool was being blocked from distributing updates to PCs running Office 2003 or pieces of the desktop application suite. The blog post detailed a multistep work-around for WSUS users.

In both cases, the company said that the update snafus stemmed from recent changes related to Office 2003 Service Pack 1. But a Microsoft spokesman wouldn't comment on whether the troubles with the two tools were caused by the same problem, saying only that the vendor was "actively investigating."

Andrew Storms, director of security operations at software vendor nCircle Network Security Inc., said he couldn't think of earlier instances of a single flaw affecting both WSUS and the more sophisticated Configuration Manager software.

The two tools use completely different update approaches, according to Storms. Like SMS 2003, which it replaced, Configuration Manager lets IT staffers automatically push updates to PCs, he said. In contrast, WSUS stores the updates on a server and then relies on PCs to download them via Microsoft's Windows Update client.

Microsoft issued a security advisory about the bug in Configuration Manager, saying that it could affect the "overall security" of users by hampering their ability to install software updates.