Gartner warns of Microsoft patch issues

Gartner has warned that Microsoft's latest update will require some planning before implementation

Enterprises need to tread very carefully as they begin deploying Microsoft's latest security patches as the bug fixes include non-security update code which changes the way in which Internet Explorer interacts with ActiveX, Gartner warned yesterday.

According to an advisory written by Gartner analysts Amrit Williams and Michael Silver the update will require some planning before implementation.

The warning comes after Microsoft's recent release of patches that address 10 security issues, including the highly publicised 'createTextRange' vulnerability that is being actively exploited.

However, this latest update, MS06-013, also changes the way in which Internet Explorer interacts with ActiveX code. The change was made to address patent litigation with Eolas Technologies.

A non-security update for IE modifies the browser to allow it to bypass a patent owned by Eolas, Gartner's advisory explained, changing the way that IE users interact with ActiveX controls.

For controls that display content, such as Adobe's Flash, the control loads normally, but before the user can interact with the control, he or she must click to 'activate' it.

To avoid this behaviour, an HTML authoring change must be made by altering the inline object, applet or embed tag so that it is dynamically generated with script.

"Organisations should expect this security update to have a greater impact than past security patches, and should prepare for this change prior to deploying the patch," the analyst firm warned.

More information on this change can be found at Microsoft's IE update web page.

"Controls must be activated every time a user browses to a web page that does not have this server-side change," explained Gartner.

"Organisations that use ActiveX code in their web applications may need to make the server-side changes to their ActiveX code. Also, users should be informed of the changes to IE so that they will not needlessly burden internal support with questions."

To further complicate matters Microsoft has also released a compatibility patch that temporarily reverts the patent-affected IE modifications.

Organisations that are not prepared for the IE change may deploy this patch on top of MS06-013, but they will need to prepare for the change in the next cumulative IE update which will overwrite the compatibility patch, Gartner noted.

That change is scheduled for release by June 2006. Because patch management systems will not pick up the compatibility patch, users will need to deploy it though other means, such as software distribution products or log-in scripts.

Gartner is advising enterprises to update to the latest security patches and prepare for the IE modifications.

However, those firms which determine that the non-security update is too intrusive at this time should ensure that they download the compatibility patch to address the security issues from Microsoft's security website.