Patch Tuesday - some findings on impact on applications
ChangeBase AOK Application Compatibility Lab Results – Patch Tuesday Update.
August 13th 2008
As part of the August release of the regularly scheduled Microsoft Updates, there are currently eleven patches being released; six with the maximum rating of Critical and related to the Windows operating system and five with the maximum rating of Important that are related to Office. We have used AOK to test for the Windows patches
It should be noted that patch MS08-047 relates to VISTA. The other five relate to XP (SP1/2/3)
Here is a brief summary of the patches that affect the Microsoft Windows operating system;
1) Microsoft Security Bulletin MS08-045
Description: Cumulative Security Update for Internet Explorer (953838). This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability. All of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
2) Microsoft Security Bulletin MS08-046
Description: Vulnerability in Microsoft Windows Image Colour Management System Could Allow Remote Code Execution (952954). This update resolves a privately reported vulnerability in the Microsoft Image Colour Management (ICM) system that could allow remote code execution in the context of the current user.
3) Microsoft Security Bulletin MS08-047
Description: Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733). This update resolves a privately reported vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied.
4) Microsoft Security Bulletin MS08-048
Description: Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733). This update resolves a privately reported vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied. This vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text.
5) Microsoft Security Bulletin MS08-049
Description: Vulnerabilities in Event System Could Allow Remote Code Execution (950974). This update resolves two privately reported vulnerabilities in Microsoft Windows Event System that could allow remote code execution.
6) Microsoft Security Bulletin MS08-050
Description: Vulnerability in Windows Messenger Could Allow Information Disclosure (955702). This security update resolves a publicly reported vulnerability in supported versions of Windows Messenger. As a result of this vulnerability, scripting of an ActiveX control could allow information disclosure in the context of the logged-on user.
Note: These are not all of the patches that have been released by Microsoft today as the following only apply to Microsoft Office products;
• Microsoft Security Bulletin MS08-042
• Microsoft Security Bulletin MS08-041
• Microsoft Security Bulletin MS08-043
• Microsoft Security Bulletin MS08-051
• Microsoft Security Bulletin MS08-044
We have used the ChangeBase AOK Workbench to analyse each of the Windows patches against a sample of approximately 700 unique application packages with the intention of providing some insight into the following questions;
1. What patches when released are likely to cause my applications to fail?
2. What patches contain files and settings shared by individual applications I am running?
For clarity, a number of software vendors and developers use shared Microsoft code in their applications – for example subsets of IE7. Hence if this embedded code for example has a security issue that the patch is resolving the application will need checking by the software vendor or in house development team.
3. Which applications have a dependency on the software that has been updated? For example many applications use Internet Explorer as part of their functionality – say to produce a management report. If Microsoft update IE7 with a new patch this can cause problems when this action is carried out in the software application
4. What order should I test my applications?
5. What patches should I test most and why?
Results
The following table details the results from the ChangeBase AOK Patch Impact Analysis and includes information on what application packages in the sample portfolio;
• What is the total number of applications affected by each patch?
• What applications also include files and configuration data that were embedded in the patch update?
• What applications had specific dependencies on changes includes in these updates
No of apps %age number with shared number
apps affected code with dependancies
MS08-045 585 32% 3 235
MS08-046 12 <1% <1% N/A
MS08-047 6 <1% <1% N/A
MS08-048 20 <1% <1% N/A
MS08-049 7 <1% <1% N/A
MS08-050 9 <1% <1% N/A
Special Notes:
• MS08-046 Security Update for Windows Server 2003 raised a specific driver issues with Fujitsu 4340 colour scanners (mscms.dll)
• MS08-048 Security Update for Windows Mail raised a specific DLL conflict with Microsoft Digital Image software
• MS08-050 Security Update for Windows XP raised an application conflict with Microsoft Messenger
•
Recommendations
1. Immediately test core applications affected by MS08-045 with dependancies, in this case on IE7
2. Ideally test all other applications affected by this patch with dependancies
3. Test applications with shared code for the new DLL/driver updates
4. Test applications using Fujitsu colour scanners/Microsoft Digital Image software and Microsoft Messenger as above
Conclusion
From the results derived from the ChangeBase AOK Patch Impact Analysis, it appears that the following patch updates could be deployed with relatively light testing and with an expected minimal impact on the application portfolio; MS08-46, MS08-47, MS08-48, MS08-49 and MS08-50. However, the Microsoft Internet Explorer 7 Update IE7 (MS08-045) includes files and configuration data that are a direct dependency for a large number of applications. This could mean that these applications may be adversely affected by the MS08-045 update and this patch should be fully tested prior to deployment to production environments.
About the ChangeBASE Application Compatibility Lab
ChangeBASE launched last month our ACL to allow us to rapidly assess the impact of new operating system code releases on a portfolio of applications. We have loaded c. 700 applications into this Lab and can use AOK to test the impact of new releases on these in minutes.