Just days after fixing a glitch in one of its enterprise patch-distribution tools, Microsoft said that another of its patching programs has been blocking this month's security updates.
According to a Wednesday post to the Windows Server Update Services (WSUS) blog, some Windows client systems that rely on the free WSUS have been unable to retrieve the June 10 patches.
"Computers that have Office 2003 or components of Office 2003 installed fail to run a detection against a WSUS server that has the latest Office updates," said Cecilia Cole, a WSUS program manager. "This prevents the computers from receiving any updates from the WSUS server."
This is the second time in a week that Microsoft has told customers that its patch software is unable to deploy the newest updates. Those updates, which plugged 10 vulnerabilities in Windows, Internet Explorer (IE) and Bluetooth, were released June 10.
Last week, the company's security team warned corporate users of System Center Configuration Manager (ConfigMgr) 2007, the successor to System Management Server (SMS) 2003, that clients running SMS 2003 wouldn't obtain the June 10 fixes. The problem, said Microsoft Tuesday when it issued a hot fix, was "additional metadata" associated with Microsoft Office 2003 SP1.
Although Cole also linked the WSUS problem to Office 2003 SP1, she didn't say whether it was the same issue that plagued ConfigMgr. "When computers with products related to Office 2003 communicate with a [WSUS] server, the Web service is unable to process the approvals, resulting in the detection failure," she said in a section of the alert tagged as "Root Cause."
Microsoft neither confirmed nor denied that the ConfigMgr and WSUS problems stemmed from one bug in Office 2003 SP1.
When asked whether both tools' troubles could be traced to the same source, a company spokesman said by e-mail only that "Microsoft is actively investigating an issue that a limited number of customers are reporting [that] is affecting the deployment of the June 2008 security updates."
Some users have reported problems with blocked clients on Microsoft's WSUS forum, but they have left too little information to match their troubles with the error messages and log file content that Cole spelled out in her alert. "[WSUS] was working fine, but suddenly all the clients are not communicating with the WSUS server," said one user, identified as "the bull" in a message posted Tuesday. "When I checked, I see the request is sent by the client but WSUS server is not responding."
Andrew Storms, director of security operations at nCircle Network Security Inc., said that although Microsoft has had problems in the past with WSUS, this latest one is unusual because it appears to also involve the more sophisticated ConfigMgr. "I can't think of an event like this," said Storms.
The two patching tools -- ConfigMgr and WSUS -- rely on completely different concepts, Storms explained. "Configuration Manager and SMS use push technology. The system administrator can say which patches to deploy, and then they're pushed to the clients, maybe on a weekend, and rebooted. WSUS is different," he continued. "It doesn't require any software installed on the client, [but instead] uses the Windows Update client. Administrators can set Group Policies, but the clients pull the updates from the WSUS server."
In lieu of a ConfigMgr-style fix, Cole offered a several-step workaround that requires users to remove approval for the Office 2003 SP1 update on each WSUS server. That, however, confused at least one WSUS administrator. "My Office 2003 SP1 update is declined and superseded by the most recent Office SPs and I can't approve it again," said Joswald Mata in a comment added Wednesday to Cole's post.
"What you need to do is approve the update with an action of 'Not Approved'," replied a WSUS team member in the next comment. "I know this can be a little confusing since you cannot approve an 'Expired' update for an 'Install,' for example, but a 'Declined' update can be returned to 'Not Approved' (which means it is 'Undeclined')."
Another user noted that the Office 2003 SP1 update carried a date of 6/10/3008. "Is this the reason why we're having problems, or is it just my server?" asked Christopher Hill. Others, however, confirmed that they saw the same 1,000-year date error.
Microsoft's Christopher Budd, a spokesman for the company's security group, didn't commit to providing a patch, but left the door ajar. "Once [our] investigation is complete, we will take appropriate action to help protect customers," he said.