Microsoft patches bust websites

Two Microsoft security updates for Internet Explorer can break the functionality of websites that use certain custom applications.

The problems occur after installing the patches Microsoft delivered with security bulletins MS05-038 and MS05-052, Microsoft said in two advisories posted on its website on Wednesday. The bulletins were issued in August and October, respectively.

Both patches can cause problems with ActiveX controls, small programs designed to perform simple tasks that can make a website more interactive. The MS05-038 patch can also hinder Java applications. After the patches are installed, applications that are programmed in specific ways will no longer work in Internet Explorer, Microsoft said.

Any problems caused by MS05-038 and MS05-052 affect only a few users, Stephen Toulouse, a program manager in Microsoft's Security Response Center wrote on the MSRC blog late Wednesday. "As a result of these changes that we made for security sake, for a limited amount of customers some pages may not load as expected," he wrote.

The issue of broken websites is the latest problem with Microsoft patches. One recent fix wreaked havoc on systems of users who had changed certain settings on their PCs to be more secure, while Windows 2000 users had trouble finding the right patch for another security problem.

The MS05-052 patch causes the problem because it makes several changes to Windows meant to increase the security of the IE web browser. After installing the patch, IE will check for a special security setting called on ActiveX controls. If the control does not have the setting, IE will block it, according to a Microsoft advisory.

To resolve this issue, Microsoft advises developers to recompile an affected ActiveX control and mark it as safe when run in an internet browser, according to the advisory. As a workaround, users of sites with ActiveX controls that no longer work can lower their IE security settings, the company said, although it does not recommend doing so.

Changes made for the benefit of security with the MS05-038 patch mean trouble for ActiveX controls and Java applications. The problems occur if so-called "custom monikers" are used, Microsoft said in a second advisory. To solve the issue, the applications should be converted.

Microsoft's advisories offer technical tips on resolving any issues. The company did not say how many customers have experienced trouble.

Joris Evers writes for News.com