Microsoft patch fiasco gets messier

Microsoft's latest batch of security fixes keeps causing trouble for some users.

A "critical" patch for a problem in a Windows component for streaming media, called DirectShow, apparently isn't as straightforward as Microsoft thought. Some Windows 2000 users have applied the incorrect patch, leaving their computers vulnerable even though they think they've patched up, Microsoft said on Thursday.

A Microsoft representative said in an emailed statement: "A limited amount of customers, who may have obtained the wrong security update for their version of DirectX, may think they are protected when, in fact, they are not. This only affects users who have selected the wrong package manually." DirectX contains DirectShow.

Microsoft on Wednesday published its second advisory in as many weeks for users to deal with trouble arising from this month's patch release. Last week the software maker said another critical patch could cause problems for users who changed specific Windows security settings.

The latest patching issue deals with the fixes in security bulletin MS05-050. The problem occurs when Windows 2000 users who have DirectX 8.0 or 9.0 mistakenly apply the patch for DirectX 7.0. The computer will still be vulnerable to the flaw, while the user won't be notified that the system is not updated, Microsoft said.

Windows 2000 users who obtain security patches automatically through Microsoft's patching tools or who accurately followed the steps in the security bulletin are protected, the Microsoft representative said.

Users probably applied the wrong patch because Microsoft's security bulletin was unclear, said Brian Grayek, chief technology officer at Preventsys, a vulnerability management company. "The vendor, no matter who, has to be responsible for being crystal clear on remediation," he said.

While Microsoft could have perhaps published a clearer bulletin, administrators are ultimately responsible for their systems, said Susan Bradley, an independent security consultant and Microsoft Most Valuable Professional.

Bradley said in an email interview: "At the end of the day Microsoft is not responsible for my network, I am. If I don't have a clear understanding of what I have installed, whose fault is that?"

Microsoft offers guidance for Windows 2000 users who think they may have applied the wrong update in an article on its website.

Joris Evers writes for CNET News.com