
ChangeBase AOK Application Compatibility Lab Results On Microsoft Patch Tuesday Update.


August 13th 2008

 

 

As part of the August release of the regularly scheduled Microsoft Updates, eleven patches are being released: six with the maximum rating of Critical, related to the Windows operating system, and five with the maximum rating of Important, related to Office. We have used AOK to test the Windows patches.

 

It should be noted that patch MS08-047 relates to Vista. The other five relate to XP (SP1/2/3).

 

Here is a brief summary of the patches that affect the Microsoft Windows operating system:

1) Microsoft Security Bulletin MS08-045

Description: Cumulative Security Update for Internet Explorer (953838). This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability. All of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

2) Microsoft Security Bulletin MS08-046

Description: Vulnerability in Microsoft Windows Image Colour Management System Could Allow Remote Code Execution (952954). This update resolves a privately reported vulnerability in the Microsoft Image Colour Management (ICM) system that could allow remote code execution in the context of the current user.

3) Microsoft Security Bulletin MS08-047

Description: Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733). This update resolves a privately reported vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied.

4) Microsoft Security Bulletin MS08-048

Description: Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733). This update resolves a privately reported vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied. This vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text.

5) Microsoft Security Bulletin MS08-049

Description: Vulnerabilities in Event System Could Allow Remote Code Execution (950974). This update resolves two privately reported vulnerabilities in Microsoft Windows Event System that could allow remote code execution.

6) Microsoft Security Bulletin MS08-050

Description: Vulnerability in Windows Messenger Could Allow Information Disclosure (955702). This security update resolves a publicly reported vulnerability in supported versions of Windows Messenger. As a result of this vulnerability, scripting of an ActiveX control could allow information disclosure in the context of the logged-on user.

 

Note: These are not all of the patches that have been released by Microsoft today, as the following apply only to Microsoft Office products:

 

* Microsoft Security Bulletin MS08-042

* Microsoft Security Bulletin MS08-041

* Microsoft Security Bulletin MS08-043

* Microsoft Security Bulletin MS08-051

* Microsoft Security Bulletin MS08-044

 

 

We have used the ChangeBase AOK Workbench to analyse each of the Windows patches against a sample of approximately 700 unique application packages with the intention of providing some insight into the following questions:

 

1. What patches, when released, are likely to cause my applications to fail?

2. What patches contain files and settings shared by individual applications I am running? For clarity, a number of software vendors and developers use shared Microsoft code in their applications, for example subsets of IE7. Hence, if this embedded code has a security issue that the patch is resolving, the application will need checking by the software vendor or in-house development team.

3. Which applications have a dependency on the software that has been updated? For example, many applications use Internet Explorer as part of their functionality, say to produce a management report. If Microsoft updates IE7 with a new patch, this can cause problems when this action is carried out in the software application.

4. What order should I test my applications in?

5. What patches should I test most, and why?

 

Results

The following table details the results from the ChangeBase AOK Patch Impact Analysis and includes information on the application packages in the sample portfolio:

* What is the total number of applications affected by each patch?

* What applications also include files and configuration data that were embedded in the patch update?

* What applications had specific dependencies on changes included in these updates?

 

 

| Patch | Total issues identified (dependencies or shared code) | Apps affected | Number of applications with shared code | Number of applications with dependencies | Status |
|---|---|---|---|---|---|
| MS08-045 | 585 | 32% | 3 | 235 | |
| MS08-046 | 12 | <1% | <1% | N/A | |
| MS08-047 | 6 | <1% | <1% | N/A | |
| MS08-048 | 20 | <1% | <1% | N/A | |
| MS08-049 | 7 | <1% | <1% | N/A | |
| MS08-050 | 9 | <1% | <1% | N/A | |

 

= Needs serious attention

= Testing required

= Minor concern

 

 

Special Notes:

 

* MS08-046 Security Update for Windows Server 2003 raised a specific driver issue with Fujitsu 4340 colour scanners (mscms.dll)

* MS08-048 Security Update for Windows Mail raised a specific DLL conflict with Microsoft Digital Image software

* MS08-050 Security Update for Windows XP raised an application conflict with Microsoft Messenger

Recommendations

 

1. Immediately test core applications affected by MS08-045 with dependencies, in this case on IE7

2. Ideally test all other applications affected by this patch with dependencies

3. Test applications with shared code for the new DLL/driver updates

4. Test applications using Fujitsu colour scanners/Microsoft Digital Image software and Microsoft Messenger as above

 

 

 

Conclusion

 

From the results derived from the ChangeBase AOK Patch Impact Analysis, it appears that the following patch updates could be deployed with relatively light testing and with an expected minimal impact on the application portfolio: MS08-046, MS08-047, MS08-048, MS08-049 and MS08-050. However, the Microsoft Internet Explorer 7 update (MS08-045) includes files and configuration data that are a direct dependency for a large number of applications. This could mean that these applications may be adversely affected by the MS08-045 update, and this patch should be fully tested prior to deployment to production environments.

 

About the ChangeBASE Application Compatibility Lab

 

ChangeBASE launched our ACL last month to allow us to rapidly assess the impact of new operating system code releases on a portfolio of applications. We have loaded c. 700 applications into this Lab and can use AOK to test the impact of new releases on these in minutes.

 

 

For more information or to arrange an interview or lab test on ChangeBASE AOK, please contact:

 

 

Monique Chambers

Compass Rose Marketing & PR

Land + 44 203 239 9722

Mobile + 356 99 89 1722

Skype monique_chambers

 
