Microsoft acknowledged Tuesday that security patches issued last week for Internet Explorer (IE) crippled the browser for some users, but rather than rework the fix, the company offered up a registry hack workaround.
The confirmation and workaround came a week after users installed Security Update MS07-069 on December 11 and immediately began reporting that they were unable to connect to the Internet with IE or that the browser kept crashing. MS07-069, one of seven bulletins issued on December's "Patch Tuesday," fixed four critical vulnerabilities in IE 5.01, IE6 and IE7.
Although Microsoft had said on Monday that it was investigating the reports, on Tuesday the company owned up to the problem. "On a Windows XP Service Pack 2-based computer, Internet Explorer 6 may stop responding when you try to visit a Web site," said Kieron Shorrock, the program manager responsible for IE at the Microsoft Security Response Center (MSRC).
In a later post to the MSRC blog, however, Shorrock downplayed the problem, saying, "We have been working with a small number of customers that reported issues related to the installation of MS07-069." He claimed that the bug appeared only in what he called "a customized installation."
"This isn't a widespread issue," Shorrock added.
That would come as a surprise to users such as Harold Decker, who manages 35 Windows XP SP2 machines at San Diego-based Gold Peak Industries NA Inc. Even though Decker described his shop's systems as "pretty plain," 29% of the PCs that installed last week's IE update had trouble accessing the Web.
Other Microsoft managers, however, did not downplay the issue as Shorrock did. Terry McCoy, program manager for security at Microsoft's IE development team, didn't dismiss the numbers, but only spelled out the problem. "This might occur while navigating to a Web site hosting considerable media content (for example: MSN.com) resulting in Internet Explorer displaying a dialog that states 'Internet Explorer has experienced a problem and needs to close.'"
Microsoft offered a workaround Tuesday. That fix, which was actually taken from an earlier support document, requires that users edit the Windows registry, a daunting task for most. "If you experience this issue, implement the applicable workaround," advised McCoy on the official IE blog.
Some customers weren't so sure, however. "Why a registry key change?" asked someone identified only as "hAl" in a comment attached to McCoy's post. "That seems beyond the capabilities of normal users. Wouldn't it be better if this security update was removed from the cumulative update and patched?"
Another commenter on the same blog was more critical. "With hundreds of users here running XP SP2 with IE6, how can Microsoft be serious that the solution is to edit each registry? Is this some sort of joke?" said a user identified as Phil. "It would be easier to have each user install Mozilla Firefox and stop using IE completely."
Although Microsoft didn't respond to questions about whether MS07-069 would be recrafted, and if so, when, another Microsoft employee hinted that it would. In a message posted Tuesday to a support newsgroup, someone identified as Kurt Falde, who said he works for Microsoft, noted that the workaround was a QFE (quick fix engineering) fix, not a GDR (general distribution fix). "[That] means [the underlying issue] has not been fully regression tested and was not included as enabled in the current cumulative patch," said Falde.
At least one user has stepped in with a patch of his own. Ottmar Freudenberger turned Microsoft's workaround steps into an automated registry hack that can be downloaded from his Web site.
"It's somewhat unacceptable to force users hacking in the heart and brain of Windows, a.k.a. the registry, themselves and leaving those users in the dark, which will most likely never find the way into the newsgroups to get aware of the 'fix,'" said Freudenberger on the Windows Update newsgroup.