ChangeBase AOK Application Compatibility Lab Results On Microsoft Patch Tuesday Update.


ChangeBase AOK Application Compatibility Lab Results On Microsoft Patch Tuesday Update. - 08/14/08 08:56 AM

August 13th 2008


As part of the August release of the regularly scheduled Microsoft Updates, there are currently eleven patches being released: six with the maximum rating of Critical and related to the Windows operating system, and five with the maximum rating of Important that are related to Office. We have used AOK to test the Windows patches.

It should be noted that patch MS08-047 relates to Vista. The other five relate to XP (SP1/2/3).

Here is a brief summary of the patches that affect the Microsoft Windows operating system:

1) Microsoft Security Bulletin MS08-045
Description: Cumulative Security Update for Internet Explorer (953838). This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability. All of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

2) Microsoft Security Bulletin MS08-046
Description: Vulnerability in Microsoft Windows Image Colour Management System Could Allow Remote Code Execution (952954). This update resolves a privately reported vulnerability in the Microsoft Image Colour Management (ICM) system that could allow remote code execution in the context of the current user.

3) Microsoft Security Bulletin MS08-047
Description: Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733). This update resolves a privately reported vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied.

4) Microsoft Security Bulletin MS08-048
Description: Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733). This update resolves a privately reported vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied. This vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text.

5) Microsoft Security Bulletin MS08-049
Description: Vulnerabilities in Event System Could Allow Remote Code Execution (950974). This update resolves two privately reported vulnerabilities in Microsoft Windows Event System that could allow remote code execution.

6) Microsoft Security Bulletin MS08-050
Description: Vulnerability in Windows Messenger Could Allow Information Disclosure (955702). This security update resolves a publicly reported vulnerability in supported versions of Windows Messenger. As a result of this vulnerability, scripting of an ActiveX control could allow information disclosure in the context of the logged-on user.

Note: These are not all of the patches that have been released by Microsoft today, as the following apply only to Microsoft Office products:

* Microsoft Security Bulletin MS08-042
* Microsoft Security Bulletin MS08-041
* Microsoft Security Bulletin MS08-043
* Microsoft Security Bulletin MS08-051
* Microsoft Security Bulletin MS08-044


We have used the ChangeBase AOK Workbench to analyse each of the Windows patches against a sample of approximately 700 unique application packages, with the intention of providing some insight into the following questions:

1. What patches, when released, are likely to cause my applications to fail?

2. What patches contain files and settings shared by individual applications I am running? For clarity, a number of software vendors and developers use shared Microsoft code in their applications – for example, subsets of IE7. Hence, if this embedded code has a security issue that the patch is resolving, the application will need checking by the software vendor or in-house development team.

3. Which applications have a dependency on the software that has been updated? For example, many applications use Internet Explorer as part of their functionality – say, to produce a management report. If Microsoft update IE7 with a new patch, this can cause problems when this action is carried out in the software application.

4. What order should I test my applications in?

5. What patches should I test most, and why?

Results

The following table details the results from the ChangeBase AOK Patch Impact Analysis and includes the following information on the application packages in the sample portfolio:

* What is the total number of applications affected by each patch?
* What applications also include files and configuration data that were embedded in the patch update?
* What applications had specific dependencies on changes included in these updates?


Patch    | Total issues identified (dependencies or shared code) | Apps affected | Number of applications with shared code | Number of applications with dependencies | Status
MS08-045 | 585 | 32% | 3   | 235 |
MS08-046 | 12  | <1% | <1% | N/A |
MS08-047 | 6   | <1% | <1% | N/A |
MS08-048 | 20  | <1% | <1% | N/A |
MS08-049 | 7   | <1% | <1% | N/A |
MS08-050 | 9   | <1% | <1% | N/A |

= Needs serious attention
= Testing required
= Minor concern


Special Notes:

* MS08-046 Security Update for Windows Server 2003 raised a specific driver issue with Fujitsu 4340 colour scanners (mscms.dll)
* MS08-048 Security Update for Windows Mail raised a specific DLL conflict with Microsoft Digital Image software
* MS08-050 Security Update for Windows XP raised an application conflict with Microsoft Messenger

Recommendations

1. Immediately test core applications affected by MS08-045 with dependencies, in this case on IE7
2. Ideally test all other applications affected by this patch with dependencies
3. Test applications with shared code for the new DLL/driver updates
4. Test applications using Fujitsu colour scanners/Microsoft Digital Image software and Microsoft Messenger as above



Conclusion

From the results derived from the ChangeBase AOK Patch Impact Analysis, it appears that the following patch updates could be deployed with relatively light testing and with an expected minimal impact on the application portfolio: MS08-046, MS08-047, MS08-048, MS08-049 and MS08-050. However, the Microsoft Internet Explorer 7 update (MS08-045) includes files and configuration data that are a direct dependency for a large number of applications. These applications may therefore be adversely affected by the MS08-045 update, and this patch should be fully tested prior to deployment to production environments.

About the ChangeBASE Application Compatibility Lab

ChangeBASE launched our ACL last month to allow us to rapidly assess the impact of new operating system code releases on a portfolio of applications. We have loaded c. 700 applications into this Lab and can use AOK to test the impact of new releases on these in minutes.


For more information or to arrange an interview or lab test on ChangeBASE AOK, please contact:


Monique Chambers
Compass Rose Marketing & PR
Land + 44 203 239 9722
Mobile + 356 99 89 1722
Skype monique_chambers