For Visual Studio

Sep 14, 2007 13:56 GMT

Although September was a slow month in terms of the volume of security updates released - only four patches for just as many vulnerabilities - the releases were not without their small surprises. In August, Microsoft's patch cycle managed to catalyze a Skype outage because it exposed a bug in the peer-to-peer service that led to an overall critical crash; this month, the company introduced the first update capable of installing itself ad infinitum. Microsoft revealed that it is on top of things and that it has resolved the issue. "We updated our detection and deployment logic for that bulletin. First, I want to note that we're not making any changes to the update itself given it protects against the vulnerability discussed in the bulletin. If you've applied it successfully already, you have no further action," stated a member of the Microsoft Security Response Center.

Microsoft Security Bulletin MS07-052 covers a vulnerability rated Important in Crystal Reports for Visual Studio. Windows Update would deliver the update to Windows Vista and Windows XP systems with Visual Studio 2005 SP1 deployed even if Crystal Reports was not present. On a system where the user had opted not to add the VS component, MS07-052 would simply be delivered and installed over and over again. Microsoft confirmed that the issue was indeed caused by the missing Crystal Reports feature. With the change in detection logic, Windows Update will no longer offer the update once it is installed.

"What we have done is change our detection logic update for the Visual Studio 2005 Service Pack 1 update only. This change will address an issue where some customers were being offered KB937061 repeatedly after they had installed the update. This only occurred if they did not have the Crystal Reports for Visual Studio feature enabled, which is installed and enabled by default for Visual Studio 2005. Any customers who chose to minimize their installation footprint of VS 2005 and explicitly 'unchecked' Crystal Reports during installation would have been impacted by this issue after they applied the Visual Studio 2005 Service Pack 1 update. The change addresses that and ensures customers will not be reoffered the update after KB937061 is applied," the MSRC member added.