KB 2264107 rants

I was looking at the DLL hijacking hotfix (KB 2264107).   I deployed the update for 32 bit XP a couple of months back.   Tonight I was taking a look at deploying the update for other operating systems.

The first bit of weirdness I found is the Windows 7 updates now have “v2” in the file name indicating a new version.   The release date is 12/13.   What I find odd is no mention of what was changed.   I’m guessing ntdl.dll needed to be updated due to a December security update.

What is more of a problem, the updates for Windows 7, Vista and 2008 are MSU files.   I can’t deploy MSU files through System Center Update Publisher.  The EXE update for Windows XP deployed with no issues.   I would have to use the older Software Distribution method of SCCM to deploy MSU updates.   I’m trying to avoid that. 

The DLL search order was a stop-gap patch against one of the biggest (yet often forgotten) security storylines of this year.   Countless Windows applications were found to be vulnerable because their authors failed to follow basic security practice.   This patch takes a step away from backwards compatibility and toward security.   It should be available in the Windows Update catalog.   The update by default does nothing.   You have to add a registry value anyway for it to be active.   The only reason I see not to have this in the Windows Update catalog is it provides a false assurance of security until the registry key is also set.   Its then that you have to worry about application compatibility.