Microsoft update for IIS does not always install correctly

Users of Internet Information Services (IIS) on Windows Server 2003 should take another look at their configurations to ensure that the security updates released last week have been properly installed. The patches were intended to close the well known security holes in Active Server Pages. According to a Knowledge Base article from Microsoft, Update MS06-034 does not always correctly install itself on Windows Server 2003 if the server has already been updated with Service Pack 1 and IIS is running. Where this is the case, the server locks the ASP.DLL file, preventing Windows from replacing the file, thus foiling the update and leaving the server vulnerable. A corrected version of the patch eliminates the problem. Users should manually download and install the new version or re-open Windows Update.

Microsoft is also reporting cases of Auto Update or Windows Update repeatedly re-offering the MS06-034 update, even if it has already been installed. The problem is related to the way in which Windows determines whether a patch has already been installed, Microsoft claims. The update mechanism fails properly to detect the presence of the patch on computers that already have the Internet Information Services (IIS) Common Files installed on them but don't yet have the ASP.DLL for Active Server Pages. The Knowledge Base article proposes simply uninstalling the Common Files as a workaround.

See also:

• MS06-034 installation fails on computers that have Windows Server 2003 SP1 installed, Microsoft Knowledge Base article

(ehe)