Windows XP, Windows 2000, and Windows NT newsgroup users have been discussing security patch problems. The discussions center around problems with the Microsoft patch that Security Bulletin MS03-010 (Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks) describes.
Russ Cooper posted a message to the NTBugTraq mailing list summarizing the newsgroup discussion. Apparently, people who use Microsoft IIS along with COM+ have experienced ASP transaction processing problems after installing the patch. Cooper said that the problems are varied and disappear when users remove the patch from affected systems.
At least one person contacted Microsoft Product Support Services (PSS) regarding the anomalies, and PSS referred the person to a fix associated with Microsoft article 814408. However, that article isn't publicly available, nor does the fix indicate that it's related to Security Bulletin MS03-010.
According to Cooper, the patch files issued with bulletin MS03-010 date from October and November of 2002, even though Microsoft didn't release the bulletin until March 2003. The files in the patch related to article 814408 have release dates as late as February 2003. Cooper also said that article 814408 is a "private patch" and the only way to obtain it is to contact PSS. The patch contains all the fixes included with the patch linked to Security Bulletin MS03-010 and will be included with Windows XP Service Pack 2 as well as Windows 2000 Service Pack 4.
Cooper said, "Microsoft should at least add a caveat to the MS03-010 article indicating that reports of the IIS problems have been received, and that a fix is available [via product support] should it be needed, assuming [Microsoft doesn't] want to re-release the patch. A re-release would likely cause a lot of people to reapply the patch even though they don't fall into the conditions required for the patch to fail, so I can understand them not wanting to re-release it."