It was a Microsoft Word (VBA) application written back in 2001.

Essentially what it does is:

  1. user selects a letter type.
  2. the user then enters some customer reference numbers.
  3. the VBA application does an Oracle database lookup to convert those customer reference numbers into names and postal addresses.
  4. which the VBA then uses to “mail merge” into whatever number of letters need to be sent out.

And it was broken.

I had a feeling that writing about patch management policy would come back to bite me (and it did).

Here’s what the broken application looks like:
Broken Microsoft Word VBA application

and the working one:

Working Microsoft Word VBA application

The most visible difference is the little boxes on the screen:

So let’s fire up the VBA editor and find out what they are:
VBA Editor showing Masked Edit Boxes

Masked Edit Boxes.

From there, it was a short hop, skip, and a jump to find this article:
Visual Basic 6 Controls stop working after Security Advisory 960715

Ah, yes, we’d just finished applying a Microsoft Security patch, this one in fact (MS09-032).  As an aside, we would have bitten in the ass, had we applied the earlier MS08-070 patch as well.

The work-around, we’ll rollback the security patch until we find a solution.

The sort of solutions we’ll be looking at:

Update: Oh the irony!  A year ago today I wrote about “Things to remember when hunting bugs.

Bookmark and Share