April 12, 2013

Microsoft is urging users who haven’t installed it yet to hold off on MS13-036, a security update that the company released earlier this week to fix a dangerous security bug in its Windows operating system. The advice comes in response to a spike in complaints from Windows users who found their machines unbootable after applying the update.

The MS13-036 update, first released on Tuesday, fixes four vulnerabilities in the Windows kernel-mode driver. In an advisory released April 9, the company said it had removed the download links to the patch while it investigates the source of the problem:

“Microsoft is investigating behavior wherein systems may fail to recover from a reboot or applications fail to load after security update 2823324 is applied. Microsoft recommends that customers uninstall this update. As an added precaution, Microsoft has removed the download links to the 2823324 update while we investigate.”

The problems with the patch appear to be centered around Windows 7 and certain applications on Windows 7, such as Kaspersky Anti-Virus. Microsoft has issued instructions on how to uninstall this update in the “resolution” section of this advisory.
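For administrators acting on the uninstall recommendation above, here is an added PowerShell example (not part of the original post or of Microsoft's advisory) that reports which machines have KB2823324 installed and includes a local removal helper built on `wusa.exe`. The host names and the function names `Get-KbStatus` and `Remove-KbLocal` are assumptions made for illustration.

```powershell
# Added example (not from the original post). Host names are constructed
# placeholders; run from an account with admin rights on the targets.
$KbId      = 'KB2823324'                      # the withdrawn update named above
$Computers = @('PC-ALPHA-01', 'PC-BETA-01')   # constructed sample list

function Get-KbStatus {
    param([string]$ComputerName, [string]$Id)
    $status = 'Unreachable'
    if (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet) {
        try {
            # List all hotfixes and filter locally, so an empty result means
            # "not installed" and an exception means the query itself failed.
            $hit = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
                   Where-Object { $_.HotFixID -eq $Id }
            if ($hit) { $status = 'Installed' } else { $status = 'NotInstalled' }
        } catch {
            $status = 'QueryFailed: ' + $_.Exception.Message
        }
    }
    New-Object PSObject -Property @{ Computer = $ComputerName; KB = $Id; Status = $status }
}

function Remove-KbLocal {
    param([string]$Id)
    # wusa.exe expects the number without the "KB" prefix.
    $num  = $Id -replace '^KB', ''
    $proc = Start-Process -FilePath 'wusa.exe' -Wait -PassThru `
            -ArgumentList "/uninstall /kb:$num /quiet /norestart"
    switch ($proc.ExitCode) {
        0       { 'Removed' }
        3010    { 'Removed, reboot required' }
        default { "wusa exit code $($proc.ExitCode)" }
    }
}

# Inventory pass: one row per host, including hosts that could not be checked.
$report = $Computers | ForEach-Object { Get-KbStatus -ComputerName $_ -Id $KbId }
$report | Select-Object Computer, KB, Status | Format-Table -AutoSize

# On an affected machine, from an elevated prompt:
# Remove-KbLocal -Id $KbId
```

Hosts reported as `Unreachable` or `QueryFailed` still need a manual check, since a machine that failed to boot after the update will not answer the query.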

Update, Apr. 23: Microsoft has re-released the problematic security update to address the problems that some Windows users were experiencing with the MS13-036 patch. The new update, KB62840149, replaces the faulty one, which was KB2823324.


39 thoughts on “Microsoft: Hold Off Installing MS13-036”

  1. Gina

    I am still running XP & had no problems (yet!) with the patch download. Should I be trying to figure out how to remove it? Thanks

  2. John Cali

    Hi Brian,

    Thanks very much for the warning. I’ve installed this security update, and am not having any problems on either my Windows 7 or XP computers.

    Should I still uninstall it?

  3. BrianKrebs Post author

    Yeah, I should have addressed that in my post. I had already installed this update by the time I read Microsoft’s advisory on it, and I haven’t had any problems either. I chose to keep the update installed. I think the advice is mainly for those who haven’t yet installed it, or for those who are experiencing problems after doing so.

    1. John Cali

      Thanks very much, Brian. I’ll leave it alone then.

      And thank you also for all the incredibly useful advice and guidance you’ve given over the years. Someone like me who’s not technically expert, really needs someone like you who is.

      Have a great weekend!

    2. Jay Wocky

      Like you, Brian, I installed the update immediately: upon notice, that is (I don’t do automatic installation). Like you, I have had no problems.

      However, this advisory has me inclined to hold off on installing the next updates for @5 days after Patch TU just to make sure the updates are problem-free. After experiencing a huge problem @3 years ago from an MS update, I went to and stuck to a 5-day waiting period. However, over the past year or so, I have let my guard down and installed immediately.

      Having been lucky this time, now that I read your post, above, I will wait next time.

      1. JasonR

        I concur with waiting a few days. At work, we have Alpha (only IT Help Desk) and Beta (an end-user from each department) patch groups. Alphas get it day one (typically Tuesday night) on one of their PCs. But they have multiple PCs and know how to revert a bad patch. Betas get them on day two (typically Wednesday night). We don’t want to have patches applied for Fridays, the weekend or Mondays, so that means the rest of our users get the patch the following Monday night, or on the 7th day of the patch release.

        We do the same for our AntiVirus, having been burned by McAfee 3-4 years ago.

  4. Darryl Gittins

    Most of the reports seem to indicate that it’s just Portuguese (Brazil) Windows 7 systems that are affected, so should people be concerned if they are running English or other language based systems?

    1. Harry Johnston

      I’ve experienced symptoms on an English-language machine. Relatively harmless ones, but nonetheless, the issues are definitely not confined to Brazil.

      It should also be noted that this was on a machine with very little third-party software, nothing but device drivers and associated content.

  5. Winter

    What I’ve found is that it has affected our Windows 7 x64 systems that are running Kaspersky Endpoint Security 8 but it doesn’t seem like it caused much issue with systems running Kaspersky Endpoint Security 10.

  6. Steve Mullen

    Microsoft released KB2839011 yesterday with guidance to uninstall security update 2823324 if it is already installed.

    MS13-036 remains available for download and is being pushed via updates to help protect customers against the other issues documented in the security bulletin – it no longer contains the affected update.

  7. Cody R

    I have Windows 7 installed with Kaspersky (2013) without issues. I wonder if it’s tied to a specific product of theirs.

  8. ZenRuth

    I am running Win7 with ZoneAlarm and installed the update Tuesday. I’ve had no problems, but this is a reminder that I shouldn’t rush to install MS updates. I agree, wait 3-5 days to make sure there are no bugs in the updates.

  9. Charles

    Interesting that Microsoft advises affected customers to fix the problem by using their Windows installation disk. Unfortunately, many new computers don’t ship with any such disk these days.

    1. SeymourB

      Indeed they don’t, and their Microsoft-pushed alternative – OEM factory reset DVD-Rs that have to be created by the owner after purchase – doesn’t allow for repair installations, just (surprise) factory resets.

      I’ve never understood the rationale behind this. Supposedly people were selling their copies of Windows on eBay. But with OEM media tied to the OEM, even back then, it would be of limited use except to someone with the same make (sometimes even model) computer. Therefore it sounds more like Microsoft wanted to drive more sales of Windows for the poor fellows whose Windows installations went south and had lost/thrown away their OEM media.

      Bah. All they’re doing is driving people to piracy.

  10. AuntieBigDigs

    Wow you guys are lucky…When my computer did the update, it sent me back to a post recovery look. All of my display and desktop had no theme no fonts, no desktop shortcuts no favorites or nothing. I was afraid to do anything but a restore which luckily and while I was holding my breath returned it to its proper current look. Then when I tried to download each update by itself, the first few were ok until I got to security update 2823324 and it wouldn’t even let me pick it to download.

  11. Adam

    We’re running ~70 Windows 7 clients (x86 & x64) and about half of them have applied all of Tuesday’s patches. We usually release patches in waves for testing purposes and hadn’t noticed any issues. Since reading this article, I have removed the affected updates from WSUS and am awaiting further instructions.

    Although the advisory specifies Windows 7, I’ll be holding off on Server OS as well just to be on the safe side.

  12. Mara Alexander

    I also installed it on Wednesday on a W7 machine, no issues.

  13. Mike

    Thanks Brian – I uninstalled it because I’m not sure I’ve restarted the machine since it was installed, and I didn’t want to try and deal with boot problems… Keep up the great work – your insights and explanations are super clear!

  14. Mike

    FYI – After uninstalling it Windows Updater told me it was available and I should install it. (Details are below.) Unless I’m confused and this update is different than the one that has the problem:

    Security Update for Windows 7 for x64-based Systems (KB2823324)

    Download size: 1.1 MB

  15. Bob

    If the problem is due to a Microsoft patch that Microsoft advises average users to install automatically, then shouldn’t Microsoft automatically uninstall it for them instead of making them wait until it comes up with a fix?

    I’ve had no problems on my Win 7 machines. I understand the problem is primarily on Windows 2008 server.

    Regards,

  16. Dave

    Complaints of problems including endless reboots, blue screen stop messages, and having to run CHKDSK after every reboot are now coming from all over the world including many locations in the US. The greatest number of affected machines are running Windows7, either 32-bit or 64-bit versions.

    Microsoft indicates they have “determined that the update, when paired with certain third-party software, can cause system errors. As a precaution, we stopped pushing 2823324 as an update when we began investigating the error reports and have since removed it from the download center”

    The bottom line is that similar to other patches that have caused problems in the past, the problem is not in the patch itself but how it interacts with other third-party software the end user has installed – as with the Kaspersky security software issue. The problems with machines in Brazil had G_Buster security software installed. I have to say that these issues are impossible for Microsoft to predict, and expect that as in the past they will work with the vendors to sort it all out, and then re-release the patch in the future.

    In any case, if you installed KB2823324 you should uninstall it even if you are not having any noticeable problems as this patch modifies kernel drivers which can lead to problems users are unaware of – it all depends on what other software is installed in the machine. Problems may also surface after reboots in the future. Every case researched so far has been caused by low level interaction of third party software with the Windows kernel after the patch, which modifies the kernel drivers, has been installed. In some reported cases, problems did not surface until several days and multiple boots after the patch was installed. I would strongly urge users to follow Microsoft’s advice and uninstall this patch.

    If you still have security concerns and want to hang on to this patch, be advised that a successful attack against this vulnerability would require the attacker to have physical access to the machine along with an administrator privilege user name and password. Remote attacks are not possible against this vulnerability.

    I hope this helps clarify the issues at hand.

    1. pegr

      Not quite. If MS published all APIs to the public, and vendors only used the published APIs, we wouldn’t have this issue. Or if we did, it would be the vendor that messed up, not MS.

      On the other hand, MS considers secret APIs to be a “competitive advantage”, so this is the price their customers pay for it. Rot in Hell, Bill.

  17. Mike

    Dave – thanks for the insights, particularly that the vulnerability of not having this patch is only exploitable to people who would have physical access to the machine along with login info. That makes me much more comfortable waiting for the updated patch….. However, I’m still surprised that Windows Update shows this update as critical and recommends installing it……

    1. Dave

      Mike

      MS13-036 is still offered – KB2823324 has been removed, the other three KB’s remain but do not cause any problems of any kind

  18. Dave

    MS13-036 is still offered. It consists of four separate patches or KB’s. The patch causing the problems is KB2823324 and it has been removed along with all links on Microsoft web pages linking to downloads for it. The other three patches cause no problems and therefore remain.

  19. Ben

    I’m having it worse than most of you. The bad update installed automatically and now the system keeps requesting “Insert your windows installation disc and restart your computer.” But no matter what I do, including trying to access the recovery partition and inserting the Win 7 upgrade disc, gets me back to the same “Insert your windows installation disc…” screen. Obviously, if I can’t get into Windows I also cannot uninstall or wait for a better update.

    The remedies under MS Article ID 2839011 call for hitting F8 and “Repair your computer.” That much I can do. But what I see next is not a prompt to select the language and log in. I see the same “Insert your windows installation disc and restart your computer.”

    1. Dave

      Ben

      Apparently you do not have a disc. You can create a System Repair Disc if you have access to a working Windows 7 computer (friend or neighbor) that is the same version (32-bit or 64-bit) as yours. You will need a blank CD or DVD for this.

      On the working Windows 7 machine, go to Start | Control Panel | Backup and Restore (may also be under System and Maintenance depending on Windows 7 version) and select ‘Create a system repair disc’ and burn the disc.

      When back at your machine, insert this disk and boot the computer from it. You can then get straight to the System Recovery options screen and pick your recovery option (restoring the system to an earlier point in time before this whole mess started is probably the best option for you) and then follow the screen prompts. After this, you should then be able to start Windows normally and reinstall your updates, minus update 2823324 of course, which should no longer be offered.

      I hope this helps.

  20. JimV

    On my Win7 Pro x64 laptop, it installed without any problems over the days since, but after reading the updated posts on this thread this morning I’ve uninstalled the KB2823324 update anyway.

  21. Dirgster

    What will happen to people who have installed KB2823324, have no computer issues so far, but find it too difficult to uninstall the update, because they are not too computer savvy? Should they leave the update installed and just wait for a fix from Microsoft to solve the issue?

    1. JimV

      Brian might have specific advice in response, and you didn’t say what OS flavor you were using so there may be some differences in the details of the procedure, but it shouldn’t be difficult with any. For Win7, open Windows Update (Start|Control Panel|Windows Update), and then click the “View update history” link on the left side of the box. That will open the list of updates which have been installed — above the list frame there will be a link embedded in the statement “Check the Status column to ensure all important updates were successful. To remove an update, see Installed Updates.” Click that link, and a different presentation of the list of installed updates will appear — select the one associated with KB2823324 (presuming its status indicates it was indeed successfully installed), then affirm you wish to uninstall it and allow it to run through. After the uninstall process finishes, you will get the notice that your computer must be restarted to complete the removal with the options of “restart now” or “restart later”. Once you restart, there will be a screen which appears after POST and before login which identifies Windows is being configured, and warns not to power the computer off while that is taking place.

  22. Ian

    For those wondering whether they should remove the patch my advice is not to. I’m sitting in front of my Win 7 64 bit machine looking at the “Preparing to configure Windows…” It has been that way for 30 minutes now….

    1. JimV

      I’m very sorry to hear that — I didn’t have any trouble whatsoever when I uninstalled it from my Win7 Pro x64 laptop, and that’s why I went through the description for Dirgster above. If that post provided encouragement and ultimately steered you wrongly into a serious problem, then I really wish I’d kept my thoughts to myself awhile longer.

      1. John Cali

        Like you, Jim, I had no problems with my Windows 7 64-bit laptop. I just followed your instructions. Thanks very much!

      2. Dirgster

        Thank you both, Jim V and Ian; Jim V for the easy-to-follow instructions on how to safely remove KB2823324 and Ian for telling his bad experience when trying to remove the update! What is one to do? I’m running Windows 7, (64-bit) on a desktop computer and have no problems after the installation of the update.

    2. Ian

      Update: I unplugged all peripherals, including Ethernet cable. No change. Pushed power long enough to sleep. Then again to wake. It went to the same screen, but then restarted and made it through the boot with the patch uninstalled. Phew!

  23. Amber

    I’ve had all sorts of problems. My extended partition formatted itself clean (thank goodness for backups), and I can’t roll back using System Restore–Windows tells me that it can’t find the file(s) related to any of my restore points prior to this update. When I attempted to go find the Installed Updates to manually uninstall, Windows tells me that there are no Installed Updates. Of course, I don’t have an install disc either since my machine didn’t ship with one. (I did create repair discs when I received it though.)

    Thanks Microsoft. 🙁 Would that I had found this out before I rebooted and lost my things…
