Microsoft Telling Users To Uninstall Bad Patch

msm1267 writes "Microsoft announced last night that it has stopped pushing a security update originally released on Patch Tuesday because the fix is causing some PCs to blue-screen. Microsoft recommends users uninstall the patch, which is also causing compatibility issues with some endpoint security software. MS13-036 was part of this week's Patch Tuesday update. It addressed three vulnerabilities in the Windows Kernel-Mode Driver, which if exploited could allow an attacker to elevate their privileges on a compromised machine. Users began reporting issues earlier this week with some systems failing to recover from restarts, or applications failing to load, after the patch was installed."

Re:

[Chris Mattern]

Hideki!

Chi!

Re:

[flimflammer]

Well that's a new one.

Here's how to uninstall it..

[americamatrix]

Just incase your having the problem, here is the easiest way to uninstall the update.

Open an elevated Command Prompt and type "wusa.exe /uninstall /kb:2823324 /quiet /norestart" without the quotes.

You should be good to go now :)


-americamatrix

Re:Here's how to uninstall it..

[Anonymous Coward]

I thought it was:

• 0) unlock secure boot
• 1) reboot to FreeDOS
• 2) format C: /q
• 3) install another OS

Windows 8 itself is the "patch" no?

Re:

[Anonymous Coward]

That's definitely not the easiest, that's what you do when you're too fucking stupid to fix the problem by uninstalling the patch.

Re:Here's how to uninstall it..

[Anonymous Coward]

Have you tried turning it off and then on again?

Re:

[TheRealDevTrash]

What it is, is LUPUS.

Re:

[Molochi]

Remember, you need to restart the machine three times.

Re:

[GaratNW]

When they said uninstall a bad patch, I just thought that was a euphemism for Windows 8.

Re:

[GigaBurglar]

cleer ur cashey

Re:

[HybridST]

I use an eight-pound sledge myself. YMMV.

Re:

[GigaBurglar]

It's actually easier to take a leaf out of the book of the majority and forgo updating at all; indefinitely.

Re:

[Trax3001BBS]

It's actually easier to take a leaf out of the book of the majority and forgo updating at all;

That's what I've done in the past, disabling auto updating, I'd go and get the ones
that were really needed. Never using IE skip those and firewall the one installed.
It's also what I advised others to do, Usenet.

Before an update could take down your system, it's been so long since an update
caused any problems; that just recently I've started downloading them, figuring
they'd finally got their act together.

As fate may have it I passed on the one mentioned here.

Indefinitely.

Yes indeed.

Re:

[Black LED]

That's what I do. I have auto update disabled and only manually update to the latest patches after they've been out for a while.

Re:

[GigaBurglar]

It's like walking the plank.. abandon ship!

Re:

[Douglas Goodall]

I got through step 2, but when it came to step 3 the computer wouldn't boot. I need to access my data on the computer, what do I do now?

Re:Here's how to uninstall it..

[Anonymous Coward]

How is that easier than navigating through four dozen menus and dialogs of advanced options? I really don't understand you command-line people.

Re:

[synapse7]

Then sifting through the list(is it even sortable) of installed updates for the proper kb to be removed.

Re:Here's how to uninstall it..

[Anonymous Coward]

You missed the whoosh step.

Re:

[sapgau]

It's all good except for Windows XP users, T_T

Re:Here's how to uninstall it..

[Toreo asesino]

Kudos for providing some actual useful info for an MS product on Slashdot. Unfortunately it's a rarity around these parts.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[TheRealMindChild]

Well, they may not be able to single out exact hardware, just some examples which fail. This patch was to win32k.sys which, among other things, provides the hardware abstraction layer to the NT/Win32 API. It could have made assumptions that turned out not true on corner-case hardware, could have been a problem with actual buggy hardware that didn't follow published specs (not uncommon), or any number of crazy things.

Re:

[Tharkkun]

What is useful? Another posted his CLI doesn't work, and for another neither he nor MSFT said WHAT HARDWARE CAUSES THE FAULT which frankly without THAT knowledge is worth fuck and all because I've applied the patch to a couple dozen bog standard desktops and laptops and? I got nothing. Its gotta either be a funky driver or a piece of funky hardware that is causing this because if its anything bog standard I usually run into it but so far AMD, Intel and Nvidia graphics, Realtek and Sigmatel sound, AMD and Intel chipsets (don't have any Nvidia chipsets on hand ATM) and I haven't seen squat, just been another patch Tues round here.

Oh I did have to reboot my old nettop a couple of times but considering the fact the hard drive already has some bad sectors and the entire system is older than dirt and I'm just waiting on the hardware to finally die because i REALLY don't want to deal with one of my own machines on top of all the other machines I got to deal with? I honestly can't say it was the patch, might have just tried to write to a failing sector. Its an old XP box and XP never was great at dealing with failing sectors...meh its working fine now, left it on for 3 days and its still going when I came in so who cares.

So if anybody knows what actual hardware or software actually causes the thing it would be nice to know, then I'd at least know if any of these systems are at risk, because right now they seem to be running fine and the 2 that got picked up I haven't heard squat from the owners so I'm guessing they are running fine as well.

The article says it's conflicting with certain endpoint security software. That would be antivirus or encryption and I know from using McAfee EPE modifying a kernel driver can cause your machine to blue screen. So it makes perfect sense. Then again if you have an Endpoint Encryption suite running and you aren't testing your Windows updates prior to pushing them you should be asking yourself if you're qualified to do your job.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[malakai]

You're only human...
http://www.telegraph.co.uk/science/science-news/9989623/Feeling-of-being-watched-hardwired-in-brain.html [telegraph.co.uk]

Re:

[DontBlameCanada]

O Hai there paid M$ shill.

Re:

[Anonymous Coward]

And killing people is a capital offense, yet the government has people whose job it is to kill. I bet MS has professional trolls who are exempt from your rule.

Re:

[rot26]

How could anyone be fired for doing something that 0% of them do?

Re:

[dcollins117]

They are fired preemptively, before they are even hired.

Re:

[hawkinspeter]

That's why they outsource it to a different company. They're not employed directly by Microsoft, so they don't have to disclose anything.

Re:

[Ol Olsoc]

There is *precisely* 0% chance there's any Microsoft marketing people in discussions here, commenting on anything related to Microsoft, without disclosing that. People are regularly fired for it.

How can people be regularly fired for something there is a 0 percent chance of them doing?

Re:

[NemoinSpace]

People are regularly fired for it.

You mean Microsoft regularly fires people for NOT doing it?

Re:Here's how to uninstall it..

[Anonymous Coward]

The command in americamatrix’s post is intended for use after you’ve install the windows update(s), but before you’ve rebooted your system to fully apply them. It may also work after rebooting if the update doesn’t prevent a successful reboot, but does cause other problems (e.g. causing Kapersky to lose its license). It’s basically the same thing as using the Programs Control Panel “View Install Updates” feature to uninstall it.

Also, I’d recommend leaving off the “/quiet” flag so that you get some comforting feedback that it has actually worked. So: “wusa /uninstall /kb:2823324 /norestart” (no need for “.exe” either, of course).

If you’ve already rebooted your system and now cannot get into it because of the update (symptoms may include a false indication of file system corruption on a hard drive [Event ID 55], STOP: c000021a {Fatal System Error} status 0xC000003a, or “Windows failed to start Status: 0xc000000e”), there are other ways to remove it, involving either using System Restore or Boot to Command Prompt and issuing a command.

Full details at: http://support.microsoft.com/kb/2839011 [microsoft.com]

Note that this update is apparently only applied to systems running Windows 7 pre-SP1 or SP1, Windows Server 2008 R2 pre-SP1 or SP1, or Windows Server 2008 non-R2 SP2 (any edition of any of these). If you’re running Windows XP, Vista, or 8, presumably this won’t be an issue as the update would never even have been offered via Windows Update.

Re:

[Thornburg]

Note that this update is apparently only applied to systems running Windows 7 pre-SP1 or SP1, Windows Server 2008 R2 pre-SP1 or SP1, or Windows Server 2008 non-R2 SP2 (any edition of any of these). If you’re running Windows XP, Vista, or 8, presumably this won’t be an issue as the update would never even have been offered via Windows Update.

If that's the case, then why does the linked bulletin list every version of Windows under the sun (including RT and Server 2012!) as affected?

Re:

[toph2223]

Nice work man.. Really appreciate that :D

Re:

[AnotherAnonymousUser]

Most helpful comment on Slashdot ever!

Re:

[Sponge Bath]

Why would you want to uninstall this Blue Screen of Defense security patch? Nothing is more secure than a non-functioning system.

Re:

[RockDoctor]

Just incase your having the problem, here is the easiest way to uninstall the update. Open an elevated Command Prompt and type "apt-get install Linux" without the quotes.

FTFY

One driver eh?

[BitZtream]

It addressed three vulnerabilities in the Windows Kernel-Mode Driver

The? When did their become ONE 'driver' for all of windows?

Not that its the editor or submitters fault, its that way in the actual KB article.

Apparently MS has hired the slashdot guys to edit/approve new knowledge base entires.

Re:

[BitZtream]

FAIL ... yes, I know, if you're going to edit troll it helps if you can post a properly written post yourself ... I failed :(

Re:

[__aaqvdr516]

The original knowledge base article which is linked to the fix contains the kernel mode drivers. It makes sense in the context of the linked articles, so the fault with the confusion lies with threatpost.com for not providing all the relevant information.

This link is the knowledge base article in question:
https://support.microsoft.com/kb/2829996 [microsoft.com]

The kernel mode drivers are: ntfs.sys and win32k.sys.

I guess that's what happens when you use a summary of a bugfix to write an article.

Reminds me of another patch . . .

[smooth wombat]

Microsoft put out years ago which killed ones network connection.

The solution? Go back to Microsoft's site to get the updated patch.

Erm, yeah. Great idea. You kill my network connection then want me to go back to your site to fix the issue.

So much for the vaunted "best and brightest" following standard project processes such as TESTING.

Re:Reminds me of another patch . . .

[Anonymous Coward]

Hello. My name is Anonymous Coward. You killed my network connection. Prepare to die.

Re:Reminds me of another patch . . .

[Endo13]

STOP SAYING THAT!

Re:

[interval1066]

I doan thin that word means wat you thin it means.

Re:

[Endo13]

Inconceivable!

Re:

[Anonymous Coward]

It turned out it killed the network connection /except for the Administrator account/ so downloading the fix was very feasible.

Re:

[lord_rob the only on]

If you have problems with your network, contact your company's IT team by email.
(ok stupid joke I know, couldn't resist :)

Re:

[green1]

If only my company would figure out that this is a joke! They frequently send us emails to notify us that the network is down and not to call support because they are aware of it... Great idea guys, but if I could get to my email I wouldn't be calling support!

Re:

[TheLink]

I think many ISPs do the reverse - they don't invest in proper network monitoring and let their customers and call centre do the network monitoring for them ;).

Why I never auto-install updates

[Anonymous Coward]

I set Windows Update to notify and download updates, but never to auto-install them. I also usually hold updates a few days before installing. Use the same policy with my Linux boxes and have never run into problems.

Re:Why I never auto-install updates

[O('_')O_Bush]

That is a good strategy, but, unfortunately, many of us using business computers (issued laptops, etc) don't have that kind of control over the update policy.

Re:Why I never auto-install updates

[Endo13]

And if your business is worth a shit, their own strategy is even more careful and rigorous than what the GP posted.

Re:

[TheLink]

Doesn't even have to be more careful or rigorous. Set the autoupdates to be on Monday then there'd be 6 days for others to notice the problem and for the update to be pulled. Can't remember the last time where Microsoft pulled a BSOD level Windows update more than 6 days after it was released.

Of course it doesn't work if everyone starts doing that ;).

The other problem with the "Download updates and let me choose when to install them" option is many versions of Windows have a nasty habit of changing the shut

Re:

[Endo13]

Or, ya know, have your IT team install it on a test box for a few days to see if anything breaks. That's how most businesses would do it. Well, the ones that care enough to set policies on downloading windows updates anyway.

Re:

[ultranova]

But then again, is a problem with an issued computer your problem? Surely you have your own computer and only use the business computer for business matters? Who knows what spyware it might have, after all.

Re:

[Frontier Owner]

That is a good strategy, but, unfortunately, many of us using business computers (issued laptops, etc) don't have that kind of control over the update policy.

or better yet, windows update is disabled. We only get updated when out IT department deems it necessary.

Re:

[The Rizz]

I do the same. Unfortunately, Windows will attempt to install them by default whenever you shut down the computer - you have to choose a special "shut down without installing" option while there are any critical updates waiting for install.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[dehole]

Microsoft knows better than you whats good for you, apparently.

Re:

[Brucelet]

Exactly! Wait for the first adopters, or "gamma testers", to demonstrate that something is actually safe to use.

Re:

[Dunbal]

Not many actually. Windows 7 is pretty good. All these vulnerabilities they are patching only work when the attacker has local access to your machine. And everyone will tell you that if someone has local access, that machine is compromised, period, no matter what OS you are running.

So, based on the linked garb, this only...

[gatesstillborg]

...affects Vista, 7, /Server? Shoot, perhaps we're already seeing the impact of failing to support XP! :)

Windows versions affected

[felipou]

All versions of Windows since Windows XP are affected! How much code from Windows XP is still used in Windows 8??

Re:Windows versions affected

[gewalker]

I don't know that answer, but I would hope that the answer was "quite a lot of it". Old cold is not bad code, it is the code that has generally stood the test of time. Not that it is defect free, but that the defect rates are generally lower than the newly written code. Even such basic steps as recompiling for 64-bit, causes new breakage (old code was defective, but the problem was masked). This appears likely to be one of those old problems that became unmasked with the latest patch.

Re:Windows versions affected

[Dins]

How much code from Windows XP is still used in Windows 8??

You know how chimpanzees share something like 98% of their DNA with humans? It's like that...

Re:

[Minwee]

You know how chimpanzees share something like 98% of their DNA with humans? It's like that...

Has anyone told Prenda Law about this? Those chimpanzees may have to pay a bundle to avoid being sued for all that unauthorized sharing.

Re:

[GigaBurglar]

And 50% with a banana - you are what you eat as 'they' say..

Re:

[marvinglenn]

And Windoze 95 is an ancestory of yours.

Re:

[StormReaver]

You know how chimpanzees share something like 98% of their DNA with humans?

I'm always having to tell the chimpanzees to keep their DNA to themselves, thank you very much.

Re:

[Anonymous Coward]

It's a kernel mode driver change/error. It would be like God doing a bad update on hydrogen.

Re:

[mikazo]

You'd be surprised to find that some old code from 16-bit Windows is still kicking around in Windows 8... things just get ported to the next OS so that they work. Code is only re-written or developed from scratch if it's for new features or the old code was so broken or impossible to port that it had to be re-written.

Re:

[Curate]

There's no 16-bit code in the 64-bit versions of Windows. 16-bit code requires the NTVDM (virtual DOS machine) to run, and NTVDM is not present in 64-bit Windows. Now 32-bit Windows still has NTVDM, and a handful of old 16-bit command line programs (command.com, edit.com, etc.) are thrown in as well, but none of these are essential to Windows. These are old DOS commands that have been dropped in Windows.

Re:

[mikazo]

I meant as I wrote it, "old code from 16-bit Windows" that is compiled into 64-bit binaries (obviously with some modification to make it work). Some of the code has been around since the 16-bit days and just molded to make it keep working in 32-bit and 64-bit Windows.

Re:

[Ravaldy]

I would think that whatever didn't need changing would use the same code. You wouldn't recode the calculator if it worked.

hmmm looky there what was lurking in my updates...

[Greg01851]

Good thing I saw this article, THEN looked at my pending updates... I had just set up my new computer with Win7 64bit yesterday... and of course had tons of updates to do... Wonder why it stayed in the list even after I refreshed if there's such an issue with it?

Windows - Destroying hardware and helping sales!

[oxidus60659]

Windows update has fried at least two pieces of my hardware in the last year. First it torched my videocard immediately after restarting for a windows update. Next, the PCI express slot wouldn't register on my motherboard, good thing I had another one!

Re:

[Tharkkun]

Windows update has fried at least two pieces of my hardware in the last year. First it torched my videocard immediately after restarting for a windows update. Next, the PCI express slot wouldn't register on my motherboard, good thing I had another one!

That's very similar to my laptop which tries to kill me during the Winter months. I try very hard to sneak up on it by wearing socks on a soft carpet but it always seems to hear me coming and zaps me the moment I touch it.

Re:

[Quirkz]

Once at the office I touched my laptop and the static shock was strong enough it made the computer reboot. That one was a little scary.

GFD microsoft!

[AndyKron]

So they push out updates all the time to the point where I'm ready to throw my computer out the window, and now we get BSOD? God fucking damnit Microsoft!

Re:

[Sponge Bath]

It certainly seems to happen more often than one a week. The wife of a guy I work with leaves her Window laptop in sleep mode at night and it will wake up on its own at 3AM to update, flooding the bedroom with light from the screen. I suppose that feature is this one http://support.microsoft.com/kb/979878 [microsoft.com]. Fun with Windows.

I suspected as much

[Control-Z]

A lightly-used XP machine blue-screened on me this week for the first time, and wouldn't boot without blue-screening. I put it through memory and hard drive checks which it passed just fine. I suspected it might have been a MS patch. Somehow it finally rebooted after 4 or 5 tries, but I haven't rebooted it since. Now I know what patch did it, I can uninstall it. Sheesh.

This must be the reason for the delay ...

[Skapare]

... of North Korea's nuclear missile launch.

Repair released for the patch

[JRHelgeson]

There is a bootable disk that MS has released to help users recover from this nightmare.

Link: http://www.microsoft.com/en-us/download/details.aspx?id=38435 [microsoft.com]

Repair Disk for KB2823324 and KB2782476 (KB2840165)
To help customers who are experiencing difficulties restarting their systems after installation of security update 2823324, Microsoft is making available a bootable media ISO image through the Microsoft Download Center (DLC). Clicking Download means you agree to the MICROSOFT SOFTWARE LICENSE TERMS.

Re:

[Anonymous Coward]

Quick! While you have them on the line, tell them about 9/11, the 2004 Boxing Day Tsunami, the 2010 Haiti Earthquake, 2011 Thoku earthquake / tsunami and Fukushima Daiichi disaster! Oh, and see if you can have them drop a note in the mail to 1999 me that says "12-03-30: 46-23-38-04-02/M23", he'll know what to do with it.

Re:

[flimflammer]

No, fuck that. I don't want the future to change and all humans growing like spider legs or something.