SANS ISC: Microsoft Patch Mayhem: February Patch Failure Summary - Internet Security | DShield SANS ISC InfoSec Forums


Microsoft Patch Mayhem: February Patch Failure Summary

February was another rough month for anybody having to apply Microsoft patches. We had a couple of posts already covering the Microsoft patch issues, but due to the number of problems, here is a quick overview of what has failed so far:

| Bulletin/KB # | Patch | Symptom | Solution |
|---|---|---|---|
| MS15-009, KB 3023607 | SSL fix to address the "POODLE" vulnerability. | Cisco AnyConnect will refuse to connect | Run AnyConnect client in Windows 7 or Windows 8 Compatibility Mode |
| KB2920732 | PowerPoint (functionality fix, not a security patch) | PowerPoint 2013 fails to start on Windows RT | "Refresh" your device (see https://support.microsoft.com/kb/2751424 ) or remove patch. Microsoft did withdraw the patch. |
| MS15-010, KB3013455 | Windows Kernel Mode Drivers | Font quality degrades in Windows Vista SP2 and Windows Server 2003 SP2 (also affected: Windows XP if you paid for extended support). | Remove patch |
| KB3001652 | Update for Microsoft Visual Studio 2010 Tools for Office Runtime | Patch will not finish installing and "hang" making the system unresponsive | This patch has to be installed as Administrator. Otherwise, the user will not see a dialog box that needs to be acknowledged to complete the install. Microsoft withdrew the patch and later reissued it. No problems with the re-issued version. |

There are 3 "versions" of this patch:

October 2014: initial release
February 10th: released as part of patch Tuesday, removed after problems were reported.
February 11th: released to fix the problems reported in Feb. 10th version

Also, an important reminder: the "Group Policy" patch alone does not fix the actual vulnerability. In addition to applying the patch, you have to enable the new group policy options:

See https://support.microsoft.com/kb/3000483 for details.
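An added example, not part of the original diary and not Microsoft's code: a PowerShell audit that reports whether the new hardening options are actually configured for the SYSVOL and NETLOGON shares on the local machine. The registry location, the wildcard path form and the `RequireMutualAuthentication` / `RequireIntegrity` value syntax are assumptions taken from Microsoft's KB 3000483 guidance, not from this page; the function names are hypothetical.

```powershell
# Added example: audit the Hardened UNC Paths policy on the local machine.
# Assumption: policy values live under this key (per the KB 3000483 guidance).
$key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$required = @('RequireMutualAuthentication', 'RequireIntegrity')
$shares   = @('\\*\SYSVOL', '\\*\NETLOGON')

# Turn "RequireMutualAuthentication=1, RequireIntegrity=1" into a hashtable.
function ConvertFrom-HardenedPathValue {
    param([string]$Value)
    $flags = @{}
    foreach ($pair in $Value -split ',') {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name.Trim()] = "$setting".Trim() }
    }
    return $flags
}

# Report OK, WEAK (entry exists but a required option is not 1) or MISSING.
function Test-HardenedPath {
    param([hashtable]$Configured, [string]$Share)
    if (-not $Configured.ContainsKey($Share)) { return 'MISSING' }
    $flags   = ConvertFrom-HardenedPathValue $Configured[$Share]
    $missing = $required | Where-Object { $flags[$_] -ne '1' }
    if ($missing) { return "WEAK (not set to 1: $($missing -join ', '))" }
    return 'OK'
}

# Read every configured path; an absent key means the policy was never enabled.
$configured = @{}
if (Test-Path $key) {
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $configured[$name] = [string]$item.GetValue($name)
    }
}

foreach ($share in $shares) {
    '{0,-14} {1}' -f $share, (Test-HardenedPath $configured $share)
}

# Entries for specific servers or domains are listed for manual review,
# since this check only evaluates the wildcard forms above.
$configured.Keys | Where-Object { $shares -notcontains $_ } |
    ForEach-Object { '{0} = {1}' -f $_, $configured[$_] }
```

A machine that has the patch installed but prints `MISSING` for both shares is in the state the reminder above describes: patched, but not protected.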

---
Johannes B. Ullrich, Ph.D.

Johannes

3508 Posts
ISC Handler
Does enabling the GPO patch by requiring SMB signing affect only GPO application or does it turn it on globally? If the latter, those of us running non-Windows file shares such as mainframes cannot enable it.
Anonymous
I took KB3013455 off my system on Saturday, and find to my dismay that the automatics have put it back again today. How do I prevent this from being an endless cycle? Vista-64 Home edition.
HackerHater

6 Posts
I had the same question. We have a hybrid environment of Windows and UNIX and we need to make sure we will still have compatibility.
As it is, we are only enabling the new features on sysvol and Netlogon like Microsoft recommends since Windows login scripts don't run for our UNIX users.
Jasey

93 Posts
