Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Microsoft Patch Mayhem: February Patch Failure Summary SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Microsoft Patch Mayhem: February Patch Failure Summary

February was another rough month for anybody having to apply Microsoft patches. We had a couple of posts already covering the Microsoft patch issues, but due to the number of problems, here a quick overview of what has failed so far:

Bulletin/KB # Patch Symptom Solution
MS15-009
KB 3023607		 SSL fix to address the "POODLE" vulnerability. Cisco AnyConnect will refuse to connect run AnyConnect client in Windows 7 or Windows 8 Compatibilty Mode
KB2920732 PowerPoint (functionality fix, not a security patch) Powerpoint 2013 fails to start on Windows RT "refresh" your device (see https://support.microsoft.com/kb/2751424 ) or remove patch. Microsoft did withdraw the patch.
MS15-010
KB3013455		 Windows Kernel Mode Drivers Font quality degrades in Windows Vista SP2 and Windows Server 2003 SP2 (also affected: Windows XP if you paid for extended support). remove patch
KB3001652 Update for Microsoft Visual Studio 2010 Tools for Office Runtime Patch will not finish installing and "hang" making the system unresponsive

This patch has to be installed as Administrator. Otherwise, the user will not see a dialog box that needs to be acknowledged to complete the install. Microsoft withdrew the patch and later reissued it. No problems with the re-issued version.

There are 3 "versions" of this patch:

October 2014: initial release
February 10th: released as part of patch Tuesday, removed after problems were reported.
February 11th: released to fix the problems reported in Feb. 10th version

In addition, an important reminder that the "Group Policy" patch alone does not fix the actual vulnerability. In addition to applying the patch, you have to enable the new group policy options:

See https://support.microsoft.com/kb/3000483 for details.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Intrusion Detection In-Depth - SANS Cyber Defense Forum & Training

 Johannes

3950 Posts
ISC Handler
Feb 16th 2015
Subscribe Feb 16th 2015
5 years ago
Does enabling the GPO patch by requiring SMB signing affect only GPO application or does it turn it on globally? If the latter, those of us running non-Windows file shares such as mainframes cannot enable it.
 Anonymous
Quote Feb 16th 2015
5 years ago
I took KB3013455 off my system on Saturday, and find to my dismay that the automatics have put it back again today. How do I prevent this from being an endless cycle? Vista-64 Home edition.
 HackerHater

7 Posts
Quote Feb 16th 2015
5 years ago
I had the same question. We have a hybrid environment of Windows and UNIX and we need to make sure we will still have compatibility.
As it is, we are only enabling the new features on sysvol and Netlogon like Microsoft recommends since Windows login scripts don't run for our UNIX users.
 Jasey

93 Posts
Quote Feb 17th 2015
5 years ago

Sign Up for Free or Log In to start participating in the conversation!