Beware of MS hotfixes KB2735855 and KB2750841

Marcos · #1 September 25th, 2012, 09:19 AM

The recently released hotfixes KB2735855 and KB2750841 have been confirmed to cause data corruption during the download when a 3rd party driver working at Windows Filtering Platform layer intervenes in the communication. ESET has demonstrated it using a sample driver from Windows Development Kit and will contact Microsoft to address the issue with as highest priority as possible. In the mean time, we strongly recommend removing this hotfix until Microsoft comes up with a solution.

Update: Microsoft has released hotfix 2789397 addressing this issue.

Wallaby · #2 September 25th, 2012, 11:59 AM

What is the practical symptom and the practical effects of this fact?

Marcos · #3 September 25th, 2012, 12:06 PM

So far we know about corrupted (non-executable) files downloaded via Internet Explorer but it's probably just a coincidence that the issue hasn't been reported with other browsers yet.

siljaline · #4 September 25th, 2012, 10:43 PM

Many are remiss in uninstalling this patch from:
http://technet.microsoft.com/en-us/s...letin/ms12-sep. Waiting for further disposition from ESET.

johnpd · #5 September 26th, 2012, 01:20 AM

I attempted to uninstall the fix. It hung at the infamous "Preparing To Configure Windows, Please Do Not Turn Off Your Computer" message. When I finally decided to shutdown the computer (a laptop), it would only go into sleep mode and returned to the "Preparing" message when I powered back up. I eventually had to disconnect the AC and remove the battery in order to get it to boot from scratch. Once I got it back, it finished up and booted to Windows. Not fun.

JohnD

rcdailey · #6 September 26th, 2012, 02:09 AM

Quote:

Originally Posted by johnpd

I attempted to uninstall the fix. It hung at the infamous "Preparing To Configure Windows, Please Do Not Turn Off Your Computer" message. When I finally decided to shutdown the computer (a laptop), it would only go into sleep mode and returned to the "Preparing" message when I powered back up. I eventually had to disconnect the AC and remove the battery in order to get it to boot from scratch. Once I got it back, it finished up and booted to Windows. Not fun.

JohnD

I would hate to try uninstalling the fix on a laptop that needs to be running during the day. I just did another update (this time for MS Security Essentials) on a laptop running Win 7 Pro 64-bit. This laptop was never offered SP1, but seems to be fine. All the updates that have been offered were installed. The laptop required a restart, but the other systems (that have SP1) did not. Maybe many laptops are going to be difficult when it comes to uninstalling the fix, and perhaps all systems that did not get SP1.

johnpd · #7 September 26th, 2012, 07:54 AM

The laptop is a Lenovo Win7 Pro 64-bit. I recall something like this happening once before where it would not shutdown. I don't remember what I was doing at the time, but I again had to remove all power from it to get it to shutdown completely.

JohnD

Trooper · #8 September 26th, 2012, 10:45 AM

Quote:

Originally Posted by siljaline

Many are remiss in uninstalling this patch from:
http://technet.microsoft.com/en-us/s...letin/ms12-sep. Waiting for further disposition from ESET.

I have a dead link showing here.

rockshox · #9 September 26th, 2012, 12:28 PM

We rolled this hotfix out to around 200 machines a couple weeks ago. We haven't had any reports of any download issues with NOD32 4.2.76.0.

What are the steps to recreate this issue? I downloaded some non-executable files from IE that all worked correctly.

Dark Shadow · #10 September 26th, 2012, 01:12 PM

Quote:

Originally Posted by Trooper

I have a dead link showing here.

Same here with server error.

LowWaterMark · #11 September 26th, 2012, 01:31 PM

Quote:

Originally Posted by Dark Shadow

Same here with server error.

There was an extra period inside of link. The original post with link has been edited to fix that.

Dark Shadow · #12 September 26th, 2012, 03:15 PM

working perfect now.Thanks LWM

siljaline · #13 September 26th, 2012, 04:19 PM

My bad on broken link. Thanks @ LWM

http://technet.microsoft.com/en-us/s...letin/ms12-sep

pacek · #14 September 27th, 2012, 07:40 AM

I tested this issue and wrote about all workarounds in this thread:
http://answers.microsoft.com/en-us/w...c-d46e91878bc0
I sent bug report to ESET but they didn't answer me yet...
Do you know is it a ESET HTTP filter related issue or Microsoft patch issue?

hillrb · #15 September 27th, 2012, 08:39 AM

Quote:

Originally Posted by Wallaby

What is the practical symptom and the practical effects of this fact?

We use the Business version and rolled this out to around 100 machines last week via WSUS and I later discovered issues in Internet Explorer 8 and 9. The issues were related with searches. If you tried to search via the search bar (top right), the window that opened would say, "Internet Explorer cannot display the webpage". If you hit F5 many times, you might get the search window to finally populate, but usually wouldn't. Secondly, if you tried to search via the BING bar on MSN's homepage, it would do the same thing. I didn't notice the problem using Firefox though (not sure why). After discovering these problems from several people calling, I set WSUS to uninstall the patches from the computers and as far as I can tell, the uninstalls went successfully. Heck, I installed/uninstalled on my computer probably about 8 times with no problems. I posted to a TechNet forum yesterday about this and it finally occurred to me this morning that it might be a problem with NOD32 and sure enough I found this forum.

Kind Regards,
Brett

rcdailey · #16 September 27th, 2012, 08:49 AM

Quote:

Originally Posted by siljaline

My bad on broken link. Thanks @ LWM

http://technet.microsoft.com/en-us/s...letin/ms12-sep

The only critical patch listed in the link is:

Cumulative Security Update for Internet Explorer (2744842)

I did not find the KB2735855 patch listed in the link above. Maybe MS has changed the content?

The Win 7 systems had the patch KB2735855 installed and no one has noticed a search issue in IE9, but the default browser is set to Chrome. Some are using IE9 anyway and I am sure they would have commented. NOD32 is not installed on the Win 7 systems.

geekpryde · #17 September 27th, 2012, 11:49 AM

WOW! I am so happy I randomly stopped by these forums today. I have been pulling out my hair and freaking out at Fortinet (hardware firewall vendor) for all these broken downloads, busted youtube videos, busted quicktime videos, etc. Ie downloads have been particularly troublesome. Yahoo.com IE homepage has been randomly crashing just sitting there (no user activity). I was 100% sure it was the firewall and blaming Fortinet for pusing a bad IPS sig or AV sig.

So happy there are smart people here!

I am uninstalling KB2735855 now. I will report back in 24 hours and see if there are any further broken downloads at the company (around 30 users).

pacek · #18 September 27th, 2012, 03:50 PM

Quote:

Originally Posted by geekpryde

I am uninstalling KB2735855 now. I will report back in 24 hours and see if there are any further broken downloads at the company (around 30 users).

This issue occurs only on 4-core (and more) Intel and AMD CPUs. If you don't want to do mess with uninstalling this Microsoft update, you can disable HTTP filter in ESET and then everything will be OK with your transfer. It won't be a problem if you use ESET Remote Administration Console (ERAC) with ESET Remote Administration Server. You can do it via Configuration Task in ERAC, and it's done in few seconds. You must understand that disabling HTTP filter will increase risk of infection via HTTP protocol. Uninstalling KB2735855 can be done via WSUS but it'll consume you more time to propagate over the network and also it requires rebooting of the computer, which is annoying to users.
Good luck

rcdailey · #19 September 28th, 2012, 01:14 AM

It occurs to me that if this MS patch does not cause a problem with respect to other AV software (or other applications in general), then MS is not going to do anything about it. Eset users will have to do what you suggest or quit being Eset users. I am still unhappy about having to disable Malwarebytes Pro real-time protection in order to use Eset 5.x on my XP system. The fix for that is still pending.

Marcos · #20 September 28th, 2012, 04:38 AM

We've received a response from MS: I have forwarded your issue to our sustained engineering folks to investigate.

SaphireX · #21 October 4th, 2012, 05:51 AM

Hi Marcos
I noticed this morning that the Internet protection module: 1047 (20121002) updated (since I have pre-release updates selected)
Is this possibly the fix to this issue?
Thanks

Marcos · #22 October 4th, 2012, 06:25 AM

Quote:

Originally Posted by SaphireX

Hi Marcos
I noticed this morning that the Internet protection module: 1047 (20121002) updated (since I have pre-release updates selected)
Is this possibly the fix to this issue?
Thanks

The module addresses an issue with Windows Updates after recent changes in the Windows Update Agent. As for the issues caused by the hotfix 2735855, Microsoft was provided all information and files necessary to debug the issue and is currently looking into it.

siljaline · #23 October 4th, 2012, 10:08 PM

Although I have not yet removed the hotfix, my system information on non pre-release. I am showing these module changes.

Quote:

Antivirus and antispyware scanner module: 1367 (20120921)
Archive support module: 1153 (20120917)

etretat · #24 October 19th, 2012, 02:04 PM

Marcos:

Any evolution and / or solution for this problem?

Regards,

etretat.

TONPumper · #25 October 20th, 2012, 03:36 PM

Is this fix included with Windows updates, or is it something that has to be manually downloaded and installed? I'm just wondering if this could be the cause of my problem.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search