Beware of MS hotfixes KB2735855 and KB2750841

Discussion in 'ESET NOD32 Antivirus' started by Marcos, Sep 25, 2012.

  1. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The recently released hotfixes KB2735855 and KB2750841 have been confirmed to cause data corruption during the download when a 3rd party driver working at Windows Filtering Platform layer intervenes in the communication. ESET has demonstrated it using a sample driver from Windows Development Kit and will contact Microsoft to address the issue with the highest priority possible. In the meantime, we strongly recommend removing this hotfix until Microsoft comes up with a solution.

    Update: Microsoft has released hotfix 2789397 addressing this issue.
     
    Last edited: Feb 20, 2013
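
For admins who pushed these updates through WSUS, a way to see which machines still carry either problem hotfix without the later one. This is an added example, not part of the original thread and not ESET or Microsoft tooling; the KB numbers are the ones in the post above, the default computer list is a placeholder, and treating "2789397 present" as "resolved" is an assumption based on the update note.

```powershell
# Added example. KB numbers come from the post above; everything else is illustrative.
param(
    # Placeholder: pass your own machine names, defaults to the local computer.
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$problemKbs = 'KB2735855', 'KB2750841'   # hotfixes reported to corrupt downloads
$fixKb      = 'KB2789397'                # hotfix released to address the issue

function Get-HotfixExposure {
    param([string]$Computer)

    try {
        # List everything once and filter locally: asking Get-HotFix for an
        # -Id that is not installed raises an error instead of returning nothing.
        $installed = @(Get-HotFix -ComputerName $Computer -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID)
    }
    catch {
        return [pscustomobject]@{
            Computer = $Computer; Status = 'Unreachable'
            ProblemKbs = ''; FixInstalled = $null
        }
    }

    $present = @($installed | Where-Object { $problemKbs -contains $_ })
    $hasFix  = $installed -contains $fixKb

    # Assumption: a machine with a problem hotfix but also the fix is resolved.
    $status = if ($present.Count -eq 0) { 'NotInstalled' }
              elseif ($hasFix)          { 'Fixed' }
              else                      { 'NeedsFix' }

    [pscustomobject]@{
        Computer     = $Computer
        Status       = $status
        ProblemKbs   = ($present -join ',')
        FixInstalled = $hasFix
    }
}

# Machines marked NeedsFix are the ones to patch or roll back first.
$ComputerName | ForEach-Object { Get-HotfixExposure -Computer $_ } |
    Sort-Object Status, Computer |
    Format-Table -AutoSize
```
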
  2. Wallaby

    Wallaby Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    156
    Re: Beware of MS hotfix KB2735855

    What is the practical symptom and the practical effects of this fact?
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: Beware of MS hotfix KB2735855

    So far we know about corrupted (non-executable) files downloaded via Internet Explorer but it's probably just a coincidence that the issue hasn't been reported with other browsers yet.
     
  4. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Last edited by a moderator: Sep 26, 2012
  5. johnpd

    johnpd Registered Member

    Joined:
    May 23, 2004
    Posts:
    80
    Re: Beware of MS hotfix KB2735855

    I attempted to uninstall the fix. It hung at the infamous "Preparing To Configure Windows, Please Do Not Turn Off Your Computer" message. When I finally decided to shut down the computer (a laptop), it would only go into sleep mode and returned to the "Preparing" message when I powered back up. I eventually had to disconnect the AC and remove the battery in order to get it to boot from scratch. Once I got it back, it finished up and booted to Windows. Not fun.

    JohnD
     
  6. rcdailey

    rcdailey Registered Member

    Joined:
    Dec 25, 2009
    Posts:
    233
    Re: Beware of MS hotfix KB2735855

    I would hate to try uninstalling the fix on a laptop that needs to be running during the day. I just did another update (this time for MS Security Essentials) on a laptop running Win 7 Pro 64-bit. This laptop was never offered SP1, but seems to be fine. All the updates that have been offered were installed. The laptop required a restart, but the other systems (that have SP1) did not. Maybe many laptops are going to be difficult when it comes to uninstalling the fix, and perhaps all systems that did not get SP1.
     
  7. johnpd

    johnpd Registered Member

    Joined:
    May 23, 2004
    Posts:
    80
    Re: Beware of MS hotfix KB2735855

    The laptop is a Lenovo Win7 Pro 64-bit. I recall something like this happening once before where it would not shut down. I don't remember what I was doing at the time, but I again had to remove all power from it to get it to shut down completely.

    JohnD
     
  8. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Last edited by a moderator: Sep 26, 2012
  9. rockshox

    rockshox Registered Member

    Joined:
    Oct 23, 2009
    Posts:
    261
    Re: Beware of MS hotfix KB2735855

    We rolled this hotfix out to around 200 machines a couple weeks ago. We haven't had any reports of any download issues with NOD32 4.2.76.0.

    What are the steps to recreate this issue? I downloaded some non-executable files from IE that all worked correctly.
     
  10. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Re: Beware of MS hotfix KB2735855

    Same here with server error.
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Re: Beware of MS hotfix KB2735855

    There was an extra period inside of the link. The original post with the link has been edited to fix that.
     
  12. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Re: Beware of MS hotfix KB2735855

    Working perfectly now. Thanks LWM
     
  13. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  14. pacek

    pacek Registered Member

    Joined:
    Sep 27, 2012
    Posts:
    4
    Location:
    Poland
  15. hillrb

    hillrb Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    44
    Re: Beware of MS hotfix KB2735855

    We use the Business version and rolled this out to around 100 machines last week via WSUS and I later discovered issues in Internet Explorer 8 and 9. The issues were related to searches. If you tried to search via the search bar (top right), the window that opened would say, "Internet Explorer cannot display the webpage". If you hit F5 many times, you might get the search window to finally populate, but usually wouldn't. Secondly, if you tried to search via the BING bar on MSN's homepage, it would do the same thing. I didn't notice the problem using Firefox though (not sure why). After discovering these problems from several people calling, I set WSUS to uninstall the patches from the computers and as far as I can tell, the uninstalls went successfully. Heck, I installed/uninstalled on my computer probably about 8 times with no problems. I posted to a TechNet forum yesterday about this and it finally occurred to me this morning that it might be a problem with NOD32 and sure enough I found this forum.

    Kind Regards,
    Brett
     
    Last edited: Sep 27, 2012
  16. rcdailey

    rcdailey Registered Member

    Joined:
    Dec 25, 2009
    Posts:
    233
    Re: Beware of MS hotfix KB2735855

    The only critical patch listed in the link is:

    Cumulative Security Update for Internet Explorer (2744842)

    I did not find the KB2735855 patch listed in the link above. Maybe MS has changed the content?

    The Win 7 systems had the patch KB2735855 installed and no one has noticed a search issue in IE9, but the default browser is set to Chrome. Some are using IE9 anyway and I am sure they would have commented. NOD32 is not installed on the Win 7 systems.
     
    Last edited: Sep 27, 2012
  17. geekpryde

    geekpryde Registered Member

    Joined:
    Mar 22, 2012
    Posts:
    7
    Location:
    USA
    Re: Beware of MS hotfix KB2735855

    WOW! I am so happy I randomly stopped by these forums today. I have been pulling out my hair and freaking out at Fortinet (hardware firewall vendor) for all these broken downloads, busted YouTube videos, busted QuickTime videos, etc. IE downloads have been particularly troublesome. Yahoo.com IE homepage has been randomly crashing just sitting there (no user activity). I was 100% sure it was the firewall and blaming Fortinet for pushing a bad IPS sig or AV sig.

    So happy there are smart people here!

    I am uninstalling KB2735855 now. I will report back in 24 hours and see if there are any further broken downloads at the company (around 30 users).
     
  18. pacek

    pacek Registered Member

    Joined:
    Sep 27, 2012
    Posts:
    4
    Location:
    Poland
    Re: Beware of MS hotfix KB2735855

    This issue occurs only on 4-core (and more) Intel and AMD CPUs. If you don't want to mess with uninstalling this Microsoft update, you can disable the HTTP filter in ESET and then everything will be OK with your transfer. It won't be a problem if you use ESET Remote Administration Console (ERAC) with ESET Remote Administration Server. You can do it via Configuration Task in ERAC, and it's done in a few seconds. You must understand that disabling the HTTP filter will increase the risk of infection via the HTTP protocol. Uninstalling KB2735855 can be done via WSUS but it'll take more time to propagate over the network and it also requires rebooting the computer, which is annoying to users.
    Good luck ;)
     
  19. rcdailey

    rcdailey Registered Member

    Joined:
    Dec 25, 2009
    Posts:
    233
    Re: Beware of MS hotfix KB2735855

    It occurs to me that if this MS patch does not cause a problem with respect to other AV software (or other applications in general), then MS is not going to do anything about it. Eset users will have to do what you suggest or quit being Eset users. I am still unhappy about having to disable Malwarebytes Pro real-time protection in order to use Eset 5.x on my XP system. The fix for that is still pending.
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: Beware of MS hotfix KB2735855

    We've received a response from MS: I have forwarded your issue to our sustained engineering folks to investigate.
     
  21. SaphireX

    SaphireX Registered Member

    Joined:
    Jul 29, 2004
    Posts:
    84
    Re: Beware of MS hotfix KB2735855

    Hi Marcos
    I noticed this morning that the Internet protection module: 1047 (20121002) updated (since I have pre-release updates selected)
    Is this possibly the fix to this issue?
    Thanks
     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: Beware of MS hotfix KB2735855

    The module addresses an issue with Windows Updates after recent changes in the Windows Update Agent. As for the issues caused by the hotfix 2735855, Microsoft was provided all information and files necessary to debug the issue and is currently looking into it.
     
  23. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Re: Beware of MS hotfix KB2735855

    Although I have not yet removed the hotfix, my system information on non pre-release. I am showing these module changes.

     
  24. etretat

    etretat Registered Member

    Joined:
    Oct 19, 2012
    Posts:
    9
    Location:
    Brazil
    Re: Beware of MS hotfix KB2735855

    Marcos:

    Any evolution and / or solution for this problem?

    Regards,

    etretat.
     
    Last edited: Oct 19, 2012
  25. TONPumper

    TONPumper Registered Member

    Joined:
    Jul 20, 2010
    Posts:
    112
    Re: Beware of MS hotfix KB2735855

    Is this fix included with Windows updates, or is it something that has to be manually downloaded and installed? I'm just wondering if this could be the cause of my problem.
     
    Last edited: Oct 20, 2012