Microsoft has been forced to update its own security update to address reports that a patch was causing system errors for customers.
The problem lies in security update 2823324, which was pushed out April 9 as part of security bulletin MS13-036. This update was meant to address four vulnerabilities in the Windows kernel-mode driver. For some users, however, it only caused problems.
“We’ve determined that the update, when paired with certain third-party software, can cause system errors,” blogged Dustin Childs, a group manager of response communications in Microsoft’s Trustworthy Computing Group. “As a precaution, we stopped pushing 2823324 as an update when we began investigating the error reports and have since removed it from the download center.”
The system errors do not cause any data loss, and they do not affect all Windows customers, Childs wrote. Still, he added, all customers should follow the guidance in KB2839011 to uninstall security update 2823324 if it is already installed.
“Update 2823324 addresses a moderate-level vulnerability that requires an attacker to have physical computer access to exploit,” blogged Childs. “MS13-036 remains available for download and is being pushed via updates to help protect customers against the other issues documented in the security bulletin—it no longer contains the affected update.”
The issue appears to be mostly confined to users in Brazil that have a banking security plug-in called ‘G-Buster’ installed, blogged Wolfgang Kandek, CTO of Qualys.
“G-Buster is locally developed in Brazil by the company GAS Tecnologia and is widely installed in Brazil,” he wrote. “Some of the major banks require their customers to install it to secure Internet banking. The plug-in, which provides a virtualized and hardened operating environment for safer banking, and one of its security measures is interfering with the Windows kernel patch contained in MS13-036.”
Kandeck noted that “given the number of complaints in Brazil it is clear that Microsoft does not have this particular combination of Windows 7 and G-Buster plug-in in its QA setup.” Furthermore, in order to “provide the additional security functions, G-Buster has to interfere with low-level functions of the Windows operating system, similar to software such as antivirus and host intrusion detection systems. It will be interesting to read the post-mortem to see [whether] G-Plugin uses any undocumented features that caused the problem or whether all APIs used to provide the additional security functions.”
Microsoft’s knowledgebase article on the issue explains that one symptom of the bug can be that Kaspersky Anti-Virus for Windows may display a message claiming its license is invalid and that it cannot provide anti-malware protection, noted Graham Cluley, senior technology consultant at Sophos, in a blog post.
MS13-036 was designed to address four vulnerabilities, the most serious of which could be exploited to escalate privileges if an attacker logs onto the system and runs a specially-crafted application. Though the bulletin is ranked “important,” Microsoft gave it an Exploitability Index rating of 1, its highest classification.
All totaled, Microsoft released nine security bulletins this month as part of Patch Tuesday. The bulletins address 14 security vulnerabilities across Windows, Internet Explorer and a number of other products.