Newsletter Archives

  • Blink and you’ll miss it: Re-issued KB 3197868, 3197873, 3197874, 3197876, 3193479 explained

    At least, I think they were explained.

    You may recall that KB 3197868 – the Win7 Security Rollup that blew apart Malwarebytes – was mysteriously pulled for a few hours on Nov. 23. Malwarebytes claimed

    This false positive was caused by Microsoft not digitally signing over 500 files included in “November, 2016 Security Monthly Quality Rollup for Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB 3197868)”. Malwarebytes triggered on these unsigned files despite efforts in the 1.80 and 2.x releases to enhance safeguards and prevent false positives on legitimate files. We are working on correcting what actions took place to better protect from this in the future.

    A few hours later, that KB as well as several others came back online, marked “Last modified: 11/23/2016.” Some of the KB articles (noted below) have been modified to include this explanation:

    Known issues in this update

    Some Lenovo servers do not start after this update is installed. Lenovo is aware of this problem and has released a UEFI update to address it. In the interim, Microsoft has changed the detection logic in the update to prevent additional customers from being affected. For more information, see https://support.lenovo.com/us/en/solutions/ht502912.

    Here are the patches I know about, in numerical order:

    KB 3197867 – the Win7 Security-only (“Group B,” for those of you who are following the patchocalypse grading system) patch wasn’t pulled or updated on Nov. 23.

    KB 3197868 – Win7 Nov. Monthly Rollup (that’s “Group A” ) was updated on Nov. 23, but the KB article still says it was last reviewed on Nov. 8. There’s no indication in the article why the patch was pulled – indeed, there’s no indication that it ever was pulled.

    KB 3197873 – Win8.1 Nov. Security-only (“Group B”) patch was pulled and re-released on Nov. 23. The KB article includes the notice above about Lenovo’s UEFI problem.

    KB 3197874 – Win 8.1 Nov. Monthly Rollup (“Group A”) patch was pulled and re-released on Nov. 23. The KB article includes the notice above about Lenovo’s UEFI problem.

    KB 3197876 – Server 2012 Nov. Security-only (“Group B”) patch was pulled and re-released on Nov. 23. The KB article includes the notice above about Lenovo’s UEFI problem.

    KB 3197877 – Server 2012 Nov. Monthly Rollup (“Group A”) patch was pulled and re-released on Nov. 23. The KB article includes the notice above about Lenovo’s UEFI problem.

    In addition:

    MS16-140 / KB 3193479, the “MS16-140: Security update for boot manager: November 8, 2016,” was pulled, then re-released as well. The MS16-140 bulletin has this notice:

    • V1.1 (November 23, 2016) Revised bulletin to announce a detection change for certain servers running Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. Affected servers will not automatically receive the security update. For more information about the servers affected by this detection change, see Knowledge Base Article 3193479.

    But KB 3193479 has no such notice.

    I don’t see any reference in Microsoft’s documentation to the Malwarebytes “maybe false” positive.

    Happy turkey day, everybody.

  • Microsoft pulls KB 3197868, the Win7 Security Rollup that blew apart Malwarebytes

    Thanks to Abbodi…

    Microsoft has pulled KB 3197868. You can search for it in the Update Catalog:

    https://www.catalog.update.microsoft.com/Search.aspx?q=3197868

    That’s right. The November Monthly Rollup for Win7 ain’t there any more.

    I guess that settles the question of whether Malwarebytes or Microsoft made a mistake. Malwarebytes stated a week ago:

    This false positive was caused by Microsoft not digitally signing over 500 files included in “November, 2016 Security Monthly Quality Rollup for Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB3197868)”. Malwarebytes triggered on these unsigned files despite efforts in the 1.80 and 2.x releases to enhance safeguards and prevent false positives on legitimate files. We are working on correcting what actions took place to better protect from this in the future.

    and they haven’t changed their tune.

    Malwarebytes fixed the problem very quickly. If you’ve updated Malwarebytes Anti-Malware in the past week, you’re fine.

    Those of you in Group A who haven’t yet applied the November patches can go ahead.

    Remarkably, the Preview of next month’s Monthly Rollup is still in the Update Catalog. Sounds like Microsoft forgot to sign 500 files in the November Monthly Rollup, but remembered to sign them in the preview of next month’s Monthly Rollup.

    No idea if we’ll get KB 3197868 back before the turkeys gobble.

    UPDATE: On Wednesday evening, both November Monthly Rollups, KB3197874 and KB3197868, came back online. They’re marked “Last modified: 11/23/2016”. No idea why they were pulled – and Microsoft isn’t saying.

  • Malwarebytes stumbles with false positive on KB 3197868, the Win7 November Monthly Rollup

    Thanks to SC for the heads up.

    Looks like those of you running Malwarebytes on a Win7 system using Group A updating are in for a rocky ride. Symptoms of the kernel32.dll false positive include locked-up systems and machines that take five minutes or more to shut down.

    On Thursday, Malwarebytes narrowed down the problem and posted this solution:

    What can I do if I have been affected by the Kernel32.dll false positive?

    This detection has been fixed as of database version v2016.11.16.11.

    This false positive was caused by Microsoft not digitally signing over 500 files included in “November, 2016 Security Monthly Quality Rollup for Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB3197868)”. Malwarebytes triggered on these unsigned files despite efforts in the 1.80 and 2.x releases to enhance safeguards and prevent false positives on legitimate files. We are working on correcting what actions took place to better protect from this in the future.

    Malwarebytes’ solutions are to uninstall KB 3197868 if you haven’t rebooted after installing it, use System Restore, or manually replace some system files (which is a bear!).
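    Since the dispute above comes down to whether the files shipped in the rollup carry valid digital signatures, an administrator who wants to check for themselves can audit signature status directly rather than rely on either vendor’s statement. The script below is an added example written for this archive; it is not code from the newsletter, Microsoft, or Malwarebytes. It assumes PowerShell 5.1 on the patched host, and the scan path and the CSV output path are placeholders to adjust. The KB numbers are the ones discussed in these posts.

```powershell
# Added example (not from the newsletter, Microsoft or Malwarebytes):
# report which of the November 2016 updates discussed here are installed,
# then audit the Authenticode signature status of binaries under a directory.
# Assumptions: elevated PowerShell 5.1 session; $ScanRoot and the CSV path are placeholders.

param(
    [string]$ScanRoot = "$env:SystemRoot\System32",   # placeholder: point this at the files you want to audit
    [string[]]$KbIds  = @('KB3197867','KB3197868','KB3197873','KB3197874','KB3197876','KB3197877','KB3193479')
)

# 1. Which of the listed KBs does this machine report as installed?
$installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $KbIds -contains $_.HotFixID }
if ($installed) {
    $installed | Select-Object HotFixID, InstalledOn | Format-Table -AutoSize
} else {
    Write-Host "None of the listed KBs are reported by Get-HotFix."
}

# 2. Signature audit. Get-AuthenticodeSignature returns Status values such as
#    Valid, NotSigned, HashMismatch or UnknownError. Many in-box Windows binaries
#    are signed through security catalogs rather than an embedded signature;
#    recent PowerShell versions consult the catalogs, but the PowerShell 2.0 that
#    ships with Windows 7 reports catalog-signed files as NotSigned, so a NotSigned
#    result there needs a second opinion (for example Sysinternals sigcheck).
$results = Get-ChildItem -Path $ScanRoot -Include *.dll,*.exe,*.sys -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path    = $_.FullName
            Status  = $sig.Status
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Message = $sig.StatusMessage
        }
    }

# Summary by status, then everything that is not Valid for follow-up.
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$suspect = $results | Where-Object { $_.Status -ne 'Valid' }
$suspect | Sort-Object Status, Path | Format-Table Status, Path, Message -AutoSize

# Keep the list so it can be compared against a known-good host or a pre-patch baseline.
$suspect | Export-Csv -Path "$env:TEMP\signature-audit.csv" -NoTypeInformation   # placeholder path
```

Run it once before and once after applying a rollup and diff the two CSV files: a file that moves from Valid to NotSigned or HashMismatch after patching is the kind of evidence that settles a false-positive argument, whereas a long list of NotSigned results on a Windows 7 box running the stock PowerShell 2.0 most likely reflects catalog signing the tool cannot see rather than genuinely unsigned files.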

    UPDATE: I see some debate online about who’s at fault for the false positive – some blame Malwarebytes, others blame Microsoft. Given the details posted in the comments by abbodi, I think it’s fair to say that neither side committed any grave error. I’m surprised at the way Malwarebytes Anti-Malware reacted to a false positive, but as for the detection there’s plenty of reason to blame (or exonerate!) either side.

    There’s a good note on the situation from Imacri on the Norton Community forum:

    Win 7 SP1 users could potentially be affected if they ran a MBAM scan in the 4-day period between 08-Nov-2016 (the release date for the November 2016 Patch Tuesday updates) and 11-Nov-2016 when MBAM released database version v2016.11.16.11 to fix the problem. I don’t see a large number of recent reports in their False Positive board at https://forums.malwarebytes.org/forum/42-file-detections/ so it doesn’t appear to be a widespread problem.

    Also, as abbodi notes in the comments, it’s likely that this problem also occurs with the Nov Win7 Security-only patch, KB 3197867 – that’s the “Group B” downloaded patch. I have no idea if it happens with the analogous patches for Win 8.1 – KB 3197874 (Nov Win 8.1 “Group A” Monthly Rollup) and KB 3197873 (Nov Win 8.1 “Group B” Security-only update) – but wouldn’t be too surprised.