EMET conflicts reported with last week’s KB 3153171 patch on Win7 32-bit systems
Looks like another problem with EMET EAF stumbling on a kernel update
A post from LeagueJontur on Reddit claims that the “important” security update for RPC and the Windows kernel, KB 3153171, released last Tuesday, is causing mayhem with large numbers of computers running EMET 5.5 EAF. Details are sketchy, but it looks like Windows 7 32-bit systems with EMET running get clobbered by KB 3153171, and return to sanity if the patch is uninstalled.
The patch is listed as “important” with no known exploits on the SANS Internet Storm Center list.
On the Reddit thread, poster ReFFi says:
“I guess my patch team should read reddit more often and we wouldn’t have had to fix approx 12k PCs that this happened to. 32bit sucks, can’t wait for all of the software we run to get certified for 64bit. UGHH… our help desk took 1200 calls in about 6 hours, people were down for 3 days, and for a bank, that’s not good. I can’t even begin to quantify the amount of money this cost the bank, probably 5+ million which isn’t a lot, but enough for a mid-level bank.”
The KB article says that the patch applies to both Security Bulletins MS16-060 and MS16-061. The KB article was revised on May 12 to version 1.1, but there’s no indication why it was revised. Adding to the confusion, KB 3153171 is documented in at least one Microsoft KB article as being an April patch – it wasn’t. It is, however, associated with two separate Security Bulletins. (MS16-061 is now listed as a Remote Code Execution fix.)
This sounds a whole lot like the problem we had last month with MS16-044 / KB 3146706. If you recall, Microsoft issued the patch, and shortly afterwards removed the “check” that would install the patch automatically on systems with Auto Update enabled. It, too, ran afoul of EMET 5.5. It, too, changed the kernel.
Microsoft re-issued that patch, last month, with an admonition that it interfered with a Seoul-based DRM software package called Fasoo.
If you have any additional observations or information about this patch, please hit me in the comments here.