• EMET conflicts reported with last week’s KB 3153171 patch on Win7 32-bit systems

    #42532

    Looks like another problem with EMET EAF stumbling on a kernel update   A post from LeagueJontur on Reddit claims that the “important” security u
    [See the full post at: EMET conflicts reported with last week’s KB 3153171 patch on Win7 32-bit systems]

    • #42533

      Is this only a problem with Win 7, 32 bit?

      What about Win 7, 64 bit or Win 8.1?

      Larry…

    • #42534

      I’ve only seen it reported with 32-bit Win7, but I’m looking for confirmation…

    • #42535

      What sort of “mid-level bank” patches its production-use workstations without a controlled dev/UAT test rollout? Sheesh… It’s not like Microsoft have a proven track record of patches always working.

    • #42536

      This shocked me too.
      Rolling out new untested updates to 12k machines? Now that’s gambling.

    • #42537

      KB3153171 is a security patch and EMET is a Microsoft security tool. Hello Microsoft!!!

      At least EMET is not used by the majority of users. More knowledgeable users will recover from this snafu quite easily and sysadmins will catch it with pre-testing procedures. The bank in the article paid the price for not doing this properly. However, let’s not lose sight of the fact that MS did not do adequate testing in-house before they released this KB. Hitting their own security tool twice with security KBs is sloppy.

      Head shaker.

    • #42538

      EMET has often been recommended by Microsoft in security bulletins as a way of mitigating against exploits while they work on a proper patch. In short, EMET helps sandbox Windows and Windows apps to make them harder to exploit, and prevent unpatched vulnerabilities from being successfully weaponised.

      EMET may be on the chopping block. EMET staff have probably already seen this …

      “EMET was released in 2009 as a standalone tool to help enterprises better protect their Windows clients by providing an interface to manage built-in Windows security mitigations while also providing additional features meant to disrupt known attack vectors used by prevalent malware. Since that time, we have made substantial improvements to the security of the browser and the core OS. With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10. EMET is most useful to help protect down-level systems, legacy applications, and to provide Control Flow Guard (CFG) protection for 3rd party software that may not yet be recompiled using CFG.”

    • #42539

      Confirmed. EMET 5.5, EAF opt-in using the “default” protections via GPO, Windows 7, 32-bit. I posted the reddit thread yesterday referencing the April thread from LeagueJontur, in which I was also a participant.

      To combat this, we have used a GPP to effectively reverse the EAF opt-ins (mostly Office and web browsers) so that the security patches can be properly installed. As long as EAF (EAF+ is not affected) is not enabled, the affected applications can then successfully run regardless of whether the patches (all 3) are applied or not.

      Long story short: Microsoft needs to take a good long look at this and figure out where their code is broken. I suspect the Kernel files I listed in the reddit posting.

    • #42540

      KB3156013 caused problems for my 32b Vista (couldn’t log in with regular account, “classic” taskbar & start button.) Had this last month with KB3146706. Restoring EMET settings to default resulted in a clean install.

    • #42541

      Thanks for confirming. I’d sure like to get two or three more complaints, cough, data points before broadcasting this out to the InfoWorld audience. Any help most appreciated…

    • #42542

      Very interesting. I didn’t realize that Win10 absorbed many of those features. From https://blogs.technet.microsoft.com/srd/2016/02/02/enhanced-mitigation-experience-toolkit-emet-version-5-5-is-now-available/

      EMET was released in 2009 as a standalone tool to help enterprises better protect their Windows clients by providing an interface to manage built-in Windows security mitigations while also providing additional features meant to disrupt known attack vectors used by prevalent malware. Since that time, we have made substantial improvements to the security of the browser and the core OS. With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10. EMET is most useful to help protect down-level systems, legacy applications, and to provide Control Flow Guard (CFG) protection for 3rd party software that may not yet be recompiled using CFG.

      Some of the Windows 10 features that provide equivalent (or better) mitigations than EMET are:

      Device Guard: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. Device Guard provides hardware-based zero day protection for all software running in kernel mode, thus protecting the device and Device Guard itself from tampering, and app control policies that prevent untrusted software from running on the device.

      Control Flow Guard (CFG): As developers compile new apps, CFG analyzes and discovers every location that any indirect-call instruction can reach. It builds that knowledge into the binaries (in extra data structures – the ones mentioned in a dumpbin/loadconfig display). It also injects a check, before every indirect-call in your code, that ensures the target is one of those expected, safe locations. If that check fails at runtime, the operating system closes the program.

      AppLocker: AppLocker is an application control feature introduced in Windows 7 that helps prevent the execution of unwanted and unknown applications within an organization’s network while providing security, operational, and compliance benefits. AppLocker can be used in isolation or in combination with Device Guard to control which apps from trusted publishers are allowed to run.

      For more information on Windows 10 security features please review the Windows 10 Security overview whitepaper on TechNet.

    • #42543

      Here May’s Windows Update KB3153171 as well as KB3154070 failed to install on my Win7SP1-64BIT machine. Even failed when installed independently of all others and of themselves, even failed when manually downloaded/installed. And I have no EMET, no HitmanPro.Alert, no system-wide kernel protection …
      The beat goes on, 10 months of an erratically chaotic Windows Update, what friends here laugh about calling it “the Microsoft revolution with Bozo as CEO”

    • #42544

      Resolution:
      To resolve the issue, do not create a user account contains the string “user” on the computer.

      https://support.microsoft.com/en-us/kb/3053711

      ha, ha, ha

      Seriously?

    • #42545

      Microsoft? Look at their own code? Start with windows update, then EMET.

      Then merge all the actual (by our standards) under the hood improvements into Windows 7.5. Be sure to enforce good coding practices (recode from scratch if needed). Then we can laugh about it in the future:

      ?__Windows_3.1x
      ?__Windows_NT____(4.10)
      +__Windows_2000__(5.0)
      *__Windows_98____(4.10.1998)
      +__Windows 98SE__(4.10.2222)
      *__Windows_ME____(4.9)
      +__Windows_XP____(5.1)
      /__Windows_Vista_(6.0)
      +__Windows_7_____(6.1)
      *__windows_8.0___(6.2)
      /__Windows_8.1___(6.3)
      ?+?Windows_9_____(MIA)
      *_windows_10_____(10.???????)
      +_Windows__7.5___(11)

      They stuck with the pattern (made sure to number 10 correctly, skipping success).
      Key:
      ? Not sure
      + Good
      * Bad
      / room for debate (contrast with successor)

      No really, Microsoft, end the joke, this 8 month long joke is getting old. “We were kidding, this Windows 10 is just a theme pack, it’s really just Windows 7.”

    • #42546

      Both kb3146706 and kb3153171 cause a fatal crash for my “Dynamic Energy Saver 2.0” application. It’s a Gigabyte program: http://www.gigabyte.com/MicroSite/39/tech_080516_des_advanced-1.htm. After installing the patches login time increases a fair bit and when I reach my desktop I get a message saying DES crashed.
      When I uninstall the patches the DES works fine again and login time is normal. I’m on Windows 7 64bit. I don’t know if this information is relevant at all, but I figured I’d post it. I haven’t been able to google up anyone else having problems with DES and these patches, but I don’t know how widely used DES is these days. It came with my GA-Z68X-UD3H-B3 motherboard. From the download page (http://www.gigabyte.com/products/product-page.aspx?pid=3853#utility) it looks like it hasn’t been updated since 2011.

    • #42547

      Hi, I’m just an ordinary user of a Lenovo Thinkpad running Windows 7 Professional SP 1 – 64 bit OS.

      When uploading the last batch of critical windows updates (about 15 of them) I wondered why the upload pop-up was hanging at 1 of 15 for over 40 mins. I cancelled the upload, and restarted my laptop. The “do not close” reconfiguration notice indicated that (2) critical updates were being installed.

      I next went to “View Update History” to see which updates had been installed, and found the following:

      These (2) were installed successfully:

      Security Update for Windows 7 for x64-based Systems (KB3156019)

      Windows Malicious Software Removal Tool x64 – May 2016 (KB890830)

      However, one was not. This is what it said:

      Security Update for Windows 7 for x64-based Systems (KB3153171)

      Installation date: 5/28/2016 12:56 PM

      Installation status: Canceled

      Error details: Code 8024000B

      Update type: Important

      A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.

      More information:
      http://support.microsoft.com/kb/3153171

      Help and Support:
      http://support.microsoft.com

      After reading the knowledge base article, it seemed like this is a pretty critical update, but since it didn’t appear anywhere on the list of critical updates when I went back to Windows Update, I then went and located the correct stand-alone version of the update for my system, and attempted to install it:
      https://www.microsoft.com/en-us/download/confirmation.aspx?id=52069

      However, all I got when I click the downloaded –program? –patch? is a pop-up “scan bar” saying that the program was attempting to locate the file. Then nothing at all happened for 20+ mins. –it just kept searching.

      Running out of patience, I then closed that, and searched my installed updates for KB3153171 and it did not appear on the list, so I went into my download folder to find it. I found it, clicked it to install it, then got the following message: “only one instance of wusa.exe is allowed to run”.

      Can anyone please help me? This looks like a really critical update, and I’m freaking-out that someone could take remote control of my computer without this update installed. I’m not an IT or sys admin, or anyone with any programming knowledge or skills, so sending me into the registry, or opening up the black “run box” is out of the question, as I don’t have that kind of expertise.

      I’m kind of confused by all the solutions being offered above–much of this is way over my head –is there some kind of one-click solution for novices like myself?

      Many Thanks,

      Ted

    • #42548

      You’re trying much, much too hard.

      Wait until I switch to MS-DEFCON 3 (probably this weekend), and there will be full instructions. It doesn’t have to be this hard.

    • #42549

      I guess it would be good to avoid on 64bit Windows 7, sorry for resurrecting this, just still finding out what to not install on a fresh OS install of W7 Pro 64
