Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: KB2823324 causing boot issues in Brazil and some other locales - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
KB2823324 causing boot issues in Brazil and some other locales

An article in Linha Defensiva (http://www.linhadefensiva.com/2013/04/brazilian-users-unable-to-boot-windows-after-botched-update/) reports that after applying the update machines were no longer able to boot.  According to the article Microsoft has recognised that there is an issue with the Brazillian version of the OS, but the links in the article do point to other locales having a similar issues. 

I wasn't able to find any futher reference on the microsoft site, but in the mean time if you do approve this KB for deployment make sure you test it thouroughly prior to a production implementation.

If you've had issues with this KB please let us know.

Mark H

Mark

391 Posts
ISC Handler
I have now seen this on 3 machines, all running Win7 64. The machines boot but it is forcing a chkdsk. Two of these are my home machines, one was a work machine. Common thread is all have the most recent Windows patches and all are running Kaspersky AV. My first inclination is that is was Kaspersky but now I am not sure. Running chkdsk, and reinstalling Kaspersky fixed two of the machines, laptops. I have yet to try and run chkdsk on my home desktop.
Anonymous
Date: Wed, 10 Apr 2013 14:53:23 -0700
From: Susan Bradley - Lyris ListManager - listserv.patchmanagement.org
Subject: MS13-036 / KB2829996
Getting early unconfirmed reports in Brazil that MS13-036 / KB2829996 MS13-036 is causing system hangs that require replacing ntfs.sys to get the machines up and running again so they can perform a system restore...
- http://www.superti.org/?p=180
- http://social.technet.microsoft.com/Forums/pt-BR/winvistapt/thread/a8a900f5-a5b2-45bb-8ac5-b1b3afb22ad7

.
Jack

160 Posts
I've not seen the issue but interestingly enough, this morning WSUS picked up a revised version of "Windows Malicious Software Removal Tool - April 2013 (KB890830)" and the IE and x64 versions of KB890830 for April 2013 as well. Related?
Alan

57 Posts
Yes, it happened in a lot off Win 7 computers in my company here in Brazil.
I saw this problems in home computers too but not all of them.
It must have something with the language used.
Alan
1 Posts
Yes there is a problem, in my company several machine were affected, the problem is only in WIN7 x32 machines, the x64 version is not affected. The post listed before http://social.technet.microsoft.com/Forums/pt-BR/winvistapt/thread/a8a900f5-a5b2-45bb-8ac5-b1b3afb22ad7 has the workaround that basically is remove the update e return to the previous ntfs.sys file.
Looks like it is only affecting Brazil, Windows pt-br.
Alan
1 Posts
Kaspersky has an article on that: http://support.kaspersky.com/9751

The symptoms are not the same as described above, but it does involve KB2823324
Patk7

9 Posts
We have seen some issues with KB2823324 .

The machines that got this update after a reboot started to throw an EventID 55 pointing to disk Corrupt issue.

When running a chkdsk it is either clean or Master file table's (mft) bitmap attribute is Corrupt .


For now uninstalled the Update with 1 machine and monitoring to see if this is fixing the issue and havent seen this yet .
Patk7
1 Posts
Yes, that happened a lot here in Brazil.
Here's the info we received from Microsoft in my company:

Boa tarde a todos,

O KB2823324 está causando falhas nos computadores W7 32bits após reinicialização. Estamos orientando a exclusão deste KB do WSUS como prevenção:

PROBLEM: A System file (ntfs.sys) is impacting the machine to reboot after applying the fix

HOW TO FIX: The file must replaced for an old version so machine is able to boot again
• Automatically using Windows 7 recover
• Manually

(translating the first part:)
Good afternoon everyone,
 
The KB2823324 is causing failures in computers W7 32bit after reboot. We are directing this KB's exclusion from WSUS as prevention:
Patk7
1 Posts
Just to let you know, the issue is serious in Brasil. I had the boot problem this morning and went to my trusted computer "fixer" right away. When I arrived, there was a line of people with the same problem. It is indeed a 32 bit system. Also heard from the manager that a large Public Service had called with 88 computers not booting....
Will Microsoft reimburse the repairs?
Patk7
1 Posts
Swissbrasil, patches are rarely as trivial as they seem. I imagine there's language in terms of service limiting liability. Good practice not to patch immediately after patches come out and to have your stuff backed up someplace safe if you ever run into a disaster. Feel like I'm lecturing, but you last sentence needed an answer.....
Dean

135 Posts
You receive a Stop 0xc000000e startup error in Windows 7 after you install security update 2823324:
https://support.microsoft.com/kb/2839011
Microsoft has released a KB on the subject.
Susan

34 Posts
Got the problem on Win7 32 bit, US English. Chkdsk on boot.
Susan
39 Posts
Repair Disk for KB2823324 and KB2782476 (KB2840165)
To help customers who are experiencing difficulties restarting their systems after installation of security update 2823324
- https://www.microsoft.com/en-us/download/details.aspx?id=38435
4/17/2013
... Thanks to Susan Bradley for posting it @ patchmanagement.org
.
Jack

160 Posts

Sign Up for Free or Log In to start participating in the conversation!