Patch Tuesday in Reverse

This past Tuesday was Microsoft’s monthly Patch Tuesday. Based on the information I got, it was a pretty straightforward Patch Tuesday – of the nine patches, only two were critical. And considering how high the numbers have been earlier this year, nine seems like nothing. I downloaded my patches, and then thought nothing more about Patch Tuesday.

Until this morning, when I saw a tweet in my Twitter feed that announced Microsoft is asking users to uninstall one of the patches released this week. The original patch, MS13-036, was meant to fix vulnerabilities in a kernel-mode driver. Attackers use these exploits to elevate privilege after they have gained access through another exploit, Ross Barrett, senior manager of security engineering at Rapid7, explained to me in an email.

However, this particular patch didn’t work as planned. According to SC Magazine:

Microsoft is advising Windows customers to uninstall one of the patches it released this week after discovering that applying the update could prevent machines and applications from properly restarting and loading.

Not surprisingly, Microsoft is no longer offering the update 2823324 in its Download Center (the rest of the patch apparently is fine). SC Magazine also pointed out that the error in the patch is only affecting Windows 7, and oddly enough, could shut down Kaspersky Lab’s antivirus software. No other AV software was mentioned as affected.

Recalling a patch already makes this an unusual Patch Tuesday, but several security experts have also expressed surprise that known vulnerabilities in Internet 10, exploited during the Pwn2Own contest last month, were not patched this month.

So, I guess this Patch Tuesday did turn out to be less straightforward than expected.