Confused?
We are!
Here’s how things seem to have unfolded.
One of the commenters on our March 2015 Update Tuesday article issued a warning, telling of a “reboot loop” on 25% of the computers at one site:
A reboot loop, of course, is where an update requires you to reboot, but when you do, the reboot reboots, and so on.
Our commenter used a System Restore to roll back, and repeated her updates without the troublesome one.
If you’re on a standalone computer, you may be able to use other workarounds, such as booting into Safe Mode, which will help if the reboot loop is caused by a component that doesn’t load in safe mode.
Then you can uninstall your most recent update and wait until an update to the update is available.
Just a Security Advisory
The confusing thing is that the troublesome patch is KB3033929, which isn’t on the regular list of security updates for March 2015.
That’s because it was merely a Security Advisory, not a full-blown Security Bulletin.
Ironically, the troublesome patch was a re-issue of KB2949927, which was itself withdrawn back in October 2014 for causing problems.
Even more ironically, KB2949927 wasn’t a patch for an existing bug, but an attempt to prepare for the cryptographic future.
KB2949927 added support for SHA-2 in code signatures on Windows 7 and Windows 2008 R2.
SHA-2 is a more recent cryptographic hashing algorithm that supersedes its precursor, SHA-1, which is now considered at the bottom edge of cryptographic safety.
But you can’t retire SHA-1 until you are willing and able to move forward to SHA-2, and that’s what KB2949927 was supposed to prepare for.
Except that the update had to be “rescinded,” to use Microsoft’s word, because of problems.
After that false start in October 2014, Microsoft tried again in March 2015, only to hit another snag: the abovementioned reboot loop.
Connected to MS15-025
The reboot loop problem seems to be related to MS15-025, also known as KB3035131, which is a Security Bulletin that fixes an Elevation of Privilege hole in the Windows kernel itself.
There’s a cart-before-the-horse problem with the two updates, as Microsoft explains:
For Windows 7 and Windows Server 2008 R2, the 3035131 update discussed in this bulletin shares affected binaries with the update being released simultaneously via Security Advisory 3033929. This overlap in affected binaries necessitates that one update supersede the other and in this case it is advisory update 3033929 that supersedes update 3035131.
That’s quite a mouthful!
In plain English, it means: you must install Security Bulletin MS15-025 before Security Advisory KB3033929.
Apparently, if you let Windows orchestrate your updates, you should be OK, because Windows will do them in the right order.
But if you have your own approval process for updates, it’s possible to apply them the wrong way around.
It sounds as though Microsoft’s original warning understates the impact somewhat:
Scenario: Customer first installs advisory update 3033929 and then attempts to install update 3035131.
Result: The installer notifies the user that the 3035131 update is already installed on the system; and the 3035131 update is NOT added to the list of installed updates.
Clearly, there’s a issue here, because Windows will at best tell you that you have an important security patch installed when, in fact, you do not.
But it looks as though the side-effects can be worse than that, hence the dreaded reboot loop mentioned above.
The fact that the problem was caused by non-critical fix that was replacing a previously-broken non-critical fix is bad enough.
The additional fact that the non-critical fix caused a problem because of an interaction with a critical fix issued at the same time just makes things worse.
That’s bad news for Microsoft, and bad news for future Update Tuesdays.
It is likely to bring at least a few months of understandable “patch reluctance” to many companies, as our commenter Deramin noted at the top of this article.
What to do?
- If you are not using Windows 7 or Windows 2008 R2, you can relax, because this shouldn’t affect you.
- If you have both KB3033929 and KB3035131 installed and are not having problems, you can relax, but make sure that both updates are shown as correctly installed.
- If you haven’t patched yet, make sure you apply KB 3035131 first, or let Windows make all the update decisions for you.
- If you already installed the wrong way round, you will need to roll back and start again.
You’re probably wondering what we think about this.
Will we stick by our often-stated mantra of “Patch early, patch often,” which we not only wrote but also said aloud this month?
To tell you the truth, the jury’s still considering its verdict this time.
Ask us again in April 2015…
BrentC
There may be more complications to this. I did let Windows set the order that patches were installed and KB3035131 shows as installed correctly. KB3033929 has failed to install twice since then, both times setting off a cycle of reboots that eventually resolved itself.
PastorMike
I have the same issue. KB3035131 installed first and correctly but KB3033929 has failed to install four times. It appears to install and then tells me I need to reboot to complete installation. When I reboot, an error message saying that a process has failed appears very briefly. So far, I’ve not been able to capture the message. Then, when it reboots, it tries to configure the update, gets to about 82% configured and then advises that the update has been unsuccessful. It then spends a little while rolling back the update before rebooting again, configuring the system and then a final reboot back to system usability.
Tom
Thanks for bringing this topic up. For at least six months I have been dreading doing the MS updates on my network because of this problem. The solution I found was to use the install disk to go to cmd and then delete two .xml files in winsxs. The problem was random, i.e. not always the same workstations and not all, usually 5% of the workstations developed the problem. As I’m typing this I’m doing this month’s MS updates on half of my workstations for fear of causing the problem on too many machines at once.
Anonymous
thanks for sorting this out, I wasn’t sure what to do
Sue H
My Windows 7 HP system rebooted 3 times after installing the updates yesterday. It’s been working perfectly since though.
Paul Ducklin
One for the money. Two for the show. Three to get ready…I’d have been getting worried by about then :-)
Mike B
I got weird behavior when doing the updates (on 7 x64 thru MS Update) … opting out of MRT and the Defender update (I prefer to rely on my 3rd-party defenses in both cases) brought the total download to a more manageable 120-something MB. It finally reported all were successfully installed, and seemed to run fine after rebooting.
It was only when cold-booting the next morning that problems became evident. I turned the computer on and went for my morning coffee, as usual, and when I got back I found Startup Repair at work analyzing the “Windows couldn’t start” problem. It finally reported failure, and when I looked at its detailed report it showed a long list of “no error” stages except for one at the very end which referred to a “bad patch”. At that point I chose the Sys Restore option, which (for a change) worked fine.
I went back and redid Update the next day, and have had no problems since. I presume that either MS tightened up the the installation-order thing or I just got lucky, but either way those two inter-linked ones probably went in in the correct order on that second try.
This is, what? Seven consecutive months of fouled up Updates, if I haven’t miscounted?
Vic
I am now down loading KB913086, its saying is it a 8 hour download, does this seem right?
Paul Ducklin
Depends on your download speed :-)
RyanT
After installing the updates, it rebooted once, and then it was happy. Haven’t had any problems since, though I know that’s just luck. I’ve had the computer stuck in a reboot loop due to updates before. Had to install them one at a time to fix the problem.
andrew
we’ll still apply updates pretty much as soon as we can. however i snapshot my vm’s before updating. after reading this i think in future i’ll be updating all my vm’s first and seeing if there is any fallout before updating my physical servers
Deramin
Thanks for the explanation! We yanked KB3033929 from the WUS pool after this happened. Good to know we can put it back in after making sure KB3035131 is installed on all the computers. Safemode did let us boot these computers.
If a patch is bad, you can usually hear the Internet’s screams of agony after a couple days. Otherwise it’s pretty safe to release them into the wild. I’d like to think MS would have the resources not to foul something this important up, but they must not.
By the way, the correct pronoun is “her” =)
Paul Ducklin
Fixed, sorry about that. I somehow saw “Deramin” and envisaged “Diarmuid” (which is a bloke’s name with high probability), don’t know why.
Safest thing is to use “their” as if it were singular, now an unexceptionable and very handy syntactic trick :-)
Michel Beauchamp
My update history says they were both successfully installed. Thing is, they were installed in backward order but on the same day. The list seems to go backwards in time and KB3033929 was installed before KB3035131. And that was 14 days ago, and all seems to run smoothly!
ArminL
Same here. KB3035131 installed OK 2015/03/14. Nevertheless KB3033929 fails with error 0x80004005. The process – which wastes a considerable amount of time – repeats every few days: the computers affected are forced into a reboot, install the update, update fails at approx. 82%, update is rolled back, and the computer is fine – until next time. No Linux Boot loader on this machine, just plain Microsoft boot stuff.
Anonymous
According to the upadate history KB3035131 was first installed over 3 weeks ago. Then over the past 3 weeks it and KB3033929 appear to have been installed over a dozen times.
Cat in VT
our ASUS K55N totally croaked on restart. It gets past the logon, but stuck partially loading the desktop icons and keeps doing that continually. nothing works on the repair software for windows 8.1 cannot even reinstally windows from the media disk…it says drivers missing. beyond miffed. will try a new hard drive tomorrow. wish me luck