Reboot loop! Microsoft update to fix an old update ends up breaking a new update…


We are!

Here’s how things seem to have unfolded.

One of the commenters on our March 2015 Update Tuesday article issued a warning about a “reboot loop” affecting 25% of the computers at one site.

A reboot loop, of course, is where an update requires you to reboot, but when you do, the computer comes back up only to demand another reboot, and so on.

Our commenter used a System Restore to roll back, and repeated her updates without the troublesome one.

If you’re on a standalone computer, you may be able to use other workarounds, such as booting into Safe Mode, which will help if the reboot loop is caused by a component that doesn’t load in safe mode.

Then you can uninstall your most recent update and wait until an update to the update is available.

Just a Security Advisory

The confusing thing is that the troublesome patch is KB3033929, which isn’t on the regular list of security updates for March 2015.

That’s because it was merely a Security Advisory, not a full-blown Security Bulletin.

Ironically, the troublesome patch was a re-issue of KB2949927, which was itself withdrawn back in October 2014 for causing problems.

Even more ironically, KB2949927 wasn’t a patch for an existing bug, but an attempt to prepare for the cryptographic future.

KB2949927 added support for SHA-2 in code signatures on Windows 7 and Windows Server 2008 R2.

SHA-2 is a more recent cryptographic hashing algorithm that supersedes its precursor, SHA-1, which is now considered at the bottom edge of cryptographic safety.

But you can’t retire SHA-1 until you are willing and able to move forward to SHA-2, and that’s what KB2949927 was supposed to prepare for.

Except that the update had to be “rescinded,” to use Microsoft’s word, because of problems.

After that false start in October 2014, Microsoft tried again in March 2015, only to hit another snag: the abovementioned reboot loop.

Connected to MS15-025

The reboot loop problem seems to be related to MS15-025, also known as KB3035131, which is a Security Bulletin that fixes an Elevation of Privilege hole in the Windows kernel itself.

There’s a cart-before-the-horse problem with the two updates, as Microsoft explains:

For Windows 7 and Windows Server 2008 R2, the 3035131 update discussed in this bulletin shares affected binaries with the update being released simultaneously via Security Advisory 3033929. This overlap in affected binaries necessitates that one update supersede the other and in this case it is advisory update 3033929 that supersedes update 3035131.

That’s quite a mouthful!

In plain English, it means: you must install Security Bulletin MS15-025 before Security Advisory KB3033929.

Apparently, if you let Windows orchestrate your updates, you should be OK, because Windows will do them in the right order.

But if you have your own approval process for updates, it’s possible to apply them the wrong way around.

It sounds as though Microsoft’s original warning understates the impact somewhat:

Scenario: Customer first installs advisory update 3033929 and then attempts to install update 3035131.

Result: The installer notifies the user that the 3035131 update is already installed on the system; and the 3035131 update is NOT added to the list of installed updates.

Clearly, there’s an issue here, because Windows will at best tell you that you have an important security patch installed when, in fact, you do not.

But it looks as though the side-effects can be worse than that, hence the dreaded reboot loop mentioned above.

The fact that the problem was caused by a non-critical fix that was replacing a previously-broken non-critical fix is bad enough.

The additional fact that the non-critical fix caused a problem because of an interaction with a critical fix issued at the same time just makes things worse.

That’s bad news for Microsoft, and bad news for future Update Tuesdays.

It is likely to bring at least a few months of understandable “patch reluctance” to many companies, as our commenter Deramin noted at the top of this article.

What to do?

  • If you are not using Windows 7 or Windows Server 2008 R2, you can relax, because this shouldn’t affect you.
  • If you have both KB3033929 and KB3035131 installed and are not having problems, you can relax, but make sure that both updates are shown as correctly installed.
  • If you haven’t patched yet, make sure you apply KB3035131 first, or let Windows make all the update decisions for you.
  • If you already installed the wrong way round, you will need to roll back and start again.
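The second and fourth points above can be checked from the command line. The following PowerShell script is an added example, not something from the original article or from Microsoft; it assumes that Get-HotFix (which reads Win32_QuickFixEngineering) lists both KB numbers once they are installed, and it treats “advisory present, bulletin absent” as the wrong-order symptom Microsoft describes, where 3035131 never reaches the list of installed updates.

```powershell
# Added check (not from the article): report the install state of the two
# updates discussed above on one or more Windows 7 / Server 2008 R2 hosts.
# Assumes Get-HotFix lists both KBs once installed. Edit the host list as needed.
$ComputerName = @($env:COMPUTERNAME)

$Advisory = 'KB3033929'   # Security Advisory 3033929 (SHA-2 code signing support)
$Bulletin = 'KB3035131'   # MS15-025 (kernel Elevation of Privilege fix)

foreach ($computer in $ComputerName) {
    $installed = Get-HotFix -Id $Advisory, $Bulletin -ComputerName $computer -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty HotFixID
    $hasAdvisory = $installed -contains $Advisory
    $hasBulletin = $installed -contains $Bulletin

    if ($hasAdvisory -and -not $hasBulletin) {
        # The ordering the article warns about: the advisory superseded the
        # bulletin, so MS15-025 was never recorded as installed.
        Write-Warning "$computer : $Advisory present but $Bulletin missing; likely installed in the wrong order. Roll back and apply $Bulletin first."
    } elseif ($hasBulletin -and -not $hasAdvisory) {
        Write-Output "$computer : $Bulletin installed, $Advisory still pending; safe to apply it next."
    } elseif ($hasBulletin -and $hasAdvisory) {
        Write-Output "$computer : both updates recorded as installed."
    } else {
        Write-Output "$computer : neither update installed; install $Bulletin before $Advisory."
    }
}
```

Run it with an account that has administrative rights on the target hosts; remote queries need WMI/DCOM reachable on each machine.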

You’re probably wondering what we think about this.

Will we stick by our often-stated mantra of “Patch early, patch often,” which we not only wrote but also said aloud this month?

To tell you the truth, the jury’s still considering its verdict this time.

Ask us again in April 2015…