Last week I wrote about an odd security update, KB 3146706, that appeared to be bricking pirated copies of Windows 7 and locking horns with Microsoft's own EMET 5.5 malware blocker. Details are hazy, but apparently Microsoft released MS 16-044/KB 3146706 on April 12 as a "checked" Important update. Since it was checked, those who ran Windows Update or had enabled Automatic Update got the patch installed, sometimes to deleterious effect.
Shortly after the patch was released, the auto update "check" disappeared from most -- if not all -- Windows 7 computers. Customers could install the patch, but only if they manually checked it first.
KB 3146706 also raised a storm of complaints, particularly in China, among people using a particular pirated version of Windows 7 known by the name Ghost -- no doubt in reference to its origins as a Norton Ghost copy of a heavily modified (and sometimes malware-infested) version of Win7.
Suddenly, without any notification and not much explanation, KB 3146706 is back again. It appeared, checked, on many computers yesterday afternoon. (I have reports that on some systems it still isn't checked.)
The KB article has been modified, raised to version 2 with this caveat added:
After you install this security update on a Windows 7 SP1-based system, you may experience any of the following problems:
- The system slows down
- You cannot access folders under the Documents and Settings folder.
- You cannot modify permissions on the Security tab in the Properties dialog box
- You may receive a disk write failure error message
This problem may occur when certain third-party DRM software is installed. The problem is known to occur with certain DRM software from Fasoo.com.
Contact the manufacturer of your software for more information about how to resolve this problem.
Fasoo is a company based in Seoul that "provides data-centric security to protect data as it travels both within the organizational perimeter and beyond by limiting access to sensitive data according to policies that cover both users and activities."
Microsoft's KB article doesn't mention the well-documented EMET 5.5 problems, nor does it say whether those problems have been solved. Tellingly, the published File Information shows that all of the modules were compiled on or before March 21. That's three weeks before the original, buggy version of 3146706 rolled out.
Whether the modules have been changed to fix the problem, whether there's a change in the "metadata" that controls the Windows Update behavior, or whether there's no change at all is simply unknown at this point.
Microsoft also neglected to mention the change in the official Windows Update list.
It would be a good idea to avoid installing KB 3146706 until we have a clearer understanding of the situation -- especially if you run EMET.
Update: A Fasoo spokesperson has contacted us with this explanation:
Fasoo resolved this problem two years ago, but some customers were using an old version of the software. Fasoo resolved the problem introduced by Microsoft patch KB3146706 by releasing v126.96.36.199 of f_ih.sys on Feb. 14, 2014. Some customers in Korea using an older version of f_ih.sys had a problem after installing the Microsoft patch. Fasoo has informed customers running the old component to update to the new software.