Resurrected KB 951847 'zombie' patch fixed -- but now has new problem

Botched patch installs .Net Framework 3.5 without warning or consent -- even on systems that have studiously avoided .Net

Sometimes Microsoft's Black Tuesday flubs make me feel like I'm riding tech bumper cars: One patch bumps into another, then another, which ricochets off into left field and comes back to smack me in a head-on collision. In this case, we have a botched patch from last Tuesday that has brought back to life a two-year-old patch that kept installing and re-installing and re-re-installing itself.

Yesterday Microsoft announced it had fixed the zombie re-installing behavior, but now we're getting reports that the newly improved two-year-old patch is installing .Net Framework 3.5 of its own volition, without notification or consent, even on systems that have studiously avoided the problematic .Net Framework.

In a scene straight out of "Night of the Living Dead," those surreptitiously installed copies of .Net are now begging for even more patches.

Here's how it happened, as best I can tell. This month's botched MS13-082/KB 2878890 patch, which I talked about last week, was supposed to fix vulnerabilities in .Net Framework that could lead to remote execution attacks. While it appears the patch did, in fact, plug the security holes, it also brought back a two-year-old patch, KB 951847, repeatedly. Here's how I put it:

Applying this week's KB 2878890 patch on some Windows XP and Server 2003 SP2 machines causes a two-year-old .Net Framework roll-up patch, KB 951847, to resurface. Windows Update not only prompts WinXP/Server 2003 users to (re)install the big, old .Net patch, it keeps pestering over and over again to (re)install it, even if the WU install logs say it's been installed.

Yesterday, in an obscure blog post, Microsoft advised it had fixed the KB 951847 patch. The new version of KB 951847 isn't being re-offered -- which is good, even if it did take more than a week -- except for one little detail. This new, improved version of KB 951847 installs .Net Framework 3.5 on any machine, without warning, without seeking consent, whether there's a copy of .Net on the machine or not.

Here's how Chris88mzi on the Microsoft Answers forum describes the problem:

I am taking care of a number of WinXP - SP3 / IE 8 systems, all configured with "Automatic updates" enabled. Furthermore, none of the systems have any of the .Net framework families installed, as the users have no need for it. Suddenly this evening the users have KB951847 ".Net framework 3.5 and families" installed during the system shutdown procedure without any request for it. Has ".Net" suddenly become a must for WinXP operations so users are forced to take it - or is this just another bug in the update operations? Considering the remaining lifetime for WinXP, the answer is evident, I guess. Anyway, I have manually removed the update to avoid a whole bunch of further .Net updates to KB951847 to download and install.

It looks like the detection routines for the KB 951847 installer are getting confused. The patch should only be applied on Windows XP and Server 2003 systems with .Net already installed, but if your XP/Server 2003 systems have Automatic Update turned on -- surprise, you may now have .Net Framework 3.5 on all your computers. Those copies of .Net Framework 3.5 are looking for their updates, of course.

Microsoft desperately needs to implement Patch Monday, or something like it. This is ridiculous.

This story, "Resurrected KB 951847 'zombie' patch fixed -- but now has new problem," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Copyright © 2013 IDG Communications, Inc.