Problems with MS update KB891711?

hunt045

Has anybody seen any problems with Windows 98SE booting after the installation of update KB891711?  I just had to remove it from a customer's machine as it was originally causing it to Blue Screen with a fatal exception. Upon removal and reinstallation, it quit the BSD and just would not launch the desktop.  This machine was recently cleared of SpyWare and is running the latest version of McAfee's AV; V9.0.  It also has the free version of ZoneAlarm installed.  I Googled the update number and got the feeling that I may not be alone with problems with this update.  Any input?
gonzal13Retired

Commented:
I could only find a reference to 891711 not KB891711 on Microsoft's site which is not pertinent to your problem.

Now what I do when I have weird problems is to install WIN98 over itself. This of course is done by going to win98, inserting the CD-ROM, clicking on the X when the logo appears and then going to the device and finally to win98 folder.

gonzal13(joe)
gonzal13Retired

Commented:
I also could not find it on this website's data base.

gonzal13(joe)
http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx

Microsoft Security Bulletin MS05-002
Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711)

No direct download link given, as expected with them beginning to pull the plug on Win98 support.

Related references:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1049

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability.  An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker.
 
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
 
By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone.  Additionally, Outlook 2000 opens HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update (http://www.microsoft.com/office/previous/outlook/2002security.asp) has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 (http://www.microsoft.com/technet/security/bulletin/ms04-018.mspx) has been installed.  The Restricted sites zone helps reduce attacks that could attempt to exploit this vulnerability.

The risk of attack from HTML e-mail can be significantly reduced if you meet all the following conditions:

1. Apply the update that is included with Microsoft Security Bulletin MS03-040 (http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx) or later Cumulative Security Update for Internet Explorer.
2. Use Internet Explorer 6 or later.
3. Use the Microsoft Outlook E-mail Security Update, use Microsoft Outlook Express 6 or later, or use Microsoft Outlook 2000 Service Pack 2 or later in its default configuration.
4. Read e-mail messages in plain text format (Outlook 2002 or later, or Outlook Express 6 SP1 or later).

The update removes the vulnerability by modifying the way that cursors, animated cursor, and icon formats are validated prior to rendering.

Unfortunately I cannot see any indication of known problems or workarounds to issues created by installing this patch.  Maybe some other experts here will immediately recognise this patch by the above description and remember any issues.
 
 

Is it possible that, amongst other things, McAfee AV is protecting the ShellIconCache or something like that?
Top Expert 2005

Commented:

On the same path of BillDL's thoughts, many reports of problems when NAV is running...

Are you?

Zee
Top Expert 2005

Commented:

I'm more and more inclined to believe NAV is an issue here.

 hunt045, are you running NAV?

Could you please confirm that?

Zee
I've been searching google for a while there and, to be honest, I haven't seen anything that tends to imply a known problem with this patch apart from an incompatibility with a corporate database management application.  Even then, it quotes an incompatibility when the patch is installed with WinXP SP1.

hunt, do you have any specific links that led you to believe that you are "not alone" with this problem?

One thing that comes to mind that you should check.  Is Mcafee AV set to intercept things and quietly quarantine and fix without user intervention?  If so, check what is lying in Quarantine and also the activity log.  I see it has a function similar to the NAV "Script Blocking" and also the option to scan for traits that would lead it to believe that something might be an unknown virus (heuristics or bloodhound??).

If it has intercepted a legitimate Windows process or file, then perhaps that removed one of the components of the update.  After all, it does say that the fix "modifies the way that cursors, animated cursor, and icon formats are validated prior to rendering".  How it does this is anyone's guess, but perhaps Mcafee was running while the update was applied, and blocked it as a potentially dangerous script.

Disable Mcafee, or at least the "Auto Protect" and "Script Blocking" features prior to reinstalling, and see what happens.  This is good practice anyway, as AV products can often interfere with installations.

gonzal13Retired

Commented:
Bill, I looked on Microsoft's website also, but what came up was not pertinent to the problem. I also went to this website's database without results.

Well I am off to my daughter's first baby shower. We expect 112 people at a ranch. I have weird feelings being a grandfather. My daughter is 20 and works at a bank. She plans to continue working. Now if I can just get out of baby sitting.



gonzal13(joe)

Commented:
Cheers, grandpa gonzal13!

Best wishes
nedvis
Top Expert 2005

Commented:

The problems with KB891711 are not caused by AVs.

No one yet knows why some systems are affected and others aren't.

You can uninstall it in Add/Remove programs or disable it under the startup tab in the System Configuration Utility:

Start > Run > type MSCONFIG and press enter

Until a solution or workaround is known.

It also blocks Scandefrag.
:(

Zee

Commented:
I had here the same 'blue screen of death' lock up each time I tried to boot Windows 98SE after installing KB891711.  I do NOT use any Norton products.

Win98SE would boot OK in safe mode.

I did a non-destructive re-install of Windows 98 and the problem persisted.

Of course, using msconfig to keep the update from starting when Win98SE booted solved the problem.

This is probably the worst MS has done yet with its updates...an update that prevents the operating system from working at all.  I guess practice doesn't always make perfect.
That's an interesting one to take a note of.  So the update relies on loading a startup process/file to actually work.  Incredible!!!

Out of interest, what does the update appear as in msconfig's startup list, and is it launched as a [HKEY_Local_Machine\..\Run], a [HKEY_Local_Machine\..\RunService], or from a shortcut in the Startup folder?

Does anyone have a download link for the update?  I would like to dissect it and see what makes it tick.

From the description of the potential vulnerability it is intended to patch, I would have to guess that the chances of that vulnerability being breached are so slim that it is probably a non-critical update anyway.
Cancel that last one, I see from this discussion page that it runs as Kb891711.exe from its own program folder c:\windows\system\Kb891711\Kb891711.exe and is launched by an entry in [HKEY_Local_Machine\..\RunServices]

Still can't find a download link though.
I do notice that the UNOFFICIAL Windows 98se SP1 (version 1.6.2) update does not include the KB891711 update, but covers just about every other available update right up to 20 Sept 2004.

http://exuberant.ms11.net/98sesp.html

Read the disclaimer at the end of the page.

I installed this on one of my Win98se PCs without adverse effects.  I'm not altogether keen on the My Computer, Recycle Bin, etc icons being replaced by Win ME-type ones without choice, but it's easy enough to revert them back to the basic old style again.




Commented:
Now That's a nice link.  Thanks Bill.

Author

Commented:

I want to thank everybody for their input on this problem.  Yes, this update is described as indicated above in Microsoft's Bulletin MS05-002.
I Googled it again and found more discussions about the problems this update is causing.  Apparently, not everybody is experiencing the symptoms and it may be affecting Windows 2000 also. A couple of the discussion links: http://www.d-a-l.com/help/showthread.php?p=42596#post42596  Also: http://www.msusenet.com/t-2560174.html
From what I read so far, this is an .exe patch that runs at startup.  Most people who have been having problems have disabled it using Msconfig or removed it using the Add/Remove feature in the control panel.
I think MS has an undiscovered problem on their hands.  It will be interesting to see what develops downstream at Redmond!

Commented:
I installed this update yesterday on my up-to-date Windows 98SE. This morning when I booted and tried to start both browsers (tried IE and Mozilla), both failed with fatal blue screen system error 0D. Since I had also just installed new SPYBOT and EUDORA releases, I didn't know what caused the problem. Thus, I did a /RESTORE which got me back to normal.

Two critical updates (KB888113 and KB891711) were installed and essentially disabled by the /RESTORE. Microsoft's automatic update site no longer recognizes that these updates were restored and need to be reinstalled. Also, the updates are not available as a download -- MUST use automatic update site! Thus, I can not get KB888113!

Questions:
1) How do I confirm which updates are on my system? I know about hotfixes (QFECHECK) and have WinUpdatesList utility which lists all the updates it can find. Should KB888113 show up if it still resides? How about KB891711  (the module still resides on my system in the file referenced in a previous comment, but the entry in Registry and startup was removed by the /Restore)?

2) Do I have to clean something else up (registry or other) to show that these are not on my system? Since /restore does not remove the code itself, I can only assume I am still running KB888113 wherever it is. Right?
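
An added example, not part of the thread and not Microsoft's tooling: one way to answer the question above (is Kb891711.exe still being launched at boot, or is only the file left behind?) from a REGEDIT4 export plus a file listing. The sample export, the value name `KB891711` and the file list are constructed; the key path is the standard Windows 9x Run/RunServices location, and treating a key with a trailing `-` as msconfig-disabled entries is an assumption.

```python
import re

# Standard Windows 9x autostart location (lowercased; key names are case-insensitive).
BASE = r"hkey_local_machine\software\microsoft\windows\currentversion" + "\\"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse REGEDIT4 text into {lowercased key path: {value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:  # string values only; dword/hex data cannot hold a command line
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name] = data
    return keys

def autostart_entries(keys):
    """Yield (key name, value name, command, enabled) for Run and RunServices."""
    for sub in ("run", "runservices"):
        # Assumption: msconfig parks disabled entries under "<key>-".
        for suffix, enabled in (("", True), ("-", False)):
            for name, cmd in keys.get(BASE + sub + suffix, {}).items():
                yield sub + suffix, name, cmd, enabled

def update_state(reg_text, files, marker="kb891711"):
    """Classify the update as 'active', 'disabled', 'orphaned' or 'absent'."""
    hits = [e for e in autostart_entries(parse_reg_export(reg_text))
            if marker in e[2].lower()]
    if any(enabled for *_, enabled in hits):
        return "active"      # launched at every boot
    if hits:
        return "disabled"    # entry parked, process not started
    on_disk = any(f.lower().endswith(marker + ".exe") for f in files)
    return "orphaned" if on_disk else "absent"  # orphaned: file left, no entry

# Constructed sample data (not taken from a real machine).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"KB891711"="C:\\WINDOWS\\SYSTEM\\KB891711\\KB891711.EXE"
'''
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE"]

if __name__ == "__main__":
    print(update_state(SAMPLE_REG, SAMPLE_FILES))
```

A result of `disabled` or `orphaned` means the update's process is not being started at boot, even though its file may still be on disk.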

Commented:
Something went wrong with that Microsoft KB891711 security patch on my Windows Millennium PC.
I realised a new program was running as a system service and then I learned it's KB891711.
Using Sysinternals Process Explorer I killed the process created by the KB891711 executable file and my system started complaining with Fatal Exception Error OE : 017F : BFF8E64B. I was unable to stabilize the system so I decided to reboot the PC.
After disabling the executable file from loading at system startup (using msconfig) my computer ended up with a
WINDOWS PROTECTION ERROR - SYSTEM HALTED blue screen at boot time.
After a couple of unsuccessful trials to reboot in Safe mode and Windows Registry restorations I realized my Millennium fresh install was practically DEAD.
The problem was that I dual boot this particular PC between WinME and Linspire 4,5 Linux so the "repair" WinME installation is not a solution to me (Linux Loader would be overwritten by the new MBR) and I don't want to lose 200+ downloaded free Linux programs worth more than five days of continuous downloads over my dial-up connection.
SO BE AWARE OF MS KB891711 SECURITY PATCH.
I learned one more time the rule of thumb: DO NOT ALLOW WINDOWS ME TO SHARE HARD-DISK WITH OTHER OS-es.
good luck
nedvis

Top Expert 2005

Commented:

Just came across this statement and I'm wondering if your system fits that:

Quote:

Older processors are not compatible with that fix. Only Athlon 700mhz up and newer Intel
processors are compatible. Its not the OS, Its the chip.

Unquote.

Could you please, please post back a simple comment, hunt045??

Thank you,

Zee

Author

Commented:

Zee, thanks for the input on the older processors.....very interesting indeed.  Unfortunately, the machine I had the problem on had an AMD Athlon high performance 2.2GHz CPU chip with a matching Gig-Byte Motherboard. Not your garden variety system; a custom built gamers machine.  I am waiting for this situation to develop, as a simple removal of the Update through the ADD/REMOVE utility or unchecking the option in the Startup field takes care of the problem.
Top Expert 2005

Commented:

Thanks for the feedback!

Funny the AMD seems to be persistent...

I'll post your info where I got that quote, for further investigation.

Everything seemed well narrowed down...

Thanks again.

Zee

Commented:
Here is Microsoft's response to me on this issue [KB891711 causes Blue Screen of Death on Bootup]:

Dear Dr. Roger,
Thank you for contacting Microsoft Online Support Service. My name is
Lisa, and I'm glad to work with you. For your reference, the case ID for
this service request is XXXXXXXXXXXX. You can contact me directly by
writing an email to xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx with the case ID in
the subject line.
To give the most accurate support possible, I would like to give a brief
summary of the problem as I understand it:
The computer did not work properly after you installed KB891711. You
have indicated that the issue has been resolved after you removed it
from Startup.
If there has been any misunderstanding, please let me know.  
I would like to explain that Microsoft releases new updates to fix bugs
and increase the stability of Windows Operating System, and we have
tested as much of the software environment as we could to improve the
performance of updates. However, we cannot guarantee that every update
can install perfectly in all computers because every computer has a
different software and hardware environment. I highly appreciate your
understanding.
Regarding your concern, I would like to explain that it is a security
updates for the computer. If you have an antivirus or firewall program,
you do not need to run this update in the background currently.
If you have any further questions, don't hesitate to let me know.
Thank you for your time. I am standing by for your reply.
Best Regards,
 
etc.

In other words,

"Your system works again now that you've de-installed KB891711.  You don't need it.  Case closed"

Works for me.  But I won't be adding any more Microsoft security patches for a while ;)

FWIW I am running a stock P3 1 GHz system, no bells or whistles.
A fairly typical response from Microsoft, wouldn't you say?  They never commit themselves to discussing likely causes for incompatibility. By my reckoning it isn't even a patch, it's more like a logon script ;-)
dhsindyRetired considering supplemental income.

Commented:
After reading the threads I am wondering if I need Kb891711 at all.  Anyway, installed without any problem on my old Pentium II 233 MHz running Norton 2002 AV & FW (automatically updated).

Rather than just fixing or replacing files it runs as a process (task 'Kb891711').

It can be eliminated permanently in Control Panel Add/Remove programs (near the bottom of the list - things starting with W).  It can be stopped in the task manager temporarily (Ctrl+Alt+delete) - end task named Kb891711 (it will restart on next reboot).

One interesting point, Microsoft is extending Win98/Me support into 2006 on critical issues in some cases.
dhsindy, when you look at the narrow scope of the vulnerability, there is really just a very slim chance that you would ever be exposed to a situation that would use this "flaw".

You must be one of the lucky ones.  I ran Windows Update on a fresh install, and didn't notice it adding KB891711.  Immediate problems at reboot, and they disappeared just as immediately after removing that "update" permanently.

Do a search for KB891711 in google.com, and you will be hit by the scale of the problems with this patch.  Despite that, and the number of those people asking/complaining about it to Microsoft, they STILL include it in Windows Update.  Now that's irresponsible of Microsoft.
Top Expert 2005

Commented:

Just for common information:

Quote:

Microsoft has received reports about issues with KB891711 on Windows 98,
Windows 98 SE and Windows ME.  At this point, we have been able to confirm
these reports and are currently working on a resolution.

Please note that by uninstalling the current update, the machine will return
to a vulnerable state.  At this point, we are currently not aware of
customer's being exploited by way of the vulnerability fixed in MS05-002 on
Windows 98, Windows 98 SE and Windows ME.  If you need additional assistance
regarding this update, please contact +1 (866) PCSAFETY. When calling,
please indicate that you are having issues with a security update.
--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Unquote.

Zee
For ONCE they actually tried to patch a vulnerability BEFORE somebody exploited it!!!
dhsindyRetired considering supplemental income.

Commented:
BillDL,

<You must be one of the lucky ones.  I ran Windows...>

I neglected to mention that while running NAV - I have disabled the Recycle Bin 'file protection' feature which can interfere when an upgrade replaces files (especially system files).  I don't know if it makes a difference but I am using Internet Explorer 6.0.2800.1106IC (the 128-bit version) - BTW it was difficult to get a proper install on it.

That's all I got, dhs
Commented:
PAQed with no points refunded (of 50)

PAQ_Man
Community Support Moderator
