KB2585542 stops access to websites

    Question

  • Hi, my WSUS automatically installed KB2585542 last night on my Windows 7 machines. Since then I was not able to access my billing software website https://brightree.net. It kept giving me "Internet Explorer cannot display webpage". I then started removing the updates from last night one by one. When I removed KB2585542 it started working again. Any ideas?

    It does not seem to affect my XP machines but it does affect my 2008 R2 machines. I do not have any Vista machines to test it on.


    • Edited by TAZ7171 Wednesday, January 11, 2012 4:48 PM
    Wednesday, January 11, 2012 4:11 PM

Answers

  • This comment was posted in another thread, sorry I don't have the original poster's name: "The change made in KB2585542 is to split a record into two records before sending. Microsoft, Google (Chrome), Mozilla and Opera have all made the same change (or are making the change) to split records in order to prevent an attack against HTTPS sessions. Some SSL/TLS (HTTPS) implementations do not receive the records correctly. If installing KB2585542 causes a lack of HTTPS connectivity in some circumstances and not others, then the place to look is on the receiving side of the connection. In some cases, the issue is related to SSL/TLS implementations in web application servers (firewall, load-balancers, etc.). Other examples are VPN solutions that don't handle the record splitting correctly."

    Now to follow up that comment there is a Microsoft FixIt patch available for people that are having trouble following this update. The patch is available in KB2643584:

    http://support.microsoft.com/kb/2643584


    ~Correction: ArdenW posted my comment above, just want to give proper credit.~
    Tuesday, January 24, 2012 7:08 PM
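
The record splitting described in the answer above, as an added example that is not part of the original thread or Microsoft's code. It models only the TLS record framing (no encryption or MAC), assumes the split puts the first byte in its own record (a 1/n-1 split), and uses a constructed request and hypothetical function names to show why a receiver that treats one record as one message breaks.

```python
import struct

APPLICATION_DATA = 23   # TLS ContentType for application data
TLS_1_0 = (3, 1)        # record-layer version bytes

def make_record(payload: bytes) -> bytes:
    """Frame one record: type(1) | version(2) | length(2) | data (framing only)."""
    return struct.pack("!BBBH", APPLICATION_DATA, *TLS_1_0, len(payload)) + payload

def send_unsplit(message: bytes) -> bytes:
    """Behaviour before the update: one write becomes one record."""
    return make_record(message)

def send_split(message: bytes) -> bytes:
    """Behaviour after the update (assumed 1/n-1 split): first byte sent alone."""
    if len(message) < 2:
        return make_record(message)
    return make_record(message[:1]) + make_record(message[1:])

def parse_records(wire: bytes) -> list:
    """Walk the byte stream record by record using each header's length field."""
    payloads, offset = [], 0
    while offset < len(wire):
        if len(wire) - offset < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", wire, offset)
        if ctype != APPLICATION_DATA:
            raise ValueError(f"unexpected content type {ctype}")
        body = wire[offset + 5 : offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        payloads.append(body)
        offset += 5 + length
    return payloads

def robust_receiver(wire: bytes) -> bytes:
    """Correct: application data is a byte stream, so concatenate every record."""
    return b"".join(parse_records(wire))

def fragile_receiver(wire: bytes) -> bytes:
    """Faulty server/middlebox model: assumes the first record is the whole request."""
    return parse_records(wire)[0]

REQUEST = b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed sample

if __name__ == "__main__":
    for name, sender in (("unsplit", send_unsplit), ("split", send_split)):
        wire = sender(REQUEST)
        print(name, [len(p) for p in parse_records(wire)],
              "robust ok:", robust_receiver(wire) == REQUEST,
              "fragile ok:", fragile_receiver(wire) == REQUEST)
```

The fragile receiver only fails on the split stream, which matches the thread's observation that the same client works against some servers and network paths and not others.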

All replies

  • I can echo a resounding "me too." I installed this update yesterday at work. Then I started getting this error in IE and Chrome on websites that require authentication:

    I took my laptop home last night and noticed that I did not receive the aforementioned error when trying to authenticate there. My home network arguably has a less rigorous network security configuration than we employ at the office. When I connected through our VPN, the issue returned.

    I rolled back yesterday's updates using System Restore, then incrementally reinstalled each one until I figured out it was KB2585542 causing the glitch.

    So, I'm thinking it's a specific interaction with our security software. We use Websense, what about you?

    Sidebar, I noticed that while KB2585542 was listed in Windows Update as an important update, it was not checked to automatically install by default. Wonder why? Additional sidebar, while trying to troubleshoot the issue, I rolled back to IE8, and now I can't get IE9 to reinstall. Any ideas there?


    - Greg
    Wednesday, January 11, 2012 5:29 PM
  • We use Symantec Endpoint Protection in our environment. When I discovered this issue my first thought was to disable the security software. This did not help. Only when removing the update could we access the sites.

    This issue affects both IE8 and IE9 on my Win7 systems. I do not know why you would not be able to upgrade to IE9 after rolling IE8 back.


    I just updated my home PC running Win7 Ultimate x64, IE9, and Security Essentials with KB2585542. It now is not able to access the sites. So if it is related to security software it is affecting a lot of them.
    • Edited by TAZ7171 Wednesday, January 11, 2012 6:28 PM
    Wednesday, January 11, 2012 6:20 PM
  • Yup... Here too. FYI - I have found that if you uncheck "TLS 1.0" in IE, you can go to the secure site.
    Wednesday, January 11, 2012 8:13 PM
  • Actually, you have to uncheck ALL TLS (1.0, 1.1, and 1.2) in IE settings for secure sites to work again.... I have an open case w/ Microsoft regarding this and will post info they give me.
    Wednesday, January 11, 2012 8:16 PM
  • Hi, I have the same problem even if I uncheck the different TLS options, but the problem is certainly around this security.
    Monday, January 16, 2012 11:51 AM
  • Since this update and KB 2638806 relate to SSL and TLS, if you own the Web app server, I'd make sure that the updates are on it as well. I'm doing research on the patches before installing them, and this is something that came to mind when reading the KBs. Looking at this thread scares me, so thank you for posting. I was going to install these patches on my server, not the clients, but I'm thinking that I have to install it on both to ensure connectivity. HTH. To be clear, I haven't installed these patches yet, so I'm not positive that this is the case.
    Monday, January 23, 2012 6:46 PM
  • We had the same issues in our environment with certain certificate authenticated websites over SSL. WinXP 32-64, Win7 32-64. Uninstalling the patch fixed the issue; however, we are required to have this patch on our machines. After reinstalling, it broke the sites again, but pushing this registry change through group policy solved our problems and allowed the patch to remain on our machines.

    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    • add new DWORD (32-bit) SendExtraRecord
    • Value 2
    Friday, February 17, 2012 9:26 PM
  • You do realise that SendExtraRecord=2 turns the patch off and is basically the same as uninstalling it? If you are required to have it on your machines as some kind of policy then do not set SendExtraRecord to 2.

    Friday, March 16, 2012 10:46 AM
  • Hello all,

    We've been monitoring several of the compatibility issues related to MS12-006 and have worked with the Microsoft Security Research and Defense team to update a blog post consolidating content about what the vulnerability is, how the update mitigates the vulnerability, and links to several FixIt's designed to help quickly automate workarounds.  If you are running into an issue after applying this update, please review the blog and use the FixIt's to help quickly diagnose a compatibility problem.

    http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx

    Monday, March 19, 2012 7:23 PM