Microsoft releases updated MS13-036 security patch

Martin Brinkmann
Apr 24, 2013
Updated • Apr 24, 2013
Windows, Windows Updates

If you are following my coverage on Microsoft's Patch Tuesday here each month you have noticed that one of the patches that the company released this month caused severe issues for some Windows 7 users. Update 2823324, which is part of the bulletin MS13-036 fixes a vulnerability in the file system kernel-mode driver ntsf.sys. It was assigned a security rating of important - the second highest - rating available across all systems, and a moderate rating on Windows 7.

An elevation of privilege vulnerability exists when the NTFS kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

The vulnerability allows local users to cause a denial of service attack or gain privileges using specifically crafted applications. Some Windows 7 users quickly learned about a side-effect of the first patch that Microsoft released on Patch Day. Their system would go in to an endless reboot cycle and Microsoft confirmed later that this was caused by a conflict with third party software installed on the computer system.

Microsoft as a consequence pulled the patch from Windows Update for the time being and suggested to users to uninstall it on their systems.

Microsoft today released an updated patch that resolves the issue that some Windows 7 users were facing. The new update is now listed under KB2840149 and it is suggested that Windows 7 users download and install it as soon as possible on their systems. The update is not only available via Microsoft's Download Center but also via Windows Update. If you have not booted your system for a while check for new updates in Windows Update and it should appear in the list of available updates there as well.

security update windows 7

I recommend you uninstall update KB2823324 if it is still installed on the system before you do install the new one to avoid conflicts of any kind. Consult the guide linked above to find out how you can install the previous update on your operating system.

Update: The previous update, if still installed on the system, seems to be pulled automatically after you have installed the new update on your system.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. techvilli said on April 27, 2013 at 6:50 am

    Microsoft new MS security patch surely resolves denial of service attacks and malware

  2. Miguel said on April 24, 2013 at 1:52 pm

    Thank you Martin for the information on the new patch :)

  3. John said on April 24, 2013 at 12:34 pm

    #Julia I love the BSoDs. At least I can play Pakman without the kids worrying me!

    We’re all here to help if Pakman stops working!! I trust all is ok?.

    We all are on this thread — to help each other.

    Next time, my turn, ok?

  4. Gennaro Prota said on April 24, 2013 at 11:32 am

    Quoting from

    Customers do not need to uninstall the expired 2823324
    update before applying the 2840149 update; however,
    Microsoft strongly recommends it.

    That is: it shouldn’t be necessary but then… if something goes
    wrong don’t blame us :-)

    1. Julia said on April 24, 2013 at 11:53 am

      Geeee! I uninstalled the expired 2823324
      update AFTER applying the 2840149 update! Waiting right now for all BSOD and more to jump at me….. :-)

  5. Gennaro Prota said on April 24, 2013 at 10:46 am

    Note that the opening paragraph of the article mistakenly says “2823323” instead of “2823324” (the other one occurrence in the article is correct).

    1. Martin Brinkmann said on April 24, 2013 at 10:51 am

      Corrected, thanks for noticing the typo.

  6. John said on April 24, 2013 at 6:40 am

    Just as an aside MS Technet says: “The update that this article describes has been replaced by a newer update. To resolve this problem, install security update 2840149″

    Note the words: To resolve this problem”. I don’t know why, unless they have screwed another update, which is unlikely???

    [sorry about the earlier pre-post]


    1. Julia said on April 24, 2013 at 7:53 am

      @Martin: Thanks!
      @John: Thanks, too! Yes, I got a re-boot signal from the Windows Update. And yes, I rebooted.

      Ts, ts, ts Microsoft…

      1. John said on April 24, 2013 at 11:22 am

        #Julia. All is ok! stay with what Microsoft has done and pull the 2823324 as Martin recommends. It may be that it is on your update log but not applicable. Unfortunately Julia, I don’t know cos I pulled it 10 days ago.

        And, seriously: it’s finished. It’s gone. Otherwise … contact me and we’ll both sue MS! You are as safe as you can be! The Microsofts have done it. Nice people.

        Ts, Ts….


  7. Ficho said on April 24, 2013 at 5:48 am

    It looks like KB 2840149 is not culprit.I still have problems.
    I’ll continue to search what could be the problem.

    1. John said on April 24, 2013 at 6:34 am

      # Julia, did you get a re-boot signal from the Windows Update? And did you re-boot? If you still have it after the 2840149 after install, then I agree with Martin: uninstall the KB2823324. To get a sense of proportion on this, most users have no problem. It was a screwed update by MS and affects 1% of users so there is no need to go too far — though why the old update wasn’t uninstalled I don’t know.. Go with Martin on this one.


  8. Ficho said on April 24, 2013 at 5:35 am

    Huge problem!
    I could not restart PC few hours after I installed KB 2840149.I was able to turn off/on PC,
    but normal restart didn’t work so I uninstalled KB 2840149 and everything is OK now.
    How important that update is?
    I have Avast 8 Free as AV if that matters.
    I’ll check if restart is working without that update few more times.

    1. Martin Brinkmann said on April 24, 2013 at 5:42 am

      It can only be exploited locally.

  9. John said on April 24, 2013 at 3:39 am

    Hello Martin

    Thanks for the info.

    From my understanding the manual pull of the update of KB2823324 MS13-036 issued on 9 April is now not necessary as it has been over-ridden with the recently issued KB2840149 and will automatically pull the old update of 9 April. That’s why they need a reboot to get rid of the kernel hooks that they incorrectly implemented at that time. There is no need to uninstall: 2840149 will pull it.

    Let me know if that is wrong, as the is my understanding from Technet.


    1. Martin Brinkmann said on April 24, 2013 at 3:52 am

      John it seems that way, I’ll update the article.

      1. Julia said on April 24, 2013 at 6:01 am

        On one of my computers (which I rarely use) I didn’t deinstall KB2823324 previously. After installing KB2840149 today, I see that KB2823324 is NOT pulled automaticly after reboot. Should I deinstall it manually, once and for all???

      2. Martin Brinkmann said on April 24, 2013 at 6:08 am

        I’d uninstall it since Microsoft did recommend to uninstall that update.

  10. Julia said on April 24, 2013 at 2:20 am

    Let’s hope that with this update everything will work smoothly….

  11. Ficho said on April 24, 2013 at 1:55 am

    Thanks.Update installed.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.