Q811493 Patch
 

Buffer Overrun in Windows Kernel
Message Handling Could Lead
 to Elevated Privileges

*** Article Update - 28th May 2003***

Since I wrote this article Microsoft have
released a fix. Please see the end
of this article for the update - Thanks

(Please Note: There is much confusion between patches Q811493 and Q815021. Please go to http://www.updatexp.com/q815021-q811493.html for more clarity and information.)

So What's The Story With Q811493 ?

Since its release on the 16th April 2003. Rumours of Windows XP machines "running like molasses
uphill on a cold day" have spread around the Internet. And the culprit? 

Windows XP Security Patch Q811493!

Windows XP Guru "Steve Bink" has noticed the issue too... He posted a report on a Microsoft
Newsgroup and got this reply from Redmond HQ:

Thank you for the info. I'm not sure yet what is conflicting with Q811493.We currently have a group of developers working on the problem. We'll get this resolved as soon as possible. Sorry for the inconvenience.
Thanks,
Lucy [MS]

Well as of writing this article, 22nd April 2003, there is no update from Microsoft on this issue...
( NB  - Please see the end of this article for updates on this situation.) I also revisited the
Windows Update site but could not find Q811493 listed under Critical or Recommended Updates.
Perhaps Microsoft pulled it for further investigation...?

So What Are XP User's Experiencing?

Well first of all it is worth mentioning that NOT all those who have upgraded their machine with Q811493 have experienced "slowdown" problems. This includes those with XP SP1 and those without.

For those with problems these are generally the symptoms after installation of the Q811493 patch: (based on postings to the major news groups and forums)

On Starting the machine it takes much longer to boot into Windows XP. Then either attempting to logon or enter via the welcome screen than takes an additional longer wait. Some users of Windows XP Home edition report a green timer bar appearing when they try and enter their profile via the welcome screen -in many instances this has taken 5 mins on a Pentium 4...

Many of these same users have reported reported further problems with their machines when they try and run any software. It would appear that NO application, MS or 3rd party,  is immune so slow starting and exiting. In fact exiting an application can take so long that on the "Task Menu" the application will show up under "Processes" but nothing is displayed under "Applications" - this can go on for several mins...

One user gave up trying to play a DVD on a P4 3.0 with 1G RAM - nothing happened for almost 10 mins except the usual hourglass appearing in the middle of the screen...

One interesting observation is that a minority of users have found disabling their Anti Virus product speeds things up, but that is not the case for most folks hit by the Q811493 problem. But might be worth trying if you are experiencing problems after installing Q811493.

So What Can Be Done?

Well if you have not yet installed it - DON'T!  Just wait until the fix to this patch is released.

If you have already installed it then simply remove it and re-boot Windows XP to resolve the problem and get your speedy machine back.

To do this:

Go to the Control Panel then Select Add or Remove Programs. In here look for an entry:

Windows Hot fix  Q811493

Then select the item, so it highlights, and then click the Change/Remove button. This will then launch the uninstall process!

You will need to re boot after the uninstall process. 

Not Sure It Is Installed On Your PC?

Apart from a quick check in the Add/Remove panel to see if it is listed. You could always take a peek in the registry and if you have the following registry key, it is installed:

Windows XP:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\ Q811493

Windows XP with Service Pack 1 (SP1):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\ Q811493

Conclusion:

Whilst the Q811493 patch does offer protection for your system, in the face of a known vulnerability. There is no point installing it to have a more secure system and then not be able to use it. Therefore this is one Systems Administrator that will NOT be installing it on his network until Microsoft have fixed the problem.

Q811493 was not deemed a "Critical" patch on its release by Microsoft, as any potential attacker would have to have "local access" to your local machine. So having good controls over who can access your machines will limit any threat this vulnerability may pose to the Windows XP operating system.

This article appears in the latest issue (No 83) of the highly recommended "BootLIST" newsletter! If you are not yet a subscriber then visit Ed's site at www.bootdisk.com and subscribe today! It really is one of the best...

Regards

Marc Liron

See Update below....

 *** Update as of 28th May 2003 ***

Microsoft have issued this update via the "Microsoft Knowledge Base"

This is a précis of the article:

You May Experience Performance Issues After You Install the Q811493 (MS03-013) Package on Your Windows XP SP1-Based Computer

The information in this article applies to:

• Microsoft Windows XP Home Edition SP1
• Microsoft Windows XP Media Center Edition
• Microsoft Windows XP Professional SP1
• Microsoft Windows XP Tablet PC Edition

SYMPTOMS

You may experience slower computer performance after you install the Q811493 (MS03-013) security update package on a computer that is running Windows XP Service Pack 1 (SP1), or after you upgrade to SP1 on a Windows XP-based computer on which the Q811493 security update was previously installed. This problem may be more likely to occur if you use some features of some third-party programs, such as antivirus programs. For example, this problem may occur if your antivirus program is configured to scan all files when you open (or you run) them. This is sometimes called "real-time" scanning.

CAUSE

This problem occurs because of a regression error in the Windows XP SP1 versions of the kernel files (Ntoskrnl.exe, Ntkrnlmp.exe, Ntkrnlpa.exe, and Ntkrpamp.exe) that are included in the Q811493 security update. This problem occurs because of a regression error in the Windows XP SP1 versions of the kernel files (Ntoskrnl.exe, Ntkrnlmp.exe, Ntkrnlpa.exe, and Ntkrpamp.exe) that were included in the original 811493 security update. On May 28, 2003, Microsoft released a revised version of the 811493 security update for Windows XP SP1 to address this problem.

Notes

• The Q811493 security update is still effective in addressing the local elevation of privileges security vulnerability on Windows XP-based computers (with or without SP1) that is discussed in the MS03-013 security bulletin.

• The Q811493 security update for Windows XP is a dual-mode hotfix package that contains updated kernel files for both the original version of Windows XP and Windows XP SP1 (which includes Windows Media Center Edition and Windows XP Tablet PC Edition). The regression error in the Q811493 security update affects only the Windows XP SP1 kernel files. For additional information about dual-mode hotfix packages for Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

  328848 Description of Dual-Mode Hotfix Packages for Windows XP

Resolution...!

To resolve this problem, install the corrected version of the Q811493 security update.

So What Does This Mean?

Visit the Windows Update centre to get the Q811493 Security Patch (Windows XP) now... This "Revised" patch is OK to install - so MS say. I have tried and seen no performance drop on my XP SP1 machines.

I would recommend you do turn off your Antivirus program during installation, just to be on the safe side thought!

The original patch was over 5MB, the new revised Q811493 patch is a smaller 3.2Mb.

What MS are NOT saying is why so many Windows 2000 users who installed the Q811493 security patch have been hit by similar slowdown problems too... Perhaps we will never know why?

Home Page  |   Main Article Index  |  FREE XP Newsletter  |  Privacy Policy 

Q811493 Patch