Windows patch MS15-084/KB 3076895 breaks Symantec, IBM Tivoli, even Microsoft Forefront

It had to happen sooner or later: Microsoft’s near-perfect string of high-quality patches took a hit this month with the Aug. 11 (Patch Tuesday) release of MS15-084/KB 3076895. The following problems may appear on Windows 7 SP1 and Windows Server 2008 R2 systems, according to the KB article:

• Attachmate Secure IT File Transfer — Client does not load
• IBM Tivoli Storage Manager — Backup services may fail or hang, user log-on hangs after providing valid user credentials
• Microsoft Common Antimalware Platform (CAMP) — Server stops responding
• Microsoft Forefront Endpoint Protection (FEP) — Application stops responding
• Symantec Endpoint Protection (SEP) — Notification Area icon shows that it’s in an unknown state
• Symantec Endpoint Protection Small Business Edition — Policies aren’t updated, client UI may not open, the portal isn’t updated with the status of the client
• Symantec Security products — Application stops responding, monitoring status isn’t displayed, on-demand scans don’t run
• PPG — Application hangs were reported but have not been confirmed by Microsoft

The KB article goes on to say, “Other software products that are not listed in this table may experience additional side effects.”

I have seen posts say the problem also appears on Windows 8.1 machines, but Microsoft has not confirmed that. It isn’t clear if KB 3090303 will fix — or even install on — Windows 8.1 computers.

On the Microsoft Answers Forum, poster Mike Leonard offered this blistering account on Aug. 27:

I spent almost an hour with Microsoft Technical Support this morning. They claim there is no hotfix and that I should contact Symantec for support (specifically to use their tool to uninstall and reinstall their product). They said the link I provided them does not exist, and that the information I provided them was “generic” and probably from a forum. It ended with, “Really sorry for this I wish I can do more for you but this is really Symantec’s scope of support.”

As you can see on that thread, the confusion continued on Aug. 28, with Symantec pointing to Microsoft and Microsoft pointing to Symantec.

Poster eventtrac (who is not identified, but appears to be a Windows Servicing team engineer) responded with some authority:

Computers that have never installed KB 3076895 may safely install KB 3090303 and any post-3090303 updates to avoid known symptoms caused by the installation of KB3076895.

Fixes for all other affected Windows client and server OS versions will be distributed after Sept. 1, 2015 under a different article #.

Also on the Answers forum, there’s a particularly galling transcript of a Microsoft Answer Desk conversation that ends like this:

(Customer): All my conversations have been like this one, where I am told it is not a Microsoft issue

(Microsoft): I am sorry but we don’t have a hotfix for issues such as the one for SEP SBE Loss of Connectivity issue.

(Customer): Do you know if you are working on one?

(Microsoft): And sorry but we have not received any update that there is an issue regarding that. It is possible that you were misinformed. Please contact Symantec for further questions.

Note that Microsoft’s own Forefront Endpoint Protection was among the products borked by KB 3076895.

The fix appears to be comprehensive — I can’t find references to any other products that were killed by KB 3076895. It took Microsoft more than two weeks to get it together, with many frustrating tech support fumbles along the way.