In association with heise online

03 March 2010, 12:20

Microsoft re-releases 'blue screen' patch


According to Microsoft's Security Response Center, Microsoft is re-releasing patch MS10-015 as an automatic update. However, the patch won't install itself on systems which exhibit certain "abnormal conditions" such as an Alureon root kit infection. Installing the patch had previously caused blue screens on such systems under Windows XP. As a result, Redmond stopped the update process for about 3 weeks.

The root kit infects system drivers and uses fixed API addresses which are altered by Microsoft's patch. A memory error is consequently triggered when the root kit calls an invalid address. It remains unclear how many systems are affected worldwide. The root kit seems to hide so well within the system that even background anti-virus programs often fail to detect it, leaving users without any indication that their systems are infected. However, Microsoft's action in withholding the patch for several weeks could be an indication that a large number of systems are affected.

The new MS10-015 installation package, which closes a privilege escalation hole in all Windows versions, will check whether the patch can be installed without causing trouble. If a problem is encountered, the update process is aborted and an error message is issued. Microsoft also offers a tool which allows users to check whether the patch could cause problems before they install it. This is intended particularly to assist the administrators of large networks in deploying the update.

Microsoft doesn't provide any practical solutions for those who are affected – users are advised to contact Microsoft's support team. Whether the problems are really caused by the Alureon root kit can be verified by running a virus scanner from a LiveCD. However, Symantec say that automatic disinfection is likely to fail in many cases. The anti-virus vendor suggests replacing infected system drivers with clean copies instead. Even then a clean re-install of the system could be required.
