Microsoft, patches and Blue Screens

Microsoft had a large Patch Tuesday in February – with an unintended side effect: large amounts of blue screens. This turned out to be due to an interaction between the Alureon rootkit and the patch for KB977165 which updates the Windows kernel. This month’s patches also contain kernel updates, and so have the same incompatibility with the rootkit. As the bulletin for MS10-021 states, “This security update includes package detection logic that prevents the installation of the security update if certain abnormal conditions exist on 32-bit systems. These abnormal conditions on a system could be the result of an infection with a computer virus that modifies some operating system files, which renders the infected computer incompatible with the kernel update.”

So Microsoft is deliberately not installing the newer kernel updates if the rootkit is detected – and at the same time leaving vulnerabilities unpatched. There are no active exploits for the problems the newest kernel patches are trying to fix, however this situation is far from positive.

Microsoft also can’t just remove the rootkit as this would require entitlement; and there’s a risk to the stability of the system with removing something like a rootkit.

This particular rootkit is removed by Microsoft’s Malicious Software Removal Tool however this tool is not installed through the standard Windows Update mechanism which only does ‘Important’ updates. One has to specifically install the Tool or allow Recommended updates to be installed as well ( this tool enables entitlement for virus removal through acceptance of the T&Cs for the product ).

This problem is only likely to grow worse with time. Until cleaned, the infected machines will be vulnerable to an increasing number of kernel flaws, leaving them exposed to new threats. With little chance that owners of affected computers will clean them up of their own volition, Microsoft might yet be forced to take some more aggressive action to get them clean and up-to-date.

Robby Pedrica

Robby Pedrica is a storage and security specialist providing IT and ITSM consulting services in Southern Africa to SME and Enterprise clients. With 20 years of experience, and numerous certifications, Robby excels in niche areas such as systems monitoring, load balancing, advanced storage functions like virtualisation, backup and replication, virtual security appliances, and FOSS software infrastructure such as web, email and application servers. He also runs 'Robby Pedrica's Tech Blog' expounding the mantra of security, security, security.

robbypedrica has 22 posts and counting.See all posts by robbypedrica

Pin It on Pinterest