Bug Security Windows Technology

Windows Patch Leaves Many XP Users With Blue Screens

CWmike writes "Tuesday's security updates from Microsoft have crippled Windows XP PCs with the notorious Blue Screen of Death, users have reported on the company's support forum. Complaints began early yesterday, and gained momentum throughout the day. 'I updated 11 Windows XP updates today and restarted my PC like it asked me to,' said a user identified as 'tansenroy' who kicked off a growing support thread: 'From then on, Windows cannot restart again! It is stopping at the blue screen with the following message: 'A problem has been detected and Windows has been shutdown to prevent damage to your computer.' Others joined in with similar reports. Several users posted solutions, but the one laid out by 'maxyimus' was marked by a Microsoft support engineer as the way out of the perpetual blue screens."
  • Re:ha ha suckers!!! (Score:2, Interesting)

    by Anonymous Coward on Thursday February 11, 2010 @06:49PM (#31106476)
    Oh God. WHY did you use the letter instead of the number? *shudder*
  • Need confirmation (Score:5, Interesting)

    by dave562 ( 969951 ) on Thursday February 11, 2010 @06:50PM (#31106490) Journal

    An MVP poster in the thread claims that KB977165 causes the problem, and that the problem only occurs on computers that have been compromised by exploit code. The patch in question patches the NT kernel executable files.

    If it is true that only compromised computers blue screen then it's hard to fault Microsoft for their patch code choking when it stumbles across the exploit code.

    I wonder if they are going to push out an updated patch that at least performs some sort of sanity checking before attempting to modify the files. I doubt it. They'll just pass the buck and tell users that their computers were already hosed and that the BSOD is a "feature" and that they should have re-installed the OS anyway (because we all know that once your Windows box is pwnt, the only way to deal with it is full format and re-install).

  • Lucky Me (Score:5, Interesting)

    by Penguinshit ( 591885 ) on Thursday February 11, 2010 @07:37PM (#31107188) Homepage Journal
    Fortunately I didn't get bitten by this. I would be devastated. Here's why:

    I am quadriplegic with a tracheostomy to breathe. That means no keyboard or mouse and no auditory input. I control my computer with eye movement (the only muscles I still fully control) tracked via infrared camera. Almost every system built to assist communication for people like me are built on top of WinXP. There is a Mac version I have heard of but AFAIK doesn't do full control like the one I use. There is no Linux availability at all (oh how I wish).

    So I am stuck. This system is my voice and my window to the world (travel is a major production requiring a team of assistants). It controls my immediate environment (tv, lights, etc.). It represents the last bit of independence I possess. It is a Tablet so "pop in the CD" isn't so easy.

    I am very careful to avoid viruses and other malware (always was when I was healthy and Win32 was only a secondary OS for me then). But to be stabbed in the back would be utterly devastating to me. It could be weeks before I could get qualified help (Nerd Herd, etc. need not apply).

  • Re:Need confirmation (Score:5, Interesting)

    by initialE ( 758110 ) on Thursday February 11, 2010 @07:58PM (#31107458)

    It's bad news for Microsoft at so many levels -
    1. it's a 17-year-old bug
    2. The disclosure and proof-of-concept attack was done by Google, clearly not Microsoft's best friend
    3. Microsoft was forced to release a patch that is not fully tested
    4. The cure is worse than the illness
    5. Lots of Windows users find out they have been compromised for how long? Nobody really knows!
    6. The only remedy now is to restore your computer to its previous state, which means you carry on using your computer in its compromised state

  • Re:Need confirmation (Score:3, Interesting)

    by PsychoSlashDot ( 207849 ) on Thursday February 11, 2010 @08:25PM (#31107768)

    It's pretty easy to fault them for not taking a checksum before they patch to ensure that the file isn't modified. If it is, warn the user.

    You're both missing what's actually happening here.

    1} The "patch code" doesn't choke. The patched kernel does next reboot.
    2} The patch doesn't touch the infected file.

    The problem appears to be a compromised atapi.sys driver. Is it really reasonable for Microsoft's patch to the kernel to react gracefully to whatever corruption is present in that driver? I know the obvious is that Windows should fail gracefully on any fault, but really... we don't have any clue what's present in that file.

    Summary: patch patches the kernel. Kernel tries to initialize a compromised driver. BSOD.

    Extra stuff...

    I actually encountered such a machine this morning. This was pretty much while folks were realizing what was going on, before we collectively knew WHICH patch was responsible. I backed out the offending patch and got the system back up. I then found the box was WinXP Pro SP2, so I applied SP3. The SP3 install choked while examining the environment, saying that something had a handle on ATAPI.SYS. Well, being a tech, I fired up some tools, found a system process had the handle, closed it, and let SP3 continue. I then patched up everything else. Finally, I reinstalled KB977165. Lo and behold, the system worked fine. So in hindsight I can see that yeah, something was funky about that file in particular. Malware or not, something wasn't right about it. For the record, the system in question did have current AV (Norton 360) and was behind a simple NAT router but the user did have admin rights. Zero other signs of infection.

    For all we know we're going to find out that this was actually some bull-crap DRM solution.

  • Re:ha ha suckers!!! (Score:2, Interesting)

    by nevillethedevil ( 1021497 ) on Thursday February 11, 2010 @08:31PM (#31107856) Homepage Journal
    Actually this is about average for a PhD. I have seen so many lose several years worth of work because their HDD dies and they never backed up.
  • by fibrewire ( 1132953 ) on Thursday February 11, 2010 @08:39PM (#31107930) Homepage

    NT - http://technet.microsoft.com/en-us/library/cc750081.aspx [microsoft.com]
    2000 - http://support.microsoft.com/kb/174630 [microsoft.com]
    Now the same with Windows XP? Come on now, who are they fooling?
    Reminds me of that stupid stride commercial - http://www.youtube.com/watch?v=jxBlKFxGhNk [youtube.com]
    For those of you who feel left out with a working computer - http://technet.microsoft.com/en-us/sysinternals/bb897558.aspx [microsoft.com]

  • by KingSkippus ( 799657 ) on Thursday February 11, 2010 @08:48PM (#31108022) Homepage Journal

    When I was in college, a friend of mine who lived down the hall from me came to my door one day frantically knocking. She had stored the only copy of her PhD dissertation on a floppy disk, and the disk had gotten corrupted, and she didn't know what to do.

    I poked around on it for a little while, trying out a disk sector editor I had to see if I could recover anything, and I couldn't. It was just lost, period.

    She ended up going dumpster-diving. She had thrown away a printed hard copy the day before, and they hadn't taken the trash away yet. She was literally in the trash dumpster, sifting through two apartment buildings' worth of trash to find it, and spent that entire night retyping it from scratch.

    I felt sorry for her, and I remember thinking, "Well, I guess that's one way to learn a lesson that you'll never forget..." I was also really glad that I wasn't her significant other, because you know who would have been sifting through that dumpster.

  • Re:ha ha suckers!!! (Score:3, Interesting)

    by PCM2 ( 4486 ) on Thursday February 11, 2010 @09:01PM (#31108122) Homepage

    You should try Live Mesh. [mesh.com]

    Not a troll! I am serious -- I use it all the time. I use it to sync files between several computers AND Microsoft's servers, so I have a backup of anything important "in the cloud," accessible by Web browser if I ever need it.

  • Re:ha ha suckers!!! (Score:2, Interesting)

    by aflag ( 941367 ) on Thursday February 11, 2010 @09:05PM (#31108168)
    I'd say he's pretty much the average PhD student. Anyhow, the good thing about a PhD dissertation is that nobody really cares about it anyway. When I got to college I thought I'd see science in the making if I watched presentations by PhD students. What a disillusion... It felt like I was in a party watching some dude showing off, the only difference is that the PhD student will use graphs instead of drinking straight from a keg. You can almost hear the guy saying "please approve me!"
  • Re:ha ha suckers!!! (Score:2, Interesting)

    by Stormwatch ( 703920 ) <`moc.liamtoh' `ta' `oarigogirdor'> on Thursday February 11, 2010 @09:14PM (#31108248) Homepage

    6) When done, re-format your hard drive and install Linux.

    Fixed.

  • by YesIAmAScript ( 886271 ) on Thursday February 11, 2010 @09:24PM (#31108340)

    As you may have read elsewhere, MS doesn't use context or offset diffs. They just replace files. So the case you speak of is unlikely.

    The most likely case is that people who are having the problem have a foreign DLL in their system that calls directly into an offset into this DLL without version checking it. This DLL does so because it's a rootkit, and it wants to fly under the radar. When you change this DLL that other DLL is now calling into invalid code.

    But the problem here is this other DLL is bad. It isn't a problem in MS' DLL at all. And how is MS to prevent this, are they to somehow figure out every other DLL in your system that could try to call into this DLL using surreptitious means?

    MS didn't know this rootkit existed, or if they knew, they didn't test with it. That's about as far as I can blame them without any more info.

  • Re:ha ha suckers!!! (Score:2, Interesting)

    by PixetaledPikachu ( 1007305 ) on Thursday February 11, 2010 @09:36PM (#31108418)

    You should try Live Mesh. [mesh.com]

    Not a troll! I am serious -- I use it all the time. I use it to sync files between several computers AND Microsoft's servers, so I have a backup of anything important "in the cloud," accessible by Web browser if I ever need it.

    I've been doing that with dropbox [dropbox.com] on my ubuntu box

  • Re:ha ha suckers!!! (Score:4, Interesting)

    by socceroos ( 1374367 ) on Thursday February 11, 2010 @09:43PM (#31108476)

    I've been doing that with dropbox [dropbox.com] on my ubuntu box

    I've been doing that with ubuntuone [ubuntuone.com] on my ubuntu box.

  • by BrokenHalo ( 565198 ) on Thursday February 11, 2010 @10:37PM (#31108834)
    ...sifting through two apartment buildings' worth of trash to find it, and spent that entire night retyping it from scratch.

    PhD "dissertation"? Normally one writes a thesis for a PhD, and a typical length is in the region of 50,000 words. I don't know about you, but that's way more than I can type in a night.
  • Re:ha ha suckers!!! (Score:3, Interesting)

    by pz ( 113803 ) on Thursday February 11, 2010 @10:38PM (#31108836) Journal

    Assuming this isn't a troll --

    1. Sit. Down. Breathe.

    2. Go to the store and fill a shopping bag full of fatty snax, Doritos, Pringles, Kit-Kat bars, Coke, Red Bull, etc.

    3. Bring your computer and the bag to the university IT department and beg for help. Let them know that you don't care about the computer (because compared to N years of effort, one computer is nothing), just the contents of the hard drive.

    4. While the IT department is working on your computer, go to your departmental administrative office and talk to the secretary in charge of accepting doctoral dissertations. Beg for a one-day extension. Involve your advisor's secretary.

    5. Return to the IT department to retrieve your dissertation. Do whatever you were going to do to get it printed.

    6. Once everything works out, reward the people who saved your ass with more goodies and/or flowers.

  • by Torodung ( 31985 ) on Thursday February 11, 2010 @11:09PM (#31109060) Journal

    There were 8 freaking OS security patches in this last patch Tuesday. It must have been a joy to track down the one update that was causing the problem (KB977165).

    I have honest pangs of sympathy for the poor sucker that had to figure out that that one update was rendering infected systems unbootable.

    This is why monoculture sucks. *Healthy* cultures are diverse. "Mono" doesn't enter into it. Pun very much intended.

    --
    Toro

  • Re:ha ha suckers!!! (Score:3, Interesting)

    by westyvw ( 653833 ) on Thursday February 11, 2010 @11:18PM (#31109118)

    As a linux user, the reboot because you installed something is sure strange.....
    I usually measure the uptime in months or years, but whatever works for you....

  • by Johnno74 ( 252399 ) on Thursday February 11, 2010 @11:37PM (#31109228)

    Does the Windows update process, in fact, just naively apply patches to files that have the correct name and path, without verifying hashes or signatures, thus running a very high risk of breaking hard any file that had been slightly modified?

    Or was this some subtler and more complex situation, where the modified file itself was fine; but some tampered-with component was depending on the precise behavior of the modified file?

    Sounds like that is exactly what this is. The file being patched isn't infected, but the rootkit has some dependency on the exact layout of this file, and when the file is updated by the patch the rootkit (accidentally) causes a bluescreen. Possibly the rootkit tries to patch the in-memory image of this file, which messes things up.

    What I find really frightening about this situation is how widespread the rootkit that is causing this problem is. Most people have no idea they were infected. (and still do, they are blaming Microsoft)
    MS is really gonna cop some flak for this one. Unfortunately this rootkit seems to be so stealthy that it's damn hard to tell if the machine is infected until it's too late and your machine won't boot.

    A machine that had been on our network has the patch yesterday and won't boot, could be _very_ interesting when we roll out the patch via SUS to the rest of the machines in the network and smoke out how many are really infected.
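
An added example, not part of the original thread or any poster's code: a pre-rollout check of the kind discussed above, comparing the drivers directory (where the thread's atapi.sys lives) against a known-good hash manifest before a kernel update is approved for a host. The function names, the manifest and the sample files are hypothetical; it assumes the baseline was recorded from a clean reference image and that the directory is read from an offline-mounted disk, since a kernel rootkit can hide its changes from the running OS.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file so large driver images are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_drivers(driver_dir: Path, baseline: dict) -> dict:
    """Compare every .sys file against a known-good manifest (name -> SHA-256)."""
    report = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    # Windows file names are case-insensitive, so index by lower-cased name.
    present = {p.name.lower(): p for p in driver_dir.iterdir()
               if p.is_file() and p.suffix.lower() == ".sys"}
    for name, expected in sorted(baseline.items()):
        path = present.pop(name.lower(), None)
        if path is None:
            report["missing"].append(name)
        elif sha256_of(path) == expected.lower():
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    report["unlisted"] = sorted(present)  # drivers the baseline never saw
    return report

def safe_to_patch(report: dict) -> bool:
    """Hold the update back on any host with an altered or missing baseline driver."""
    return not report["modified"] and not report["missing"]

def demo() -> dict:
    """Constructed sample: a fake drivers directory with one altered file."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp)
        (drivers / "atapi.sys").write_bytes(b"constructed clean atapi image")
        (drivers / "disk.sys").write_bytes(b"constructed clean disk image")
        # Hypothetical baseline, recorded while the files are known-good.
        baseline = {n: sha256_of(drivers / n) for n in ("atapi.sys", "disk.sys")}
        # Simulate the thread's scenario: atapi.sys altered after the baseline.
        (drivers / "atapi.sys").write_bytes(b"constructed altered atapi image")
        (drivers / "extra.sys").write_bytes(b"constructed unknown driver")
        return audit_drivers(drivers, baseline)

if __name__ == "__main__":
    result = demo()
    print(result, "safe to patch:", safe_to_patch(result))
```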

  • Re:Lucky Me (Score:3, Interesting)

    by Arccot ( 1115809 ) on Friday February 12, 2010 @03:40AM (#31110340)

    Almost every system built to assist communication for people like me are built on top of WinXP. There is a Mac version I have heard of but AFAIK doesn't do full control like the one I use. There is no Linux availability at all (oh how I wish).

    Hmmm... that's pretty interesting. What's the software you normally use, and what's the device? There's tons of OSS developers out there just looking for a worthy cause.
