Microsoft cops to blue-screen error

The company pulls recent patch from automatic updates

Redmond is once again looking into chatter about Microsoft security patches causing "screens of death."

This time the patch in question (MS10-015) was for a long-unaddressed Windows kernel bug that could allow an attacker to elevate privileges. The patch, which was contained in Tuesday's mammoth security update, was based on a security advisory that Microsoft released in late January.

According to this discussion thread on a Windows forum page, when Windows XP users applied the kernel patch, all they got was blue screens after they restarted their operating systems. Some users had to reopen Windows in "safe mode," while others simply got blue screens followed by error messages, according to comments on the thread.

The screens-of-death complaints in the forum thread reflect the experiences of XP users. However, Microsoft described its patch as important for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7 for 32-bit systems. The Windows kernel vulnerability has been present in all 32-bit Windows versions since Windows NT, which means the bug has been accessible for about 17 years.

Microsoft admitted in a security blog that restart issues are associated with its MS10-015 patch, and that malware on a system can cause the problem. To that end, many in the security community believe that a rootkit may be blocking the patch installation and triggering the instances of "blue screen of death" (BSOD) shutdowns.

"The possibility that the reported BSOD problems, associated with the recent Microsoft patches, are related to a malware rootkit makes a lot of sense," said Andrew Storms, director of security operations at nCircle. "As a result of their extensive quality control and testing processes, Microsoft has a terrific track record of releasing solid patches. No one expects Microsoft to test installing patches on a system that already contains malware though."

Because of the snafu and pending investigation, Microsoft has temporarily pulled security bulletin MS10-015 from automatic release through Windows Update. However, the patch still remains on Microsoft update sites for administrators to download and test.

"This issue with the patch is a prime example of why administrators should test each and every patch they deploy to their systems," said Jason Miller, data and security team leader for Shavlik Technologies. "Microsoft tries to ensure the functionality of each patch, but it cannot be guaranteed with so many different systems and scenarios that are affected by the patch."

For those with the BSOD problem, the Windows forum moderator for Microsoft, Kevin Hau, suggested that users "boot from your Windows XP CD or DVD and start the recovery console." Hau then referred Windows users to this Knowledge Base article for more details on how to reboot safely.

About the Author

Jabulani Leffall is a journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Reader Comments

Thu, Feb 18, 2010

Steve, aside from being incomplete, inaccurate, and untimely, it was pretty good, wasn't it?

Thu, Feb 18, 2010 BigGoofyGuy East Windsor NJ

A paranoid person might think this is a way to get WinXP users to 'update' their OS to the latest version of Windows. :) They might think this explanation is a cover-up of what they are doing. Since this has not happened to my WinXP netbook, it is perhaps a bizarre coincidence. :)

Wed, Feb 17, 2010 Art Johnson KRSW

Two XP-Pro and one XP-home (all SP3) and protected by AntiVir Premium Suite.

Have KB977165 (MS10-015) installed on one with no problems, XP-home had it on the 'ask-me' list, but I deselected it.

Third XP-Pro has not had it offered yet.

Thank you for the warning. Kevin Hau on the linked support site said that if you did not have BSOD on boot, you did not need to do anything.

Art

Wed, Feb 17, 2010 MD_Steve

This is perhaps the most incomplete and inaccurate notice I've seen regarding this problem. Even the title is inconsistent with the article. Early blogs from a week ago were more useful than this.
