Thread: MS10-015 may cause Windows XP to blue screen

  1. #1

    MS10-015 may cause Windows XP to blue screen


    I am going to learn not to sign up for Handler On Duty any day of the Microsoft Update week. It never fails: there are issues to be dealt with.

    Today the issues to be dealt with are internal to my company. We got to work this morning to discover that we had a number of computers
    that would not boot up. They had the infamous "Blue Screen of Death". The file that was indicated as the problem is a file totally unrelated
    to Microsoft. The file is a kernel level file for an anti-virus program that we have been using internally for quite some time. The AV uses a CLAM-AV engine
    and a few other "interfaces" to package a computer security solution.

    After attempting to contact the company today and getting voice mail for both the tech support and partner support lines I figured that this was a bigger
    problem than what I was seeing. I did finally get a call back from the company as well as a couple of emails indicating that the problem was a result
    of the Microsoft updates. This really puzzles me because most of our machines are set up to NOT download and install the updates for this very reason. We
    prefer to wait a few days after the update is released before we actually install. We prefer to wait to see if there are problems and give Microsoft an opportunity
    to fix it before it breaks computers.


    So my question is: "Did Microsoft force an update despite our auto updates being turned off?" I have verified that the majority of the computers APPEAR to
    have not had the patches applied.

    I have presented this question to Microsoft and have no answer back yet. As soon as I do I will update.


    The good news is that in our case it was pretty easy to get our machines back online. We just had to boot to a repair disc and remove the driver file (.sys) that
    was causing the blue screen. Once the file was removed a reboot in every case returned the computer to normal.

    Anyone else noticed problems on machines with auto-update turned off?

    UPDATE: I have been in contact with Microsoft and they have assured me that there were no updates done outside of their normal updates. They said that if the
    Auto Update was turned off - then NO updates were done. So the plot thickens. How is it that NO updates were done either by the software vendor or by Microsoft
    and yet the machines Blue Screened? Just what is it that happened to our Windows XP and Windows Vista machines that rendered them blue? I will update
    again as soon as more information becomes available from either Microsoft or the Vendor.

    I have not seen this happen in my company (around 5000 machines). We are at 57% patch level for this one, so that's around 2800 machines, but none of them show any signs of BSODs. However, I have currently declined the update on the remaining machines.

    More information here:

    http://social.answers.microsoft.com/...c-e292b69f2fd1

    http://www.krebsonsecurity.com/2010/...dows-xp-users/

    Original source: ISC.SANS.ORG
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Thanks for the heads up.....haven't had any incidents in this neck of the woods.....yet

    MLF

  3. #3
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Just declined it at the WSUS server, though most systems had already installed it. I have seen a couple of blue screens, but I am not sure that they had anything to do with this. Different error messages.

    Just so you don't have to go digging through the other forum, here is the solution presented:

    HERE IS THE PROBABLE SOLUTION : (Thanks to Maxyimus and Angel1776) - It worked for me fine.


    Follow these steps:

    1. Boot from your Windows XP CD or DVD and start the recovery console (see this link http://support.microsoft.com/default.aspx/kb/307654 on how to use recovery console)

    Once you are in the Repair Screen..

    2. Type this command: CHDIR $NtUninstallKB978262$\spuninst

    3. Type this command: BATCH spuninst.txt

    4. Type this command: systemroot

    5. Repeat steps 2 - 4 for each of the following updates:
    • KB978262
    • KB971468
    • KB978037
    • KB975713
    • KB978251
    • KB978706
    • KB977165
    • KB975560
    • KB977914

    6. When complete, type this command: exit
    Your computer should restart and everything should be back to normal.

    Good Luck Guys!



    From what I have read, it is KB977165 that is actually causing the problem.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST
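
The Recovery Console procedure quoted in the post above, as an added example that is not part of the original thread: run from a rescue system with the XP volume mounted, it checks which of the listed updates still have their `$NtUninstallKB…$\spuninst\spuninst.txt` uninstall script and prints steps 2-4 only for those. The function names and the assumption that the mounted Windows directory is passed as a path are choices made for this example.

```python
import os

# Update list exactly as given in step 5 of the quoted procedure.
KBS = ["KB978262", "KB971468", "KB978037", "KB975713", "KB978251",
       "KB978706", "KB977165", "KB975560", "KB977914"]


def _child(parent, name):
    """Return the entry of `parent` matching `name` case-insensitively, or None.

    An NTFS volume mounted from a rescue system can be case-sensitive while
    Windows is not, so names are matched the way Windows would match them.
    """
    try:
        entries = os.listdir(parent)
    except OSError:
        return None
    for entry in entries:
        if entry.lower() == name.lower():
            return os.path.join(parent, entry)
    return None


def uninstallable(windows_dir):
    """KBs from the list whose spuninst.txt uninstall script is present."""
    found = []
    for kb in KBS:
        folder = _child(windows_dir, "$NtUninstall%s$" % kb)
        spuninst = _child(folder, "spuninst") if folder else None
        if spuninst and _child(spuninst, "spuninst.txt"):
            found.append(kb)
    return found


def recovery_console_commands(windows_dir):
    """Steps 2-4 of the procedure for each removable update, then step 6."""
    lines = []
    for kb in uninstallable(windows_dir):
        lines += ["CHDIR $NtUninstall%s$\\spuninst" % kb,
                  "BATCH spuninst.txt",
                  "systemroot"]
    lines.append("exit")
    return lines


if __name__ == "__main__":
    import sys
    # Assumed usage: argument is the Windows directory of the mounted volume.
    print("\n".join(recovery_console_commands(sys.argv[1])))
```
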

  4. #4
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Update: Sounds like this may be caused by an infection that is present before the patch. A widespread rootkit seems to be taking the blame:

    http://patrickwbarnes.com/blog/2010/...despread-bsod/ - Being /.ed at the moment, should be back up eventually.

    http://www.familytechblog.com/2010/0...s-blue-screen/
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmmm,

    That is probably not the only bit of malware that will cause a problem................ it would seem that Microsoft don't test their products on infected machines?

    I have always argued in favour of "reference machines" so you test new stuff and updates before rolling them out. It doesn't have to be top of the range kit either, as you are only looking for compatibility issues?

    I think that this is particularly important if you have obscure and/or legacy applications as you can be pretty sure that MS won't have tested with them.

    So far I have not heard of any issues in this part of the World.

  6. #6
    Here is the end of the story.


    Last week we received quite a number of reports that the patch for MS10-015 was causing XP machines to display the dreaded BSOD (http://isc.sans.org/diary.html?storyid=8209). The comments of that diary already suggested that the BSOD may have been related to a rootkit on the machine and it looks like this was correct. If you were infected with the TDL3/TDSS/tidserv AKA Alureon rootkit and applied the patch, then you would get the BSOD as the patch changed some pointers and the malware now tried to execute an invalid instruction.

    Lucky for us the malware writers have addressed this issue and it shouldn't happen again for those who are newly infected with this particular piece of malware. A shame really, as it was a convenient way in which to identify infected machines. If you did get the BSOD on your machine or on machines in your organisation, then you should consider the possibility that the machines are infected.

    Marco's page (http://www.prevx.com/blog/143/BSOD-a...apologize.html) and the Microsoft page (http://blogs.technet.com/mmpc/archiv...s-applied.aspx) go into the details.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  7. #7
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    It's always good to see the Professional bug writers (Microsoft) teaming up with the Amateurs to BSOD a machine infected to help find out if it's got Malware or not

    Other than Windows 98, Windows 2000 and Windows 7, (Which leaves a lot I might add) they basically do the same kind of software.
