This time the patch in question (MS10-015) was for a long-unaddressed Windows kernel bug that could allow an attacker to elevate privileges on a compromised system. The patch, which was contained in Tuesday’s mammoth security update, was based on a security advisory that Microsoft released in late January.
According to this discussion thread on a Windows forum page, when Windows XP users applied the kernel patch, all they got was blue screens after they restarted their operating systems. Some users had to restart Windows in “safe mode,” while others simply got blue screens followed by error messages, according to comments on the thread.
The screens-of-death complaints in the forum thread reflect the experiences of XP users. However, Microsoft described its patch as important for the 32-bit versions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7. The Windows kernel vulnerability has been present in all 32-bit Windows versions since Windows NT, which means the bug has been exploitable for about 17 years.
Microsoft admitted in a security blog that restart issues are associated with its MS10-015 patch, and that malware already present on a system can cause the problem. Accordingly, many in the security community believe that a rootkit may be interfering with the patch installation and triggering the instances of “blue screen of death” (BSOD) shutdowns.
“The possibility that the reported BSOD problems, associated with the recent Microsoft patches, are related to a malware rootkit makes a lot of sense,” said Andrew Storms, director of security operations at nCircle. “As a result of their extensive quality control and testing processes, Microsoft has a terrific track record of releasing solid patches. No one expects Microsoft to test installing patches on a system that already contains malware though.”
Because of the snafu and pending investigation, Microsoft has temporarily pulled security bulletin MS10-015 from automatic release through Windows Update. However, the patch still remains on Microsoft update sites for administrators to download and test.
“This issue with the patch is a prime example of why administrators should test each and every patch they deploy to their systems,” said Jason Miller, data and security team leader for Shavlik Technologies. “Microsoft tries to ensure the functionality of each patch, but it cannot be guaranteed with so many different systems and scenarios that are affected by the patch.”
For those with the BSOD problem, the Windows forum moderator for Microsoft, Kevin Hau, suggested that users “boot from your Windows XP CD or DVD and start the recovery console.” Hau then referred Windows users to this Knowledge Base article for more details on how to reboot safely.