Slashdot Mirror


Microsoft Refuses To Patch Rootkit-Compromised XP Machines

Barence writes "Microsoft has revealed that its latest round of patches won't install on XP machines if they're infected with a rootkit. In February, a security patch left some XP users complaining of endless reboots and Blue Screens of Death. An investigation followed and Microsoft discovered the problems occurred on machines infected with the Alureon rootkit, which interacted badly with patch KB977165 for the Windows kernel. Now Microsoft is blocking PCs with the rootkit from receiving its new patches. 'This security update includes package-detection logic that prevents the installation of the security update if certain abnormal conditions exist on 32-bit systems,' Microsoft cautions in the patch notes."

14 of 330 comments

  1. Re:Makes sense... by mwvdlee · Score: 2, Interesting

    To be fair, does the MS virusscanner detect and remove the rootkit?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  2. Microsoft - Pragmatic solution to hard issue. by irreverant · Score: 5, Interesting

    I think Microsoft acted responsibly in this situation. They merely mitigated any future issues these patches might have, they didn't want the same thing to happen again. In this case it was prevention not intervention. Unfortunately, there are many ways to get a rootkit installed on a computer; however, most of the time it's usually the user that infected themselves. This is why there are measures that a user can take to prevent or minimize the occurrence. Microsoft did make a note to remove the infection and then install the patch. If they don't know how to remove the infection or don't know they can download if not purchase one of many anti-virus solutions or pay someone to do it, then maybe the users should rethink their web browsing behaviors.

    --
    Of all the things I've lost; I miss my mind the most. - Mark Twain
  3. Oddly enough... by HerculesMO · Score: 3, Interesting

    Their Malicious Software Removal Tool (sent out on Patch Tuesday) can remove the rootkit.

    But I won't stop the Slashdotters here from complaining about it.

    --
    The price is always right if someone else is paying.
  4. Re:Makes sense... by HerculesMO · Score: 5, Interesting

    The malicious software removal tool will take care of it. Their antivirus will not.

    They are giving you the tool to get rid of it and then saying you should install your patches afterwards. But they are chastised for not coming up with an all-in-one solution? Jeez.

    --
    The price is always right if someone else is paying.
  5. can't MS come up with a patch to block rooting? by swschrad · Score: 3, Interesting

    I mean, they already have the malicious software removal tool, so they could blow the roots away if they wanted to. but what is really needed here is to block the rooting mechanism altogether.

    or go back to the saner architecture of nt 3.0/3.1/3.5, where only the kernel and its designated MS helpers ran at level 0 to start with. the world started to go to hell when they allowed the video driver into level 0.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  6. MSE claimed to work by Bearhouse · Score: 4, Interesting

    See:

    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Alureon.A

    I've had reasonably good experiences with MSE so far with my Windows users. Anybody else want to weigh in here?

  7. Re:The Microsoft way! by Khyber · Score: 2, Interesting

    "Never trust what rooted machines say about themselves..."

    Funny, that's usually how I spot a rooted machine. There's a fine difference between "I just don't want to work because I'm a piece of shit" and "I don't want to work because I'm controlled by someone other than you."

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  8. Re:Sad by JustNiz · Score: 2, Interesting

    The reason is, no matter how much Microsoft give to charity (and I don't believe they do anyway, it's actually Bill & Melinda Gates Foundation who is the big philanthropist), Cancer Research is not Microsoft's primary activity. Software is.

    Microsoft only care about big corporates' interests like the RIAA and MPAA. They absolutely don't care about their own home or small business customers' interests. Furthermore they do the bare minimum, their products suck, they strangle innovation, they hold the whole industry back just so they can make more money at any cost. They've made that VERY clear MANY times. Give me one reason why I, a non-corp customer and a software developer, shouldn't criticise Microsoft for failing to care about my interests or the interests of the industry I work in.

  9. Re:Makes sense... by Anonymous Coward · Score: 1, Interesting

    I hope that Microsoft will actually display an appropriate error message. I've had issues installing the Indeo disabling patch where it refused to install and didn't display an error message or whatever. At some point I snapped and manually nuked the codec, so I'm good, but really... The guys who write the security updates can't even code up a message box - what's up with that?

  10. Re:Makes sense... by clone53421 · Score: 2, Interesting

    Well... I really can’t say I have high hopes for that.

    I’ve had numerous updates (okay, 4 or 5) on Windows 7 that failed to install, with no explanation whatsoever. It seemed like more than it really was because it attempted to install the same 3 updates again the next time I shut down. And the next time. And the next. And... every time until I finally went into the update history to figure out what the deal was.

    (In my case I’ve always been able to go onto the Microsoft website, download the update manually, and install it with no problem... just in case anybody else was having this problem. But as far as error messages go... not helpful at all.)

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  11. Re:Makes sense... by 0p7imu5_P2im3 · Score: 2, Interesting

    Have you ever tried to code up a message box in Visual C++? It's worse than pulling teeth, especially when your application doesn't need to be interactive otherwise.

    --
    Resistance is futile. Your technological distinctiveness will be added to our own. You will become one with the morgue
  12. Re:The Microsoft way! by Bert64 · Score: 3, Interesting

    Do they notify the users that they're rootkitted?
    If anything, a bluescreen is a good thing since the rootkitted machine is now offline and no longer sending spam or whatever other malicious things it might be doing.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  13. Re:The Microsoft way! by dhavleak · Score: 2, Interesting

    Well, by refusing to patch an already compromised system they open that system up to getting further malware infections...

    They're not 'opening up' the system -- they're just leaving it open. It was already like that when they found it.

    If the system breaks at least it's now offline and will cease sending spam or whatever other malicious things it's doing.

    Good for us. Bad for the owner. MS cannot fuck the owner on our behalf.

  14. Re:Rooted means always wipe, reinstall. by 0123456 · Score: 2, Interesting

    Once a machine gets owned it's gone. Total wipe, reinstall from good backup. No matter what OS or even Windows it is.

    Joe Sixpack doesn't have a backup.

    Also, Joe Sixpack probably doesn't have XP CDs, so he has to install from the 'recovery partition'; I wonder whether any rootkits are installing themselves into the recovery partition so they'll automatically be reinstalled if someone tries to wipe their system and reinstall from scratch?