Slashdot Mirror
Microsoft Refuses To Patch Rootkit-Compromised XP Machines
Barence writes "Microsoft has revealed that its latest round of patches won't install on XP machines if they're infected with a rootkit. In February, a security patch left some XP users complaining of endless reboots and Blue Screens of Death. An investigation followed and Microsoft discovered the problems occurred on machines infected with the Alureon rootkit, which interacted badly with patch KB977165 for the Windows kernel. Now Microsoft is blocking PCs with the rootkit from receiving its new patches. 'This security update includes package-detection logic that prevents the installation of the security update if certain abnormal conditions exist on 32-bit systems,' Microsoft cautions in the patch notes."
If the rootkit is still on your computer, maybe you should look into having it removed.
how shall thee pull out the mote that is in thine eye, when thou thyself beholdest not the beam that is in thine eye? Luke 6:42
Let's see what do I want?
A) A working machine that has a rootkit installed.
B) A machine that nolonger works.
Can you expect MSFT to test their patches against machines that have been modified via rootkits? Or should the patches themselves remove the rootkits. You are assuming that MSFT can remove the rootkit in the first place.
What ever happened to backwards compatibility? Why, I remember the day when any virus, worm, or piece of malware, would run no matter what!
#fuckbeta #iamslashdot #dicemustdie
I really don't have a problem with this. If the system is already rooted, the patch isn't going to actually help anything since their security is already compromised. And with all the bad press MS received last time over something that was not their fault at all, why should they risk it again? If your system has a serious issue like being rooted, then you have to take care of the issue before you can install the patch. Seems logical to me.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
Rightfully so. Security patching a rootkit-ed OS is mildly amusing and also a bit redundant. The only way to secure such an OS starts with reformatting the system partition.
I think microsoft acted responsibly in this situation. They merely mitigated any future issues these patches might have, they didn't want the same thing to happen again. In this case it was prevention not intervention. Unfortunately, there are many ways to get a rootkit installed on a computer; however, most of the time it's usually the user that infected themselves. This is why there are measures that a user can take to prevent or minimize the occurrence. Microsoft did make a note to remove the infection and then install the patch. If they don't know how to remove the infection or don't know they can download if not purchase one of many anti-virus solutions or pay someone to do it, then maybe the user's should rethink their web browsing behaviors.
Of all the things I've lost; I miss my mind the most. - Mark Twain
I recall slashdotters complaining that they didn't do CRC check or similar (they do, but the rootkit gave 'real' value and it was worthless).
Now they're doing the right thing and we get news how they refuse to patch the systems which .dll files have been damaged? Welcome to slashdot.
Their Malicious Software Removal Tool (sent out on Patch Tuesday) can remove the rootkit.
But I won't stop the Slashdotters here from complaining about it.
The price is always right if someone else is paying.
As Microsoft has noted, while the solution prevents users from suffering the misery of Blue Screens of Death, it does leave them unprotected and the company has urged users to download its Malicious Software Removal Tool to clean up their machines and run the patch as soon as possible.
It isnt that they wont patch these systems, its that they wont automatically install the MSRT, which removes the rootkit, as part of the update.
..and to be perfectly honest, who wants the MSRT to be a mandatory component. Things like that are capable of unexpectedly altering the system, something typically frowned upon in enterprise.
"His name was James Damore."
First, you beat up Microsoft because their patch trashed machines that were *already* infected. Then you beat them up because they backed off on applying the patches to avoid trashing the machines. Get thee to SuperAntiSpyware and Anti-Malwarebytes and get your machine cleaned up before you complain.
The malicious software removal tool will take care of it. Their antivirus will not.
They are giving you the tool to get rid of it and then saying you should install your patches afterwards. But they are chastised for not coming up with a all-in-one solution? Jeez.
The price is always right if someone else is paying.
This just proves that it's a great time for people who have been sticking with XP to take the plunge and upgrade to Windows 2000 Professional.
"Microsoft discovered the problems occurred on machines infected with the Alureon rootkit"
There are many reasons to hate Microsoft, and their QA failure when it comes to security is certainnly one of them. However, the spread of rootkits, viruses and other malware is primarily caused by user stupidity, something that is not Microsoft's fault. In the early days of personal computers I took the time to learn how things worked. If you're having the problem described in this article then you can wipe your hard drive and re-install Windows. If you don't know how to do this, then maybe it's time you learned. If you're not willing to learn, then do the rest of the world a favor and throw your computer out the nearest window.
I mean, they already have the malicious software removal tool, so they could blow the roots away if they wanted to. but what is really needed here is to block the rooting mechanism altogether.
or go back to the saner architecture of nt 3.0/3.1/3.5, where only the kernel and its designated MS helpers ran at level 0 to start with. the world started to go to hell when they allowed the video driver into level 0.
if this is supposed to be a new economy, how come they still want my old fashioned money?
microsoft doesn't refuse to patch rootkitted systems, microsoft is UNABLE to patch rootkitted system. NO ONE can patch a rootkitted system, of ANY OS. you need to wipe the system and reinstall
it is ok to be against microsoft, but you have to base your opinion on genuine problems. when you base your opinion on mindless propaganda, you are just another useless partisan in this world: loud, dumb, useless
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
And that’s what will happen. Installation of the patch will fail, if the rootkit is detected. The malicious software removal tool will be pushed out and remove the rootkit. And eventually the patch will be installed again since the installation failed the first time, and if the rootkit is gone the patch should install properly.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
See:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Alureon.A
I've have reasonably good experiences with MSE so far with my Windows users. Anybody else want to weigh in here?
Screw that. Deliver the patch, BSOD the idiots, and get them off the net so that they're not a danger to the rest of the world.
My sig can beat up your sig.
And if the rootkit remover bricks some systems you'd be yelling at Microsoft for not making it a separate update so users could prepare for it, right? I doubt it matters what MS does, you'd find a reason to think they're wrong no matter what.
Security updates are security update, malware removal is malware removal. Mixing the two is a horrid idea.
If the kernel is fucked, nothing works any more. Any results from on-line determination of the damage status of the machine itself should be assumed fake because the malware is in control of all local resources. To accurately determine the status of the computer, it must be taken offline.
Never trust what rooted machines say about themselves...
Colorless green Cthulhu waits dreaming furiously.
I'm strangely ok with this. If they update the computer and the rootkit conflicts with the new patch and makes the computer unusable, they'll just get blasted for breaking people's computers. But if they don't update the computer, then the person is still able to use it. If they're warned that they can't update because they have a rootkit on their system and they do nothing about it, I feel no sympathy for them. At least Microsoft didn't make their system less operational. They should get rid of the rootkit and then update. If Microsoft let people update while knowing that it would make the computers unusable if they had this rootkit. People would still call foul on Microsoft. This way they're at least giving people a warning and chance to fix their problem, not making the problem worse.
Shouldn't it just determine if the DLL was damaged and replace it with the correct, working patched version if it is? Sorry, but automatically throwing their hands up and saying "you're fucked" is the Microsoft shortcut for not being able to fix their own security problems.
Isn't that what they did last time, and it caused bluescreens?
Do you want every single patch, no matter how small, to try to detect rootkits and, if a rootkit is detected, replace every DLL in the system with known clean copies? That's absurd.
The problem wasn't that the DLL the patch installed caused bluescreens, it's that DLLs the patch didn't touch - because it wasn't patching them - were now incompatible with the clean (patched) DLL (because they were part of the rootkit).
What do you propose Microsoft do about it? Patch the DLLs anyway, knowing it will cause bluescreens? Provide the entire slew of kernel DLLs for download via Windows Update, and install all of them every time there's a kernel patch?
I don't mind what MS is doing at all - they're doing their best to make sure that their users won't get bluescreens, even if they're rooted.
You don't know how computers work, do you?
The blue screen crashing that this rootkit caused after the previous update was not due to rootkit modifications to the files that were being patched.
The problems occured because code that was NOT being patched (the rootkit!) was making direct jumps into kernel memory, to offsets that were no longer relevant after the patch.
"His name was James Damore."
"I'm a people-person. What the hell is wrong with you people?"
*Still* negative function...
What if it hides in the documents?
The Tao of math: The numbers you can count are not the real numbers.
I agree, I thought the title of this submission was skewed - especially after reading the rest of the article. Microsoft does not appear to be "refusing to patch rootkit infected computers".
A more accurate title would be something along the lines of: Microsoft attempts to prevent inadvertently bricking XP systems with Windows Updates
Bear in mind I'm terrible at coming up with titles. Also bear in mind I'm not a big fan of Windows.
Do they notify the users that they're rootkitted?
If anything, a bluescreen is a good thing since the rootkitted machine is now offline and no longer sending spam or whatever other malicious things it might be doing.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
mmm, and what's this bloody obsession with error codes. I was having trouble with windows update giving an error recently and the only expanatory information was an error code.
After some time searching online and finding various speculation I eventually found that the code basically translated as "connection problem" and that I should try again later. Why couldn't they have just fucking told me that in the first place?!
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
That's good for the world in general but bad for the owner of the machine. You're suggesting MS make the decision to fuck over some individual for the good of many? They don't have that mandate.
So now they're actively leaving rootkits online and fucking over the rest of the world for the good of the guy who can't maintain his machine properly? You could argue that they don't have that mandate either.