Slashdot Mirror


Microsoft Refuses To Patch Rootkit-Compromised XP Machines

Barence writes "Microsoft has revealed that its latest round of patches won't install on XP machines if they're infected with a rootkit. In February, a security patch left some XP users complaining of endless reboots and Blue Screens of Death. An investigation followed and Microsoft discovered the problems occurred on machines infected with the Alureon rootkit, which interacted badly with patch KB977165 for the Windows kernel. Now Microsoft is blocking PCs with the rootkit from receiving its new patches. 'This security update includes package-detection logic that prevents the installation of the security update if certain abnormal conditions exist on 32-bit systems,' Microsoft cautions in the patch notes."

24 of 330 comments

  1. First things first by BadAnalogyGuy · · Score: 5, Insightful

    If the rootkit is still on your computer, maybe you should look into having it removed.

    How shall thee pull out the mote that is in thine eye, when thou thyself beholdest not the beam that is in thine eye? Luke 6:42

    1. Re:First things first by Skarecrow77 · · Score: 5, Funny

      No! I need the newest Microsoft patch so that there are not any new security holes in my computer! I'll deal with that huge gaping sucking chasm of a security hole that's already there, created by the rootkit, at some later date.

  2. Lesser of two evils? by HockeyPuck · · Score: 5, Insightful

    Let's see, what do I want?

    A) A working machine that has a rootkit installed.
    B) A machine that no longer works.

    Can you expect MSFT to test their patches against machines that have been modified via rootkits? Or should the patches themselves remove the rootkits? You are assuming that MSFT can remove the rootkit in the first place.

  3. Misuse of phrase by girlintraining · · Score: 4, Funny

    What ever happened to backwards compatibility? Why, I remember the day when any virus, worm, or piece of malware, would run no matter what!

    --
    #fuckbeta #iamslashdot #dicemustdie

  4. And the issue is? by dirk · · Score: 5, Insightful

    I really don't have a problem with this. If the system is already rooted, the patch isn't going to actually help anything since their security is already compromised. And with all the bad press MS received last time over something that was not their fault at all, why should they risk it again? If your system has a serious issue like being rooted, then you have to take care of the issue before you can install the patch. Seems logical to me.

    --

    "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"

  5. Why bother? by trifish · · Score: 5, Insightful

    Rightfully so. Security patching a rootkit-ed OS is mildly amusing and also a bit redundant. The only way to secure such an OS starts with reformatting the system partition.

  6. Microsoft - Pragmatic solution to hard issue. by irreverant · · Score: 5, Interesting

    I think Microsoft acted responsibly in this situation. They merely mitigated any future issues these patches might have; they didn't want the same thing to happen again. In this case it was prevention, not intervention. Unfortunately, there are many ways to get a rootkit installed on a computer; however, most of the time it's usually the user that infected themselves. This is why there are measures that a user can take to prevent or minimize the occurrence. Microsoft did make a note to remove the infection and then install the patch. If they don't know how to remove the infection, or don't know they can download, if not purchase, one of many anti-virus solutions or pay someone to do it, then maybe the users should rethink their web browsing behaviors.

    --
    Of all the things I've lost; I miss my mind the most. - Mark Twain

  7. Re:The Microsoft way! by sopssa · · Score: 4, Insightful

    I recall slashdotters complaining that they didn't do CRC check or similar (they do, but the rootkit gave 'real' value and it was worthless).

    Now they're doing the right thing and we get news about how they refuse to patch the systems whose .dll files have been damaged? Welcome to slashdot.

  8. Summary title in error by Rockoon · · Score: 5, Informative

    From the article:

    As Microsoft has noted, while the solution prevents users from suffering the misery of Blue Screens of Death, it does leave them unprotected and the company has urged users to download its Malicious Software Removal Tool to clean up their machines and run the patch as soon as possible.

    It isn't that they won't patch these systems, it's that they won't automatically install the MSRT, which removes the rootkit, as part of the update.

    ...and to be perfectly honest, who wants the MSRT to be a mandatory component? Things like that are capable of unexpectedly altering the system, something typically frowned upon in enterprise.

    --
    "His name was James Damore."

  9. Attn infected PC users: Can't have it both ways. by techvet · · Score: 5, Insightful

    First, you beat up Microsoft because their patch trashed machines that were *already* infected. Then you beat them up because they backed off on applying the patches to avoid trashing the machines. Get thee to SuperAntiSpyware and Anti-Malwarebytes and get your machine cleaned up before you complain.

  10. Re:Makes sense... by HerculesMO · · Score: 5, Interesting

    The malicious software removal tool will take care of it. Their antivirus will not.

    They are giving you the tool to get rid of it and then saying you should install your patches afterwards. But they are chastised for not coming up with an all-in-one solution? Jeez.

    --
    The price is always right if someone else is paying.

  11. You can't fix stupid by rudy_wayne · · Score: 5, Insightful

    "Microsoft discovered the problems occurred on machines infected with the Alureon rootkit"

    There are many reasons to hate Microsoft, and their QA failure when it comes to security is certainly one of them. However, the spread of rootkits, viruses and other malware is primarily caused by user stupidity, something that is not Microsoft's fault. In the early days of personal computers I took the time to learn how things worked. If you're having the problem described in this article then you can wipe your hard drive and re-install Windows. If you don't know how to do this, then maybe it's time you learned. If you're not willing to learn, then do the rest of the world a favor and throw your computer out the nearest window.

  12. Re:Makes sense... by clone53421 · · Score: 5, Informative

    And that’s what will happen. Installation of the patch will fail, if the rootkit is detected. The malicious software removal tool will be pushed out and remove the rootkit. And eventually the patch will be installed again since the installation failed the first time, and if the rootkit is gone the patch should install properly.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.

  13. MSE claimed to work by Bearhouse · · Score: 4, Interesting

    See:

    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Alureon.A

    I've had reasonably good experiences with MSE so far with my Windows users. Anybody else want to weigh in here?

  14. Re:Misleading title by SCPRedMage · · Score: 5, Insightful

    Screw that. Deliver the patch, BSOD the idiots, and get them off the net so that they're not a danger to the rest of the world.

    --
    My sig can beat up your sig.

  15. Re:Makes sense... by Rakishi · · Score: 4, Insightful

    And if the rootkit remover bricks some systems you'd be yelling at Microsoft for not making it a separate update so users could prepare for it, right? I doubt it matters what MS does, you'd find a reason to think they're wrong no matter what.

    Security updates are security updates, malware removal is malware removal. Mixing the two is a horrid idea.

  16. Re:The Microsoft way! by gzipped_tar · · Score: 5, Informative

    If the kernel is fucked, nothing works any more. Any results from on-line determination of the damage status of the machine itself should be assumed fake because the malware is in control of all local resources. To accurately determine the status of the computer, it must be taken offline.

    Never trust what rooted machines say about themselves...

    --
    Colorless green Cthulhu waits dreaming furiously.

  17. Customer Satisfaction by xerio · · Score: 4, Insightful

    I'm strangely ok with this. If they update the computer and the rootkit conflicts with the new patch and makes the computer unusable, they'll just get blasted for breaking people's computers. But if they don't update the computer, then the person is still able to use it. If they're warned that they can't update because they have a rootkit on their system and they do nothing about it, I feel no sympathy for them. At least Microsoft didn't make their system less operational. They should get rid of the rootkit and then update. If Microsoft let people update while knowing that it would make the computers unusable if they had this rootkit. People would still call foul on Microsoft. This way they're at least giving people a warning and chance to fix their problem, not making the problem worse.

  18. Re:The Microsoft way! by HeronBlademaster · · Score: 4, Insightful

    Shouldn't it just determine if the DLL was damaged and replace it with the correct, working patched version if it is? Sorry, but automatically throwing their hands up and saying "you're fucked" is the Microsoft shortcut for not being able to fix their own security problems.

    Isn't that what they did last time, and it caused bluescreens?

    Do you want every single patch, no matter how small, to try to detect rootkits and, if a rootkit is detected, replace every DLL in the system with known clean copies? That's absurd.

    The problem wasn't that the DLL the patch installed caused bluescreens, it's that DLLs the patch didn't touch - because it wasn't patching them - were now incompatible with the clean (patched) DLL (because they were part of the rootkit).

    What do you propose Microsoft do about it? Patch the DLLs anyway, knowing it will cause bluescreens? Provide the entire slew of kernel DLLs for download via Windows Update, and install all of them every time there's a kernel patch?

    I don't mind what MS is doing at all - they're doing their best to make sure that their users won't get bluescreens, even if they're rooted.

  19. Re:The Microsoft way! by Rockoon · · Score: 4, Informative

    You don't know how computers work, do you?

    The blue screen crashing that this rootkit caused after the previous update was not due to rootkit modifications to the files that were being patched.

    The problems occurred because code that was NOT being patched (the rootkit!) was making direct jumps into kernel memory, to offsets that were no longer relevant after the patch.

    --
    "His name was James Damore."
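
A simplified model of the pre-install gate the summary describes ("package-detection logic that prevents the installation ... if certain abnormal conditions exist") and of Rockoon's point that unpatched code which depends on patched kernel offsets is what breaks, written here as an added example and not Microsoft's code; file names are real Windows names, but every file body, hash and the "diskfilter.sys" driver are constructed for the example:

```python
from __future__ import annotations
import hashlib

# Added example (not Microsoft's code). The installer carries the hashes of
# the kernel-mode files it was validated against. If a file it replaces, or
# a file that will call into the replaced code, matches none of them, the
# system is treated as "abnormal" and the update is skipped instead of
# risking a machine that blue-screens on the next boot.

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Builds this hypothetical update was tested on. Two kernel builds are
# accepted (think SP2 and SP3); "diskfilter.sys" is a constructed stand-in
# for a driver the patch does not replace but whose code jumps into the
# kernel, i.e. the "code that was NOT being patched" case from the thread.
VALIDATED_BUILDS = {
    "ntoskrnl.exe": {sha256(b"ntoskrnl SP2 (constructed)"),
                     sha256(b"ntoskrnl SP3 (constructed)")},
    "hal.dll": {sha256(b"hal SP3 (constructed)")},
    "diskfilter.sys": {sha256(b"diskfilter SP3 (constructed)")},
}

def preinstall_check(on_disk: dict[str, bytes]) -> tuple[bool, list[str]]:
    """Return (ok, reasons). ok is False when any checked file is missing
    or differs from every build the update was validated against."""
    reasons = []
    for name, accepted in VALIDATED_BUILDS.items():
        data = on_disk.get(name)
        if data is None:
            reasons.append(f"{name}: missing")
        elif sha256(data) not in accepted:
            reasons.append(f"{name}: unrecognised build {sha256(data)[:12]}")
    return (not reasons, reasons)

def apply_update(on_disk: dict[str, bytes], new_files: dict[str, bytes]):
    """Install new_files only if the gate passes; otherwise report why not.
    Caveat raised in the thread: this runs on the host, so a kernel rootkit
    could in principle feed it false data. It is a crash-avoidance gate for
    the known bad case, not a malware scanner."""
    ok, reasons = preinstall_check(on_disk)
    if not ok:
        return "skipped", reasons
    patched = dict(on_disk)
    patched.update(new_files)
    return "installed", patched
```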

  20. Re:The Microsoft way! by nigelo · · Score: 4, Funny

    "I'm a people-person. What the hell is wrong with you people?"

    --
    *Still* negative function...

  21. Re:The Microsoft way! by maxwell+demon · · Score: 5, Funny

    What if it hides in the documents?

    --
    The Tao of math: The numbers you can count are not the real numbers.

  22. Re:The Microsoft way! by Yaddoshi · · Score: 5, Insightful

    I agree, I thought the title of this submission was skewed - especially after reading the rest of the article. Microsoft does not appear to be "refusing to patch rootkit infected computers".

    A more accurate title would be something along the lines of: Microsoft attempts to prevent inadvertently bricking XP systems with Windows Updates

    Bear in mind I'm terrible at coming up with titles. Also bear in mind I'm not a big fan of Windows.

  23. Re:Makes sense... by petermgreen · · Score: 4, Insightful

    mmm, and what's this bloody obsession with error codes. I was having trouble with Windows Update giving an error recently and the only explanatory information was an error code.

    After some time searching online and finding various speculation I eventually found that the code basically translated as "connection problem" and that I should try again later. Why couldn't they have just fucking told me that in the first place?!

    --
    note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register