Microsoft late on Wednesday confirmed that a rootkit caused Windows PCs to crash after users applied a security patch issued last week.
Only systems infected with the Alureon rootkit were incapacitated with Blue Screen of Death (BSOD) errors that prevented booting, said Mike Reavey, the director of the Microsoft Security Response Center (MSRC), in an announcement on the center's blog . "Our investigation has concluded that the reboot occurs because the system is infected with malware," said Reavey.
He added that the MS10-015 update was not at fault. "We have not found quality issues with security update MS10-015," Reavey maintained.
Within hours of the Jan. 9 release of MS10-015 and 12 other security updates, users reported that their computers wouldn't restart. Two days later, Microsoft halted automatic distribution of MS10-015 and launched an investigation, which revealed that malware might be the cause .
Yesterday, Reavey echoed independent researchers who earlier had blamed an address conflict between MS10-015 and the rootkit for the debacle. "Malware writers modified Windows behavior by attempting to access a specific memory location, instead of letting the operating system determine the address," explained Reavey. "MS10-015 was downloaded and installed, during which the location of Windows code changed. On the next reboot the malware code crashed attempting to call a specific address in Windows code which was no longer the intended OS function."
MS10-015 patched a 17-year-old bug in the kernel of all 32-bit versions of Windows.
Reavey acknowledged that Microsoft's patch quality control did not catch the conflict because it's difficult to create malware interaction tests. "These types of infections often leave the machine in such an unstable state that it cannot be reliably tested," said Reavey. He also confirmed that all 32-bit versions of Windows were susceptible to Alureon-caused crashes, including Windows 7 , even though the bulk of complaints came from users running Windows XP.
That shouldn't be a surprise: XP is the dominant operating system worldwide.
Although several security firms have published instructions and tools for users trapped with a BSOD, Microsoft hasn't issued any advice for those already affected. Reavey's recommendation was brutal: "If customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk," he said.
He did not explain how users were to regain control of their non-booting PCs, however.
Kaspersky Lab offers a less extreme workaround: a free utility that seeks out and destroys the rootkit ( download .zip file for Windows PCs). Symantec, meanwhile, has urged users to replace rootkit-infected drivers with clean copies.
Microsoft will provide a way for users to detect and remove the Alureon rootkit from infected PCs, but Reavey said it would be "a few weeks" before it is ready. In the past, Microsoft has used its Malicious Software Removal Tool (MSRT), a free program updated each Patch Tuesday, to seek out and destroy rootkits. The next scheduled refresh of the MSRT is March 9, nearly three weeks away.
Because the rootkit only infects machines running 32-bit Windows, Microsoft has lifted the Automatic Updates embargo on MS10-015 for 64-bit systems.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org .
Read more about security in Computerworld's Security Knowledge Center.
This story, "Microsoft says rootkit caused Windows blue screens" was originally published by Computerworld.