
Microsoft Refuses To Patch Rootkit-Compromised XP Machines

Posted by timothy
from the define-yourself-as-outside-the-fence dept.
Barence writes "Microsoft has revealed that its latest round of patches won't install on XP machines if they're infected with a rootkit. In February, a security patch left some XP users complaining of endless reboots and Blue Screens of Death. An investigation followed and Microsoft discovered the problems occurred on machines infected with the Alureon rootkit, which interacted badly with patch KB977165 for the Windows kernel. Now Microsoft is blocking PCs with the rootkit from receiving its new patches. 'This security update includes package-detection logic that prevents the installation of the security update if certain abnormal conditions exist on 32-bit systems,' Microsoft cautions in the patch notes."
  • First things first (Score:5, Insightful)

    by BadAnalogyGuy (945258) <BadAnalogyGuy@gmail.com> on Thursday April 15, 2010 @02:51PM (#31861272)

    If the rootkit is still on your computer, maybe you should look into having it removed.

    How shall thee pull out the mote that is in thine eye, when thou thyself beholdest not the beam that is in thine eye? Luke 6:42

    • by Skarecrow77 (1714214) on Thursday April 15, 2010 @02:56PM (#31861346)

      No! I need the newest Microsoft patch so that there are not any new security holes in my computer! I'll deal with that huge gaping sucking chasm of a security hole that's already there, created by the rootkit, at some later date.

      • Re: (Score:2, Insightful)

        by sopssa (1498795) *

        You need the newest Microsoft patch that - because of the rootkit and the .dll files it has damaged - will BSOD your system? Somehow someone turned this news into a rant, as if it's a bad thing to really make sure Windows Update is able to patch things before proceeding.

        • That was the sarcasm train, clearly passing you by.

    • Re: (Score:3, Funny)

      by kseise (1012927)
      Just to be sure that we get this update, I am installing the newest Antivirus 2010 on all of our network machines. This version should pick up the rootkits that Antivirus 2009 left behind. Since I work at the IRS, our systems are absolutely critical to protect this month.
  • Microsoft isn't really in the business of providing a virus scanner as one of their free updates. Oh wait... [microsoft.com]

    *continues running Ubuntu*

    • Re: (Score:3, Interesting)

      by mwvdlee (775178)

      To be fair, does the MS virus scanner detect and remove the rootkit?

      • Re:Makes sense... (Score:5, Interesting)

        by HerculesMO (693085) on Thursday April 15, 2010 @03:02PM (#31861444)

        The malicious software removal tool will take care of it. Their antivirus will not.

        They are giving you the tool to get rid of it and then saying you should install your patches afterwards. But they are chastised for not coming up with an all-in-one solution? Jeez.

        • And rightly so. (Score:3, Insightful)

          by khasim (1285)

          But they are chastised for not coming up with an all-in-one solution?

          Yes. Because when patching, you want the process to be as simple as possible for the END USER.

          The more steps the end user has to follow, the more likely that the end user will make a mistake somewhere.

          If it can be done in one step at the end user's level, then it should be done in one step at the end user's level. No delays.

          • Oh yes, simple as possible, but we're talking about heavily compromised systems.

            Malware removal is not security patching. Don't conflate the two.

  • You keep your original software. Time to wipe it and reinstall. Or perhaps boot Linux and get a faster computer.
  • Provided they [MS] provide doco on how to remove the rootkit, I don't take issue with this. This is similar to MS testing a 3rd-party developer's product to make sure it works, when in the marketplace it's the job of the 3rd-party shop. Somehow I doubt the rootkit devs are going to get their kit validated by MS as a certified app......
  • by techno-vampire (666512) on Thursday April 15, 2010 @02:55PM (#31861326) Homepage
    If Microsoft has a way of detecting the rootkit, they should make it available separately so that people can test their machines before they try to update them. Of course, this is Microsoft we're talking about, so you know they're not interested in what's right unless it's also profitable.
    • Re: (Score:3, Informative)

      by TrancePhreak (576593)

      If Microsoft has a way of detecting the rootkit, they should make it available separately so that people can test their machines before they try to update them.

      They do just this. Malicious Software Removal Tool.

  • by HockeyPuck (141947) on Thursday April 15, 2010 @02:56PM (#31861344)

    Let's see what do I want?

    A) A working machine that has a rootkit installed.
    B) A machine that no longer works.

    Can you expect MSFT to test their patches against machines that have been modified via rootkits? Or should the patches themselves remove the rootkits? You are assuming that MSFT can remove the rootkit in the first place.

  • by girlintraining (1395911) on Thursday April 15, 2010 @02:56PM (#31861348)

    What ever happened to backwards compatibility? Why, I remember the day when any virus, worm, or piece of malware, would run no matter what!

  • And the issue is? (Score:5, Insightful)

    by dirk (87083) <dirk@one.net> on Thursday April 15, 2010 @02:57PM (#31861360) Homepage

    I really don't have a problem with this. If the system is already rooted, the patch isn't going to actually help anything since their security is already compromised. And with all the bad press MS received last time over something that was not their fault at all, why should they risk it again? If your system has a serious issue like being rooted, then you have to take care of the issue before you can install the patch. Seems logical to me.

    • I mean, they already have the malicious software removal tool, so they could blow the roots away if they wanted to. But what is really needed here is to block the rooting mechanism altogether.

      Or go back to the saner architecture of NT 3.0/3.1/3.5, where only the kernel and its designated MS helpers ran at level 0 to start with. The world started to go to hell when they allowed the video driver into level 0.

      • by AndGodSed (968378)

        Remember. He who play in root, eventually kills tree.

      • by yuhong (1378501)

        Or go back to the saner architecture of NT 3.0/3.1/3.5, where only the kernel and its designated MS helpers ran at level 0 to start with. The world started to go to hell when they allowed the video driver into level 0.

        That would have been useless, as the rootkit had nothing to do with the Win32 subsystem. It involved the file system, which has been in kernel mode from the beginning of NT.

      • Doesn't the video driver run in user-mode now?
    • Re: (Score:3, Informative)

      by rickb928 (945187)

      If this was all caused by some commercial software, say, Adobe Reader gaining a bug that hosed Windows Update, we would be all over Adobe for breaking Windows Update and denying us our precious patches.

      So far, very little scorn for the rootkit author(s) or their legion of distributors.

      I get alerted to malware of various types, from Javascript exploits to out-and-out rootkits, from several interesting websites I visit frequently. I've been reduced to checking them on my phone, cause so far they haven't take

  • Why bother? (Score:5, Insightful)

    by trifish (826353) on Thursday April 15, 2010 @02:58PM (#31861372)

    Rightfully so. Security patching a rootkit-ed OS is mildly amusing and also a bit redundant. The only way to secure such an OS starts with reformatting the system partition.

  • by irreverant (1544263) on Thursday April 15, 2010 @02:58PM (#31861388)
    I think Microsoft acted responsibly in this situation. They merely mitigated any future issues these patches might have; they didn't want the same thing to happen again. In this case it was prevention, not intervention. Unfortunately, there are many ways to get a rootkit installed on a computer; however, most of the time it's usually the user that infected themselves. This is why there are measures that a user can take to prevent or minimize the occurrence. Microsoft did make a note to remove the infection and then install the patch. If they don't know how to remove the infection, or don't know they can download if not purchase one of many anti-virus solutions or pay someone to do it, then maybe the users should rethink their web browsing behaviors.
    • by Rich0 (548339)

      I tend to agree. If I were running a megacorp with 30k computers, and it turns out that 1000 of them have a rootkit I'd rather that they didn't just all die at the same time from a random patch.

      Of course, I'd be scanning for stuff like this anyway, so I'd be fixing these problems before they got out of hand.

      Even so, adding a major outage to a major security problem isn't necessarily an improvement.

    • Re: (Score:3, Insightful)

      by VGPowerlord (621254)

      Microsoft also included some measures in newer versions of Windows to mitigate user stupidity... and even one to mitigate programmer stupidity in Internet Explorer.

      Not that there aren't still holes in those methods... or the user can just be stupid and click Allow.

  • Oddly enough... (Score:3, Interesting)

    by HerculesMO (693085) on Thursday April 15, 2010 @03:00PM (#31861416)

    Their Malicious Software Removal Tool (sent out on Patch Tuesday) can remove the rootkit.

    But I won't stop the Slashdotters here from complaining about it.

  • by Rockoon (1252108) on Thursday April 15, 2010 @03:01PM (#31861434)
    From the article:

    As Microsoft has noted, while the solution prevents users from suffering the misery of Blue Screens of Death, it does leave them unprotected and the company has urged users to download its Malicious Software Removal Tool to clean up their machines and run the patch as soon as possible.

    It isn't that they won't patch these systems, it's that they won't automatically install the MSRT, which removes the rootkit, as part of the update.

    ...and to be perfectly honest, who wants the MSRT to be a mandatory component? Things like that are capable of unexpectedly altering the system, something typically frowned upon in enterprise.

    • Though to be fair, if you have a rootkit on your corporate machines, the MSRT is the least of your worries.

      • by Rockoon (1252108)
        I still assume that uptime is your biggest worry in enterprise. Compromised security is dealt with in a way that preserves the uptime required to operate the business.
    • by Jeian (409916)
      Things like that are capable of unexpectedly altering the system, something typically frowned upon in enterprise.

      Agreed. Our administrators are perfectly capable of bricking our systems on their own, thank you very much.
  • by techvet (918701) on Thursday April 15, 2010 @03:01PM (#31861436)
    First, you beat up Microsoft because their patch trashed machines that were *already* infected. Then you beat them up because they backed off on applying the patches to avoid trashing the machines. Get thee to SuperAntiSpyware and Anti-Malwarebytes and get your machine cleaned up before you complain.
    • by sohp (22984)

      If the patch system can detect the rootkit and not install, why doesn't it remove it and then install? At least give the user the option of doing it, instead of just leaving the user to deal with yet more work.

  • by fred fleenblat (463628) on Thursday April 15, 2010 @03:03PM (#31861462) Homepage

    This just proves that it's a great time for people who have been sticking with XP to take the plunge and upgrade to Windows 2000 Professional.

  • by _KiTA_ (241027) on Thursday April 15, 2010 @03:04PM (#31861474) Homepage

    If they have the ability to detect these things, why in the world doesn't a little popup appear in the systray or security center saying "Your system appears to have a form of Malicious Software installed. Windows Updates are currently disabled. Please see your Network Administrator."

    Seriously, the rogue spyware apps do this all the time, why can't Windows itself do it?

  • by rudy_wayne (414635) on Thursday April 15, 2010 @03:05PM (#31861494)

    "Microsoft discovered the problems occurred on machines infected with the Alureon rootkit"

    There are many reasons to hate Microsoft, and their QA failure when it comes to security is certainly one of them. However, the spread of rootkits, viruses and other malware is primarily caused by user stupidity, something that is not Microsoft's fault. In the early days of personal computers I took the time to learn how things worked. If you're having the problem described in this article then you can wipe your hard drive and re-install Windows. If you don't know how to do this, then maybe it's time you learned. If you're not willing to learn, then do the rest of the world a favor and throw your computer out the nearest window.

  • Microsoft doesn't refuse to patch rootkitted systems, Microsoft is UNABLE to patch rootkitted systems. NO ONE can patch a rootkitted system, of ANY OS. You need to wipe the system and reinstall.

    It is OK to be against Microsoft, but you have to base your opinion on genuine problems. When you base your opinion on mindless propaganda, you are just another useless partisan in this world: loud, dumb, useless.

    • You didn't think about this before you fired off your little opinion piece, did you? It is indeed absolutely possible, though one might not necessarily recommend it. All you need to do is boot from another source, mount your compromised file system and then overwrite anything not having a proper hash. This works fine if you keep a hash list based on an uncompromised reference. Think about a 'tripwire' concept.

      In Linux this is trivially simple to do.
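The offline integrity check the comment above describes, as an added example (not code from the page or from any tripwire tool): hash every file in a trusted reference tree, then compare the suspect filesystem, mounted from separate boot media, against that manifest. The `clean` and `tampered` trees here are constructed sample data; the reference and suspect paths are assumptions.

```python
"""Offline integrity check of the kind the comment above describes:
hash every file in a trusted reference tree, then compare the suspect
tree (mounted from separate boot media) against it. Added example, not
code from the page; the 'clean' and 'tampered' trees are constructed."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # never follow links out of the tree being checked
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest


def verify(reference, suspect):
    """Return (modified, missing, extra) relative paths, each sorted.
    'extra' matters most: a rootkit's own files match nothing in the
    reference, so they only ever show up as unexplained additions."""
    ref, sus = build_manifest(reference), build_manifest(suspect)
    modified = sorted(p for p in ref if p in sus and sus[p] != ref[p])
    missing = sorted(p for p in ref if p not in sus)
    extra = sorted(p for p in sus if p not in ref)
    return modified, missing, extra


def demo():
    """Constructed sample: a clean tree and a copy with three tamperings."""
    base = tempfile.mkdtemp()
    clean, tampered = os.path.join(base, "clean"), os.path.join(base, "tampered")
    files = {"kernel.bin": b"kernel", "drivers/disk.sys": b"driver",
             "config.ini": b"[settings]"}
    for root in (clean, tampered):
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
    with open(os.path.join(tampered, "drivers/disk.sys"), "ab") as f:
        f.write(b"+patched")                         # driver body altered
    os.remove(os.path.join(tampered, "config.ini"))  # file deleted
    with open(os.path.join(tampered, "drivers/extra.sys"), "wb") as f:
        f.write(b"unknown")                          # unexplained new file
    return verify(clean, tampered)
```

Restoring a file from the reference only makes sense when the reference tree itself was never mounted by the compromised system, which is why the manifest should come from clean media rather than from the machine under investigation.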

  • MSE claimed to work (Score:5, Interesting)

    by Bearhouse (1034238) on Thursday April 15, 2010 @03:12PM (#31861616)

    See:

    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Alureon.A [microsoft.com]

    I've had reasonably good experiences with MSE so far with my Windows users. Anybody else want to weigh in here?

    • by pongo000 (97357)

      I'm by no means a Microsoft fanboi, but I have nothing but good things to say about MSE: It's free, the definition files are updated regularly, and (best of all) it doesn't slow down my laptop even when I'm running a scan. If you're not running MSE, you owe it to yourself to try it out. I can almost promise you that you'll toss whatever antivirus software you're running now.

      MSE, Anti-Malwarebytes, and SpywareBlaster have taken care of everything the big bad world has thrown at my machine.

  • by xerio (1001881) on Thursday April 15, 2010 @03:27PM (#31861798)
    I'm strangely OK with this. If they update the computer and the rootkit conflicts with the new patch and makes the computer unusable, they'll just get blasted for breaking people's computers. But if they don't update the computer, then the person is still able to use it. If they're warned that they can't update because they have a rootkit on their system and they do nothing about it, I feel no sympathy for them. At least Microsoft didn't make their system less operational. They should get rid of the rootkit and then update. If Microsoft let people update while knowing that it would make the computers unusable if they had this rootkit, people would still call foul on Microsoft. This way they're at least giving people a warning and a chance to fix their problem, not making the problem worse.
  • Sad (Score:3, Insightful)

    by Voulnet (1630793) on Thursday April 15, 2010 @03:28PM (#31861810)
    Seeing the summary and many of the posts here, it's so sad to see how the internet gave every idiot a podium. It's always going to be catch-22 for Microsoft, even if they donated 40 billion dollars for every open source foundation/cancer research facility in the world. It's sad to see CS graduates, sysadmins and programmers with the mentalities of 4channers. Huh
    • Re: (Score:3, Interesting)

      by JustNiz (692889)

      The reason is, no matter how much Microsoft gives to charity (and I don't believe they do anyway; it's actually the Bill & Melinda Gates Foundation who is the big philanthropist), cancer research is not Microsoft's primary activity. Software is.

      Microsoft only cares about big corporate interests like the RIAA and MPAA. They absolutely don't care about their own home or small business customers' interests. Furthermore they do the bare minimum, their products suck, they strangle innovation, they hold the whole i

  • Obligatory.... (Score:3, Informative)

    by bmo (77928) on Thursday April 15, 2010 @04:19PM (#31862846)

    http://technet.microsoft.com/en-us/library/cc512587.aspx [microsoft.com]

    >You can't clean a compromised system by patching it.

    >You can't clean a compromised system by removing the back doors.

    >You can't clean a compromised system by using some "vulnerability remover."

    >You can't clean a compromised system by using a virus scanner.

    >You can't clean a compromised system by reinstalling the operating system over the existing installation.

    >You can't trust any data copied from a compromised system.

    >You can't trust the event logs on a compromised system.

    >You may not be able to trust your latest backup.

    >>>>>The only way to clean a compromised system is to flatten and rebuild.

    Jesper M. Johansson, Ph.D. [YES, HE'S A DOCTOR], CISSP, MCSE, MCP+I

    Security Program Manager
    Microsoft Corporation
