Security Microsoft Upgrades Windows Technology

Microsoft Refuses To Patch Rootkit-Compromised XP Machines

Barence writes "Microsoft has revealed that its latest round of patches won't install on XP machines if they're infected with a rootkit. In February, a security patch left some XP users complaining of endless reboots and Blue Screens of Death. An investigation followed and Microsoft discovered the problems occurred on machines infected with the Alureon rootkit, which interacted badly with patch KB977165 for the Windows kernel. Now Microsoft is blocking PCs with the rootkit from receiving its new patches. 'This security update includes package-detection logic that prevents the installation of the security update if certain abnormal conditions exist on 32-bit systems,' Microsoft cautions in the patch notes."
  • First things first (Score:5, Insightful)

    by BadAnalogyGuy ( 945258 ) <BadAnalogyGuy@gmail.com> on Thursday April 15, 2010 @02:51PM (#31861272)

    If the rootkit is still on your computer, maybe you should look into having it removed.

    how shall thee pull out the mote that is in thine eye, when thou thyself beholdest not the beam that is in thine eye? Luke 6:42

  • by HockeyPuck ( 141947 ) on Thursday April 15, 2010 @02:56PM (#31861344)

    Let's see, what do I want?

    A) A working machine that has a rootkit installed.
    B) A machine that no longer works.

    Can you expect MSFT to test their patches against machines that have been modified via rootkits? Or should the patches themselves remove the rootkits? You are assuming that MSFT can remove the rootkit in the first place.

  • And the issue is? (Score:5, Insightful)

    by dirk ( 87083 ) <dirk@one.net> on Thursday April 15, 2010 @02:57PM (#31861360) Homepage

    I really don't have a problem with this. If the system is already rooted, the patch isn't going to actually help anything since their security is already compromised. And with all the bad press MS received last time over something that was not their fault at all, why should they risk it again? If your system has a serious issue like being rooted, then you have to take care of the issue before you can install the patch. Seems logical to me.

  • Why bother? (Score:5, Insightful)

    by trifish ( 826353 ) on Thursday April 15, 2010 @02:58PM (#31861372)

    Rightfully so. Security patching a rootkit-ed OS is mildly amusing and also a bit redundant. The only way to secure such an OS starts with reformatting the system partition.

  • Misleading title (Score:1, Insightful)

    by Anonymous Coward on Thursday April 15, 2010 @02:58PM (#31861386)

    The title is totally misleading. It gives the sense that Microsoft refuses to deliver some patch that fixes the rootkit infection. While in fact Microsoft avoids delivering the patch to keep the machines in a working (albeit infected) condition.

    I bet that the poster is a fanboi that found his opportunity to bash Microsoft... :-P

  • by sopssa ( 1498795 ) * <sopssa@email.com> on Thursday April 15, 2010 @03:00PM (#31861410) Journal

    I recall slashdotters complaining that they didn't do a CRC check or similar (they do, but the rootkit gave the 'real' value and it was worthless).

    Now they're doing the right thing and we get news about how they refuse to patch the systems whose .dll files have been damaged? Welcome to slashdot.

  • by techvet ( 918701 ) on Thursday April 15, 2010 @03:01PM (#31861436)

    First, you beat up Microsoft because their patch trashed machines that were *already* infected. Then you beat them up because they backed off on applying the patches to avoid trashing the machines. Get thee to SuperAntiSpyware and Anti-Malwarebytes and get your machine cleaned up before you complain.

  • by sopssa ( 1498795 ) * <sopssa@email.com> on Thursday April 15, 2010 @03:02PM (#31861448) Journal

    You need the newest microsoft patch that - because of the rootkit and the .dll files it has damaged - will BSOD your system? Somehow someone turned this news into a rant, as if it's a bad thing to really make sure Windows Update is able to patch things before proceeding.

  • by _KiTA_ ( 241027 ) on Thursday April 15, 2010 @03:04PM (#31861474) Homepage

    If they have the ability to detect these things, why in the world doesn't a little popup appear in the systray or security center saying "Your system appears to have a form of Malicious Software installed. Windows Updates are currently disabled. Please see your Network Administrator."

    Seriously, the rogue spyware apps do this all the time, why can't Windows itself do it?

  • by rudy_wayne ( 414635 ) on Thursday April 15, 2010 @03:05PM (#31861494)

    "Microsoft discovered the problems occurred on machines infected with the Alureon rootkit"

    There are many reasons to hate Microsoft, and their QA failure when it comes to security is certainly one of them. However, the spread of rootkits, viruses and other malware is primarily caused by user stupidity, something that is not Microsoft's fault. In the early days of personal computers I took the time to learn how things worked. If you're having the problem described in this article then you can wipe your hard drive and re-install Windows. If you don't know how to do this, then maybe it's time you learned. If you're not willing to learn, then do the rest of the world a favor and throw your computer out the nearest window.

  • microsoft doesn't refuse to patch rootkitted systems, microsoft is UNABLE to patch rootkitted systems. NO ONE can patch a rootkitted system, of ANY OS. you need to wipe the system and reinstall

    it is ok to be against microsoft, but you have to base your opinion on genuine problems. when you base your opinion on mindless propaganda, you are just another useless partisan in this world: loud, dumb, useless

  • by VGPowerlord ( 621254 ) on Thursday April 15, 2010 @03:09PM (#31861566)

    Microsoft also included some measures in newer versions of Windows to mitigate user stupidity... and even one to mitigate programmer stupidity in Internet Explorer.

    Not that there aren't still holes in those methods... or the user can just be stupid and click Allow.

  • by spidercoz ( 947220 ) on Thursday April 15, 2010 @03:10PM (#31861570) Journal

    C) A working machine that's immune to rootkits and doesn't have an obsolete OS.

    hint: always choose C.

  • by SCPRedMage ( 838040 ) on Thursday April 15, 2010 @03:17PM (#31861660)

    Screw that. Deliver the patch, BSOD the idiots, and get them off the net so that they're not a danger to the rest of the world.

  • Re:Makes sense... (Score:5, Insightful)

    by Rakishi ( 759894 ) on Thursday April 15, 2010 @03:20PM (#31861702)

    And if the rootkit remover bricks some systems you'd be yelling at Microsoft for not making it a separate update so users could prepare for it, right? I doubt it matters what MS does, you'd find a reason to think they're wrong no matter what.

    Security updates are security updates, malware removal is malware removal. Mixing the two is a horrid idea.

  • And rightly so. (Score:3, Insightful)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Thursday April 15, 2010 @03:23PM (#31861744)

    But they are chastised for not coming up with an all-in-one solution?

    Yes. Because when patching, you want the process to be as simple as possible for the END USER.

    The more steps the end user has to follow, the more likely that the end user will make a mistake somewhere.

    If it can be done in one step at the end user's level, then it should be done in one step at the end user's level. No delays.

  • by Colin Smith ( 2679 ) on Thursday April 15, 2010 @03:24PM (#31861754)

    A) A working machine that has a rootkit installed.

    And is sending all key presses and bank account details to criminals.


  • by xerio ( 1001881 ) on Thursday April 15, 2010 @03:27PM (#31861798)

    I'm strangely ok with this. If they update the computer and the rootkit conflicts with the new patch and makes the computer unusable, they'll just get blasted for breaking people's computers. But if they don't update the computer, then the person is still able to use it. If they're warned that they can't update because they have a rootkit on their system and they do nothing about it, I feel no sympathy for them. At least Microsoft didn't make their system less operational. They should get rid of the rootkit and then update. If Microsoft let people update while knowing that it would make the computers unusable if they had this rootkit, people would still call foul on Microsoft. This way they're at least giving people a warning and a chance to fix their problem, not making the problem worse.

  • Sad (Score:3, Insightful)

    by Voulnet ( 1630793 ) on Thursday April 15, 2010 @03:28PM (#31861810)

    Seeing the summary and many of the posts here, it's so sad to see how the internet gave every idiot a podium. It's always going to be catch-22 for Microsoft, even if they donated 40 billion dollars for every open source foundation/cancer research facility in the world. It's sad to see CS graduates, sysadmins and programmers with the mentalities of 4channers. Huh

  • by HeronBlademaster ( 1079477 ) <heron@xnapid.com> on Thursday April 15, 2010 @03:32PM (#31861896) Homepage

    Shouldn't it just determine if the DLL was damaged and replace it with the correct, working patched version if it is? Sorry, but automatically throwing their hands up and saying "you're fucked" is the Microsoft shortcut for not being able to fix their own security problems.

    Isn't that what they did last time, and it caused bluescreens?

    Do you want every single patch, no matter how small, to try to detect rootkits and, if a rootkit is detected, replace every DLL in the system with known clean copies? That's absurd.

    The problem wasn't that the DLL the patch installed caused bluescreens, it's that DLLs the patch didn't touch - because it wasn't patching them - were now incompatible with the clean (patched) DLL (because they were part of the rootkit).

    What do you propose Microsoft do about it? Patch the DLLs anyway, knowing it will cause bluescreens? Provide the entire slew of kernel DLLs for download via Windows Update, and install all of them every time there's a kernel patch?

    I don't mind what MS is doing at all - they're doing their best to make sure that their users won't get bluescreens, even if they're rooted.
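
The pre-install gate that the summary and the post above describe, written here as an added Python example that is not Microsoft's code: it hashes the files an update depends on against a catalog of known-good digests and refuses to install, with a plain-language explanation rather than a bare error code, when any file is not what the vendor shipped. The file names, contents and digests are constructed for the example.

```python
"""Pre-install integrity gate: an added example (not Microsoft's code) of the
'package-detection logic' the summary describes. Files the update depends on are
compared against known-good digests before anything is replaced, and the install
is refused if any differs. File names, contents and digests are constructed."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class GateResult:
    problems: list[str] = field(default_factory=list)  # e.g. "driver.sys (modified)"

    def ok(self) -> bool:
        return not self.problems

    def explain(self) -> str:
        """Plain-language outcome instead of a bare error code."""
        if self.ok():
            return "Preconditions satisfied; update installed."
        return ("Update not installed: the system is in an abnormal state ("
                + ", ".join(self.problems) + "). Remove the malware or restore "
                "the affected files, then run the update again.")


def check_preconditions(files: dict[str, bytes], catalog: dict[str, str]) -> GateResult:
    """Hash every catalogued file and compare with its known-good digest.
    Caveat raised in the thread: this runs on the possibly compromised system,
    so a rootkit that hides its changes from file reads can still pass it."""
    result = GateResult()
    for name, expected in catalog.items():
        data = files.get(name)
        if data is None:
            result.problems.append(f"{name} (missing)")
        elif sha256_hex(data) != expected:
            result.problems.append(f"{name} (modified)")
    return result


def apply_update(files: dict[str, bytes], catalog: dict[str, str],
                 replacements: dict[str, bytes]) -> tuple[bool, str]:
    """Install the update only when the gate passes; otherwise change nothing."""
    gate = check_preconditions(files, catalog)
    if not gate.ok():
        return False, gate.explain()
    files.update(replacements)
    return True, gate.explain()


# Constructed sample: a clean install and one whose driver was overwritten.
CLEAN = {"kernel.dll": b"vendor kernel build 1", "driver.sys": b"vendor driver build 1"}
CATALOG = {name: sha256_hex(data) for name, data in CLEAN.items()}
INFECTED = {**CLEAN, "driver.sys": b"driver overwritten by rootkit"}
PATCH = {"kernel.dll": b"vendor kernel build 2"}
```

On the infected sample the gate leaves every file untouched and names the modified component; on the clean sample the replacement is applied.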

  • Re:Makes sense... (Score:3, Insightful)

    by chaboud ( 231590 ) on Thursday April 15, 2010 @03:54PM (#31862336) Homepage Journal

    Man, this so exemplifies the distorted user perspective of the ease of software development. There is a completely workable workflow here: run update twice, but you want Microsoft to code up a little custom fix (possibly requiring a double-restart) that seems like a triviality, right?

    Wrong.

    It takes a long time to write, debug, test, and deploy even small software changes. When non-coders (or even coders) talk about how easy it would be for someone else to do something, alarm bells go off. Microsoft is doing a completely reasonable thing. I won't say that it's the "right thing," because that would imply that there is only one good course of action. Still, this approach is completely fair, easy to use, and safe.

  • by sopssa ( 1498795 ) * <sopssa@email.com> on Thursday April 15, 2010 @03:58PM (#31862406) Journal

    Uh, what are you trying to say?

    Once the machine is rooted or has malware on it that has gained admin/root/kernel access, your best bet is to shut it down, take your documents and reinstall the system. You cannot know where it hides, no matter how knowledgeable you think you are. But you can still save your documents and not reveal banking data or passwords and similar.

  • by Anonymous Coward on Thursday April 15, 2010 @04:09PM (#31862630)

    I want you to have (B).

  • by Yaddoshi ( 997885 ) on Thursday April 15, 2010 @04:22PM (#31862898)

    I agree, I thought the title of this submission was skewed - especially after reading the rest of the article. Microsoft does not appear to be "refusing to patch rootkit infected computers".

    A more accurate title would be something along the lines of: Microsoft attempts to prevent inadvertently bricking XP systems with Windows Updates

    Bear in mind I'm terrible at coming up with titles. Also bear in mind I'm not a big fan of Windows.

  • Re:Makes sense... (Score:5, Insightful)

    by petermgreen ( 876956 ) <plugwash.p10link@net> on Thursday April 15, 2010 @04:30PM (#31863040) Homepage

    mmm, and what's this bloody obsession with error codes. I was having trouble with windows update giving an error recently and the only explanatory information was an error code.

    After some time searching online and finding various speculation I eventually found that the code basically translated as "connection problem" and that I should try again later. Why couldn't they have just fucking told me that in the first place?!

  • XP support (Score:2, Insightful)

    by Happy Nuclear Death ( 911893 ) on Thursday April 15, 2010 @04:34PM (#31863120)

    Meh. I'm just glad they're still patching Windows XP.

  • Re:Hmmmm.... (Score:3, Insightful)

    by VGPowerlord ( 621254 ) on Thursday April 15, 2010 @05:02PM (#31863580)

    I hate to say it, but it's more like this:

    A: Release New OS
    B: No One Adopts New OS
    C: Release Another New OS
    D: Support Expires for Old OS
    E: "SOMEONE" Develops a rootkit\virus\malware that targets old OS.
    F: Anti-Virus keeps the old OS limping along
    G: Anti-Virus vendors keep releasing updates to prevent new viruses\rootkits\etc.
    H: Over time thousands, if not millions of Old OS systems get infected by root kits that the large population isn't aware of.
    I: Create a new patch that specifically, when coupled with the largely ignored\unnoticed rootkit\virus\malware, makes Old OS unusable.
    J: Choice: switch to Linux or upgrade to New OS.
    K: Laugh hysterically as at least 50% upgrade to New OS and you bathe in $20 bills soaked in Champagne.
    L: Profit.

  • by Anonymous Coward on Thursday April 15, 2010 @05:20PM (#31863852)

    If HP sold a laptop with DOS or BeOS you would expect support?

  • by dhavleak ( 912889 ) on Thursday April 15, 2010 @05:44PM (#31864206)

    That's good for the world in general but bad for the owner of the machine. You're suggesting MS make the decision to fuck over some individual for the good of many? They don't have that mandate.

  • by dhavleak ( 912889 ) on Thursday April 15, 2010 @06:01PM (#31864458)

    What about their malicious software removal tool that supposedly scans on updates

    The user may not have MSRT on their system. Alureon (the rootkit that caused the last issue) is detectable by every AV software out there and removable by MSRT (and others). We're talking about ultra-computer-phobic/challenged users here.

    To me, that makes it obviously WORTHLESS. If it can't remove this root-kit, what good is it?

    If a tool isn't installed on a machine, I don't expect it to be able to do much :)

    What motives do they have to not remove this root-kit?

    It's not "this rootkit". It could be any rootkit. They are merely checking if the machine has been compromised, before going ahead with applying the patch. Do you want to include an entire rootkit scanner, removal tool, definition files, etc. with every update you send out on windows update? Do you want to delay the sending of patches (to the rest of the world that keeps their machine clean and healthy and cares about these things) while all this is tested?

    What kind of brain detects a root-kit's presence, but doesn't remove it? And instead won't install the updates? Why can't they hire capable people with Brains who would have this tool remove the root-kit, then install the updates?

    You seem to have not applied yourself to the questions you're asking. The answers are plain.

  • by jibjibjib ( 889679 ) on Thursday April 15, 2010 @06:44PM (#31864994) Journal

    So now they're actively leaving rootkits online and fucking over the rest of the world for the good of the guy who can't maintain his machine properly? You could argue that they don't have that mandate either.

  • by xQx ( 5744 ) on Thursday April 15, 2010 @10:15PM (#31867060)

    Say someone pisses in your pool...

    How do you get the piss out of the pool?

    You don't. It's fucked. You drain the pool and start again.

    Any server administrator worth their salt knows that if someone who is not supposed to be there gets into root / administrator, there is only one course of action: Unplug and rebuild.

    You do not try to fix a server that has been compromised in this way, regardless of Operating System. For some reason we get compassionate about home-users who can't afford to fix their computer ... and then we get upset when these computers are used for botnets and spam propagation... WTF?!

    I think it's utterly RESPONSIBLE of Microsoft to withdraw support for someone silly enough to want to keep running an operating system that's been rootkitted.

    Hell, if it were my network I'd be using the rootkit to permanently disable all network connectivity to avoid any further damage. User be damned.
