Microsoft Refuses To Patch Rootkit-Compromised XP Machines 330
Barence writes "Microsoft has revealed that its latest round of patches won't install on XP machines if they're infected with a rootkit. In February, a security patch left some XP users complaining of endless reboots and Blue Screens of Death. An investigation followed and Microsoft discovered the problems occurred on machines infected with the Alureon rootkit, which interacted badly with patch KB977165 for the Windows kernel. Now Microsoft is blocking PCs with the rootkit from receiving its new patches. 'This security update includes package-detection logic that prevents the installation of the security update if certain abnormal conditions exist on 32-bit systems,' Microsoft cautions in the patch notes."
Re:Makes sense... (Score:3, Interesting)
To be fair, does the MS virusscanner detect and remove the rootkit?
Microsoft - Pragmatic solution to hard issue. (Score:5, Interesting)
Oddly enough... (Score:3, Interesting)
Their Malicious Software Removal Tool (sent out on Patch Tuesday) can remove the rootkit.
But I won't stop the Slashdotters here from complaining about it.
Re:Makes sense... (Score:5, Interesting)
The malicious software removal tool will take care of it. Their antivirus will not.
They are giving you the tool to get rid of it and then saying you should install your patches afterwards. But they are chastised for not coming up with a all-in-one solution? Jeez.
can't MS come up with a patch to block rooting? (Score:3, Interesting)
I mean, they already have the malicious software removal tool, so they could blow the roots away if they wanted to. but what is really needed here is to block the rooting mechanism altogether.
or go back to the saner architecture of nt 3.0/3.1/3.5, where only the kernel and its designated MS helpers ran at level 0 to start with. the world started to go to hell when they allowed the video driver into level 0.
MSE claimed to work (Score:5, Interesting)
See:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Alureon.A [microsoft.com]
I've have reasonably good experiences with MSE so far with my Windows users. Anybody else want to weigh in here?
Re:The Microsoft way! (Score:3, Interesting)
'Never trust what rooted machines say about themselves..."
Funny, that's usually how I spot a rooted machine. There's a fine difference between "I just don't want to work because I'm a piece of shit" and "I don't want to work because I'm controlled by someone other than you."
Re:Sad (Score:3, Interesting)
The reason is, no matter how much Microsoft give to charity (and I don't believe they do anyway, its actually Bill & Melinda Gates Foundation who is the big philanthropist ) Cancer Research is not Microsoft's primary activity. Software is.
Microsoft only care about big corporates interests like the RIAA and MPAA. They absolutely don't care about their own home or small business customers interests. Furthermore they do the bare minimum, their products suck, they strangle innovation, they hold the whole industry back just so they can make more money at any cost. They've made that VERY clear MANY times. Give me one reason why I a non-corp customer and a software developer shouldn't criticise Microsoft for failing to care about my interests or the interests of the industry I work in.
Re:Makes sense... (Score:1, Interesting)
I hope that Microsoft will actually display an appropriate error message. I've had issues installing the Indeo disabling patch where it refused to install and didn't display an error message or whatever. At some point I snapped and manually nuked the codec, so I'm good, but really... The guys who write the security updates can't even code up a message box - what's up with that?
Re:Makes sense... (Score:3, Interesting)
Well... I really can’t say I have high hopes for that.
I’ve had numerous updates (okay, 4 or 5) on Windows 7 that failed to install, with no explanation whatsoever. It seemed like more than it really was because it attempted to install the same 3 updates again the next time I shut down. And the next time. And the next. And... every time until I finally went into the update history to figure out what the deal was.
(In my case I’ve always been able to go onto the Microsoft website, download the update manually, and install it with no problem... just in case anybody else was having this problem. But as far as error messages go... not helpful at all.)
Re:Makes sense... (Score:2, Interesting)
Re:The Microsoft way! (Score:4, Interesting)
Do they notify the users that they're rootkitted?
If anything, a bluescreen is a good thing since the rootkitted machine is now offline and no longer sending spam or whatever other malicious things it might be doing.
Re:The Microsoft way! (Score:3, Interesting)
Well, by refusing to patch an already compromised system they open that system up to getting further malware infections...
They're not 'opening up' the system -- they're just leaving it open. It was already like that when they found it.
If the system breaks at least it's now offline and will cease sending spam or whatever other malicious things its doing.
Good for us. Bad for the owner. MS cannot fuck the owner on our behalf.
Re:Rooted means always wipe, reinstall. (Score:3, Interesting)
Once a machine gets owned it's gone. Total wipe, reinstall from good backup. No matter what OS or even WIndows it is.
Joe Sixpack doesn't have a backup.
Also, Joe Sixpack probably don't have XP CDs, so he has to install from the 'recovery partition'; I wonder whether any rootkits are installing themselves into the recovery partition so they'll automatically be reinstalled if someone tries to wipe their system and reinstall from scratch?