Microsoft Refuses To Patch Rootkit-Compromised XP Machines
Barence writes "Microsoft has revealed that its latest round of patches won't install on XP machines if they're infected with a rootkit. In February, a security patch left some XP users complaining of endless reboots and Blue Screens of Death. An investigation followed and Microsoft discovered the problems occurred on machines infected with the Alureon rootkit, which interacted badly with patch KB977165 for the Windows kernel. Now Microsoft is blocking PCs with the rootkit from receiving its new patches. 'This security update includes package-detection logic that prevents the installation of the security update if certain abnormal conditions exist on 32-bit systems,' Microsoft cautions in the patch notes."
First things first (Score:5, Insightful)
If the rootkit is still on your computer, maybe you should look into having it removed.
how shall thee pull out the mote that is in thine eye, when thou thyself beholdest not the beam that is in thine eye? Luke 6:42
Re:First things first (Score:5, Funny)
no! I need the newest microsoft patch so that there are not any new security holes in my computer! I'll deal with that huge gaping sucking chasm of a security hole that's already there, created by the rootkit, at some later date.
Re: (Score:2, Insightful)
You need the newest microsoft patch that - because of the rootkit and the .dll files it has damaged - will BSOD your system? Somehow someone turned this news into a rant and like it's a bad thing to really make sure the windows update should be able to patch things before proceeding.
whoosh! (Score:2)
That was the sarcasm train, clearly passing you by.
Re: (Score:3, Insightful)
What about their malicious software removal tool that supposedly scans on updates
The user may not have MSRT on their system. Alureon (the rootkit that caused the last issue) is detectable by every AV software out there and removable by MSRT (and others). We're talking about ultra-computer-phobic/challenged users here.
To me, that makes it obviously WORTHLESS if it can't remove this root-kit what good is it?
If a tool isn't installed on a machine, I don't expect it to be able to do much :)
What motives do they have to not remove this root-kit?
It's not "this rootkit". It could be any rootkit. They are merely checking if the machine has been compromised, before going ahead with applying the patch. Do you want to include an entire
Makes sense... (Score:2)
Microsoft isn't really in the business of providing a virus scanner as one of their free updates. Oh wait... [microsoft.com]
*continues running Ubuntu*
Re: (Score:3, Interesting)
To be fair, does the MS virusscanner detect and remove the rootkit?
Re:Makes sense... (Score:5, Interesting)
The malicious software removal tool will take care of it. Their antivirus will not.
They are giving you the tool to get rid of it and then saying you should install your patches afterwards. But they are chastised for not coming up with a all-in-one solution? Jeez.
And rightly so. (Score:3, Insightful)
Yes. Because when patching, you want the process to be as simple as possible for the END USER.
The more steps the end user has to follow, the more likely that the end user will make a mistake somewhere.
If it can be done in one step at the end user's level, then it should be done in one step at the end user's level. No delays.
Re:Makes sense... (Score:5, Informative)
And that’s what will happen. Installation of the patch will fail, if the rootkit is detected. The malicious software removal tool will be pushed out and remove the rootkit. And eventually the patch will be installed again since the installation failed the first time, and if the rootkit is gone the patch should install properly.
Re: (Score:3, Interesting)
Well... I really can’t say I have high hopes for that.
I’ve had numerous updates (okay, 4 or 5) on Windows 7 that failed to install, with no explanation whatsoever. It seemed like more than it really was because it attempted to install the same 3 updates again the next time I shut down. And the next time. And the next. And... every time until I finally went into the update history to figure out what the deal was.
(In my case I’ve always been able to go onto the Microsoft website, download th
Re: (Score:2)
P.S. I actually can count; it was the same 3 updates over and over, plus 1 or 2 other updates have failed similarly since then and I have dealt with them in the same way. So 4 or 5, altogether.
Re:Makes sense... (Score:5, Insightful)
mmm, and what's this bloody obsession with error codes. I was having trouble with windows update giving an error recently and the only explanatory information was an error code.
After some time searching online and finding various speculation I eventually found that the code basically translated as "connection problem" and that I should try again later. Why couldn't they have just fucking told me that in the first place?!
Re:Makes sense... (Score:5, Insightful)
And if the rootkit remover bricks some systems you'd be yelling at Microsoft for not making it a separate update so users could prepare for it, right? I doubt it matters what MS does, you'd find a reason to think they're wrong no matter what.
Security updates are security update, malware removal is malware removal. Mixing the two is a horrid idea.
Re: (Score:2)
If Microsoft can detect the rootkit
They don't. They're checking hashes on key platform binaries to check if they're compromised -- that's not the same as detecting the nature of the compromise.
they can fix it...BEFORE running the patch.
Detecting = more code. Fixing = more code. Many varieties of rootkits to allow for, not just one. Needs much more testing before sending out patches -- delays sending updates to the rest of the world that actually does care, and does maintain their machines in a healthy state. Requires user's approval before making changes to the machine, etc.
It really can't be that hard.
Becau
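The hash check on key platform binaries described in the reply above, as an added illustration that is not Microsoft's package-detection logic nor code from anyone in this thread: a pre-install gate that compares on-disk files against a shipped manifest and refuses to apply the patch when any differ, with a comment on why a clean result on an already-rooted machine proves nothing. The file names, contents and manifest are constructed.

```python
"""Pre-install integrity gate (constructed example, not Microsoft's code)."""
import hashlib
import os
import tempfile
from typing import Callable, Dict, List


def sha256_of(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_preconditions(root: str, manifest: Dict[str, str]) -> List[str]:
    """Compare every manifest entry with what is on disk under root.

    Returns a list of problems; empty means the patch may proceed. Limits:
    a mismatch only says a binary is not the one the patch was tested
    against, not what changed it; and the bytes come through the same
    file-read path a kernel rootkit can hook, so a clean result on an
    already-rooted machine proves nothing (hence "flatten and rebuild").
    """
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            problems.append(f"{rel}: missing")
        elif sha256_of(path) != expected:
            problems.append(f"{rel}: hash mismatch")
    return problems


def install_patch(root: str, manifest: Dict[str, str],
                  apply: Callable[[str], None]) -> dict:
    """Run the gate first; only call apply() when nothing is abnormal."""
    problems = check_preconditions(root, manifest)
    if problems:
        return {"installed": False, "problems": problems}
    apply(root)
    return {"installed": True, "problems": []}


def build_system_tree(root: str, tamper: bool) -> Dict[str, str]:
    """Write constructed 'platform binaries' and return their known-good
    hashes. With tamper=True one driver is overwritten in place with
    different bytes of the same length (a size check misses this)."""
    files = {
        "kernel.bin": b"KERNEL v1 " + b"\x90" * 64,
        "drivers/disk.sys": b"DISK   v1 " + b"\x90" * 64,
    }
    manifest = {}
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        manifest[rel] = hashlib.sha256(data).hexdigest()
    if tamper:
        with open(os.path.join(root, "drivers/disk.sys"), "wb") as f:
            f.write(b"DISK   v1 " + b"\xcc" * 64)
    return manifest


def demo(tamper: bool) -> dict:
    """Build a tree, attempt the install, and report the gate's decision."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = build_system_tree(tmp, tamper)
        applied: List[str] = []
        result = install_patch(tmp, manifest, applied.append)
        result["apply_called"] = len(applied) == 1
        return result


if __name__ == "__main__":
    print(demo(tamper=False))  # installs
    print(demo(tamper=True))   # refused: drivers/disk.sys hash mismatch
```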
Re: (Score:3, Insightful)
Man, this so exemplifies the distorted user perspective of the ease of software development. There is a completely workable workflow here: run update twice, but you want Microsoft to code up a little custom fix (possibly requiring a double-restart) that seems like a triviality, right?
Wrong.
It takes a long time to write, debug, test, and deploy even small software changes. When non-coders (or even coders) talk about how easy it would be for someone else to do something, alarm bells go off. Microsoft is do
Time to reinstall it all (Score:2)
Re: (Score:2)
Not for me. I keep win7 for a few videogames that don't run on linux at all.
If I want to watch something from my computer on my 42in HDTV and get sound through the hdmi cable?
In windows 7 I must first turn my TV on and switch it to the appropriate hdmi channel, then reboot my computer or I get no audio.
In ubuntu, it just works.
If I plug a standard formatted SD memory card into my computer?
In windows 7 it won't read the card unless it formats it first, even if it had previously formatted the exact same card
Re: (Score:2)
In windows 7 I must first turn my TV on and switch it to the appropriate hdmi channel, then reboot my computer or I get no audio
Right click the speaker icon in the system tray, select the HDMI source, set it as default. Just Works(tm).
If I plug a standard formatted SD memory card into my computer? In windows 7 it won't read the card unless it formats it first, even if it had previously formatted the exact same card.
Define standard? Doesn't sound right - SD cards Just Work.
I understand why MS is doing this... (Score:2)
The right thing to do (Score:3, Informative)
Re: (Score:3, Informative)
They do just this. Malicious Software Removal Tool.
Re: (Score:2)
It doesn't matter how old XP is.
It only matters how old the machine is that came pre-installed with it.
It's moronic and highly anti-consumer to advocate anything else.
Re: (Score:2)
As a matter of fact, no. I run a Linux only household and as long as Microsoft has 90%+ market share, such things have only a minor academic interest for me.
Lesser of two evils? (Score:5, Insightful)
Let's see what do I want?
A) A working machine that has a rootkit installed.
B) A machine that no longer works.
Can you expect MSFT to test their patches against machines that have been modified via rootkits? Or should the patches themselves remove the rootkits. You are assuming that MSFT can remove the rootkit in the first place.
Re: (Score:2, Insightful)
hint: always choose C.
Re: (Score:2)
What is this miraculous machine to which you refer?
"Updates regularly" (Score:2)
More like Obsoletes regularly. Wait a year to update and you can be SOL.
Re: (Score:3, Funny)
It most certainly does have an Operating System. In fact if it has disc brakes it even has a Disc Operating System...
Um, working for whom? (Score:3, Insightful)
A) A working machine that has a rootkit installed.
And is sending all key presses and bank account details to criminals.
Misuse of phrase (Score:5, Funny)
What ever happened to backwards compatibility? Why, I remember the day when any virus, worm, or piece of malware, would run no matter what!
And the issue is? (Score:5, Insightful)
I really don't have a problem with this. If the system is already rooted, the patch isn't going to actually help anything since their security is already compromised. And with all the bad press MS received last time over something that was not their fault at all, why should they risk it again? If your system has a serious issue like being rooted, then you have to take care of the issue before you can install the patch. Seems logical to me.
can't MS come up with a patch to block rooting? (Score:3, Interesting)
I mean, they already have the malicious software removal tool, so they could blow the roots away if they wanted to. but what is really needed here is to block the rooting mechanism altogether.
or go back to the saner architecture of nt 3.0/3.1/3.5, where only the kernel and its designated MS helpers ran at level 0 to start with. the world started to go to hell when they allowed the video driver into level 0.
Re: (Score:2)
Remember. He who play in root, eventually kills tree.
Re: (Score:2)
or go back to the saner architecture of nt 3.0/3.1/3.5, where only the kernel and its designated MS helpers ran at level 0 to start with. the world started to go to hell when they allowed the video driver into level 0.
That would have been useless, as the rootkit had nothing to do with the Win32 subsystem. It involved the file system, which has been in kernel mode from the beginning of NT.
Re: (Score:3, Informative)
If this was all caused by some commercial software, say, Adobe Reader gaining a bug that hosed Windows Update, we would be all over Adobe for breaking Windows Update and denying us our precious patches.
So far, very little scorn for the rootkit author(s) or their legion of distributors.
I get alerted to malware of various types, from Javascript exploits to out-and-out rootkits, from several interesting websites I visit frequently. I've been reduced to checking them on my phone, cause so far they haven't take
Why bother? (Score:5, Insightful)
Rightfully so. Security patching a rootkit-ed OS is mildly amusing and also a bit redundant. The only way to secure such an OS starts with reformatting the system partition.
Re: (Score:2)
Security patching a rootkit-ed OS is mildly amusing and also a bit redundant
Car analogy: it's like fixing you door lock and leaving the broken out window unrepaired.
Microsoft - Pragmatic solution to hard issue. (Score:5, Interesting)
Re: (Score:2)
I tend to agree. If I were running a megacorp with 30k computers, and it turns out that 1000 of them have a rootkit I'd rather that they didn't just all die at the same time from a random patch.
Of course, I'd be scanning for stuff like this anyway, so I'd be fixing these problems before they got out of hand.
Even so, adding a major outage to a major security problem isn't necessarily an improvement.
Re: (Score:3, Insightful)
Microsoft also included some measures in newer versions of Windows to mitigate user stupidity... and even one to mitigate programmer stupidity in Internet Explorer.
Not that there aren't still holes in those methods... or the user can just be stupid and click Allow.
Oddly enough... (Score:3, Interesting)
Their Malicious Software Removal Tool (sent out on Patch Tuesday) can remove the rootkit.
But I won't stop the Slashdotters here from complaining about it.
Summary title in error (Score:5, Informative)
As Microsoft has noted, while the solution prevents users from suffering the misery of Blue Screens of Death, it does leave them unprotected and the company has urged users to download its Malicious Software Removal Tool to clean up their machines and run the patch as soon as possible.
It isn't that they won't patch these systems, it's that they won't automatically install the MSRT, which removes the rootkit, as part of the update.
..and to be perfectly honest, who wants the MSRT to be a mandatory component. Things like that are capable of unexpectedly altering the system, something typically frowned upon in enterprise.
Re: (Score:2)
Though to be fair, if you have a rootkit on your corporate machines, the MSRT is the least of your worries.
Re: (Score:2)
Agreed. Our administrators are perfectly capable of bricking our systems on their own, thank you very much.
Attn infected PC users: Can't have it both ways. (Score:5, Insightful)
Re: (Score:2)
If the patch system can detect the rootkit and not install, why doesn't it remove it and then install? At least give the user the option of doing it, instead of just leaving the user to deal with yet more work.
Re: (Score:2)
Microsoft let the crap get on the machine in the first place.
They're ultimately responsible any way you try to spin this situation.
I will say that again s-l-o-w-l-y: It's Microsoft's OS. They are responsible for it. You even paid money for it.
Re: (Score:2)
Microsoft let the crap get on the machine in the first place.
They're ultimately responsible any way you try to spin this situation.
I will say that again s-l-o-w-l-y: It's Microsoft's OS. They are responsible for it. You even paid money for it.
I wasn't aware that Microsoft was to blame when a user went against safe operating practices, such as clicking on pop-ups and opening virus-filled emails. I suppose I was wrong.
You can't put it off forever! (Score:4, Funny)
This just proves that it's a great time for people who have been sticking with XP to take the plunge and upgrade to Windows 2000 Professional.
User Experience FAIL (Score:3, Insightful)
If they have the ability to detect these things, why in the world doesn't a little popup appear in the systray or security center saying "Your system appears to have a form of Malicious Software installed. Windows Updates are currently disabled. Please see your Network Administrator."
Seriously, the rogue spyware apps do this all the time, why can't Windows itself do it?
You can't fix stupid (Score:5, Insightful)
"Microsoft discovered the problems occurred on machines infected with the Alureon rootkit"
There are many reasons to hate Microsoft, and their QA failure when it comes to security is certainly one of them. However, the spread of rootkits, viruses and other malware is primarily caused by user stupidity, something that is not Microsoft's fault. In the early days of personal computers I took the time to learn how things worked. If you're having the problem described in this article then you can wipe your hard drive and re-install Windows. If you don't know how to do this, then maybe it's time you learned. If you're not willing to learn, then do the rest of the world a favor and throw your computer out the nearest window.
classically mindlessly anti-microsoft (Score:4, Insightful)
microsoft doesn't refuse to patch rootkitted systems, microsoft is UNABLE to patch rootkitted system. NO ONE can patch a rootkitted system, of ANY OS. you need to wipe the system and reinstall
it is ok to be against microsoft, but you have to base your opinion on genuine problems. when you base your opinion on mindless propaganda, you are just another useless partisan in this world: loud, dumb, useless
MSE claimed to work (Score:5, Interesting)
See:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Alureon.A [microsoft.com]
I've had reasonably good experiences with MSE so far with my Windows users. Anybody else want to weigh in here?
Re: (Score:2)
I'm by no means a Microsoft fanboi, but I have nothing but good things to say about MSE: It's free, the definition files are updated regularly, and (best of all) it doesn't slow down my laptop even when I'm running a scan. If you're not running MSE, you owe it to yourself to try it out. I can almost promise you that you'll toss whatever antivirus software you're running now.
MSE, Anti-Malwarebytes, and SpywareBlaster have taken care of everything the big bad world has thrown at my machine.
Re: (Score:2)
Fits with my experiences.
I'd add Spybot S&D to that list...
http://www.safer-networking.org/en/index.html [safer-networking.org]
Customer Satisfaction (Score:4, Insightful)
Sad (Score:3, Insightful)
Re: (Score:3, Interesting)
The reason is, no matter how much Microsoft give to charity (and I don't believe they do anyway, it's actually the Bill & Melinda Gates Foundation who is the big philanthropist) Cancer Research is not Microsoft's primary activity. Software is.
Microsoft only care about big corporate interests like the RIAA and MPAA. They absolutely don't care about their own home or small business customers' interests. Furthermore they do the bare minimum, their products suck, they strangle innovation, they hold the whole i
Obligatory.... (Score:3, Informative)
http://technet.microsoft.com/en-us/library/cc512587.aspx [microsoft.com]
>You can't clean a compromised system by patching it.
>You can't clean a compromised system by removing the back doors.
>You can't clean a compromised system by using some "vulnerability remover."
>You can't clean a compromised system by using a virus scanner.
>You can't clean a compromised system by reinstalling the operating system over the existing installation.
>You can't trust any data copied from a compromised system.
>You can't trust the event logs on a compromised system.
>You may not be able to trust your latest backup.
>>>>>The only way to clean a compromised system is to flatten and rebuild.
Jesper M. Johansson, Ph.D. [YES, HE'S A DOCTOR], CISSP, MCSE, MCP+I
Security Program Manager
Microsoft Corporation
Re:The Microsoft way! (Score:4, Insightful)
I recall slashdotters complaining that they didn't do CRC check or similar (they do, but the rootkit gave 'real' value and it was worthless).
Now they're doing the right thing and we get news about how they refuse to patch the systems whose .dll files have been damaged? Welcome to slashdot.
Re:The Microsoft way! (Score:5, Insightful)
A more accurate title would be something along the lines of: Microsoft attempts to prevent inadvertently bricking XP systems with Windows Updates
Bear in mind I'm terrible at coming up with titles. Also bear in mind I'm not a big fan of Windows.
Re:The Microsoft way! (Score:5, Informative)
If the kernel is fucked, nothing works any more. Any results from on-line determination of the damage status of the machine itself should be assumed fake because the malware is in control of all local resources. To accurately determine the status of the computer, it must be taken offline.
Never trust what rooted machines say about themselves...
Re: (Score:3, Interesting)
"Never trust what rooted machines say about themselves..."
Funny, that's usually how I spot a rooted machine. There's a fine difference between "I just don't want to work because I'm a piece of shit" and "I don't want to work because I'm controlled by someone other than you."
Re:The Microsoft way! (Score:5, Funny)
What if it hides in the documents?
Re:The Microsoft way! (Score:5, Insightful)
Shouldn't it just determine if the DLL was damaged and replace it with the correct, working patched version if it is? Sorry, but automatically throwing their hands up and saying "you're fucked" is the Microsoft shortcut for not being able to fix their own security problems.
Isn't that what they did last time, and it caused bluescreens?
Do you want every single patch, no matter how small, to try to detect rootkits and, if a rootkit is detected, replace every DLL in the system with known clean copies? That's absurd.
The problem wasn't that the DLL the patch installed caused bluescreens, it's that DLLs the patch didn't touch - because it wasn't patching them - were now incompatible with the clean (patched) DLL (because they were part of the rootkit).
What do you propose Microsoft do about it? Patch the DLLs anyway, knowing it will cause bluescreens? Provide the entire slew of kernel DLLs for download via Windows Update, and install all of them every time there's a kernel patch?
I don't mind what MS is doing at all - they're doing their best to make sure that their users won't get bluescreens, even if they're rooted.
Re:The Microsoft way! (Score:4, Interesting)
Do they notify the users that they're rootkitted?
If anything, a bluescreen is a good thing since the rootkitted machine is now offline and no longer sending spam or whatever other malicious things it might be doing.
Re:The Microsoft way! (Score:5, Informative)
The blue screen crashing that this rootkit caused after the previous update was not due to rootkit modifications to the files that were being patched.
The problems occurred because code that was NOT being patched (the rootkit!) was making direct jumps into kernel memory, to offsets that were no longer relevant after the patch.
Re: (Score:2, Flamebait)
You don't know how software development and pointers work, do you?
To many users, a computer works by doing what they tell it to do, and that's plenty for them to know. "How computers work" is a very broad statement that could mean a number of things that you don't address in the statements following your first one.
It also makes you sound condescending.
Re:The Microsoft way! (Score:5, Funny)
"I'm a people-person. What the hell is wrong with you people?"
Re: (Score:3, Funny)
So this is a vendor software issue? Those rootkit developers should have a better testing process. I'm not going to go to all of the trouble of rooting 100k servers just to have my botnet BSOD on the next update. I demand a refund
Re: (Score:3, Insightful)
How do you get the piss out of the pool?
You don't. It's fucked. You drain the pool and start again.
Any server administrator worth their salt knows if someone gets in to root / administrator who is not supposed to be there there is only one course of action: Unplug and rebuild.
You do not try to fix a server that has been compromised in this way, regardless of Operating System. For some reason we get compassionate about home-users who can't afford to fix their computer
Re: (Score:3, Interesting)
Well, by refusing to patch an already compromised system they open that system up to getting further malware infections...
They're not 'opening up' the system -- they're just leaving it open. It was already like that when they found it.
If the system breaks at least it's now offline and will cease sending spam or whatever other malicious things its doing.
Good for us. Bad for the owner. MS cannot fuck the owner on our behalf.
Re: (Score:2, Informative)
Code 0xB302392838271
This is why I come to Slashdot. So many computer-literate people...
Re: (Score:2)
So, does this detection result in a message like "Windows Update had an error. Code 0xB302392838271" or "YOU'VE BEEN HACKED!!! GET YOUR COMPUTER FIXED!!!!"?
Oh, like those lovely programs XP Antivirus and "Security Tool" do! Yes, I think that trying to scare and confuse the user into an irrational course of action is the way to go.
Re: (Score:2)
Chances are, if it's a rootkit, it's already overwritten the "known good" versions of those files Windows keeps around.
Plus, they can't guarantee that other files won't be modified by different versions of the same rootkit.
Other than that, Microsoft already pushes a new version of the Malicious Software Removal Tool [microsoft.com] through Windows Update every month.
Re: (Score:2)
"You mean to tell me that you don't know how to set up and admin a Cisco network? You don't know C? Get away from me, whore!"
The fact that your comment was modded insightful is discouraging, yet expected, to say the least. How sad.
How about realizing that not everyone is a computer guru, and sometimes people, while doing something 'stupid', may not understand that what they are doing is harmful.
Sensationalism drives page views (Score:2)
and hence advertising revenue.
Re: (Score:2)
>> It never ceases to amaze me how the company that SHOULD produce some of the best code in the world (given revenue and longevity) instead seems to almost invariable produce code based on the "quickest and cheapest" principle.
That's what happens when accountants get more say than engineers in the important decisions. The big problem is that missed sales can't be counted. The real problem is that most people will still buy Microsoft products no matter how bad they get, and Microsoft know it too.
Re: (Score:3, Insightful)
I hate to say it, but it's more like this:
A: Release New OS
B: No One Adopts New OS
C: Release Another New OS
D: Support Expires for Old OS
E: "SOMEONE" Develops a rootkit\virus\malware that targets old OS.
F: Anti-Virus keeps the old OS limping along
G: Anti-Virus vendors keep releasing updates to prevent new viruses\rootkits\etc.
H: Over time thousands, if not millions of Old OS systems get infected by root kits that the large population isn't aware of.
I: Create a new patch that specifically, when coupled with t
Re: (Score:3, Interesting)
Once a machine gets owned it's gone. Total wipe, reinstall from good backup. No matter what OS or even Windows it is.
Joe Sixpack doesn't have a backup.
Also, Joe Sixpack probably doesn't have XP CDs, so he has to install from the 'recovery partition'; I wonder whether any rootkits are installing themselves into the recovery partition so they'll automatically be reinstalled if someone tries to wipe their system and reinstall from scratch?