Newsletter Archives

  • MS-DEFCON 4: Get Patched

    Posted on March 5, 2010 at 07:15 CST by Comment in the Forums

    Microsoft just fixed the really bad February patch. MS10-015 / KB 977165, which I wrote about two weeks ago, had a nasty habit of clobbering Windows XP machines. According to a Microsoft Security Response Center blog, MS10-015 is now offered “with new logic that prevents the security update from being installed on systems if certain abnormal conditions exist.”

    In other words, if your WinXP PC is infected with the Alureon rootkit, MS10-015 won’t install itself, and you won’t be faced with an endless cycle of Blue Screens of Death.

    With that big problem out of the way, it’s now time to apply the February Black Tuesday patches. Get yourself all patched up, then make sure Automatic Updates is turned off. The two March patches will be out next week, and you don’t want Microsoft to zap you. Again.

    I’m moving us to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

    Windows Patches/Security , ,

  • MS10-015 Blue Screens due to TDL3 rootkit infection

    Posted on February 18, 2010 at 05:05 CST by Comment in the Forums

    Fascinating.

    Last week I wrote about Microsoft’s security patch MS10-015 causing Blue Screens of Death on some machines: if you install MS10-015/KB 977165, or it gets installed for you, your machine may BSOD on reboot. Every reboot.

    Marco Giuliani on the Prevx site has this explanation:

    TDL3 rootkit looks incompatible with MS10-015 update. This is the cause of the BSOD. Problem resides in the lazyness of rootkit writers when writing the driver infection routine.

    When the rootkit dropper is run, the infection calculates the RVA offsets of some Windows kernel APIs and hard code them so that at every restart the portion of the rootkit loader injected inside the infected driver can use these offsets to immediately calculate the address of the wanted functions.

    This worked well until the MS10-015 update, when Microsoft updated Windows NT kernel. This update changed those offset values and consequently broke the rootkit code. When the update procedure is finished, system is restarted. At system restart, the rootkit code tries to call a non-valid address and this causes the BSOD.

    Good news is that TDL3 authors care about us and they released in a couple hours a new updated version of the rootkit compatible with the Microsoft patch.

    Windows Patches/Security , , ,
DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • Knowledge Base
  • How to use the Forums
  • All Forums

    • Recent Topics

    My Profile

    May 2025
    S M T W T F S
     123
    45678910
    11121314151617
    18192021222324
    25262728293031

    Remembering Woody

     

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.