Microsoft says rootkit caused Windows blue screens

Computerworld - Microsoft late on Wednesday confirmed that a rootkit caused Windows PCs to crash after users applied a security patch issued last week.

Only systems infected with the Alureon rootkit were incapacitated with Blue Screen of Death (BSOD) errors that prevented booting, said Mike Reavey, the director of the Microsoft Security Response Center (MSRC), in an announcement on the center's blog. "Our investigation has concluded that the reboot occurs because the system is infected with malware," said Reavey.

He added that the MS10-015 update was not at fault. "We have not found quality issues with security update MS10-015," Reavey maintained.

Microsoft's conclusion that malware was to blame was not unexpected. Last week, the rootkit -- also called TDSS, Tidserv and TDL3 -- had been named by security researchers as the likely culprit.

Within hours of the Jan. 9 release of MS10-015 and 12 other security updates, users reported that their computers wouldn't restart. Two days later, Microsoft halted automatic distribution of MS10-015 and launched an investigation, which revealed that malware might be the cause.

Yesterday, Reavey echoed independent researchers who earlier had blamed an address conflict between MS10-015 and the rootkit for the debacle. "Malware writers modified Windows behavior by attempting to access a specific memory location, instead of letting the operating system determine the address," explained Reavey. "MS10-015 was downloaded and installed, during which the location of Windows code changed. On the next reboot the malware code crashed attempting to call a specific address in Windows code which was no longer the intended OS function."

MS10-015 patched a 17-year-old bug in the kernel of all 32-bit versions of Windows.