Microsoft again pushes patch linked to Windows blue screens

Adds rootkit detection so patch isn't installed on infected PCs

Microsoft today said it had restarted distribution of a security update that had crippled some Windows PCs last month with reboot problems and Blue Screen of Death error screens.

The update, dubbed MS10-015, originally shipped on Feb. 9, but was pulled from Windows Updates' automatic update two days later after complaints flooded Microsoft's support forum from users whose machines refused to restart after they had installed the patch. The affected PCs shuddered to a stop at the blue screen which indicates a serious software error and crash in Windows.

Within a week, Microsoft announced that only PCs infected with the "Alureon" rootkit were incapacitated by MS10-015. It denied that there was any flaw in the security update itself.

"Today Microsoft resumed the distribution of MS10-015 to Windows customers through Automatic Update," Jerry Bryant, a senior manager with the Microsoft Security Response Center (MSRC), said in an e-mail. "The bulletin includes added detection logic for consumer and enterprise customers that searches for indications of the Alureon rootkit. If detection logic included in Automatic Update discovers abnormal conditions in certain operating system file configurations, the update will fail and customers will be presented with an error message that offers alternative support options. If this occurs, Microsoft customer support will work with impacted customers to resolve each issue."

Microsoft provided more information about the error messages, and what users seeing them should do, on its Web site.

Users who have already installed MS10-015 without problems do not have to reinstall it, Microsoft said.

The company also issued a scanning tool users can run to determine whether their PCs are infected with the rootkit before they attempt to download and install MS10-015. The tool doesn't scrub Alureon from a compromised computer, but only determines whether the system is compatible with the patch.

Microsoft has not yet delivered a promised detect-and-destroy tool that will clean infected PCs. Two weeks ago, the company said the tool would be ready in "a few weeks." It used the same timeframe today. " We anticipate that tools for both consumers and enterprise customers will be available in a few weeks," said Bryant.

In the past, Microsoft has used its Malicious Software Removal Tool (MSRT), a free program updated each Patch Tuesday, to seek out and destroy rootkits. The next scheduled refresh of the MSRT is March 9.

MS10-015 targeted a pair of 17-year-old kernel bugs in all 32-bit versions of Windows. The vulnerability went public in late January when a Google engineer published attack code.

Microsoft has caught heat over the fact that it took nearly two decades to fix the flaw. At the RSA Conference in San Francisco today, Brian Snow, former technical director of the National Security Agency's Information Assurance Directorate, blasted Microsoft for its sluggish pace.

Saying that fixing vulnerabilities can be a competitive advantage for companies, Snow cited MS10-015. "Seventeen years and not yet addressed? Give me a break," said Snow.

Robert McMillan of the IDG News Service contributed to this report.


Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is

Copyright © 2010 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon