Is Microsoft using security patch KB 3146706 to break pirate copies of Windows 7?

It's not clear whether it’s intentional, but the patch is throwing blue screen error 0x0000006B on Ghost pirate copies of Windows 7

Microsoft certainly has no obligation to support "ungenuine" copies of Windows 7, but the strange case of KB 3146706 suggests Microsoft might be actively gunning for the pirates.

Last Patch Tuesday, Microsoft released MS16-044 and KB 3146706 as an "important" security update for OLE running in Windows Vista, Windows 7, Windows 8.1, Windows RT 8.1, and corresponding server versions. At the time, patching sirens went off for two odd reasons.

First, the patch was unchecked on most Windows 7 PCs, even though it appears in the "Important" Windows Update list. (A checked patch is one that is installed when Windows Update runs.) The patch is checked on Windows 8.1 systems and on Vista. It's not clear if the patch was originally unchecked on Win7 PCs or if Microsoft dropped the check mark shortly after the patch rolled out.

Second, red lights went up all over China that the patch was throwing a blue screen error 0x0000006B. It's a nasty and recurring error on boot, and the only way to get out of the error is to boot with some other media and uninstall the patch.

Soon after the patch appeared, I posted about this strange behavior:

I'm seeing lots of reports of MS16-044 / KB 3146706 throwing errors -- most commonly blue screen 0x0000006B -- that go away if the patch is removed.

Remarkably, almost all of the reports (for example, this one on site vvcat) are in Chinese. Makes me wonder if there's a conflict between KB 3146706 and a program that's commonly run in China. We saw something similar three years ago with KB 2823324, which triggered BSODs on many computers in Brazil.

AskWoody denizen LL wrote to me and said that it looks like Microsoft is still distributing the patch through Windows Update, but isn't checking it -- which is typically a precursor to yanking the patch entirely.

There was, and is still, no indication in the KB article why the patch isn't checked for Windows 7. My Windows 7 test machines currently show KB 3146706 as "Important" but not checked.

After struggling through automated translations of Chinese websites, it's become more apparent to me that the 0x0000006B blue screens appear on Chinese-language Windows 7 systems with a specific pirate copy generally called Ghost (most likely in reference to Norton's Ghost hard drive copying program).

There's a fascinating description of the Chinese Ghost process (in English) from jimdagys on the VideoHelp forum:

This has been going on for at least 15 years, and until today, I was totally ignorant of this practice. I hate to be ignorant of what half the world's population is doing. I remember being in China 10 years ago, and I couldn't figure out why every other disk in a software shop said "Ghost" on it. I know Ghost is useful, but...

Today I had a computer that wouldn't access the internet very well. The technician said reinstalling the operating system would solve the problem. I didn't look forward to the hour or so plus reboots involved to reinstall Windows. Shortly after the technician put in a Windows CD, I noticed the Ghost interface came up. I was curious why Ghost would be involved in this situation. After 5 or so minutes, Ghost was finished, then a special driver window appeared, automatically installing drivers. The technician said that the one Ghost CD (obviously specially modified) would install Windows on any computer…  After the operating system was totally installed… I did a Malwarebytes scan… and there were 3 viruses (apparently already present on the install CD). But for now, I can access the internet perfectly.

I lived in Thailand for 13 years and can attest to the prevalence of the process. In the time I was there, I'd guess less than 10 percent -- more likely fewer than 1 percent -- of the consumer PCs sold and repaired in Thailand had genuine copies of Windows. If you took your perfectly valid, U.S.-bought Windows 7 laptop in for repairs, more often than not it was returned with a pirate copy of Windows.

Is this an attempt by Microsoft to wipe out a wide swath of illegal copies of Windows? Or is it simply roadkill on the path to Windows 10? Without a doubt, Microsoft's under no obligation to make its patches work with illegal copies of Windows. This problem seems … fortuitous.

KB 3146706 may have been put on hold for a completely different reason. As described in this TechNet post and this Reddit thread, there's a conflict between EMET 5.5 and both KB 3146706 and KB 3147071 running on 32-bit Windows 7. I also have a report of KB 3146706 causing a failure to connect to the System Event Notification Service. It doesn't look like Microsoft has fixed these problems yet, which may also explain why KB 3146706 isn't checked.
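For an administrator who wants to know which machines carry the combination the TechNet post and Reddit thread describe (32-bit Windows 7, EMET 5.5, and KB 3146706 or KB 3147071 installed) before more of them hit the boot loop, a short inventory script is enough. The following PowerShell is an added example, not from the article or from Microsoft; it uses only Get-HotFix, WMI and the standard uninstall registry keys, and the assumption that EMET registers an uninstall entry whose DisplayName begins with "EMET" is flagged in the comments.

```powershell
# Added example (not from the article): report whether this Windows 7 box has
# the KB 3146706 / KB 3147071 + EMET 5.5 + 32-bit combination reported to
# conflict. Written for PowerShell 2.0, which is what Windows 7 ships with.

$patches = 'KB3146706', 'KB3147071'

# Windows 7 reports as NT version 6.1; OSArchitecture is '32-bit' or '64-bit'.
$os      = Get-WmiObject Win32_OperatingSystem
$isWin7  = $os.Version -like '6.1.*'
$is32Bit = $os.OSArchitecture -eq '32-bit'

# Which of the two updates are actually installed on this machine.
$installed = @()
foreach ($kb in $patches) {
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { $installed += $kb }
}

# ASSUMPTION: EMET appears in the normal uninstall keys with a DisplayName
# starting with 'EMET'. Both the native and Wow6432Node views are checked.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$emet = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'EMET*' } |
        Select-Object -First 1 DisplayName, DisplayVersion

if ($emet) { $emetText = "$($emet.DisplayName) $($emet.DisplayVersion)" }
else       { $emetText = 'not found' }

# The combination the reports describe: 32-bit Win7, EMET 5.5, either patch present.
$atRisk = $isWin7 -and $is32Bit -and ($installed.Count -gt 0) -and
          $emet -and ($emet.DisplayVersion -like '5.5*')

New-Object PSObject -Property @{
    Computer = $env:COMPUTERNAME
    Windows7 = $isWin7
    Arch     = $os.OSArchitecture
    Patches  = ($installed -join ',')
    EMET     = $emetText
    AtRisk   = $atRisk
}
```

Run it locally or through Invoke-Command against a list of hosts and filter on AtRisk; machines that come back true are the ones to hold the patch on (or decline it in WSUS) until Microsoft says the conflict is resolved. It does not touch the Ghost case, since a pirated image carries no marker a script can reliably query.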

If intended, however, it's an interesting attack vector, wouldn't you say?

Tip o' the Baker Street Irregulars hat to Hopeful Cynic and Gord.

Copyright © 2016 IDG Communications, Inc.
