My next class:

MS10-015 may cause Windows XP to blue screen

Published: 2010-02-11. Last Updated: 2010-02-11 20:59:41 UTC
by Johannes Ullrich (Version: 1)
21 comment(s)

We have heard about reports that MS10-015 causes some Windows XP machines to blue screen. If you are seeing this issue, please let us know.

(I am filling in for Deborah on this diary as she is ironically busy dealing with lots of blue screens in her organization, which may be related)

See for example:

http://www.krebsonsecurity.com/2010/02/new-patches-cause-bsod-for-some-windows-xp-users/

and

http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: blue screen Microsoft patches
21 comment(s)
My next class:

Comments

I have seen this on one of my workstations. Rebooted the workstation and everything seems fine.

pwobbe

Feb 11th 2010
1 decade ago

Two PCs were updated. I found one not responding, part way through booting. Powered off and on, and it booted normally. The other PC had rebooted OK.

Dick Rawson

Feb 11th 2010
1 decade ago

we updated 112 PC's updated last night, no problems at all

bertomatic

Feb 11th 2010
1 decade ago

we updated 112 PC's updated last night, no problems at all

bertomatic

Feb 11th 2010
1 decade ago

67 machines updated, one BSOD. Rolled back KB977165 (MS10-015) on that one machine, rebooted and all was well.

GuenTech

Feb 11th 2010
1 decade ago

I had an Eee PC with XP Home brought to me with this same problem. I rolled back KB977165, rebooted and the system worked fine. I reapplied KB977165 and the rest of the updates available at Microsoft Update, and the problem returned. I replaced \WINDOWS\System32\drivers\atapi.sys with a clean version from a XP SP3 distribution folder and rebooted... voila! Problem solved.

For reference, the SHA1SUMs of the atapi.sys files:

Non-working:
bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6

Working:
a719156e8ad67456556a02c34e762944234e7a44

If anyone wants to look at the non-working atapi.sys:
https://patrickwbarnes.com/pub/atapi.sys

I will be looking at this more in-depth.

Patrick W. Barnes

Feb 11th 2010
1 decade ago

I uploaded the non-working atapi.sys to VirusTotal. Here's the result:

http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529

Apparently, this update problem is the result of an infection.

Patrick W. Barnes

Feb 11th 2010
1 decade ago

Patrick, just before your post I downloaded the atapi.sys from your site because nothing at Microsoft's site indicates that this driver would be replaced by MS10-015. My AV screamed. I turned it off and, more or less simultaneously with you, uploaded the file to virustotal, see http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925521

I wouldn't be surprised if the new kernel files, replaced by the MS10-015 patch, change (pointer) tables that are being exploited by certain types of malware (rootkits in particular), which cease to work 'correctly' after the patch.

Bitwiper

Feb 11th 2010
1 decade ago

Based on the malware observation above, my best guess is that either malware, or legitimate software, that modifies (probably undocumented) in-memory kernel data, functions or (pointer-) tables, is causing XP systems to crash after applying MS10-015.

Bitwiper

Feb 11th 2010
1 decade ago

I concur with Bitwiper's conclusion. It appears that, following this update, the references made by the malware-infected atapi.sys are broken, resulting in the crash.

The best advice to those who have not already applied the update is to perform virus scans with up-to-date antivirus software. The problem may not be isolated to the infection identified by the VirusTotal results above.

For those who are now facing this issue, replacing atapi.sys using the Windows Recovery Console or live media, then thoroughly scanning for and cleaning any other infected files should return the system to working order. As with any infection, I would recommend wiping and reloading the system if feasible.

Patrick W. Barnes

Feb 11th 2010
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives