MS10-015 may cause Windows XP to blue screen
We have heard reports that MS10-015 causes some Windows XP machines to blue screen. If you are seeing this issue, please let us know.
(I am filling in for Deborah on this diary, as she is, ironically, busy dealing with lots of blue screens in her organization, which may be related.)
http://www.krebsonsecurity.com/2010/02/new-patches-cause-bsod-for-some-windows-xp-users/
and
http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Comments
For reference, the SHA1SUMs of the atapi.sys files:
Non-working:
bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6
Working:
a719156e8ad67456556a02c34e762944234e7a44
If anyone wants to look at the non-working atapi.sys:
https://patrickwbarnes.com/pub/atapi.sys
I will be looking at this in more depth.
Patrick W. Barnes
Feb 11th 2010
1 decade ago
http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529
Apparently, this update problem is the result of an infection.
Patrick W. Barnes
Feb 11th 2010
1 decade ago
I wouldn't be surprised if the new kernel files, replaced by the MS10-015 patch, change (pointer) tables that are being exploited by certain types of malware (rootkits in particular), which cease to work 'correctly' after the patch.
Bitwiper
Feb 11th 2010
1 decade ago
The best advice to those who have not already applied the update is to perform virus scans with up-to-date antivirus software. The problem may not be isolated to the infection identified by the VirusTotal results above.
For those who are now facing this issue, replacing atapi.sys using the Windows Recovery Console or live media, then thoroughly scanning for and cleaning any other infected files should return the system to working order. As with any infection, I would recommend wiping and reloading the system if feasible.
Patrick W. Barnes
Feb 11th 2010
1 decade ago
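A triage check built from the two SHA-1 values posted earlier in the thread and the live-media advice in the last comment, as an added example (not code from the diary or its commenters): it walks a mounted Windows XP volume, hashes every copy of atapi.sys it finds, and labels each one. The function names and the mount-point argument are assumptions; a hash matching neither posted value is reported as unknown, because other legitimate atapi.sys versions exist.

```python
import hashlib
import os
import sys

# SHA-1 values quoted in the comment thread above.
NON_WORKING_SHA1 = "bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6"
WORKING_SHA1 = "a719156e8ad67456556a02c34e762944234e7a44"

def sha1_of(path, chunk=1 << 16):
    """Hash a file in chunks so it never has to fit in memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(digest):
    """Map a digest to a verdict; anything not listed in the thread is 'unknown'."""
    digest = digest.lower()
    if digest == NON_WORKING_SHA1:
        return "non-working"
    if digest == WORKING_SHA1:
        return "working"
    return "unknown"

def scan_volume(root, name="atapi.sys"):
    """Find every copy of `name` under `root` (case-insensitive, since the
    volume may be mounted on a case-sensitive OS) and classify each one."""
    results = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for fn in files:
            if fn.lower() == name:
                path = os.path.join(dirpath, fn)
                try:
                    results.append((path, classify(sha1_of(path))))
                except OSError as exc:  # unreadable file: report it, keep going
                    results.append((path, "error: %s" % exc.strerror))
    return sorted(results)

if __name__ == "__main__":
    # Assumption: argv[1] is the mount point of the offline XP volume.
    found = scan_volume(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, verdict in found:
        print("%-12s %s" % (verdict, path))
    sys.exit(1 if any(v == "non-working" for _, v in found) else 0)
```

A "working" or "unknown" verdict covers only atapi.sys; the advice above to scan for other infected files still applies.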