From: MEB on 17 Feb 2010 14:33

On 02/15/2010 02:31 PM, MEB wrote:
> On 02/15/2010 04:38 AM, David Kaye wrote:
>> "The Real Truth MVP" <trt(a)void.com> wrote:
>>
>>> The Malicious Removal Tool does detect and remove Win32/Alureon family, that
>>> Peter Foldes troll does not check his facts before he posts. MS is not 100%
>>> sure why the patch has caused crashing but a common finding is that Trojan.
>>> They are still investigating. Give them some time there are many factors to
>>> look at.
>>
>> My feeling is that given the hundreds of different kinds of motherboards,
>> dozens of kinds of memory, video cards, audio cards, resulting in hundreds of
>> thousands of combinations -- it's a wonder that Windows works at all.
>>
>
> Along those lines; Windows STILL isn't working all that well. These are
> the apparent vulnerabilities un-addressed and/or left/found directly
> after the massed patches last Tuesday and/or as otherwise shown.
>
> http://www.us-cert.gov/cas/bulletins/SB10-046.html
> (see prior week summaries for other factors)
>
> Compare with:
>
> Microsoft Security Bulletin MS10-015 - Important
> Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
> (977165)
> http://www.microsoft.com/technet/security/Bulletin/MS10-015.mspx
>
> http://www.microsoft.com/security/updates/bulletins/
>
> Security updates - Updated: July 14, 2009
> http://www.microsoft.com/protect/computer/updates/bulletins/default.mspx
>
> Microsoft Security Bulletin Summary for February 2010
> Published: February 09, 2010 - Updated: February 10, 2010
> http://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx
>
>
> As for the BSoD, one must keep in mind that the "major" changes made
> with this massed patching were kernel related, a deep change in the
> basic functioning of Windows 086 coding, AND the core functioning of
> several parts of applications or the OS extensions.
> Yes, perhaps Microsoft should have tested deeper and longer, but the
> issues being addressed are/were essential to the CORE functioning of
> Windows NT operating systems which existed for several versions of OSs
> [the 17 year old vulnerability], one of which is the 16bit coding
> vulnerability [ex., backwards compatibility] which so many Windows users
> *have DEMANDED* Microsoft continue.
> This isn't the first time a Microsoft patch BSoDed one of its OSs, nor
> will it be the last. The hardware CAN be part of the update issue, as
> well as individuals' settings, and/or other found within the
> individuals' computer such as the applications which might be installed,
> in ADDITION to the malware that might be involved.
>
> One factor that many Windows users are conveniently overlooking is the
> apparent FACT that their systems MAY have been or DO have severe
> malware/hack issues, which either their AV did NOT protect them from or
> advise them of, or which came, perhaps, with their pirated software or
> otherwise became installed. OBVIOUSLY, Microsoft would not include this
> malware in its legitimate distributions so the users should look more
> towards their own activities.
>

How about an interesting update to the issue.

BSOD after MS10-015? TDL3 authors "apologize" - Feb. 16 2010
http://www.prevx.com/blog/143/BSOD-after-MS-TDL-authors-apologize.html

Seems the rootkit developers have already fixed the BSoD so you can install the update while leaving the rootkit installed and intact. Now THERE is a group that is concerned about you [cough].

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
From: David Kaye on 17 Feb 2010 18:54

Geoff <geoff(a)invalid.invalid> wrote:

>It looks like your machines were infected with a rootkit called
>Tidserv.

This also explains why my own machines were not affected in the slightest.
Okay, I'm sorry, Microsoft. You win. You put out a good patch.
From: Geoff on 17 Feb 2010 20:21

On Wed, 17 Feb 2010 23:54:31 GMT, sfdavidkaye2(a)yahoo.com (David Kaye) wrote:

>Geoff <geoff(a)invalid.invalid> wrote:
>
>>It looks like your machines were infected with a rootkit called
>>Tidserv.
>
>This also explains why my own machines were not affected in the slightest.
>Okay, I'm sorry, Microsoft. You win. You put out a good patch.

Apparently the malware was calling a kernel function using a hard-coded address. This is typical of shellcode exploits. The patched kernel probably moved the location of that function, and when the malware jumps into the new kernel code it crashes the machine. I expect to see a more detailed analysis soon.

I don't know if you tried booting into the command prompt safe-mode or not, but you might try that. If the same kernel is used or the rootkit has a chance to start, you may end up with just another BSOD.

Presence of the rootkit is just another example of the failure of reactive malware detection or out of date A-V products, and of the failure to use secure coding practices as part of the development process.
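The mismatch Geoff describes (a stored pointer that no longer lands where the running kernel's code actually is) is the same condition a rootkit detector looks for when it audits a kernel dispatch table. The following is an added example, not code from this thread or from any of the products mentioned: a constructed C model of such a table check, where every address, slot name and image range is a made-up sample value rather than a real Windows offset.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a kernel dispatch table: each slot holds the address
 * of a kernel routine. A rootkit that hooks a slot swaps in its own pointer;
 * a patch that moves kernel code changes the legitimate value. Either way
 * the observed pointer stops matching the current build's expected one. */
#define NSLOTS 4
typedef struct { const char *name; uint32_t addr; } slot_t;

/* Expected routine addresses for the running build (constructed values). */
static const slot_t expected_table[NSLOTS] = {
    {"NtCreateFile",       0x80501000u},
    {"NtOpenProcess",      0x80501230u},
    {"NtQueryDirectory",   0x80501480u},
    {"NtTerminateProcess", 0x805016f0u},
};

/* Table as read from a live system (constructed): slot 2 redirected to an
 * address outside the kernel image, as a hooked slot would be. */
static const uint32_t observed_table[NSLOTS] = {
    0x80501000u, 0x80501230u, 0xf7a3c000u, 0x805016f0u,
};
/* A clean reading of the same table, for comparison. */
static const uint32_t clean_table[NSLOTS] = {
    0x80501000u, 0x80501230u, 0x80501480u, 0x805016f0u,
};

/* Kernel image bounds for this build (constructed). */
static const uint32_t kernel_base = 0x80400000u;
static const uint32_t kernel_end  = 0x80600000u;

static int in_kernel_image(uint32_t addr) {
    return addr >= kernel_base && addr < kernel_end;
}

/* Compare each observed slot with the expected address. Returns a bitmask of
 * mismatching slots and notes whether each bogus pointer even lies inside the
 * kernel image (a pointer outside it is the classic hook signature). */
static unsigned find_hooked_slots(const slot_t *expected, const uint32_t *observed, int n) {
    unsigned mask = 0;
    for (int i = 0; i < n; i++) {
        if (observed[i] == expected[i].addr) continue;
        printf("slot %d (%s): expected %#" PRIx32 ", observed %#" PRIx32 " (%s kernel image)\n",
               i, expected[i].name, expected[i].addr, observed[i],
               in_kernel_image(observed[i]) ? "inside" : "OUTSIDE");
        mask |= 1u << i;
    }
    return mask;
}

int main(void) {
    unsigned m = find_hooked_slots(expected_table, observed_table, NSLOTS);
    return m != 0;   /* non-zero exit when any slot is suspicious */
}
```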
From: David Kaye on 17 Feb 2010 21:47

Geoff <geoff(a)invalid.invalid> wrote:

>I don't know if you tried booting into the command prompt safe-mode or
>not but you might try that but if the same kernel is used or the
>rootkit has a chance to start you may end up with just another BSOD.

On one machine I couldn't even get to safe mode. On the other it was spotty; sometimes it would boot and sometimes hang.
From: MEB on 18 Feb 2010 01:29

On 02/17/2010 06:54 PM, David Kaye wrote:
> Geoff <geoff(a)invalid.invalid> wrote:
>
>> It looks like your machines were infected with a rootkit called
>> Tidserv.
>
> This also explains why my own machines were not affected in the slightest.
> Okay, I'm sorry, Microsoft. You win. You put out a good patch.
>

Well, that may not necessarily be true; many computers MAY be infected and did not BSoD, depending upon when the updates to Windows process was done. The patched rootkit was distributed within a matter of hours after the first complaints of BSoD issues surfaced. Hence many users may still be infected.

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government