By Scott M. Fulton, III, Betanews
A spokesperson for Microsoft told Betanews early this afternoon that it has officially investigated claims that its latest security updates are the cause of an alleged "crop" of "Black Screen of Death" incidents, for which British security firm Prevx hurriedly released something billed as a possible fix. The claims, the company says, are unfounded.
"Microsoft has investigated reports that its latest release of security updates is resulting in system issues for some customers due to changes made by the security updates to the registry," the spokesperson told us. "Our comprehensive investigation has shown that the November security updates, the Microsoft Malicious Software Removal Tool, and the non-security updates we released through Windows Update in November do not make any changes to the registry as claimed. We do not believe Microsoft Updates are related to the behavior described in these reports."
In the era of Google News, when the mere mention of certain high-intensity keywords can guarantee headline success, the phrases "black screen," "death," and "woes" are ripe pickings for blogs and news aggregators. The resulting swarm of Twitter links yesterday landed Prevx smack in the middle of BBC News this morning, after Prevx released what it called a "fix" (which may or may not work) for recent Black Screen of Death (KSoD) incidents. Although such incidents have continued to be reported for years, including by Betanews itself, the existence of a recent "crop" of such problems had not been apparent or even claimed until Prevx's release yesterday.
The KSoD problem is a real problem, and we've covered it before because it's happened to us. But in our case, it happened on Vista-based PCs, not Windows 7. There are multiple known potential causes; the one we discovered for Vista had to do with a faulty event log that the operating system could not read or write to during the startup sequence. That failure triggered a condition intentionally created for when a user runs a non-genuine copy of Windows for too long (ours was certainly genuine).
Our research on the subject suggests that any number of potential causes could still trigger the product activation feature to show a black screen on top of the active Windows desktop -- which is how the activation penalty is actually designed to work, even though triggered by the wrong causes. But we have yet to notice the problem ourselves, or see a "crop" or "swarm" or "blizzard" of such incidents, on Windows 7.
Prevx is claiming the existence of a new "crop" of KSoD issues affecting all versions of Windows going back to NT. In the past, the firm has released free tools which have appeared to counteract the effects of specific security incidents, such as straying onto a rogue anti-malware site and picking up real malware or even rootkits in the process. An initial observation of the 49K FixShell.exe file released by Prevx yesterday shows nothing obviously malicious. It contains a valid XML manifest, and a code certificate backed by VeriSign. And in fact, on our test system with Sophos anti-malware installed, not only did the file not appear to run any process of its own on startup, it did not appear to do what Prevx said it would do: make adjustments to the System Registry.
For a company that made its name pointing out the dangers of trusting any old site that claims it's found an infection on your system and it can fix that for you, it may be a little ironic for Prevx to be pushing a quick fix as an .EXE file, for a problem whose causes it can't adequately explain.
"The cause of this recent crop of Black Screen appears to be a change in the Windows Operating System's lock-down of registry keys," writes Prevx support technician David Kennerley. "This change has the effect of invalidating several key registry entries if they are updated without consideration of the new ACL [access control list] rules being applied. For reference, the rule change does not appear to have been publicized adequately, if at all, with the recent Windows updates."
Kennerley goes on to say Prevx knows of ten different scenarios that could trigger KSoD conditions, and acknowledges that maybe this fix will work and maybe it won't.
Assuming that by "recent" Kennerley meant within the last few months, of the Patch Tuesday fixes Microsoft has released since October, only a few have been broad enough to cover multiple versions of Windows dating back to at least Windows 2000. Microsoft does not actively support Windows NT any longer, so it's conceivable that a reported issue that impacted W2K could affect NT as well. But none of the security bulletins and fixes issued for the broader problems appear to deal with what Kennerley is implying: the institution of some kind of lockdown mechanism for certain System Registry keys that may conflict with the permissions programs and system services expect to find in those keys' access control lists.
We're not aware of any rule change for access control lists; and Microsoft certainly had plenty of opportunity to discuss such a change, if there was one, with developers at PDC 2009 a few weeks ago. Perhaps a more likely scenario is that a recent patch changed permissions for a file or resource that some program, possibly a third-party driver, expected to be more open. If that's the case, then even if the Prevx fix does cure the KSoD problem, it is conceivable that adjusting the permissions back the other way would re-introduce the vulnerability that the original Microsoft patch addressed. That's assuming the fix actually does anything at all -- something we haven't yet been able to verify.
However, all of that is speculation until anyone, including Microsoft, can make sense of just what it was that Kennerley is claiming.
"The successful deployment of security updates is the ultimate goal of the Microsoft Security Response Center. Because of this, we continually work with our Customer Service and Support teams to keep a close eye for issues that may impact customers' deployment of security updates. Based on our investigation so far we can say that we're not seeing this as an issue from our support organization," the spokesperson told us. "The issues as described also do not match any known issues that have been documented in the security bulletins or KB articles."
E-mails to known Prevx addresses bounced back this morning, as though no one were actually present at the firm.
Copyright Betanews, Inc. 2009