MS10-015 may cause Windows XP to blue screen

Published: 2010-02-11
Last Updated: 2010-02-11 20:59:41 UTC
by Johannes Ullrich (Version: 1)
21 comment(s)

We have heard about reports that MS10-015 causes some Windows XP machines to blue screen. If you are seeing this issue, please let us know.

(I am filling in for Deborah on this diary as she is ironically busy dealing with lots of blue screens in her organization, which may be related)

See for example:

http://www.krebsonsecurity.com/2010/02/new-patches-cause-bsod-for-some-windows-xp-users/

and

http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

21 comment(s)

Comments

I have seen this on one of my workstations. Rebooted the workstation and everything seems fine.
Two PCs were updated. I found one not responding, part way through booting. Powered off and on, and it booted normally. The other PC had rebooted OK.
we updated 112 PC's updated last night, no problems at all
we updated 112 PC's updated last night, no problems at all
67 machines updated, one BSOD. Rolled back KB977165 (MS10-015) on that one machine, rebooted and all was well.
I had an Eee PC with XP Home brought to me with this same problem. I rolled back KB977165, rebooted and the system worked fine. I reapplied KB977165 and the rest of the updates available at Microsoft Update, and the problem returned. I replaced \WINDOWS\System32\drivers\atapi.sys with a clean version from a XP SP3 distribution folder and rebooted... voila! Problem solved.

For reference, the SHA1SUMs of the atapi.sys files:

Non-working:
bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6

Working:
a719156e8ad67456556a02c34e762944234e7a44

If anyone wants to look at the non-working atapi.sys:
https://patrickwbarnes.com/pub/atapi.sys

I will be looking at this more in-depth.
I uploaded the non-working atapi.sys to VirusTotal. Here's the result:

http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529

Apparently, this update problem is the result of an infection.
Patrick, just before your post I downloaded the atapi.sys from your site because nothing at Microsoft's site indicates that this driver would be replaced by MS10-015. My AV screamed. I turned it off and, more or less simultaneously with you, uploaded the file to virustotal, see http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925521

I wouldn't be surprised if the new kernel files, replaced by the MS10-015 patch, change (pointer) tables that are being exploited by certain types of malware (rootkits in particular), which cease to work 'correctly' after the patch.
Based on the malware observation above, my best guess is that either malware, or legitimate software, that modifies (probably undocumented) in-memory kernel data, functions or (pointer-) tables, is causing XP systems to crash after applying MS10-015.
I concur with Bitwiper's conclusion. It appears that, following this update, the references made by the malware-infected atapi.sys are broken, resulting in the crash.

The best advice to those who have not already applied the update is to perform virus scans with up-to-date antivirus software. The problem may not be isolated to the infection identified by the VirusTotal results above.

For those who are now facing this issue, replacing atapi.sys using the Windows Recovery Console or live media, then thoroughly scanning for and cleaning any other infected files should return the system to working order. As with any infection, I would recommend wiping and reloading the system if feasible.

Diary Archives