
Microsoft Black Screen of Death - Fact or Fiction?

Published: 2009-12-02
Last Updated: 2009-12-02 16:43:47 UTC
by Rob VandenBrink (Version: 1)
1 comment(s)

We've had a lot of interest in the drama unfolding around Prevx's announcement on Nov 27 that they had found and researched a "Black Screen of Death" issue. You can find their initial post on this issue here: http://www.prevx.com/blog/140/Black-Screen-woes-could-affect-millions-on-Windows--Vista-and-XP.html
The title of their blog post indicates that this could affect "millions of Windows 7, Vista and XP stations". Prevx's root cause post on Dec 1 ( http://www.prevx.com/blog/141/Windows-Black-Screen-Root-Cause.html ) fleshes this out further, indicating that one of the recent Microsoft patches, KB915597 and/or KB976098, seemed to modify the ACLs on a registry key, which in turn denies local users the right to view their own desktop, resulting in the "black screen" symptom.

This is a well-known and long-standing symptom - you can deny users access to their own screen by changing the ACLs on the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. This isn't a problem on its own, it's part of the overall design of Windows - I can think of a few cases where this might be a useful thing, in fact.
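To check whether a machine showing this symptom actually has a restrictive ACL on that key, the following PowerShell audit can be run from an elevated prompt. It is an added example, not part of the original diary or of Prevx's or Microsoft's tooling; it assumes `Shell` is a value of the `Winlogon` key (so the ACL is read from that key), and the function name `Test-WinlogonShellAcl` is hypothetical.

```powershell
# Added example: report ACL entries on the Winlogon key that would stop
# ordinary users from reading the Shell value.
function Test-WinlogonShellAcl {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $readKey  = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    $inhOnly  = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
    $userSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier]) |
             Where-Object {
                 # Skip ACEs that only apply to subkeys, not to this key
                 (([int]$_.PropagationFlags -band $inhOnly) -eq 0) -and
                 ($userSids -contains $_.IdentityReference.Value)
             }

    # Any Deny ACE touching read rights blocks the user, whatever is allowed
    $deny  = @($rules | Where-Object {
                 $_.AccessControlType -eq 'Deny' -and
                 ([int]$_.RegistryRights -band $readKey) -ne 0 })
    # An Allow ACE must grant the full ReadKey set to count
    $allow = @($rules | Where-Object {
                 $_.AccessControlType -eq 'Allow' -and
                 ([int]$_.RegistryRights -band $readKey) -eq $readKey })

    [pscustomobject]@{
        Path         = $Path
        Owner        = $acl.Owner
        ShellValue   = (Get-ItemProperty -Path $Path -Name Shell -ErrorAction SilentlyContinue).Shell
        DenyRules    = $deny
        UsersCanRead = ($deny.Count -eq 0 -and $allow.Count -gt 0)
    }
}

$result = Test-WinlogonShellAcl
$result | Format-List Path, Owner, ShellValue, UsersCanRead
$result.DenyRules | Format-Table IdentityReference, RegistryRights, IsInherited
```

This reads the ACEs as stored and does not compute effective access for a specific account, so a `UsersCanRead` of `False` is a prompt to inspect the key by hand rather than a final verdict.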

Anyway, on to the drama: Microsoft also posted on Dec 1 ( http://blogs.technet.com/msrc/archive/2009/12/01/reports-of-issues-with-november-security-updates.aspx  ) - they had a few important points:

  • They've reviewed all of their recent updates - they simply do not change this ACL
  • They are not receiving millions of calls - this can't be affecting millions of systems
  • Prevx went straight to press without involving Microsoft


I'd echo Microsoft on this one (on all 3 points actually) - we simply aren't seeing any widespread "black screen" issue.

Prevx has posted a final blog entry today ( http://www.prevx.com/blog/142/Windows-Black-Screen-recap.html ).  They're now agreeing with Microsoft, that the black screen issue that they've seen appears to have some cause unrelated to the Microsoft updates.  I can see how this might be an easy mistake to make, especially if you are researching several issues on one machine or VM image.

The thing I find most interesting in this cyber-opera is the number of  posts that we're seeing on other sites that took the original post as truth without doing any check at all.  I realize people are busy and everything, but a little bit of fact-checking goes a long way ....


So to recap - the "Black Screen of Death" is in fact a real thing, but it's not a recent thing, and you won't be seeing it as a result of applying any of the Microsoft patches to date.  It's still recommended to keep your Windows systems (and any other systems for that matter) as up to date as possible with vendor updates.