Microsoft patches fail infected Windows users

The company's April security updates will not install if it detects a user's machine as being infected with the Alureon rootkit
Written by Martin Gaston, Contributor

Microsoft's April security fixes for Windows will not install if the user's machine is infected with the Alureon rootkit.

The company's latest security patches, released on 16 April, will spot the rootkit if present and refuse to continue with installation. The Alureon rootkit was responsible for crashes in February's security updates, including Blue Screen of Death errors for XP users due to the way it interacted with the KB977165 patch, which required kernel access.

April's security bulletin primarily patches vulnerabilities in the kernel, with the most severe exploit allowing an elevation of privilege if an attacker has logged on locally. The patches include 11 security bulletins that fix 25 vulnerabilities, and can be installed once the infected machines are cleaned.

Alureon causes problems with the way Microsoft's patches interact with the kernel, which has led the company to include package-detection logic that prevents the installation of the security update if the rootkit is present on 32-bit systems, according to the MS10-021 bulletin.

Microsoft has provided MpSysChk.exe, a command-line tool for IT managers that diagnoses potential incompatibilities in their systems, and a similar Fix it application for individual users.

Microsoft added Alureon to its Malware Protection Center in October 2009, whereas Symantec has detected it — as TidServ — since September 2008. Alureon intercepts an infected machine's network traffic to search for usernames, passwords and credit card data.

Microsoft recommended in the MS10-021 bulletin that all IT managers install the updates.

"If Microsoft issues a patch that they think is important, we should all sit up and listen," said Graham Cluley, head of corporate communications and senior technology consultant at security firm Sophos.

February's kernel problems were not the fault of Microsoft, but instead a result of the malware having poor compatibility with other software, according to Sophos security researcher Fraser Howard.
