Microsoft denies latest 'Black Screen of Death' claims
By Scott M. Fulton, III | Published December 1, 2009, 12:34 PM
A spokesperson for Microsoft told Betanews early this afternoon that it has officially investigated claims that its latest security updates are the cause of an alleged "crop" of "Black Screen of Death" incidents, for which British security firm Prevx hurriedly released something billed as a possible fix. The claims, the company says, are unfounded.
"Microsoft has investigated reports that its latest release of security updates is resulting in system issues for some customers due to changes made by the security updates to the registry," the spokesperson told us. "Our comprehensive investigation has shown that the November security updates, the Microsoft Malicious Software Removal Tool, and the non-security updates we released through Windows Update in November do not make any changes to the registry as claimed. We do not believe Microsoft Updates are related to the behavior described in these reports."
In the era of Google News, when the mere mention of certain high-intensity keywords can guarantee headline success, the phrases "black screen," "death," and "woes" are ripe pickings for blogs and news aggregators. The resulting swarm of Twitter links yesterday landed Prevx smack in the middle of BBC News this morning, after Prevx released what it called a "fix" (which may or may not work) for recent Black Screen of Death (KSoD) incidents. Although such incidents have continued to be reported for years, including by Betanews itself, the existence of a recent "crop" of such problems had not been apparent or even claimed until Prevx's release yesterday.
The KSoD problem is a real problem, and we've covered it before because it's happened to us. But in our case, it happened on Vista-based PCs, not Windows 7. There are multiple known potential causes; the one we discovered for Vista had to do with a faulty event log that the operating system could not read or write to during the startup sequence. That failure triggered a condition intentionally created for when a user runs a non-genuine copy of Windows for too long (ours was certainly genuine).
Our research on the subject suggests that any number of potential causes could still trigger the product activation feature to show a black screen on top of the active Windows desktop -- which is how the activation penalty is actually designed to work, even though triggered by the wrong causes. But we have yet to notice the problem ourselves, or see a "crop" or "swarm" or "blizzard" of such incidents, on Windows 7.
Prevx is claiming the existence of a new "crop" of KSoD issues affecting all versions of Windows going back to NT. In the past, the firm has released free tools which have appeared to counteract the effects of specific security incidents, such as straying onto a rogue anti-malware site and picking up real malware or even rootkits in the process. An initial observation of the 49K FixShell.exe file released by Prevx yesterday shows nothing obviously malicious. It contains a valid XML manifest, and a code certificate backed by VeriSign. And in fact, on our test system with Sophos anti-malware installed, not only did the file not appear to run any process of its own on startup, it did not appear to do what Prevx said it would do: make adjustments to the System Registry.
For a company that made its name pointing out the dangers of trusting any old site that claims it's found an infection on your system and it can fix that for you, it may be a little ironic for Prevx to be pushing a quick fix as an .EXE file, for a problem whose causes it can't adequately explain.
"The cause of this recent crop of Black Screen appears to be a change in the Windows Operating Systems lock down of registry keys," writes Prevx support technician David Kennerley. "This change has the effect of invalidating several key registry entries if they are updated without consideration of the new ACL [access control list] rules being applied. For reference the rule change does not appear to have been publicized adequately, if at all, with the recent Windows updates."
Kennerley goes on to say Prevx knows of ten different scenarios that could trigger KSoD conditions, and acknowledges that maybe this fix will work and maybe it won't.
Assuming that by "recent" Kennerley meant within the last few months, of the Patch Tuesday fixes Microsoft has released since October, only a few have been broad enough to cover multiple versions of Windows dating back to at least Windows 2000. Microsoft does not actively support Windows NT any longer, so it's conceivable that a reported issue that impacted W2K could affect NT as well. But none of the security bulletins and fixes issued for the broader problems appear to deal with what Kennerley is implying: the institution of some kind of lockdown mechanism for certain System Registry keys, that may conflict with the permissions that programs and system services may expect for their access control lists.
We're not aware of any rule change for access control lists; and Microsoft certainly had plenty of opportunity to discuss such a change, if there was one, with developers at PDC 2009 a few weeks ago. Perhaps a more likely scenario was that a recent patch may have changed permissions for a file or resource that some program, possibly a third-party driver, expected to be more open. If that's the case, even if the Prevx fix does cure the KSoD problem, it would be conceivable that adjusting the permissions the other way could re-introduce the vulnerability that the original Microsoft patch addressed. That's assuming the fix actually does anything at all -- something which we haven't yet been able to verify.
However, all of that is speculation until anyone, including Microsoft, can make sense of just what it was that Kennerley is claiming.
"The successful deployment of security updates is the ultimate goal of the Microsoft Security Response Center. Because of this, we continually work with our Customer Service and Support teams to keep a close eye for issues that may impact customers' deployment of security updates. Based on our investigation so far we can say that we're not seeing this as an issue from our support organization," the spokesperson told us. "The issues as described also do not match any known issues that have been documented in the security bulletins or KB articles."
E-mails to known Prevx addresses bounced back this morning, as though no one were actually present at the firm.
hahahahahahahahahahahahahahaha
I found this too curious to actually dismiss as another BS filler article, only to discover that it was, indeed, another BS filler article. hehehehehehehehe
My intelligence NEVER fails...
Google: prevx click news. Whatcha see is this beautiful thing in front of your very eyes:
"Now Prevx has admitted that as well. On a company blog, director of research Jacques Erasmus admits that the Black Screen of Death is in fact caused by malware, not by the Microsoft security patch. He adds, 'We apologize to Microsoft for any inconvenience our blog may have caused.'
Something tells me that the people at Prevx aren't going to be named a Microsoft MVP any time soon."
http://blogs.computerwor...een_of_death_we_blew_it
Score: 1
|Step 1: Announce solution to non-proven problem
Step 2: ???
Step 3: Profit
Questions?
Score: 2
|My screen went blank when I touched a button on the side of the monitor. Is it Windows 7?
Score: 0
|Your computer must have very high fever. Try to spray some icy water on side, top, front, and back of monitor to wake it up. Always works.
Score: 2
|I have yet to see a black screen of death. I have had 2 blue screens of death caused by nvidia display driver. Way to go Nvidia, no matter the OS Nvidia sucks at making drivers. 500 dollars for a video card and you think they could get the drivers to work. Too much to ask for I guess.
Score: 1
|I paid $50 for my fanless 9600GT and no issues for over a year?
Score: 0
|Black screen of death. Argh hate those and I've had a few of those over the last couple of months! Oh wait, it was in Linux...
Score: 2
|Why can't we configure designer colored screens of death? I'll take mine in teal.
Score: 1
|used to be possible ;) not sure if it still is
Score: 1
|If this guy thinks Windows NT 4 suffers from the black screen of death that speaks volumes about his intelligence right there. Since the first version of Windows NT to use Genuine Advantage was Windows 2000 and product activation didn't appear until Windows XP there's no way that the black screen of death could affect NT 4.
Score: 0
|When I used to be a Windows user I got really annoyed when their updates broke something; it happened more often than it should have. So I started to avoid updates. Then the net became a nastier place and I had no choice.
So I switched to Linux. And guess what? Ubuntu updates often break things too.
Score: 5
|lol, i know what you mean there... :P
but, all in all, Windows Update has become highly tested and reliable, much more so than Ubuntu etc
Score: 2
|LMAO! I was reading the first paragraph and expected either an Apple or a Linux "it doesn't happen to me" statement.
Kudos for actually pointing out that updates can break ANY operating system!
Score: 3
|Other than XPSP2, I have never had an issue with any Windows Update. NEV-ER.
Score: 1
|seems more so lately with 9.10, had to start gnome in safe mode for a while after an update.
Score: 1
|i honestly don't recall any issues with windows update besides one .NET Framework update failing to install over and over. then one day it installed without an issue.
Score: 1
|I've recently started having blank/black screen caused by an annoying UAC prompt delay. The screen goes into the secure desktop mode, but the popup doesn't show for up to 30 seconds. I can get around waiting by hitting ALT+C or ALT+A on Vista or ALT+C on Win7 (the underlined letters on the 'Continue' and 'Allow' buttons). It seems like the form is loaded and active before the prompt becomes visible. I don't have the same problem described here, but maybe this is a workaround.
Score: 0
|why not just disable the secure desktop, and produce just the popup Window, doing so is not any less secure, if you're proactive about security yourself. try searching:
Security
Local Policies
* UAC:switch to secure desktop when prompted for elevation
see if that solves any delay
better than messing with an EXE from a third-party
Score: 2
|i'll just repeat my twatter here ;P
"hmm, whats be this B(lack)SoD, millions of users affected BS? ;P Vista/Win7 up-to-date, http://is.gd/599V7 All-Ok"
i run both avast! and MSE respectively, zero issue
also have an XP machine with MSE, zero issue as well...
guess i lucked out this time? lol
and to all those so called journalists, stop jumping on the spin bandwagon so early, you look like utter fools
Score: 1
|My system has crashed and burned :(
Just kidding, count me in for lucky as well!
I've been one of those lucky Windows users though. Vista worked perfectly for me, and now 7.
On the other hand, I am kinda struggling to get effects enabled on 9,10.
Score: 1
|I have over 200 machines here and none were affected...of course none of them have malware on them either...HMMMMM
No not all my machines...just machines I take care of.
Score: 2