Microsoft's 'Black Screen of Death' denial solves the blame not the problem

Microsoft's response to the so-called "Black Screen of Death" problem is a throwback to an older and equally ineffective strategy -- what I have called "security by PR." Rather than managing the problem, Microsoft is managing the reaction. That simply is the wrong approach to quality customer service or instilling users with confidence about using Windows. With Windows 7 only in market for about six weeks and the holiday sales season just started, the company's priority should be fixing the problem rather than denying culpability.

Recap: Some Windows users are complaining of a Black Screen of Death (KSoD), where the operating system essentially fails to fully load at startup. KSoDs aren't new, but there have been recent reports suggesting an increasing number starting in mid November. Last week, British security firm Prevx claimed that November 10 Microsoft security updates caused recent KSoDs. However, in a late-day blog post yesterday, Prevx backed away from its assertion:

"Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches including KB976098 and KB915597 as referred to in our previous blog. Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor."

The post followed Microsoft's denial by many hours. But Prevx's update doesn't exonerate Microsoft from having mishandled the situation, because Windows security may yet be an issue. Prevx still identifies a registry problem, just one it now asserts could be caused by malicious software:

The issue appears to be related to a characteristic of the Windows Registry related to the storage of string data. In parsing the Shell value in the registry, Windows requires a null terminated "REG_SZ" string. However, if malware or indeed any other program modifies the shell entry to not include null terminating characters, the shell will no longer load properly, resulting in the infamous Black Screen with the PC showing only the My Computer folder.

The malware modifying the registry caught my attention, and Microsoft mentions it in yesterday's blog post denying culpability as deflection of responsibility:

We've conducted a comprehensive review of the November Security Updates, the Windows Malicious Software Removal Tool, and the non-security updates we released through Windows Update in November. That investigation has shown that none of these updates make any changes to the permissions in the registry. Thus, we don't believe the updates are related to the 'black screen' behavior described in these reports.

We've also checked with our worldwide Customer Service and Support organization, and they've told us they're not seeing 'black screen' behavior as a broad customer issue. Because these reports were not brought to us directly, it's impossible to know conclusively what might be causing a 'black screen' in those limited instances where customers have seen it. However, we do know that 'black screen' behavior is associated with some malware families such as Daonol.

But neither Microsoft's denial nor Prevx's retraction resolve the issue or answer why some Windows users report experiencing new KSoDs after installing Microsoft security updates. What if, say, the security updates corrected changes made by malware that results in black screens? I certainly have seen Windows PCs rendered partially unusable after removing malware. Example: Networking features disabled after some spyware is excised.

The point: Prevx only just made its assertions about Microsoft security updates and KSoDs last week, offering up a fix, too. How can either company definitively say that Microsoft security updates aren't involved? In the scenario I arbitrarily suggest, Microsoft could still claim its security updates weren't the cause, since the updates would fix changes made by malware. That's great security by PR.

Even if the security updates aren't the cause, Microsoft should show customers that it's aggressively looking for what might be causing the KSoDs -- particularly if malware might be mucking with the Windows registry. I expect more from Microsoft. Security by PR shifts the blame. Real security seeks a solution for the benefit of customers that might have comprised systems and, more importantly, to protect other users who might be assaulted by others' infected Windows PCs. Afflicted customers don't want to hear what's not causing their KSoDs. They want to know the cause and how to fix the problem. Microsoft's denial fixes nothing but blame.

The holidays have historically been a time of increased malware attacks. That's all the more reason for Microsoft to show customers -- and even malware writers planning holiday attacks -- that it's prepared for most anything. But is Microsoft really on the job, or are too many security professionals without a job because of the company's 5,000-plus layoffs? I'm not feeling confident because of Microsoft's response to Prevx? Are you?