Microsoft blue screen affecting few corporate PCs

Robert Westervelt, News Editor

Some Windows PCs are reportedly being crippled by the Blue Screen of Death (BSoD) as a result of the latest round of Microsoft patches, but several patching experts say it appears that many corporate deployments are not experiencing any major issues.

Microsoft issued 13 bulletins, five critical, in its latest round of patches, issued this week. In a Microsoft support forum thread, some people reported Windows XP PCs rebooting with the notorious blue screen. The issue was first reported by security reporter and blogger Brian Krebs. Several of those who have deployed the updates attribute the problem to MS10-015, which addresses two Windows kernel vulnerabilities. Uninstalling the fix appeared to correct the issue.

Jerry Bryant, senior communications lead at the Microsoft Security Response Center, issued a statement late Thursday acknowledging that Microsoft engineers were aware of the blue screen reports and investigating the issue.

Susan Bradley, a Microsoft MVP and IT administrator at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif., said the issue should serve as a reminder to system administrators to test patches thoroughly before deploying them. Bradley noted that those on the support forum appear to be dealing with consumer machines.

"Microsoft does test patches but with the vast/huge/large/ecosystem of machines out here they cannot be perfect," wrote Bradley in an email message. "Right now it looks consumerish and not enterprise impacting."

Other patch management experts said Microsoft tests its patches thoroughly, but on fairly standard configurations. Corporate systems, which have fairly typical configurations, may not be impacted by the BSoD at all, said Don Leatham, senior director of solutions and strategy at vulnerability management vendor Lumension Inc. Leatham said the company received no reports from customers having blue screen issues. Tests by Lumension also came up clear, he said.

"People should take a second to look at the information inside the bulletin that Microsoft publishes and understand the mitigating factors," he said. "In this case [MS10-015], someone would need access to the machine, so if you know certain groups of machines are well protected then maybe you can hold off on this patch until we know more about any issues associated with it."

The BSoD is also being monitored at the SANS Internet Storm Center blog, where experts patching corporate systems reported few issues. Microsoft security bulletin MS10-015 contains a workaround for one of the flaws that can be temporarily deployed until the issue is resolved. Microsoft notes that users will not be able to run 16-bit applications as a result of implementing the workaround.

Wolfgang Kandek, chief technology officer of Qualys Inc., said his customers also reported no issues with the updates, though some are still testing them prior to deployment. Until Microsoft thoroughly investigates the reported blue screen issue, administrators shouldn't have a problem delaying the deployment of MS10-015, Kandek said.

"This patch release contains other issues of a much higher criticality," Kandek said. "Microsoft tests their patches very thoroughly, but if you haven't applied it yet you may take a cautious approach and see what comes out of this."

Kandek said extremely large enterprises with a mature patching process typically conduct testing in three stages. Testing begins on a standard test bed of a couple of Windows systems. Then the patches are deployed over 1% of the user base followed by 10% of the user base. The final deployment covers all machines, he said. Smaller businesses, with fewer machines to patch, often streamline the process.
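The staged process described above can be sketched as a ring plan with a halt gate, so that a patch producing blue screens stops before it reaches the whole fleet. This is an added example, not code from the article or from any vendor named in it; the host names, the `install` callback and the failure threshold are assumptions, and the 1% and 10% stages are treated as cumulative coverage.

```python
import hashlib
import math

# Cumulative coverage after the test bed, following the stages above:
# 1% of the fleet, then 10%, then every machine.
STAGES = [("pilot-1pct", 1), ("pilot-10pct", 10), ("all", 100)]


def plan_rings(hosts, test_bed, patch_id):
    """Split the fleet into ordered, disjoint rings for one patch."""
    def key(host):
        # Salting the hash with the patch id rotates the early rings, so the
        # same machines are not the first to receive every update.
        return hashlib.sha256(f"{patch_id}:{host}".encode()).hexdigest()

    fleet = sorted(set(hosts) - set(test_bed), key=key)
    rings, start = [("test-bed", sorted(test_bed))], 0
    for name, percent in STAGES:
        end = max(start, math.ceil(len(fleet) * percent / 100))
        rings.append((name, fleet[start:end]))
        start = end
    return rings


def staged_rollout(rings, install, max_failure_rate=0.0):
    """Patch ring by ring; stop before the next ring if too many hosts fail.

    `install(host)` is a hypothetical callback that deploys the patch and
    returns True when the host comes back up cleanly.
    """
    patched, failed = [], []
    for name, ring in rings:
        ring_failed = [h for h in ring if not install(h)]
        patched.extend(ring)
        failed.extend(ring_failed)
        if ring and len(ring_failed) / len(ring) > max_failure_rate:
            return {"halted_at": name, "patched": patched, "failed": failed}
    return {"halted_at": None, "patched": patched, "failed": failed}


# Constructed fleet: 1,000 hypothetical hosts plus a two-machine test bed.
FLEET = [f"pc-{i:04d}" for i in range(1000)]
TEST_BED = ["lab-xp-01", "lab-xp-02"]
```

With the default threshold of zero, a single failed reboot in a ring halts the rollout, which limits exposure to the machines patched so far.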

"Structured companies have standard configurations and that's why it is rare to come across patching problems," Kandek said. "We haven't heard anything from our corporate customers and some of them have very aggressive schedules for rolling out patches."

Jason Miller, data and security team leader at St. Paul, Minn.-based Shavlik Technologies Inc., said he has been in contact with Microsoft and patching engineers are investigating the issue.

"I wouldn't hold off unless you have a really good reason not to," Miller said. "Not patching a system because of speculation is not a good idea. The big thing is that Microsoft is aware of this and they're researching it."

Miller added that it's hard to jump to conclusions when early reports of patching issues surface. In November, antivirus vendor Prevx attributed some black screen crashes to a patch that altered Windows registry keys. Days later, Microsoft said its investigation found no link to its issued patches and Prevx reversed its warning.