New detection logic sniffs out Alureon

Mar 3, 2010 14:13 GMT  ·  By

Microsoft resumed the distribution of MS10-015 to all Windows customers via Automatic Update on March 2nd, 2010. Microsoft Security Bulletin MS10-015, rated Important and designed to patch vulnerabilities in the Windows kernel, turned out to be the catalyst for Blue Screen errors and machines that would no longer boot, on computers that were already infected with the Alureon rootkit. Having pulled MS10-015 from AU, the Redmond company has now given the green light to automatic distribution once again, after putting in place a number of measures that prevent the patch from being installed on PCs compromised by Alureon until the infection is cleaned.

Because 64-bit Windows enforces Kernel Patch Protection (PatchGuard), Alureon was unable to compromise 64-bit copies of Windows, and the vast majority of problems were reported by users of 32-bit Windows XP. For that reason Microsoft had already started offering MS10-015 to x64 Windows users again, as soon as it could confirm that the rootkit could not circumvent PatchGuard.

On March 2nd, the software giant resumed the distribution of MS10-015 via AU for 32-bit Windows platforms as well. Jerry Bryant, senior security communications manager lead, explained that the MS10-015 installation package had been updated with new logic that halts deployment when Alureon is detected. The added detection logic specifically searches for indications of the Alureon rootkit.

“If abnormal conditions such as modified operating system files generated by a computer virus associated with the Alureon rootkit are detected, the infected computer is rendered incompatible with MS10-015,” Bryant added. “If detection logic included in Automatic Update discovers abnormal conditions in certain operating system file configurations, the update will fail and customers will be presented with an error message that offers alternative support options. If this occurs, Microsoft customer support will work with impacted customers to resolve each issue.”

According to the Redmond company, customers infected with the rootkit who attempt to deploy MS10-015 will see one of the following messages: “Error Code 0x8007F0F4 (For Windows XP, Windows Server 2000 and Windows Server 2003)” or “Error Code 0XFFFFFFFF (For Windows Vista, Windows Server 2008 and Windows 7).” If this happens, the machine should be cleaned of the rootkit before the update is retried.

In addition, Microsoft is offering for download the Kernel Update Compatibility Assessment Tool (KB980966). “We have also released a Microsoft Fix It as a standalone scanning tool that reports on the compatibility of a system with the MS10-015 update. The scanning tool can also be deployed through enterprise deployment systems allowing administrators to detect compatibility with the update before deploying broadly. The Fix It and deployment information are available at Microsoft Knowledge Base Article 980966,” Bryant said.
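The two mechanisms described above, the pre-install gate that fails the update on modified operating system files, and the standalone scanning tool that lets administrators assess a fleet before deploying broadly, follow a common pattern: compare the files a kernel update will touch against a known-good manifest, and refuse to apply the update on any host that deviates. The following example, added here and not Microsoft's actual MS10-015 detection logic, shows that pattern in Python. The file names, contents and hashes are constructed for the example; only the two error codes come from the article. One caveat a practitioner should keep in mind: a kernel-mode rootkit can intercept file reads and present clean contents, so a check of this kind is a safety gate against bricking a machine, not an authoritative infection test.

```python
"""Pre-deployment compatibility gate for a kernel update (illustrative example).

Everything here is constructed for demonstration: the 'kernel_*.sys' names and
their contents are not real Windows binaries, and the comparison logic is a
generic integrity-manifest check, not Microsoft's own MS10-015 detection code.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Error codes reported in the article for an incompatible (modified) system,
# keyed by the platform family each one applies to.
ERROR_CODES = {
    "xp_2000_2003": 0x8007F0F4,   # Windows XP, Windows 2000, Windows Server 2003
    "vista_2008_7": 0xFFFFFFFF,   # Windows Vista, Windows Server 2008, Windows 7
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good contents of the files the (hypothetical) update touches.
CLEAN_CONTENTS: Dict[str, bytes] = {
    "kernel_a.sys": b"clean driver A build 1",
    "kernel_b.sys": b"clean driver B build 1",
    "kernel_c.sys": b"clean driver C build 1",
}
# The manifest the gate actually consumes: file name -> expected SHA-256.
KNOWN_GOOD: Dict[str, str] = {n: sha256_hex(d) for n, d in CLEAN_CONTENTS.items()}


@dataclass
class Assessment:
    compatible: bool
    error_code: Optional[int]
    modified: List[str] = field(default_factory=list)   # present but hash differs
    missing: List[str] = field(default_factory=list)    # expected file not found


def assess(observed: Dict[str, bytes], platform: str,
           manifest: Dict[str, str] = KNOWN_GOOD) -> Assessment:
    """Compare observed file contents against the manifest.

    Any deviation (a modified or missing file) makes the host incompatible and
    maps to the platform-specific error code. Note that the check hashes full
    contents, so an in-place patch that preserves file size is still caught.
    """
    if platform not in ERROR_CODES:
        raise ValueError(f"unknown platform family: {platform!r}")
    result = Assessment(compatible=True, error_code=None)
    for name, expected in manifest.items():
        data = observed.get(name)
        if data is None:
            result.missing.append(name)
        elif sha256_hex(data) != expected:
            result.modified.append(name)
    if result.modified or result.missing:
        result.compatible = False
        result.error_code = ERROR_CODES[platform]
    return result


def format_error(a: Assessment) -> str:
    """Render the message a user would see when the gate blocks the update."""
    if a.compatible:
        return "compatible"
    return f"Error Code 0x{a.error_code:08X}: " \
           f"modified={a.modified} missing={a.missing}"


def fleet_report(hosts: Dict[str, Tuple[str, Dict[str, bytes]]]
                 ) -> Tuple[List[str], List[str]]:
    """Standalone scan over many hosts before a broad rollout.

    Returns (ready_hosts, hosts_needing_cleanup). Mirrors the idea of running
    a compatibility scanner through an enterprise deployment system first.
    """
    ready, needs_cleanup = [], []
    for host, (platform, observed) in sorted(hosts.items()):
        (ready if assess(observed, platform).compatible else needs_cleanup).append(host)
    return ready, needs_cleanup


if __name__ == "__main__":
    # Constructed fleet: one clean host, one with a same-size modified driver,
    # one with a driver missing altogether.
    tampered = dict(CLEAN_CONTENTS, **{"kernel_a.sys": b"clean driver A build !"})
    stripped = {k: v for k, v in CLEAN_CONTENTS.items() if k != "kernel_b.sys"}
    fleet = {
        "ws-01": ("xp_2000_2003", dict(CLEAN_CONTENTS)),
        "ws-02": ("xp_2000_2003", tampered),
        "srv-01": ("vista_2008_7", stripped),
    }
    for host, (plat, obs) in fleet.items():
        print(host, format_error(assess(obs, plat)))
    print("ready:", fleet_report(fleet)[0], "cleanup:", fleet_report(fleet)[1])
```

The gate deliberately treats a missing expected file the same as a modified one: both mean the update's assumptions about the kernel no longer hold, which is exactly the situation that produced the boot failures described in the article.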

The Kernel Update Compatibility Assessment Tool is available for download from Microsoft Knowledge Base Article 980966.