Microsoft said Tuesday that its investigation has turned up no evidence that anything in its November security updates should be causing users to encounter a so-called "black screen of death."
"Microsoft has investigated reports that its November security updates made changes to permissions in the registry that that are resulting in system issues for some customers," Microsoft security response communications lead Christopher Budd said in a statement. "The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports."
Microsoft said it was not contacted by British security firm Prevx before that company went public with its claims. Microsoft said it has reached out to them to let them know the results of its investigation.
The company said on Monday that it would look into the matter, but issued an update later in the day saying it could not verify any issues.
"Our support organization is also not seeing this as an issue," Budd said on Tuesday. "The claims also do not match any known issues that have been documented in the security bulletins or (knowledge base) articles.
Update, 3:15 p.m. PT: Prevx posted an updated blog saying that it has done additional testing.
"Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches," the comapny said. "Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor."
The company also offered up a mea culpa to Redmond and said it also recommends users keep patching their systems promptly. "We apologize to Microsoft for any inconvenience our blog may have caused."
Microsoft said on Monday that it is looking into reports that its latest security updates are causing some serious problems for certain users.
The problem has been dubbed the "black screen of death" because those affected are left with a black desktop and little else on their screen.
.JPG){kind=logo}
"Microsoft is investigating reports that its latest release of security updates is resulting in system issues for some customers," the software maker said in a statement. "Once we complete our investigation, we will provide detailed guidance on how to prevent or address these issues. "
The issue was noted by British security firm Prevx on its blog on Friday, with that company also offering a suggested fix for the problem.
"The symptoms are very distinctive and troublesome," Prevx said. "After logging on there is no desktop, task bar, system tray or sidebar. Instead you are left with a totally black screen and a single My Computer Explorer window."
Prevx suggested that the black screen issue can occur on a wide range of Windows machines from Windows NT through Windows 7. In its blog, Prevx said there appear to be many causes of the black-screen issue, not all of which are related to the security update.
"In researching this issue we have identified at least 10 different scenarios which will trigger the same black screen conditions," Prevx said. "These appear to have been around for years now." As for the latest security update, Prevx said changes to the way registry keys are handled appears to be the reason it is causing black screens.
I've asked Microsoft what it recommends users should do for now and will post its answer here.
Microsoft released its latest security updates on November 10, issuing six bulletins addressing 15 flaws.
Update, 3:35 p.m. PT: A Microsoft representative said that the company continues to recommend that customers "test and deploy" the November security updates.
"Based on our investigation so far we can say that we're not seeing this as an issue from our support organization," the representative said. "The issues as described also do not match any known issues that have been documented in the security bulletins or (knowledge base) articles."
Mozilla on Friday disabled a Microsoft plug-in for Firefox called the .Net Framework Assistant because of a security problem--then scrambled to give people with patched systems an override option.
Mike Shaver, Mozilla's vice president of engineering, announced the first step late Friday night on his blog. "It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on," Shaver said. "Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plug-in for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately."
This warning sign greeted Firefox users after Mozilla blocked use of a Microsoft add-on.
(Credit: Screenshot by Stephen Shankland/CNET)The .Net Framework Assistant add-on lets Firefox use Microsoft's ClickOnce technology for installing applications that run on its .Net programming foundation. The add-on already was something of a thorn in the sides of some Firefox users: it was automatically installed via Windows Update with the .Net Framework 3.5 Service Pack 1 without telling the user the add-on was being installed or giving an option. More hackles were raised because it wasn't compatible with Firefox 3.5, Shaver said, and because removing it initially required people to edit their Windows Registry--a technically onerous task for most people.
Firefox checks a Mozilla server periodically for a list of add-ons to avoid. Although Mozilla's blocking move was intended to protect users, it caused other problems. Shaver indicated that Firefox's changed behavior irked some system administrators.
That led Justin Angel, a former Silverlight program manager at Microsoft, to tweet, "When business users can't use their core business functionality--they uninstall stuff."
One issue was that Mozilla's add-on blocking technology couldn't tell if people had patched their software and so weren't vulnerable anymore. "We can't distinguish patched from unpatched, so we're blocking it while we sort that out," Shaver twittered. Over the weekend, Mozilla worked to remedy the situation.
"Pushing a change to our blocklist software that will let Firefox 3.5 users override the blocking of .NET FA/WPF plugin if they're patched," Shaver tweeted Sunday. But a few hours later, he added, "We're still working on the blocklist tweaks to help enterprises override the blocking of the WPF plugin, stay tuned!"
Update 6:47 p.m. PDT: Crisis partially averted, apparently. At about 6:10 p.m., Shaver tweeted, "MSFT confirmed that the .NET Framework Assistant is not exploitable, so we've removed it from the blocklist; one down!"
Update 8:34 p.m. PDT: There's still another blocked Microsoft add-on that's vulnerable, one that concerns the Windows Presentation Foundation (WPF), which also is installed with the .Net service pack. Shaver said it was more serious.
"We're hard at work on improving the experience for (especially enterprise) users who wish to override the blocking of the WPF plugin before we remove it from the blocklist," Shaver said in a Sunday night blog post that announced the other plug-in had been removed from the Firefox blocked add-on list.
Microsoft on Thursday said it is delaying the release of its Forefront Endpoint Protection 2010 antimalware product for Windows desktops and servers until the second half of next year.
Forefront Endpoint Protection is a component of the upcoming Forefront Protection Suite, formerly code-named "Stirling."
"Based on customer feedback and market trends, we have made the strategic decision to build Forefront Endpoint Protection (FEP) on System Center Configuration Manager, Microsoft's solution to comprehensively assess, deploy, and update servers, clients, and devices," the company said in a blog post.
"This approach better aligns our customers' client management and security infrastructure, helping simplify deployment and reduce costs," the post said. "We are confident this is the right decision for our customers."
In the interim, Microsoft said, it will continue to offer its Forefront Client Security solution to customers.
Meanwhile, Microsoft said it is on track to release related products, including Forefront Protection Manager, in the first half of next year.
Microsoft on Thursday said it will provide a fix next week for zero-day flaws in Microsoft Server Message Block (SMB) and Internet Information Services (IIS) that could allow an attacker to take control of a computer.
Those are just two of the 34 vulnerabilities addressed in 13 bulletins (eight of which are critical and five of which are rated important) that will be fixed during Patch Tuesday, according to a blog post on the announcement. The bulletins affect Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server, the advisory shows.
The SMB flaw was reported a month ago. At the time, Microsoft said it affected Vista, Windows Server 2008, and the "release candidate" version of Windows 7, but not the final version that was completed in July. Windows Server 2008 R2 is not vulnerable, and neither are the earlier Windows XP and Windows 2000 operating systems.
Microsoft, which previously released a temporary fix for the SMB hole, reported the IIS flaw in the File Transfer Protocol in August. Its its advisory says there have been limited attacks that use the IIS flaw exploit code, which was posted on the Milw0rm Web site, according to IDG News Service.
Update 2:56 p.m. PDT: Also on Thursday, Adobe Systems announced that it will release an update Tuesday that will resolve a critical vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier on Windows, Macintosh and Unix that has reportedly been exploited in the wild in limited targeted attacks.
"Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista are protected from this exploit," Adobe said in an advisory. "Disabling JavaScript also mitigates against this specific exploit, although a variant that does not rely on JavaScript could be possible."
Microsoft 's new Security Essentials software has passed at least one exam so far--a review by security testing firm AV-Test.org.
Using the latest version and definition updates of Microsoft Security Essentials (MSSE) downloaded from the Web, AV-Test ran the product through a series of tests on Sept. 29 and 30 to judge its effectiveness at fighting malware.
(Credit:
AV-Test.org)
To check static known malware, AV-Test pitted Security Essentials against the most recent WildList, a sampling of 3,732 viruses and other threats compiled by the WildList Organization. Microsoft's product successfully detected and blocked all of the samples in both manual and active scanning.
AV-Test also threw its current set of 545,034 viruses, worms, Trojans, and other threats at Security Essentials. MSSE successfully caught 536,535 samples for an overall good detection score of 98.44 percent.
In AV-Test's battle against adware and spyware, Security Essentials stopped 12,935 out of 14,222 samples, earning a detection grade of 90.95 percent. No false positives came up in a scan of over 600,000 clean files from Windows, MS Office, and other commonly used programs.
To check dynamic malware, which is based on its behavior rather than static lists, AV-Test found that MSSE had no "dynamic detection" in place as the software failed to find any of the recently released malware used in the test. AV-Test noted that other standalone antivirus products don't include behavior-based detection either, although that feature is typically found in full security suites.
MSSE also found and eliminated all 25 rootkits that AV-Test threw at it.
Security Essentials did only a fair job of cleaning up infections. Facing 25 different malware samples, the product removed all active components as part of its repair process. But in many cases, some remnants of the malware were left behind, as inactive executable files or empty Registry keys.
Finally, AV-Test found that the speed of Security Essentials scanning was about average compared with that of other security products.
AV-Test's review of Security Essentials was run on Windows XP with SP3, Windows Vista with SP2, and Windows 7 RTM, both the U.S. English and German 32-bit editions. A series of papers on the methodology used by AV-Test in its testing process are at the company's Web site.
CNET's Seth Rosenblatt also looked at Security Essentials this week, while CNET News reporter Ina Fried has said the beta version of the product recently saved her from a Koobface attack.
Microsoft plans to release the final version of its free antivirus software soon, according to a note sent to testers late Sunday.
"The final version of Microsoft Security Essentials will be released to the public in the coming weeks," Microsoft said in the note.
(Credit:
CNET News)
Microsoft first announced its plans for the product, then code-named Morro, last November, at the same time the company said it was scrapping its paid Windows Live OneCare product.
Public beta testing of Security Essentials started in June, with Microsoft reaching its goal of 75,000 testers just one day after it issued a call for them.
On a personal note, I've been using the product on several machines since June, and I like the way--unlike other antivirus programs--it doesn't make a spectacle of itself, just quietly doing its thing. I often forget it is running on a machine, yet it did save my bacon a couple weeks back when I almost caught Koobface from a friend on Facebook.
For the second time in two days, there are reports that a cougar has been on the prowl near Microsoft's headquarters in Redmond.
(Credit:
Washington Department of Fish and Wildlife)
The sightings were enough to prompt Microsoft to send out a note on Friday letting its employees know what they should do if they encounter one of the cats, which are also known as mountain lions.
"Never approach a cougar," Microsoft said in the memo, which was earlier posted on Seattle-area Web site TechFlash. "Although cougars will normally avoid a confrontation, all cougars are unpredictable. Cougars feeding on a kill may be dangerous."
The e-mail also advised workers to make sure to give the cougar an avenue to escape, to talk in a calm, confident voice, and to back away slowly, as opposed to sprinting.
Predictably, the cougar also made for some good fodder for puns and jokes on Twitter, particularly given the popular culture meaning of the word cougar, along with Apple's penchant for naming versions of its operating system after big cats.
Here are a few of my favorites:
"Microsoft recruits Cougar to help fight Snow Leopard." (via @LoCul)
"Just saw the email about a cougar sighting on the Microsoft campus. Young men in their early 20's should take extra precautions." (via @akula)
"The cougar sighting at Microsoft is further proof that they can be found anywhere but the end zone." (via @MichaelGruner)
That last one, for those who didn't catch it, is a reference to the Washington State University football team, which has the cougar as its mascot and has been victory-challenged of late.
Aiming to crack down on a growing problem, Microsoft said it filed five lawsuits Thursday against parties it suspects of posting online advertisements laden with malicious code.
Microsoft has tried to work with ad networks to thwart such "malvertising" in the past, but this is the first time it has gone to court.
"Our filings in King County Superior Court in Seattle outline how we believe the defendants operated, but in general, malvertising works by camouflaging malicious code as harmless online advertisements," Microsoft Associate General Counsel Tim Cranton said in a blog posting.
In each case, Microsoft is suing the unknown parties responsible for the ads.
"Although we don't yet know the names of the specific individuals behind these acts, we are filing these cases to help uncover the people responsible and prevent them from continuing their exploits," Cranton said.
In the past week, The New York Times' Web site was hit with a rogue advertisement that told readers that their computer may be infected with a virus and redirected them to a site that purports to offer antivirus software.
"Scareware is often distributed among criminals, which therefore results in many of the animations a user may see utilizing a common design and interface," a Microsoft told CNET News. "However, without additional information and specific details about the attacks, we cannot be certain that any of today's filings directly relate to the attacks on The New York Times' Web site."
Microsoft likened the latest lawsuits to prior legal action that it has taken against those suspected of click fraud or instant messaging spam.
"This work is vitally important because online advertising helps keep the Internet up and running," Cranton said. "It's the fuel that drives search technologies. It pays for free online services like Windows Live, Facebook, Yahoo, and MSN. Fraud and malicious abuse of online ad platforms are therefore a serious threat to the industry and for all consumers and businesses that rely on these free services."
Microsoft issued a formal security advisory late Tuesday on a reported zero-day flaw in Windows Vista and Windows Server 2008. However, the software maker also said that the flaw does not affect the final version of Windows 7, contrary to earlier reports.
"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation," Microsoft said in the advisory. "We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."
The flaw could allow an attacker to gain control of a system, although Microsoft said that "most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."
The software maker said it is working with security software partners to provide information that can be used to create protections. Once its investigation is wrapped up, Microsoft said it will take action, which could include releasing a patch during its next monthly cycle or doing an "out-of-band" release, if necessary. Tuesday was Microsoft's monthly release for patches, which included five critical Windows updates addressing eight vulnerabilities.
The software maker said the latest issue affects the "release candidate" version of Windows 7, but not the final version that was completed in July. Also, the recently completed Windows Server 2008 R2 is not vulnerable, Microsoft said, nor are the earlier Windows XP and Windows 2000 operating systems.
Microsoft is already dealing with a separate, still unpatched flaw reported last week. Attacks have already been seen based on that vulnerability. Microsoft has taken issue with the fact that that flaw, like the latest one, was reported publicly as opposed to being privately disclosed to Microsoft, giving the company time to patch it.
