I am a bit late on reporting this, but I have been waiting for the dust to settle on this issue.  Each time reports like this float around the Internet, it is important to wait for the vendor to confirm the reports.

On Wednesday, reports started to surface regarding users who were getting the blue screen of death after installing MS10-015.  The MS10-015 security bulletin, which patches the Windows Kernel, was released on Patch Tuesday.

Last night, Microsoft pulled the bulletin from Windows Update as they are attempting to gather information regarding the reported blue screens on affected computers.  The reports were:

  1. User installs MS10-015 manually or through Windows Update
  2. Computer reboots
  3. Computer blue screens on reboot, the operating system does not load

People have found ways around this blue screen by running the recovery CD and uninstalling the patch.

Microsoft's Security Response Center has just posted an update on the situation.  They have been finding the blue screen is actually caused by malware on the target systems.  Apparently, some malware programs just do not like the Kernel updates from Microsoft.

As many of you are approaching your patch cycle for February, here are some important reminders on patching in general and with this issue:

  • TEST, TEST, TEST.  Patch management programs make patching very easy.  But, you should never blindly push out updates unless it is necessary.  The issues with MS10-015 are a prime example of what can happen when you blindly push out patches without testing them first.  Microsoft and other vendors make every attempt to ensure their patches do not break functionality.  The last thing Microsoft wants with MS10-015 is to fix vulnerabilities but take a "black eye" from causing system crashes.  Take some time and establish a test environment that contains your commonly used systems and programs.  This may slow down your patch deployment, but it will save you a lot of time fixing issues that can come up with patch management.
  • Research the issue.  The reports came out about MS10-015 and research should be done.  How many people are *actually* affected by this issue?  What is the vendor saying about the issue?  How can this patch affect my network?  What does this patch fix (criticality, publicly known vulnerability, actively exploited vulnerability, servers or desktops affected)?  After gathering information, you can make the decision on the patch.  Am I willing to accept the risk of not patching this vulnerability?  That is a question only you can answer.
  • Report issues to the vendor.  Most vendors have a response team waiting for issues that may come up with patching.  Don't be afraid to contact the vendor if you are seeing an issue with the patch.  Yes, you will need to fix the affected machines.  But, you will be doing a great service to the rest of the users who may run into this problem.

 - Jason Miller