Prevx apologizes, backtracks on claims that Microsoft patch causes black screen

Prevx now states that Microsoft patches do not cause problems

Prevx, the anti-malware vendor that claimed a Microsoft patch caused users to experience black screens of death, has backtracked and apologized. Yesterday, Microsoft denied that there were any problems with the patch, and even hinted that Prevx users (or others) who experienced the problem might really be dealing with an untreated virus.

Here is Prevx statement in full:

"We've been working with Microsoft to get to the bottom of the specific black screen issues in our earlier blog. We have made some significant progress in determining specific triggers of the black screen event.

"The issue appears to be related to a characteristic of the Windows Registry related to the storage of string data. In parsing the Shell value in the registry, Windows requires a null terminated "REG_SZ" string. However, if malware or indeed any other program modifies the shell entry to not include null terminating characters, the shell will no longer load properly, resulting in the infamous Black Screen with the PC showing only the My Computer folder

"SysInternals was one of the first companies to discover this characteristic of the registry a number of years ago in their utility: RegHide http://technet.microsoft.com/en-us/sysinternals/bb897446.aspx which modifies registry entries to prevent them from being accessible within the operating system. This technique is frequently used by malware authors which is why it is recommended to first query the length of a registry value, and then read it into a buffer, forcing the null termination of strings whether or not null terminated by their content.

"Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches including KB976098 and KB915597 as referred to in our previous blog. Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor.

"We have not analyzed further whether a change occurred in the OS interpretation of this or other registry values. In any case, we believe there are significant benefits in the OS using the length of the value as recommended by the SysInternals article.

"We have always strongly recommended keeping Windows and all other software up-to-date to reduce the window for exploitation by new threats. We'll keep you updated with further progress if we find anything new.

"We apologize to Microsoft for any inconvenience our blog may have caused. This has been a challenging issue to identify. Users who have the black screen issue referred to can still safely use our free fix tool to restore their desktop icons and task bar."

Moral of the story: If you want 15 minutes of fame, publicly accusing Microsoft of a faulty patch ought to do it ... just be prepared to have to public ally apologize as well.

Like this post? Check out these others.

• Secrets of Exchange Server 2010
• Unified Messaging (Voicemail) in Exchange 2010
• Microsoft's Teamprise acquisition means nothing for open development
• Microsoft's data cache technology, code-named Velocity, speeds app performance
• SQL Server 2008 R2: November CTP Feature Pack
• F5 announces new management pack for OpsMgr 2007
• Microsoft Linux: Why one free software advocate wants it
• Server Sizing in Exchange 2010

Plus, visit the Microsoft Subnet web site for more news, blogs, podcasts. Subscribe to all Microsoft Subnet bloggers. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)
Follow All Microsoft Subnet bloggers on Twitter
Follow Julie Bort on Twitter

 

• Microsoft
• Microsoft patches
• Microsoft security
• Patch Tuesday
• Prevx