Microsoft Denies "Black Screen" Security Issues
Microsoft denied that its November security updates were related to the "black screen" behavior of Windows 7 described in recent reports.
The problem, which has caused a small number of users to see a completely black screen after logging on, was identified by British software security firm Prevx last week.
According to the reports, when a user starts a Windows 7, Vista, XP, NT, W2K, W2K3 or W2K8 PC or server system, it appears normal. However, after logging on there is no desktop, task bar, system tray or side bar. Instead, users are left with a totally black screen and a single My Computer Explorer window.
Prevx had also issued a fix for the problem.
"We've received questions about public reports that customers might be experiencing system issues with the November Security Updates (which some are referring to "Black Screen" issues)," Microsoft wrote in a blog entry at Technet.
"We've investigated these reports and found that our November Security Updates are not making changes to the system that these reports say are responsible for these issues," Microsoft added.
While these reports weren't brought to us directly, from our research into them, it appears they're saying that our security updates are making permission changes in the registry to the value for the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell key.
"We've conducted a comprehensive review of the November Security Updates, the Windows Malicious Software Removal Tool, and the non-security updates we released through Windows Update in November. That investigation has shown that none of these updates make any changes to the permissions in the registry. Thus, we don't believe the updates are related to the "black screen" behavior described in these reports."
We've also checked with our worldwide Customer Service and Support organization, and they've told us they're not seeing "black screen" behavior as a broad customer issue. Because these reports were not brought to us directly, it's impossible to know conclusively what might be causing a "black screen" in those limited instances where customers have seen it. However, we do know that "black screen" behavior is associated with some malware families such as Daonol.
Prevx also gave an update on the issue today.
"The issue appears to be related to a characteristic of the Windows Registry related to the storage of string data. In parsing the Shell value in the registry, Windows requires a null terminated "REG_SZ" string. However, if malware or indeed any other program modifies the shell entry to not include null terminating characters, the shell will no longer load properly, resulting in the infamous Black Screen with the PC showing only the My Computer folder," the company wrote at its blog.
SysInternals was one of the first companies to discover this characteristic of the registry a number of years ago in their utility: RegHide http://technet.microsoft.com/en-us/sysinternals/bb897446.aspx which modifies registry entries to prevent them from being accessible within the operating system. This technique is frequently used by malware authors which is why it is recommended to first query the length of a registry value, and then read it into a buffer, forcing the null termination of strings whether or not null terminated by their content.
"Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches including KB976098 and KB915597 as referred to in our previous blog. Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor," Prevx said.
"We apologize to Microsoft for any inconvenience our blog may have caused. This has been a challenging issue to identify," Prevx added.
Microsoft says it's not to blame for a problem that is causing a "limited" number of Windows computers to boot up to a blank black screen. The company says it hasn't identified the problem but says some malicious programs on the Internet are known to cause black screens.
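The defensive read Prevx recommends (take the stored length first, then copy into a buffer that is terminated regardless of the stored content) can be sketched as follows. This is an added example, not code from Prevx or Microsoft; it works on raw value bytes so it runs anywhere, on the assumption that on Windows the bytes and their length would come from a size query followed by a data query with `RegQueryValueExW`. The function names and sample payloads are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum sz_status { SZ_OK, SZ_UNTERMINATED, SZ_ODD_LENGTH };

/* Constructed sample payloads: "a.exe" as UTF-16LE, with and without NUL. */
static const uint8_t SAMPLE_GOOD[] = {'a',0,'.',0,'e',0,'x',0,'e',0, 0,0};
static const uint8_t SAMPLE_BAD[]  = {'a',0,'.',0,'e',0,'x',0,'e',0};

/* Classify a raw REG_SZ payload of cb bytes without reading past cb. */
enum sz_status reg_sz_status(const uint8_t *data, size_t cb)
{
    if (cb % 2)
        return SZ_ODD_LENGTH;              /* not whole UTF-16 code units */
    for (size_t i = 0; i + 1 < cb; i += 2)
        if (data[i] == 0 && data[i + 1] == 0)
            return SZ_OK;                  /* terminator stored in the value */
    return SZ_UNTERMINATED;                /* what the Prevx post describes */
}

/*
 * Copy the payload into a new buffer that is always NUL-terminated, whether
 * or not the stored data was. Sets *len to the number of code units before
 * the terminator. Returns NULL on allocation failure; caller frees.
 */
uint16_t *reg_sz_copy_terminated(const uint8_t *data, size_t cb, size_t *len)
{
    size_t units = cb / 2;                 /* a trailing odd byte is dropped */
    uint16_t *buf = calloc(units + 1, sizeof *buf);  /* +1: forced NUL */
    size_t n = 0;
    if (!buf)
        return NULL;
    for (; n < units; n++) {
        uint16_t u = (uint16_t)(data[2 * n] | (data[2 * n + 1] << 8));
        if (u == 0)
            break;                         /* stop at a stored terminator */
        buf[n] = u;
    }
    *len = n;                              /* buf[n] is 0 thanks to calloc */
    return buf;
}

int main(void)
{
    size_t n = 0;
    uint16_t *s = reg_sz_copy_terminated(SAMPLE_BAD, sizeof SAMPLE_BAD, &n);
    printf("status=%d len=%zu\n",
           reg_sz_status(SAMPLE_BAD, sizeof SAMPLE_BAD), n);
    free(s);
    return 0;
}
```

A monitoring tool can log `SZ_UNTERMINATED` for the Winlogon `Shell` value as an anomaly while still reading the string safely.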