Security Watch

As the Black Screen of Death Turns

Plus: Patch Tuesday fixes IE zero-day flaw; third party takes up XP's cause.

• By Jabulani Leffall
• 12/08/2009

The IT community has seen many soap opera-type feuds. The most recent example? The episode involving Microsoft, Prevx and the so-called "black screen of death."

I reported last week of Prevx's assertion that Microsoft's November patches had been causing, in some instances, a black screen. I pointed out that Prevx was offering a fix for the problem -- indeed, that the company was claiming to be the only one with a fix for a problem that it alone had discovered. Microsoft hadn't yet responded at the time.

Well, Microsoft did eventually respond, saying emphatically that it wasn't aware of any black screens. Microsoft further said that if there were such black screens, they weren't widespread, nor were they caused by installing the November patches.

So it goes. Vendors will continue to make assertions against Microsoft that Microsoft will then refute, correct or both. There may even be blog battles, like the one between Microsoft and Sophos, who've been at odds for years.

Some may put it down to vendors behaving badly or tech writers engaging in he-said-she-said reporting. But if, as is the case here, the problem remains an unpatched mystery, the real losers are the users. This is something third-party vendors should recognize and Microsoft should address.

For now, though, it looks like the "black screen of death" has morphed into the "black screen of breadth," in the sense that the breadth of the controversy has spread across the Web faster than a solution.

Microsoft: Zero-Day Flaw Will Be Patched this Month
While the black screen won't be patched in December's Patch Tuesday slate, there will be an update fix for a zero-day vulnerability in Internet Explorer as part of a cumulative hotfix.

Since last week, Redmond has gone out of its way to say that the newly released IE 8 is not affected on any platform, and that "running Protected Mode in Internet Explorer 7 on Windows Vista mitigates this issue." This is according to Jerry Bryant, a spokesman for the Microsoft Security Response Center (MSRC), who first announced the advisory just before Thanksgiving.

Meanwhile, there are more proofs-of-concept in the offing, such as a recently announced TLS flaw that, according to Lumension's Don Leatham, will most likely force updates to all brands of browsers and all Internet servers using SSL/TLS.

Leatham, who is Lumension's senior director of solutions and strategy, said the flaw allows attackers to inject text into encrypted traffic.

"Although we'll have to wait until Patch Tuesday for confirmation, we are led to believe that Microsoft has chosen not to address this vulnerability in this round of patches," Leatham said. "There is controversy in the security community as to the true importance of speeding a fix to market for this flaw, and no widespread exploits have been reported."

Third Party Takes Up XP's Cause
We've seen this before: Microsoft takes a new strategic direction, but enterprise adoption lags by several months or even years, leaving room for channel partners, resellers and security vendors to fill the gap.

Case in point: Microsoft has announced that the end of Windows XP SP2 support is coming less than seven months from now, despite the fact that XP is still the most pervasive OS among enterprises and Windows consumers.

So security vendor Shavlik Technologies has decided to cash in, providing its own support for XP through the release of a comprehensive patch management solution for XP Embedded (XPe) devices.

XPe devices are commonly used in hundreds of applications. The devices use a stripped-down version of XP on a thin client, like a kiosk or point-of-sale device. Many of the services and components found in the full version of XP are disabled or unavailable.

Shavlik said its solution will secure XPe devices against viruses, worms and hackers -- and it certainly sounds like they need it.

"The number of XPe devices used by consumers and individuals every single day that may have never been patched is staggering," said Nancee Melby, Shavlik's director of product marketing, in a statement. "Shavlik's agentless approach eliminates the obstacles to patching Windows XPe devices and leaves no footprint other than the patches themselves."