October 28, 2010

I’ve received several e-mails from readers concerned about a mysterious, undocumented software patch that Microsoft began offering to Windows 7 users through Windows Update this week. Some Microsoft users have been spinning conspiracy theories about this patch because it lacks any real description of its function, and what little documentation there is about it says that it cannot be removed once installed and that it may be required as a prerequisite for installing future updates.

Normally, when Microsoft offers a patch through Windows Update, it also will publish a corresponding “knowledgebase” article that describes in great detail what the patch does and why users should install it — and how applying the update may impact current and future operations on the system.

This fix went out via Windows Update on Oct. 26 as a “recommended” and “important” patch, but it lacked any additional details, prompting conspiracy theories and speculation on message boards from users wondering whether they should ignore or install this update — which for many users was sandwiched between the dozens of security patches Microsoft began offering earlier this month as part of its regular Patch Tuesday security update cycle.

To make matters worse, many Windows 7 users said the patch was no longer offered after they declined installing it the first time, leading some curious researchers to dub it the “Blackhole” update.

I have verified with Microsoft that this update is designed to smooth the way for the deployment of future updates on Windows 7 systems (read on to the very end if you’d like the official response from Microsoft). The confusion appears to stem from a timing mistake by the folks at Microsoft, but this incident illustrates the hysteria that can ensue when the world’s largest software company fails — for whatever reason — to be fully transparent with a user base that has come to expect detailed advisories with every patch.

When I was researching this patch, I found an amusing thread on the Microsoft Answers forum — where several Microsoft Most Valuable Professional (MVP) experts urged other forum members to hold off installing the patch until more information was available. Others offered more speculative answers, suggesting that the patch was instead:

- A new service pack for Windows 7

- A “heuristic scanner to the machine that turned on whenever the machine went idle, and searched all attached storage devices for ‘terrorism-related’ information, then alerting ‘somebody’ over the Internet”

- The result of Microsoft having been hacked, with the patch being some kind of malicious third-party code being sent out to infect all Windows machines

- A new anti-piracy check from Microsoft.

Here is the official response I just received from Microsoft about this update:

On Tuesday Microsoft released KB 976902 to customers of Windows 7 through Windows Update. This update was prematurely released in English and the KB article had not been published yet. We are in the process of releasing the KB Article so users have more information about the update. This update is a Servicing Stack Update, which can’t be uninstalled. The update will be released at a later date, and it will be required to ensure compatibility with some future updates.

If you have already installed the update, there is no action required – there is no impact from the update being on your system. We apologize for any confusion this update may have caused.

Also, for extra context – Microsoft did a similar update when we were about to release the SP1 beta (what’s known as a “service stack” update – it helps the OS recognize and work better with the service pack code). As things like a service pack in development hit new milestones (i.e. we just hit RC, before that it was beta), the service stack update gets updated. That’s why folks don’t need to worry about removing it.

Bottom line: It should be safe to install this relatively harmless update, which is designed in part to help pave the way for Service Pack 1, the first major bundle of fixes and stability updates for Microsoft’s flagship operating system. However, SP1 isn’t due out for a while yet, so it’s also safe to delay installing this update for a bit. Or at least until Microsoft gets around to issuing an official advisory about it.

57 thoughts on “Demystifying KB976902, a.k.a. Microsoft’s “Blackhole” Update”

  1. ASIMO

    Demystifying article, re-mystifying comments.
    I choose the people. Pass.

    1. zero

      This update is in fact a new anti-piracy software, or a way to see who and who has a pirate copy of MS. Checked on a machine with RemoveWAT: it now requires the machine to be activated.

  2. Chris

    Installed this update automatically on 26th Jan 2011 on DELL Studio 17 with Win 7 Home Prem.

    First thing I noticed after 30 min reboot was – “The version of Windows you have is illegal” notice at the bottom right corner.

    Of course the version of Windows came from Dell and it has been fine for the past year, but I said “oh well, let me reboot again”.

    That pretty much was the end of my Windows 7. Since then the system became very irresponsive, with no CPU or HDD usage, takes 30-60 min to be able to use Windows after reboot/hibernation, all the restore points are gone, so no, you cannot remove this update and now I want to kill someone as I have urgent work to do over the weekend and can’t!

    So yes, it is a security/pirate copy check + I don’t know what else and yes, it is very premature since it’s buggy, like a 5 month old baby!

    Do not install it unless you enjoy gambling too much.

    And to MS – why the heck you push untested software in live versions of Windows?!?!

    I already lost a few thousand ££ thanks to your stupidity and me trusting your updates!

  3. Odys

    Nothing to say, I just wanted to be able to unsubscribe from newer comment. Deleted cookies and this WP plugin doesn’t allow to do it unless you login via commenting. So.. ignore me :p

  4. Ove S

    BSOD on an Acer Laptop after this update!!
    A one year old Acer Laptop – running without problems at all until installing this update. BSOD – but System restore did the job – almost. Had to uninstall the Acer software for sound etc, and reinstall antivirus. Took me hours – the System restore before this update was corrupted – had to go a while back. Haven’t got the Acer software up and going yet.

  5. xo

    Installed it today. After reboot there were no changes visible on my ‘not so’ legal copy of win7. Still activated…

  6. michael wilson

    Does anyone know of a connection between installing this update and the svchost.exe downloading continuously from deploy.akamaitetechnologies.com?
    What is it updating/replacing???

    1. jonny

      Microsoft is obviously lying, and it’s easily provable. I installed the streamlined MSDN Windows 7 Ultimate with SP1 included.

      For 5 months after I proved MSSE was force-installing malicious Hotfixes to facilitate hacker access / remote systems administration (same thing, put the dots together geniuses); I’ve been explicitly rejecting the option to install Win Updates during installation and I firmly block all Windows Updates via Control Panel settings.

      For 5 months, despite this, Microsoft Windows Updates which have no possible relation to my system (and which can therefore ONLY be malicious) have been force-fed onto my systems. I’m talking about URGENT / IMPORTANT Windows Updates demanding I switch my clocks back due to 2009 daylight savings. And others for 2010. Just to clarify, the year is 2011. My computer clock is set correctly. I have screenshots of these updates, as well as the forced updates relating to hacker accessibility and a great deal more. I have thousands of screenshots and dozens of hours of video showing MSSE doing this in real time.

      Microsoft is lying about this update, because I just installed the MSDN Win7 (with SP1). And I set updates to NEVER.

      Most recent check for updates: Never
      Updates were installed: Never

      View Update History: You have not tried to install any updates for your computer.

      Windows edition:
      Windows 7 Ultimate
      Copyright (c) 2009 Microsoft Corporation. All rights reserved.
      Service Pack 1


      And…yet….under Uninstall an update:

      Microsoft Windows (2)
      Hotfix for Microsoft Windows (KB2534111)
      Update for Microsoft Windows (KB976902)

      Here is the requisite screenshot evidence:

      Here is a box.net shared folder where I’ve started compiling evidence of Microsoft’s lies and the filthy Microsoft-GENERATED (I used to believe it was merely facilitated) corruption which everyone claims is impossible, and then goes silent once they view the evidence. I have hundreds of images I have to upload still, and dozens of hours of footage. But there is enough in there to convince anyone who isn’t corrupt beyond capacity to function…that Microsoft is out of control with their lies and malicious, illegal behaviour.



      I have no idea which entities in this industry are complicit in the corruption; but I give everyone the benefit of the doubt. So far, I have proven – PROVEN – that ESET, Secunia, Trend Micro and literally every single poster at Technet forums, are corrupt to the point of being criminal.

      If we’re talking about complicity, you can safely add very nearly every single ‘AV’ industry company or entity; and everyone profiting from the scandalous scam – which amounts to extortion, or worse.

      I have evidence of Microsoft advanced tech support, who charged me $600, sharing control of my desktop whilst MSSE force downloaded a hacker Hotfix, twice. I uninstalled both and reproduced the event for them. They had no comment. At least, that’s better than the filthy Microsoft tech support scum who, five months ago when I reported that unauthorised Hotfixes which were unrelated to my systems were being force downloaded, called me a liar.

      And then, after I submitted to that filthy criminal the evidence of my submitting the evidence to him, he killed the chat.

      I have evidence to support every statement I ever make, and a GREAT DEAL more. Microsoft are out of control, and we’re talking serious crimes here. Not incompetence, or feigned incompetence in order to sell AV products – CRIMINAL offences, as outlined by multiple national and international laws.

      1. F-3000

        There’s plenty of stuff you simply have no idea about what they are, yet you outright declare them bad or harmful. A very bad policy if you wish to maintain credibility.

        *Some* of the “evidence” you’ve gathered makes sense in a way that you’re not supposed to be able to edit, or even view some of the content related to Windows. If YOU can edit them, then any malicious program that has same permissions as you do, can edit them. Same goes for viewing (and collecting data). Windows is not like Linux, where you can do ANYTHING with root access (assumption). It can be very frustrating for a person who expects that every single bit in his OS should be editable/viewable by end-user, while Windows is (perhaps?) built in a manner that some things are accessible ONLY by the OS, and its sub-processes. But “luckily” for such people, Windows is like a cheese: full of small holes. Thus if you have the time and dedication, you can crack every secret in Windows. (basically every OS is like a cheese due to the simple fact that there’s no perfect OS, but in my view, Windows just got more holes, and bigger ones too) Even though hiding some* of the content from the view of those who actually use the software is not very transparent behavior (although, would you really expect full transparency from M$?), it still hinders possibilities to dig out those cheese-holes in Windows.

        Oh, btw, if you want to edit/view those desktop.ini files, boot with Linux LiveCD, mount the Windows partition, and do the dirty job. (I haven’t tested that, but I would expect it to work)

        About “some*”: Who has seen Windows’ source code? That’s a few hundred megabytes of “hidden content”.

        1. jonny

          What a stupid non-response. And you have the nerve to fling words like “credibility” around.

          Look at the evidence. ADDRESS the evidence submitted, you joke.


          Microsoft is lying about this update, because I just installed the MSDN Win7 (with SP1). And I set updates to NEVER.

          Most recent check for updates: Never
          Updates were installed: Never

          View Update History: You have not tried to install any updates for your computer.

          Windows edition:
          Windows 7 Ultimate
          Copyright (c) 2009 Microsoft Corporation. All rights reserved.
          Service Pack 1


          And…yet….under Uninstall an update:

          Microsoft Windows (2)
          Hotfix for Microsoft Windows (KB2534111)
          Update for Microsoft Windows (KB976902)

          Here is the requisite screenshot evidence:


          Keep your corruption and ignorance away from me.

  7. Mike

    – Installed fine on my pirated and activated/loaded Windows 7 at home.

    – Crashed and BSODed half of the 5 or 6 PCs we installed it on at work that had legal licenses. Got copyright warnings, never ending loading screens, etc. If we had had it installed on every PC with a weekly patch we would have lost thousands of £ or more.

  8. Bill

    Many BSOD after applying this update on my totally legit copy of W7 and Windows update “crashed” when checking for updates after installing it. Fortunately I had a single Restore point previous to that which seems to have solved my problems, so far, since I tried to install it this morning. Wish I had searched on it before I had tried. Would have saved me a lot of time and pain. Also have not seen any updates since this one appeared in the queue quite some time ago. Whatever that means?!?

  9. DrewKrew

    This rang alarm bells as soon as I saw it in the Windows Update list and read its description, and a very basic description it was too.
    It instantly makes you suspicious as to whether it will jeopardise those “not-so-legitimate” installations of Windows 7 from ever updating again…
    I know pirating Windows software is morally wrong, but there are many circumstances where genuine honest people end up having to install these copies onto their system due to loss of install/restore discs, or when the O/S is pre-installed on a system with no disc supplied at all and the hidden partition on the hard drive containing installation files becomes inaccessible, or even poverty struck families who simply cannot afford the excessive price tags for purchasing Windows software.
    Even our UK schools push such families towards using the latest Windows that “their school” uses and teaches by. Repair shops often install pirate copies and aren’t always successful in then entering a genuine key back onto them if one was obtainable; how many of these Genuine Key stickers are still legible after 6 months on the base of a laptop?!!!
    It makes you wonder…

  10. Dick Stowe

    It ain’t on mine and it ain’t going on till there is better documentation about it. I personally believe it is some sort of internet spy. I’m English and I do not want some U.S. company telling me what I can or cannot look at on the internet in a FREE world.

    1. Kevin

      Hold on to your hats… It won’t be free for too much longer!

      Same old thing rearing its ugly head… The rich getting richer on the backs of the poor!!!

  11. Ellen

    OK… this is bogus.
    I’ve been trying to install Windows 7 SP1 for weeks.. WEEKS.. I keep getting an error at 90% installed.
    I was looking at my Windows Log/Setups (Component Services) and for 4/6/2011 (the last time I tried installing SP1) it says it cannot install SP1 because of KB976902. And there’s an error with it.

    If 976902 is supposed to make it easier for SP1 to install… it sure isn’t doing what it’s supposed to do.

    If I was getting notified that my OS was illegal, I’d be contacting my computer maker or wherever I bought the OS, and Microsoft. The software should have a legal key with it, whomever I bought it from.
