October 28, 2010

I’ve received several e-mails from readers concerned about a mysterious, undocumented software patch that Microsoft began offering to Windows 7 users through Windows Update this week. Some Microsoft users have been spinning conspiracy theories about this patch because it lacks any real description of its function, and what little documentation there is about it says that it cannot be removed once installed and that it may be required as a prerequisite for installing future updates.

Normally, when Microsoft offers a patch through Windows Update, it also will publish a corresponding “knowledgebase” article that describes in great detail what the patch does and why users should install it — and how applying the update may impact current and future operations on the system.

This fix went out via Windows Update on Oct. 26 as a “recommended” and “important” patch, but it lacked any additional details, prompting conspiracy theories and speculation on message boards from users wondering whether they should ignore or install this update — which for many users was sandwiched between the dozens of security patches Microsoft began offering earlier this month as part of its regular Patch Tuesday security update cycle.

To make matters worse, many Windows 7 users said the patch was no longer offered after they declined installing it the first time, leading some curious researchers to dub it the “Blackhole” update.

I have verified with Microsoft that this update is designed to smooth the way for the deployment of future updates on Windows 7 systems (read on to the very end if you’d like the official response from Microsoft). The confusion appears to stem from a timing mistake by the folks at Microsoft, but this incident illustrates the hysteria that can ensue when the world’s largest software company fails — for whatever reason — to be fully transparent with a user base that has come to expect detailed advisories with every patch.

When I was researching this patch, I found an amusing thread on the Microsoft Answers forum, where several Microsoft Most Valuable Professional (MVP) experts urged other forum members to hold off installing the patch until more information was available. Others offered more speculative answers, suggesting that the patch was instead:

- A new service pack for Windows 7

- A “heuristic scanner to the machine that turned on whenever the machine went idle, and searched all attached storage devices for ‘terrorism-related’ information, then alerting ‘somebody’ over the Internet”

- The result of Microsoft having been hacked, with the patch being some kind of malicious third-party code being sent out to infect all Windows machines

- A new anti-piracy check from Microsoft.

Here is the official response I just received from Microsoft about this update:

On Tuesday Microsoft released KB 976902 to customers of Windows 7 through Windows Update. This update was prematurely released in English and the KB article had not been published yet. We are in the process of releasing the KB Article so users have more information about the update. This update is a Servicing Stack Update, which can’t be uninstalled. The update will be released at a later date, and it will be required to ensure compatibility with some future updates.

If you have already installed the update, there is no action required – there is no impact from the update being on your system. We apologize for any confusion this update may have caused.

Also, for extra context – Microsoft did a similar update when we were about to release the SP1 beta (what’s known as a “service stack” update – it helps the OS recognize and work better with the service pack code). As things like a service pack in development hit new milestones (i.e. we just hit RC, before that it was beta), the service stack update gets updated. That’s why folks don’t need to worry about removing it.

Bottom line: It should be safe to install this relatively harmless update, which is designed in part to help pave the way for Service Pack 1, the first major bundle of fixes and stability updates for Microsoft’s flagship operating system. However, SP1 isn’t due out for a while yet, so it’s also safe to delay installing this update for a bit. Or at least until Microsoft gets around to issuing an official advisory about it.

57 thoughts on “Demystifying KB976902, a.k.a. Microsoft’s “Blackhole” Update”

  1. Faust

    “It should be safe to install this relatively harmless update”

    That’s exactly what they *want* you to think. 😉

  2. J."CURLY" Kessner

    I won’t hold my breath on anything Microsoft states.

  3. Anon Lurker

    I don’t get it. Microsoft issues a content-free response that says nothing about the contents of the update, and your reaction is “oh, well, that clears it up then”? That doesn’t make sense to me.

    Look: the paranoid theories were a priori unlikely. We didn’t need the Microsoft statement to know that. But the Microsoft statement provides no new information, and shouldn’t change our view of the update: the same concerns still apply. It’s unreasonable to treat this as though Microsoft’s statement puts all the worries to rest.

  4. froman

    This just shows poor planning and execution from a corporation that has gotten too big, to quote a familiar movie and I’m sure something most of us have heard at least once in our own office. “Did you get the memo?”

  5. That that I am

    This answer is almost as vague as the original description of the update. I also wonder why the update had various sizes (from 4MB to 10MB) on the exact same W7 Premium systems?

  6. Don't Copy That Floppy!

    Like the real value of paper money, Windows Updates are what you believe them to be, whatever they claim they are.

    Don’t you just adore proprietary software? It’s like a new twist in a sitcom every week! Which product will receive a remotely exploitable backdoor this week? Adobe Flash, Shockwave, Reader? Microsoft Windows?

    And, like any daytime soap opera, the players are the same, while the faces may sometimes change the roles do not and the plots repeat.

    Luckily, you can change the channel at any time, just look at the Distrowatch website and take your pick.

    Dban is a useful tool which helped me remove all traces of the Windows Operating System, which I consider to be one of the most sinister forms of malware ever created.

  7. Jim

    While we have Redmond on the whipping post. I’m becoming weary of Silver Light and Windows Live Essentials being a force-feed each time I opt to update Win7. Unlike XP, these two nuisances have no way, that I can locate, to have them go invisible. Once Silver Light and Live Essentials install, they are a PIA to uninstall and the registry junk they leave behind is about 270+ useless entries.

  8. drzaiuschimplord

    Err, if MS wanted to put malicious code on your machine it would do it in any update, and you would never know. It’s funny how the conspiracy theorists have come out in force, like they have any proof of anything but their own ignorance and fear peddling. Seriously, MS could put malware on your machine in a million ways that would never be noticeable to most users, let alone attempt to do such a thing via some sloppy content free update.

    Seriously Krebs, this stuff isn’t worth reporting. Most likely this is just another pre Service Pack fix so that people’s machines don’t go crazy when they attempt to install SP1 because Lenovo or Dell’s crapware is causing an issue. If MS pushed out malware we’d see it via network sniffing, auditing, etc.

    1. Jason

      Totally agree that if it was anything nefarious, they could do it anytime and just call it an update that fixes a remote exploit in IE 8 which could allow an attacker to take control of your machine (not like that would surprise anybody or anything). So yeah, people are ridiculously paranoid at times.

      However, I think it’s worth reporting on because *I* noticed and tried to read the knowledgebase article and got nothing. So I refused to install it until I knew more (mainly because I don’t install updates if it’s not a security issue and probably doesn’t affect me). And was surprised when I went to look again that it was gone the next day. I didn’t think it was suspicious, just curious so I’m glad to see an article on it.

    2. F-3000

      “MS could put malware on your machine”

      I think the old joke about Windows easily fitting into definition of worm still works. As malware generally, it just has become more sophisticated.

      Did you know, that after uninstalling loads of unwanted trials and demos, Vista takes up MORE space than fresh install? That’s my personal experience after several reinstalls on my Asus laptop.

    3. Ijustlovethatlittlecompany

      There are already backdoors etc. on Windows. Enjoy your OS that’s like a sieve.

  9. Vic

    I agree with the sentiments already stated, if there was evil code released through an update someone would find it and publish it because they would get so much fame from it. Microsoft is beholden to its reputation, and a victim of its success. Anything they do that is questionable generally gets a spotlight shown on it brightly.

    1. F-3000

      “Microsoft is beholden to its reputation”

      Very ugly cake inside, with lots of cream, sugar and candy covering it. If M$ would be beholden to its reputation, it would have been bankrupted long ago.

      Micro$oft paying fines by donating thousands of computers to schools is not charity, but plain strategy if the computers contains Windows OS.

      “Best” of it, that’s just a mere example – and quite mild one – of M$’s history, and what they have done, are doing, and will do.

      To underline: People don’t learn. Think of Windows as a product. Very failure as a whole. Maybe not Win7, I don’t have enough experience about it to call it such, but its predecessors are, noticeably Vista – which was supposed to be the best Windows ever. Then M$ brought Xbox into markets. Imagine a console giving you a BSOD! Not to forget the fact that it loves to scratch your game-disks to oblivion. Now, is Xbox dead project? Why not? Because people don’t learn. They don’t accept facts. They seem to love to give a 99th chance for the beast to kick them on the balls.

      1. JAKE NO1 FAN


        1. F-3000

          I guess you’ve never heard of “underlining”…

          In this context, it’s as if trying to make sure that reader knows what’s my opinion about the corporation without the need to repeat myself by telling on every post about how I think their aim is to make money without giving a **** about the users, or about the WHOLE (as long as it doesn’t clearly concern them in negative manner).

          And of course, I get occasional amusement from people who fail to understand such things as I explained above.

  10. timeless

    Brian: thanks for writing about this. I don’t mind such updates (and thus happily selected it, basking in my power to make my own random decision) since my w7 runs in a VM (I could roll back if I really cared).

    It’s nice to get an explanation from a channel I read :).

    FWIW, there does seem to be a kb article up now:
    — thanks for providing a picture of the details dialog where the ID was clear enough to read :).

    1. Smart Assist

      Probably since around the time that “hyphen” dropped the ‘h.’

  11. Mark Adams

    The KB article went up last night at almost 11PM EDT, when some Microsoft employees finally noticed the threads in the MVP forums. However, oddly, they had also pulled the package from Windows Update 20 hours earlier. Who knows if it will reappear.

    Also, the KB article that is now up is not as detailed as they usually are. Probably a hasty action from their web team who didn’t appear to know anything more about the package than what we’ve written about it.

  12. Ted Phillips

    After installing KB976902 and restarting my system, the system locks up almost immediately after startup.

    I restarted in Safe Mode to attempt a System Restore. The system locked up on System Restore.

    I restarted again in Safe Mode to attempt to uninstall recent updates manually from the control panel. After successfully removing a few, simply highlighting KB976902 caused the system to lock up.

    Sorry, but I’m with the “malicious software by Microsoft” conspiracy on this one. My computer is currently useless.

    1. Jason

      That really sucks. I feel your pain. But I’m sure Microsoft wasn’t intentionally trying to screw things up.

      It did mention in the update I saw that it couldn’t be removed after installation which is why you couldn’t remove it but it seems odd that it would cause that severe of a problem but not completely unusual. Microsoft has released an update before that caused severe problems on some systems.

  13. Ted Phillips

    Managed to get my system up and running again. It seems that the update has affected the way Windows interacts with my SATA card. By switching the drives using the card to less frequently accessed ones, I have restored system stability.

    I probably have to look for new drivers for my card that are compatible with KB976902, but I’m not hopeful considering it’s not supposed to be released yet, and not even Microsoft knows its release notes…

  14. John

    Thanks for the post on this issue. It’s good to know I wasn’t the only one curious about this to say the least.

  15. Andy

    It’s good to hear about things like this even if they are not big news. I’m not affected as I don’t run Win7, but some of my friends may do so I will let them know about this. Better too much information available than not enough.

  16. GNU|BreadMaker

    Why are you using a system defective by design? There’s something else than Windows (and Mac) out there! The free (free as in freedom) software is better (technically: faster, more stable and 99.99% virus-free; and ethically: protect your freedom). The actual distros allow you to try the system before installing via a Live CD/USB. Inform yourself before saying it’s a conspiracy theory. Seek the truth, and you will find it. Be free, my friend!

    1. Max



      OK you’re smart you use a better OS to your eyes. To me it’s not better, I can’t work in a linux environment, the tools I need for my work are incompatible, limited in its features, or simply not available in linux. I work in graphics design for print…
      last time I installed linux the only free vector design soft that was out there was inkscape… and although it’s pretty good, it’s just miles away from adobe or corel even. I don’t even remember if it supported CMYK, and I’m pretty sure there were no Pantone palettes.

      I just want some of these linux fanatics to understand that world is really more complicated than just a matter of choice between free and proprietary. People have very distinctive needs when using a computer, and the linux community are more interested in developing in say for instance a more secure, stable, etc OS. Which is great.

      And to me windows is not bad, it’s just mean.

  17. Michell Amir

    If this update appears unmarked just like the KB971033, so it’s an optional update. I think this will not really be needed to install SP1, so I say just put it on hide.

  18. Pete

    KB976902 has re-appeared on the list of available updates (for my Windows 7 laptop) released today.
    It’s raised my suspicions about this “Black Hole” update as it was already installed (successfully) in October of last year!

  19. Jose Juan

    “It should be safe to install this relatively harmless update, which is designed in part to help pave the way for Service Pack 1”

    1.- “SHOULD be safe”
    2.- “RELATIVELY harmless update”
    3.- “Designed IN PART to help pave the way…”

    What do all these “more-or-less” statements mean?

    Microsoft sometimes does freak me out.

  20. Ignetiusjrelly

    Installing this update changed my wallpaper. 🙁

  21. Baba

    I wouldn’t be surprised if I heard this blog was created by Microsoft themselves…..

  22. ernstlustig

    Looks like it fixes also a nasty bug preventing Visual Studio’s Help Library Manager installing local help files.

  23. Odys!

    Let’s assume two things:
    1. Kb976902 is completely ok.
    2. Microsoft is a company having a process on delivering updates.
    (both seem true to me)

    Why would M$ “forget” to provide info about it?

    1. It is recommended and not suspicious – If it was indeed, they would have followed the process (enough time to do so, it’s recommended). They didn’t, no documentation, or at least not a detailed one.

    2. It is important and not suspicious, but they forget to mark it as so. If it was, it wouldn’t have passed QA tests. And I am sure those folks on Redmond follow a QA process for their best OS so far.

    3. They have strange reaction, though. They do not provide documentation on BOTH the update and the online article. Why would someone send something as an update and forget or intentionally forget to provide this kind of data?

    The answer to the last one is only one, to me. They want the middle-class computer guys, the one between IT and normal users, to buy a license. This kind of users DO know how to install an unlicensed copy of windows (like IT guys do), but do not have the knowledge (bored, lack of interest or curiosity) to search for the documentation on it, and if they would there is nothing to read. Those poor guys have only the knowledge to avoid “Genuine Advantage…” updates etc. What will they do? Install it.

    M$ spent every single cent on promoting vista and seven. The direct method failed miserably. To me, this is the indirect one.

    Prove me wrong.

  24. Mark

    My name is Mark. I invented this patch and windows 7, bill stole the idea while he was balls deeps in my sister.

  25. jake

    In January 2011 Microsoft has released a NEW similar update with the same number, and after several months, the “new” KB article still says nothing about what EXACTLY this update changes in the Windows update stack. Unlike most updates this update seems to replace every single file in its area of functionality, like they did a complete rebuild from the latest source code without keeping track of what parts contain needed improvements and which ones don’t.

    The files being updated include many key parts of the higher level system management code, including the code to install drivers (but not the MSI engine) and the WMI/CMI system used by current versions of task manager, control panel etc. This increases the risk that bugs in this sloppily released update will wreak havoc on the system and leave the sysadmin unable to recover.

    If the conspiracy theorists are right, then the set of files replaced seem perfectly selected to act like a user mode root kit that conceals and blocks all visibility of some nefarious payload, every user interface that users trust to identify and stop running and/or installed code goes through at least one of those DLLs for its information.

    I say ditch this update until someone has done a full independent (no NDA or other prior agreement with MS) reverse engineering of the changes and published a trustworthy description of what Microsoft changed.

  26. Daffy

    You know… if MS had a really good track record of treating license holders of its products fairly and not ‘excluding’ without permission, the users’ choice of competitive products, there would be very little need for conspiracy theories of what the PC world’s biggest name was up to when they refuse to make all the facts known.
    They have unfortunately taken on the arrogant bureaucratic attitude of the powerful govt’s they’re in bed with… And they continually wonder why people don’t blindly trust everything they say and do.

  27. PK-JIN

    KB976902: Seems like an anti-piracy “attack” again.
    The computer is putting up incessant “You may be a victim of software counterfeiting” false warnings. Blech.
    Update doesn’t work anymore.

Comments are closed.