Buggy McAfee update whacks Windows XP PCs
McAfee's popular antivirus software failed spectacularly on Wednesday, causing tens of thousands of Windows XP computers to crash or repeatedly reboot.
A buggy update that the company released early in the day turned the software's formidable defenses against malicious software inward, prompting it to attack a vital component of Microsoft Windows. The update was available for business customers for about four hours before distribution was halted, McAfee said.
The damage was widespread: the University of Michigan's medical school reported that 8,000 of its 25,000 computers crashed. Police in Lexington, Ky., resorted to hand-writing reports and turned off their patrol car terminals as a precaution. Some jails canceled visitation, and Rhode Island hospitals turned away non-trauma patients at emergency rooms and postponed some elective surgeries.
Intel was also hit by McAfee's bungled update, a source inside the company confirmed to CNET. The source said that all of Intel's computers inside the United States ran McAfee and that many were affected, but the source didn't know how many or whether the problem affected the company's factories.
The update released at 6 a.m. PT effectively redirected the PC's immune system, causing it to attack a legitimate operating system component known as SVCHOST.EXE in the same way that some diseases can cause the human immune system to turn inward. In this case, McAfee's application incorrectly confused it with malware known as the W32/Wecorl.a virus.
McAfee apologized to customers for the problem, which seemed to affect primarily Windows XP computers running Microsoft's Service Pack 3, but downplayed its impact. "We are not aware of significant impact on consumers," the company said in a statement sent to CNET at 2 p.m. PT.
Screen snapshot of CNET News editor's computer in Portland after McAfee was causing her computer to reboot. (Credit: CNET)

That didn't endear the company to the enterprise users who were the most affected by the update, especially system administrators who were forced to trek from computer to computer and manually install the repair that McAfee had made available by midday. It's not clear how many customers were affected, and a McAfee representative said she did not have an update. (Here's a related CNET article on how to fix your McAfee-crippled PC.)
Tech-related mailing lists soon began buzzing with complaints. And the condemnation on Twitter was unrelenting, with Sonny Hashmi, the deputy chief information officer of the District of Columbia, calling it a "huge disruption," adding that McAfee is now on his "blacklist." An engineer in San Francisco said that, thanks to McAfee, "the wait at my work is two days and growing to get your laptop back." Others complained that, approximately six hours after the problem was known, McAfee has yet to post a note on the home page--which currently boasts of "technology to supercharge your network security."
A CNET editor in Portland, Ore., was affected Wednesday morning when the update caused her computer to lose network and Internet connections and McAfee prevented her from launching programs or uninstalling it.
A report at the Internet Storm Center said the errant McAfee update registered a false positive that flagged the Windows file SVCHOST.EXE as a virus.
Compounding what seems to be a day of snafus for the Santa Clara, Calif.-based company was its initial recommendation that users encountering the problem download a file from a McAfee support site. But after tens of thousands of irate users flooded into the forums, the site abruptly went offline and began to return an error message.
McAfee has posted a Web page on a separate site with detailed instructions on how to fix XP computers that have been crashing because of Wednesday's update. It recommends manually downloading and installing an "EXTRA.DAT" file and then restoring files that have been incorrectly quarantined.
But that option requires at least a modest amount of technical ability, and as of 4 p.m. PDT, the company had not offered a better way. "McAfee is continuing to work on an automated solution," the page said.
Last update 10:20 p.m. PT: McAfee has posted a statement saying that the problem affected "one half of 1 percent of our enterprise accounts globally and a fraction of that" among home users. Another post from Barry McPherson, executive vice president for customer service, apologizes for the snafu and says: "Mistakes happen. No excuses." And it looks like the company has posted some more details about how SVCHOST.EXE was targeted.
* Suck it down, WinTards! My {Mac || Linux Box} rocks!
* ha-ha! I have (insert some other A/V solution here)!
* What? I've used Windows for full geological eons without A/V, and I've NEVER, EVER been infected! Ever!
* Upgrade to Windows 7! It's great! It rocks! (or some variation of "please spend your money and bolster Microsoft's bottom line so we have some bragging points come the next fiscal quarter... please?")
* (I will save this article, then use it to blame anyone but Microsoft whenever Microsoft itself screws the pooch in some programmatic or performance fashion).
Cheers!
* Why should I care that my Windows machine is down/dead? I get paid by the hour sitting at a malfunctioning machine doing nothing productive! HAHAHAHA!
[CNET editor's note: Offensive content deleted]
Avast + upgrade from XP
I will save this article, then use it to blame, smear or otherwise promote FUD against Microsoft whenever Microsoft does something good and I want to cast doubt. I must preserve my prediction at all costs that Microsoft is on the downhill slide to irrelevancy.
As a web developer it's not really my job to do the IT work but part of my job specs is to make sure the website is secure, so I obviously keep track of what's happening.
Can you believe they had the cheek to say "how the hell did you know when I didn't" - I think I should have asked that question in reverse.
What a contrived way to say that the machine automatically reboots 60 seconds after login over and over and over.
Evidently, McAfee has decided not to regression test on Windows XP anymore.
They need to tell the lawyers to go stuff themselves, drop the spin, admit they royally screwed up, and then bend over backwards to correct. Otherwise, I am sure there will be several Enterprise customers shopping for a new A/V solution by Monday.
Vicious cycle.
--Sam
Kaseya is quite good as part of a managed services offering.
Forefront is good too (scanning engine is better and better...and unobtrusive)
At least, if these products ever do something as asinine as what McAfee does on a nearly-yearly basis, you won't have been paying through the nose for it.
On my personal PCs, I stopped getting viruses and losing data when I stopped using McAfee and Norton 10 years ago (oddly, the two most touted AV programs by internet forums that know nothing about how to rate a product... eh hem... nudge nudge...).
I hope my company holds McAfee financially liable and learns which websites consider historical results instead of under-the-table-payoffs in their reviews of such software. I know... maybe we need another iPad article, that should fix everything...
I can't blame anyone using Sophos, McAfee or Trend. They don't even have a choice.
awesome
2) Go and delete the dat file from epo
3) Force update the 5959 DAT (can be done from dashboard)
4) Select all systems, and force a SuperWakeup once the 5959 dat has been downloaded. That should start pushing out the dat... Hopefully it fixes everything.
My major concern would be how to smoothly restore machines that have already been affected back to full functioning.
This isn't the first time this has happened. AV developers are getting sloppy lately. Unacceptable. Yes, scanners need to look at and occasionally deal with infections in win32.dll and svchost, but any act that may affect those files should be THOROUGHLY tested through QA before release.
I wrote up some removal instructions here:
http://www.adfrad.com/2010/04/fixing-mcafee-w32wecorla-false-alerts.html
Good luck everyone!
by copying svchost from a good xp computer and pasting into the "damaged one"
then deleting the avv files from c:\program files\common files\mcafee\engine (shift delete)
that was for the first set of problem computers.
the other set we fixed by grabbing the extra.dat file from McAfee website and pasting it into c:\program files\common files\mcafee\engine
(my back hurts) and my head!
My fix on each pc after rolling back dat update in EPO and stopping repository scheduled pulls...
1) Restart into safe mode command prompt.
2) Navigate (cd) to c:\program files\common files\mcafee\engine\oldengine
3) copy av*.dat ..
4) Navigate to windows directory
5) copy svchost.exe from the %windir%\ServicePackFiles\i386 to %windir%\system32
6) reboot
Now, I'm waiting for McAfee for a reasonable explanation for how this happened, and why I should renew my company's grant.
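
The safe-mode steps in the comment above (roll back to the DATs in `oldengine`, then put `svchost.exe` back from `ServicePackFiles`), written out as a batch file with the checks an administrator would want before rebooting. This is an added example, not the commenter's or McAfee's script; it assumes the default install paths quoted in the comments and, as an assumption of this example, only restores `svchost.exe` when it is missing so that a newer patched copy is not overwritten.

```bat
@echo off
rem Added example, not from the original page. Run from a Safe Mode command
rem prompt after the bad DAT has been rolled back centrally (ePO), as described.
setlocal
rem Paths as quoted in the comments; default install locations are assumed.
set "ENGINE=%ProgramFiles%\common files\mcafee\engine"
set "GOOD=%windir%\ServicePackFiles\i386\svchost.exe"
set "LIVE=%windir%\system32\svchost.exe"

rem Steps 2-3: copy the previous DAT set from oldengine back into the engine dir.
if not exist "%ENGINE%\oldengine\av*.dat" (
    echo No av*.dat found in "%ENGINE%\oldengine"; DAT files left untouched.
    goto fail
)
copy /y "%ENGINE%\oldengine\av*.dat" "%ENGINE%\" || goto fail

rem Steps 4-5: restore svchost.exe from the service-pack cache if it was removed.
if exist "%LIVE%" (
    echo svchost.exe is present in system32; not overwriting it.
    goto done
)
if not exist "%GOOD%" (
    echo No cached copy at "%GOOD%"; take svchost.exe from a known-good XP machine.
    goto fail
)
copy "%GOOD%" "%LIVE%" || goto fail

rem Byte-for-byte comparison so a truncated copy is caught before the reboot.
fc /b "%GOOD%" "%LIVE%" >nul || goto fail

:done
echo Repair steps completed. Reboot the machine (step 6).
endlocal & exit /b 0

:fail
echo Repair did not complete; fix the reported problem before rebooting.
endlocal & exit /b 1
```

The non-zero exit code on failure lets a technician working through many machines see at a glance which ones still need the EXTRA.DAT route mentioned in the article.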