The Inquirer-Home

Microsoft pulls Patch Tuesday update causing blue screen of death

Gives users a fiddly complex workaround
Mon Aug 18 2014, 11:27

SOFTWARE BUG FACTORY Microsoft has told users to uninstall one or more parts of its August Patch Tuesday release after it emerged that updates were causing system crashes.

The Redmond firm warned installers that MS14-045, which fixes various security holes in the Windows kernel, can cause a Blue Screen of Death (BSoD), thus forcing a reboot.


The issue arose on Microsoft's community forum with a post from a member named Xformer complaining of a "blue screen after applying update KB2982791 to Windows 7 Home Premium 64 bit".

Xformer explained that in applying all of the updates of August Patch Tuesday, installation went smoothly, but when he shut down his notebook and switched it on a little later it came up with a blue screen with a Stop 0x50 in Win32k.sys.

"I could not even boot into safe mode as Windows failed to start no matter which mode I chose," Xformer said. "I restored from a backup, installed the updates again and same effect."

There are now 42 pages on the forum of users complaining of the same bug.

Security firm Sophos said the BSoD is caused by incorrect handling of the Windows font cache file, and because that happens during boot-up, it leads to a reboot loop.

"The euphemistically-named 'bugcheck' number that you'll see if you are affected is: 0x50 PAGE_FAULT_IN_NONPAGED_AREA. The reason this problem didn't show up in testing is because it only happens under rather specific circumstances," explained Sophos in a security blog post.

"You need to have one or more Open Type Font (OTF) files, installed in non-standard font directories, that are recorded in the registry with fully-qualified filenames."

Microsoft was quick to respond to the issue, telling users to fiddle around with the registry and uninstall the update. The firm posted a workaround on its support forum to get systems affected by the bug up and running again, although it's not entirely straightforward. To complete the uninstall, users need to go into Recovery Mode, delete the crash-triggering file %WINDOWS%\system32\fntcache.dat, and reboot normally, which should succeed.

Once the system has rebooted to the home screen, users then need to save a registry key that enumerates their system fonts, remove from the registry all Open Type Font (OTF) references with pathnames, then delete %WINDOWS%\system32\fntcache.dat again.

It's only then that users can uninstall the MS14-045 update. Once done, the registry key that enumerates fonts can be reinstalled and the system rebooted again. All should be back to normal.

MS14-045 is not the only culprit. According to Sophos, three other Microsoft updates might also provoke this problem, so any of the following updates should be removed if they have been installed: 2982791 (MS14-045), a security update for kernel-mode drivers; 2970228, a new currency symbol for RUB; 2975719, an August 2014 rollup for RT 8.1, 8.1; and 2975331, an August 2014 rollup for RT, 8, Windows Server 2012.
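The trigger condition Sophos describes and the update list above can be checked on a machine before it is rebooted. The following read-only PowerShell sketch is an added example, not code from Microsoft, Sophos or the article; it assumes the system fonts are enumerated under the standard `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts` key (the article mentions the key without naming it), and the function names and sample font paths are hypothetical.

```powershell
# Read-only check: reports exposure, changes nothing on the system.
# Assumption: fonts are enumerated under the standard Fonts key below
# (the article refers to this key but does not name it).
$FontsKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'
$StdFontDir = Join-Path $env:windir 'Fonts'
# KB numbers as listed in the article.
$SuspectKBs = 'KB2982791', 'KB2970228', 'KB2975719', 'KB2975331'

function Test-RiskyFontEntry {
    param([string]$Value)
    # Condition quoted from Sophos: an OTF file recorded with a fully-qualified
    # filename (drive-letter or UNC path) rather than a bare file name.
    return ($Value -match '\.otf$') -and ($Value -match '^(?:[A-Za-z]:\\|\\\\)')
}

function Get-RiskyFontEntry {
    param([string]$Key = $FontsKey)
    $regKey = Get-Item -Path $Key
    foreach ($name in $regKey.GetValueNames()) {
        $value = [string]$regKey.GetValue($name)
        if (Test-RiskyFontEntry $value) {
            New-Object PSObject -Property @{
                Font            = $name
                Path            = $value
                OutsideFontsDir = ((Split-Path $value -Parent) -ne $StdFontDir)
            }
        }
    }
}

# Constructed sample values (not from the article) showing what the test flags.
'C:\MyFonts\Example.otf', 'Example.otf', 'arial.ttf' | ForEach-Object {
    '{0,-24} risky={1}' -f $_, (Test-RiskyFontEntry $_)
}

# Live check: which of the listed updates are present, and which fonts match.
$installed = @(Get-HotFix -Id $SuspectKBs -ErrorAction SilentlyContinue |
               ForEach-Object { $_.HotFixID })
$risky = @(Get-RiskyFontEntry)

if ($installed.Count -gt 0) { "Listed updates installed: $($installed -join ', ')" }
else { 'None of the listed updates are installed.' }

if ($risky.Count -gt 0) {
    'OTF fonts registered with fully-qualified paths:'
    $risky | Format-Table Font, Path, OutsideFontsDir -AutoSize
} else { 'No OTF fonts registered with fully-qualified paths.' }
```

A machine that reports both a listed update and at least one flagged font matches the circumstances Sophos describes and is a candidate for the uninstall procedure above.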

"We regularly urge you to 'patch early, patch often,' so let's hope Microsoft's patch for the broken patch goes smoothly, lest even those who weren't affected this time get cold feet next month," added Sophos.

On Tuesday, Microsoft issued nine bulletins covering a total of 41 vulnerabilities across its software products for its August Patch Tuesday release. This included two "Critical" patches addressing zero-day flaws in Internet Explorer (IE) versions IE6 to IE11 and Adobe Flash.

The IE security update resolves one publicly disclosed and 25 privately reported vulnerabilities in Internet Explorer, making a total of 26 patched vulnerabilities.

The second priority fix for this Patch Tuesday came from Adobe with the "Critical" update APSB14-19 for Adobe Reader. That addresses one vulnerability that is seeing limited targeted attacks in the wild. µ

 
