threatpost | Michael Mimoso | THREATPOST:2D616CF8D8ED2AEB6805F098560269CB
Aug 18, 2014 - 3:07 p.m.

Microsoft to Fix Broken Patch Tuesday Security Update


Microsoft is still hammering away at a fix for a security update released last week that caused a small number of computers to crash and blue screen.

“We are aware of some issues related to the recent updates and we are working on a fix,” a Microsoft representative today told Threatpost.

MS14-045 was released as part of the August 2014 Patch Tuesday security updates. It patched three vulnerabilities that could allow an attacker to elevate privileges on a compromised Windows machine.

Almost immediately, users began reporting blue screens of death. Microsoft on Friday pulled part of the update related to a font issue that was the culprit.

Microsoft confirmed three known issues with the bulletin. The most serious occurs when systems crash with a 0x50 Stop error message after MS14-045 is installed. The two other items are related to fonts either not rendering correctly, or presenting a “File in Use” error message.

Microsoft has provided a few temporary mitigations until the update is fixed and re-released.

MS14-045 patched vulnerabilities in kernel-mode drivers that were rated important by Microsoft because they require valid credentials and local access in order to exploit.

The bugs affect Windows systems all the way back to Windows Server 2003 and all supported desktop versions of Windows.

The faulty update was one of nine bulletins released by Microsoft last week. The updates patch 26 vulnerabilities including a publicly reported bug in Internet Explorer. All of the IE bugs were rated critical and could lead to remote code execution.

Windows admins have to contend with a number of upcoming changes related to IE as well. Microsoft also recently put the word out that users had 18 months to migrate to the latest version of Internet Explorer for their respective versions of Windows before support would end. That would mean no more security updates for IE 6-8, older versions of the browser that lack built-in memory protections, which makes them attractive targets for hackers and exploits.

The company followed that up last week with news that it would begin blocking older ActiveX controls in IE, starting with outdated versions of Java. That began last Tuesday, Microsoft said.