A security update from Patch Tuesday can potentially lead users to a crash, Microsoft officials said.
After systems ended up updated, users reported being a victim of the “blue screen of death” (BSOD) after installing update KB2982791 (MS14-045).
MS14-045 fixes three Windows kernel-mode driver vulnerabilities that could end up exploited by a local authenticated attacker to escalate privileges by running a specially crafted application. Microsoft said there are three issues with this update: Fonts not installed in the default directory, fonts do not render correctly, and the system could crash with a 0x50 Stop error message (bugcheck).
The system crash and the font rendering issue can also occur if the KB2970228 (new Russian Ruble currency symbol), the KB2975719 (August 2014 update rollup for RT 8.1, 8.1, and Server 2012 R2) or the KB2975331 (August 2014 update rollup for RT, 8, and Server 2012) updates have undergone installation.
“Apparently, the BSoD is caused by incorrect handling of the Windows font cache file — and because that happens during boot-up, you end up stuck in a reboot loop,” said Sophos’ Paul Ducklin in a blog post. “The euphemistically-named ‘bugcheck’ number that you’ll see if you are affected is: 0x50 PAGE_FAULT_IN_NONPAGED_AREA.
Ducklin aid Microsoft missed the bug in testing because it triggers only in specific circumstances.
“You need to have one or more OpenType Font (OTF) files, installed in non-standard font directories, that are recorded in the registry with fully-qualified filenames,” Ducklin said.
While the flaws are under investigation, Microsoft removed the download links to affected updates. The company has also published a workaround, but it may be tricky to apply.
For the workaround, users need to:
1. Boot from installation media or go into Recovery Mode.
2. Delete the crash-triggering file %WINDOWS%\system32\fntcache.dat.
3. Reboot normally, which should now succeed.
4. Save the registry key (see image above) that enumerates your fonts.
5. Remove from the registry all OTF font references with pathnames.
6. Delete %WINDOWS%\system32\fntcache.dat again. (It will have been rebuilt.)
7. Uninstall the MS14-045 update.
8. Restore the registry key that enumerates your fonts.
9. Reboot again.
The security bulletins released on August 12 addressed 37 vulnerabilities affecting Windows, Internet Explorer, .NET, SQL Server, OneNote, Office, SharePoint and other software.