Microsoft is investigating a potentially faulty Windows security update that is causing some systems to crash, and is removing the download links to the updates until it can determine what is causing the error.
The troubled update was pushed out last week as part of Microsoft's August Patch Tuesday round of security updates, in which the company fixed 37 vulnerabilities across its product lines. MS14-045 addresses three vulnerabilities in the Windows kernel, one of which could be used by cybercriminals to elevate privileges as part of a second stage of an attack.
The company is urging users to uninstall the update while it investigates the matter.
"Microsoft is investigating behavior in which systems may crash with a 0x50 Stop error message … This condition may be persistent and may prevent the system from starting correctly," the software maker said in a support page message for the security bulletin updated on Aug. 16. "Microsoft has removed the download links to these updates while these issues are being investigated."
The security update impacts all currently supported versions of Windows, as well as Windows Server 2003, 2008 and 2012. Microsoft also lists two other known issues with the update, in which system fonts render incorrectly or are installed in a location other than the default fonts directory.
Large businesses typically have policies in place to thoroughly test security patches before deploying them in the production environment, said Rob Kraus, director of research at Omaha, Neb.-based managed security services provider, Solutionary, a subsidiary of NTT Group. Adequate testing of system patches has been a challenge for small and midsize businesses, which have limited resources, he said.
"Most organizations don't have a policy or some sort of procedure in place to deploy patches or fix a major vulnerability," Kraus said. "If you don't have policy and procedure in place to test patches that go out, there's a myriad of problems where things could go wrong, and this is a prime example of that."
Until Microsoft engineers fix and reissue the faulty patch, solution providers say users remain exposed to the vulnerabilities. The security bulletin impacts a wide range of systems and theoretically could be used in a second stage of an attack to elevate privileges and pivot to more sensitive resources, said Kraus.
"The fact is that the patch is causing systems to crash so in this case the identified security hole is left open until they can fix it to stop making blue screens," Kraus said.
The Windows kernel update was issued alongside six other bulletins rated "important" in Microsoft's August Patch Tuesday. Microsoft issued nine security updates, including two critical security bulletins affecting users of SQL Server, OneNote, SharePoint, .NET, Windows and Internet Explorer.
Microsoft repaired 25 vulnerabilities in Internet Explorer, including a critical remote code execution error that could be used by an attacker to take complete control of a victim's machine. The update impacts all supported versions of Internet Explorer.
The other critical bulletin addresses a serious vulnerability in Microsoft Media Center that could be used by an attacker to elevate privileges. Microsoft said it has no reports of attacks targeting the flaws addressed in either critical bulletin.
PUBLISHED AUG. 18, 2014