Microsoft reissued a security update Wednesday after pulling it from distribution to investigate reports that it had caused problems for some users, including the notorious "Blue Screen of Death" condition.
The faulty update originally was pushed out Aug. 12 as part of the Redmond, Wash.-based software maker's regular Patch Tuesday round of security patches for its products. The security bulletin MS14-045 addressed three vulnerabilities in the Windows kernel, one of which could be used by cybercriminals to elevate privileges as part of a second stage of an attack.
Once the update was applied, however, the patch caused some systems to crash in the Blue Screen of Death condition. Other users reported incorrectly rendered system fonts or fonts that failed to load into an active session. When CRN asked about the update, a Microsoft spokesperson issued a statement from Tracey Pretorius, director of Microsoft Trustworthy Computing, urging users to apply the update. Instructions are available for users of Windows 7, 8 and 8.1 to repair the Blue Screen 0x50 Stop error message condition.
"A small number of customers experienced problems with a few of the updates. As soon as we became aware of some problems, we began a review and then immediately pulled the problematic updates, making these unavailable to download," Pretorius said in a statement on the company's Security Response Center blog. "We then began working on a plan to re-release the affected updates."
August was the first month that the company had issued performance and experience improvements along with security updates on the second Tuesday of each month, Pretorius said. It eliminates the process of bundling together improvements into a larger update. In addition to the privilege escalation vulnerability, MS14-045 also supported a currency symbol for the Russian ruble in Windows.
The Windows kernel update was among six other bulletins rated "important" in Microsoft's August patching cycle. Microsoft fixed 37 vulnerabilities across its product lines, with most of the coding errors being addressed in its Internet Explorer browser.
Solution providers say one of the performance or feature improvements could have triggered the broken updates. Organizations should be testing patches thoroughly in a nonproduction environment before fully applying them. But small and midsize businesses often don't have the resources to fully test patches, said Rob Kraus, director of research at Omaha, Neb.-based managed security services provider Solutionary, a subsidiary of NTT Group.
If solution providers don't assist with the patching each month, the businesses risk applying updates that could create errors in custom applications or create new weaknesses in custom configurations for their environment, Kraus said.
"This has been a longstanding issue and something that is challenging to all organizations," Kraus said.
If a patch causes errors, organizations can choose to simply ignore it and accept the risk, or apply workarounds that would thwart an exploit attempting to target the vulnerability, Kraus said.
The Blue Screen of Death is a fatal system error that has been in every version of Windows since Windows 3.1. Microsoft has pulled security updates that break critical Windows system processes in the recent past. In 2010, the software maker turned off the Automated Update mechanism while its engineers investigated a patch that caused the Blue Screen of Death condition in Windows XP.
PUBLISHED AUG. 28, 2014