Microsoft Fixes Broken Security Patch MS14-045

Microsoft re-released MS14-045 today, two weeks after pulling it from Windows Update because the patch was causing system crashes and blue screens of death.

Microsoft today re-released security bulletin MS14-045, which was pulled shortly after the August Patch Tuesday updates because a number of users reported crashes and blue screens. The patch was removed from Windows Update on Aug. 15, three days after it was released as part of Microsoft’s monthly patch cycle.

“As soon as we became aware of some problems, we began a review and then immediately pulled the problematic updates, making these unavailable to download,” said Tracey Pretorius, director, Trustworthy Computing at Microsoft. “We then began working on a plan to rerelease the affected updates.”

MS14-045 patched vulnerabilities in kernel-mode drivers that were rated important by Microsoft because they require valid credentials and local access in order to exploit. Successful exploits could have led to an elevation of privileges on a compromised Windows machine.

Microsoft said at the time that a font issue patched in the update was the culprit causing the reported system crashes. Microsoft said that only a small number of computers were affected. There were other issues with the bulletin, the most serious causing systems to crash and render a 0x50 Stop error message after installation. Users were also seeing “File in Use” error messages because of the font issue in question.

The bugs affect Windows systems all the way back to Windows Server 2003 and all supported desktop versions of Windows. Windows Update users will automatically get the patch; otherwise, Microsoft urges users to install the update.

This month’s updates had a distinct IE feel to them, with another cumulative update patching 26 vulnerabilities in Microsoft’s flagship browser, including a publicly reported vulnerability that is likely being exploited in the wild. All 26 vulnerabilities were rated critical and could be remotely exploited.

The update came on the heels of an announcement at the start of the month alerting users that Microsoft would, in 18 months, no longer support older versions of the browser. With a rash of zero-days and high-profile exploits targeting older versions of IE, such as 6, 7 and 8, Microsoft made it clear that users should use only a current browser with modern memory exploit mitigations built in.

Microsoft also announced it would be blocking older ActiveX controls in Internet Explorer, starting with out-of-date versions of Java, another platform heavily targeted by hackers.

The next scheduled Patch Tuesday security bulletins release is set for Sept. 9.
