Microsoft announced last night that it has stopped pushing a security update originally released on Patch Tuesday because the fix is causing some PCs to blue screen. Microsoft recommends users uninstall the patch, which is also causing compatibility with some endpoint security software.
“We’ve determined that the update, when paired with certain third-party software, can cause system errors,” said Trustworthy Computing group manager Dustin Childs.
MS13-036 was part of this week’s Patch Tuesday update. It addressed three vulnerabilities in the Windows Kernel-Mode Driver, which if exploited could allow an attacker to elevate their privileges on a compromised machine.
Microsoft rated the vulnerabilities “important” because an exploit would require an attacker to have physical access to a computer. The faulty update does not result in any data loss for users, Childs said, adding that only update 2823324 has been removed from the Windows download center, and the remainder of MS13-036 is still available.
Users began reporting issues earlier this week with some systems failing to recover from restarts, or applications failing to load, after the patch was installed.
The MS13-036 update was supposed to patch two separate race condition vulnerabilities (CVE-2013-1238 and CVE-2013-1292) and a NTFS NULL pointer deference vulnerability (CVE-2013-1293) that lead to privilege escalation for attackers. The update also addresses a font parsing vulnerability (CVE-2013-1291) that could lead to crashes and a denial-of-service condition.
This week’s Patch Tuesday release was relatively light with two critical bulletins and nine overall addressing 14 vulnerabilities. Notably missing were patches for the vulnerabilities in Internet Explorer 10 exploited during the Pwn2Own contest last month at the CanSecWest Conference.
Researchers from VUPEN were able to exploit a fully patched version of IE 10 on a Windows 8 machine. Up-to-date versions of Google Chrome and Mozilla Firefox were also hacked during the contest; Google and Mozilla had patches pushed out to users within 24 hours.
Childs said in an email to Threatpost on Tuesday that Microsoft was investigating possible issues identified by VUPEN.
“We are not aware of any attacks and the issues should not affect our customers as Pwn2Own organizers do not publicly disclose the competition’s findings,” Childs said.
Chaouki Bekrar, CEO and head of research at VUPEN, acknowledged that Microsoft does extensive compatibility tests that lead to delays in releasing updates, but added that the window of exposure is serious, regardless of the lack of publicly available exploit details.
“As Microsoft has the full details of all these flaws and patches are still missing, there is a chance that criminals discover the same vulnerabilities and exploit them to compromise critical systems,” Bekrar told Threatpost. “I’m not surprised about the delays; Microsoft had always been very slow in fixing reported vulnerabilities as they have very strict QA tests in place to avoid regressions.”
VUPEN brought eight zero-day exploits to Pwn2Own, Bekrar said, and used four of them against Microsoft products. One IE exploit used against Microsoft Surface Pro is a memory corruption bug that affects all versions from 6-10 on all Windows versions from XP to Windows 8. The second, also used against Surface, is a sandbox-bypass against IE 10 and prior. The third was an Adobe Flash zero-day exploit used to beat the sandbox in IE 9. The final exploit took advantage of a design error in Windows, Bekrar said, and enabled his team to bypass ASLR protections via a Firefox exploit.
Microsoft, however, did issue another cumulative update for IE this week that patches two critical remote code execution use-after free flaws in versions 6-10 the browser. Both may corrupt memory and enable an attacker to run malicious code on a compromised machine. Another bulletin, rated critical, patched remote code execution flaws in Microsoft Remote Desktop Client.