Microsoft pulls Patch Tuesday kernel update - MS14-045 can cause Blue Screen of Death

Filed Under: Featured, Microsoft, Vulnerability, Windows

Microsoft has pulled one of its August 2014 Patch Tuesday updates.

MS14-045, which fixes various security holes in the Windows kernel, can cause a Blue Screen of Death (BSoD), thus forcing a reboot.

Apparently, the BSoD is caused by incorrect handling of the Windows font cache file - and because that happens during boot-up, you end up stuck in a reboot loop.

(Yes, MS14-045 requires a reboot after you've applied it.)

The euphemistically-named "bugcheck" number that you'll see if you are affected is: 0x50 PAGE_FAULT_IN_NONPAGED_AREA.

The reason this problem didn't show up in testing is because it only happens under rather specific circumstances,

You need to have one or more OpenType Font (OTF) files, installed in non-standard font directories, that are recorded in the registry with fully-qualified filenames.

A default Windows 8.1 install, for instance, includes only TTF (TrueType Font), TTC (TrueType font Collection) and FON (Windows bitmap FONt) files, recorded without pathnames:

Microsoft has published a workaround that will get you up and running again, but it involves a fair amount of fiddling.

You need to:

  1. Boot from installation media or go into Recovery Mode.
  2. Delete the crash-triggering file %WINDOWS%\system32\fntcache.dat.
  3. Reboot normally, which should now succeed.
  4. Save the registry key (see image above) that enumerates your fonts.
  5. Remove from the registry all OTF font references with pathnames.
  6. Delete %WINDOWS%\system32\fntcache.dat again. (It will have been rebuilt.)
  7. Uninstall the MS14-045 update.
  8. Restore the registry key that enumerates your fonts.
  9. Reboot again.

The sort of font entry you need to remove from the registry, if you have any like it, is shown in an example on Microsoft's Knowledgebase page:

Click for KB2982791...

(Click on the image to jump to Microsoft's how-to guide)

As well as MS14-045, three other Microsoft updates may provoke this problem, so any of the following updates should be removed, if you've installed them, in step 7 above:

  • 2982791 MS14-045: security update for kernel-mode drivers
  • 2970228 New currency symbol for RUB
  • 2975719 Aug 2014 rollup for RT 8.1, 8.1, Server 2012 R2
  • 2975331 Aug 2014 rollup for RT, 8, Windows Server 2012

Unfortunately, and understandably, Patch Tuesday aftershocks of this sort leave sysamdins wondering if they should approach future updates more cautiously.

We regularly urge you to "patch early, patch often," so let's hope Microsoft's patch for the broken patch goes smoothly, lest even those who weren't affected this time get cold feet next month.

, , , , , , ,

You might like

24 Responses to Microsoft pulls Patch Tuesday kernel update - MS14-045 can cause Blue Screen of Death

  1. This is why we patch in phases with a WSUS server.

  2. Jmatt · 74 days ago

    "You need to have or more OpenType Font (OTF) files, installed in non-standard font directories, that are recorded in the registry with fully-qualified filenames."

    The first part of that sentence doesn't seem correct. Specifically "You need to have ___ or more...."

    • Paul Ducklin · 73 days ago

      It originally said "one or more," or was supposed to :-)

      Fixed, thanks.

  3. spookiewon · 74 days ago

    Paul, for me it's not a problem, but for some of the friends I've recommended NS to, it will be. It sure would be nice to have a bit more detail on how to find and save the correct registry key.

    Thanks!

    • Paul Ducklin · 73 days ago

      I didn't want to repeat the (good) detail provided by Microsoft, just to set the scene for the various changes. The registry key is the one shown in the first image:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Fonts\

      If you click on the links that says "Knowledgebase article" (or just click on the second image) you will go to the relevant Microsoft page.

      I've added a note to the article to make it more obvious the image can take you where you need to go...

  4. Steve · 74 days ago

    Thank You !!

  5. Catman · 73 days ago

    That's it for me, next time I buy a PC, it will be running on Linux.

    • The Flying Dutchman · 73 days ago

      If you want, you can switch in a heartbeat at the ubuntu site.
      However, if you're not familiar with installing operating systems, you should enlist the help of someone who is. You could even have both Windows and Linux and get the best of both worlds, so to speak.

    • I hate to burst your bubble but this happens just as often, if not more so in Linux. It's just that due to the relatively small amount of computers affected it doesn't get the same press as it does when it happens to a Microsoft product.

      Now don't get me wrong. I like and use Linux as well as Windows. MS does make enough mistakes that are their own fault. I don't like to see people bash MS for something that really their fault as how are they supposed to test EVERY system prior to releasing an update, especially ones where people have installed things in NON standard locations.

      The last really big Windows Update problem that I remember was caused by HP and a couple of other OEM's using incorrect images to install Windows at the factory. There was no way that MS could have foreseen that, nor should they have had to, but they still got the blame for someone else's screwup in the press.

      • LindaB · 73 days ago

        The could do actual user style testing and not rely solely on scripted testing where the script is written by the developer who wrote the code! That means they are much less likely to test for what ought to be checked for, namely what a user might do that is not quite what the developer thought the design spec said! Developers, in my experience, are the wrong people to be writing tests. The M$ example is liokely to have been missed because they only did scripted testing. Any decent software house will emply specific testers who will check against their understanding of the design spec (which may well be different from the understanding of the coder) and apply the 'user mis-use' logic approch. So they should have real machines that reflect a range of users settings. No excuse for a firm the size of M$.

    • Haha · 73 days ago

      Why wait until you buy a new PC? I thought the strength of Linux, besides being free of initial costs, was the ability to run on most older hardware.

      All you have to do is pick from a gazillion different forks and within those forks you need to pick a version that is stable, simples.

  6. r l · 73 days ago

    Booting into safe mode and system restore should roll back changes? Isn't this the best way? Anyways, it is what i would d should such a thing happen, after all, if i did have BSOD then i would not be reading this and would be acting on past experience before researching the problem in full

  7. Mike Smith · 73 days ago

    I think this sort of bug (i.e. one that causes a crash at bootup) is inexcusable. I pity the ordinary user without a PhD in Computer Science or a system administrator with 500 PCs that he/she has to now manually fix.

    This reminds me of a trial version of Visual Studio I tried from a magazine CD. I installed it and it caused a BSOD on reboot. It turned out that a DLL used by Windows OS had been split into 2 DLLs and one of the new DLLs had the version number like 0.0.1! This did not get installed, but the other DLL did. This meant many of the DLL functions vanished from the system. Unfortunately, this was a DLL used by the OS. After hours of struggle and copying the old DLL files from another PC I managed to fix it.

    Catman, you can run Linux on your PC now - no need to wait!

    • Haha · 73 days ago

      You are complaining about Windows when the DLL issue you are describing happened because you installed an application from a CD you ripped out of a magazine...

      There unfortunately is not an OS in existence that can prevent PEBKAC errors.

  8. Cliff Jones · 73 days ago

    It pays to be lazy. I've put off doing MS updates for about a week after patch Tuesday, exactly for this sort of problem. It wasn't long ago I recall a similar "recall," I saved myself a ton of work on that one, and perhaps with this one, too.

    I know some of the proprietary apps my customers use install fonts of their own, not sure if they'd meet the "requirements" for the BSOD.

    I know it's 'dangerous' to not patch right away, because now the info regarding a given weakness is publicly known can be exploited. That's where IDS/IPS comes into play. If I notice a spike in traffic seemingly aimed at a potentially unpatched exploit, I'll get on it and do the patch.

    That is if that scenario ever plays out. So far, waiting a week to do MS updates hasn't caused any problems but HAS prevented a few.

    I can't imagine having to do the steps described above on dozens upon dozens of machines. This one sounds like a nightmare.. exporting show-stopping registry keys? Ouch!

  9. PaulD · 73 days ago

    I updated 4 Windows SBS 2011 servers over the week-end and fortunately none of them sufferred a BSOD! However, looking at the Microsoft Article (and here), there are a number of entries in the registry as described. Do I

    1 - Follow the steps 1-9 above
    2 - Do nothing
    3 - Simply uninstall the MS14-045 update (CP, P&F, find path and click uninstall button)

    • Paul Ducklin · 71 days ago

      The reason for the lengthy "steps 1-9" list if if you can't do 2 or 3 because you're stuck in a BSoD reboot-loop :-)

      Presumably if you aren't affected now, and you don't install any more fonts until after the patch to the patch is ready, you'll be OK...

  10. PaulD · 73 days ago

    ps - KB2982791 is installed

  11. chris · 73 days ago

    I'm still not clear if EVERYONE should uninstall the updates or only users who are having problems or have OTF font files.

    "You need to have one or more OpenType Font (OTF) files, installed in non-standard font directories, that are recorded in the registry with fully-qualified filenames."

    Is there a method to determine if I meet these requirements for a potential BSOD?

  12. Another patch that was pulled from this round was KB2881011 - This update is for Outlook 2013 and breaks access to archive mailboxes on Exchange 2013 or Office 365/Exchange On-line.

  13. Robert Brereton · 73 days ago

    This appears to have been caused by having Photoshop Elements 11 installed, which places font shortcuts in the font directory. So not all MS's fault.

  14. daisycrazy · 73 days ago

    Dang, dang, dang. My computer is on its way to Best Buy's extended warranty department 900 miles away to have the hard drive replaced. I got the blue screen of death Saturday morning when I rebooted and there was no way out of the loop. You cannot begin to imagine my frustration and inconvenience!

  15. DougCuk · 72 days ago

    Microsoft may have identified one trigger for the 0x50 crash - but I have a customer whose system went down and do NOT have any OTF fonts registered. They have Win7 64bit and all fonts are located in the Windows Fonts folder - none have explicit path to any location.

    Initial reports said the error could be triggered by a "corrupted" FNTCACHE.DAT file - and that deleting this file allowed you to boot the computer. I assume this FNTCACHE "corruption" is due to the inclusion of the non-standard directory paths of these OTF fonts.

    I can only assume that other types of unexpected entries in the FNTCACHE data can also cause the 0x50 crash.

    • Paul Ducklin · 71 days ago

      Problem with having only "STOP 0x50" to go on is that it might have nothing to do with the font cache, or even the MS14-045 update :-(

      Did you follow the recovery procedure? If deleting the fntcache file alone causes the reboot loop to stop once, but it then returns, you can indeed probably blame MS14-045 (and uninstalling it will be a confident workaround), otherwise there might be yet another cause.

      Did the problem stop when you removed the MS14-045 patch?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog