Microsoft pulls Patch Tuesday kernel update – MS14-045 can cause Blue Screen of Death


Microsoft has pulled one of its August 2014 Patch Tuesday updates.

MS14-045, which fixes various security holes in the Windows kernel, can cause a Blue Screen of Death (BSoD), thus forcing a reboot.

Apparently, the BSoD is caused by incorrect handling of the Windows font cache file – and because that happens during boot-up, you end up stuck in a reboot loop.

(Yes, MS14-045 requires a reboot after you’ve applied it.)

The euphemistically-named “bugcheck” number that you’ll see if you are affected is: 0x50 PAGE_FAULT_IN_NONPAGED_AREA.

The reason this problem didn't show up in testing is that it only happens under rather specific circumstances:

You need to have one or more OpenType Font (OTF) files, installed in non-standard font directories, that are recorded in the registry with fully-qualified filenames.

A default Windows 8.1 install, for instance, includes only TTF (TrueType Font), TTC (TrueType font Collection) and FON (Windows bitmap FONt) files, recorded without pathnames:

Microsoft has published a workaround that will get you up and running again, but it involves a fair amount of fiddling.

You need to:

  1. Boot from installation media or go into Recovery Mode.
  2. Delete the crash-triggering file %WINDOWS%\system32\fntcache.dat.
  3. Reboot normally, which should now succeed.
  4. Save the registry key (see image above) that enumerates your fonts.
  5. Remove from the registry all OTF font references with pathnames.
  6. Delete %WINDOWS%\system32\fntcache.dat again. (It will have been rebuilt.)
  7. Uninstall the MS14-045 update.
  8. Restore the registry key that enumerates your fonts.
  9. Reboot again.
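The condition described above (OTF files recorded in the registry with pathnames) can be checked against the font key saved in step 4. The following is an added example, not code from the original article or from Microsoft: it parses the text of a regedit export and lists the OTF entries that carry a pathname. The function names, the sample font entries and the placeholder key name are constructed for illustration.

```python
import ntpath
import re

# One REG_SZ line of a regedit export: "value name"="string data"
_REG_SZ = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def _unescape(s):
    # .reg files write a backslash as \\ and a double quote as \"
    return re.sub(r'\\(.)', r'\1', s)

def parse_font_export(text):
    """Return {font name: file data} for every string value in the export."""
    fonts = {}
    for line in text.splitlines():
        m = _REG_SZ.match(line.strip())
        if m:
            fonts[_unescape(m.group(1))] = _unescape(m.group(2))
    return fonts

def otf_entries_with_path(text):
    """Font entries matching the crash condition: OTF file recorded with a path."""
    hits = {}
    for name, data in parse_font_export(text).items():
        is_otf = data.lower().endswith(".otf")
        # Assumption: any drive or directory component counts as a pathname.
        has_path = ntpath.basename(data) != data
        if is_otf and has_path:
            hits[name] = data
    return hits

# Constructed sample export; the key name is a placeholder, not a real key.
SAMPLE = r'''Windows Registry Editor Version 5.00

[<font list key saved in step 4>]
"Arial (TrueType)"="arial.ttf"
"Cambria & Cambria Math (TrueType)"="cambria.ttc"
"Courier 10,12,15"="COURE.FON"
"Example Sans (OpenType)"="C:\\Program Files\\ExampleApp\\Fonts\\ExampleSans.otf"
"Example Serif (OpenType)"="ExampleSerif.otf"
"Example Mono (TrueType)"="D:\\Fonts\\ExampleMono.ttf"
'''

if __name__ == "__main__":
    for name, data in otf_entries_with_path(SAMPLE).items():
        print(f"{name}: {data}")
```

A real regedit export is normally UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to these functions.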

The sort of font entry you need to remove from the registry, if you have any like it, is shown in an example on Microsoft’s Knowledgebase page, KB2982791.

As well as MS14-045, three other Microsoft updates may provoke this problem, so any of the following updates should be removed, if you’ve installed them, in step 7 above:

  • 2982791 MS14-045: security update for kernel-mode drivers
  • 2970228 New currency symbol for RUB
  • 2975719 Aug 2014 rollup for RT 8.1, 8.1, Server 2012 R2
  • 2975331 Aug 2014 rollup for RT, 8, Windows Server 2012

Unfortunately, and understandably, Patch Tuesday aftershocks of this sort leave sysadmins wondering if they should approach future updates more cautiously.

We regularly urge you to “patch early, patch often,” so let’s hope Microsoft’s patch for the broken patch goes smoothly, lest even those who weren’t affected this time get cold feet next month.