Microsoft ships replacement patch KB 2993651 with two known bugs

Microsoft re-releases botched MS14-045/KB 2982791 'Blue Screen 0x50' patch, buries tip to manually uninstall first patch, and introduces more problems

1 2 3 Page 2
Page 2 of 3

It's amazing to me that Microsoft recommends -- in a dusty corner of an obscure document -- that people who were bitten by KB 2982791 need to go in and manually uninstall it. We're talking about a bad patch that Microsoft spread through the Auto Update mechanism for almost four days. Why the new patch, KB 2993651, doesn't uninstall the bad old patch absolutely blows my beleaguered mind. I don't know for sure and Microsoft isn't saying, but my guess is that if you (or your dearly sainted Aunt Mable) leave KB 2982791 installed, and at some point in the future you happen to install an OpenType font with a link in the \Fonts folder, your machine will blue screen (or black screen) when you next reboot. Try explaining that to Aunt Mable -- or your CEO.

This shiny new replacement patch, KB 2993651, actually ships with two known bugs. The new KB 2993651 article explains the first bug like this:

Known issue 1

After you install this security update, fonts that are installed in a location other than the default fonts directory ( percentwindir percent\fonts\) cannot be changed when they are loaded into any active session. Attempts to change, replace, or delete these fonts are blocked, and a "File in use" message is displayed.

I'd call that weird but not overwhelming. But the second bug not only affects this new patch, it also comes along with old patches. Specifically:

Known issue 2

After you install this update, the z-order of the windows is changed. (The z-order calls the SetWindowPos function together with the HWND_TOP parameter.) Therefore, the windows of certain applications may become invisible or may be incorrectly displayed behind other windows.


We are currently working on a resolution for this issue.


This issue also occurs after you install the following updates:

2965768 Stop error 0x3B when an application changes the z-order of a window in Windows 7 SP1 and Windows Server 2008 R2 SP1

2970228 Update to support the new currency symbol for the Russian ruble in Windows

2973201 MS14-039: Description of the security update for Windows on-screen keyboard: July 8, 2014

2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

Todd Cassell at the Bentley Technical Support Group has more details on this newly announced z-order bug:

The issue was first introduced in KB2965768 on 5 Feb 2014. In that version win32k.sys makes changes to the z-order of the windows. That z-order calls the SetWindowPos function) . KB2973201 (8 Jul 2014) and KB2982791 (12 Aug 2014) also contained these changes to win32k.sys. Updates that affect the behavior of the toolboxes as well are: KB2970228 and KB2975719. The issue may also be in other security or service updates released since 5 Feb 2014. The last well working version of win32k.sys (Windows\system32) is: 6.1.7601.22665 from 23 Apr 2014.

Due to dependencies with .dll and other files, just replacing win32k.sys is NOT possible and will result in system crashes. Currently the only solution is to uninstall KB2965768, KB2970228, KB2973201, KB2975719, KB2982791 and that will bring win32k.sys back as the working version.

If I may cut through the alphabet soup for a second, that means this newly released patch, KB 2993651, and another active patch -- KB 2973201, the July Black Tuesday patch for the Windows on-screen keyboard -- have known bugs. Microsoft just released the new, known-to-be-faulty patch and continues to offer the older bad patch knowing that both have bugs wherein "windows of certain applications may become invisible or may be incorrectly displayed behind other windows." There's no indication of when the z-order problem will be fixed, how many machines are affected, or what the source of the problem might be. If you experience problems with dancing windows, you have to manually uninstall six patches to restore win32k.sys to working order.

Other than the newly announced z-order bug, I still don't have any idea what's happening with this month's other three pulled patches: KB 2970228, which adds the ruble to valid currencies, KB article last updated Aug. 20; KB 2975719, the vestiges of what we once laughingly called "Windows 8.1 Update 2," KB article last updated Aug. 22, at revision number 11; and KB 2975331, a giant Windows 8/8.1/RT patch rollup, KB article last updated Aug. 22, revision number 8, not in the z-order bug list. If you find any of those missing bad boys, have them drop me a line, OK?

As a historical note, every single vestige of Windows 8.1 Update 2 has now been pulled, as best I can tell. All that happy talk about rapid "Update Tuesday" deployment of Windows updates has succumbed to the hard-core realities of patching Windows, which is a bear.

Against that background, Tracey Pretorius, director of Microsoft's Trustworthy Computing effort, posted a blog on the Microsoft Security Response Center yesterday, explaining why MS14-045 was released. This is such an astounding piece of ... I don't know what to call it ... that I'd like to take it apart, piece by piece. It starts:

Every month for many years, we've released a number of updates focused on the continuous improvement of customers' experiences with our technology. Historically, these updates happened at different times during the month, with the security-specific ones occurring on the second Tuesday of each month. Recently, to further streamline, we decided to include more of our non-security updates together with our security updates and begin the global release to customers on the second Tuesday of each month.

1 2 3 Page 2
Page 2 of 3