Microsoft releases patch that crashes Outlook, denies logons - then releases patch for the patch with no way to tell the difference



  • Original article documenting crash: http://www.infoworld.com/article/3004519/microsoft-windows/kb-3097877crashes-outlook-causes-network-sign-in-black-screens.html

    Article documenting the fix: http://www.infoworld.com/article/3004441/microsoft-windows/microsoft-surreptitiously-reissues-botched-patch-kb-3097877-for-windows-7.html

    Glad they got a fix out right away, but :wtf: Microsoft - give us a way to tell we've got the right patch, will ya?

    (All this to prevent malicious fonts from messing with your system!)



  • @redwizard said:

    (All this to prevent malicious fonts from messing with your system!)

    Do you not understand the meaning of

    remote code execution if an attacker convinces a user to open a specially crafted document or to go to an untrusted webpage that contains embedded fonts.

    ?

    Fonts are a vector for RCE. But no biggie, cuz it's fonts. :wtf:


  • Notification Spam Recipient

    Well they were having troubles with fonts if the firewall was switched off, so it makes sense they would issue a security patch for it...


    Filed under: Not that hole!


  • Discourse touched me in a no-no place

    @redwizard said:

    Microsoft - give us a way to tell we've got the right patch

    Does Outlook work? You got the right one.



  • This reminds me of KB2952664, whose number I still have memorized. They have released KB2952664 dozens of times over the past decade and it has always resulted in infinite install loops for most people. It affected me, my mom, and my sister. They have had years to fix the issues with it and they have instead just pulled it and re-released it later.

    I always wonder :wtf: goes on at Microsoft that they can't even get patches right after several years.



  • Oh I understand it. I just think it's a :wtf: that fonts are even capable of creating a remote code execution vulnerability, you know?

    @loopback0 said:

    Does Outlook work? You got the right one.

    Until it breaks, at which point you've just discovered you got the wrong one...



  • It doesn't surprise me very much. Fonts have a ridiculous amount of access to low-level/legacy system APIs. See http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-the-open-type-font-manager-vulnerability-from-the-hacking-team-leak/ for a short dissection of one (warning: not this exact vulnerability)



  • @redwizard said:

    Oh I understand it. I just think it's a :wtf: that fonts are even capable of creating a remote code execution vulnerability, you know?

    Actually, it's a bug in the Windows font rendering code. Probably similar to what happened several years ago when there was a bug in the jpeg library used by some browsers, allowing RCE when viewing a specially rigged jpg file.


  • Grade A Premium Asshole

    @Spanky587 said:

    Actually, it's a bug in the Windows font rendering code.

    ISTR that in versions of Windows up to and including Windows 7, the font rendering code runs in Ring 0. So, yeah. Errors in the font rendering code can give you System-level access. No idea if that's been fixed yet, but my money's on "No.".



  • Poor rendering of JPEGs and fonts could cause Recurrent Corneal Erosion? Yeah, better get on top of that quick.



  • Miserable fuckers have cost a bunch of my users the use of their classroom computers and me my weekend.

    Fuckers.

    I'm at the school right now, cleaning up after these fuckers.

    Fuck!

    Edit: turns out that if you have the faulty kb3097877 installed on a Windows 7 PC, and one of the little darlings has turned on the on-screen keyboard for the logon screen because they think it looks cool, pressing Ctrl-Alt-Del at the opening screen doesn't get you a logon screen, just a featureless black screen or logon background image with a mouse cursor but no active controls; the only way to control the machine at that point is to use the power button to request an ACPI shutdown.

    If you have kb3097877 installed but don't have the logon screen's on-screen keyboard turned on, you can log on but your volume control doesn't work and most of your other system tray icons will be missing.

    Fuckers.

    I've now blacklisted kb3097877. I'm sure a heap of other admins will have done likewise. Fuck trying to work out whether the kb3097877 I'm being offered is the "good" one; they can fucking well issue a new kbid that supersedes it, like they should have done as soon as they became aware that the original kb3097877 was broken.

    Fuck!



  • Any chance you can bypass the problem using RDP or a remote access tool? (Just guessing, haven't been hit by this buzzsaw myself because our team tests the patches before rolling them out a week later for exactly this reason.)



  • They did fix it - it is why the fix for this vulnerability (which would have way less impact in the first place) does not break Windows 10 systems at all.

    It did, however, break 8.1, and Win32k updates have been breaking Windows in various ways in the past, usually only on older Windows versions - a recent case broke font rendering on Vista and Server 2003/extended support XP, for instance.



  • @flabdablet said:

    I've now blacklisted kb3097877. I'm sure a heap of other admins will have done likewise. Fuck trying to work out whether the kb3097877 I'm being offered is the "good" one; they can fucking well issue a new kbid that supersedes it, like they should have done as soon as they became aware that the original kb3097877 was broken.

    I agree completely. A bad patch is very aggravating, but it happens from time to time. Trying to pretend it never happened by replacing it with a good version, and keeping the identical KB number is inexcusable. Did someone think the rest of the world wouldn't find out? When people call for support due to using the bad patch, are they going to say "there was no problem, you must've installed it wrong"?

    Would it really be that difficult to generate a new KB number, or append "v2" or do anything to distinguish the fixed one from the original?

    This is something you'd expect to see from a fly-by-night company with under 100 customers, not from Microsoft. (Or maybe it is exactly what you'd expect from Microsoft, depending on what you have been thinking about them up until this point. ...)



  • @redwizard said:

    Any chance you can bypass the problem using RDP or a remote access tool?

    If you're a netadmin you can get around it in any number of ways (at my own site all the machines are set to run a startup script by group policy anyway, so I just put some stuff in there to wusa the broken update away if it was installed). If you're a typical home user and it's just happened to your only Windows box, you're basically boned.

    The only way you're going to fix it without another, unaffected, LAN-connected PC to hand is by booting into a repair or WinPE or Linux environment that lets you tweak the registry for the affected installation. Then you can set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\ShowTabletKeyboard to 0, so that next time you boot you won't have the on-screen keyboard enabled, which should let you log on and uninstall kb3097877.

    Or you could try just leaving your machine on for a few days and see if Windows Automatic Updates will replace the busted kb3097877 with a good one. Don't know if that works.
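The startup-script cleanup described in the post above, sketched in PowerShell as an added example; it is not the script the poster used. The KB number and registry value come from the thread, while the parameter names and log location are assumptions.

```powershell
# Added example: remediation for the faulty KB3097877, intended to run as SYSTEM
# from a Group Policy computer startup script (assumption) on Windows 7.
param(
    [string]$KbId   = 'KB3097877',            # KB number named in the thread
    [string]$LogDir = "$env:SystemRoot\Temp"  # assumed log location
)

$log = Join-Path $LogDir "remove-$KbId.log"
function Write-Log([string]$Message) {
    $line = '{0} {1} {2}' -f (Get-Date -Format s), $env:COMPUTERNAME, $Message
    Add-Content -Path $log -Value $line
}

# 1. Turn off the logon-screen on-screen keyboard first, so a machine that
#    reboots before the uninstall completes still reaches a usable logon screen.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
$current = (Get-ItemProperty -Path $key -Name ShowTabletKeyboard `
            -ErrorAction SilentlyContinue).ShowTabletKeyboard
if ($current) {
    Set-ItemProperty -Path $key -Name ShowTabletKeyboard -Value 0
    Write-Log "ShowTabletKeyboard was $current, set to 0"
}

# 2. Check whether the update is installed; record the install date for triage.
try   { $hotfix = Get-HotFix -Id $KbId -ErrorAction Stop }
catch { $hotfix = $null }
if (-not $hotfix) {
    Write-Log "$KbId not installed, nothing to do"
    return
}
Write-Log "$KbId present (InstalledOn: $($hotfix.InstalledOn)), uninstalling"

# 3. Remove it silently with wusa; the restart is left to the normal schedule.
$number = $KbId -replace '^KB', ''
$proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "/uninstall /kb:$number /quiet /norestart" -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Log 'uninstall succeeded' }
    3010    { Write-Log 'uninstall succeeded, reboot required' }
    default { Write-Log "wusa.exe returned exit code $($proc.ExitCode)" }
}
```

Uninstalling does not stop the update from being offered again, so this only holds when the KB is also declined or hidden in whatever distributes updates to the machines.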



  • @David_C said:

    When people call for support due to using the bad patch, are they going to say "there was no problem, you must've installed it wrong"?

    Or "You're holding it wrong".



  • Which, on a separate note, means Apple was Atwooding before Atwood was Atwooding. Do we need to find a new image instead of :doing_it_wrong: ?

    Also, I guess trying to use emoji on an iPad in landscape qualifies as :doing_it_wrong: as the selector is under the address bar half the time.


  • Discourse touched me in a no-no place

    @Arantor said:

    Which, on a separate note, means Apple was Atwooding before Atwood was Atwooding.

    It must be a California thing. Don't like what reality and history tell you is the truth? Delete it! Ban it! Then pretend what you want to do/say has been the way it is all along.



  • @Spanky587 said:

    Or "You're holding it wrong".

    Pretending a problem doesn't exist is nothing new.

    I am still ticked off at Borland for their customer support in the early 90's. I found a code-generation bug in their C compiler and sent them a small program that demonstrates the bug, complete with expected results, actual results, and a commented disassembly pointing out exactly what they did wrong.

    The extent of their "support" was to e-mail me a "fix" for my test case so it would produce the expected results. When I phoned them to explain that they misunderstood the reason for my problem, they said that they have no bugs and therefore it is my code that is faulty, and that if I want to continue the discussion I'll have to pay several hundred dollars for a support contract.

    It was right about then that I decided it's not worth contacting any company for support. They have no interest in fixing their products unless it becomes a New York Times front page embarrassment, and they will lie to your face in order to make you go away if it doesn't rise to that level.

    If a product gets so annoying that I can't put up with its faults, I'll just switch to a competing product. If all the products are equally bad, I'll just stop using them all. Which is why I haven't logged on to any social media service in the past 4 years.

    It's also why I am seriously considering trashing all my smartphones and going back to my Motorola RAZRv3, which worked great for 5 years and will probably work great for a lot longer if I buy a new battery for it.


  • Grade A Premium Asshole

    To be sure I understand, you're saying that this was fixed in Windows 10, but not earlier?


  • Notification Spam Recipient

    @bugmenot said:

    you're saying that this was fixed in Windows 10, but not earlier?

    No, just that the vulnerability apparently doesn't exist in Windows 10. Either that, or the patches don't affect Windows 10 the same way they do other versions.



  • @Tsaukpaetra said:

    Either that, or the patches don't affect Windows 10 the same way they do other versions.

    This is correct. Windows 10 updates are all fucked (unless you use WSUS, but Microsoft doesn't want you to know that).



  • @bugmenot said:

    To be sure I understand, you're saying that this was fixed in Windows 10, but not earlier?

    Windows 10 moves font handling out to a special-cased user-mode process (fontdrvhost.exe), so the vulnerability at most is a denial of service, and fixes don't apply to a 5 MB kernel driver anymore either (and that driver is refactored into multiple smaller modules in 10, as well, by the way).


  • Trolleybus Mechanic

    I still don't get Disconumbers.

    The list said this thread had 2 blue and 3 grey. I thought that meant "2 new, 3 unread from before"

    It drops me off at 20/23-- so does that mean 3 unread, 2 are new?

    I scroll past 5 messages to get to 23/23.

    Fucking-- numbers-- are hard?



  • It means there are 3 unread old posts and 2 unread new posts.


  • BINNED

    Also, Discourse manages to fuck up in-page anchors. How the fuck do you do that, I have no idea.


  • Discourse touched me in a no-no place

    Strictly, three posts unread at the point you stopped looking at the thread (which it can get confused about, of course) and another two since then.



  • All these articles about Microsoft screwing up updates don't make me feel any better about the W10 unavoidable update train.

    Once I get on W10, I'll probably just pirate the enterprise edition, where you can "postpone" updates indefinitely.


  • Discourse touched me in a no-no place

    I've got Win 10 Pro (legitimately) and being able to defer the updates is handy.



  • @Lorne_Kates said:

    I still don't get Disconumbers.

    The list said this thread had 2 blue and 3 grey. I thought that meant "2 new, 3 unread from before"

    It drops me off at 20/23-- so does that mean 3 unread, 2 are new?

    I scroll past 5 messages to get to 23/23.

    Fucking-- numbers-- are hard?

    Math - one more thing Discohorse sucks at.



  • @Lorne_Kates said:

    It drops me off at 20/23-- so does that mean 3 unread, 2 are new?

    Yeah, I assumed that :doing_it_wrong: is designed to prevent you from following threads effectively. (It also goes to pains to prevent you from discovering new content, but eh :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong: :doing_it_wrong:



  • @David_C said:

    I am still ticked off at Borland for their customer support in the early 90's.

    TIL -- Borland is still in business. Delphi and other programming tools were sold off in 2008 and Borland was bought by MicroFocus in 2009 and now they apparently focus on "Application Lifecycle Management".


  • ♿ (Parody)

    @Lorne_Kates said:

    It drops me off at 20/23-- so does that mean 3 unread, 2 are new?

    I scroll past 5 messages to get to 23/23.

    The newlevator seems like it's lying because you expect it to show the number of the thing at the top of the screen, but it usually shows the number of the post at (or even a little beyond) the bottom of the screen.

