Microsoft issues bug fix one day before Windows 10 launch

With less than 24 hours to go until the Windows 10 launch, Microsoft has released yet another patch for the new operating system, this time to fix a bug introduced by a patch brought out over the weekend.

The original patch, KB3074681, was pushed out on Saturday and brought in various unspecified bug and security updates, but complaints that it was crashing Windows Explorer soon started coming in.

According to WinSuperSite, the error occurred when users on build 10240, the RTM build that will be generally release tomorrow, tried to disable an active network adapter or uninstall a program using the path Programs and Features>Uninstall or change a program.

Gabe Aul, general manager for the OS Group Data and Fundamentals team, told WinSuperSite that "a fix is in the works for this [bug] and will be pushed out soon". True to Aul's word, the new patch, KB3074683, was rolled out overnight specifically to fix this problem and, by all accounts, does work. The buggy update has since been withdrawn.

Emergency update

While these latest updates fix minor issues, another patch released last week for Windows 10 and all other currently supported systems, was far more significant.

The emergency, out of band patch fixed an exploit first discovered by surveillance firm Hacking Team.

The patches, named MS15-078 for Windows Vista through to Windows Server 2012 and KB3074667 for Windows 10, fix a remote code execution vulnerability in the Windows Adobe Type Manager Library. The hole, which has been given the reference CVE-2015-2426, could be used by hackers to escalate privileges and remotely control a system if the user opened a specially crafted document or visited a website that uses OpenType fonts.

This is the third Windows vulnerability patch related to information released in the massive Hacking Team data breach, which saw 400GB of stolen documents leaked online. Included in those documents was information on zero-day vulnerabilities it had discovered in Windows, which were sold as part of its "offensive security" software that allowed unauthorised users to gain access to and collect data from systems undetected.

Since the leak at the beginning of the month, security researchers have been scouring the data to identify and patch the vulnerabilities documented within. Thanks for this particular discovery can be laid at the door of Trend Micro, which published a detailed analysis of the threat on its Security Intelligence blog.

According to Microsoft, however, while the exploit was listed in Hacking Team's documents there is no current evidence it has ever been used in an active attack.

While the out-of-band patch will protect all currently supported Windows desktop and server operating systems, those using older software such as Windows XP or the recently expired Server 2003 will not receive the update, meaning they will remain vulnerable to potential attack.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.