Microsoft's Windows 7 Meltdown Fixes From January and February Made PCs More Insecure

Microsoft's January and February security fixes for Intel's Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes. From a report: This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple's FileVault disk encryption system. We're told Redmond's early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system's memory map, gain administrator-level privileges, and extract and modify any information in RAM. The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.

I am still waiting to apply these patches...

[ls671]

I am still waiting to apply these patches. About 2 months ago, I wrote here that it looked like a 2-3 months waiting period could be a nice ballpark figure. Will I have to wait even longer?

Re:I am still waiting to apply these patches...

[techno-vampire]

OK, you use Windows for a living; I don't. Tell me, do you find this report surprising, or is it what you expect from Microsoft?

Re:I am still waiting to apply these patches...

[aliquis]

They just revealed another side-channel attack.

Best is likely to buy some future product which don't have these faults. Hard to do now though.

Re:I am still waiting to apply these patches...

In the same boat as you, though I'm not really "waiting". I intentionally chose not to apply said updates, given how both motherboard vendors (ex. Dell or HP, I forget which) and OS vendors (ex. Ubuntu) botched things (in different manners). Further compounded by Intel releasing subsequent microcode patches (i.e. the first set apparently wasn't enough) and the low-level complexity of Meltdown and Spectre, I opted to do absolutely nothing for our bare-metal machines on entirely private/segregated networks. Being patient has paid off.

Re:I am still waiting to apply these patches...

[ls671]

"Using Windows for a living" is far fetched! I have a couple Windows VM running under qemu. I wait to apply these patches on all OS flavors that I manage, I will spare you the list.

Re:I am still waiting to apply these patches...

What is the exact patch number? I read the article in this story, but they don't mention the patch, which I need in order to remove it. I would appreciate your help.

Re:I am still waiting to apply these patches...

What is the exact patch number? I read the article in this story, but they don't mention the patch, which I need in order to remove it. I would appreciate your help.

Once you realize that the actual purpose is click-bait headlines, you will stop expecting useful information.

Re:I am still waiting to apply these patches...

No worries, we are due for a worm to come along that attacks some "unfixable" part of the operating system affecting Windows 7, 8, and 8.1. Everyone does remember the worm attacking WindowsXP pre-service pack 1? In that instance, Microsoft had to kill off all the pirated and leaked copies of XP. This time it will be to push everyone to 10.

Re:I am still waiting to apply these patches...

I will never apply any of the so-called "fixes" for Spectre and Meltdown on my personal PCs. The "vulnerabilities" (actually FEATURES BY DESIGN for over two decades) just aren't serious and the media blew it way out of proportion. My computers are secure as ever, nothing has changed and no hackers are going to be gaining access to them or anything stored on them. I'm not going to suffer massive performance hits because some crackpipe smoking, tinfoil hat wearing idiot said that it was a "bad thing(tm)" and all of the lemmings followed him over the edge.

Re:I am still waiting to apply these patches...

"Using Windows for a living" is far fetched!

Hah! In Soviet USofA, windows uses you for a living.

Re:I am still waiting to apply these patches...

[NicknameUnavailable]

Still use Windows, but don't find it surprising. They've been known to release patches which cripple vital OS functionality (e.g. the XP phase-out) in order to get people to upgrade, in very subversive ways they don't know actually happened most of the time (e.g. making network or local files disappear at random from the file explorer, but not to other programs.) They probably see Spectre/Meltdown as an opportunity to cripple Windows 7 with minor backlash. Windows 7 machines should not be upgraded beyond the first time they announced the end of life (definitely none of the ongoing support patches after they extended the end of life.) You need to keep such machines behind several firewalls and browse safely to use them (with all telemetry and update services shut off.) Do that and it's solid, don't do that and it will keep breaking. Sadly there are still a bunch of things you just can't do on Linux because of people not porting their apps over (especially when you get into high end computing which requires simulating specialty engineering stuff.)

Re:I am still waiting to apply these patches...

Yeah, and in Linux I have to compile my own kernel to disable that crap. Oy! Another shitty day in paradise!

Re:I am still waiting to apply these patches...

That's good and all, but my system is just as secure as it's always been: AMD for the win!

Re:I am still waiting to apply these patches...

[rtb61]

You, 'HOPE'. No matter what you do, they want to hack you, they will. Security is a balance, being more secure than you are worth hacking. That worth hacking can take on all sorts of metrics, from being a target of three letter agencies, to manipulating your psychology, to identity fraud against credit card acceptors. In this case of M$ wanting to push Windows anal probe 10, you can bet patches will far and few and likely shite, to kick you off what they already sold you, to force you to buy what amounts to spyware, full up, no holds barred, spyware.

Re:I am still waiting to apply these patches...

[Bert64]

Just add pti=off to your kernel command line and its off, but you can still benefit from any other updates going forward.

Re:I am still waiting to apply these patches...

Just as you hope these patches don't screw up your system or introduce potentially worse vulnerabilities of their own as the ones mentioned in this article do.

If it ain't broke, don't fix it. And my systems ain't broke. I'm not about to risk their current stability or security by applying pointless patches.

Re:I am still waiting to apply these patches...

Give me a Windows 10 with at least the update options available in 7 (auto(default), ask before installing, ask before downloading), a documented way to control the telemetry (i.e. provide documentation of what it all does, and a granular way of controlling it, with the default being Basic rather than Enhanced), feature updates that allow some kind of "segmented" installation (so the computer isn't loaded up with support for things it doesn't have even the hardware for, but which can be added later if the hardware is acquired - similar to the way legacy support is loaded on-demand), and 10-year support for EACH feature update (since they are actually Service Packs which in the past had 5 years' mainline and 5 years' security support). In essence, Win7 with the (semi-optional) funny UI and the under-the-hood improvements. For that (call it Pro+, offer it to the retail channel), I would pay to update (say, $50-100 from Home or base Pro). ONE TIME not monthly or annual subscription (I'm not a business).

Re:I am still waiting to apply these patches...

[jwhyche]

I would keep waiting. For the past two months I have heard horror stories about the patches. Yet, I have not heard of any exploits that use the problems. Seems to me this is a case of the cure being worse than the illness.

Re:I am still waiting to apply these patches...

What is the difference between that and adding the "nopti" option in GRUB?

Re: I am still waiting to apply these patches...

[Brockmire]

What the fuck is your point? We all know what code Intel submitted to the kernel and got ripped by Linus for being stupid and shitty. Any developer or QA tester that claims they don't make mistakes is fucking stupid. This is an issue of a rushed fix that wasn't properly tested. How many fixes did it take to fix bash issues that were there for years? At least 3?

Re:I am still waiting to apply these patches...

[toddestan]

I thought about it, and realized that really the only credible threat to my machines would be something in the browser written in Javascript. All the major browsers have modified their Javascript implementations to basically make that vector impossible, to which I said "good enough".

And that's just the desktops. As the servers go, I couldn't think of any way, assuming everything nothing is broken, that someone could run their own code on the server as to exploit Spectre or Meltdown. Sure, maybe they could use some other exploit to load and run arbitrary code on my servers, but if they could do that then I'd have already lost.

Security in a complex system is hard

[davidwr]

"Fast, good, cheap, pick (no more than) two."

Sometimes you only get to pick one, or none.

Re:Security in a complex system is hard

[rrohbeck]

Open source often manages to give you all three.

Re:Security in a complex system is hard

[Bigfishbowl]

Yeah I think we both know that is not true. I love open source, but know that is not some magical force field against hardware-level bugs, so stop claiming there is. The most common examples of these exploits are done IN LINUX.

These are brilliantly done exploites, and the Linux-x64 house is made of just as much glass as Windows.

Difference being, Microsoft and Intel actually have to report to shareholders, so there is some accountability.

I'm a little off the reservation on what the proper path is since all is currently properly fucked.

Re:Security in a complex system is hard

[davidwr]

Open source often manages to give you all three [fast, cheap, and good].

Measure the cost in man-hours instead of "how much the end user paid for it" and "cheap" tends to disappear.

I will grant you one major difference between a large-team distributed project - most large FOSS projects are distributed - and a large-team project run by a single entity: Project management is usually very different, and as a result, the cost of project management may be very different.

Re:Security in a complex system is hard

Ok, I choose good.

Now where is it?

The Meltdown meltdown.

[fahrbot-bot]

Fixing one problem in haste sometimes creates other problems.

For example, as Jason Mendoza, from The Good Place, noted:

Jason: Any time I had a problem, I threw a Molotov Cocktail and, boom, I had a different problem.

Re:The Meltdown meltdown.

No, the problem was fixed with the required attention. Someone even ran the regression tests that failed, as the "functionality" they required was not present, so the team had to hack in an equivalent to make te regression tests happy. The whole process was overseen by a PHB.

translation

microsoft is intentionally crippling windows 7 security.. stay tuned for the press release touting windows 10 as the 'best' fix for these issues.

Re:translation

[webmistressrachel]

This is exactly what I was thinking.

Microsoft released a decent operating system and then killed it on purpose when they couldn't persuade people to upgrade to Windows 8, 8.1, or 10 - there was no need to upgrade while everything worked so well under 7!!

I only upgraded from Windows 2003 "workstation" after I had observed feedback from 7 users for about a year. I will not upgrade to 10, even if they try to force me to with "exclusive" releases - I will play my games on 7 until that market ends, and I will continue to use Linux for my work as I always have, all of which simply means that eventually my hobby will die with Windows 7. Thanks M$.

I strongly suspect that I'm not the only person thinking like this. M$ created a whole industry, now they want to destroy it.

Re:translation

The new vulnerability mentioned in the article was fixed in the March 13 update.

You will upgrade to 10 after windows 7 falls out of extended support and stops receiving any security patches at all.

Re:translation

You will upgrade to Mint after windows 7 falls out of extended support and stops receiving any security patches at all.

FTFY

Alternatively you can simply not give a fuck and continue to use 7 as normal, recognizing that 99.99% of infections can be prevented with ad/script blockers and common sense shit like not clicking random sketchy links in emails/message board posts or sharing networks with idiots who can't be trusted to do these things.

Not to mention that (assuming regular data backups are made) recovering from an infection by wiping the machine and starting from scratch takes less cumulative time and hassle than putting up with all the bullshit Windows 10 would force on you to allegedly prevent the infection in the first place.

t. religiously disable autoupdates on everything I install and have been completely infection-free for well over a decade.

Re:translation

[blackpaw]

Funny, I "upgraded" a toasted kubuntu install yesterday to Min 18.3 (Cinnamon). Looked nice and slick at first. But the taskbar is a PITA in vertical mode, no pinned apps on taskbar, fullscreen rdp on one monitor killed the desktop on the other monitor. Apps open at random location and I just don't have the time to yet again tweak the crap out of it.

All on bog std hardware. The neighbouring Win 10 pro machine with the same hardware has no issues at all.

Linux has always been crap with multiple monitors and usable desktops. Ironically we use the desktops to remote onto VM's running on a Linux cluster.

Re:translation

This is also why Microsoft never truly fixed Windows Update (the routines that checks updates is horribly slow) on pre-Windows 10 PCs.

On Windows 10, they never really fixed it either, instead opting for 'upgrades' (vs 'update') every six months to reset the baseline; and, of course, taking away user control over the entire update/upgrade process and forcing whatever they want to install onto PCs.

Re:translation

t religiously disable autoupdates on everything I install and have been completely infection-free for well over a decade.

Same here. It's the only rational move when your OS vendor decides to become part of your threat model.

Re:translation

[Tyger-ZA]

Funny, I "upgraded" a toasted kubuntu (I fucked it up) install yesterday to Min 18.3 (Cinnamon). Looked nice and slick at first. But I fucked with it again and now it's broken so I'll blame the OS

All on bog std hardware. The neighbouring Win 10 pro machine with the same hardware (That I didn't fuck up, apparently) has no issues at all.

Linux has always been crap with multiple monitors and usable desktops. Ironically we use the desktops to remote onto VM's running on a Linux cluster.

FTFY

Now my turn for anecdotal evidence:

I've been running Mint for years on my work machine (js, Python, C, C++ dev); with Windows (C# dev) banished to a Virtual Machine before it can cause any trouble.

The host OS gives me no trouble, the guest OS typically wastes my time by being unusable while it updates, because the retarded shit gibbons at MS have written an overly complicated update system that takes 100% of a CPU core to download & copy files + edit registry

The only reason I would want to run Windows as a host OS is for gaming, and even that use case can be solved with a Linux host and GPU passthrough

Re:translation

Funny, I "upgraded" a toasted kubuntu install yesterday to Min 18.3 (Cinnamon). Looked nice and slick at first. But the taskbar is a PITA in vertical mode, no pinned apps on taskbar, fullscreen rdp on one monitor killed the desktop on the other monitor. Apps open at random location and I just don't have the time to yet again tweak the crap out of it.

All on bog std hardware. The neighbouring Win 10 pro machine with the same hardware has no issues at all.

Linux has always been crap with multiple monitors and usable desktops. Ironically we use the desktops to remote onto VM's running on a Linux cluster.

I fail to see how any part of your response addresses his reason for being done with MS... "Microsoft released a decent operating system and then killed it on purpose when they couldn't persuade people to upgrade..." Or in other words, hes done paying for a product that will intentionally be borked to increase revenue.

Re:translation

[blackpaw]

Ah the classic Linux fanboy. Finding bugs in the software by your desktop to work the way you need it = breaking it.

Re:translation

[Tyger-ZA]

Ah the classic Linux fanboy. Finding bugs in the software by your desktop to work the way you need it = breaking it.

No, to give you a counter example:

The upgrade process in Mint works, without eating crazy amounts of CPU, and there's actually a repo on Mint. If this were as frustrating as it is on Windows, I would be complaining to the devs and looking into whether I can fix it myself. Now if I fucked up my OS for example by interfering with parts I don't understand, that would be my fault if it broke. Example, interfering with fstab and then complaining when I can't find hard drives is akin to you touching things you apparently don't understand and toasting Kubuntu

For a Windows example, me installing Windowblinds because the flat Windows UI looks like shit and fucking up the OS because of it, would be my fault. If I moved the taskbar to the left and something breaks, that would be their fault, nobody else had a hand in making that feature. It's their update system and their fault that the update system is shit. I can't fix it even if I knew how.

Re:translation

You will upgrade to 10 after windows 7 falls out of extended support and stops receiving any security patches at all.

No I won't. It's not like after that date my computer will magically stop working.

And if I were to ditch Windows 7, it certainly won't be for Malware 10.

Re: translation

[Brockmire]

Mint installation can fuck off. If install fails due to an NTP server going unreachable, they fucked up. Mint has also failed to install on a couple of laptops (without any useful error message), which blew my mind. Never had install issues with Xubuntu with many more Xubuntu installs. Everyone has their own unique experience with the millions of fucking distros. Some just work, some just fucking suck.

Re: translation

[Brockmire]

Address the issue that Windows 7 development was stopped years ago, that had a schedule years in advance of ending support? This is only a surprise to morons. When you're clueless and make no fucking sense, you don't deserve a response. Anyone working in software development understands you put your efforts into newer, better code than spinning wheels putting in new features that were never planned or supported.

Re:translation

I'm already running unpatched Windows 7, which since Microsoft started their update rollups, is the only way to run Windows 7 without installing telemetry. As such, Microsoft's end of support for Windows 7 in 2020 doesn't really mean much, as they already ended support for over a year ago for anyone that doesn't want all their information shared with Redmond. Of course, eventually Windows 7 will no longer be able to run newer software, but much like Windows XP, it will take a few years beyond 2020 before there's something I would want to run on Windows that won't run on Windows 7.

Then, there's always Windows 8.1, which is supported to 2023, though I'm guessing that will get the Vista treatment in the sense that almost everyone will drop support for Windows 8.1 at the same time they drop support for Windows 7, even if that's before 2023.

With any luck, I won't have any need for Windows much longer anyway.

Windows security: a landfill fire

The more they dump on it, the bigger it gets.

It's the chips

[WillAffleckUW]

Ask yourself, who would design chips so that they could be backdoored?

There you go.

Oh, and, yes, we're in your keyboards, mice, printers, and so many devices in your "smartphones".

Less than two years to go

Before Windows 7 EOL. Microsoft simply isn’t making the effort now it is near.

Should have been optional from the start!

[duke_cheetah2003]

When Meltdown and Spectre were first revealed, I know I posted on here: PLEASE MAKE FIXES OPTIONAL.

Mainly because these 'flaws,' and I do use that word loosely. I'm not entirely convinced it's an actual flaw. It's just how it works. Anyway, gimping the execution predicting to protect against these 'flaws' is really stupid on a desktop computer, where there's no VM's, very little if any usage outside of 1 user. They're hurting computing performance for a non-issue.

On server systems, data center, etc, yes, fix this bug, it's a real issue on shared computing resources. On a desktop where there's 1 maybe 2 users whom browse the web, play games, type documents and otherwise 'use' their computer normally, it should be left as is. It's not a flaw on desktops. The flaw is fixing this on desktop, because it gimps performance.

All that aside, Microsoft making it worse it just laughable. And pretty much non-surprising. I'd wager Microsoft is one of the few companies that could take a 'problem' with fairly straight forward fixes and fuck it up, making a bigger problem than originally existed. Par for the course, for Microsoft.

Re: Should have been optional from the start!

didn't the proof of concept include a chrome based javascript file that could dump all your user credentials/logins on your windows machine? Not exactly 'only servers' if site adverts can steal your bank details.

Re: Should have been optional from the start!

[Luckyo]

This was nuked almost instantly by all major browser vendors. Javascript engine in browsers no longer has access to timings tight enough to utilize this bug.

Re:Should have been optional from the start!

[Howitzer86]

If you're worried about performance, don't install the new firmware. The Windows patch can't mitigate Spectre/Meltdown without it, and you'll have to do it yourself. If you're worried about security... I guess you're boned no matter what.

Just do what you probably always do: keep regular backups, keep an updated antivirus, use adblock, and avoid shady websites.

Re:Should have been optional from the start!

All flaws are "just how they work".
You could say that about any bug in any piece of software or hardware.
Your phone crashes all the time? That's just how it works.
In any case, I agree on Spectre. Side channels are just that, side channels.
No one ever promised that it would be impossible to determine what a computer is doing if you do sophisticated measurements on it while running.
Meltdown is simply the combination of spectre with a stupid design choice that without spectre would never be visible.

Re: Should have been optional from the start!

Not the PoC in the original paper at least. That one was just a handcrafted sample that read a string it itself placed there. The concept was clear though: it could have had access to your passwords.
If the attacker knew where they were stored in memory.
And there was a piece of code it could trick into accessing it.
And the javascript engine was running in the same process as the password manager.
And your javascript engine compiled the javascript to the exact vulnerable instruction sequence.

Re: Should have been optional from the start!

Everything I've read is this is plainly false. They got rid of built-in high resolution timers, but they did nothing to get rid of the ability to make your own in javascript (think a simple count loop calibrated to a lower resolution timer, then using the count loop as a proxy for time). Getting rid of SharedArrayBuffer probably made attacks harder, but is there any evidence that it fully thwarts it or was it simple disabled because it was easily exploited and deemed sufficiently unnecessary? Honestly, you're too optimistic about the inability of javascript to exploit Meltdown today, just like ASLR and NX have done very little to stop exploits. Mitigations aren't necessarily useless, but often times they seem it.

Re: Should have been optional from the start!

[Luckyo]

Evidence is in the fact that in spite of massive attention this exploit got, and its supposed pervasiveness, no one utilized it to attack browsers in any meaningful capacity to this date.

Re:Should have been optional from the start!

Part of me suspect that they want to actively Nuke Windows 7, and that in near future, the supposedly one final Win7 patch before support ends will "accidentally" brick wall a good number of Win7 PCs.

Re:Should have been optional from the start!

[drinkypoo]

It's not a flaw on desktops. The flaw is fixing this on desktop, because it gimps performance.

Hurt me again, daddy! That's a lot of nonsense, because people execute code from untrusted sources all the time. On any computer where you might wind up running untrusted code, it's a problem. And that describes the average user desktop. You sound like an Intel apologist to me. Are you getting paid, or do you just have a lot of Intel kit and you don't want to feel stupid?

Re:Should have been optional from the start!

[Waccoon]

PLEASE MAKE FIXES OPTIONAL.

Indeed. I nearly had a heart attack when I discovered my Gigabyte motherboard doesn't allow you to revert your BIOS after an update. So, does that mean if I installed the Meltdown patch and it screwed up, I couldn't fix it myself by downgrading? I didn't even take the chance!

I expect that crap from companies that build fully pre-built systems, but now even the aftermarket parts market is making choice difficult. Isn't choice the whole point of building your own PC? How long before firmware updates are mandatory, too?

Re: Should have been optional from the start!

Evidence is in the fact that in spite of massive attention this exploit got, and its supposed pervasiveness, no one utilized it to attack browsers in any meaningful capacity to this date.

How many browser exploits and local privilege exploits are found on a monthly basis? The main reason people haven't bothered to target this exploit is because (1) there's tons of extant exploits that have not been patched or disclosed and (2) the high publicity of Meltdown has made a lot more people patch their OS with patches that don't merely mitigate but actually blocks the exploit. Simply put, there's very little reason malware writers or the like would target this. Script kiddies might, but it's actually the SharedArrayBuffer block that made the exploit harder--trying to make a contiguous useful memory block is made more difficult--, so I doubt many script kiddies would bother.

Meanwhile, legitimate researchers are going after other possible speculative execution vulnerabilities. If they find one, they might try to whip up another one that works in javascript. I'd imagine they won't bother though since it's likely not worth the bother. Rowhammer researchers though I imagine will look into it.

Put another way, there was also a lot of evidence that Spectre is virtually unpatchable for allowing programs to spy on each other. So, where's all the examples of that in the wild? The truth is Meltdown just looked really bad because it was so readily exploitable and the workaround takes such a massive performance hit in some cases. But Spectre is much worse and a lot harder to exploit. It's just the tip of the iceberg of side-channel attacks, though, as BranchScope shows. Until there's a good reason to specifically use these methods of attacks, it's unlikely they'll be commonly used. The real point is when they are used, the intended target will likely never know.

Re:Should have been optional from the start!

[thegarbz]

They WERE optional from the start. All the added features of the patch can be disabled via a registry entry.

Re: Should have been optional from the start!

[Luckyo]

Exploits that have been stated as "unpatchable" and drummed about in every single piece of media the way meltdown and spectre were?

Weeks at most. In most cases, probably days. Malware industry is a for-profit one, and you could make nine-ten digits easily if you actually had an exploit to vaccuum people's passwords en masse with just a javascript.

Greed is a very powerful motivator.

Re:Should have been optional from the start!

[duke_cheetah2003]

You sound like an Intel apologist to me. Are you getting paid, or do you just have a lot of Intel kit and you don't want to feel stupid?

Why is this the assumption when someone disagrees with you? I wish I were getting paid for speaking my mind, but I'm not. Must be a painful unpleasant reality you exist in where everyone who disagrees with you is a shill. So much paranoia.

Re:Should have been optional from the start!

[duke_cheetah2003]

....And that describes the average user desktop.

And frankly, if the average user downloads malware and installs it, or browses a malicious website. They deserve whatever they get. Stay away from untrusted programs and websites, plain and simple. I have no sympathy for people who browse untrusted sites and download garbage they don't need.

I actually like these people. They pay my bills, since I have to remove their stupid from their machines and teach them how to not be stupid.

No amount of anti-virus, flaw correction, security patches or arm twisting will fix the levels of stupid of the average user, so stop gimping ALL OF OUR PC's because some people can't take 5 seconds out of their busy lives to learn how to use a computer properly.

Re:Should have been optional from the start!

[ElizabethGreene]

>> When Meltdown and Spectre were first revealed, I know I posted on here: PLEASE MAKE FIXES OPTIONAL.

They did.
The fixes for Spectre and Meltdown can be disabled with two registry keys,

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

FeatureSettingsOverride =3
FeatureSettingsOverrideMask =3

They are disabled by default on server operating systems.

Ref: KB4073119

Re:Should have been optional from the start!

[ElizabethGreene]

... fairly straight forward fixes

Are you familiar with the Dunning-Kruger effect? It seems like this might be relevant to your understanding of the effort and complexity required here.

Re:Should have been optional from the start!

[drinkypoo]

Why is this the assumption when someone disagrees with you?

You're disagreeing with reality. Please consider how the world really works, in this case what users really do, and then consider your comment in that light.

Re: Should have been optional from the start!

Where is this so-called proof of concept JavaScript? I heard a number of people talk about it, but none could point me to a live demonstration that I could load in my browser. Just a bunch of run around to various documents and code snippets that did nothing when I opened them in my browser.

Re: Should have been optional from the start!

[Brockmire]

Fuck off, you dumb cunt. You probably missed all the stories of legit ad networks being fooled into serving malware on big name sites? Perhaps you've heard of zero days? Do you work in an office with dumb, gullible people? Plenty of really smart, really careful people get infected all the time.

People in a hurry Re:It's the chips

Ask yourself, who would design chips so that they could be backdoored?

People in too big a hurry or too cheap to do it right.

These flaws were almost certainly unforeseen side effects of otherwise-smart design decisions, not intentional.

I am owed an apology

Every one of the motherfuckers that sneered at me and downvoted me and talked shit to me when I dared to suggest that turning off automatic updates was a good idea can eat crow. Assholes. Enjoy your wide open computers, you "secure" cunts.

Re: I am owed an apology

You sound very happy and well-adjusted. Im sure your coworkers love seeing you every day.

Windows 10

And now Windows 10 is more secure than Windows 7!

That was M$ plan all along.

Puff for WIndows 2008r2

Some of our server lost they network card after the last Windows update... it cannot be more secure !

True patch?

[ELCouz]

What is the good KB##### patch for meltdown/spectre as today?

Re: True patch?

Pretty sure itâ(TM)s posted on Ubuntu.com

NSA rule- one door closes = another door opens

The jewish 'engineers' of Israel ensured the Intel successor to the awful Netbust x86 design would be the most perfect spy device mossad and the NSA could ever desire. And better, by ensuring every Intel x86 CPU from then onwards was broken by design, they'd also run FASTER than the AMD competition.

Imagine a thread is a person. Imagine a thread's data always sits in a closed chest. AMD's chests have a LOCK, and AMD's threads must have the correct key for a lock protecting a chest the thread is entitled to open.

Meanwhile Intel Israel removed the locks Netburst 'chests' also had. Now the thread on an Intel Israel CPU (all Intel CPUs for the last ten+ years) is TRUSTED to not open and look inside chests of the wrong privilege. But when that thread represents mossad or NSA user-code...

This is the essential basis of Meltdown and Spectre. Intel sold this sickening situation by having microsoft and linux devs focus on OS partition methods based on the memory paging system. But any user code on an Intel CPU can inspect any data on the same CPU, not matter what kind of other thread that data belongs to. As I said, no locks.

There is only ONE way to make an Intel CPU secure. Run one thread at a time on the CPU, and do a complete state flush of the CPU each time multi-tasking shedules a thread change. The latest Intel CPU (8700K) runs SIXTEEN threads at once, so you are already at a situation where the 8700K loses 15/16s of its max performance, before factoring in the insane time it takes to fully reset the chip state (data flush).

And NO, despite Intel spending millions of dollars to push FUD claiming otherwise, AMD does not have this issue. The only impact of this type of vulnerability on AMD's Ryzen is where a tiny number of edge cases (usually branch prediction) accidentally bypass the universal data locks AMD has but Intel does not have. But to use this form of exploit on AMD in an actual attack has not even been proven possible in theory.

PS Intel has recently lied, and stated its next batch of CPUs will have the issue fixed in hardware. What Intel actually meant is that they are fiddling with the memory paging system to advance OS thread partition methods- the very FAKE NEWS method of not fixing the problem that already exists in current versions of windows and linux.

It will take Intel at least four years to introduce a new x86 architecture with privilege data locks on every data transaction. And this architecture will be loads slower per clock than Intel's current 'core' architecture. And it will max clock to lower speeds than current as well.

opening a data lock (ie., checking the privilege level of every data transaction low level) takes time and energy- time and energy Intel's chips currently avoid. Like a doping athlete, Intel currently cheats its way to victory.

Did I say "sixteen threads"?

Darn- forgot how far Intel is behind AMD these days. Of course it is the best Ryzens that have 8 cores (16 threads). Intel's 8700K is just 6-cores/12 threads, tho my point remains.

That's a load of nonsense

[OneHundredAndTen]

You cannot make Windows more insecure.

Break this patch out of the cumulative update?

[slincolne]

The March rollup comes with several issues that make it a bit of a risk in itself to deploy (https://support.microsoft.com/en-au/help/4088875/windows-7-update-kb4088875). Of note:

• A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused.

  Static IP address settings are lost after you apply this update.

  In both instances the advisory states that "Microsoft is working on a resolution and will provide an update in an upcoming release."

Extra words in headline

Microsoft's Windows 7 Meltdown Fixes From January and February Made PCs More Insecure

There are extra words inserted by accident in the headline. Should read:

"Microsoft ... Made PCs More Insecure"

Every time you say that ...

... Microsoft devises a "better" flaw.

It's a natural result of Murphy's laws. ;)

There must be a major lawsuit against intel pendin

This whole problem was warned about in the 90s from memory; Google it.
Intel usually only had 10% increase over AMD which wonâ(TM)t exist after this update. So the whole intel premium should be refunded at least pro-rata from this point on. Arguable if it shouldnâ(TM)t go back in time too to compensate for the lack of security.
Microsoft etc are being generous in their resources to solve a mostly intel problem. Intel stock should tank.
Popcorn.

Now what?

Should we un-install all Meltdown patches? WTF are we doing now?

submission

[rastos1]

I was first to submit this story to /. I could live with my submission being rejected in favor of submission of someone else. Although my submission had link straight to the Ulf Frisk's blog. But marking my submission as SPAM? Really? That hurts.

Re:submission

Don't bother. msmash and beauhd only repost stories from a fixed list of web sites.

They don't care about the submission queue one bit.