Microsoft's Windows 7 Meltdown Fixes From January and February Made PCs More Insecure (theregister.co.uk)

← Back to Stories (view on slashdot.org)

Microsoft's Windows 7 Meltdown Fixes From January and February Made PCs More Insecure (theregister.co.uk)

Posted by msmash on Wednesday March 28, 2018 @09:42AM from the closer-look dept.

Microsoft's January and February security fixes for Intel's Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes. From a report: This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple's FileVault disk encryption system. We're told Redmond's early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system's memory map, gain administrator-level privileges, and extract and modify any information in RAM. The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.

3 of 84 comments (clear)

Min score:

Reason:

Sort:

I am still waiting to apply these patches... by ls671 · 2018-03-28 09:46 · Score: 4, Insightful

I am still waiting to apply these patches. About 2 months ago, I wrote here that it looked like a 2-3 months waiting period could be a nice ballpark figure. Will I have to wait even longer?

--
Everything I write is lies, read between the lines.
1. Re:I am still waiting to apply these patches... by NicknameUnavailable · 2018-03-28 12:57 · Score: 3, Insightful
  
  Still use Windows, but don't find it surprising. They've been known to release patches which cripple vital OS functionality (e.g. the XP phase-out) in order to get people to upgrade, in very subversive ways they don't know actually happened most of the time (e.g. making network or local files disappear at random from the file explorer, but not to other programs.) They probably see Spectre/Meltdown as an opportunity to cripple Windows 7 with minor backlash. Windows 7 machines should not be upgraded beyond the first time they announced the end of life (definitely none of the ongoing support patches after they extended the end of life.) You need to keep such machines behind several firewalls and browse safely to use them (with all telemetry and update services shut off.) Do that and it's solid, don't do that and it will keep breaking. Sadly there are still a bunch of things you just can't do on Linux because of people not porting their apps over (especially when you get into high end computing which requires simulating specialty engineering stuff.)
submission by rastos1 · 2018-03-29 01:18 · Score: 3, Insightful

I was first to submit this story to /. I could live with my submission being rejected in favor of submission of someone else. Although my submission had link straight to the Ulf Frisk's blog. But marking my submission as SPAM? Really? That hurts.