Microsoft's Windows 7 Meltdown Fixes From January and February Made PCs More Insecure

Microsoft's January and February security fixes for Intel's Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes. From a report: This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple's FileVault disk encryption system. We're told Redmond's early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system's memory map, gain administrator-level privileges, and extract and modify any information in RAM. The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.

I am still waiting to apply these patches...

[ls671]

I am still waiting to apply these patches. About 2 months ago, I wrote here that it looked like a 2-3 months waiting period could be a nice ballpark figure. Will I have to wait even longer?

Re:I am still waiting to apply these patches...

[techno-vampire]

OK, you use Windows for a living; I don't. Tell me, do you find this report surprising, or is it what you expect from Microsoft?

Re:I am still waiting to apply these patches...

[aliquis]

They just revealed another side-channel attack.

Best is likely to buy some future product which don't have these faults. Hard to do now though.

Re:I am still waiting to apply these patches...

[ls671]

"Using Windows for a living" is far fetched! I have a couple Windows VM running under qemu. I wait to apply these patches on all OS flavors that I manage, I will spare you the list.

Re:I am still waiting to apply these patches...

No worries, we are due for a worm to come along that attacks some "unfixable" part of the operating system affecting Windows 7, 8, and 8.1. Everyone does remember the worm attacking WindowsXP pre-service pack 1? In that instance, Microsoft had to kill off all the pirated and leaked copies of XP. This time it will be to push everyone to 10.

Re:I am still waiting to apply these patches...

I will never apply any of the so-called "fixes" for Spectre and Meltdown on my personal PCs. The "vulnerabilities" (actually FEATURES BY DESIGN for over two decades) just aren't serious and the media blew it way out of proportion. My computers are secure as ever, nothing has changed and no hackers are going to be gaining access to them or anything stored on them. I'm not going to suffer massive performance hits because some crackpipe smoking, tinfoil hat wearing idiot said that it was a "bad thing(tm)" and all of the lemmings followed him over the edge.

Re:I am still waiting to apply these patches...

[NicknameUnavailable]

Still use Windows, but don't find it surprising. They've been known to release patches which cripple vital OS functionality (e.g. the XP phase-out) in order to get people to upgrade, in very subversive ways they don't know actually happened most of the time (e.g. making network or local files disappear at random from the file explorer, but not to other programs.) They probably see Spectre/Meltdown as an opportunity to cripple Windows 7 with minor backlash. Windows 7 machines should not be upgraded beyond the first time they announced the end of life (definitely none of the ongoing support patches after they extended the end of life.) You need to keep such machines behind several firewalls and browse safely to use them (with all telemetry and update services shut off.) Do that and it's solid, don't do that and it will keep breaking. Sadly there are still a bunch of things you just can't do on Linux because of people not porting their apps over (especially when you get into high end computing which requires simulating specialty engineering stuff.)

Re:I am still waiting to apply these patches...

[rtb61]

You, 'HOPE'. No matter what you do, they want to hack you, they will. Security is a balance, being more secure than you are worth hacking. That worth hacking can take on all sorts of metrics, from being a target of three letter agencies, to manipulating your psychology, to identity fraud against credit card acceptors. In this case of M$ wanting to push Windows anal probe 10, you can bet patches will far and few and likely shite, to kick you off what they already sold you, to force you to buy what amounts to spyware, full up, no holds barred, spyware.

Re:I am still waiting to apply these patches...

[Bert64]

Just add pti=off to your kernel command line and its off, but you can still benefit from any other updates going forward.

Re:I am still waiting to apply these patches...

[jwhyche]

I would keep waiting. For the past two months I have heard horror stories about the patches. Yet, I have not heard of any exploits that use the problems. Seems to me this is a case of the cure being worse than the illness.

Re: I am still waiting to apply these patches...

[Brockmire]

What the fuck is your point? We all know what code Intel submitted to the kernel and got ripped by Linus for being stupid and shitty. Any developer or QA tester that claims they don't make mistakes is fucking stupid. This is an issue of a rushed fix that wasn't properly tested. How many fixes did it take to fix bash issues that were there for years? At least 3?

Re:I am still waiting to apply these patches...

[toddestan]

I thought about it, and realized that really the only credible threat to my machines would be something in the browser written in Javascript. All the major browsers have modified their Javascript implementations to basically make that vector impossible, to which I said "good enough".

And that's just the desktops. As the servers go, I couldn't think of any way, assuming everything nothing is broken, that someone could run their own code on the server as to exploit Spectre or Meltdown. Sure, maybe they could use some other exploit to load and run arbitrary code on my servers, but if they could do that then I'd have already lost.

Security in a complex system is hard

[davidwr]

"Fast, good, cheap, pick (no more than) two."

Sometimes you only get to pick one, or none.

Re:Security in a complex system is hard

[rrohbeck]

Open source often manages to give you all three.

Re:Security in a complex system is hard

[Bigfishbowl]

Yeah I think we both know that is not true. I love open source, but know that is not some magical force field against hardware-level bugs, so stop claiming there is. The most common examples of these exploits are done IN LINUX.

These are brilliantly done exploites, and the Linux-x64 house is made of just as much glass as Windows.

Difference being, Microsoft and Intel actually have to report to shareholders, so there is some accountability.

I'm a little off the reservation on what the proper path is since all is currently properly fucked.

Re:Security in a complex system is hard

[davidwr]

Open source often manages to give you all three [fast, cheap, and good].

Measure the cost in man-hours instead of "how much the end user paid for it" and "cheap" tends to disappear.

I will grant you one major difference between a large-team distributed project - most large FOSS projects are distributed - and a large-team project run by a single entity: Project management is usually very different, and as a result, the cost of project management may be very different.

The Meltdown meltdown.

[fahrbot-bot]

Fixing one problem in haste sometimes creates other problems.

For example, as Jason Mendoza, from The Good Place, noted:

Jason: Any time I had a problem, I threw a Molotov Cocktail and, boom, I had a different problem.

translation

microsoft is intentionally crippling windows 7 security.. stay tuned for the press release touting windows 10 as the 'best' fix for these issues.

Re:translation

[webmistressrachel]

This is exactly what I was thinking.

Microsoft released a decent operating system and then killed it on purpose when they couldn't persuade people to upgrade to Windows 8, 8.1, or 10 - there was no need to upgrade while everything worked so well under 7!!

I only upgraded from Windows 2003 "workstation" after I had observed feedback from 7 users for about a year. I will not upgrade to 10, even if they try to force me to with "exclusive" releases - I will play my games on 7 until that market ends, and I will continue to use Linux for my work as I always have, all of which simply means that eventually my hobby will die with Windows 7. Thanks M$.

I strongly suspect that I'm not the only person thinking like this. M$ created a whole industry, now they want to destroy it.

Re:translation

[blackpaw]

Funny, I "upgraded" a toasted kubuntu install yesterday to Min 18.3 (Cinnamon). Looked nice and slick at first. But the taskbar is a PITA in vertical mode, no pinned apps on taskbar, fullscreen rdp on one monitor killed the desktop on the other monitor. Apps open at random location and I just don't have the time to yet again tweak the crap out of it.

All on bog std hardware. The neighbouring Win 10 pro machine with the same hardware has no issues at all.

Linux has always been crap with multiple monitors and usable desktops. Ironically we use the desktops to remote onto VM's running on a Linux cluster.

Re:translation

This is also why Microsoft never truly fixed Windows Update (the routines that checks updates is horribly slow) on pre-Windows 10 PCs.

On Windows 10, they never really fixed it either, instead opting for 'upgrades' (vs 'update') every six months to reset the baseline; and, of course, taking away user control over the entire update/upgrade process and forcing whatever they want to install onto PCs.

Re:translation

[Tyger-ZA]

Funny, I "upgraded" a toasted kubuntu (I fucked it up) install yesterday to Min 18.3 (Cinnamon). Looked nice and slick at first. But I fucked with it again and now it's broken so I'll blame the OS

All on bog std hardware. The neighbouring Win 10 pro machine with the same hardware (That I didn't fuck up, apparently) has no issues at all.

Linux has always been crap with multiple monitors and usable desktops. Ironically we use the desktops to remote onto VM's running on a Linux cluster.

FTFY

Now my turn for anecdotal evidence:

I've been running Mint for years on my work machine (js, Python, C, C++ dev); with Windows (C# dev) banished to a Virtual Machine before it can cause any trouble.

The host OS gives me no trouble, the guest OS typically wastes my time by being unusable while it updates, because the retarded shit gibbons at MS have written an overly complicated update system that takes 100% of a CPU core to download & copy files + edit registry

The only reason I would want to run Windows as a host OS is for gaming, and even that use case can be solved with a Linux host and GPU passthrough

Re:translation

[blackpaw]

Ah the classic Linux fanboy. Finding bugs in the software by your desktop to work the way you need it = breaking it.

Re:translation

[Tyger-ZA]

Ah the classic Linux fanboy. Finding bugs in the software by your desktop to work the way you need it = breaking it.

No, to give you a counter example:

The upgrade process in Mint works, without eating crazy amounts of CPU, and there's actually a repo on Mint. If this were as frustrating as it is on Windows, I would be complaining to the devs and looking into whether I can fix it myself. Now if I fucked up my OS for example by interfering with parts I don't understand, that would be my fault if it broke. Example, interfering with fstab and then complaining when I can't find hard drives is akin to you touching things you apparently don't understand and toasting Kubuntu

For a Windows example, me installing Windowblinds because the flat Windows UI looks like shit and fucking up the OS because of it, would be my fault. If I moved the taskbar to the left and something breaks, that would be their fault, nobody else had a hand in making that feature. It's their update system and their fault that the update system is shit. I can't fix it even if I knew how.

Re: translation

[Brockmire]

Mint installation can fuck off. If install fails due to an NTP server going unreachable, they fucked up. Mint has also failed to install on a couple of laptops (without any useful error message), which blew my mind. Never had install issues with Xubuntu with many more Xubuntu installs. Everyone has their own unique experience with the millions of fucking distros. Some just work, some just fucking suck.

Re: translation

[Brockmire]

Address the issue that Windows 7 development was stopped years ago, that had a schedule years in advance of ending support? This is only a surprise to morons. When you're clueless and make no fucking sense, you don't deserve a response. Anyone working in software development understands you put your efforts into newer, better code than spinning wheels putting in new features that were never planned or supported.

It's the chips

[WillAffleckUW]

Ask yourself, who would design chips so that they could be backdoored?

There you go.

Oh, and, yes, we're in your keyboards, mice, printers, and so many devices in your "smartphones".

Should have been optional from the start!

[duke_cheetah2003]

When Meltdown and Spectre were first revealed, I know I posted on here: PLEASE MAKE FIXES OPTIONAL.

Mainly because these 'flaws,' and I do use that word loosely. I'm not entirely convinced it's an actual flaw. It's just how it works. Anyway, gimping the execution predicting to protect against these 'flaws' is really stupid on a desktop computer, where there's no VM's, very little if any usage outside of 1 user. They're hurting computing performance for a non-issue.

On server systems, data center, etc, yes, fix this bug, it's a real issue on shared computing resources. On a desktop where there's 1 maybe 2 users whom browse the web, play games, type documents and otherwise 'use' their computer normally, it should be left as is. It's not a flaw on desktops. The flaw is fixing this on desktop, because it gimps performance.

All that aside, Microsoft making it worse it just laughable. And pretty much non-surprising. I'd wager Microsoft is one of the few companies that could take a 'problem' with fairly straight forward fixes and fuck it up, making a bigger problem than originally existed. Par for the course, for Microsoft.

Re: Should have been optional from the start!

didn't the proof of concept include a chrome based javascript file that could dump all your user credentials/logins on your windows machine? Not exactly 'only servers' if site adverts can steal your bank details.

Re: Should have been optional from the start!

[Luckyo]

This was nuked almost instantly by all major browser vendors. Javascript engine in browsers no longer has access to timings tight enough to utilize this bug.

Re:Should have been optional from the start!

[Howitzer86]

If you're worried about performance, don't install the new firmware. The Windows patch can't mitigate Spectre/Meltdown without it, and you'll have to do it yourself. If you're worried about security... I guess you're boned no matter what.

Just do what you probably always do: keep regular backups, keep an updated antivirus, use adblock, and avoid shady websites.

Re: Should have been optional from the start!

[Luckyo]

Evidence is in the fact that in spite of massive attention this exploit got, and its supposed pervasiveness, no one utilized it to attack browsers in any meaningful capacity to this date.

Re:Should have been optional from the start!

[drinkypoo]

It's not a flaw on desktops. The flaw is fixing this on desktop, because it gimps performance.

Hurt me again, daddy! That's a lot of nonsense, because people execute code from untrusted sources all the time. On any computer where you might wind up running untrusted code, it's a problem. And that describes the average user desktop. You sound like an Intel apologist to me. Are you getting paid, or do you just have a lot of Intel kit and you don't want to feel stupid?

Re:Should have been optional from the start!

[Waccoon]

PLEASE MAKE FIXES OPTIONAL.

Indeed. I nearly had a heart attack when I discovered my Gigabyte motherboard doesn't allow you to revert your BIOS after an update. So, does that mean if I installed the Meltdown patch and it screwed up, I couldn't fix it myself by downgrading? I didn't even take the chance!

I expect that crap from companies that build fully pre-built systems, but now even the aftermarket parts market is making choice difficult. Isn't choice the whole point of building your own PC? How long before firmware updates are mandatory, too?

Re:Should have been optional from the start!

[thegarbz]

They WERE optional from the start. All the added features of the patch can be disabled via a registry entry.

Re: Should have been optional from the start!

[Luckyo]

Exploits that have been stated as "unpatchable" and drummed about in every single piece of media the way meltdown and spectre were?

Weeks at most. In most cases, probably days. Malware industry is a for-profit one, and you could make nine-ten digits easily if you actually had an exploit to vaccuum people's passwords en masse with just a javascript.

Greed is a very powerful motivator.

Re:Should have been optional from the start!

[duke_cheetah2003]

You sound like an Intel apologist to me. Are you getting paid, or do you just have a lot of Intel kit and you don't want to feel stupid?

Why is this the assumption when someone disagrees with you? I wish I were getting paid for speaking my mind, but I'm not. Must be a painful unpleasant reality you exist in where everyone who disagrees with you is a shill. So much paranoia.

Re:Should have been optional from the start!

[duke_cheetah2003]

....And that describes the average user desktop.

And frankly, if the average user downloads malware and installs it, or browses a malicious website. They deserve whatever they get. Stay away from untrusted programs and websites, plain and simple. I have no sympathy for people who browse untrusted sites and download garbage they don't need.

I actually like these people. They pay my bills, since I have to remove their stupid from their machines and teach them how to not be stupid.

No amount of anti-virus, flaw correction, security patches or arm twisting will fix the levels of stupid of the average user, so stop gimping ALL OF OUR PC's because some people can't take 5 seconds out of their busy lives to learn how to use a computer properly.

Re:Should have been optional from the start!

[ElizabethGreene]

>> When Meltdown and Spectre were first revealed, I know I posted on here: PLEASE MAKE FIXES OPTIONAL.

They did.
The fixes for Spectre and Meltdown can be disabled with two registry keys,

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

FeatureSettingsOverride =3
FeatureSettingsOverrideMask =3

They are disabled by default on server operating systems.

Ref: KB4073119

Re:Should have been optional from the start!

[ElizabethGreene]

... fairly straight forward fixes

Are you familiar with the Dunning-Kruger effect? It seems like this might be relevant to your understanding of the effort and complexity required here.

Re:Should have been optional from the start!

[drinkypoo]

Why is this the assumption when someone disagrees with you?

You're disagreeing with reality. Please consider how the world really works, in this case what users really do, and then consider your comment in that light.

Re: Should have been optional from the start!

[Brockmire]

Fuck off, you dumb cunt. You probably missed all the stories of legit ad networks being fooled into serving malware on big name sites? Perhaps you've heard of zero days? Do you work in an office with dumb, gullible people? Plenty of really smart, really careful people get infected all the time.

True patch?

[ELCouz]

What is the good KB##### patch for meltdown/spectre as today?

That's a load of nonsense

[OneHundredAndTen]

You cannot make Windows more insecure.

Break this patch out of the cumulative update?

[slincolne]

The March rollup comes with several issues that make it a bit of a risk in itself to deploy (https://support.microsoft.com/en-au/help/4088875/windows-7-update-kb4088875). Of note:

• A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused.

  Static IP address settings are lost after you apply this update.

  In both instances the advisory states that "Microsoft is working on a resolution and will provide an update in an upcoming release."

submission

[rastos1]

I was first to submit this story to /. I could live with my submission being rejected in favor of submission of someone else. Although my submission had link straight to the Ulf Frisk's blog. But marking my submission as SPAM? Really? That hurts.

Re:submission

Don't bother. msmash and beauhd only repost stories from a fixed list of web sites.

They don't care about the submission queue one bit.

Re: I am owed an apology

You sound very happy and well-adjusted. Im sure your coworkers love seeing you every day.