Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft's Windows 7 Meltdown Fixes From January and February Made PCs More Insecure (theregister.co.uk)

Posted by msmash on from the closer-look dept.

Microsoft's January and February security fixes for Intel's Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes. From a report: This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple's FileVault disk encryption system. We're told Redmond's early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system's memory map, gain administrator-level privileges, and extract and modify any information in RAM. The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.

17 of 84 comments (clear)

  1. I am still waiting to apply these patches... by ls671 · · Score: 4, Insightful

    I am still waiting to apply these patches. About 2 months ago, I wrote here that it looked like a 2-3 months waiting period could be a nice ballpark figure. Will I have to wait even longer?

    --
    Everything I write is lies, read between the lines.
    1. Re:I am still waiting to apply these patches... by techno-vampire · · Score: 2

      OK, you use Windows for a living; I don't. Tell me, do you find this report surprising, or is it what you expect from Microsoft?

      --
      Good, inexpensive web hosting
    2. Re:I am still waiting to apply these patches... by Anonymous Coward · · Score: 2

      I will never apply any of the so-called "fixes" for Spectre and Meltdown on my personal PCs. The "vulnerabilities" (actually FEATURES BY DESIGN for over two decades) just aren't serious and the media blew it way out of proportion. My computers are secure as ever, nothing has changed and no hackers are going to be gaining access to them or anything stored on them. I'm not going to suffer massive performance hits because some crackpipe smoking, tinfoil hat wearing idiot said that it was a "bad thing(tm)" and all of the lemmings followed him over the edge.

    3. Re:I am still waiting to apply these patches... by NicknameUnavailable · · Score: 3, Insightful

      Still use Windows, but don't find it surprising. They've been known to release patches which cripple vital OS functionality (e.g. the XP phase-out) in order to get people to upgrade, in very subversive ways they don't know actually happened most of the time (e.g. making network or local files disappear at random from the file explorer, but not to other programs.) They probably see Spectre/Meltdown as an opportunity to cripple Windows 7 with minor backlash. Windows 7 machines should not be upgraded beyond the first time they announced the end of life (definitely none of the ongoing support patches after they extended the end of life.) You need to keep such machines behind several firewalls and browse safely to use them (with all telemetry and update services shut off.) Do that and it's solid, don't do that and it will keep breaking. Sadly there are still a bunch of things you just can't do on Linux because of people not porting their apps over (especially when you get into high end computing which requires simulating specialty engineering stuff.)

    4. Re:I am still waiting to apply these patches... by rtb61 · · Score: 2

      You, 'HOPE'. No matter what you do, they want to hack you, they will. Security is a balance, being more secure than you are worth hacking. That worth hacking can take on all sorts of metrics, from being a target of three letter agencies, to manipulating your psychology, to identity fraud against credit card acceptors. In this case of M$ wanting to push Windows anal probe 10, you can bet patches will far and few and likely shite, to kick you off what they already sold you, to force you to buy what amounts to spyware, full up, no holds barred, spyware.

      --
      Chaos - everything, everywhere, everywhen
    5. Re:I am still waiting to apply these patches... by jwhyche · · Score: 2

      I would keep waiting. For the past two months I have heard horror stories about the patches. Yet, I have not heard of any exploits that use the problems. Seems to me this is a case of the cure being worse than the illness.

      --
      I read at +2. If your post doesn't reach that level I will not see or respond to it.
  2. Security in a complex system is hard by davidwr · · Score: 2

    "Fast, good, cheap, pick (no more than) two."

    Sometimes you only get to pick one, or none.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Security in a complex system is hard by rrohbeck · · Score: 2

      Open source often manages to give you all three.

      --
      thegodmovie.com - watch it
  3. translation by Anonymous Coward · · Score: 3, Interesting

    microsoft is intentionally crippling windows 7 security.. stay tuned for the press release touting windows 10 as the 'best' fix for these issues.

    1. Re:translation by webmistressrachel · · Score: 5, Interesting

      This is exactly what I was thinking.

      Microsoft released a decent operating system and then killed it on purpose when they couldn't persuade people to upgrade to Windows 8, 8.1, or 10 - there was no need to upgrade while everything worked so well under 7!!

      I only upgraded from Windows 2003 "workstation" after I had observed feedback from 7 users for about a year. I will not upgrade to 10, even if they try to force me to with "exclusive" releases - I will play my games on 7 until that market ends, and I will continue to use Linux for my work as I always have, all of which simply means that eventually my hobby will die with Windows 7. Thanks M$.

      I strongly suspect that I'm not the only person thinking like this. M$ created a whole industry, now they want to destroy it.

      --
      This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
    2. Re:translation by Tyger-ZA · · Score: 2

      Funny, I "upgraded" a toasted kubuntu (I fucked it up) install yesterday to Min 18.3 (Cinnamon). Looked nice and slick at first. But I fucked with it again and now it's broken so I'll blame the OS

      All on bog std hardware. The neighbouring Win 10 pro machine with the same hardware (That I didn't fuck up, apparently) has no issues at all.

      Linux has always been crap with multiple monitors and usable desktops. Ironically we use the desktops to remote onto VM's running on a Linux cluster.

      FTFY

      Now my turn for anecdotal evidence:

      I've been running Mint for years on my work machine (js, Python, C, C++ dev); with Windows (C# dev) banished to a Virtual Machine before it can cause any trouble.

      The host OS gives me no trouble, the guest OS typically wastes my time by being unusable while it updates, because the retarded shit gibbons at MS have written an overly complicated update system that takes 100% of a CPU core to download & copy files + edit registry

      The only reason I would want to run Windows as a host OS is for gaming, and even that use case can be solved with a Linux host and GPU passthrough

  4. It's the chips by WillAffleckUW · · Score: 2, Interesting

    Ask yourself, who would design chips so that they could be backdoored?

    There you go.

    Oh, and, yes, we're in your keyboards, mice, printers, and so many devices in your "smartphones".

    --
    -- Tigger warning: This post may contain tiggers! --
  5. Should have been optional from the start! by duke_cheetah2003 · · Score: 5, Informative

    When Meltdown and Spectre were first revealed, I know I posted on here: PLEASE MAKE FIXES OPTIONAL.

    Mainly because these 'flaws,' and I do use that word loosely. I'm not entirely convinced it's an actual flaw. It's just how it works. Anyway, gimping the execution predicting to protect against these 'flaws' is really stupid on a desktop computer, where there's no VM's, very little if any usage outside of 1 user. They're hurting computing performance for a non-issue.

    On server systems, data center, etc, yes, fix this bug, it's a real issue on shared computing resources. On a desktop where there's 1 maybe 2 users whom browse the web, play games, type documents and otherwise 'use' their computer normally, it should be left as is. It's not a flaw on desktops. The flaw is fixing this on desktop, because it gimps performance.

    All that aside, Microsoft making it worse it just laughable. And pretty much non-surprising. I'd wager Microsoft is one of the few companies that could take a 'problem' with fairly straight forward fixes and fuck it up, making a bigger problem than originally existed. Par for the course, for Microsoft.

    1. Re:Should have been optional from the start! by Howitzer86 · · Score: 2

      If you're worried about performance, don't install the new firmware. The Windows patch can't mitigate Spectre/Meltdown without it, and you'll have to do it yourself. If you're worried about security... I guess you're boned no matter what.

      Just do what you probably always do: keep regular backups, keep an updated antivirus, use adblock, and avoid shady websites.

  6. That's a load of nonsense by OneHundredAndTen · · Score: 4, Funny

    You cannot make Windows more insecure.

  7. Break this patch out of the cumulative update? by slincolne · · Score: 3
    The March rollup comes with several issues that make it a bit of a risk in itself to deploy (https://support.microsoft.com/en-au/help/4088875/windows-7-update-kb4088875). Of note:
    • A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused.

      Static IP address settings are lost after you apply this update.

      In both instances the advisory states that "Microsoft is working on a resolution and will provide an update in an upcoming release."

  8. submission by rastos1 · · Score: 3, Insightful

    I was first to submit this story to /. I could live with my submission being rejected in favor of submission of someone else. Although my submission had link straight to the Ulf Frisk's blog. But marking my submission as SPAM? Really? That hurts.