Microsoft's Windows 7 Meltdown Fixes From January and February Made PCs More Insecure

Microsoft's January and February security fixes for Intel's Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes. From a report: This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple's FileVault disk encryption system. We're told Redmond's early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system's memory map, gain administrator-level privileges, and extract and modify any information in RAM. The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.

I am still waiting to apply these patches...

[ls671]

I am still waiting to apply these patches. About 2 months ago, I wrote here that it looked like a 2-3 months waiting period could be a nice ballpark figure. Will I have to wait even longer?

Re:I am still waiting to apply these patches...

[NicknameUnavailable]

Still use Windows, but don't find it surprising. They've been known to release patches which cripple vital OS functionality (e.g. the XP phase-out) in order to get people to upgrade, in very subversive ways they don't know actually happened most of the time (e.g. making network or local files disappear at random from the file explorer, but not to other programs.) They probably see Spectre/Meltdown as an opportunity to cripple Windows 7 with minor backlash. Windows 7 machines should not be upgraded beyond the first time they announced the end of life (definitely none of the ongoing support patches after they extended the end of life.) You need to keep such machines behind several firewalls and browse safely to use them (with all telemetry and update services shut off.) Do that and it's solid, don't do that and it will keep breaking. Sadly there are still a bunch of things you just can't do on Linux because of people not porting their apps over (especially when you get into high end computing which requires simulating specialty engineering stuff.)

translation

microsoft is intentionally crippling windows 7 security.. stay tuned for the press release touting windows 10 as the 'best' fix for these issues.

Re:translation

[webmistressrachel]

This is exactly what I was thinking.

Microsoft released a decent operating system and then killed it on purpose when they couldn't persuade people to upgrade to Windows 8, 8.1, or 10 - there was no need to upgrade while everything worked so well under 7!!

I only upgraded from Windows 2003 "workstation" after I had observed feedback from 7 users for about a year. I will not upgrade to 10, even if they try to force me to with "exclusive" releases - I will play my games on 7 until that market ends, and I will continue to use Linux for my work as I always have, all of which simply means that eventually my hobby will die with Windows 7. Thanks M$.

I strongly suspect that I'm not the only person thinking like this. M$ created a whole industry, now they want to destroy it.

Should have been optional from the start!

[duke_cheetah2003]

When Meltdown and Spectre were first revealed, I know I posted on here: PLEASE MAKE FIXES OPTIONAL.

Mainly because these 'flaws,' and I do use that word loosely. I'm not entirely convinced it's an actual flaw. It's just how it works. Anyway, gimping the execution predicting to protect against these 'flaws' is really stupid on a desktop computer, where there's no VM's, very little if any usage outside of 1 user. They're hurting computing performance for a non-issue.

On server systems, data center, etc, yes, fix this bug, it's a real issue on shared computing resources. On a desktop where there's 1 maybe 2 users whom browse the web, play games, type documents and otherwise 'use' their computer normally, it should be left as is. It's not a flaw on desktops. The flaw is fixing this on desktop, because it gimps performance.

All that aside, Microsoft making it worse it just laughable. And pretty much non-surprising. I'd wager Microsoft is one of the few companies that could take a 'problem' with fairly straight forward fixes and fuck it up, making a bigger problem than originally existed. Par for the course, for Microsoft.

That's a load of nonsense

[OneHundredAndTen]

You cannot make Windows more insecure.

Break this patch out of the cumulative update?

[slincolne]

The March rollup comes with several issues that make it a bit of a risk in itself to deploy (https://support.microsoft.com/en-au/help/4088875/windows-7-update-kb4088875). Of note:

• A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused.

  Static IP address settings are lost after you apply this update.

  In both instances the advisory states that "Microsoft is working on a resolution and will provide an update in an upcoming release."

submission

[rastos1]

I was first to submit this story to /. I could live with my submission being rejected in favor of submission of someone else. Although my submission had link straight to the Ulf Frisk's blog. But marking my submission as SPAM? Really? That hurts.