Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Issues Out-Of-Band Security Update To Patch a Meltdown Patch It Released Earlier This Year (bleepingcomputer.com)

Posted by msmash on from the patch-ception dept.

On Friday, Microsoft issued an out-of-band security update for 64-bit versions of Windows 7 and Windows Server 2008 R2. From a report: The security update -- KB4100480 -- addresses a security bug discovered by a Swedish security expert earlier this week. The bug was caused by a patch meant to fix the Meltdown vulnerability but accidentally opened the kernel memory wide open. According to Ulf Frisk, Microsoft's January 2018 Meltdown patch (for CVE-2017-5754) allowed any app to extract or write content from/to the kernel memory. This all happened because the Meltdown patch accidentally flipped a bit that controlled access permissions to kernel memory. Frisk said that the March Patch Tuesday appears to have "fixed" the issue, as he was not able to interact with kernel memory.

36 comments

  1. Put a tent over this circus by Anonymous Coward · · Score: 0

    Patches to patches to patches, Oh My!

    1. Re:Put a tent over this circus by FatdogHaiku · · Score: 4, Funny

      Patches to patches to patches, Oh My!

      It's patches all the way down!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    2. Re:Put a tent over this circus by ColdWetDog · · Score: 1

      Those responsible for the patches that had been sacked have been sacked.

      --
      Faster! Faster! Faster would be better!
    3. Re:Put a tent over this circus by Anonymous Coward · · Score: 0

      That's what you get when you hire a bunch of inexperienced and incompetent "developers" who don't understand proper software programming practices. A bunch of kids who code by trial and error with no QA is why there is a constant stream of patches from software companies who don't know what they are doing.

    4. Re:Put a tent over this circus by Anonymous Coward · · Score: 0

      You also get management types that always want to have a "clean new UI" every now and then, so things don't look stale. The old UI was perfectly functional, but they prioritize spending time writing all sorts of new code that ultimately the end users don't even want.

    5. Re:Put a tent over this circus by Anonymous Coward · · Score: 0

      Everything works as the management wanted. They laid off their QA people, so the barrier between users and developers was removed. Of course bugs do happen, but a competent and responsible company would test the software before shipping it.

  2. For real? by Anonymous Coward · · Score: 0

    'allowed any app to extract or write content from/to the kernel memory'

    The fuck, who lets toddlers create Windows patches... Satay Nutella needs to go.

    1. Re:For real? by Anonymous Coward · · Score: 0

      toddlers or the NSA? Or toddlers working for the NSA?

  3. I use APK's hosts file, is my computer safe? by Anonymous Coward · · Score: 0

    I use APK's hosts file engine, is my computer safe until I get home and install this patch?

    1. Re:I use APK's hosts file, is my computer safe? by Anonymous Coward · · Score: 0

      I use APK's hosts file engine, is my computer safe until I get home and install this patch?

      Probably, though as a side-effect you might experience an overwhelming urge to rant and rave like the TimeCube guy on forums while making strange punctuation/capitalization choices, totally ignoring any evidence or reasoning to the contrary, and declaring your great victory.

  4. Patch it around... by Thelasko · · Score: 5, Funny

    99 little bugs in the code.
    99 little bugs.
    Take one down, patch it around.
    127 little bugs in the code...

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    1. Re:Patch it around... by Ol+Olsoc · · Score: 1

      99 little bugs in the code. 99 little bugs. Take one down, patch it around. 127 little bugs in the code...

      I see a fight brewing as people alternately mod this truth or funny. Can hardly see what this patch breaks.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:Patch it around... by Anonymous Coward · · Score: 0

      My mind rejects the lack of symmetry.

      It should start with 63 bugs, if it is going to jump to 127.

      *mutter*

  5. accidentally by Anonymous Coward · · Score: 0

    right

  6. in case of meltdown push this button by Joe_Dragon · · Score: 2

    in case of meltdown push this button

  7. patch the patch on the patch by Anonymous Coward · · Score: 0

    Soon Windows will be 100% duck tape.

  8. I just removed kb4056897 by blind+biker · · Score: 1

    I removed kb4056897 and for now, won't accept any Microsoft patches for the time being. I'll take care of Meltdown by keeping Javascript disabled on all non-essential websites.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    1. Re:I just removed kb4056897 by Anonymous Coward · · Score: 0

      Glad I'm still on XP

    2. Re:I just removed kb4056897 by Anonymous Coward · · Score: 0

      You are glad you are even more vulnerable?

    3. Re:I just removed kb4056897 by Anonymous Coward · · Score: 1

      Vulnerable to what? Hackers, maybe if they have access or your firewall sucks. You're more vulnerable to Microsoft with newer versions with no way to secure against that threat.

    4. Re:I just removed kb4056897 by blind+biker · · Score: 1

      You're more vulnerable to Microsoft with newer versions with no way to secure against that threat.

      There is truth in this, and as time goes by, the more I find it truthful.

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
  9. If they'd written Windows properly by jd · · Score: 3, Interesting

    In the first place, then none of this would have been an issue. It's no bloody wonder Microsoft no longer sells software, only licenses, because they'd get sued under the lemon laws. This is grossly incompetent on their part.

    Can you write an OS, cleanly, that is secure against CPU bugs? Yes, yes you can. You design the code properly and then you do this thing that is quite remarkable. You write a full set of tests.

    But what if you don't know about the specific bug? Why should you have to? A bug, by definition, involves behaviour that falls outside the specification of behaviour. If your specification says that if you perform the task x, the information y is not visible at point z, and you find it is visible, you have a bug.

    But we know from the antitrust case that Microsoft has no specification, no documented API, no set behaviours and minimal testing. And this is why their software failed on the bug, and this is why their patch failed on the bug. (In case people have forgotten, back in the old days standard policy was to NEVER install odd-numbered service packs because they had too many bugs.)

    Linux also messed up on these kernel bugs. This is because there's inadequate documentation and inadequate testing outside of actual use. This means that Linux has very very few bugs along active pathways. It averages 1/10th the defect density of commercial software, impressive by any count. Since active pathways are actively and thoroughly tested, the defect density along those will be far far lower still. The bugs will be off the regular beaten path and that's why Linux fell foul.

    It should not have fallen foul, since the solution is pretty much the solution people have been using to secure against all kinds of direct access attacks for at least 20 years now.

    However, there's also a difference. Because of the Linux development model, the most you could do is hire testers and technical writers. Some vendors already do. The defect density can be reduced further but you have diminishing returns.

    With closed-source cathedral software like Microsoft's Windows, defects are a choice for the bulk of it. Turing's Halting Problem applies to certain types of programming, not to all types. You can place all the unprovable software into a single non-critical component. And, yes, a lack of security is a defect. Windows is defective by design, by choice, because it's more profitable to sell crap to you repeatedly than to get it right. There's no consequences for getting it wrong.

    OpenBSD complained that the disclosure was done stupidly. Maybe so, I want to know why anything exploitable was laid out in a highly exploitable way. That doesn't sound terribly secure. Why should there be anything positionally-dependent anywhere, given that we've always known CPUs are improperly tested - one of the first things most of us learned in CS was not to trust the CPU would get it right and also to validate the results by looking at them rather than looking at the code generating them.

    Would this push the cost up? Yes. It would mean instead of a mountain of e-waste and smart devices nobody wants to be smart, you'd have rather fewer devices that WORKED.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:If they'd written Windows properly by Anonymous Coward · · Score: 0

      So, the root cause was a bug in the processor, not in the OS code. Microsoft didn't write that code.

      And anyway, the notion that a correct software-development process can produce bug-free code is a complete farce. It is true that bug count goes down as quality control measures go up....but....it is not a linear relationship. The returns diminish. Eventually you reach a point where it is costing more to make the software than anyone will ever pay for it.

      Furthermore, if you spent too much on quality, people will buy software from your competition instead just because it is cheaper. They are willing to accept a measure of bug risk in return for much more affordable software. Because of this, you can't succeed as a business if you aim for bug-free code (which is impossible to achieve, anyway).

    2. Re: If they'd written Windows properly by Anonymous Coward · · Score: 0

      In the really old days the rule was never install an even numbered DOS.

    3. Re:If they'd written Windows properly by AHuxley · · Score: 1

      If they'd written Windows properly

      People would have found the NSA inside.
      All the extra code allows the NSA to hide and collect it all.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re: If they'd written Windows properly by Anonymous Coward · · Score: 0

      Yet Linux and MacOS work. While MS is doing mostly running auto updates and anti viruses.

      Perhaps the corporate kickbacks culture is the only reason we still keep hearing of MS products.

    5. Re:If they'd written Windows properly by jd · · Score: 1

      It doesn't matter if they didn't write that code, they wrote Windows for a specific platform. They should have TESTED it for that platform. They didn't.

      The chips worked as designed, so this was not an undisclosed problem, this was something Microsoft designed Windows for.

      If you spend too much on quality, sure, people will buy the ticket for the airliner with one engine hanging off and fuel pouring out the tank. Except this wouldn't have required much at all. One design decision rather than another at the implementation stage, and your choice costs you maybe a couple of thousand dollars (twenty licenses, or 1/100,000 an EU fine).

      Microsoft ATE that EU fine for breakfast, burped slightly, and then carried on. Think about how much QA they could have done with that same money. And since it was so trivial to them, think of what they could be doing right now with the same amount of money.

      No, this isn't about taking a risk to make more affordable software. They have 95% of the market and the most significant rival charges nothing at all.

      You want to talk about bug-free software? Look up VST and tell me about bug-free. But I say again, this isn't about bug-free. This is about isolating the parts of the code that may have bugs and placing the provable parts (which you CAN have, because the Halting Problem allows provably correct software, just not provably correct in the general case - specific cases are fine) at critical points.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    6. Re:If they'd written Windows properly by jd · · Score: 1

      So what you're saying is that the processor bug might have been on request? The bug is in one ring, after all.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  10. house of cards a falling by Anonymous Coward · · Score: 0

    When will the patch to patch the patch be ready?

  11. No problems for me by Anonymous Coward · · Score: 0

    I installed the repatch and things are working perfectlyбез помеÑ...

  12. "Accidentally", my ass.... by gweihir · · Score: 2

    The correct word is "incompetently" and lacking independent review. Good old MS, screwing the customer even when they do not profit from it.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  13. Deliberately destructive, or wildly incompetent? by Anonymous Coward · · Score: 0

    "... MS, screwing the customer even when they do not profit from it."

    Maybe just utter incompetence.

  14. Windows 10 upgraded from Windows 7 affected? by shanen · · Score: 1

    Or am I just too paranoid and suspicious? The story got me to check the upgrade history, which showed nothing for the last few weeks, but that got me to check for upgrades, which has triggered a download and installation for KB4089848... Can't see exactly what it is in the middle of the upgrade, but if I don't come back afterwards, "Arrgh, the got me!"

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  15. Should have used apps! by Anonymous Coward · · Score: 0

    Modern app appers know that only apps can app apps, and Appdows 10 S can't be hacked by LUDDITE hackers, unlike LUDDITE Windows 7!

    Apps!

  16. Not surprised.. by LVSlushdat · · Score: 1

    So now Microsoft is patching their patches... Kinda makes one think of the little dutch boy putting his fingers in the dike, till he ran out of fingers/toes to plug all of the holes in the dike... Sooooooooooo damn glad I got off the "Microsoft train" 8 years ago when I retired after 20 years of supporting the insanity that is Microsoft and its products... LINUX FTW!!!

    --
    THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
  17. Re:Deliberately destructive, or wildly incompetent by gweihir · · Score: 1

    Well, I am not sure. Ordinarily, utter incompetence would be enough, but with the massive degree of damage they do I think at least some maliciousness or lack of caring about the customer comes into play.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.