Microsoft Issues Rare Out-of-Band Emergency Windows Update For Processor Security Bugs

An anonymous reader shares a report: Microsoft is issuing a rare out-of-band security update to supported versions of Windows today (Wednesday). The software update is part of a number of fixes that will protect against a newly-discovered processor bug in Intel, AMD, and ARM chipsets. Sources familiar with Microsoft's plans tell The Verge that the company will issue a Windows update that will be automatically applied to Windows 10 machines at 5PM ET / 2PM PT today. The update will also be available for older and supported versions of Windows today, but systems running operating systems like Windows 7 or Windows 8 won't automatically be updated through Windows Update until next Tuesday. Windows 10 will be automatically updated today.

Re:

[Killall -9 Bash]

Unpatched win7 running on Ryzen.... what slowdown?

Re:

[Joce640k]

Also no speedup, so, meh.

Re:

[G00F]

There is KB4012982, which is an update that detects newer CPU, and disables futher updates.

https://support.microsoft.com/... [microsoft.com]

The workaround for that is quite simple, uninstall and block that update, and you can continue to patch...

Re:

[Z00L00K]

Unpatched Win7 running on Atom? Can it get slower?

Re:

[F.Ultra]

Depends, will it run Vista?

Re:

[Joce640k]

Unpatched win7 running on Ryzen.... what slowdown?

Luckily for us Windows 7 users Microsoft has chosen Windows 10 as the guinea pig. We'll get to see what happens performance-wise before we choose to update (or not).

Should be user-configurable or based on trust

[JoeyRox]

Due to the performance impact of this workaround it should have an option to disable it like Linux is providing. An alternate, more refined approach would be to selectively enable the kernel page-table isolation on a per-process basis, based on either user configuration or an automatic trust determination such as whether the app is signed by a trusted certificate source (ie, downloaded, unsigned apps would run with page isolation enabled).

Re:

[olsmeister]

http://pythonsweetness.tumblr.... [tumblr.com]

Re:

[Joce640k]

Yeah, of course it's much better to just apply the fix and *then* find out your performance has gone to shit.

Luckily for us Windows 7 users, Microsoft has chosen Windows 10 as the guinea pigs.

Re:

[networkBoy]

There is very strong evidence that (for example) applications which do a lot of I/O, like databases, will have a measurable hit.

Actually we're past that, we're now at:
There is empirical data that applications that do a lot of Kernel calls (such as disk I/O like databases) will see a large impact.

Can't risk sanctity of kernel-enforced DRM

[Miamicanes]

Since the most likely result of the vulnerability to desktop users is being able to defeat kernel-enforced DRM and Windows licensing, it's no surprise Microsoft would push this out as a mandatory update of the highest priority.

Re:

[thegarbz]

When has Microsoft ever provided kernel level security bypasses?

Re:

[Waccoon]

Good idea. I took this as a cue to download the latest rollups. With one exception, my Win7 machines are offline, so they don't need to be "fixed".

I'll still keep my old downloads, though. Microsoft has already been caught updating old KB updates without issuing notices or new version numbers, so I wouldn't be surprised if anything DRM related is applied retroactively to the existing downloads.

Re: Can't risk sanctity of kernel-enforced DRM

[Miamicanes]

Apple: probably has the same priorities & agenda as Microsoft insofar as DRM and "trusted" computing is concerned. And Apple's culture tends towards "make decisions for users".

Linux: users are free to disable the patch if they'd rather have better performance.

Re:

[ebyrob]

They probably did it because it's a flaw and at their tempo, it wasn't out of band...

Re:

[jason777]

Thats actually a great idea

Re:

[jezwel]

IIRC the proof of concept had JS in a web browser that can read your kernel memory, dump any credentials or authorisation keys plus the urls used in conjunction with that data. Pretty handy to get account details for your online banking, social media, webmail blah blah blah. Bit like all that mining in a browser controversy happening, but instead of using your PC to mine currency, their trawling your RAM for anything useful.
Oh, yeah all that hypervisor stuff, where a VM running this malware can obtain the

Re:

[ebyrob]

Wow! See, now that's the kind of detail we need in these articles. I had NO IDEA this could be exploited from Java Script.

And yet it's the old Sun Java sandbox that was too insecure to survive and "addons" and "extensions" that are the security problem in modern web browsers. Right.

Which browser? Or are you claiming Chrome, Internet Explorer, and Firefox all fell down on this one?

AMD getting the Patch despite not being vulnerable

[mastagee]

to Meltdown. . . which is the only thing PTI will help with. Seems like an unnecessary performance penalty to push on AMD users. Most likely down for simplicity/consistency on Microsoft's side for kernel code management.

Re:

[Anonymous Coward]

PTI doesn't fix Spectre

Re:

[Anonymous Coward]

There are two kinds of vulnerabilities: One which allows reads across privilege boundaries. Page table isolation prevents reads of kernel memory from user mode and is needed to mitigate this vulnerability, which has only been shown on Intel processors. The other vulnerability does not cross privilege boundaries and is thus not mitigated by PTI. The performance penalty resulting from PTI is unnecessary on AMD processors.

Re:

[networkBoy]

Correct.
But as GP noted, this is likely for ease of code mgt on MS's part.

Re:

[DontBeAMoran]

Isn't that James Bond's problem?

Re:

[Z00L00K]

I was waiting for this.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[HiThere]

I believe that's true of the Linux patch. Do you have any reason to believe it's true of the MSWind patch?

Re:

[Mashiki]

Seems like an unnecessary performance penalty to push on AMD users. Most likely down for simplicity/consistency on Microsoft's side for kernel code management.

Doesn't seem to have any impact at all on my AMD machine, though I'm seeing around a 5-13% drop in performance with my Intel machine. Both are running the current version of Win10, I'm sure there's going to be a lot of screeching on gaming forums later today when people suddenly start having serious performance issues, especially since Intel holds around 80-90% of the gaming marketshare according to steam. [steampowered.com] My development machine that's in slow ring right now hasn't seen a patch pushed out yet, probably wo

Re:

[Mashiki]

Yeah and ignore that impact bit. Since it appears that it was a force nvidia driver update, that decided to install itself despite telling it never to update the driver. What a fucking shitshow on that one.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[PingSpike]

Some versions of embedded versions of Windows XP are still in extended support until 2019, since they were released in 2009.
Windows Embedded Standard 2009: Extended Support will end on Jan. 8, 2019.
Windows Embedded POSReady 2009: Extended support will end on April 9, 2019.
https://blogs.msdn.microsoft.c... [microsoft.com]

Re:

[Z00L00K]

Which means a lot of ATMs out there. Maybe a few voting machines too? Could be fun at the mid term election in the US.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

Read more than the headlines.

There are two bugs. Some articles have reported that one of the bugs is Intel-specific, and one of them is not (Intel, AMD, and ARM). Whether the necessary patches will carry the same performance hit for each is not yet clear from what I've been reading, but it looks like the latter one might be less serious.

Re:

[Anonymous Coward]

There is no fix for either of the bugs. Page Table Isolation (PTI) mitigates the bug that allows kernel memory to be read from user mode, which has only been shown on Intel CPUs. That's the one with the reported slowdowns up to 30% depending on the type of workload (basically how much it uses syscalls).
The other bug is present in all modern CPUs and the only way around it is to prevent certain code patterns from being run. This will require modifications to JIT compilers, mostly, because that's how untruste

Re:

[blind biker]

Read more than the headlines.

There are two bugs. Some articles have reported that one of the bugs is Intel-specific, and one of them is not (Intel, AMD, and ARM). Whether the necessary patches will carry the same performance hit for each is not yet clear from what I've been reading, but it looks like the latter one might be less serious.

Spectre cannot be patched, but it cannot be exploited, either (as far as we know).

Meltdown, meanwhile, is seriously dangerous because it is very easy to use, even with just a malicious webpage!

Re:

[Anonymous Coward]

You should be more careful with "cannot be exploited" comments. All three bugs have been exploited on actual hardware. You might think that a process reading some of its own memory through a convoluted exploit of a CPU behavior isn't a problem. But we run untrusted code all the time. We allow it, because we assume that it cannot read all in-process memory. That's what Javascript in a web browser is. Your browser holds secrets in memory that must be kept hidden from scripts. If a script is translated into ma

Re:What?

[Anonymous Coward]

That's what comes from just barely reading the headlines. There are 2 classes of bugs (Spectre, Meltdown) and 3 exploits (Spectre-1, Spectre-2, and Meltdown-1). AMD and ARM are resistant to only to Meltdown. They are susceptible to Spectre.
Meltdown goes back to Core2, Spectre goes back down to Pentium Pro. Many other processors are likely vulnerable to Spectre, any CPU that does speculative execution may be vulnerable. Mainframes have been doing this since the 60's IIRC.

Re:What?

[blind biker]

There seem to be Intel sockpuppets flooding technical forums, making the false equivalence between Meltdown (affects only Intel) and Spectre (affects all CPUs), whereas Meltdown is a clearly exploitable and in fact the exploit was demonstrated in a fucking browser running a Javascript. There is no known way to exploit Spectre. Spectre does not cross userspace-kernelspace.

Re:

[Jody Bruchon]

I'd mod you up if I had mod points. I've noticed plenty of unusually worded Intel-AMD equivocation comments across a variety of tech forums since this broke and it doesn't smell right for "Intel fanboys," it just smells like shilling.

This was yesterday!

[Guyle]

The date of TFA was January 3rd. The verbage in the article saying "today" was referring to January 3rd. The patches for Windows 10 rolled out already. I installed mine last night.

Re:

[Guyle]

Ah, wait, summary says (Wednesday) in parentheses. Confusing AF.

Re:

[tsqr]

Thursday is Wednesday. Thursday has always been Wednesday. Thursday will always be Wednesday.

Odd. I must have missed that when I read 1984.

Re:

[EvilSS]

What, are you new here? This is /., being only a day behind is being 3 days ahead here. It probably was Wednesday when the story was submitted. Feel lucky you aren't reading this on Sunday!

Did you get a chance to do any benchmarking?

[rsilvergun]

curious what the damage is.

Re:

[Guyle]

Damn! No, I didn't even think to do a before/after to see what the exact impact was. >:( I'll do that on my other machines before updating though, I have both an Intel and an AMD desktop to test.

Re:

[rsilvergun]

Thanks :). I'm dying to know what the hit's going to be. Right now it's all kind of up in the air. I do a bunch of virtualization. My bro does even more with an entire computer lab devoted to it.

If it hits Virtualization but not gaming expect to see a ton of cheap CPUs on ebay as companies are forced to dump them. If that happens I can probably get back to square one for about $300 bucks by upgrading my i5s to i7s.

Damn you, Microsoft!

[DontBeAMoran]

I was planning on playing games at exactly 17:00 EST today! My gaming session is totally ruuinned! /Stewie

Re:

[dstyle5]

It came out yesterday, so you can install at your leisure before 17:00 EST today! :) I just installed it, so far I can still login and check my email. And /.

Performance hit?

[poached]

Anyone care to comment on the performance hit after the patch? Is it obvious, measureable?

Re: Performance hit?

[Anonymous Coward]

Win10 Ent 1709, i5 4cores 2.6GHz. You can feel it. Tasks that usually reported 0-0.1% now show 1-4%. Before average CPU consumption was below 10% now varies between 20 and 40%.
Subjective perception of the system performance is better than numbers show, but noticeable.

Some links from Microsoft

[clovis]

https://support.microsoft.com/... [microsoft.com]

https://support.microsoft.com/... [microsoft.com]

https://support.microsoft.com/... [microsoft.com]

https://portal.msrc.microsoft.... [microsoft.com]

https://docs.microsoft.com/en-... [microsoft.com]
https://www.powershellgallery.... [powershellgallery.com]

Doesn't help me a bit

[Unknown User]

All Windows updates have failed on my machine since 2015 or so, and I have tried every assistant, hot fix and third party assistant on earth trying to fix this issue.

Re:

[bspus]

At the very least you should have been able to download the latest version 1703, burn the iso or make a bootable stick and reinstall, while keeping all apps and settings. It generally works, I've been updating this way for years

It still doesn't explain you you even got to this weird position where nothing works update-wise and it is the first time I hear of such a serious disability.

Is it a brand name laptop like dell or HP perhaps, where OS updating only works through their own specialized application?

Re:

[dstyle5]

Could you have malware that is preventing the updates from being installed? Pretty sure I've heard of this happening in older versions of Windows. I would do a clean install.

Re:

[Unknown User]

Sure, I could have malware that no existing anitivirus is able to detect. Clean install is out of question, though, because that would mean having to manually install hundreds of VST audio plugins, each with its own shitty proprietary DRM. I'm buying a new machine within the next few weeks anyway - or at least that was the plan. Now with these bugs, I'm wondering whether waiting even longer might not be worth it. I'd expect there will be updates to the current chip families soon? Maybe I should wait. :/

Re:

[sgage]

Have you tried Sysnative.com? I had a serious and convoluted f-up with Windows Update, made worse no doubt by trying various incantations posted around the net by people who really don't know what they're talking about. The folks at Sysnative basically assign you a case worker who gives you things to try and troubleshooting procedures to report back, in a systematic manner. I was incredulous when, after a long and complicated exchange of procedures, the darn thing worked! And for free! (I sent them a few bu

Not in the UK yet...

[Archtech]

I have run Windows Update several times today, but five minutes ago it was still telling me that there are no updates for my computer. (Windows 7 SP1, i7-940).

And I am running MSE, not any "third party" anti-virus.

This is normal behaviour. For many years Windows updates have not appeared here in the UK until at least 24 hours after the USA.

Re:

[Archtech]

Apologies. After posting the parent I went back and read the last line of TFA.

Apparently, those of us running Windows 7 in the UK are now second-class citizens in two different ways: geography and version.

Re:

[antdude]

I got nothing in my old 64-bit W7 HPE SP1 Intel desktop PC.

Re:

[Archtech]

Are you running a non-Microsoft AV package? If so you might need to install the appropriate update for it.

Re:

[antdude]

I have its internal Defender (got its daily updates from WU), SAS, & MBAM.

Re:

[Archtech]

All done now. When I started my PC this morning Windows Update offered me the patch, and installed it quickly.

Broken sandbox patch? Give me a break!

[ebyrob]

Seriously, this is an escalation flaw on Windows and it's a "priority patch"?!!!

I don't really care how many processors the "same bug" might affect, how can any version of Windows come close to saying that the most humble executable can't own the whole system if written correctly?

Linux can't say this, Apple can't say this, OpenBSD won't even try to say this and yet suddenly plugging one such hole in Windows requires an out of band patch that also trashes performance? What, did someone's digital restriction

Re:

[ebyrob]

I don't think you get it.

Every OS has holes in this area, many of them known and unpatched for years. Why is this layer that won't be secure after the patch anyway suddenly important?

Re:

[ebyrob]

I don't know why I'm bothering to respond to anonymous cowards but...

This is a patch for a privilege escalation attack [wikipedia.org] on Microsoft Windows.

From the article:

There appears to be a flaw in modern processors that let attackers bypass kernel access protections so that regular apps can read the contents of kernel memory.

So, yes it's a processor flaw, but the only problem is that some application processes may get to read some kernel memory that they aren't supposed to read. That's the very definition of privilege escalation, and not even total privilege escalation, just being able to take one more privilege than normal temporarily.

This is a Microsoft Windows patch.

To Upgrade or Not To Upgrade

[NicknameUnavailable]

So, I don't trust Microsoft upgrades for shit - they tend to add telemetry, and they tend to break older OS versions to force upgrades. That said - just how bad are these exploits this time around? Will my firewall protect me if I don't browse porn sites or is opening any page in a browser guaranteed to result in infection?

Re:

[Zorro]

Porn sites want to give you more porn.

It is the Governments you have to worry about.

Re:

[NicknameUnavailable]

But the governments control the world, meaning they control the porn.

Re:

[cfalcon]

You are sending much more information than my Linux box sends, which is NOTHING. More importantly, unless you are routinely port sniffing, you don't even know how much you are sending, and unless you can decrypt their spybot garbage, you have no idea WHAT you are sending either.

conspiracy hat time

[magarity]

Is it a coincidence that this flaw in CPUs since '96 has only been recently discovered and the article from a few days ago that top tech snoops are leaving the NSA?

Re:

[magarity]

Please elaborate. What's the link between the NSA snoops leaving, and this being discovered? Because I don't see it. Why would *anyone* leave a job at the NSA because of this discovery?

Per that other article, people are leaving the NSA because of sucky pay and management, obviously not because of this discovery. Then someone who was there and has been exploiting this problem for a while "discovers" it now that they're in the private sector primarily because they don't want to be snooped by their former colleagues.

why AMD and will this messup Xbox as well?

[Joe_Dragon]

why AMD and will this messup Xbox as well?

Re: Mac OS X

[Anonymous Coward]

Apple already deployed a fix in Mac OS X 10.12.3

Re:

[DontBeAMoran]

Oh, sure. Leave all of us PowerPC Mac users in the dust...

Re:

[Bing Tsher E]

You've been mired there for quite awhile.

Re:

[Doctor Memory]

OMG this affects PowerPC too! It's bigger than I thought!

Re:

[Bing Tsher E]

I still have some 680x0 Macs.

Re:

[Anonymous Coward]

10.13.2.

10.12.3 is still quite vulnerable, as is every Mac unable to run Sierra (any hardware prior to 2009).

Re: Mac OS X

[Anonymous Coward]

While Microsoft can manage to patch an OS circa 2009, Apple couldnâ(TM)t be bothered to patch anything older than Sept 2017.

Re: Mac OS X

[Anonymous Coward]

Dont look here then https://twitter.com/aionescu/status/948609809540046849

Confirmation bias

[sjbe]

I'll not hold my breath waiting for Apple. They're getting worse and worse lately.

Don't let the fact that they've already addressed [9to5mac.com] the issue interfere with your anti Apple bias.

Re:

[Sir Holo]

So Microsoft has out-of-band access to the CPUs of Windows users computers so that they can make updates to it? What in the world? Glad I don't use that operating system.

Indeed. MS has the ability to install, as root, changes to the OS on your computer (and presumably anything else on the HD).

That is the very definition of a Back Door.

This "out-of-band pushed hot-fix" only shows the fact in bright relief. Windows machines (on X86 at least) have been back-doored since 1995. Whether anyone put it there, or exploited it before the patch, is the unknown.

BTW, the last "out-of-band pushed update", the one about a month ago, between Thursday and Friday, played hell with my comp