Microsoft's Windows 7 Meltdown Fixes From January and February Made PCs More Insecure (theregister.co.uk) 84
Microsoft's January and February security fixes for Intel's Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes. From a report: This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple's FileVault disk encryption system. We're told Redmond's early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system's memory map, gain administrator-level privileges, and extract and modify any information in RAM. The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.
I am still waiting to apply these patches... (Score:5, Insightful)
I am still waiting to apply these patches. About 2 months ago, I wrote here that it looked like a 2-3 months waiting period could be a nice ballpark figure. Will I have to wait even longer?
Re: (Score:3)
Re: (Score:2)
"Using Windows for a living" is far fetched! I have a couple Windows VM running under qemu. I wait to apply these patches on all OS flavors that I manage, I will spare you the list.
Re: (Score:2)
I will never apply any of the so-called "fixes" for Spectre and Meltdown on my personal PCs. The "vulnerabilities" (actually FEATURES BY DESIGN for over two decades) just aren't serious and the media blew it way out of proportion. My computers are secure as ever, nothing has changed and no hackers are going to be gaining access to them or anything stored on them. I'm not going to suffer massive performance hits because some crackpipe smoking, tinfoil hat wearing idiot said that it was a "bad thing(tm)" and
Re: (Score:2)
Just add pti=off to your kernel command line and its off, but you can still benefit from any other updates going forward.
Re: (Score:3)
You, 'HOPE'. No matter what you do, they want to hack you, they will. Security is a balance, being more secure than you are worth hacking. That worth hacking can take on all sorts of metrics, from being a target of three letter agencies, to manipulating your psychology, to identity fraud against credit card acceptors. In this case of M$ wanting to push Windows anal probe 10, you can bet patches will far and few and likely shite, to kick you off what they already sold you, to force you to buy what amounts to
Re: (Score:3, Insightful)
Re: I am still waiting to apply these patches... (Score:2)
Re: (Score:1)
They just revealed another side-channel attack.
Best is likely to buy some future product which don't have these faults. Hard to do now though.
Re: (Score:1)
No worries, we are due for a worm to come along that attacks some "unfixable" part of the operating system affecting Windows 7, 8, and 8.1. Everyone does remember the worm attacking WindowsXP pre-service pack 1? In that instance, Microsoft had to kill off all the pirated and leaked copies of XP. This time it will be to push everyone to 10.
Re: (Score:3)
I would keep waiting. For the past two months I have heard horror stories about the patches. Yet, I have not heard of any exploits that use the problems. Seems to me this is a case of the cure being worse than the illness.
Re: (Score:2)
I thought about it, and realized that really the only credible threat to my machines would be something in the browser written in Javascript. All the major browsers have modified their Javascript implementations to basically make that vector impossible, to which I said "good enough".
And that's just the desktops. As the servers go, I couldn't think of any way, assuming everything nothing is broken, that someone could run their own code on the server as to exploit Spectre or Meltdown. Sure, maybe they coul
Security in a complex system is hard (Score:2)
"Fast, good, cheap, pick (no more than) two."
Sometimes you only get to pick one, or none.
Re: (Score:3)
Open source often manages to give you all three.
Re: (Score:1)
These are brilliantly done exploites, and the Linux-x64 house is made of just as much glass as Windows.
Difference being, Microsoft and Intel actually have to report to shareholders, so there is some accountability.
I'm a little off the reservation on what the proper path is sin
Re: (Score:1)
Open source often manages to give you all three [fast, cheap, and good].
Measure the cost in man-hours instead of "how much the end user paid for it" and "cheap" tends to disappear.
I will grant you one major difference between a large-team distributed project - most large FOSS projects are distributed - and a large-team project run by a single entity: Project management is usually very different, and as a result, the cost of project management may be very different.
The Meltdown meltdown. (Score:2)
Fixing one problem in haste sometimes creates other problems.
For example, as Jason Mendoza, from The Good Place [wikipedia.org], noted:
Jason: Any time I had a problem, I threw a Molotov Cocktail and, boom, I had a different problem.
translation (Score:3, Interesting)
microsoft is intentionally crippling windows 7 security.. stay tuned for the press release touting windows 10 as the 'best' fix for these issues.
Re:translation (Score:5, Interesting)
This is exactly what I was thinking.
Microsoft released a decent operating system and then killed it on purpose when they couldn't persuade people to upgrade to Windows 8, 8.1, or 10 - there was no need to upgrade while everything worked so well under 7!!
I only upgraded from Windows 2003 "workstation" after I had observed feedback from 7 users for about a year. I will not upgrade to 10, even if they try to force me to with "exclusive" releases - I will play my games on 7 until that market ends, and I will continue to use Linux for my work as I always have, all of which simply means that eventually my hobby will die with Windows 7. Thanks M$.
I strongly suspect that I'm not the only person thinking like this. M$ created a whole industry, now they want to destroy it.
Re: (Score:2)
Funny, I "upgraded" a toasted kubuntu install yesterday to Min 18.3 (Cinnamon). Looked nice and slick at first. But the taskbar is a PITA in vertical mode, no pinned apps on taskbar, fullscreen rdp on one monitor killed the desktop on the other monitor. Apps open at random location and I just don't have the time to yet again tweak the crap out of it.
All on bog std hardware. The neighbouring Win 10 pro machine with the same hardware has no issues at all.
Linux has always been crap with multiple monitors an
Re: (Score:2)
Funny, I "upgraded" a toasted kubuntu (I fucked it up) install yesterday to Min 18.3 (Cinnamon). Looked nice and slick at first. But I fucked with it again and now it's broken so I'll blame the OS
All on bog std hardware. The neighbouring Win 10 pro machine with the same hardware (That I didn't fuck up, apparently) has no issues at all.
Linux has always been crap with multiple monitors and usable desktops. Ironically we use the desktops to remote onto VM's running on a Linux cluster.
FTFY
Now my turn for anecdotal evidence:
I've been running Mint for years on my work machine (js, Python, C, C++ dev); with Windows (C# dev) banished to a Virtual Machine before it can cause any trouble.
The host OS gives me no trouble, the guest OS typically wastes my time by being unusable while it updates, because the retarded shit gibbons at MS have written an overly complicated update system that takes 100% of a CPU core to download & copy files + edit registry
The only reason I would want to run W
Re: (Score:2)
Ah the classic Linux fanboy. Finding bugs in the software by your desktop to work the way you need it = breaking it.
Re: (Score:1)
Ah the classic Linux fanboy. Finding bugs in the software by your desktop to work the way you need it = breaking it.
No, to give you a counter example:
The upgrade process in Mint works, without eating crazy amounts of CPU, and there's actually a repo on Mint. If this were as frustrating as it is on Windows, I would be complaining to the devs and looking into whether I can fix it myself. Now if I fucked up my OS for example by interfering with parts I don't understand, that would be my fault if it broke. Example, interfering with fstab and then complaining when I can't find hard drives is akin to you touching things you ap
Re: translation (Score:2)
Re: translation (Score:2)
Re: (Score:1)
This is also why Microsoft never truly fixed Windows Update (the routines that checks updates is horribly slow) on pre-Windows 10 PCs.
On Windows 10, they never really fixed it either, instead opting for 'upgrades' (vs 'update') every six months to reset the baseline; and, of course, taking away user control over the entire update/upgrade process and forcing whatever they want to install onto PCs.
It's the chips (Score:2, Interesting)
Ask yourself, who would design chips so that they could be backdoored?
There you go.
Oh, and, yes, we're in your keyboards, mice, printers, and so many devices in your "smartphones".
Should have been optional from the start! (Score:5, Informative)
When Meltdown and Spectre were first revealed, I know I posted on here: PLEASE MAKE FIXES OPTIONAL.
Mainly because these 'flaws,' and I do use that word loosely. I'm not entirely convinced it's an actual flaw. It's just how it works. Anyway, gimping the execution predicting to protect against these 'flaws' is really stupid on a desktop computer, where there's no VM's, very little if any usage outside of 1 user. They're hurting computing performance for a non-issue.
On server systems, data center, etc, yes, fix this bug, it's a real issue on shared computing resources. On a desktop where there's 1 maybe 2 users whom browse the web, play games, type documents and otherwise 'use' their computer normally, it should be left as is. It's not a flaw on desktops. The flaw is fixing this on desktop, because it gimps performance.
All that aside, Microsoft making it worse it just laughable. And pretty much non-surprising. I'd wager Microsoft is one of the few companies that could take a 'problem' with fairly straight forward fixes and fuck it up, making a bigger problem than originally existed. Par for the course, for Microsoft.
Re: Should have been optional from the start! (Score:1)
didn't the proof of concept include a chrome based javascript file that could dump all your user credentials/logins on your windows machine? Not exactly 'only servers' if site adverts can steal your bank details.
Re: (Score:2)
This was nuked almost instantly by all major browser vendors. Javascript engine in browsers no longer has access to timings tight enough to utilize this bug.
Re: (Score:2)
Evidence is in the fact that in spite of massive attention this exploit got, and its supposed pervasiveness, no one utilized it to attack browsers in any meaningful capacity to this date.
Re: (Score:2)
Exploits that have been stated as "unpatchable" and drummed about in every single piece of media the way meltdown and spectre were?
Weeks at most. In most cases, probably days. Malware industry is a for-profit one, and you could make nine-ten digits easily if you actually had an exploit to vaccuum people's passwords en masse with just a javascript.
Greed is a very powerful motivator.
Re: (Score:3)
If you're worried about performance, don't install the new firmware. The Windows patch can't mitigate Spectre/Meltdown without it, and you'll have to do it yourself. If you're worried about security... I guess you're boned no matter what.
Just do what you probably always do: keep regular backups, keep an updated antivirus, use adblock, and avoid shady websites.
Re: (Score:2)
It's not a flaw on desktops. The flaw is fixing this on desktop, because it gimps performance.
Hurt me again, daddy! That's a lot of nonsense, because people execute code from untrusted sources all the time. On any computer where you might wind up running untrusted code, it's a problem. And that describes the average user desktop. You sound like an Intel apologist to me. Are you getting paid, or do you just have a lot of Intel kit and you don't want to feel stupid?
Re: (Score:2)
You sound like an Intel apologist to me. Are you getting paid, or do you just have a lot of Intel kit and you don't want to feel stupid?
Why is this the assumption when someone disagrees with you? I wish I were getting paid for speaking my mind, but I'm not. Must be a painful unpleasant reality you exist in where everyone who disagrees with you is a shill. So much paranoia.
Re: (Score:2)
Why is this the assumption when someone disagrees with you?
You're disagreeing with reality. Please consider how the world really works, in this case what users really do, and then consider your comment in that light.
Re: (Score:2)
....And that describes the average user desktop.
And frankly, if the average user downloads malware and installs it, or browses a malicious website. They deserve whatever they get. Stay away from untrusted programs and websites, plain and simple. I have no sympathy for people who browse untrusted sites and download garbage they don't need.
I actually like these people. They pay my bills, since I have to remove their stupid from their machines and teach them how to not be stupid.
No amount of anti-virus, flaw correction, security patches or arm twisting
Re: Should have been optional from the start! (Score:2)
Re: (Score:2)
PLEASE MAKE FIXES OPTIONAL.
Indeed. I nearly had a heart attack when I discovered my Gigabyte motherboard doesn't allow you to revert your BIOS after an update. So, does that mean if I installed the Meltdown patch and it screwed up, I couldn't fix it myself by downgrading? I didn't even take the chance!
I expect that crap from companies that build fully pre-built systems, but now even the aftermarket parts market is making choice difficult. Isn't choice the whole point of building your own PC? How long before firmware updates are
Re: (Score:2)
They WERE optional from the start. All the added features of the patch can be disabled via a registry entry.
Re: (Score:2)
>> When Meltdown and Spectre were first revealed, I know I posted on here: PLEASE MAKE FIXES OPTIONAL.
They did.
The fixes for Spectre and Meltdown can be disabled with two registry keys,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
FeatureSettingsOverride =3
FeatureSettingsOverrideMask =3
They are disabled by default on server operating systems.
Ref: KB4073119
Re: (Score:2)
Are you familiar with the Dunning-Kruger effect [wikipedia.org]? It seems like this might be relevant to your understanding of the effort and complexity required here.
Re: I am owed an apology (Score:1)
You sound very happy and well-adjusted. Im sure your coworkers love seeing you every day.
True patch? (Score:2)
That's a load of nonsense (Score:5, Funny)
Break this patch out of the cumulative update? (Score:4)
Static IP address settings are lost after you apply this update.
In both instances the advisory states that "Microsoft is working on a resolution and will provide an update in an upcoming release."
submission (Score:4, Insightful)
Re: (Score:1)
Don't bother. msmash and beauhd only repost stories from a fixed list of web sites.
They don't care about the submission queue one bit.