Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Bug Intel Security Windows

Microsoft's Windows 7 Meltdown Fixes From January and February Made PCs More Insecure (theregister.co.uk) 84

Microsoft's January and February security fixes for Intel's Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes. From a report: This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple's FileVault disk encryption system. We're told Redmond's early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system's memory map, gain administrator-level privileges, and extract and modify any information in RAM. The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.
This discussion has been archived. No new comments can be posted.

Microsoft's Windows 7 Meltdown Fixes From January and February Made PCs More Insecure

Comments Filter:
  • by ls671 ( 1122017 ) on Wednesday March 28, 2018 @04:46PM (#56343743) Homepage

    I am still waiting to apply these patches. About 2 months ago, I wrote here that it looked like a 2-3 months waiting period could be a nice ballpark figure. Will I have to wait even longer?

    • OK, you use Windows for a living; I don't. Tell me, do you find this report surprising, or is it what you expect from Microsoft?
      • by ls671 ( 1122017 )

        "Using Windows for a living" is far fetched! I have a couple Windows VM running under qemu. I wait to apply these patches on all OS flavors that I manage, I will spare you the list.

      • by Anonymous Coward

        I will never apply any of the so-called "fixes" for Spectre and Meltdown on my personal PCs. The "vulnerabilities" (actually FEATURES BY DESIGN for over two decades) just aren't serious and the media blew it way out of proportion. My computers are secure as ever, nothing has changed and no hackers are going to be gaining access to them or anything stored on them. I'm not going to suffer massive performance hits because some crackpipe smoking, tinfoil hat wearing idiot said that it was a "bad thing(tm)" and

        • by rtb61 ( 674572 )

          You, 'HOPE'. No matter what you do, they want to hack you, they will. Security is a balance, being more secure than you are worth hacking. That worth hacking can take on all sorts of metrics, from being a target of three letter agencies, to manipulating your psychology, to identity fraud against credit card acceptors. In this case of M$ wanting to push Windows anal probe 10, you can bet patches will far and few and likely shite, to kick you off what they already sold you, to force you to buy what amounts to

      • Re: (Score:3, Insightful)

        Still use Windows, but don't find it surprising. They've been known to release patches which cripple vital OS functionality (e.g. the XP phase-out) in order to get people to upgrade, in very subversive ways they don't know actually happened most of the time (e.g. making network or local files disappear at random from the file explorer, but not to other programs.) They probably see Spectre/Meltdown as an opportunity to cripple Windows 7 with minor backlash. Windows 7 machines should not be upgraded beyond
      • What the fuck is your point? We all know what code Intel submitted to the kernel and got ripped by Linus for being stupid and shitty. Any developer or QA tester that claims they don't make mistakes is fucking stupid. This is an issue of a rushed fix that wasn't properly tested. How many fixes did it take to fix bash issues that were there for years? At least 3?
    • by aliquis ( 678370 )

      They just revealed another side-channel attack.

      Best is likely to buy some future product which don't have these faults. Hard to do now though.

      • by Anonymous Coward

        No worries, we are due for a worm to come along that attacks some "unfixable" part of the operating system affecting Windows 7, 8, and 8.1. Everyone does remember the worm attacking WindowsXP pre-service pack 1? In that instance, Microsoft had to kill off all the pirated and leaked copies of XP. This time it will be to push everyone to 10.

    • by jwhyche ( 6192 )

      I would keep waiting. For the past two months I have heard horror stories about the patches. Yet, I have not heard of any exploits that use the problems. Seems to me this is a case of the cure being worse than the illness.

      • I thought about it, and realized that really the only credible threat to my machines would be something in the browser written in Javascript. All the major browsers have modified their Javascript implementations to basically make that vector impossible, to which I said "good enough".

        And that's just the desktops. As the servers go, I couldn't think of any way, assuming everything nothing is broken, that someone could run their own code on the server as to exploit Spectre or Meltdown. Sure, maybe they coul

  • "Fast, good, cheap, pick (no more than) two."

    Sometimes you only get to pick one, or none.

    • Open source often manages to give you all three.

      • Yeah I think we both know that is not true. I love open source, but know that is not some magical force field against hardware-level bugs, so stop claiming there is. The most common examples of these exploits are done IN LINUX.

        These are brilliantly done exploites, and the Linux-x64 house is made of just as much glass as Windows.

        Difference being, Microsoft and Intel actually have to report to shareholders, so there is some accountability.

        I'm a little off the reservation on what the proper path is sin

      • by davidwr ( 791652 )

        Open source often manages to give you all three [fast, cheap, and good].

        Measure the cost in man-hours instead of "how much the end user paid for it" and "cheap" tends to disappear.

        I will grant you one major difference between a large-team distributed project - most large FOSS projects are distributed - and a large-team project run by a single entity: Project management is usually very different, and as a result, the cost of project management may be very different.

  • Fixing one problem in haste sometimes creates other problems.

    For example, as Jason Mendoza, from The Good Place [wikipedia.org], noted:

    Jason: Any time I had a problem, I threw a Molotov Cocktail and, boom, I had a different problem.

  • translation (Score:3, Interesting)

    by Anonymous Coward on Wednesday March 28, 2018 @04:59PM (#56343803)

    microsoft is intentionally crippling windows 7 security.. stay tuned for the press release touting windows 10 as the 'best' fix for these issues.

    • Re:translation (Score:5, Interesting)

      by webmistressrachel ( 903577 ) on Wednesday March 28, 2018 @05:09PM (#56343855) Journal

      This is exactly what I was thinking.

      Microsoft released a decent operating system and then killed it on purpose when they couldn't persuade people to upgrade to Windows 8, 8.1, or 10 - there was no need to upgrade while everything worked so well under 7!!

      I only upgraded from Windows 2003 "workstation" after I had observed feedback from 7 users for about a year. I will not upgrade to 10, even if they try to force me to with "exclusive" releases - I will play my games on 7 until that market ends, and I will continue to use Linux for my work as I always have, all of which simply means that eventually my hobby will die with Windows 7. Thanks M$.

      I strongly suspect that I'm not the only person thinking like this. M$ created a whole industry, now they want to destroy it.

      • by Anonymous Coward

        This is also why Microsoft never truly fixed Windows Update (the routines that checks updates is horribly slow) on pre-Windows 10 PCs.

        On Windows 10, they never really fixed it either, instead opting for 'upgrades' (vs 'update') every six months to reset the baseline; and, of course, taking away user control over the entire update/upgrade process and forcing whatever they want to install onto PCs.

  • It's the chips (Score:2, Interesting)

    Ask yourself, who would design chips so that they could be backdoored?

    There you go.

    Oh, and, yes, we're in your keyboards, mice, printers, and so many devices in your "smartphones".

  • by duke_cheetah2003 ( 862933 ) on Wednesday March 28, 2018 @05:14PM (#56343887) Homepage

    When Meltdown and Spectre were first revealed, I know I posted on here: PLEASE MAKE FIXES OPTIONAL.

    Mainly because these 'flaws,' and I do use that word loosely. I'm not entirely convinced it's an actual flaw. It's just how it works. Anyway, gimping the execution predicting to protect against these 'flaws' is really stupid on a desktop computer, where there's no VM's, very little if any usage outside of 1 user. They're hurting computing performance for a non-issue.

    On server systems, data center, etc, yes, fix this bug, it's a real issue on shared computing resources. On a desktop where there's 1 maybe 2 users whom browse the web, play games, type documents and otherwise 'use' their computer normally, it should be left as is. It's not a flaw on desktops. The flaw is fixing this on desktop, because it gimps performance.

    All that aside, Microsoft making it worse it just laughable. And pretty much non-surprising. I'd wager Microsoft is one of the few companies that could take a 'problem' with fairly straight forward fixes and fuck it up, making a bigger problem than originally existed. Par for the course, for Microsoft.

    • didn't the proof of concept include a chrome based javascript file that could dump all your user credentials/logins on your windows machine? Not exactly 'only servers' if site adverts can steal your bank details.

      • by Luckyo ( 1726890 )

        This was nuked almost instantly by all major browser vendors. Javascript engine in browsers no longer has access to timings tight enough to utilize this bug.

    • If you're worried about performance, don't install the new firmware. The Windows patch can't mitigate Spectre/Meltdown without it, and you'll have to do it yourself. If you're worried about security... I guess you're boned no matter what.

      Just do what you probably always do: keep regular backups, keep an updated antivirus, use adblock, and avoid shady websites.

    • It's not a flaw on desktops. The flaw is fixing this on desktop, because it gimps performance.

      Hurt me again, daddy! That's a lot of nonsense, because people execute code from untrusted sources all the time. On any computer where you might wind up running untrusted code, it's a problem. And that describes the average user desktop. You sound like an Intel apologist to me. Are you getting paid, or do you just have a lot of Intel kit and you don't want to feel stupid?

      • You sound like an Intel apologist to me. Are you getting paid, or do you just have a lot of Intel kit and you don't want to feel stupid?

        Why is this the assumption when someone disagrees with you? I wish I were getting paid for speaking my mind, but I'm not. Must be a painful unpleasant reality you exist in where everyone who disagrees with you is a shill. So much paranoia.

        • Why is this the assumption when someone disagrees with you?

          You're disagreeing with reality. Please consider how the world really works, in this case what users really do, and then consider your comment in that light.

      • ....And that describes the average user desktop.

        And frankly, if the average user downloads malware and installs it, or browses a malicious website. They deserve whatever they get. Stay away from untrusted programs and websites, plain and simple. I have no sympathy for people who browse untrusted sites and download garbage they don't need.

        I actually like these people. They pay my bills, since I have to remove their stupid from their machines and teach them how to not be stupid.

        No amount of anti-virus, flaw correction, security patches or arm twisting

        • Fuck off, you dumb cunt. You probably missed all the stories of legit ad networks being fooled into serving malware on big name sites? Perhaps you've heard of zero days? Do you work in an office with dumb, gullible people? Plenty of really smart, really careful people get infected all the time.
    • PLEASE MAKE FIXES OPTIONAL.

      Indeed. I nearly had a heart attack when I discovered my Gigabyte motherboard doesn't allow you to revert your BIOS after an update. So, does that mean if I installed the Meltdown patch and it screwed up, I couldn't fix it myself by downgrading? I didn't even take the chance!

      I expect that crap from companies that build fully pre-built systems, but now even the aftermarket parts market is making choice difficult. Isn't choice the whole point of building your own PC? How long before firmware updates are

    • They WERE optional from the start. All the added features of the patch can be disabled via a registry entry.

    • >> When Meltdown and Spectre were first revealed, I know I posted on here: PLEASE MAKE FIXES OPTIONAL.

      They did.
      The fixes for Spectre and Meltdown can be disabled with two registry keys,

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

      FeatureSettingsOverride =3
      FeatureSettingsOverrideMask =3

      They are disabled by default on server operating systems.

      Ref: KB4073119

    • ... fairly straight forward fixes

      Are you familiar with the Dunning-Kruger effect [wikipedia.org]? It seems like this might be relevant to your understanding of the effort and complexity required here.

  • What is the good KB##### patch for meltdown/spectre as today?
  • by OneHundredAndTen ( 1523865 ) on Wednesday March 28, 2018 @06:25PM (#56344251)
    You cannot make Windows more insecure.
  • by slincolne ( 1111555 ) on Wednesday March 28, 2018 @07:31PM (#56344539)
    The March rollup comes with several issues that make it a bit of a risk in itself to deploy (https://support.microsoft.com/en-au/help/4088875/windows-7-update-kb4088875). Of note:
    • A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused.

      Static IP address settings are lost after you apply this update.

      In both instances the advisory states that "Microsoft is working on a resolution and will provide an update in an upcoming release."

  • submission (Score:4, Insightful)

    by rastos1 ( 601318 ) on Thursday March 29, 2018 @08:18AM (#56346219)
    I was first to submit [slashdot.org] this story to /. I could live with my submission being rejected in favor of submission of someone else. Although my submission had link straight to the Ulf Frisk's blog. But marking my submission as SPAM? Really? That hurts.
    • by Anonymous Coward

      Don't bother. msmash and beauhd only repost stories from a fixed list of web sites.

      They don't care about the submission queue one bit.

Beware the new TTY code!

Working...