Microsoft's Windows 7 Meltdown Fixes From January and February Made PCs More Insecure (theregister.co.uk)
2018-03-28
Microsoft's January and February security fixes for Intel's Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes. From a report: This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple's FileVault disk encryption system. We're told Redmond's early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system's memory map, gain administrator-level privileges, and extract and modify any information in RAM. The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.
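The report above describes a kernel page table left readable and writable by ordinary user processes. The following added illustration (constructed here, not code from the article, Microsoft, or the researcher) shows what an auditor would look for: it decodes x86-64 page-table entries and flags a self-referencing top-level entry whose User/Supervisor bit is set. It assumes the table in question is the PML4 with a self-map entry, a common x86-64 design; the index 0x1ED and all frame numbers are constructed for the example.

```python
"""Decode x86-64 page-table entries and flag a self-mapped top-level table
page that is marked user-accessible.

Added illustration with constructed values; not Microsoft's or the
researcher's code. The self-map index and frame numbers are assumptions.
"""
from dataclasses import dataclass

# Architectural bit positions of an x86-64 page-table entry.
PTE_PRESENT = 1 << 0
PTE_WRITABLE = 1 << 1
PTE_USER = 1 << 2          # 1 = accessible from user mode (ring 3)
PTE_NX = 1 << 63
PFN_MASK = 0x000F_FFFF_FFFF_F000  # bits 12..51 hold the physical frame address

# Constructed for this example: where the PML4 maps itself, and its own frame.
SELF_MAP_INDEX = 0x1ED
SELF_MAP_PFN = 0x1AD


@dataclass(frozen=True)
class PteInfo:
    present: bool
    writable: bool
    user: bool
    nx: bool
    pfn: int  # physical page-frame number (physical address >> 12)


def decode_pte(value: int) -> PteInfo:
    """Split a raw 64-bit entry into its permission bits and frame number."""
    return PteInfo(
        present=bool(value & PTE_PRESENT),
        writable=bool(value & PTE_WRITABLE),
        user=bool(value & PTE_USER),
        nx=bool(value & PTE_NX),
        pfn=(value & PFN_MASK) >> 12,
    )


def audit_pml4(pml4: list[int], pml4_pfn: int) -> list[str]:
    """Report the permission state of any self-referencing PML4 entry.

    A self-map exposes the whole page-table hierarchy through virtual
    addresses, so it must be supervisor-only. If the entry carries the
    User bit, unprivileged code can read every page table, and with the
    R/W bit set it can rewrite them, which is the condition the report
    describes.
    """
    findings = []
    for index, raw in enumerate(pml4):
        pte = decode_pte(raw)
        if not pte.present or pte.pfn != pml4_pfn:
            continue
        access = "read/write" if pte.writable else "read-only"
        if pte.user:
            findings.append(
                f"PML4[{index:#x}]: self-map is user-accessible ({access}) - CRITICAL"
            )
        else:
            findings.append(
                f"PML4[{index:#x}]: self-map is supervisor-only ({access}) - ok"
            )
    return findings


def build_sample_pml4(user_accessible_selfmap: bool) -> list[int]:
    """Constructed 512-entry PML4: one user mapping, one kernel mapping,
    and a self-map whose User bit depends on the argument."""
    table = [0] * 512
    table[0] = (0x10 << 12) | PTE_PRESENT | PTE_WRITABLE | PTE_USER   # user space
    table[256] = (0x20 << 12) | PTE_PRESENT | PTE_WRITABLE            # kernel, supervisor
    flags = PTE_PRESENT | PTE_WRITABLE | PTE_NX
    if user_accessible_selfmap:
        flags |= PTE_USER  # the misconfiguration being audited for
    table[SELF_MAP_INDEX] = (SELF_MAP_PFN << 12) | flags
    return table


if __name__ == "__main__":
    for label, bad in (("correct table", False), ("misconfigured table", True)):
        print(label)
        for line in audit_pml4(build_sample_pml4(bad), SELF_MAP_PFN):
            print("  " + line)
```

Only the User bit separates the two outcomes; the frame number, presence, and R/W bits are identical, which is why a one-bit mistake in a kernel patch can change who may edit the page tables without any other visible change.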
I am still waiting to apply these patches. About 2 months ago, I wrote here that it looked like a 2-3 months waiting period could be a nice ballpark figure. Will I have to wait even longer?
"Using Windows for a living" is far fetched! I have a couple of Windows VMs running under qemu. I wait to apply these patches on all OS flavors that I manage; I will spare you the list.
They just revealed another side-channel attack.
Best is likely to buy some future product that doesn't have these faults. Hard to do now though.
In the same boat as you, though I'm not really "waiting". I intentionally chose not to apply said updates, given how both motherboard vendors (ex. Dell or HP, I forget which) and OS vendors (ex. Ubuntu) botched things (in different manners). Further compounded by Intel releasing subsequent microcode patches (i.e. the first set apparently wasn't enough) and the low-level complexity of Meltdown and Spectre, I opted to do absolutely nothing for our bare-metal machines on entirely private/segregated networks.
"Fast, good, cheap, pick (no more than) two."
Sometimes you only get to pick one, or none.
Fixing one problem in haste sometimes creates other problems.
For example, as Jason Mendoza, from The Good Place [wikipedia.org], noted:
Jason: Any time I had a problem, I threw a Molotov Cocktail and, boom, I had a different problem.
Microsoft is intentionally crippling Windows 7 security. Stay tuned for the press release touting Windows 10 as the 'best' fix for these issues.
This is exactly what I was thinking.
Microsoft released a decent operating system and then killed it on purpose when they couldn't persuade people to upgrade to Windows 8, 8.1, or 10 - there was no need to upgrade while everything worked so well under 7!!
I only upgraded from Windows 2003 "workstation" after I had observed feedback from 7 users for about a year. I will not upgrade to 10, even if they try to force me to with "exclusive" releases - I will play my games on 7 until that market ends, and I will continue to use Linux for my work as I always have, all of which simply means that eventually my hobby will die with Windows 7. Thanks M$.
I strongly suspect that I'm not the only person thinking like this. M$ created a whole industry, now they want to destroy it.
Ask yourself, who would design chips so that they could be backdoored?
People in too big a hurry or too cheap to do it right.
These flaws were almost certainly unforeseen side effects of otherwise-smart design decisions, not intentional.
When Meltdown and Spectre were first revealed, I know I posted on here: PLEASE MAKE FIXES OPTIONAL.
Mainly because of these 'flaws,' and I do use that word loosely. I'm not entirely convinced it's an actual flaw. It's just how it works. Anyway, gimping the execution prediction to protect against these 'flaws' is really stupid on a desktop computer, where there are no VMs and very little if any usage outside of one user. They're hurting computing performance for a non-issue.
On server systems, data centers, etc., yes, fix this bug; it's a real issue on shared computing resources. On a desktop where there are one, maybe two users who browse the web, play games, type documents and otherwise 'use' their computer normally, it should be left as is. It's not a flaw on desktops. The flaw is fixing this on desktops, because it gimps performance.
All that aside, Microsoft making it worse is just laughable. And pretty much unsurprising. I'd wager Microsoft is one of the few companies that could take a 'problem' with fairly straightforward fixes and fuck it up, making a bigger problem than originally existed. Par for the course, for Microsoft.
This was nuked almost instantly by all major browser vendors. JavaScript engines in browsers no longer have access to timings tight enough to utilize this bug.
If you're worried about performance, don't install the new firmware. The Windows patch can't mitigate Spectre/Meltdown without it, and you'll have to do it yourself. If you're worried about security... I guess you're boned no matter what.
Just do what you probably always do: keep regular backups, keep an updated antivirus, use adblock, and avoid shady websites.
