Microsoft Issues Out-Of-Band Security Update To Patch a Meltdown Patch It Released Earlier This Year (bleepingcomputer.com)
On Friday, Microsoft issued an out-of-band security update for 64-bit versions of Windows 7 and Windows Server 2008 R2. From a report: The security update -- KB4100480 -- addresses a security bug discovered by a Swedish security expert earlier this week. The bug was introduced by a patch meant to mitigate the Meltdown vulnerability, which instead left kernel memory wide open. According to Ulf Frisk, Microsoft's January 2018 Meltdown patch (for CVE-2017-5754) allowed any application to read from or write to kernel memory. This happened because the Meltdown patch accidentally flipped a bit that controls whether kernel memory is accessible from user mode. Frisk said that the March Patch Tuesday update appears to have "fixed" the issue, as he was no longer able to interact with kernel memory.
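The "bit that controls access permissions" on x86-64 is the User/Supervisor (U/S) bit of a page-table entry: when it is set on an entry in the kernel half of the PML4, user-mode code can walk the mappings beneath it. The following C program, added here as an illustration and not code from the original report or from Frisk, decodes page-table entry flags and audits a PML4 for kernel-half entries that are present and user-accessible. The table it audits is constructed inline (the physical addresses and the slot index 0x1ED used for the mis-flagged entry are sample values, not a dump from a real machine); reading a live PML4 would require kernel privileges and is outside this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PML4_ENTRIES 512
#define KERNEL_FIRST 256   /* entries 256..511 map the upper (kernel) half of the canonical address space */

/* x86-64 page-table entry flag bits (Intel SDM vol. 3, section 4.5). */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_WRITE    (1ULL << 1)
#define PTE_USER     (1ULL << 2)   /* U/S: 1 = accessible from user mode (CPL 3) */
#define PTE_NX       (1ULL << 63)
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL

struct pte_info {
    bool present, writable, user, nx;
    uint64_t pfn;   /* physical frame number of the next-level table or page */
};

/* Decode the permission bits and frame number of one 64-bit entry. */
struct pte_info decode_pte(uint64_t e) {
    struct pte_info i;
    i.present  = (e & PTE_PRESENT) != 0;
    i.writable = (e & PTE_WRITE) != 0;
    i.user     = (e & PTE_USER) != 0;
    i.nx       = (e & PTE_NX) != 0;
    i.pfn      = (e & PTE_PFN_MASK) >> 12;
    return i;
}

/* A kernel-half PML4 entry exposes kernel mappings to user mode if it is
   present and has U/S set: the CPU then lets CPL 3 code walk the tables
   below it, regardless of the bits on the lower-level entries' intent. */
bool pml4e_exposes_kernel(size_t index, uint64_t e) {
    return index >= KERNEL_FIRST && (e & PTE_PRESENT) && (e & PTE_USER);
}

/* Count exposed kernel-half entries; reports the first offending slot. */
size_t audit_pml4(const uint64_t *pml4, size_t *first_bad) {
    size_t bad = 0;
    for (size_t i = 0; i < PML4_ENTRIES; i++) {
        if (pml4e_exposes_kernel(i, pml4[i])) {
            if (bad == 0 && first_bad) *first_bad = i;
            bad++;
        }
    }
    return bad;
}

/* Constructed sample table (assumption: not captured from any real system).
   With mimic_bug set, the self-referencing entry at slot 0x1ED carries the
   U/S bit, which is the shape of defect the summary describes. */
void build_sample_pml4(uint64_t *pml4, bool mimic_bug) {
    memset(pml4, 0, PML4_ENTRIES * sizeof *pml4);
    pml4[0]   = 0x1000ULL | PTE_PRESENT | PTE_WRITE | PTE_USER;   /* ordinary user-space mapping */
    pml4[256] = 0x2000ULL | PTE_PRESENT | PTE_WRITE;              /* kernel mapping, supervisor only */
    uint64_t self_ref = 0x3000ULL | PTE_PRESENT | PTE_WRITE | PTE_NX;
    if (mimic_bug) self_ref |= PTE_USER;
    pml4[0x1ED] = self_ref;
}

int main(void) {
    uint64_t pml4[PML4_ENTRIES];
    size_t slot = 0;
    build_sample_pml4(pml4, true);
    size_t bad = audit_pml4(pml4, &slot);
    printf("buggy table: %zu exposed kernel entries, first at slot 0x%zx\n", bad, slot);
    build_sample_pml4(pml4, false);
    bad = audit_pml4(pml4, &slot);
    printf("fixed table: %zu exposed kernel entries\n", bad);
    return 0;
}
```

The audit deliberately stops at the PML4 level: a single user-accessible top-level entry is enough, because the U/S check is ANDed down the walk, so no permission bit on a lower-level entry can take the access away once the top-level entry grants it.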
Re:Put a tent over this circus (Score:5, Funny)
Patches to patches to patches, Oh My!
It's patches all the way down!
Re: (Score:2)
Those responsible for the patches that had been sacked have been sacked.
in case of meltdown push this button (Score:3)
in case of meltdown push this button
Patch it around... (Score:5, Funny)
99 little bugs.
Take one down, patch it around.
127 little bugs in the code...
Re: (Score:2)
99 little bugs in the code. 99 little bugs. Take one down, patch it around. 127 little bugs in the code...
I see a fight brewing as people alternately mod this truth or funny. Can hardly see what this patch breaks.
I just removed kb4056897 (Score:2)
I removed kb4056897 and for now, won't accept any Microsoft patches for the time being. I'll take care of Meltdown by keeping JavaScript disabled on all non-essential websites.
Re: (Score:1)
Vulnerable to what? Hackers, maybe if they have access or your firewall sucks. You're more vulnerable to Microsoft with newer versions with no way to secure against that threat.
Re: (Score:2)
You're more vulnerable to Microsoft with newer versions with no way to secure against that threat.
There is truth in this, and as time goes by, the more I find it truthful.
If they'd written Windows properly (Score:4, Interesting)
In the first place, then none of this would have been an issue. It's no bloody wonder Microsoft no longer sells software, only licenses, because they'd get sued under the lemon laws. This is grossly incompetent on their part.
Can you write an OS, cleanly, that is secure against CPU bugs? Yes, yes you can. You design the code properly and then you do this thing that is quite remarkable. You write a full set of tests.
But what if you don't know about the specific bug? Why should you have to? A bug, by definition, involves behaviour that falls outside the specification of behaviour. If your specification says that if you perform the task x, the information y is not visible at point z, and you find it is visible, you have a bug.
But we know from the antitrust case that Microsoft has no specification, no documented API, no set behaviours and minimal testing. And this is why their software failed on the bug, and this is why their patch failed on the bug. (In case people have forgotten, back in the old days standard policy was to NEVER install odd-numbered service packs because they had too many bugs.)
Linux also messed up on these kernel bugs. This is because there's inadequate documentation and inadequate testing outside of actual use. This means that Linux has very very few bugs along active pathways. It averages 1/10th the defect density of commercial software, impressive by any count. Since active pathways are actively and thoroughly tested, the defect density along those will be far far lower still. The bugs will be off the regular beaten path and that's why Linux fell foul.
It should not have fallen foul, since the solution is pretty much the solution people have been using to secure against all kinds of direct access attacks for at least 20 years now.
However, there's also a difference. Because of the Linux development model, the most you could do is hire testers and technical writers. Some vendors already do. The defect density can be reduced further but you have diminishing returns.
With closed-source cathedral software like Microsoft's Windows, defects are a choice for the bulk of it. Turing's Halting Problem applies to certain types of programming, not to all types. You can place all the unprovable software into a single non-critical component. And, yes, a lack of security is a defect. Windows is defective by design, by choice, because it's more profitable to sell crap to you repeatedly than to get it right. There's no consequences for getting it wrong.
OpenBSD complained that the disclosure was done stupidly. Maybe so, I want to know why anything exploitable was laid out in a highly exploitable way. That doesn't sound terribly secure. Why should there be anything positionally-dependent anywhere, given that we've always known CPUs are improperly tested - one of the first things most of us learned in CS was not to trust the CPU would get it right and also to validate the results by looking at them rather than looking at the code generating them.
Would this push the cost up? Yes. It would mean instead of a mountain of e-waste and smart devices nobody wants to be smart, you'd have rather fewer devices that WORKED.
Re: (Score:2)
It doesn't matter if they didn't write that code, they wrote Windows for a specific platform. They should have TESTED it for that platform. They didn't.
The chips worked as designed, so this was not an undisclosed problem, this was something Microsoft designed Windows for.
If you spend too much on quality, sure, people will buy the ticket for the airliner with one engine hanging off and fuel pouring out the tank. Except this wouldn't have required much at all. One design decision rather than another at the im
Re: (Score:2)
People would have found the NSA inside.
All the extra code allows the NSA to hide and collect it all.
Re: (Score:2)
So what you're saying is that the processor bug might have been on request? The bug is in one ring, after all.
"Accidentally", my ass.... (Score:3)
The correct word is "incompetently" and lacking independent review. Good old MS, screwing the customer even when they do not profit from it.
Re: (Score:2)
Well, I am not sure. Ordinarily, utter incompetence would be enough, but with the massive degree of damage they do I think at least some maliciousness or lack of caring about the customer comes into play.
Windows 10 upgraded from Windows 7 affected? (Score:2)
Or am I just too paranoid and suspicious? The story got me to check the upgrade history, which showed nothing for the last few weeks, but that got me to check for upgrades, which has triggered a download and installation for KB4089848... Can't see exactly what it is in the middle of the upgrade, but if I don't come back afterwards, "Arrgh, they got me!"
Not surprised.. (Score:2)
So now Microsoft is patching their patches... Kinda makes one think of the little dutch boy putting his fingers in the dike, till he ran out of fingers/toes to plug all of the holes in the dike... Sooooooooooo damn glad I got off the "Microsoft train" 8 years ago when I retired after 20 years of supporting the insanity that is Microsoft and its products... LINUX FTW!!!