Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Microsoft promises firmware patches for Surface devices to nullify Meltdown and Spectre

    Posted on January 4th, 2018 at 20:19 woody Comment on the AskWoody Lounge

    There’s a new post out from the Surface team: Surface Guidance for Customers and Partners: Protect your devices against the recent chip-related security vulnerability. It says:

    Microsoft will provide UEFI updates for the following devices:

    Surface Pro 3
    Surface Pro 4
    Surface Book
    Surface Studio
    Surface Pro Model 1796
    Surface Laptop
    Surface Pro with LTE Advanced
    Surface Book 2

    The updates will be available for the above devices running Windows 10 Creators Update (OS version 15063) and Windows 10 Fall Creators Update (OS version 16299). You will be able to receive these updates through Windows Update or by visiting the Microsoft Download Center.

    Apparently if you aren’t running Win10 1703 or 1709, you’re out of luck.

    Annoyingly, the post speaks in the future tense. I don’t see any notice of availability on the official release pages for those devices. (See, for example, the Surface Pro 2017 page, which lists the last firmware/driver update as Dec. 6.) I also don’t see any of the patches in the Update Catalog.

  • Windows 7 Monthly Rollup patch is out

    Posted on January 4th, 2018 at 20:03 woody Comment on the AskWoody Lounge

    The guesses were right. Late today, January 4, Microsoft released the usual Patch Tuesday Monthly Rollup for Windows 7.

    KB 4056894 2018-01 Security Monthly Quality Rollup for Windows 7

    I’m installing it right now on my “Group A” test Win7 machine, using Windows Update.

    The description only mentions the Meltdown-related patch. As far as I can tell, that’s the only fix for Win7 in January.

    No word yet on the Windows 8.1 Monthly Rollup. No word on whether we can expect another Win7 Monthly Rollup this month – but it seems unlikely.

  • Meltdown and Spectre from a Windows user’s point of view

    Posted on January 4th, 2018 at 08:59 woody Comment on the AskWoody Lounge

    I continue to recommend that you keep your PC locked down. There’s no compelling reason to apply yesterday’s myriad Windows patches right now. You’ll have to apply them eventually, but a certain degree of caution and skepticism is in order.

    Besides, you aren’t completely patched until all of the other pieces — firmware, antivirus, browser — are in place, and none of those are ready.

    Computerworld Woody on Windows.

    UPDATE: Here’s one that scares me. A handful of researchers just published a method for using JavaScript to surreptitiously read data, via a browser:

    In addition to violating process isolation boundaries using native code, Spectre attacks can also be used to violate browser sandboxing, by mounting them via portable JavaScript code. We wrote a JavaScript program that successfully reads data from the address space of the browser process running it.

    Note, in particular, that there are no fixes yet for Spectre — and there’s lots of speculation that such fixes may be a long, long way off.

    UPDATE: A very insightful post from Alasdair Allan

    UPDATE: Intel issued a press release that says, in part:

    Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years.

    What of processors that are more than five years old? Intel doesn’t say. But I was very surprised to discover, in the list of affected processors, references to:

    • Intel Atom® Processor C Series
    • Intel Atom® Processor E Series
    • Intel Atom® Processor A Series
    • Intel Atom® Processor x3 Series
    • Intel Atom® Processor Z Series
    • Intel® Celeron® Processor J Series
    • Intel® Celeron® Processor N Series
    • Intel® Pentium® Processor J Series
    • Intel® Pentium® Processor N Series

    I thought all of those were immune. Looks like they aren’t.