• February patches bring key Outlook fixes and a rebirth of KB 2952664



    Unless you use an installed version of Outlook, there’s no reason to patch just yet. Even if you have a bought-n-paid-for version of Outlook, patching
    [See the full post at: February patches bring key Outlook fixes and a rebirth of KB 2952664]

    • #167443

      Guinea pig reporting in, Win 7 Ultimate 32-bit, Intel Haswell (Pentium G3440), Group B, hadn’t installed the Jan security only patch so far (had installed the IE one), now first set the registry settings to disable both Meltdown and Spectre fixes, then installed the original Jan security only patch (KB4056897) (did not install KB4073578) and the Feb security-only (KB4074587) and IE (KB4074736) patches. Due to that comment on the other thread about the IE patch failing to install for a user when installed after the Feb security-only patch, I just didn’t take the chance and installed that first, before either of the others.

      All went fast and so far all seems fine. Only thing is a logged error, event ID 3, “Session “Admin_PS_Provider” stopped due to the following error: 0xC0000022”. Last I see this one logged was in Oct 2015. But may be due to Comodo glitching, as that bug that makes it sometimes lose HIPS settings on reboot triggered again now and I wasn’t quick to import the exported configuration, so seconds after that event log entry I see in its logs that it blocked System from editing C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTAdmin_PS_Provider.etl. So assuming it’s just the fact that it wasn’t allowed to log something?

      It’s still very early though, having just installed all of this. And, again, this does not say anything about Meltdown/Spectre fixes, as I have those disabled.

      — Cavalary

      (Decided to take the advice to at least sign my nick if I don’t register and kept commenting anonymously so far…)

      3 users thanked author for this post.
      • #167635

        Thank you for sharing your real world experience, Cavalary.

        Do you have any intensive tasks you regularly use your computer for, with which you can compare performance before and after the patches?

        If so I would be interested in your reading on how much slower those activities are after the patches. Ideally, objective before/after time measurements to complete the same or very similar tasks would be awesome.

        For example, on some systems I have tasks I have scheduled to run overnight and I can see how long the tasks took to run before and after the patches by looking at time stamps in log files. Some of my tasks don’t take much longer (e.g., 22 minutes vs. 20 to do a particular compilation).

        So far the various things I’ve got my computers doing seem to be in the vicinity of 5% to 25% slower. 5% performance loss in the name of security I can live with. 10% is pushing it, and 25% is unacceptable in light of the fact that a computer that’s 25% faster costs a good bit more.

        The part that concerns me is that not accepting these patches essentially means one gets off the update train entirely.

        Ideally newer software ought to generally get faster – NOT slower – because of improvements in optimization. Yet as the software maker thinks of more things to hang all over it, and of course patches it to close some of the holes they left in it in the first place, in practice we see Windows get less and less efficient. And our choices as to what to accept and what to not accept are simply taken away.

        Who would accept a car that got 30 MPG when they first bought it, but now only gets 22 MPG because of things the manufacturer did to it after the purchase? Microsoft just wants us all to buy new cars. Is that acceptable?

        If they have had to reduce efficiency to work around processor issues, why haven’t they worked to increase efficiency in other ways to compensate – or given us the choice at run time of whether to take the hit? This may seem academic for home users, but there are a whole lot of people in the world who need every bit of the power their computers have.


        6 users thanked author for this post.
        • #167732

          Home users are only isolated from this effect when using local applications for local tasks that use the lower third of available resources. As soon as they connect to interact with another domain, whether it is LOLcat or the doctor’s office, county courthouse, financial institution, or academically required interaction to further their life goals, they become subject to the same slowdown effects, slightly magnified by secondhand experience.

          Those packets of data have to travel through other intermediaries that may also be operating in the upper third of available resources. And of course, as you have demonstrated, the closer a system runs to performance limits, the greater the observed slowdown. I presume it is a geometric increase, if not fully exponential. But I know those are the kind of figures you continue to seek.

    • #167489

      For me, those patches have completely ruined Outlook 2010 32-bit English on Windows 10 build 1709. ReplyAll doesn’t work (the object reports “Not implemented” on ReplyAll method, and the UI menu item doesn’t work either). No IMAP accounts are accessible. The Accounts property of the MailItem doesn’t work (“not accessible”), so plenty of other functionality doesn’t work too. I am wondering, if reinstalling MS Office would work.

      • #167516

        If the problems are caused by this month’s patches, uninstalling the patch should fix the problems. Have you tried to uninstall?

        1 user thanked author for this post.
    • #167512

      Patching my desktop Outlook 365 Click-to-Run (on Win7 SP1 x64) ‘as we speak’ after reading your article on Computerworld. (Had automatic updates off and will take it off again.)

      Noticed my taskbar icons refreshing when Outlook was restarting.

      I’m on Version 1801 build 9001.2171 now. All seems well.

      Thank you as always, @woody et al

    • #167570

      My employer pushed out the February patches today and I installed them on my Windows 7 work computer.  Everything seemed to go smoothly.

      On my home computer, I hid the KB 2952664 patch again. I’m not going to install any of the remaining patches until we are at MS-DEFCON 3 (or higher).

      3 users thanked author for this post.
    • #167571

      The most ridiculous thing is that Microsoft requires a registry key being set to receive Windows updates, but overlooked that Windows Server 2012 R2 (or any previous server version) never shipped with anti-virus software so the registry key is not set, and those servers won’t get updated any longer… Of course, quite a number of Web hosting companies stick to Windows Updates and certainly won’t notice and servers are left unpatched… Good job, Microsoft!

      • #169729

        Not at all; third party AV software (which you’d be using in an enterprise environment in most cases anyway) will set the key when it has confirmed it is compatible with the Jan patch.  Failing that, administrators can set the key themselves.

        1 user thanked author for this post.
    • #167577

      I hid the telemetry update, too.

      I’m not actually the type that gets too concerned about telemetry in general. I leave it on on my web browser, since I know what info they are taking (they are open source, after all), and none of it is stuff I care to keep secret. But this cagey stuff makes me not want to risk it for Microsoft.

    • #167599

      I’ve hidden KB2952664 – and something I noticed which seems different to before, although possibly didn’t pay too much attention before, but even when hiding this – it hasn’t disappeared merely become fainter and when highlighting speaks of ‘restoring’ so it appears to be definitely hidden. Is this a new strategy on MS’s part?
      I’m sure that before when hiding – the respective patch was no more to be seen! I haven’t hidden patches for a long time – mainly because the ‘iffy’ ones were in optional and weren’t ticked! But I must admit I do not like to see this sort of patch ticked and in with the Important updates! LT

      “What the world really needs is more love and less paper work.” – Pearl Bailey

      • #167611

        If you close WU, then open it again and look, they will have disappeared from the important list and be among the hidden.

        1 user thanked author for this post.
      • #167620

        As PKCano mentioned, closing and then reopening Windows Update will move the hidden update to being truly hidden. Alternatively, my preferred method after hiding updates is to have Windows Update once again check for updates. Why do I do this? Because once one or more updates are manually hidden, sometimes other updates will show up when you once again check for updates. This behavior correctly occurs as a result of supersedence issues with some updates.

        For example, let’s assume that a user has never installed any of the Monthly Rollups. Windows Update initially presents only the latest rollup. If the user hides the latest rollup and then rechecks for updates, the previous month’s rollup will then appear since the user hid the latest rollup which supersedes the rollup which now appears in Windows Update.

        3 users thanked author for this post.
        • #167623

          Many thanks PK and GoneToPlaid for your quick replies. And yes…… it’s disappeared now!
          Also meant to say earlier I’ve updated both our machines – that’s Win7 SP1 and Win8.1 in Group B with the Security and IE Updates, plus the Net Security and Roll up in Win7 that was ticked in Important, and Office 2007………… and all seems to be well so far! LT

          “We started off trying to set up a small anarchist community,
          but people wouldn’t obey the rules.” Alan Bennet

    • #167606

      Regarding Outlook I am getting more and more scared to approve those patches in general. There hasn’t been any month where this product’s “patches” were not listed as defective.



    • #167621

      The most ridiculous thing is that Microsoft requires a registry key being set to receive Windows updates, but overlooked that Windows Server 2012 R2 (or any previous server version) never shipped with anti-virus software so the registry key is not set, and those servers won’t get updated any longer… Of course, quite a number of Web hosting companies stick to Windows Updates and certainly won’t notice and servers are left unpatched… Good job, Microsoft!

      Hopefully whatever third party AV software which users install on their Windows Servers will properly set the required registry key. If not, those users will have to do this manually — after first checking that the AV software is compatible with having this registry key set by the user.

    • #167624

      Okay, so now KB2952664 for Win7 and whatever the equivalent KB is for Win8x will now check if mitigations are installed for Meltdown and at least one of the variants of Spectre. At the end of the day, Microsoft could have issued separate KBs to do the same thing. I surmise that Microsoft did not do this since their end goal is to install deep telemetry monitoring on all Win7 and Win8x computers. This of course is no surprise to anyone.

      Regarding Meltdown and Spectre

      Everybody received a Valentine’s Day present yesterday, courtesy of researchers at Princeton University. These researchers devised a new type of attack method in order to exploit the Meltdown and Spectre vulnerabilities, and they published working C language proof of concept code. Since their attack method is different, they have dubbed their newly discovered vulnerabilities as MeltdownPrime and SpectrePrime. This is real, unlike the news articles about Solace and Skyfall. Simply Google MeltdownPrime or SpectrePrime. Or see their PDF at:


      for more information.

      The upshot is that the originally published proof of concept code utilized precise timing techniques to pollute the CPU cache during speculative execution, whereas the newly published proof of concept code uses write requests which are sent out speculatively. This is a bit of an overly simplistic summary, yet is meant to convey that an entirely new attack method has not only been devised, but is also proven to work. Even more interesting is that the researchers use one CPU core in order to read cached memory for programs which are running under one or more other CPU cores.

      The researchers, testing on real hardware, also observed that their method produces more accurate results in comparison to the original Spectre proof of concept code. The original Spectre proof of concept code was 97.9% accurate, whereas the researchers’ new SpectrePrime proof of concept code is 99.95% accurate. The scary thing about these numbers is that this is the first research article which unequivocally states just how effective both types of proof of concept code really are in terms of being able to accurately read exposed cached data from computer memory. The other scary thing is that they published one line in their proof of concept code which they really shouldn’t have:

      uint8_t temp = 0; /* Used so compiler wonat optimize out victim_function() */

      The above line appears to be key to making their proof of concept code actually work after it has been compiled. Notice the typo for won’t in the comment portion of the above code line.


      6 users thanked author for this post.
    • #167630

      The original Spectre proof of concept code was 97.9% accurate, whereas the researchers’ new SpectrePrime proof of concept code is 99.95% accurate. The scary thing about these numbers is that this is the first research article which unequivocally states just how effective both types of proof of concept code really are in terms of being able to accurately read exposed cached data from computer memory.

      Can one block or effectively erase cache?


      Carpe Diem {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox115.0b2 MicrosoftDefender
      • #167634


        1 user thanked author for this post.
      • #167641

        The easiest way to mitigate such kind of vulnerabilities is to not install non-trusted software and disable scripting for non-trusted Web sites. Having scripting enabled for all Web sites is bad practice anyway. Sure, running Internet payloads on a different machine with non-sensitive data is even better.

        1 user thanked author for this post.
    • #167660

      I have KB2976978 sitting in WU for my W8.1 x64 system. I really don’t need this patch but as an aside, the KB article suggests that the telemetry is only activated if the user participates in the CEIP (Customer Experience Improvement Program). The documentation also states that the patch contains no GWX or upgrade functionality features. I always have CEIP participation disabled on my system but I wonder if, given MS’s tendency to disrespect settings, the telemetry will be enabled regardless of your setting. I am only asking for opinions here because MS has heavily strained my goodwill and trust  in recent years. It would seem harmless to install if you believe their documentation and you have CEIP disabled but I guess my problem is I do not entirely believe much of anything out of Redmond anymore.

    • #167682

      I have no problem with Office 2010 patches, but I didn’t install telemetry patch.

      1 user thanked author for this post.
    • #167764

      Win7-64Pro SP1 on Intel i7-960 Bloomfield X58 home built box with spinning HDDs. Group B for IE and OS, WU for .NET 4.7.1 and MSOffice 2010 Home and Office 32bit install. All January patches completed in January with no adverse issues discovered to date.

      I took the plunge on the February Outlook 2010 patch due to what I read in the KB article. I have had no issues so far. I tried ‘reply to all’ specifically since it was reported as an issue by a poster here, but they were on Win10. I also use Mozilla Thunderbird as a backup for Outlook.

      Feeling brave, and finding no negatives from searching the web, I also installed the other Office patches. Testing revealed no issues at present.

      Holding off on the Feb_2018 Group B Security Only, IE, and .NET patches.

      So far I have not seen attributable slowdowns due to the January 2018 Spectre/Meltdown patches in ‘my’ gaming and what I do on the PC, but I do not have a test suite.

      I may try a video transcoding test using the GRC InSpectre on/off switch.

      Oh, KB2952664 was hidden. Many, many thanks to GoneToPlaid for his DISM scripts. No evidence of KB2952664. I guess I caught it way back at version 1.

      1 user thanked author for this post.
    • #167775

      …Many, many thanks to GoneToPlaid for his DISM scripts. No evidence of KB2952664. I guess I caught it way back at version 1.

      Months ago, somehow I missed hiding KB2952664 on one of my four Win7 computers when I installed Windows Updates. Thus, KB2952664 on that computer was never subsequently shown in Windows Update. Yet subsequent versions of KB2952664 did indeed silently install when I ran Windows Update. The only thing which led me to discover that KB2952664 was actually installed was because the most recent installed version of KB2952664 caused my AV program to periodically lose its connection to the AV program’s servers. That is what caught my attention, and is what caused me to review all installed updates on that particular computer.

      Yep. You are hearing me correctly. At least one version of KB2952664 can send out so much telemetry at once such that KB2952664 can interfere with AV programs from being able to contact, in real time, the AV program’s cloud servers when the maximum LM host connections has been exceeded. This is a really big “Oops” for Microsoft.

      Apparently Microsoft’s gathering of telemetry takes precedence over making sure that such gathering of telemetry doesn’t break AV program connections with the AV program’s servers.

      It is what it is.


      1 user thanked author for this post.
      • #167934

        The first indicator for me was back with version 1 of KB2952664 and the subsequent GWX scans was that in a game it would come to a near halt and frame rates would drop precipitously. It was not until the GWX icon made me begin searching that I found all the info and relationships and uninstalled all the telemetry patches.

        With their demise the disk thrashing and lags went away.

        AND, thanks to Woody for aggregating much of that info and sources available.

    • #167774

      In your main Computerworld article “February patches bring ominous Outlook fixes and a rebirth of KB 2952664” you mention that CVE-2018-0852 and CVE-2018-0850 are particularly worrisome/frightening (“No, you don’t need to open the email. It just infects.”) because the bug is reportedly in Outlook’s Preview Pane handling.

      But what neither you nor anyone else (not even Microsoft!) mentions is, if you have your Outlook security settings configured to read all email in plain text, then the preview pane displays, even for HTML email, just … (wait for it!) … PLAIN TEXT!

      Now I don’t have any details regarding these two particular vulnerabilities, but in my experience virtually ALL email-based exploits use either javascript or some other type of HTML-based vulnerability as their exploit mechanism, so I’m highly doubting that simply displaying PLAIN TEXT in your Outlook Preview Pane can somehow trigger the exploit.

      The ONLY way I can conceive of such email-based exploits as having any chance of infecting you when you have your Outlook configured to read ALL email in PLAIN TEXT only, is if the actual bug was in the parsing of the HTML itself.

      But if that was the case then there would be mention of that in some reported Internet Explorer patch as well, and I’m just not seeing that anywhere.

      That’s it. That’s all I have to say. I just wanted to remind people that HTML email by its very nature is obviously quite exploitable, but if you read all of your email in PLAIN TEXT (the way email was meant to be read) then it’s highly unlikely you can become infected via some type of email-based exploit.

      Thanks and keep up the good work.

      2 users thanked author for this post.
      • #167958

        Some things are malicious, some things are marketing. These are not exclusive. Yes most of my communication is both sent and received in plain text. But over in that isolated account, I do receive legitimate mail from subscribed accounts that make extensive use of html . And not just for decoration. A portion of the sense of the message may be in those elements, and viewing in plain text only alters the message.

        Safest approach is to give clearance on each individual piece of mail, at the time it is actually requested to be opened and read. But I’ll admit that with the history of not falling for any of the obvious stuff, I’ve never had a problem [knock wooden skull]. And so I routinely allow full display of all elements from recognized addresses. I even find it annoying when some logic subroutine tries to protect me from myself and demands an additional permission to be granted.

        The day I succumb to the exploit, it will definitely be my fault for allowing it.

    • #167865

      @Noel Carboni

      Based upon your comments on this thread, I surmise that you have not yet installed the January Meltdown/Spectre patch on your production system. I have also not installed the patch yet because I wanted more time to study the issue of performance degradation because I use my W8.1 system to perform computationally intensive Monte Carlo simulations and other financial modeling activities. The system is also used for graphics editing and so, like you, I have my concerns. The problem leaves everyone in a conundrum inasmuch as the MS cumulative patching protocol will force you to install the patch or forego patches from this point forward. And, there is currently no Intel processor with better performance than my Haswell i7 4770K that is devoid of the Meltdown/Spectre vulnerabilities and that would not be subject to the recent MS withdrawal of WU support for anything other than W10. There may be processors available in a year or two with a changed architecture but for now the options seem narrow and unavoidable to me. W10 may become a usable OS at some point in the future but I would not consider as a viable OS for me at this time which keeps me from upgrading my rig. Yes, Satya, W10 is retarding hardware sales! If there are any options you may be considering I would appreciate hearing about them. At this time, I would install Linux as the bare metal install on a new rig and at best run W10 as a virtual machine to have access to legacy apps.

      1 user thanked author for this post.
    • #168055

      What the heck! (Not my first choice of words). I have (or rather had) 4 services disabled on a Windows 10 Pro 1703 PC I use as a server. I need it to be reliable, rock-solid and NOT subject to MS whims. As a result I disabled the following 4 services: Background Intelligent Transfer Service (bits), Delivery Optimization (dosvc), Update Orchestrator Service (UsoSvc) and Windows Update (wuauserv). “Should be safe”, I reasoned. It was acting a bit sluggish today so I went to restart it only to see ‘Update and restart’ in the Start menu. I needed it working again so felt I had no option but to follow through. It’s now almost an hour later and it’s still only 84% through ‘working on updates’. I absolutely hate, detest and loathe Microsoft.

    • #168070

      Follow-up. It’s now restarted to a stable desktop… and is now 1709 Build 16299.1256 (although, strangely, the right-click Power menu shows ‘Command Prompt’ rather than PowerShell).

      I’ve just checked the 4 services that I had previously disabled. BITS was set to manual (but not running). I’ve disabled it again. Delivery Optimisation was set to Manual (Trigger Start) but not running. Update Orchestrator Service was set to Manual (but not running). I’ve disabled it again. Windows Update was set to Manual (Trigger Start) and running. I’ve stopped it and disabled it again. I also note all the Xbox services have been re-enabled as have the two HomeGroup services.

      There are now loads more useless services installed and running automatically (e.g. User Data Access_1c36c4 and User Data Storage_1c36c4, for example, which – interestingly – cannot be disabled. Nor can Contact Data_1c36c4 or Windows Push Notifications User Service_1c364.) Is it totally beyond Microsoft morons to work out that the device is using a local account with absolutely no connection (or interest) in its online services? I’m going to have to waste my time going through them, working out what they are and stopping/disabling them as appropriate.

      Here’s the biggie (for me anyway)… Connected User Experiences and Telemetry was set to Automatic and running. I never, ever, ever have this service running. I haven’t just disabled it again… I’ve used SC to stop, disable then delete it (sc delete diagtrack). I should have done this earlier so more fool me for believing that ‘disabled’ would be honoured.

      I’ve added a VBS script to show the state of the wuaserv service for Technet’s BgInfo now running on the server’s desktop.

      Microsoft…. you absolutely suck big time. Not just for your absolute arrogance but because of the amount of time I now need to spend clearing up after your absolute arrogance. You have shot yourself in the foot big time. Whilst I was previously just cynical, I am now anti-MS big time!

      My apologies, Woody. Feel free to move this to ‘Rants’.
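
The service check described in the post above can be made repeatable so a reset after a feature update is caught immediately. This is an added example, not part of the original thread: the `$Baseline` table and the `Get-ServiceDrift` function are hypothetical names, and the expected states are an assumption taken from the services that post names.

```powershell
# Added example, not from the thread. The baseline is an assumption built from
# the services the post names; edit it to match your own intended state.
# Valid Win32_Service StartMode values include 'Auto', 'Manual' and 'Disabled'.
$Baseline = [ordered]@{
    'BITS'      = 'Disabled'   # Background Intelligent Transfer Service
    'DoSvc'     = 'Disabled'   # Delivery Optimization
    'UsoSvc'    = 'Disabled'   # Update Orchestrator Service
    'wuauserv'  = 'Disabled'   # Windows Update
    'DiagTrack' = 'Disabled'   # Connected User Experiences and Telemetry
}

function Get-ServiceDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Collections.IDictionary]$Expected
    )

    foreach ($name in $Expected.Keys) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue

        if (-not $svc) {
            # Not present (never installed, or removed with "sc delete" as the
            # post describes): reported for completeness but not flagged.
            [pscustomobject]@{
                Name         = $name
                Expected     = $Expected[$name]
                StartMode    = 'NotInstalled'
                TriggerStart = $false
                State        = 'Absent'
                Drift        = $false
            }
            continue
        }

        # A service shown as "Manual (Trigger Start)" in services.msc has a
        # TriggerInfo subkey under its service key.
        $hasTrigger = Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name\TriggerInfo"

        # Drift means the start mode changed, or a service that should be
        # disabled is currently running.
        $modeChanged    = $svc.StartMode -ne $Expected[$name]
        $runningAnyway  = ($Expected[$name] -eq 'Disabled') -and ($svc.State -eq 'Running')

        [pscustomobject]@{
            Name         = $svc.Name
            Expected     = $Expected[$name]
            StartMode    = $svc.StartMode
            TriggerStart = $hasTrigger
            State        = $svc.State
            Drift        = ($modeChanged -or $runningAnyway)
        }
    }
}

# Run before and after an update and compare the two reports.
$report = Get-ServiceDrift -Expected $Baseline
$report | Format-Table -AutoSize

$drifted = @($report | Where-Object { $_.Drift })
if ($drifted.Count -gt 0) {
    Write-Warning ("{0} service(s) differ from the baseline: {1}" -f $drifted.Count, ($drifted.Name -join ', '))
}
```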

    • #168077

      Further follow-up. I’ve never actually heard it before but now its fans are racing, even though Task Manager shows 0% for CPU, disk and network. What the heck is going on?

    • #168096

      Further investigation shows that I now have a new program installed… Windows Setup Remediations (x64) (KB4023057). A Google search shows nothing relevant. Anybody know what this nonsense is?

    • #168102


      Many thanks, PKCano… I just didn’t search well enough whilst other things on my mind.

      Busy now… preparing to wipe/restore my ‘pseudo-server’ to earlier version of Win 10 temporarily in order to keep working whilst I look into reverting to Win 7 or migrating to another OS completely.

      Well done Microshaft for shooting yourself in the foot. May you benefit appropriately from your actions. 🙂

    • #168106

      Whoa… I still have no idea what’s happening behind the scenes (‘cos Task Manager still shows 0,5,0,0 for CPU, Memory, Disk and Network respectively) but my pseudo-server’s fans have just increased their spin/noise levels yet again. What the heck is happening?

      Have decided to just shut my ‘pseudo-server’ down completely whilst I work out what to do.

      (Did I mention that I now hate Microshaft?)

    • #168145

      Switched my pseudo-server back on again to list installed programs prior to making clean install (and so I can pull off ISO for 1703). I note that KB4023057 is apparently installed twice, the first time 2 days ago as Update for Windows 10 for x64-based Systems (KB4023057) (686KB) and second time today as Windows Setup Remediations (x64) (KB4023057) (but no publisher or install date info).


      Internal fans rose quickly to racing despite Task Manager showing 0,5,0,0 for CPU, Memory, Disk and Network.

      Also note again the Lounge Rules re: no swearing… so just thinking beautiful thoughts of sweetness and light towards Microshaft.

    • #168156

      I’ve come to the realisation that whilst I’m fairly confident that I know enough about Linux Mint to use it full time as a client, I just don’t have enough familiarity with it to use as a storage server… for the moment. (That’s going to change…)

      I’ve learned a lot about Win 10 in the last 2 years (and even more in the last 24 hours) so have decided to carry out a clean install of Win 10 instead of reverting to one of my backups (with all the SXS bloat).

      Thanks to Rufus I now have a bootable USB flash drive to re-install Win 10 Pro 1703 on the OS SSD of my ‘pseudo-server’.

      I’m going to disconnect the 2 internal ‘storage’ HDD’s in my ‘pseudo-server’ as a ‘just in case’ precaution beforehand… ‘cos my faith in Microshaft has now been completely destroyed.

      Did I perhaps mention that I now hate Microshaft?
