|
There are isolated problems with current patches, but they are well-known and documented on this site. |
.Just sync’d up to my WSUS server is KB4100480. Based on trying to follow the KB I can’t tell if this fixes the Spectre/Meltdown fix that introduced n
[See the full post at: Patch Lady – new update for Windows 7 KB 4100480]
Susan Bradley Patch Lady/Prudent patcher
Tweet from Total Meltdown vulnerability discoverer Ulf Frisk: “#TotalMeltdown OOB patches available now! No longer ZERO-DAY! APPLY PATCHES NOW! (Win7/2008R2) CVE-2018-1038 . Awesome turnaround time and support from @msftsecresponse! Super impressive work given the time frame! […]”
Yep. Yesterday, Ulf said the original holes were plugged in the March Monthly Rollup. Now he says that they’re patched in this new security patch. And the new security patch says that it’s necessary if you installed the March Monthly Rollup because the Total Meltdown bug was introduced in the March Monthly Rollup.
They also released it on Thursday afternoon, before many people are headed out for a three day weekend.
This is ridiculous. I need a drink.
According to https://support.microsoft.com/en-us/help/4100480/windows-kernel-update-for-cve-2018-1038, many Windows 7 updates from January 2018 to March 2018 have the Total Meltdown vulnerability.
“So the march updates didn’t fix this gaping hole that microsoft introduced either?”
From http://blog.frizk.net/2018/03/total-meltdown.html: “2018-03-28: Found out that the March patches only partially resolved the vulnerability. Contacted MSRC again.”
“This update addresses an elevation of privilege vulnerability in the Windows kernel in the 64-Bit (x64) version of Windows. This vulnerability is documented in CVE-2018-1038. Users must apply this update to be fully protected against this vulnerability if their computers were updated in or after January 2018 by applying any of the following updates.”
So does this patch also contain a patch for the original issue,or is it just a patch for the previous 11 patches?
Ah, yeah… we’ve produced at least 11 botched up hotfixes in a row which made a gaping security hole out of a theoretical exploit, the most recent of them not even one week old yet, but 12th time’s the charm… absolutely trust us.
CVE-2018-1038 acknowledges Ulf Frisk.
Kevin Beaumont explains:
https://twitter.com/GossiTheDog/status/979488260140556293
No, [this patch is] purely for that [“Total Meltdown”] security issue. I agree it’s not great, they have some really big stability issues in March update and this fix also brings those, while trying to fix a new issue introduced in January. So orgs are left having to roll known bad update again.
Man. I hope it works.
KB4100480 might have some of the issues present in the Windows 7 March 2018 Windows monthly rollup.
Separately, updates were also released today for “Stop error 0xAB when you log off a session.”
I think it’s fair to say that Microsoft are the problem, not the solution
As far as i can tell (and it’s increasingly difficult to follow this mess), KB4100480 is only a fix for the flaw microsoft themselves introduced in the january, february and march updates. The so called “total meltdown” flaw. I don’t believe it includes any of march’s security patches but i may be wrong.
edit: According to kevin beaumont’s tweet further up this fix brings with it all the flaws with the march update as well… i have a headache.
I just checked for updates and now my Windows Update resembles Susan’s screenshot, with three entries: KB4088875 (unchecked), KB4100480 (checked) and KB890830 (checked).
Anxiously awaiting Woody’s guidance for navigating this minefield.
P.S. I love the new faster server!
Directions to see KB4088875 in Windows Update: see https://www.askwoody.com/forums/topic/microsoft-patch-alert-suddenly-windows-7-patching-is-an-unholy-mess/#post-178695.
So Group B should not expect to see KB4088875 since it requires installing the February Monthly Rollup and hiding the February preview rollup?
Non-techy Win 10 Pro and Linux Mint experimenter
Please don’t be so confused. Just wait until Woody gives the go-ahead — MS-DEFCON 3 (or 4 or 5) — along with the link to his latest ComputerWorld article detailing his instructions.
I would assume that this new emergency security update KB4100480, which was supposed to fix the Total Meltdown flaw introduced during Microsoft’s misguided attempts to fix the Meltdown flaw, does not correct the problems in the March 2018 security updates.
Therefore I still stand my previous decision. I shall restore the December 2017 system images back onto my systems running Windows 7, and I shall stop patching them until I am satisfied that this mess has been resolved. If the mess is not resolved in the future then I shall just continue to run Windows 7 on the December 2017 patch level, and leave it at that. By doing this I also will not suffer any performance degradation brought by the Meltdown “fixes”.
P.S. One of the above “anonymous” messages was posted by me. I have forgotten to login before I post. Please feel free to remove it.
Hope for the best. Prepare for the worst.
So it’s clearly a 64-bit only issue, in which case doesn’t affect me, being on 32-bit. Is it confirmed that the vulnerability itself was introduced on 64-bit only though? Or is it just that us on 32-bit aren’t getting the patch?
As for the other one for the BSOD when you log off, I wonder if rebooting to install it counts as logging off, in which case how would one install it successfully? But maybe it doesn’t count and it’s only in case of simply logging off, not rebooting?
— Cavalary
“So it’s clearly a 64-bit only issue, in which case doesn’t affect me, being on 32-bit. Is it confirmed that the vulnerability itself was introduced on 64-bit only though?”
See section “Affected Products” at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1038.
OK, this is frustrating. I think their WSUS detection is botched. I’ve approved KB4100480 for Win7 x64 and Server 2008R2. It’s definitely been downloaded. Three test Win 7 systems and a 2008R2 server check for updates and find zero. But if I download KB4100480 from the catalog and run the .msu file manually, they install.
So, if someone wants to protect their Windows 7 clients, the usual WSUS method provides no help. Hopefully they will reissue with fixed detection soon.
We’re seeing similar issues with out WSUS environment. Of approximately 200 Win2008R2 systems all of which have installed more than at least one of the qualifying Jan-Mar updates only 18 are showing that KB4100480 is applicable. On top of that, since we do utilize WSUS, nearly all of those 200 systems are patched identically.
And there is a similar story with the Win7x64 systems.
Something is fishy in Redmond.
Jim
I installed KB4100480 and rebooted the computer. The system booted without error. The patch appears not to have borked my system.
Trying to figure out all of this gives me as big of a headache as doing my taxes every year.
This update makes boot faster for me.
I compared the contents of KB4088875 x64 vs. KB4100480. (All three Catalog downloads of KB4100480 are identical.) KB4100480 contains a subset of the files in KB4088875 x64, with the exception of these files, which have newer versions in KB4100480 than in KB4088875 x64:
ntoskrnl.exe
ntkrnlpa.exe
This is broadly consistent with abbodi86’s analysis.
Here is a list of the files in KB4100480, excluding some types of files that aren’t important for the purposes of this post.
The supersedence associated with Windows updating will retain the correct (newer) files correctly.
The Windows servicing system is “smart” enough to handle situations like these without doing things like overwriting newer files with older files.
UPDATE:
Extra testing report:
1. Unfortunately I found that after install of KB4100480 both mentioned issues yet more or less chaotically occur with any possible win7 registry setting concerning disabling/enabling Meltdown protection:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverride’ value = 3 (disabled)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverride’ value = 2 (disabled)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverride’ value = 0 (enabled)
and even in case when both keys in charge are non-existed/deleted, i.e. their default status after KB4100480 install.
2. The best available combination of registry setting found to avoid dwm.exe errors in log is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverride’ value = 2 (Meltdowm protection disabled in default way of InSpectre#7 Utility)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverrideMask’ value = 3
plus another extra registry key created manually:
HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM\ DWORD UseMachineCheck with a value of 0
However the above combination seems a pretty much fragile way of patching, especially when windows leftovers issue rarely but yet occurs in same chaotic way, so finally I’ve removed this KB4100480 from win7 with even more fragile hope for better patching fun in coming April.
Rgds,
If you submit/edit/submit in too rapid succession, your post gets caught in the spambucket. I have retrieved both copies and will delete one of them.
Slow down between submit-edit-submit operations and let the system process the change. 🙂
Could i just ask those who haven’t installed either the january or february monthly rollups through windows update, were you offered KB4100480 through update? I wasn’t offered this and after a confusing few minutes i realised it’s most likely due to not having any monthly rollups installed, particularly january and february so all i see currently are the february rollup, the demon child KB2952664 and the malicious software removal tool for march.
As a test, I installed the March 2018 Windows security-only update, but didn’t have any of the other 10 updates listed at https://support.microsoft.com/en-us/help/4100480/windows-kernel-update-for-cve-2018-1038 installed. I rebooted and checked for Windows updates. I didn’t see KB4100480 listed.
This post discusses whether KB4100480 likely contains each issue in KB4088875. KB4100480 contains a subset of the files in KB4088875 x64, with the exception of these files.
Of the issues listed in KB4088875, these issues probably aren’t present in KB4100480:
“After you install this update, security settings in some organizations that are running Windows 7 SP1 or Windows Server 2008 R2 may prevent Internet Explorer 11 from starting because of an invalid SHA1 certificate.”
Reason: Doesn’t contain files related to Internet Explorer.
“A new Ethernet Network Interface Card (NIC) that has default settings may replace the previously existing NIC, causing network issues after you apply this update. Any custom settings on the previous NIC persist in the registry but are unused.”
Reason: Doesn’t contain file pci.sys that has been implicated in this issue. The list of files in KB4100480 (excluding some file types that aren’t important for the purposes of this site) is at https://pastebin.com/jnTDbtx5.
“Static IP address settings are lost after you apply this update.”
Reason: Doesn’t contain file pci.sys that has been implicated in this issue.
“After you install this update, you may receive a Stop error message that resembles the following when you log off the computer:
SESSION_HAS_VALID_POOL_ON_EXIT (ab)”
Reason: Doesn’t contain file Win32k.sys that has been implicated in this issue.
These two KB4088875 issues may or may not be present in KB4100480, but they were already present in the January 2018 Windows updates anyway:
“Because of an issue that affects some versions of antivirus software, this fix applies only to computers on which the antivirus ISV updated the ALLOW REGKEY.”
“After you install this update, SMB servers may leak memory.”
That leaves these two KB4088875 issues that may or may not be present in KB4100480:
“A Stop error occurs if this update is applied to a 32-Bit (x86) machine with the Physical Address Extension (PAE) mode disabled.”
“A Stop error occurs on computers that don’t support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).”
Both of the two issues above are discussed at https://www.askwoody.com/forums/topic/massive-march-patch-tuesday-relaxes-antivirus-restrictions-but-there-are-problems/#post-175554.
Thank you so much MrBrian. This is exactly the information I hoped I would find. It makes my decision to install KB4100480 much easier.
I hope you’re having – or will have – a good holiday weekend despite the fact that you are doing yeomans work at askwoody
Win 7-64 here. Group A – Up to date through February.
I ignored the KB4088875 for now [listed as important but unchecked] and the MSRT.
I installed KB4100480 and rebooted as per instructions and haven’t had any problems so far. I have been playing online games, checking email and surfing the net, etc. So far it is business as usual.
-firemind
From https://support.microsoft.com/en-us/help/4100480/windows-kernel-update-for-cve-2018-1038:
I doubt it, but I expect the fix to be included in the April 2018 updates.
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
