• Patch Lady – new update for Windows 7 KB 4100480

    Home » Forums » Newsletter and Homepage topics » Patch Lady – new update for Windows 7 KB 4100480

    Author
    Topic
    #179097

    Just sync’d up to my WSUS server is KB4100480.  Based on trying to follow the KB I can’t tell if this fixes the Spectre/Meltdown fix that introduced n
    [See the full post at: Patch Lady – new update for Windows 7 KB 4100480]

    Susan Bradley Patch Lady/Prudent patcher

    10 users thanked author for this post.
    Viewing 37 reply threads
    Author
    Replies
    • #179108

      Tweet from Total Meltdown vulnerability discoverer Ulf Frisk: “#TotalMeltdown OOB patches available now! No longer ZERO-DAY! APPLY PATCHES NOW! (Win7/2008R2) CVE-2018-1038 . Awesome turnaround time and support from @msftsecresponse! Super impressive work given the time frame! […]”

      1 user thanked author for this post.
    • #179106

      Ah, yeah… we’ve produced at least 11 botched up hotfixes in a row which made a gaping security hole out of a theoretical exploit, the most recent of them not even one week old yet, but 12th time’s the charm… absolutely trust us.

      5 users thanked author for this post.
    • #179116

      CVE-2018-1038 acknowledges Ulf Frisk.

      4 users thanked author for this post.
    • #179124

      Kevin Beaumont explains:

      https://twitter.com/GossiTheDog/status/979488260140556293

      No, [this patch is] purely for that [“Total Meltdown”] security issue. I agree it’s not great, they have some really big stability issues in March update and this fix also brings those, while trying to fix a new issue introduced in January. So orgs are left having to roll known bad update again.

      Man. I hope it works.

      4 users thanked author for this post.
      • #179167

        I want it confirmed if this fix really does introduce all the known issues from the march update because if it does then why is it ticked in windows update? The march rollup is unticked for some and not showing at all for others because of these quite serious flaws, yet this one is good to go? It makes no sense but nothing does these last few days.

        • #179187

          KB4100480 might have some of the issues present in the Windows 7 March 2018 Windows monthly rollup.

          1 user thanked author for this post.
    • #179125

      Separately, updates were also released today for “Stop error 0xAB when you log off a session.”

      2 users thanked author for this post.
    • #179132

      I think it’s fair to say that Microsoft are the problem, not the solution

      2 users thanked author for this post.
    • #179140

      For Group B: should we uninstall the Jan and Feb security-only updates and not install the Mar security-only update. I am not sure by the description if KB4100480 replaces them, or not?

      • #179165

        As far as i can tell (and it’s increasingly difficult to follow this mess), KB4100480 is only a fix for the flaw microsoft themselves introduced in the january, february and march updates. The so called “total meltdown” flaw. I don’t believe it includes any of march’s security patches but i may be wrong.

        edit: According to kevin beaumont’s tweet further up this fix brings with it all the flaws with the march update as well… i have a headache.

        2 users thanked author for this post.
      • #179188

        I wouldn’t expect that KB4100480 can be considered a replacement for any of the Windows security-only updates.

        3 users thanked author for this post.
    • #179158

      I just checked for updates and now my Windows Update resembles Susan’s screenshot, with three entries: KB4088875 (unchecked), KB4100480 (checked) and KB890830 (checked).

      Anxiously awaiting Woody’s guidance for navigating this minefield.

      P.S. I love the new faster server!

      2 users thanked author for this post.
    • #179159

      ohhhh!  I’m so confused.  Is it right to say I shouldn’t install “8875”  “8881”

      • #179389

        Please don’t be so confused.  Just wait until Woody gives the go-ahead — MS-DEFCON 3 (or 4 or 5) — along with the link to his latest ComputerWorld article detailing his instructions.

        Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'
        3 users thanked author for this post.
    • #179201

      I would assume that this new emergency security update KB4100480, which was supposed to fix the Total Meltdown flaw introduced during Microsoft’s misguided attempts to fix the Meltdown flaw, does not correct the problems in the March 2018 security updates.

      Therefore I still stand my previous decision. I shall restore the December 2017 system images back onto my systems running Windows 7, and I shall stop patching them until I am satisfied that this mess has been resolved. If the mess is not resolved in the future then I shall just continue to run Windows 7 on the December 2017 patch level, and leave it at that. By doing this I also will not suffer any performance degradation brought by the Meltdown “fixes”.

      P.S. One of the above “anonymous” messages was posted by me. I have forgotten to login before I post. Please feel free to remove it.

      Hope for the best. Prepare for the worst.

      2 users thanked author for this post.
    • #179169

      Just received – and read – this: Total Meltdown: How Microsoft’s Meltdown patch created an even bigger flaw for hackers

      The vulnerability affects Windows 7 and Windows Server 2008 R2, and gives complete memory access to hackers.

      By James Sanders | March 28, 2018

    • #179170

      So it’s clearly a 64-bit only issue, in which case doesn’t affect me, being on 32-bit. Is it confirmed that the vulnerability itself was introduced on 64-bit only though? Or is it just that us on 32-bit aren’t getting the patch?

      As for the other one for the BSOD when you log off, I wonder if rebooting to install it counts as logging off, in which case how would one install it successfully? But maybe it doesn’t count and it’s only in case of simply logging off, not rebooting?

      — Cavalary

      1 user thanked author for this post.
    • #179210

      So where do I stand? All I have is KB4100480 and 3 updates for Office 2010 as Important and KB4088881 shown as Optional. The latter is Preview for month March 2018. This is on my desktop.

      On my laptop which does not have Office it show KB4100480 as Important and KB4088881 as Optional (Preview for March 2018).

      Now scratching my head. Happy Easter from ‘Down Under”!

    • #179194

      I am a group B installer and I will install this update now. Losing confidence in MS….

    • #179199

      I would assume this emergency security update KB4100480, which was supposed to fix the Total Meltdown flaw introduced during Microsoft’s misguided attempts to fix the Meltdown flaw, does not correct the problems introduced by the March 2018 security updates.

      Therefore, I still stand by my previous decision. I will restore the December 2017 system images back on my systems running Windows 7, and I will stop patching them until I am satisfied that the mess has been resolved. If the mess is not resolved in the future, then I should just continue to run Windows 7 on the December 2017 patch level, and leave it at that. By doing that, I will also not suffer any performance degradations from the Meltdown patch.

      • #179229

        I have installed all the Group B updates and I can’t detect any performance differences.

        The catch 22 is that if there are any performance degradations, then you are probably more secure.

        To me the Meltdown exploit is the nasty one and I would like to surf the web without protection, but it is all about risk ratings.

    • #179324

      OK, this is frustrating.  I think their WSUS detection is botched.  I’ve approved KB4100480 for Win7 x64 and Server 2008R2.  It’s definitely been downloaded.  Three test Win 7 systems and a 2008R2 server check for updates and find zero.  But if I download KB4100480 from the catalog and run the .msu file manually, they install.

       

      So, if someone wants to protect their Windows 7 clients, the usual WSUS method provides no help.  Hopefully they will reissue with fixed detection soon.

      2 users thanked author for this post.
      • #179365

        We’re seeing similar issues with out WSUS environment.  Of approximately 200 Win2008R2 systems all of which have installed more than at least one of the qualifying Jan-Mar updates only 18 are showing that KB4100480 is applicable.  On top of that, since we do utilize WSUS, nearly all of those 200 systems are patched identically.

        And there is a similar story with the Win7x64 systems.

        Something is fishy in Redmond.

        Jim

        2 users thanked author for this post.
    • #179335

      I installed KB4100480 and rebooted the computer. The system booted without error. The patch appears not to have borked my system.

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
      3 users thanked author for this post.
    • #179337

      Trying to figure out all of this gives me as big of a headache as doing my taxes every year.

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
      2 users thanked author for this post.
    • #179350

      Strange.  I’m in “Group B” with two Windows 7 x64 PCs.  Windows Update is set to check for updates, but let me decide what to download.  I’ve already installed the March 2018 security-only patches and Office 2010, IE 11 security patches.

      However, I’ve run Windows Update multiple times last night and this morning and all it shows on both PCs are the two .NET updates that have been sitting there for more than a month.  No sign of KB 4100480.  I assume I could grab the file from the MS Update Catalog and manually update it.  I wonder if MS is staggering the release of this patch.  I’m in the Midwest.

    • #179380

      This update makes boot faster for me.

      1 user thanked author for this post.
    • #179391

      A couple of Microsoft Update queries. Spent the past 3-4 days reading through all the posts on the vulnerabilities opened by installing 2018-01 & 2018-02 the Win 7 Security Updates. Have just installed KB4100480 to rectify the vulnerabilities with no problems encountered on reboot. However, Update had 4 other updates ticked as “important”: KB4033342 .Net Framework 4.7.1, KB2952664 Win7 x64 update, 03-2018 Win Malware Removal Tool, ( I know what this is) and finally, Synaptics Mouse 8/16/2017, 19.0.19.63, this one I have been unchecking for months. Are they that important? Since we’re at DEFCON 2 I’m not doing anything at the moment

    • #179396

      I compared the contents of KB4088875 x64 vs. KB4100480. (All three Catalog downloads of KB4100480 are identical.) KB4100480 contains a subset of the files in KB4088875 x64, with the exception of these files, which have newer versions in KB4100480 than in KB4088875 x64:

      ntoskrnl.exe

      ntkrnlpa.exe

      This is broadly consistent with abbodi86’s analysis.

      Here is a list of the files in KB4100480, excluding some types of files that aren’t important for the purposes of this post.

      2 users thanked author for this post.
      • #179401

        It makes sense that KB4100480 would contain newer files than KB4088875 but now i’m curious as to the effect of installing KB4100480 before installing KB4088875 which i presume a lot us are going to be doing. Wouldn’t that result in older files overwriting the newer files? Provided anyone even wants to install the march update at this point but i’m just wondering if it’d be better installing KB4088875 (or the rollup) and then installing KB4100480.

        • #179403

          The supersedence associated with Windows updating will retain the correct (newer) files correctly.

          1 user thanked author for this post.
          T
        • #179404

          The Windows servicing system is “smart” enough to handle situations like these without doing things like overwriting newer files with older files.

          1 user thanked author for this post.
          T
    • #179435

      Well, well, well… I assume applying of this KB4100480 out-of-band patch as a good compromise if you wanna get win7sp1x64 kernel update regarding the Meltdown protection (and maybe the Spectre one but not for older CPUs!) option enabled but yet don’t wanna apply all these messy rollup and/or preview of rollup massive patches of 2018, so I gave it a try install onto win7sp1x64ultimate laptop without any of 2018 massive patches installed despite of the direct request of M$ to apply this patch only next to any of listed 2018 patches install.

      1. 1st attempt of install took a real while then win7 boot just frozen/failed > then tried to repair win7 launch w/o restore and got no errors as all 0x0 > then got a luck to boot thru F8 in safe mode > then reboot to normal and found that this patch install failed with status 0x80070643 > then 2nd try was all normal & successful.

      2. After install of this patch the InSpectre utility https://www.grc.com/inspectre.htm now of its revision #7 showed up Meltdown protection GOOD, Spectre one NO (no surprise with older CPUID 10676) & Performance SLOWER.

      3. Naturally I don’t wanna any performance lost against this fuzzy & yet incomplete protection at least due to its Spectre component is yet missed so I’ve disabled Meltdown protection by InSpectre utility. As it’s well known such disabling simply adds 2 keys to win7 registry:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverride’ with value 2 or 3 (if disabled) or 0 or 1 (if enabled back) and DWORD ‘FeatureSettingsOverrideMask’ with always 3 value.

      By default this InSpectre utility now sets 1st key to 2 that differs from recommended by M$ value of 3 by default (at least for servers!) However this 2 value almost immediately returns me single entries of both 2 issues of dwm.exe as ‘The Desktop Window Manager has encountered a fatal error (0x8898009b)’ as well as the leftover of one of already closed application window in win7 taskbar. Please refer to my earlier report(s) here:
      https://www.askwoody.com/2018/friday-night-patch-dump-kb-4088881-a-flawed-win7-monthly-rollup-preview-and-kb-4089187-an-ie-fix/#post-178425

      So I’ve manually changed this value to 3 and both issues seem gone.

      Anyhow, at the moment this patch is left installed  – at least for extra testing but likely as permanent deployment.

      Rgds,

      P.S. I guess I got a clear confirmation that both reported by me issues of 2018 are linked not to windows components’ updating like a graphics one but the Meltdown/Spectre protection deployment in particular (and likely its subsequent disabling in win7 registry!)

       

      P.P.S. Also I didn’t apply the advised by M$ .vbs registry patch concerning HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI  at all!

      • #179647

        UPDATE:

        Extra testing report:

        1. Unfortunately I found that after install of KB4100480 both mentioned issues yet more or less chaotically occur with any possible win7 registry setting concerning disabling/enabling Meltdown protection:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverride’ value = 3 (disabled)

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverride’ value = 2 (disabled)

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverride’ value = 0 (enabled)

        and even in case when both keys in charge are non-existed/deleted, i.e. their default status after KB4100480 install.

        2. The best available combination of registry setting found to avoid dwm.exe errors in log is:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverride’ value = 2 (Meltdowm protection disabled in default way of InSpectre#7 Utility)

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverrideMask’ value = 3

        plus another extra registry key created manually:

        HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM\ DWORD UseMachineCheck with a value of 0

        However the above combination seems a pretty much fragile way of patching, especially when windows leftovers issue rarely but yet occurs in same chaotic way, so finally I’ve removed this KB4100480 from win7 with even more fragile hope for better patching fun in coming April.

        Rgds,

        2 users thanked author for this post.
    • #179439

      Sorry it seems some little mess with posting here now.

      I’ve posted a pretty long message. Then it first appeared posted, then vanished after a minor editing, and now if I try to post it again there is a notice of duplicate posting.

      Please check for solution if any.

      Thanks.

      UPDATE: Thanks it’s resolved now!

      • #179441

        If you submit/edit/submit in too rapid succession, your post gets caught in the spambucket. I have retrieved both copies and will delete one of them.

        Slow down between submit-edit-submit operations and let the system process the change. 🙂

        3 users thanked author for this post.
    • #179506

      I installed KB4100480 today, and now the websites I use are no longer saving my login information.  Could this update affect auto login information or is this just a coincidence?

      Any ideas/suggestions would be appreciated.  I’m ‘technically-challenged’ and not  sure how to proceed.

      • #179519

        I use lastpass to keep track of my passwords. The only problem I seem to be having is with I/E 11. It keeps crashing at the moment but then it comes good. My default browser though is Google Chrome and Firefox as a standby. No solution I can think of – maybe a complete system shutdown and power up (Cold start)?

    • #179627

      Win 7 SP1 HE, Group B, Haven’t installed March 2018 updates yet. Just installed KB4100480 (Total Meltdown Patch). All seems well thus far. Plan to wait for Defcon 3 or higher before installing rest of March’s patches.

    • #179725

      Could i just ask those who haven’t installed either the january or february monthly rollups through windows update, were you offered KB4100480 through update? I wasn’t offered this and after a confusing few minutes i realised it’s most likely due to not having any monthly rollups installed, particularly january and february so all i see currently are the february rollup, the demon child KB2952664 and the malicious software removal tool for march.

      1 user thanked author for this post.
    • #179830
    • #179854

      This post discusses whether KB4100480 likely contains each issue in KB4088875. KB4100480 contains a subset of the files in KB4088875 x64, with the exception of these files.

      Of the issues listed in KB4088875, these issues probably aren’t present in KB4100480:

      “After you install this update, security settings in some organizations that are running Windows 7 SP1 or Windows Server 2008 R2 may prevent Internet Explorer 11 from starting because of an invalid SHA1 certificate.”

      Reason: Doesn’t contain files related to Internet Explorer.

      “A new Ethernet Network Interface Card (NIC) that has default settings may replace the previously existing NIC, causing network issues after you apply this update. Any custom settings on the previous NIC persist in the registry but are unused.”

      Reason: Doesn’t contain file pci.sys that has been implicated in this issue. The list of files in KB4100480 (excluding some file types that aren’t important for the purposes of this site) is at https://pastebin.com/jnTDbtx5.

      “Static IP address settings are lost after you apply this update.”

      Reason: Doesn’t contain file pci.sys that has been implicated in this issue.

      “After you install this update, you may receive a Stop error message that resembles the following when you log off the computer:

      SESSION_HAS_VALID_POOL_ON_EXIT (ab)”

      Reason: Doesn’t contain file Win32k.sys that has been implicated in this issue.

       

      These two KB4088875 issues may or may not be present in KB4100480, but they were already present in the January 2018 Windows updates anyway:

      “Because of an issue that affects some versions of antivirus software, this fix applies only to computers on which the antivirus ISV updated the ALLOW REGKEY.”

      “After you install this update, SMB servers may leak memory.”

       

      That leaves these two KB4088875 issues that may or may not be present in KB4100480:

      “A Stop error occurs if this update is applied to a 32-Bit (x86) machine with the Physical Address Extension (PAE) mode disabled.”

      “A Stop error occurs on computers that don’t support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).”

      Both of the two issues above are discussed at https://www.askwoody.com/forums/topic/massive-march-patch-tuesday-relaxes-antivirus-restrictions-but-there-are-problems/#post-175554.

       

      10 users thanked author for this post.
      • #179901

        Thank you so much MrBrian. This is exactly the information I hoped I would find. It makes my decision to install KB4100480 much easier.

        I hope you’re having – or will have – a good holiday weekend despite the fact that you are doing yeomans work at askwoody

        3 users thanked author for this post.
      • #180652

        Hi for this known issue

        “After you install this update, you may receive a Stop error message that resembles the following when you log off the computer:

        SESSION_HAS_VALID_POOL_ON_EXIT (ab)”

        by “log off”, is it the same with turning off/shutdown the computer?

    • #180300

      Win 7-64 here. Group A – Up to date through February.
      I ignored the KB4088875 for now [listed as important but unchecked] and the MSRT.
      I installed KB4100480 and rebooted as per instructions and haven’t had any problems so far. I have been playing online games, checking email and surfing the net, etc. So far it is business as usual.
      -firemind

      2 users thanked author for this post.
    • #180601

      OK, this is frustrating. I think their WSUS detection is botched.

      Same here.  We have maybe 115 x64 Windows 7 machines being updated with WSUS. They had the Jan., and then the Feb., security only rollup installed.

      Of those, only 4 show 4100480 as ‘needed’.

      What a mess, all of this.

    • #180860

      Also new “VM-Ware NIC static IP lost” hotfix is there now: https://support.microsoft.com/en-us/help/4099950

      So if you are still on dez/jan/feb Sec-Rollup on VMware and are waiting cause of the problems, perhaps this is the best order to install the patches, to get a complete march fix for those Win7/ 2008R2 Servers:

      “VM-Ware nic” Pre-Fix:

       
      March-Rollup:

       

      OOB-TotalMeltdown Hotfix:

    • #181047

      ok so KB4100480 needs to be applied on all workstations where March patches are installed, but in SCCM/WSUS console, it only shows required to some machines and not all machines.even if we push this emergency patch to all machines, it will only install on machines which shows required?

      Any info regarding this?

      Regards,

      Rohit B

      Edit to remove HTML: Use the ‘text’ tab in the post entry box when you copy/paste.

    • #181722

      From https://support.microsoft.com/en-us/help/4100480/windows-kernel-update-for-cve-2018-1038:

      • “This security update was updated on April 5, 2018 to address applicability issues in the original release of the update.
      • Applicability rules have been expanded for this update. Therefore, this update will be offered via Windows Update and Windows Server Update Service (WSUS) if any of the Security Only (SO) updates that are listed in the table above are applied.
      • No specific functional changes have been made to this security update. Therefore, no additional action is needed if this update has already been applied.”
      4 users thanked author for this post.
    • #184792

      Well no one is gonna fix Spectre expect motherboard manufacturers witch they are lazy to do.. not releasing bios updates for a supported cpus which they already have microcode fix for some cpus

    • #186939

      Anybody in touch with the Apple or Linux communities re: the Meltdown/Spectre mitigations?

      Old news over there, or still dealing with problems too?

      -Noel

    • #186961

      I have win 7 32 bit and I tried to check on mMS’s site for the patch KB4100480 but I haven’t seen traces of it.

      https://portal.msrc.microsoft.com/en-US/security-guidance

       

    • #187179

      Looks like the Linux folks have most of it covered including old processors via patches to kernel and applications/drivers.

      https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

    • #179186

      I doubt it, but I expect the fix to be included in the April 2018 updates.

      1 user thanked author for this post.
    Viewing 37 reply threads
    Reply To: Patch Lady – new update for Windows 7 KB 4100480

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: