Just sync’d up to my WSUS server is KB4100480. Based on trying to follow the KB I can’t tell if this fixes the Spectre/Meltdown fix that introduced n
[See the full post at: Patch Lady – new update for Windows 7 KB 4100480]
Susan Bradley Patch Lady
Tweet from Total Meltdown vulnerability discoverer Ulf Frisk: “#TotalMeltdown OOB patches available now! No longer ZERO-DAY! APPLY PATCHES NOW! (Win7/2008R2) CVE-2018-1038 . Awesome turnaround time and support from @msftsecresponse! Super impressive work given the time frame! […]”
Yep. Yesterday, Ulf said the original holes were plugged in the March Monthly Rollup. Now he says that they’re patched in this new security patch. And the new security patch says that it’s necessary if you installed the March Monthly Rollup because the Total Meltdown bug was introduced in the March Monthly Rollup.
They also released it on Thursday afternoon, before many people are headed out for a three day weekend.
This is ridiculous. I need a drink.
According to https://support.microsoft.com/en-us/help/4100480/windows-kernel-update-for-cve-2018-1038, many Windows 7 updates from January 2018 to March 2018 have the Total Meltdown vulnerability.
This is quite unbelievable. So the March updates didn’t fix this gaping hole that Microsoft introduced either? The March updates were supposed to fix this. Presumably the fix will be included in April but supposing the ever growing list of issues are fixed in April it looks like March will never get installed if you’re in Group B. I’m certainly not installing it in the state it’s in and I’m not switching to Group A either.
“So the March updates didn’t fix this gaping hole that Microsoft introduced either?”
From http://blog.frizk.net/2018/03/total-meltdown.html: “2018-03-28: Found out that the March patches only partially resolved the vulnerability. Contacted MSRC again.”
“This update addresses an elevation of privilege vulnerability in the Windows kernel in the 64-Bit (x64) version of Windows. This vulnerability is documented in CVE-2018-1038. Users must apply this update to be fully protected against this vulnerability if their computers were updated in or after January 2018 by applying any of the following updates.”
So does this patch also contain a patch for the original issue, or is it just a patch for the previous 11 patches?
Ah, yeah… we’ve produced at least 11 botched up hotfixes in a row which made a gaping security hole out of a theoretical exploit, the most recent of them not even one week old yet, but 12th time’s the charm… absolutely trust us.
Kevin Beaumont explains:
https://twitter.com/GossiTheDog/status/979488260140556293
No, [this patch is] purely for that [“Total Meltdown”] security issue. I agree it’s not great, they have some really big stability issues in March update and this fix also brings those, while trying to fix a new issue introduced in January. So orgs are left having to roll known bad update again.
Man. I hope it works.
I want it confirmed if this fix really does introduce all the known issues from the March update because if it does then why is it ticked in Windows Update? The March rollup is unticked for some and not showing at all for others because of these quite serious flaws, yet this one is good to go? It makes no sense but nothing does these last few days.
As far as I can tell (and it’s increasingly difficult to follow this mess), KB4100480 is only a fix for the flaw Microsoft themselves introduced in the January, February and March updates. The so called “Total Meltdown” flaw. I don’t believe it includes any of March’s security patches but I may be wrong.
Edit: According to Kevin Beaumont’s tweet further up this fix brings with it all the flaws with the March update as well… I have a headache.
I just checked for updates and now my Windows Update resembles Susan’s screenshot, with three entries: KB4088875 (unchecked), KB4100480 (checked) and KB890830 (checked).
Anxiously awaiting Woody’s guidance for navigating this minefield.
P.S. I love the new faster server!
I still only see the February rollup and the March Preview. I only saw KB4088875 once as checked, and then it was gone (and not hidden or installed), and KB4100480 does not appear, period, no matter if I hide the preview or not.
Maybe it is because my PCI.SYS is version 6.1.7601.17514 dated 11/20/2010. Who knows…
Please don’t be so confused. Just wait until Woody gives the go-ahead — MS-DEFCON 3 (or 4 or 5) — along with the link to his latest ComputerWorld article detailing his instructions.
I would assume that this new emergency security update KB4100480, which was supposed to fix the Total Meltdown flaw introduced during Microsoft’s misguided attempts to fix the Meltdown flaw, does not correct the problems in the March 2018 security updates.
Therefore I still stand my previous decision. I shall restore the December 2017 system images back onto my systems running Windows 7, and I shall stop patching them until I am satisfied that this mess has been resolved. If the mess is not resolved in the future then I shall just continue to run Windows 7 on the December 2017 patch level, and leave it at that. By doing this I also will not suffer any performance degradation brought by the Meltdown “fixes”.
P.S. One of the above “anonymous” messages was posted by me. I have forgotten to login before I post. Please feel free to remove it.
Hope for the best. Prepare for the worst.
Just received – and read – this: Total Meltdown: How Microsoft’s Meltdown patch created an even bigger flaw for hackers
The vulnerability affects Windows 7 and Windows Server 2008 R2, and gives complete memory access to hackers.
By James Sanders | March 28, 2018
So it’s clearly a 64-bit only issue, in which case doesn’t affect me, being on 32-bit. Is it confirmed that the vulnerability itself was introduced on 64-bit only though? Or is it just that us on 32-bit aren’t getting the patch?
As for the other one for the BSOD when you log off, I wonder if rebooting to install it counts as logging off, in which case how would one install it successfully? But maybe it doesn’t count and it’s only in case of simply logging off, not rebooting?
— Cavalary
“So it’s clearly a 64-bit only issue, in which case doesn’t affect me, being on 32-bit. Is it confirmed that the vulnerability itself was introduced on 64-bit only though?”
See section “Affected Products” at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1038.
So where do I stand? All I have is KB4100480 and 3 updates for Office 2010 as Important and KB4088881 shown as Optional. The latter is Preview for month March 2018. This is on my desktop.
On my laptop which does not have Office it show KB4100480 as Important and KB4088881 as Optional (Preview for March 2018).
Now scratching my head. Happy Easter from “Down Under”!
I would assume this emergency security update KB4100480, which was supposed to fix the Total Meltdown flaw introduced during Microsoft’s misguided attempts to fix the Meltdown flaw, does not correct the problems introduced by the March 2018 security updates.
Therefore, I still stand by my previous decision. I will restore the December 2017 system images back on my systems running Windows 7, and I will stop patching them until I am satisfied that the mess has been resolved. If the mess is not resolved in the future, then I should just continue to run Windows 7 on the December 2017 patch level, and leave it at that. By doing that, I will also not suffer any performance degradations from the Meltdown patch.
I have installed all the Group B updates and I can’t detect any performance differences.
The catch 22 is that if there are any performance degradations, then you are probably more secure.
To me the Meltdown exploit is the nasty one and I would like to surf the web without protection, but it is all about risk ratings.
OK, this is frustrating. I think their WSUS detection is botched. I’ve approved KB4100480 for Win7 x64 and Server 2008R2. It’s definitely been downloaded. Three test Win 7 systems and a 2008R2 server check for updates and find zero. But if I download KB4100480 from the catalog and run the .msu file manually, they install.
So, if someone wants to protect their Windows 7 clients, the usual WSUS method provides no help. Hopefully they will reissue with fixed detection soon.
We’re seeing similar issues with our WSUS environment. Of approximately 200 Win2008R2 systems all of which have installed more than at least one of the qualifying Jan-Mar updates only 18 are showing that KB4100480 is applicable. On top of that, since we do utilize WSUS, nearly all of those 200 systems are patched identically.
And there is a similar story with the Win7x64 systems.
Something is fishy in Redmond.
Jim
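An added example, not part of the original posts: because several posters found WSUS reporting KB4100480 as not applicable on machines that had taken the January to March updates, this PowerShell script reads each machine's installed hotfix list directly instead of relying on WSUS applicability. The `$QualifyingKb` list holds only the two qualifying updates named in this thread and has to be completed from the Microsoft article for KB4100480; the function name and verdict strings are made up for the example.

```powershell
# Added example: audit KB4100480 independently of WSUS detection.
# Written to run on PowerShell 2.0, the version shipped with Windows 7 / 2008 R2.

$Computers    = @($env:COMPUTERNAME)           # replace with your own machine list
$FixKb        = 'KB4100480'
# Only the qualifying updates named in this thread. The complete list is in the
# Microsoft article for KB4100480 and should be added here before real use.
$QualifyingKb = @('KB4088875', 'KB4088881')

function Get-PatchVerdict {
    param([string[]]$InstalledKb, [string]$Architecture)

    # The KB text quoted in the thread limits the issue to 64-bit (x64) Windows.
    # OSArchitecture is a localized string ("64-bit", "64 Bit"), so match the prefix.
    if ($Architecture -notlike '64*') { return 'NotApplicable-32bit' }

    if ($InstalledKb -contains $FixKb) { return 'Patched' }

    $hits = @($QualifyingKb | Where-Object { $InstalledKb -contains $_ })
    if ($hits.Count -gt 0) {
        return ('NeedsFix (has ' + ($hits -join ', ') + ')')
    }
    # Not proof of safety while $QualifyingKb is incomplete.
    return 'NoListedQualifyingUpdate'
}

foreach ($c in $Computers) {
    try {
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
        $kbs = @(Get-HotFix -ComputerName $c -ErrorAction Stop |
                 ForEach-Object { $_.HotFixID })
        $verdict = Get-PatchVerdict -InstalledKb $kbs -Architecture $os.OSArchitecture
    } catch {
        # Unreachable host, WMI blocked by firewall, access denied, ...
        $verdict = 'QueryFailed: ' + $_.Exception.Message
    }
    New-Object PSObject -Property @{ Computer = $c; Verdict = $verdict } |
        Select-Object Computer, Verdict
}
```

Machines that come back as `NeedsFix` while WSUS shows them as not needing the update are the ones affected by the detection problem described above.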
I installed KB4100480 and rebooted the computer. The system booted without error. The patch appears not to have borked my system.
Strange. I’m in “Group B” with two Windows 7 x64 PCs. Windows Update is set to check for updates, but let me decide what to download. I’ve already installed the March 2018 security-only patches and Office 2010, IE 11 security patches.
However, I’ve run Windows Update multiple times last night and this morning and all it shows on both PCs are the two .NET updates that have been sitting there for more than a month. No sign of KB 4100480. I assume I could grab the file from the MS Update Catalog and manually update it. I wonder if MS is staggering the release of this patch. I’m in the Midwest.
A couple of Microsoft Update queries. Spent the past 3-4 days reading through all the posts on the vulnerabilities opened by installing 2018-01 & 2018-02 the Win 7 Security Updates. Have just installed KB4100480 to rectify the vulnerabilities with no problems encountered on reboot. However, Update had 4 other updates ticked as “important”: KB4033342 .Net Framework 4.7.1, KB2952664 Win7 x64 update, 03-2018 Win Malware Removal Tool, ( I know what this is) and finally, Synaptics Mouse 8/16/2017, 19.0.19.63, this one I have been unchecking for months. Are they that important? Since we’re at DEFCON 2 I’m not doing anything at the moment
I compared the contents of KB4088875 x64 vs. KB4100480. (All three Catalog downloads of KB4100480 are identical.) KB4100480 contains a subset of the files in KB4088875 x64, with the exception of these files, which have newer versions in KB4100480 than in KB4088875 x64:
ntoskrnl.exe
ntkrnlpa.exe
This is broadly consistent with abbodi86’s analysis.
Here is a list of the files in KB4100480, excluding some types of files that aren’t important for the purposes of this post.
It makes sense that KB4100480 would contain newer files than KB4088875 but now I’m curious as to the effect of installing KB4100480 before installing KB4088875 which I presume a lot of us are going to be doing. Wouldn’t that result in older files overwriting the newer files? Provided anyone even wants to install the March update at this point but I’m just wondering if it’d be better installing KB4088875 (or the rollup) and then installing KB4100480.
Well, well, well… I assume applying of this KB4100480 out-of-band patch as a good compromise if you wanna get win7sp1x64 kernel update regarding the Meltdown protection (and maybe the Spectre one but not for older CPUs!) option enabled but yet don’t wanna apply all these messy rollup and/or preview of rollup massive patches of 2018, so I gave it a try install onto win7sp1x64ultimate laptop without any of 2018 massive patches installed despite of the direct request of M$ to apply this patch only next to any of listed 2018 patches install.
1. 1st attempt of install took a real while then win7 boot just frozen/failed > then tried to repair win7 launch w/o restore and got no errors as all 0x0 > then got a luck to boot thru F8 in safe mode > then reboot to normal and found that this patch install failed with status 0x80070643 > then 2nd try was all normal & successful.
2. After install of this patch the InSpectre utility https://www.grc.com/inspectre.htm now of its revision #7 showed up Meltdown protection GOOD, Spectre one NO (no surprise with older CPUID 10676) & Performance SLOWER.
3. Naturally I don’t wanna any performance lost against this fuzzy & yet incomplete protection at least due to its Spectre component is yet missed so I’ve disabled Meltdown protection by InSpectre utility. As it’s well known such disabling simply adds 2 keys to win7 registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverride’ with value 2 or 3 (if disabled) or 0 or 1 (if enabled back) and DWORD ‘FeatureSettingsOverrideMask’ with always 3 value.
By default this InSpectre utility now sets 1st key to 2 that differs from recommended by M$ value of 3 by default (at least for servers!) However this 2 value almost immediately returns me single entries of both 2 issues of dwm.exe as ‘The Desktop Window Manager has encountered a fatal error (0x8898009b)’ as well as the leftover of one of already closed application window in win7 taskbar. Please refer to my earlier report(s) here:
https://www.askwoody.com/2018/friday-night-patch-dump-kb-4088881-a-flawed-win7-monthly-rollup-preview-and-kb-4089187-an-ie-fix/#post-178425
So I’ve manually changed this value to 3 and both issues seem gone.
Anyhow, at the moment this patch is left installed – at least for extra testing but likely as permanent deployment.
Rgds,
P.S. I guess I got a clear confirmation that both reported by me issues of 2018 are linked not to windows components’ updating like a graphics one but the Meltdown/Spectre protection deployment in particular (and likely its subsequent disabling in win7 registry!)
P.P.S. Also I didn’t apply the advised by M$ .vbs registry patch concerning HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI at all!
UPDATE:
Extra testing report:
1. Unfortunately I found that after install of KB4100480 both mentioned issues yet more or less chaotically occur with any possible win7 registry setting concerning disabling/enabling Meltdown protection:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverride’ value = 3 (disabled)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverride’ value = 2 (disabled)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverride’ value = 0 (enabled)
and even in case when both keys in charge are non-existed/deleted, i.e. their default status after KB4100480 install.
2. The best available combination of registry setting found to avoid dwm.exe errors in log is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverride’ value = 2 (Meltdown protection disabled in default way of InSpectre#7 Utility)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ DWORD ‘FeatureSettingsOverrideMask’ value = 3
plus another extra registry key created manually:
HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM\ DWORD UseMachineCheck with a value of 0
However the above combination seems a pretty much fragile way of patching, especially when windows leftovers issue rarely but yet occurs in same chaotic way, so finally I’ve removed this KB4100480 from win7 with even more fragile hope for better patching fun in coming April.
Rgds,
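An added example, not part of the original post: a PowerShell audit that reads the two `Memory Management` values discussed above and reports whether the Meltdown and Spectre variant 2 mitigations have been switched off by an override, which is useful for finding machines where a tool such as InSpectre was used to disable protection. The bit layout (bit 0 = Spectre variant 2, bit 1 = Meltdown) and the rule that only bits present in the mask take effect are assumptions consistent with the post's "2 or 3 = disabled, 0 or 1 = enabled"; the function names are made up for the example.

```powershell
# Added example: decode FeatureSettingsOverride / FeatureSettingsOverrideMask.
# Written to run on PowerShell 2.0 (Windows 7 / 2008 R2).

$MmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Read-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value does not exist (the state after a plain install).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}

function ConvertTo-MitigationState {
    param($Override, $Mask)

    # ASSUMPTION: bit 0 disables the Spectre variant 2 mitigation and bit 1 the
    # Meltdown mitigation; a bit only counts when it is also set in the mask.
    $bits  = @{ SpectreV2 = 1; Meltdown = 2 }
    $state = @{ Override = $Override; Mask = $Mask }

    foreach ($name in $bits.Keys) {
        $bit = $bits[$name]
        if ($Override -eq $null -or $Mask -eq $null -or (($Mask -band $bit) -eq 0)) {
            $state[$name] = 'OS default (no override)'
        } elseif (($Override -band $bit) -ne 0) {
            $state[$name] = 'DISABLED by override'
        } else {
            $state[$name] = 'Enabled by override'
        }
    }
    New-Object PSObject -Property $state |
        Select-Object Override, Mask, Meltdown, SpectreV2
}

# State of the machine the script runs on.
$live = ConvertTo-MitigationState `
    (Read-RegDword $MmKey 'FeatureSettingsOverride') `
    (Read-RegDword $MmKey 'FeatureSettingsOverrideMask')
$live | Format-List

# The combinations tried in the post, as constructed inputs (mask always 3).
foreach ($v in 0, 1, 2, 3) { ConvertTo-MitigationState $v 3 } | Format-Table -AutoSize
```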
Sorry it seems some little mess with posting here now.
I’ve posted a pretty long message. Then it first appeared posted, then vanished after a minor editing, and now if I try to post it again there is a notice of duplicate posting.
Please check for solution if any.
Thanks.
UPDATE: Thanks it’s resolved now!
If you submit/edit/submit in too rapid succession, your post gets caught in the spambucket. I have retrieved both copies and will delete one of them.
Slow down between submit-edit-submit operations and let the system process the change. 🙂
I use lastpass to keep track of my passwords. The only problem I seem to be having is with I/E 11. It keeps crashing at the moment but then it comes good. My default browser though is Google Chrome and Firefox as a standby. No solution I can think of – maybe a complete system shutdown and power up (Cold start)?
Could I just ask those who haven’t installed either the January or February monthly rollups through Windows Update, were you offered KB4100480 through update? I wasn’t offered this and after a confusing few minutes I realised it’s most likely due to not having any monthly rollups installed, particularly January and February so all I see currently are the February rollup, the demon child KB2952664 and the malicious software removal tool for March.
As a test, I installed the March 2018 Windows security-only update, but didn’t have any of the other 10 updates listed at https://support.microsoft.com/en-us/help/4100480/windows-kernel-update-for-cve-2018-1038 installed. I rebooted and checked for Windows updates. I didn’t see KB4100480 listed.
This post discusses whether KB4100480 likely contains each issue in KB4088875. KB4100480 contains a subset of the files in KB4088875 x64, with the exception of these files.
Of the issues listed in KB4088875, these issues probably aren’t present in KB4100480:
“After you install this update, security settings in some organizations that are running Windows 7 SP1 or Windows Server 2008 R2 may prevent Internet Explorer 11 from starting because of an invalid SHA1 certificate.”
Reason: Doesn’t contain files related to Internet Explorer.
“A new Ethernet Network Interface Card (NIC) that has default settings may replace the previously existing NIC, causing network issues after you apply this update. Any custom settings on the previous NIC persist in the registry but are unused.”
Reason: Doesn’t contain file pci.sys that has been implicated in this issue. The list of files in KB4100480 (excluding some file types that aren’t important for the purposes of this site) is at https://pastebin.com/jnTDbtx5.
“Static IP address settings are lost after you apply this update.”
Reason: Doesn’t contain file pci.sys that has been implicated in this issue.
“After you install this update, you may receive a Stop error message that resembles the following when you log off the computer:
SESSION_HAS_VALID_POOL_ON_EXIT (ab)”
Reason: Doesn’t contain file Win32k.sys that has been implicated in this issue.
These two KB4088875 issues may or may not be present in KB4100480, but they were already present in the January 2018 Windows updates anyway:
“Because of an issue that affects some versions of antivirus software, this fix applies only to computers on which the antivirus ISV updated the ALLOW REGKEY.”
“After you install this update, SMB servers may leak memory.”
That leaves these two KB4088875 issues that may or may not be present in KB4100480:
“A Stop error occurs if this update is applied to a 32-Bit (x86) machine with the Physical Address Extension (PAE) mode disabled.”
“A Stop error occurs on computers that don’t support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).”
Both of the two issues above are discussed at https://www.askwoody.com/forums/topic/massive-march-patch-tuesday-relaxes-antivirus-restrictions-but-there-are-problems/#post-175554.
Thank you so much MrBrian. This is exactly the information I hoped I would find. It makes my decision to install KB4100480 much easier.
I hope you’re having – or will have – a good holiday weekend despite the fact that you are doing yeoman’s work at AskWoody.
Win 7-64 here. Group A – Up to date through February.
I ignored the KB4088875 for now [listed as important but unchecked] and the MSRT.
I installed KB4100480 and rebooted as per instructions and haven’t had any problems so far. I have been playing online games, checking email and surfing the net, etc. So far it is business as usual.
-firemind
OK, this is frustrating. I think their WSUS detection is botched.
Same here. We have maybe 115 x64 Windows 7 machines being updated with WSUS. They had the Jan., and then the Feb., security only rollup installed.
Of those, only 4 show 4100480 as ‘needed’.
What a mess, all of this.
Also new “VM-Ware NIC static IP lost” hotfix is there now: https://support.microsoft.com/en-us/help/4099950
So if you are still on Dec/Jan/Feb Sec-Rollup on VMware and are waiting because of the problems, perhaps this is the best order to install the patches, to get a complete March fix for those Win7/2008R2 Servers:
“VM-Ware nic” Pre-Fix:
March-Rollup:
OOB-TotalMeltdown Hotfix:
OK, so KB4100480 needs to be applied on all workstations where March patches are installed, but in the SCCM/WSUS console, it only shows as required on some machines and not all machines. Even if we push this emergency patch to all machines, will it only install on machines which show it as required?
Any info regarding this?
Regards,
Rohit B
Edit to remove HTML: Use the ‘text’ tab in the post entry box when you copy/paste.
From https://support.microsoft.com/en-us/help/4100480/windows-kernel-update-for-cve-2018-1038: