  • Patch Lady – we have another Spectre/Meltdown

    Posted by Susan Bradley. Comment on the AskWoody Lounge


    This topic contains 27 replies, has 17 voices, and was last updated by DriftyDonN 1 week, 1 day ago.

    • #1904428

      Susan Bradley
      AskWoody MVP

      So included in the July patches was another Spectre/Meltdown patch, and the information about it is just coming out today.  I’m still not convinced th
      [See the full post at: Patch Lady – we have another Spectre/Meltdown]

      Susan Bradley Patch Lady

      10 users thanked author for this post.
    • #1904623

      PKCano
      Da Boss

      According to the Windows Kernel Information link documentation, the fix for this vulnerability is contained in July updates KB4507456 (Win7 SO) and KB4507457 (Win8.1 SO).

      So that will affect the Win7 Group B patchers who also have to contend with the KB3953664 functionality (Compatibility Appraiser) included in KB4507456 too.

      This would seem to leave Group B between a rock and a hard place.

      3 users thanked author for this post.
      • #1904624

        anonymous

        I’m not installing KB4507456 (Win7 SO) ever! So I’ll just have to live with that side channel vulnerability that’s probably difficult to pull off anyway. And most of my laptops were not even offered any microcode (firmware) updates for any of Intel’s other Spectre/Meltdown vulnerabilities.

        I’ll have to live with the fact that MS has not followed its Security Only policy when that telemetry was pushed out in a Security Only update (July 2019) that was not Security Only. And any further telemetry pushed out in any later Security Only updates will keep those updates from getting installed on my laptops.

        If MS was really concerned about Security they maybe should include that Security Only portion that addresses the new Vulnerability in the Aug 2019 Security Only update as well to catch the folks that will never install KB4507456 (Win7 SO) that has that Telemetry included. If the Aug Security Only patch is of the Non Security Only variety then it’s getting skipped as well.

        I’m not playing a game of telemetry whack-a-mole with MS and its “Security Only” updating policy that comes with telemetry inside.

      • #1904626

        Microfix
        Da Boss

        Have there been ANY reports of Meltdown/Spectre attacks in the last 30 months?
        I wonder what view @canadian-tech has on this since he hasn’t patched 130+ Win7 PCs beyond May 2017.

        ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

        3 users thanked author for this post.
      • #1904683

        GoneToPlaid
        AskWoody Plus

        I am Win7 Group B. On both of my Win7 computers, the KB3953664 functionality (Compatibility Appraiser) included in KB4507456 did not change my disabled CEIP settings, and no data was transmitted to MS overnight. If one is really paranoid, it looks like one can follow the already posted instructions for completely disabling the two related tasks in Task Manager. Personally, I see no real need to disable these two tasks, unless someone can show that these two tasks do more than simply gathering information about all installed programs, device drivers, and all installed updates.

        4 users thanked author for this post.
        • #1904725

          abbodi86
          AskWoody_MVP

          What’s the point of letting it gather the information? It’s only valuable if you intend to upgrade or want to share it with Microsoft for CEIP.

          4 users thanked author for this post.
        • #1904724

          anonymous

          Security Only should be Security Only, and MS is the one that has to come clean about why they thought it necessary to add any non-security-related software in a Security Only patch.

          Just having any of that functionality on my systems is a no go! And what’s to prevent the same kind of constant re-enabling and re-disabling game for the users of Windows 7 that the users of Windows 10 have to constantly play to keep all of that nonsense turned off?

          From the looks of it this new Spectre/Meltdown issue does not affect AMD’s CPUs and may only affect Intel’s CPUs, but more testing will be needed.  And I cannot stress enough how much I wish that some Linux OS laptop OEM would begin offering Linux OS laptops with AMD’s Zen/Vega APUs inside and Intel’s CPUs not required.

          • #1904854

            Susan Bradley
            AskWoody MVP

            Has anyone thought that maybe the telemetry code had security vulnerabilities?

            Susan Bradley Patch Lady

            4 users thanked author for this post.
            • #1904881

              abbodi86
              AskWoody_MVP

              It would not hurt to announce that then.
              Plus, the telemetry code should not exist in the first place to need patching;
              it’s like installing the IE11 cumulative when you didn’t install IE11 itself.

              I think the addition of telemetry appraiser components is intended for enterprises that use the Security-Only scenario and the Upgrade Readiness project,

              since it needs the appraiser to work, but KB2952664 stopped being updated separately when they included it with the Monthly Rollup in late 2018.

              1 user thanked author for this post.
            • #1904936

              mn–
              AskWoody Lounger

              I’m fairly sure I actually did mention that somewhere around here, the other day… and how the current security-only patch has to apply on top of intermediate rollups too, which would already have the telemetry.

            • #1905184

              abbodi86
              AskWoody_MVP

              Why does it have to, exactly?
              The two models should be used separately, either rollup or security only.

            • #1905356

              Susan Bradley
              AskWoody MVP

              One would think so, but if they thought that customers had opted into the telemetry patch…  There are a lot of enterprises right now that are in the process of moving to 10.  So if they are security only and if they had the telemetry patches on, sometimes Microsoft tries to be Patch God.

              All of this is theory of course and should not be relied upon as being fact.

              Susan Bradley Patch Lady

            • #1905954

              walker
              AskWoody Lounger

              @mn: Noted your comment, and hope that all will continue to go well with that KB4507449. I am unable to attempt to do that one (because of its telemetry, and I have no way to create an off-computer back-up). Good luck to you with this!

        • #1904809

          Bill C.
          AskWoody Plus

          GTP, Thanks for the patching info.

          Finally a Spectre/Meltdown related patch that allegedly works on Win7 and does not list a firmware requirement.

          ~~ Group B, Win7-64Pro on Intel DX58SO2 MB, i7-960 CPU, 12GB Ram, wired ethernet ~~

          I too installed the July SO and IE installed manually, with all the Office 2010, and the Net.4.7.1 Cumulative using WU.

          I found only that two items in CEIP (and their triggers) were reactivated. They were the KernelCeipTask and the Consolidator. The UsbCeip task was left disabled. Neither task executed or ran, and both have been re-disabled, including their triggers. It has been 7 days since the patching and all settings have remained the same in Tasks and WU.

          I did find after the SO, WU now presented the Update for Windows 7 for x64-based Systems (KB3150513), which provides the latest set of definitions for compatibility diagnostics that are performed on the system. If you did not have KB2952664, this would not appear, but with the capabilities in the SO, it now appeared. Listed as Optional, unchecked. This has never been offered before. From the MS website, “This update will be offered only if the following prerequisite updates are installed: On Windows 7 Service Pack 1 (SP1): update 2952664.”

          I did NOT install it. End result, no issues with the July updates here.

          After updating, Media Player again wanted to re-configure, and now appears to have again reverted back to not allowing data retrieval for populating the tracks on CD rips. That happened a while ago, and then I found the capability had returned, so I ripped some more of the collection, and now it is gone again. Need to find a good open-source ripper with that capability.

          I watched a colleague do his group A update and would love the simplicity, but while I remain concerned about telemetry, I am now more concerned about a ‘disabling’ patch that limits some of Win7 functionality after EOL or removes the ability to turn off WU.

          2 users thanked author for this post.
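          An added example, not from Bill C.'s post or from AskWoody, that turns the manual check described above into a script: it reports whether the July 2019 Security Only updates named upthread (KB4507456 for Win7, KB4507457 for Win8.1) are installed, and prints the enabled/disabled state and last run of the CEIP tasks (Consolidator, KernelCeipTask, UsbCeip). It assumes PowerShell 3 or later, and that the two Compatibility Appraiser task names in the Application Experience folder are the standard ones; schtasks.exe is used instead of Get-ScheduledTask so that it also runs on Windows 7.

```powershell
# Added example (not from the thread): report patch state and CEIP/appraiser task state.
# Assumptions: PowerShell 3+; standard task folder and task names on Windows 7/8.1.

$Kbs = 'KB4507456', 'KB4507457'   # July 2019 Security Only updates named in the thread (Win7 / Win8.1)

$Tasks = @(
    '\Microsoft\Windows\Customer Experience Improvement Program\Consolidator',
    '\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask',
    '\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip',
    # Assumed names of the two Compatibility Appraiser tasks discussed above
    '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser',
    '\Microsoft\Windows\Application Experience\ProgramDataUpdater'
)

function Get-KbState {
    param([string[]]$Ids)
    foreach ($id in $Ids) {
        # Get-HotFix queries the same installed-update list WU shows under "Installed Updates"
        $hf = Get-HotFix -Id $id -ErrorAction SilentlyContinue
        [pscustomobject]@{
            KB          = $id
            Installed   = [bool]$hf
            InstalledOn = if ($hf) { $hf.InstalledOn } else { $null }
        }
    }
}

function Get-TaskState {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # /V adds the "Scheduled Task State" column (Enabled/Disabled); CSV output is easy to parse.
        $csv = schtasks.exe /Query /TN $name /FO CSV /V 2>$null
        if ($LASTEXITCODE -ne 0 -or -not $csv) {
            [pscustomobject]@{ Task = $name; State = 'not present'; LastRun = $null; LastResult = $null }
            continue
        }
        # A task with several triggers yields several rows; the state is the same on each.
        $row = $csv | ConvertFrom-Csv | Select-Object -First 1
        [pscustomobject]@{
            Task       = $name
            State      = $row.'Scheduled Task State'
            LastRun    = $row.'Last Run Time'
            LastResult = $row.'Last Result'
        }
    }
}

Get-KbState -Ids $Kbs | Format-Table -AutoSize
Get-TaskState -Names $Tasks | Format-Table -AutoSize

# To put a task that an update switched back on back to Disabled (run from an elevated prompt):
# Get-TaskState -Names $Tasks | Where-Object { $_.State -eq 'Enabled' } |
#     ForEach-Object { schtasks.exe /Change /TN $_.Task /Disable }
```

Run it once before and once after a patch cycle and compare the two outputs; a task whose state flips from Disabled to Enabled, or whose LastRun changes, is exactly the behaviour the post above is watching for.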
          • #1904857

            Susan Bradley
            AskWoody MVP

            Keep in mind that Windows 7 will have tons of businesses that will pay for extended security patches.  Like Windows XP, they won’t disable functionality of anything.  Too many companies still use it.

            I’m going to be horrible Susan here.  If you really think Microsoft is that devious, should you still be running Windows at all?  If you think they are that potentially evil to shove out a disabling patch perhaps moving to a platform where you trust the vendor completely would be a wise move?  Operating systems are complicated and there’s no way any of us can fully know what they do.  If you don’t trust the vendor, you don’t trust the vendor and it’s time to move on.

            Apologize in advance, no disrespect intended, I just know each one of us personally have to get to a trust place and if you don’t trust, you should question if you should run the platform.  You know what I mean?

            Susan Bradley Patch Lady

            5 users thanked author for this post.
          • #1904919

            GoneToPlaid
            AskWoody Plus

            I still don’t see that MS is providing Spectre protection in Win7 — only Meltdown protection.

      • #1904742

        samak
        AskWoody Plus

        Isn’t it KB2952664, not 3953664 ?

        W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

        1 user thanked author for this post.
    • #1904732

      John
      AskWoody Lounger

      Eventually everyone will be on board with just turning off hyperthreading. Only a few have been honest enough to admit this is the only real solution. Of course in some UEFI you can’t turn it off. I find in some newer HP laptops there is no option to adjust any CPU features. Personally I want to see real-world attacks before getting too concerned. Most of these exploits are too complicated for hackers to consider, at least for personal PCs or workstations.

      2 users thanked author for this post.
      • #1904740

        zero2dash
        AskWoody Lounger

        Cripple my CPUs by halving the threads?
        Thanks but no thanks; that will never be an option IMHO.
        I’ll deal with the performance loss from accepting the microcode update, which in the end is surely less than the performance loss if one disables HT.

        2 users thanked author for this post.
        • #1905440

          Ascaris
          AskWoody_MVP

          From what I have gathered, it seems like the microcode updates alone don’t cause very much of a performance hit.  The biggest hit is in the OS-level changes needed to mitigate Spectre, which work (AFAIK!) in conjunction with the microcode changes.  The OS-level changes have caused severe performance losses in some use cases.

          I’ve tried to find benchmark data of just the microcode changes on older (pre-Spectre) OS/kernel releases, but I have not found much.  The ones I have seen tend to show the old microcode with the old OS, the new OS with the old microcode, and the new OS with the new microcode.

          I personally am not concerned about Spectre or any other side-channel exploits at present.  I have some doubt that they will ever be seen in the wild; they’re hard to exploit, and even if they are successfully performed, the data that’s revealed is random, and may or may not contain anything worth the effort.

          The malware authors know that many (expensive, in terms of performance) fixes have been pushed out there in the hysteria over these vulnerabilities.  The most likely vector for these attacks would be javascript on compromised websites, and that would mean that browser vendors could harden their products against the known attacks, once there are some, and the same goes for anti-malware programs.  In addition, the kinds of behavior that scripts would have to engage in to exploit Spectre would be relatively easy to detect heuristically.

          All of this makes it unlikely, IMO, that any widespread attack of the side-channel vulnerabilities will materialize anytime soon.  If I hear about such an exploit in the wild, I will have to consider what needs to be done to limit its threat, but until that happens, it’s all hypothetical.  I’m not about to make my PCs run noticeably slower just to mitigate a threat that doesn’t even exist yet!  I’m leaving hyperthreading on in my Dell G3 (i7 hexacore) and disabling the more performance-robbing kernel mitigations on my performance-challenged and ironically named Acer Swift, which needs all the performance it can get.  I’ll put the shields fully up once a threat is identified!


          Group "L" (KDE Neon User Edition 5.17.4).

          1 user thanked author for this post.
    • #1904815

      Bill C.
      AskWoody Plus

      Eventually everyone will be on board with just turning off hyperthreading. Only a few have been honest enough to admit this is the only real solution. Of course in some UEFI you can’t turn it off. I find in some newer HP laptops there is no option to adjust any CPU features. Personally I want to see real-world attacks before getting too concerned. Most of these exploits are too complicated for hackers to consider, at least for personal PCs or workstations.

      That is why my new build has targeted the Intel i7-9700K CPU. 8 cores, no HT.

      1 user thanked author for this post.
    • #1904858

      DriftyDonN
      AskWoody Plus

      Eventually everyone will be on board with just turning off hyperthreading. Only a few have been honest enough to admit this is the only real solution. Of course in some UEFI you can’t turn it off. I find in some newer HP laptops there is no option to adjust any CPU features. Personally I want to see real-world attacks before getting too concerned. Most of these exploits are too complicated for hackers to consider, at least for personal PCs or workstations.

      Agree. I have seen Steve Gibson’s utility that disables those patches. He contends the danger is minimal… has ANYONE seen or heard of an attack?

      1 user thanked author for this post.
    • #1904889

      It would be interesting (if only to me, maybe) if someone did an unbiased study regarding CVEs, zero-days and other vulnerabilities vs. actual exploits for them found in the wild on a percentage basis, broken down further by:

      Attack surface:

      A) DNS servers

      B) Enterprise Level Machines and Servers

      C) Small Business Level

      D) Home user Level (C and D are sometimes very similar.)

      The reason I ask this question is I really want to know how much damage has been inflicted, and at what level(s) over the years. I did some research, but turned up very little that was specific.

      Now this statement may tweak a few noses, but there’s an awful lot of money to be made by spreading FUD among the general public by makers of AV and Anti-Malware products.

      (Conclusions would be hard to draw, since severe CVEs get patched, making them unattractive, and even if they are, the smaller fish down the food chain just aren’t worth the effort it takes to bring off a successful exploit.)

      But I wonder if anyone’s ever done a study on this.  Natch, no one wants to play against the house, so to speak; I just wonder if a study like this has ever been done. I don’t expect to find Stuxnet on my machine, but it would be valuable to weigh the shriekings of the AV/Anti-Malware vendors of the world vs. the actual damage inflicted, and at what level, over the years.

      (For C and D above, the variables in user sophistication might render such a study useless.)

      Thoughts?

      (Helmet on, dives in trench.)

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      --
      "...All the people, all the time..." (Peter Ustinov ad-lib from "Logan's Run")

      1 user thanked author for this post.
    • #1904981

      WildBill
      AskWoody Plus

      I’m on Win8.1 and the M$ vulnerability statement says that they released security updates on July 9 to address the Spectre Variant 1 problem. Nice of them to announce on Aug. 6 something they already fixed. Here’s where it relates to me: the security update for my OS is KB4507457. I installed the 64-bit version on Aug. 2, along with the other updates… so I’m already patched? Good to know…

      Also, about Spectre/Meltdown: Intel always talks about the microcode to fix it. I have an Ivy Bridge processor & the microcode is in production. I’ve never seen Intel download the microcode to my machine, through Intel driver updates. How do I know if I have it? Has Microsoft already provided it through an update a while back?

      Windows 8.1, 64-bit, back in Group A... & leaning toward Windows 10 V1909. As long as it's a Lot Less Buggy!
      Wild Bill Rides Again...

      • #1905975

        Ascaris
        AskWoody_MVP

        It would not be an Intel driver update, if it is packaged like previous updates.  It would be a Microsoft update, and I can’t find any reference to any of these being made available for Windows 8.1.  It looks like they’ve reserved those for Windows 10 users, despite Windows 8.1 still being in extended support, which means only security and bug fixes will be provided.  Just not this security update.

        Group "L" (KDE Neon User Edition 5.17.4).
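        An added example, not from Ascaris's reply or from AskWoody, showing the two checks a Windows user can run to answer WildBill's question above: whether the OS sees a Spectre/Meltdown-capable microcode, and which revision of microcode is actually active. It assumes Microsoft's SpeculationControl module has been installed from the PowerShell Gallery (Install-Module SpeculationControl), that its -Quiet switch and the property names used here match the module's current release (check Get-Help Get-SpeculationControlSettings if a name differs), and that the "Update Revision" / "Previous Update Revision" registry values carry the raw microcode-revision bytes as Windows records them at boot.

```powershell
# Added example (not from the thread): what Spectre/Meltdown protection is actually active.
# Assumptions: SpeculationControl module installed; PowerShell 3+; registry value layout as described.

function Get-MicrocodeRevisionInfo {
    # Windows writes two values per logical CPU at boot: "Previous Update Revision" is the
    # microcode revision the firmware loaded, "Update Revision" is what is active after the
    # OS applied its own mcupdate_*.dll payload (if it had one for this CPU).
    $cpu0 = Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    $toHex = { param([byte[]]$b) ($b | ForEach-Object { $_.ToString('x2') }) -join '' }
    $firmware = & $toHex $cpu0.'Previous Update Revision'
    $active   = & $toHex $cpu0.'Update Revision'
    [pscustomobject]@{
        Processor        = $cpu0.ProcessorNameString
        FirmwareRevision = $firmware
        ActiveRevision   = $active
        # Assumption: a differing value means Windows supplied newer microcode than the BIOS did.
        OsLoadedNewer    = ($firmware -ne $active)
    }
}

function Get-SpectreMitigationSummary {
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        throw 'Install the SpeculationControl module first: Install-Module SpeculationControl'
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings -Quiet
    [pscustomobject]@{
        # Spectre variant 2 (branch target injection): needs microcode support AND OS support.
        # HardwareSupport = $false with OsSupportPresent = $true is the "no microcode" case.
        BTI_HardwareSupport  = $s.BTIHardwarePresent
        BTI_OsSupportPresent = $s.BTIWindowsSupportPresent
        BTI_OsSupportEnabled = $s.BTIWindowsSupportEnabled
        # Meltdown (rogue data cache load): kernel VA shadowing, purely an OS-side change.
        KVAShadow_Required   = $s.KVAShadowRequired
        KVAShadow_Enabled    = $s.KVAShadowWindowsSupportEnabled
    }
}

Get-MicrocodeRevisionInfo     | Format-List
Get-SpectreMitigationSummary  | Format-List
```

If BTI_HardwareSupport comes back $false while BTI_OsSupportPresent is $true, the OS update is in place but the CPU is running microcode without the new speculation controls, which is the situation Ascaris describes for Windows 8.1 above; only a firmware (BIOS/UEFI) update from the OEM, or a Microsoft microcode package where one exists, changes that.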

    • #2013776

      MrToad28
      AskWoody Lounger

      Loads of patches… more flaws… Intel plays whack-a-mole:

      11/12/19 https://www.extremetech.com/computing/301812-New-Spectre-Related-CPU-Flaw-Tops-Intels-Latest-Critical-Security-Fixes
      77 patches to OEMs and partners as part of its Intel Platform Update program.

      NEW FLAWS 8/6/19 https://www.pcmag.com/news/369990/spectre-meltdown-patches-wont-fix-new-swapgs-intel-flaw

      New secret-spilling flaw affects almost every Intel chip since 2011


      10/18 https://www.digitaltrends.com/computing/intel-9-series-cpu-spectre/

      I’ve been waiting to buy a Win10 PC until the flaws get fixed… looks like a really long wait.

    • #2013816

      DriftyDonN
      AskWoody Plus

      AMD?

