  • Patch Lady – we have another Spectre/Meltdown

    Posted on Susan Bradley Comment on the AskWoody Lounge


    • This topic has 27 replies, 17 voices, and was last updated 6 months ago.
      • #1904428 Reply
        Susan Bradley
        AskWoody MVP

        So included in the July patches was another Spectre/Meltdown patch, the information about which is just coming out today. I’m still not convinced th
        [See the full post at: Patch Lady – we have another Spectre/Meltdown]

        Susan Bradley Patch Lady

        10 users thanked author for this post.
      • #1904623 Reply
        PKCano
        Da Boss

        According to the Windows Kernel Information link documentation, the fix for this vulnerability is contained in July updates KB4507456 (Win7 SO) and KB4507457 (Win8.1 SO).

        So that will affect the Win7 Group B patchers who also have to contend with the KB3953664 functionality (Compatibility Appraiser) included in KB4507456 too.

        This would seem to leave Group B between a rock and a hard place.

        3 users thanked author for this post.
        • #1904624 Reply
          anonymous
          Guest

          I’m not installing KB4507456 (Win7 SO) ever! So I’ll just have to live with that side channel vulnerability that’s probably difficult to pull off anyways. And most of my laptops were not even offered any microcode (firmware) updates for any of Intel’s other Spectre/Meltdown vulnerabilities.

          I’ll have to live with the fact that MS has not followed its Security Only policy when that Telemetry was pushed out in a Security Only update (July 2019) that was not Security Only. And any further Telemetry pushed out in any later Security Only updates will not have those updates getting installed on my laptops.

          If MS were really concerned about security, maybe they should include that Security Only portion that addresses the new vulnerability in the Aug 2019 Security Only update as well, to catch the folks that will never install KB4507456 (Win7 SO) that has that Telemetry included. If the Aug Security Only patch is of the Non Security Only variety then it’s getting skipped as well.

          I’m not playing a game of Telemetry whack-a-mole with MS and its “Security Only” updating policy that comes with Telemetry inside.

        • #1904626 Reply
          Microfix
          AskWoody MVP

          Have there been ANY reports of Meltdown/Spectre attacks in the last 30 months?
          I wonder what view @Canadian-Tech has on this since he hasn’t patched 130+ Win7 PCs beyond May 2017..

          Win7 Pro x86/x64 | Win8.1 Pro x64 | Linux Hybrids x86/x64 |
          3 users thanked author for this post.
        • #1904683 Reply
          GoneToPlaid
          AskWoody Plus

          I am Win7 Group B. On both of my Win7 computers, the KB3953664 functionality (Compatibility Appraiser) included in KB4507456 did not change my disabled CEIP settings, and no data was transmitted to MS overnight. If one is really paranoid, it looks like one can follow the already posted instructions for completely disabling the two related tasks in Task Manager. Personally, I see no real need to disable these two tasks, unless someone can show that these two tasks do more than simply gathering information about all installed programs, device drivers, and all installed updates.

          4 users thanked author for this post.
          • #1904725 Reply
            abbodi86
            AskWoody_MVP

            What’s the point of letting it gather the information? It’s only valuable if you intend to upgrade or want to share it with Microsoft for CEIP.

            4 users thanked author for this post.
          • #1904724 Reply
            anonymous
            Guest

            Security Only should be Security Only, and MS is the one that’s having to come clean with why they thought it necessary to add any non-security-related software in a Security Only patch.

            Just having any of that functionality on my systems is a no go! And what’s to prevent the same kind of constant re-enabling and re-disabling game for the users of Windows 7 that the users of Windows 10 have to constantly play to keep all of that nonsense turned off?

            From the looks of it this new Spectre/Meltdown issue does not affect AMD’s CPUs and may only affect Intel’s CPUs, but more testing will be needed. And I cannot stress enough how much I wish that some Linux OS laptop OEM would begin offering Linux OS laptops with AMD’s Zen/Vega APUs inside and Intel’s CPUs not required.

            • #1904854 Reply
              Susan Bradley
              AskWoody MVP

              Has anyone thought that maybe the telemetry code had security vulnerabilities?

              Susan Bradley Patch Lady

              4 users thanked author for this post.
              • #1904881 Reply
                abbodi86
                AskWoody_MVP

                It would not hurt to announce that then.
                Plus, the telemetry code should not exist originally to need patching.
                It’s like installing the IE11 cumulative when you didn’t install IE11 itself.

                I think the addition of telemetry appraiser components is intended for Enterprises that use the Security-Only scenario and the Upgrade Readiness project,

                since it needs the appraiser to work, but KB2952664 stopped being updated separately when they included it with the Monthly Rollup in late 2018.

                1 user thanked author for this post.
              • #1904936 Reply
                mn–
                AskWoody Lounger

                I’m fairly sure I actually did mention that somewhere around here, the other day… and how the current security-only patch has to apply on top of intermediate rollups too, which would already have the telemetry.

              • #1905184 Reply
                abbodi86
                AskWoody_MVP

                Why does it have to, exactly?
                The two models should be used separately, either rollup or security only.

              • #1905356 Reply
                Susan Bradley
                AskWoody MVP

                One would think so, but if they thought that customers had opted into the telemetry patch. There’s a lot of enterprises right now that are in the process of moving to 10. So if they are security only and if they had the telemetry patches on, sometimes Microsoft tries to be Patch G**.

                All of this is theory of course and should not be relied upon as being fact.

                Susan Bradley Patch Lady

              • #1905954 Reply
                walker
                AskWoody Lounger

                @mn: Noted your comment, and hope that all will continue to go well with that KB4507449. I am unable to attempt to do that one (because of its telemetry, and I have no way to create an off-computer backup). Good luck to you with this!

          • #1904809 Reply
            Bill C.
            AskWoody Plus

            GTP, Thanks for the patching info.

            Finally a Spectre/Meltdown related patch that allegedly works on Win7 and does not list a firmware requirement.

            ~~ Group B, Win7-64Pro on Intel DX58SO2 MB, i7-960 CPU, 12GB Ram, wired ethernet ~~

            I too installed the July SO and IE installed manually, with all the Office 2010, and the Net.4.7.1 Cumulative using WU.

            I found only that two items in CEIP (and their triggers) were reactivated. They were the KernelCeipTask and the Consolidator. The UsbCeip task was left disabled. Neither task executed or ran, and both have been re-disabled, including their triggers. It has been 7 days since the patching and all settings have remained the same in Tasks and WU.

            I did find after the SO, WU now presented the Update for Windows 7 for x64-based Systems (KB3150513), which provides the latest set of definitions for compatibility diagnostics that are performed on the system. If you did not have KB2952664, this would not appear, but with the capabilities in the SO, it now appeared. Listed as Optional, unchecked. This has never been offered before. From the MS website, “This update will be offered only if the following prerequisite updates are installed: On Windows 7 Service Pack 1 (SP1): update 2952664.”

            I did NOT install it. End result, no issues with the July updates here.

            After updating, Media Player again wanted to re-configure, and now appears to have again reverted back to not allowing data retrieval for populating the tracks on CD rips. That happened a while ago, and then I found the capability had returned, so I ripped some more of the collection, and now it is gone again. Need to find a good open-source ripper with that capability.

            I watched a colleague do his group A update and would love the simplicity, but while I remain concerned about telemetry, I am now more concerned about a ‘disabling’ patch that limits some of Win7 functionality after EOL or removes the ability to turn off WU.

            2 users thanked author for this post.
            • #1904857 Reply
              Susan Bradley
              AskWoody MVP

              Keep in mind that Windows 7 will have tons of businesses that will pay for extended security patches.  Like Windows XP, they won’t disable functionality of anything.  Too many companies still use it.

              I’m going to be horrible Susan here.  If you really think Microsoft is that devious, should you still be running Windows at all?  If you think they are that potentially evil to shove out a disabling patch perhaps moving to a platform where you trust the vendor completely would be a wise move?  Operating systems are complicated and there’s no way any of us can fully know what they do.  If you don’t trust the vendor, you don’t trust the vendor and it’s time to move on.

              Apologies in advance, no disrespect intended; I just know each one of us personally has to get to a trust place, and if you don’t trust, you should question whether you should run the platform. You know what I mean?

              Susan Bradley Patch Lady

              5 users thanked author for this post.
            • #1904919 Reply
              GoneToPlaid
              AskWoody Plus

              I still don’t see that MS is providing Spectre protection in Win7 — only Meltdown protection.
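
As an added example (not code from any post in this thread, nor from Microsoft), here is a PowerShell audit of the tasks Bill C. and GoneToPlaid describe checking after the July Security-Only update. It lists the state and last run of the CEIP and Application Experience scheduled tasks, reports whether the updates named in the thread are installed, and can re-disable any task the patch turned back on. It assumes an elevated PowerShell on Windows 7 or 8.1 and the standard task paths under Task Scheduler Library\Microsoft\Windows; it uses schtasks.exe because the ScheduledTasks module is not available on Windows 7.

```powershell
# Added example, not code from this thread or from Microsoft. Audits the Customer
# Experience Improvement Program (CEIP) and Application Experience scheduled tasks
# that posts above report being re-enabled by KB4507456, and checks whether the
# appraiser-related KBs are installed. Assumptions: elevated PowerShell on
# Windows 7/8.1; the task paths are the standard ones under
# Task Scheduler Library\Microsoft\Windows. schtasks.exe is used because the
# ScheduledTasks module does not exist on Windows 7.

$CeipTasks = @(
    '\Microsoft\Windows\Customer Experience Improvement Program\Consolidator',
    '\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask',
    '\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip',
    '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser',
    '\Microsoft\Windows\Application Experience\ProgramDataUpdater'
)

function Get-TaskState {
    param([string]$TaskName)
    # /V adds the "Scheduled Task State" (Enabled/Disabled) and "Last Result" columns.
    $csv = & schtasks.exe /Query /TN $TaskName /FO CSV /V 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $csv) {
        return New-Object PSObject -Property @{
            Task = $TaskName; State = 'not present'; LastRun = $null; LastResult = $null
        }
    }
    $row = $csv | ConvertFrom-Csv | Select-Object -First 1
    New-Object PSObject -Property @{
        Task       = $TaskName
        State      = $row.'Scheduled Task State'
        LastRun    = $row.'Last Run Time'
        LastResult = $row.'Last Result'
    }
}

function Disable-TaskIfEnabled {
    param([string]$TaskName)
    # A disabled task does not fire on any of its triggers, so the triggers need
    # no separate editing.
    $state = Get-TaskState $TaskName
    if ($state.State -eq 'Enabled') {
        & schtasks.exe /Change /TN $TaskName /Disable | Out-Null
        return "disabled $TaskName"
    }
    return "left $TaskName ($($state.State))"
}

# Which of the updates discussed in the thread are installed on this machine?
'KB4507456', 'KB2952664', 'KB3150513' | ForEach-Object {
    $hf = Get-HotFix -Id $_ -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{ KB = $_; Installed = [bool]$hf }
} | Format-Table KB, Installed -AutoSize

# Report the current state of every task in the list.
$CeipTasks | ForEach-Object { Get-TaskState $_ } |
    Format-Table Task, State, LastRun, LastResult -AutoSize

# Uncomment to enforce the disabled state again after each patch cycle:
# $CeipTasks | ForEach-Object { Disable-TaskIfEnabled $_ }
```

Running the report before and after a Security-Only install shows exactly which tasks a patch flipped back on, which is the comparison Bill C. did by hand; the "Last Run Time" column is the quick way to confirm a re-enabled task never actually executed before it was disabled again.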

        • #1904742 Reply
          samak
          AskWoody Plus

          Isn’t it KB2952664, not 3953664 ?

          W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

          1 user thanked author for this post.
      • #1904732 Reply
        John
        AskWoody Lounger

        Eventually everyone will be onboard just turning off hyperthreading. Only a few have been honest enough to know this is the only real solution. Of course in some UEFI you can’t turn it off. I find in some newer HP laptops there is no option to adjust any CPU features. Personally I want to see real world attacks before getting too concerned. Most of these exploits are too complicated for hackers to consider, at least for personal PCs or workstations.

        2 users thanked author for this post.
        • #1904740 Reply
          zero2dash
          AskWoody Lounger

          Cripple my CPUs by halving the threads?
          Thanks but no thanks; that will never be an option IMHO.
          I’ll deal with the performance loss given by accepting the microcode update – which in the end is surely less than the performance loss if one disables HT.

          2 users thanked author for this post.
          • #1905440 Reply
            Ascaris
            AskWoody_MVP

            From what I have gathered, it seems like the microcode updates alone don’t cause very much of a performance hit.  The biggest hit is in the OS-level changes needed to mitigate Spectre, which work (AFAIK!) in conjunction with the microcode changes.  The OS-level changes have caused severe performance losses in some use cases.

            I’ve tried to find benchmark data of just the microcode changes on older (pre-Spectre) OS/kernel releases, but I have not found much.  The ones I have seen tend to show the old microcode with the old OS, the new OS with the old microcode, and the new OS with the new microcode.

            I personally am not concerned about Spectre or any other side-channel exploits at present.  I have some doubt that they will ever be seen in the wild; they’re hard to exploit, and even if they are successfully performed, the data that’s revealed is random, and may or may not contain anything worth the effort.

            The malware authors know that many (expensive, in terms of performance) fixes have been pushed out there in the hysteria over these vulnerabilities.  The most likely vector for these attacks would be JavaScript on compromised websites, and that would mean that browser vendors could harden their products against the known attacks, once there are some, and the same goes for anti-malware programs.  In addition, the kinds of behavior that scripts would have to engage in to exploit Spectre would be relatively easy to detect heuristically.

            All of this makes it unlikely, IMO, that any widespread attack of the side-channel vulnerabilities will materialize anytime soon.  If I hear about such an exploit in the wild, I will have to consider what needs to be done to limit its threat, but until that happens, it’s all hypothetical.  I’m not about to make my PCs run noticeably slower just to mitigate a threat that doesn’t even exist yet!  I’m leaving hyperthreading on in my Dell G3 (i7 hexacore) and disabling the more performance-robbing kernel mitigations on my performance-challenged and ironically named Acer Swift, which needs all the performance it can get.  I’ll put the shields fully up once a threat is identified!

             

            Group "L" (KDE Neon User Edition 5.18.5).

            1 user thanked author for this post.
      • #1904815 Reply
        Bill C.
        AskWoody Plus

        Eventually everyone will be onboard just turning off hyperthreading. Only a few have been honest enough to know this is the only real solution. Of course in some UEFI you can’t turn it off. I find in some newer HP laptops there is no option to adjust any CPU features. Personally I want to see real world attacks before getting too concerned. Most of these exploits are too complicated for hackers to consider, at least for personal PCs or workstations.

        That is why my new build has targeted the Intel i7-9700K CPU. 8 cores, no HT.

        1 user thanked author for this post.
      • #1904858 Reply
        DriftyDonN
        AskWoody Plus

        Eventually everyone will be onboard just turning off hyperthreading. Only a few have been honest enough to know this is the only real solution. Of course in some UEFI you can’t turn it off. I find in some newer HP laptops there is no option to adjust any CPU features. Personally I want to see real world attacks before getting too concerned. Most of these exploits are too complicated for hackers to consider, at least for personal PCs or workstations.

        Agree. I have seen the Steve Gibson utility that disables those patches. He contends the danger is minimal... has ANYONE seen or heard of an attack?

        "Vision without action is a daydream. Action without vision is a nightmare."

        1 user thanked author for this post.
      • #1904889 Reply

        It would be interesting (if only to me, maybe) if someone did an unbiased study regarding CVEs, zero days and other vulnerabilities vs. actual exploits for them found in the wild on a percentage basis, broken further down by:

        Attack surface:

        A) DNS servers

        B) Enterprise Level Machines and Servers

        C) Small Business Level

        D) Home user Level (C and D are sometimes very similar.)

        The reason I ask this question is I really want to know how much damage has been inflicted, and at what level(s) over the years. I did some research, but turned up very little that was specific.

        Now this statement may tweak a few noses, but there’s an awful lot of money to be made by spreading FUD among the general public by makers of AV and Anti-Malware products.

        (Conclusions would be hard to draw, since severe CVEs get patched, making them unattractive, and even if they are, the smaller fish down the food chain just aren’t worth the effort it takes to bring off a successful exploit.)

        But I wonder if anyone’s ever done a study on this. Natch, no one wants to play against the house, so to speak; I just wonder if a study like this has ever been done. I don’t expect to find Stuxnet on my machine, but it would be valuable to weigh the shriekings of the AV/Anti-Malware vendors of the world vs. the actual damage inflicted, and at what level, over the years.

        (For C and D above, the variables in user sophistication might render such a study useless.)

        Thoughts?

        (Helmet on, dives in trench.)

        Win7 Pro SP1 64-bit ESU, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Patch List", Multiple Air-Gapped backup drives in different locations, "Don't auto-check for updates-Full Manual Mode."
        --
        "A committee is the only known form of life that has at least six legs and no brain."

        -Robert Heinlein

        1 user thanked author for this post.
      • #1904981 Reply
        WildBill
        AskWoody Plus

        I’m on Win8.1 & the M$ vulnerability statement says that they released security updates on July 9 to address the Spectre Variant 1 problem. Nice of them to announce on Aug. 6 something they already fixed. Here’s where it relates to me: The security update for my OS is KB4507457. I installed the 64-bit version on Aug. 2, along with the other updates… so I’m already patched? Good to know…

        Also, about Spectre/Meltdown: Intel always talks about the microcode to fix it. I have an Ivy Bridge processor & the microcode is in production. I’ve never seen Intel download the microcode to my machine, through Intel driver updates. How do I know if I have it? Has Microsoft already provided it through an update a while back?

        Windows 8.1, 64-bit, back in Group A... & leaning toward Windows 10 V2004. As long as it's a Lot Less Buggy!
        Wild Bill Rides Again...

        • #1905975 Reply
          Ascaris
          AskWoody_MVP

          It would not be an Intel driver update, if it is packaged like previous updates.  It would be a Microsoft update, and I can’t find any reference to any of these being made available for Windows 8.1.  It looks like they’ve reserved those for Windows 10 users, despite Windows 8.1 still being in extended support, which means only security and bug fixes will be provided.  Just not this security update.

          Group "L" (KDE Neon User Edition 5.18.5).
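
As an added example, not from this thread or from Microsoft, the following PowerShell script answers WildBill’s question locally: whether KB4507457 (Win8.1) or KB4507456 (Win7) is installed, which microcode revision the CPU is running and whether the OS rather than the firmware loaded it, whether hyperthreading is active (the trade-off John and zero2dash discuss above), and, if Microsoft’s SpeculationControl module is installed, what it reports for the OS-level mitigations. It assumes PowerShell 2.0 or later on Windows 7/8.1 and an Intel CPU; the registry layout it reads (the 64-bit IA32_BIOS_SIGN_ID value under "Update Revision" with the revision in the upper four bytes, and "Previous Update Revision" holding the firmware-loaded revision) is an assumption of this example, not something stated in the thread.

```powershell
# Added example, not code from this thread or from Microsoft. Reports the local
# machine's position on the questions raised in the thread: are the July 2019
# Spectre updates installed, what microcode revision is the CPU running and did
# the OS (not the firmware) load it, is hyperthreading active, and what does the
# SpeculationControl module say about the OS-level mitigations, if it is installed.
# Assumptions: PowerShell 2.0 or later on Windows 7/8.1; an Intel CPU, for which
# Windows stores the 64-bit IA32_BIOS_SIGN_ID MSR under "Update Revision" with the
# microcode revision in the upper four bytes (an assumption of this example).

function Get-InstalledKB {
    param([string[]]$Ids)
    foreach ($id in $Ids) {
        $hf = Get-HotFix -Id $id -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            KB          = $id
            Installed   = [bool]$hf
            InstalledOn = $(if ($hf) { $hf.InstalledOn } else { $null })
        }
    }
}

function Get-MicrocodeRevision {
    $cpu = Get-ItemProperty -Path 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    $current = [BitConverter]::ToUInt32($cpu.'Update Revision', 4)
    # "Previous Update Revision", where present, is the revision the firmware had
    # loaded before Windows applied its own microcode file (assumed layout, as above).
    $previous = $null
    if ($cpu.PSObject.Properties['Previous Update Revision']) {
        $previous = [BitConverter]::ToUInt32($cpu.'Previous Update Revision', 4)
    }
    New-Object PSObject -Property @{
        Processor         = $cpu.ProcessorNameString
        Identifier        = $cpu.Identifier
        RunningRevision   = '0x{0:X}' -f $current
        FirmwareRevision  = $(if ($previous -ne $null) { '0x{0:X}' -f $previous } else { 'n/a' })
        OsLoadedMicrocode = ($previous -ne $null -and $previous -ne $current)
    }
}

function Get-HyperThreadingState {
    # More logical processors than cores means SMT/hyperthreading is enabled in firmware.
    $p = Get-WmiObject -Class Win32_Processor | Select-Object -First 1
    New-Object PSObject -Property @{
        Cores             = $p.NumberOfCores
        LogicalProcessors = $p.NumberOfLogicalProcessors
        HyperThreading    = ($p.NumberOfLogicalProcessors -gt $p.NumberOfCores)
    }
}

Get-InstalledKB -Ids 'KB4507457', 'KB4507456' | Format-Table KB, Installed, InstalledOn -AutoSize
Get-MicrocodeRevision | Format-List Processor, Identifier, RunningRevision, FirmwareRevision, OsLoadedMicrocode
Get-HyperThreadingState | Format-List Cores, LogicalProcessors, HyperThreading

# Microsoft's SpeculationControl module (PowerShell Gallery) reports whether the
# kernel-side mitigations are present and enabled; skipped if it is not installed.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings
} else {
    Write-Host 'SpeculationControl module not found; install it with: Install-Module SpeculationControl'
}
```

If RunningRevision equals FirmwareRevision (or "Previous Update Revision" is absent), no microcode was loaded by Windows on this machine, which is the case Ascaris describes for 8.1; a differing RunningRevision means Windows applied its own microcode file at boot. The KB check only tells you the OS-side patch is present, not that the hardware side is covered, which is why the SpeculationControl output is worth reading alongside it.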

      • #2013776 Reply
        MrToad28
        AskWoody Lounger

        Loads of patches..more flaws..Intel plays whack-a-mole:

        11/12/19 https://www.extremetech.com/computing/301812-New-Spectre-Related-CPU-Flaw-Tops-Intels-Latest-Critical-Security-Fixes
        77 patches to OEMs and partners as part of its Intel Platform Update program.

        NEW FLAWS 8/6/19 https://www.pcmag.com/news/369990/spectre-meltdown-patches-wont-fix-new-swapgs-intel-flaw

        New secret-spilling flaw affects almost every Intel chip since 2011


        10/18 https://www.digitaltrends.com/computing/intel-9-series-cpu-spectre/

        I’ve been waiting to buy a Win10 PC until flaws get fixed..looks like a really long wait.

      • #2013816 Reply
        DriftyDonN
        AskWoody Plus

        AMD?

        "Vision without action is a daydream. Action without vision is a nightmare."
