|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
So included in the July patches was another Spectre/Meltdown patch that the information about it is just coming out today. I’m still not convinced th
[See the full post at: Patch Lady – we have another Spectre/Meltdown]
Susan Bradley Patch Lady/Prudent patcher
According to the Windows Kernel Information link documentation, the fix for this vulnerability is contained in July updates KB4507456 (Win7 SO) and KB4507457 (Win8.1 SO).
So that will affect the Win7 Group B patchers who also have to contend with the KB3953664 functionality (Compatibility Appraiser) included in KB4507456 too.
This would seem to leave Group B between a rock and a hard place.
Has there been ANY reports of Meltdown/Spectre attacks in the last 30 months?
I wonder what view @Canadian-Tech has on this since he hasn’t patched 130+ Win7 PC’s beyond May 2017..
I am Win7 Group B. On both of my Win7 computers, the KB3953664 functionality (Compatibility Appraiser) included in KB4507456 did not change my disabled CEIP settings, and no data was transmitted to MS overnight. If one is really paranoid, it looks like one can follow the already posted instructions for completely disabling the two related tasks in Task Manager. Personally, I see no real need to disable these two tasks, unless someone can show that these two tasks do more than simply gathering information about all installed programs, device drivers, and all installed updates.
What’s the point of letting it gather the information? it’s only valuable if you intend to upgrade or want to share it with Microsoft for CEIP
It would not hurt to announce that then
plus, the telemetry code should not exist originally to need patching
it’s like when install IE11 cumulative when you didn’t install IE11 itself
i think the addition of telemetry appraiser components is intended for Enterprises that use Security-Only scenario and Upgrade Readiness project
since it need the appraiser to work, but KB2952664 stopped being updated separately when they included it with Monthly Rollup in late 2018
GTP, Thanks for the patching info.
Finally a Spectre/Meltdown related patch that allegedly works on Win7 and does not list a firmware requirement.
~~ Group B, Win7-64Pro on Intel DX58SO2 MB, i7-960 CPU, 12GB Ram, wired ethernet ~~
I too installed the July SO and IE installed manually, with all the Office 2010, and the Net.4.7.1 Cumulative using WU.
I found only that two items in CEIP (and their triggers) were reactivated. They were the KernalCeipTask and the Consolidator. The UsbCeip task was left disabled. Neither task executed or ran and have been re-disabled, including their triggers. It has been 7 days since the patching and all settings have reamind the same in Tasks and WU.
I did find after the SO, WU now presented the Update for Windows 7 for x64-based Systems (KB3150513), which provides the latest set of definitions for compatibility diagnostics that are performed on the system. If you did not have KB2952664, this would not appear, but with the capabilities in the SO, it now appeared. Listed as Optional, unchecked. This has never been offered before. From the MS website, “This update will be offered only if the following prerequisite updates are installed: On Windows 7 Service Pack 1 (SP1): update 2952664.”
I did NOT install it. End result, no issues with the July updates here.
After updating, Media Player again wanted to re-configure, and now appears to have again reverted back to not allowing data retrieval for populating the tracks on CD rips. That happened a while ago, and then I found the capability had returned, so I ripped some more of the collection, and now it is gone again. Need to find a good open-source ripper with that capability.
I watched a colleague do his group A update and would love the simplicity, but while I remain concerned about telemetry, I am now more concerned about a ‘disabling’ patch that limits some of Win7 functionality after EOL or removes the ability to turn off WU.
Keep in mind that Windows 7 will have tons of businesses that will pay for extended security patches. Like Windows XP, they won’t disable functionality of anything. Too many companies still use it.
I’m going to be horrible Susan here. If you really think Microsoft is that devious, should you still be running Windows at all? If you think they are that potentially evil to shove out a disabling patch perhaps moving to a platform where you trust the vendor completely would be a wise move? Operating systems are complicated and there’s no way any of us can fully know what they do. If you don’t trust the vendor, you don’t trust the vendor and it’s time to move on.
Apologize in advance, no disrespect intended, I just know each one of us personally have to get to a trust place and if you don’t trust, you should question if you should run the platform. You know what I mean?
Susan Bradley Patch Lady/Prudent patcher
Isn’t it KB2952664, not 3953664 ?
Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie
Eventually everyone will be onboard just turning off hyperthreading. Only a few have been honest enough to know this is the only real solution. Of course in some Uefi you can’t turn it off. I find in some newer HP laptops there is no option to adjust any CPU features. Personally I want to see real world attacks before getting to concerned. Most of these exploits are too complicated for hackers to consider at least for personal pc or work stations.
Cripple my CPU’s by halving the threads?
Thanks but no thanks; that will never be an option IMHO.
I’ll deal with the performance loss given by accepting the microcode update – which in the end is surely less than the performance loss if one disables HT.
From what I have gathered, it seems like the microcode updates alone don’t cause very much of a performance hit. The biggest hit is in the OS-level changes needed to mitigate Spectre, which work (AFAIK!) in conjunction with the microcode changes. The OS-level changes have caused severe performance losses in some use cases.
I’ve tried to find benchmark data of just the microcode changes on older (pre-Spectre) OS/kernel releases, but I have not found much. The ones I have seen tend to show the old microcode with the old OS, the new OS with the old microcode, and the new OS with the new microcode.
I personally am not concerned about Spectre or any other side-channel exploits at present. I have some doubt that they will ever be seen in the wild; they’re hard to exploit, and even if they are successfully performed, the data that’s revealed is random, and may or may not contain anything worth the effort.
The malware authors know that many (expensive, in terms of performance) fixes have been pushed out there in the hysteria over these vulnerabilities. The most likely vector for these attacks would be javascript on compromised websites, and that would mean that browser vendors could harden their products against the known attacks, once there are some, and the same goes for anti-malware programs. In addition, the kinds of behavior that scripts would have to engage in to exploit Spectre would be relatively easy to detect heuristically.
All of this makes it unlikely, IMO, that any widespread attack of the side-channel vulnerabilities will materialize anytime soon. If I hear about such an exploit in the wild, I will have to consider what needs to be done to limit its threat, but until that happens, it’s all hypothetical. I’m not about to make my PCs run noticeably slower just to mitigate a threat that doesn’t even exist yet! I’m leaving hyperthreading on in my Dell G3 (i7 hexacore) and disabling the more performance-robbing kernel mitigations on my performance-challenged and ironically named Acer Swift, which needs all the performance it can get. I’ll put the shields fully up once a threat is identified!
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11 for maintenance)
Eventually everyone will be onboard just turning off hyperthreading. Only a few have been honest enough to know this is the only real solution. Of course in some Uefi you can’t turn it off. I find in some newer HP laptops there is no option to adjust any CPU features. Personally I want to see real world attacks before getting to concerned. Most of these exploits are too complicated for hackers to consider at least for personal pc or work stations.
That is why my new build has targeted the Intel i7-9700K CPU. 8 cores, no HT.
Eventually everyone will be onboard just turning off hyperthreading. Only a few have been honest enough to know this is the only real solution. Of course in some Uefi you can’t turn it off. I find in some newer HP laptops there is no option to adjust any CPU features. Personally I want to see real world attacks before getting to concerned. Most of these exploits are too complicated for hackers to consider at least for personal pc or work stations.
agree. I have seen steve gibson utility that removes the disables those patches. He contends the danger is minimal…..has ANYONE seen or heard of an attack?
It would be interesting (if only to me, maybe) if someone did an unbiased study regarding CVE’s, Zero Days and other vulnerabilities vs. actual exploits for them found in the wild on a percentage basis, broken further down by:
Attack surface:
A) DNS servers
B) Enterprise Level Machines and Servers
C) Small Business Level
D) Home user Level (C and D are sometimes very similar.)
The reason I ask this question is I really want to know how much damage has been inflicted, and at what level(s) over the years. I did some research, but turned up very little that was specific.
Now this statement may tweak a few noses, but there’s an awful lot of money to be made by spreading FUD among the general public by makers of AV and Anti-Malware products.
(Conclusions would be hard to draw, since severe CVE’s get patched, making them unattractive, and even if they are, the smaller fish down the food chain just aren’t worth the effort it takes to bring off a successful exploit.)
But I wonder if anyone’s ever done a study on this. Natch, no one wants to play against the house, so to speak; I just wonder if a study like this has ever been done. I don’t expect to find Stuxnet on my machine, but it would be valuable to weigh the AV/Anti-Malware Vendors of the world shriekings vs. the actual damage inflicted, and at what level, over the years
(For C and D above, the variables in user sophistication might render such a study useless.)
Thoughts?
(Helmet on, dives in trench.)
Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"Windows Update? Bah! I could carve a better ecosystem out of a banana!" -Jamrach Holobom
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
