Patch Lady – we have another Spectre/Meltdown

Topic

New Reply

So included in the July patches was another Spectre/Meltdown patch that the information about it is just coming out today.  I’m still not convinced th
[See the full post at: Patch Lady – we have another Spectre/Meltdown]

Susan Bradley Patch Lady

10 users thanked author for this post.

Lori, SueW, CADesertRat, Myst, Microfix, PKCano, woody, Fred, satrow, Elly

Reply | Quote

Replies

According to the Windows Kernel Information link documentation, the fix for this vulnerability is contained in July updates KB4507456 (Win7 SO) and KB4507457 (Win8.1 SO).

So that will affect the Win7 Group B patchers who also have to contend with the KB3953664 functionality (Compatibility Appraiser) included in KB4507456 too.

This would seem to leave Group B between a rock and a hard place.

3 users thanked author for this post.

Lori, walker, Microfix

Reply | Quote

I’m not installing KB4507456 (Win7 SO) ever! So I’ll just have to live with that side channel vulnerability that’s probably difficult to pull off anyways. And most of my laptops where not even offered any microcode(Firmware) updates for any of Intel’s other Spectre/Meltdown vulnerabilities.

I’ll have to live with the fact that MS has not followed its Security Only policy when that Telemetry was pushed out in a Security Only update(July 2019) that was not Security Only. And any further Telemetry pushed out in any later Security Only updates will not have those updates getting installed on my laptops.

If MS was really concerned about Security they maybe should include that Security Only portion that addresses the new Vulnerability in the Aug 2019 Security Only update as well to catch the folks that will never install KB4507456 (Win7 SO) that has that Telemetry included. If the Aug Security Only patch is of the Non Security Only variety then it’s getting skipped as well.

I’m not playing a game of Telemetry whack-a-mole with MS and it’s “Security Only” updating policy that comes with Telemetry inside.

Reply | Quote

Has there been ANY reports of Meltdown/Spectre attacks in the last 30 months?
I wonder what view @Canadian-Tech has on this since he hasn’t patched 130+ Win7 PC’s beyond May 2017..

Keep IT Lean, Clean and Mean!

3 users thanked author for this post.

Myst, Nibbled To Death By Ducks, David F

Reply | Quote

I am Win7 Group B. On both of my Win7 computers, the KB3953664 functionality (Compatibility Appraiser) included in KB4507456 did not change my disabled CEIP settings, and no data was transmitted to MS overnight. If one is really paranoid, it looks like one can follow the already posted instructions for completely disabling the two related tasks in Task Manager. Personally, I see no real need to disable these two tasks, unless someone can show that these two tasks do more than simply gathering information about all installed programs, device drivers, and all installed updates.

4 users thanked author for this post.

Lori, Nibbled To Death By Ducks, Bill C., zero2dash

Reply | Quote

What’s the point of letting it gather the information? it’s only valuable if you intend to upgrade or want to share it with Microsoft for CEIP

4 users thanked author for this post.

Myst, Nibbled To Death By Ducks, Bill C., Microfix

Reply | Quote

Security Only should be Security Only and MS is the one that’s having to come clean with why they thought it necessary to add any non security only related software in a Security Only  patch.

Just having any of that functionality on my systems is a no go! And what’s to prevent the same kinds of constant re-enabling and re-disabling game for the users of Windows 7 that the  users of Windows 10 have to constantly play to keep all of that nonsense turned off.

From the looks of it this new Spectre/Meltdown issue does not affect AMD’s CPUs and may only affect Intel’s CPUs, but more testing will be needed.  And I can not stress enough how much I wish that some Linux OS laptop OEM would begin offering Linux OS laptops with AMD’s Zen/Vega APUs inside and Intel’s CPUs not required.

Reply | Quote

Has anyone thought that maybe the telemetry code had security vulnerabilities?

Susan Bradley Patch Lady

4 users thanked author for this post.

rc primak, Myst, WildBill, Kirsty

Reply | Quote

[abbodi86]

It would not hurt to announce that then
plus, the telemetry code should not exist originally to need patching
it’s like when install IE11 cumulative when you didn’t install IE11 itself

i think the addition of telemetry appraiser components is intended for Enterprises that use Security-Only scenario and Upgrade Readiness project

since it need the appraiser to work, but KB2952664 stopped being updated separately when they included it with Monthly Rollup in late 2018

• This reply was modified 3 years, 7 months ago by abbodi86.

1 user thanked author for this post.

Myst

Reply | Quote

I’m fairly sure I actually did mention that somewhere around here, the other day… and how the current security-only patch has to apply on top of intermediate rollups too, which would already have the telemetry.

Reply | Quote

Why it has to exactly?
the two models should be used separately, either rollup or security only

Reply | Quote

One would think so but if they thought that customers had opted into telemetry patch.  There’s a lot of enterprises right now that are in the process of moving to 10.  So if they are security only and if they had the telemetry patches on, sometimes Microsoft tries to be Patch G**.

All of this is theory of course and should not be relied upon as being fact.

Susan Bradley Patch Lady

Reply | Quote

@mn:  Noted your comment, and hope that all will continue to go well with that KB4507449.   I am unable to attempt to do that one (because of its telemetry, and I have no way to create an off computer back-up).    Good luck to you with this!

Reply | Quote

GTP, Thanks for the patching info.

Finally a Spectre/Meltdown related patch that allegedly works on Win7 and does not list a firmware requirement.

~~ Group B, Win7-64Pro on Intel DX58SO2 MB, i7-960 CPU, 12GB Ram, wired ethernet ~~

I too installed the July SO and IE installed manually, with all the Office 2010, and the Net.4.7.1 Cumulative using WU.

I found only that two items in CEIP (and their triggers) were reactivated. They were the KernalCeipTask and the Consolidator. The UsbCeip task was left disabled. Neither task executed or ran and have been re-disabled, including their triggers. It has been 7 days since the patching and all settings have reamind the same in Tasks and WU.

I did find after the SO, WU now presented the Update for Windows 7 for x64-based Systems (KB3150513), which provides the latest set of definitions for compatibility diagnostics that are performed on the system. If you did not have KB2952664, this would not appear, but with the capabilities in the SO, it now appeared. Listed as Optional, unchecked. This has never been offered before. From the MS website, “This update will be offered only if the following prerequisite updates are installed: On Windows 7 Service Pack 1 (SP1): update 2952664.”

I did NOT install it. End result, no issues with the July updates here.

After updating, Media Player again wanted to re-configure, and now appears to have again reverted back to not allowing data retrieval for populating the tracks on CD rips. That happened a while ago, and then I found the capability had returned, so I ripped some more of the collection, and now it is gone again. Need to find a good open-source ripper with that capability.

I watched a colleague do his group A update and would love the simplicity, but while I remain concerned about telemetry, I am now more concerned about a ‘disabling’ patch that limits some of Win7 functionality after EOL or removes the ability to turn off WU.

2 users thanked author for this post.

walker, SueW

Reply | Quote

Keep in mind that Windows 7 will have tons of businesses that will pay for extended security patches.  Like Windows XP, they won’t disable functionality of anything.  Too many companies still use it.

I’m going to be horrible Susan here.  If you really think Microsoft is that devious, should you still be running Windows at all?  If you think they are that potentially evil to shove out a disabling patch perhaps moving to a platform where you trust the vendor completely would be a wise move?  Operating systems are complicated and there’s no way any of us can fully know what they do.  If you don’t trust the vendor, you don’t trust the vendor and it’s time to move on.

Apologize in advance, no disrespect intended, I just know each one of us personally have to get to a trust place and if you don’t trust, you should question if you should run the platform.  You know what I mean?

Susan Bradley Patch Lady

5 users thanked author for this post.

rc primak, mledman, Lars220, Myst, abbodi86

Reply | Quote

? says:

thank you, Susan! been doing more light reading hoping to resolve love\hate conflict about this question.

https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguish

https://en.wikipedia.org/wiki/Halloween_documents

https://en.wikipedia.org/wiki/AARD_code

https://en.wikipedia.org/wiki/Criticism_of_Microsoft

i would love to buy extended Windows XP and Windows 7 support, however it is a little out of my price range

Reply | Quote

I still don’t see that MS is providing Spectre protection in Win7 — only Meltdown protection.

Reply | Quote

Isn’t it KB2952664, not 3953664 ?

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

1 user thanked author for this post.

Microfix

Reply | Quote

Eventually everyone will be onboard just turning off hyperthreading. Only a few have been honest enough to know this is the only real solution. Of course in some Uefi you can’t turn it off. I find in some newer HP laptops there is no option to adjust any CPU features. Personally I want to see real world attacks before getting to concerned. Most of these exploits are too complicated for hackers to consider at least for personal  pc or work stations.

2 users thanked author for this post.

Nibbled To Death By Ducks, DriftyDonN

Reply | Quote

Cripple my CPU’s by halving the threads?
Thanks but no thanks; that will never be an option IMHO.
I’ll deal with the performance loss given by accepting the microcode update – which in the end is surely less than the performance loss if one disables HT.

2 users thanked author for this post.

rc primak, Microfix

Reply | Quote

From what I have gathered, it seems like the microcode updates alone don’t cause very much of a performance hit.  The biggest hit is in the OS-level changes needed to mitigate Spectre, which work (AFAIK!) in conjunction with the microcode changes.  The OS-level changes have caused severe performance losses in some use cases.

I’ve tried to find benchmark data of just the microcode changes on older (pre-Spectre) OS/kernel releases, but I have not found much.  The ones I have seen tend to show the old microcode with the old OS, the new OS with the old microcode, and the new OS with the new microcode.

I personally am not concerned about Spectre or any other side-channel exploits at present.  I have some doubt that they will ever be seen in the wild; they’re hard to exploit, and even if they are successfully performed, the data that’s revealed is random, and may or may not contain anything worth the effort.

The malware authors know that many (expensive, in terms of performance) fixes have been pushed out there in the hysteria over these vulnerabilities.  The most likely vector for these attacks would be javascript on compromised websites, and that would mean that browser vendors could harden their products against the known attacks, once there are some, and the same goes for anti-malware programs.  In addition, the kinds of behavior that scripts would have to engage in to exploit Spectre would be relatively easy to detect heuristically.

All of this makes it unlikely, IMO, that any widespread attack of the side-channel vulnerabilities will materialize anytime soon.  If I hear about such an exploit in the wild, I will have to consider what needs to be done to limit its threat, but until that happens, it’s all hypothetical.  I’m not about to make my PCs run noticeably slower just to mitigate a threat that doesn’t even exist yet!  I’m leaving hyperthreading on in my Dell G3 (i7 hexacore) and disabling the more performance-robbing kernel mitigations on my performance-challenged and ironically named Acer Swift, which needs all the performance it can get.  I’ll put the shields fully up once a threat is identified!

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, OpenSUSE Tumbleweed

1 user thanked author for this post.

anita.yk

Reply | Quote

_Reassigned Account wrote:

Eventually everyone will be onboard just turning off hyperthreading. Only a few have been honest enough to know this is the only real solution. Of course in some Uefi you can’t turn it off. I find in some newer HP laptops there is no option to adjust any CPU features. Personally I want to see real world attacks before getting to concerned. Most of these exploits are too complicated for hackers to consider at least for personal  pc or work stations.

That is why my new build has targeted the Intel i7-9700K CPU. 8 cores, no HT.

1 user thanked author for this post.

rc primak

Reply | Quote

_Reassigned Account wrote:

Eventually everyone will be onboard just turning off hyperthreading. Only a few have been honest enough to know this is the only real solution. Of course in some Uefi you can’t turn it off. I find in some newer HP laptops there is no option to adjust any CPU features. Personally I want to see real world attacks before getting to concerned. Most of these exploits are too complicated for hackers to consider at least for personal  pc or work stations.

agree. I have seen steve gibson utility that removes the disables those patches. He contends the danger is minimal…..has ANYONE seen or heard of an attack?

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

It would be interesting (if only to me, maybe) if someone did an unbiased study regarding CVE’s, Zero Days and other vulnerabilities vs. actual exploits for them found in the wild on a percentage basis, broken further down by:

Attack surface:

A) DNS servers

B) Enterprise Level Machines and Servers

C) Small Business Level

D) Home user Level (C and D are sometimes very similar.)

The reason I ask this question is I really want to know how much damage has been inflicted, and at what level(s) over the years. I did some research, but turned up very little that was specific.

Now this statement may tweak a few noses, but there’s an awful lot of money to be made by spreading FUD among the general public by makers of AV and Anti-Malware products.

(Conclusions would be hard to draw, since severe CVE’s get patched, making them unattractive, and even if they are, the smaller fish down the food chain just aren’t worth the effort it takes to bring off a successful exploit.)

But I wonder if anyone’s ever done a study on this.  Natch, no one wants to play against the house, so to speak; I just wonder if a study like this has ever been done. I don’t expect to find Stuxnet on my machine, but it would be valuable to weigh the AV/Anti-Malware Vendors of the world shriekings vs. the actual damage inflicted, and at what level, over the years

(For C and D above, the variables in user sophistication might render such a study useless.)

Thoughts?

(Helmet on, dives in trench.)

Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"...all the people, all the time..."Peter Ustinov ad-lib in "Logan's Run"

1 user thanked author for this post.

anita.yk

Reply | Quote

I’m on Win8.1 & the M$ vulnerability statement says that they released security updates on July 9 to address the Spectre Variant 1 problem. Nice of them to announce on Aug. 6 something they already fixed. Here’s where it relates to me: The security update for my OS is KB4507457. I installed the 64-bit version on Aug. 2, along with the other updates… so I’m already patched? Good to know…

Also, about Spectre/Meltdown: Intel always talks about the microcode to fix it. I have an Ivy Bridge processor & the microcode is in production. I’ve never seen Intel download the microcode to my machine, through Intel driver updates. How do I know if I have it? Has Microsoft already provided it through an update a while back?

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

Reply | Quote

It would not be an Intel driver update, if it is packaged like previous updates.  It would be a Microsoft update, and I can’t find any reference to any of these being made available for Windows 8.1.  It looks like they’ve reserved those for Windows 10 users, despite Windows 8.1 still being in extended support, which means only security and bug fixes will be provided.  Just not this security update.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, OpenSUSE Tumbleweed

Reply | Quote

Loads of patches..more flaws..Intel plays whack-a-mole:

11/12/19 https://www.extremetech.com/computing/301812-New-Spectre-Related-CPU-Flaw-Tops-Intels-Latest-Critical-Security-Fixes
77 patches to OEMs and partners as part of its Intel Platform Update program.

NEW FLAWS 8/6/19 https://www.pcmag.com/news/369990/spectre-meltdown-patches-wont-fix-new-swapgs-intel-flaw
https://techcrunch.com/2019/05/14/zombieload-flaw-intel-processors/
10/18 https://www.digitaltrends.com/computing/intel-9-series-cpu-spectre/

I’ve been waiting to buy a Win10 PC until flaws get fixed..looks like a really long wait.

Reply | Quote

[DriftyDonN]

AMD?

• This reply was modified 3 years, 3 months ago by DriftyDonN. Reason: add last thoght
• This reply was modified 3 years, 3 months ago by DriftyDonN.

Reply | Quote