|
MS-DEFCON 2:
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
|
-
Yet another surprise patch, KB 4078130, for all versions of Windows, disables part of the Meltdown/Spectre patches
Posted on Comment on the AskWoody Lounge- This topic has 64 replies, 23 voices, and was last updated 2 years, 12 months ago.
Viewing 29 reply threads-
-
More fun ‘n games. Last night, Microsoft released KB 4078130, which is specifically designed to turn off the Intel-identified buggy code in the Mel[See the full post at: Yet another surprise patch, KB 4078130, for all versions of Windows, disables part of the Meltdown/Spectre patches]
-
My own suspicion is that the Universe is not only queerer than we suppose, but queerer than we can suppose. — J. B. S. Haldane
(John Burdon Sanderson Haldane, FRS; 5 November 1892 – 1 December 1964)
4 users thanked author for this post.
-
You have to like this new patching system – install a patch to enable something and then install another patch to disable it. I hope whoever devised these patches hasn’t been paid twice.
Thanks for the information. Don’t hurry to review the DefCon rating, Woody, I’m quite happy waiting and doing all the normal things my computer allows me to do when MS, Intel and others aren’t trying their hardest to thwart me.
To be absolutely honest, I’m dreading the moment I access the site and see DefCon 3!
-
-
In windy cyberspace..
No problem can be solved from the same level of consciousness that created IT- AE1 user thanked author for this post.
-
-
Sounds to me like more “Much ado about nothing”. Just creating more dust to settle before doing ANYTHING.
1 user thanked author for this post.
-
For those who are serving or have served in the military, & those with family & friends who do the same, a familiar theme is showing up: “Hurry up and wait”. The all clear (or not) will eventually sound. Thanks to Woody & all the MVP’s staying on top of things.
2 Machines for Now!
#1: Windows 8.1, 64-bit, back in Group A.
#2: Getting close to buying a refurbished Windows 10 64-bit, recently updated to v1909. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...5 users thanked author for this post.
-
That applies, but what really applies is the SNAFU one…
6 users thanked author for this post.
-
Absolutely. And, if I remember correctly, in the Navy there is the saying:
Don’t just sit there! Get up and run to screw up something!
Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)
1 user thanked author for this post.
-
-
Wow talk about being late to the party.
Gibsons InSpectre gave you the ability to easily turn the MS KB Update(s) Meltdown / Spectre mitigations On/Off about 9 days ago ONLY IF your install was actually able to use / be effected by them. InSpectre’s Enable/Disable buttons were greyed out if not. InSpectre sets the bit value (0 to 3) of the FeatureSettingsOverride registry value just like MS does.
Note that with the exception of 32b W10 v1709 only 64b Windows installs can actually use, or be effected by, the MS KB Update Meltdown mitigation.
The Spectre mitigation in these same MS KB Update(s) can only be used or effect your 32b or 64b install (in any way) IF the new 01/08/2017 Intel Microcodes were applied to your system either by a bios update to your motherboard or directly injected into Windows using VMwares microcode update drivers.
Viper
-
-
-
See @MrBrian ‘s answer here
1 user thanked author for this post.
-
-
-
Yes, same Reg entry.
1 user thanked author for this post.
-
-
-
-
-
I neither flash (nor streak).
Beta Work {Got backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender TRV=1909 WuMgr
offline▸ Win10Pro 20H2.19042.685 x86 Atom N270 RAM2GB HDD WindowsDefender WuMgr GuineaPigVariant
online▸ Win10Pro 2004.19041.746 x64 i5-9400 RAM16GB HDD Firefox85.0 WindowsDefender TRV=2004 WuMgr1 user thanked author for this post.
-
“Don’t look, Ethel!”
but it was too late,
she’d been mooned!lyrics to a novelty song that spoofed the crazy fads in the early 1970s.
1 user thanked author for this post.
-
For those born after 1974, the song was “The Streak” by Ray Stevens. He spoofed the college fad of running nude (‘streaking’) by having a reporter cover incidents in the song. He always wound up interviewing the same guy with his wife, Ethel. Check Wikipedia or Google “The Streak”.
2 Machines for Now!
#1: Windows 8.1, 64-bit, back in Group A.
#2: Getting close to buying a refurbished Windows 10 64-bit, recently updated to v1909. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...
-
-
-
More fun ‘n games. Last night, Microsoft released KB 4078130, which is specifically designed to turn off the Intel-identified buggy code in the Mel[See the full post at: Yet another surprise patch, KB 4078130, for all versions of Windows, disables part of the Meltdown/Spectre patches]
After looking all over the internet for news and support for the ‘very poor quality’ of the socalled vuneralibility updates and bios patch…. I finally had reset/reimaged my pcs to the date end of december 2017; so problems caused by this problemssolutions were ‘solved’ and got back to the original processor-/operatingsystem vunerabilities….
This message here acknowledges all these problems of bluescreens and lacks of speed… grrr. nevertheless thanks to this site to give some clarity!
So, waiting to get some adult and quality patches and solutions from the industry, or is that too much to ask for?;
For now the suspicion is more and over that these socalled processor flaws are intended-build-in.Has the “George Orwells 1984 syndrome” finally infected me too?
~ ~ ~ -
We have a saying, ‘too many cooks spoil the broth’ , another is ‘the more haste, the less speed’, now the broth smells and tastes foul with PC’s spitting, spluttering and choking.
No problem can be solved from the same level of consciousness that created IT- AE -
Yes, same Reg entry.
FYI – The settings available on:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management] “FeatureSettingsOverride”=dword:value
value = 00000000 = Both Meltdown and Spectre Mitigations Enabled
value = 00000001 = Meltdown Enabled and Spectre Disabled
value = 00000002 = Meltdown Disabled and Spectre Enabled
value = 00000003 = Both Meltdown and Spectre Mitigations Disabled
With Gibsons InSpectre you can set all these values using the separate Meltdown / Spectre Enable / Disable switches. Note the Spectre switch will be greyed out if you do not have Spectre mitigation enabling Microcode installed and the Meltdown switch will be greyed out on 32-bit installs (except 32B W10 v1709).
I believe from reading MS’s info on the KB4078130 update it sets the “FeatureSettingsOverride” value at an all disabled 00000003. I have not actually tried it but that is how it’s documentation reads to me.
Viper
-
If I recall from my test, KB4078130 sets this:
value = 00000001 = Meltdown Enabled and Spectre Disabled
which makes sense to me.
1 user thanked author for this post.
-
Yes, this article states that too
-
-
-
If I recall from my test, KB4078130 sets this: value = 00000001 = Meltdown Enabled and Spectre Disabled which makes sense to me.
Yes, this article states that too Disable mitigation against Spectre Variant 2 independently
Well I reread the article pointed to and I still believe an argument could be made that the value actully set by the KB4078130 update could be either 1 or 3. It’s typical MicroSoft “clear as mud” speak.
Since MrBrian has tested the KB4078130 update I will bow to his recall of 0000001. I agree it does make the most sense with a title of “Update to Disable Mitigation against Spectre Variant 2” but with MS these days “if ya don’t test ya don’t know for sure”.
It’s unfortunate that “making sense” and “Microsoft” in the same sentence has become an oxymoron due to a conflict in terms.
Viper
-
-
-
The best way to prevent a new machine from installing anything is to do the first boot OFFLINE. In other words, don’t hook up a network cable, and when it asks about WiFi setup, say “later.”
I hope your new machine has Win10 Pro. If you have Win10 Home, you have very little control over updates. With Home, you can set your Internet connection to “don’t download over metered connections.” But this also affects other Internet facing software. You can use Mictosoft’s troubleshooter wushowhide to hide updates, but that too doesn’t always work if MS wants to push an update.
If your new machine comes with Win10 Home, it is well worth the $99.99 to upgrade it to Win10 Pro.
-
-
In Win10 Pro, there are settings in Windows Update to put off quality updates for 30 days and feature updates (upgrades) for up to 365 days. There are also settings in Group Policy to have WU notify for download/install instead of “just do it.” And, again, you can use wushowhide. Woody has a ComputerWorld article on how to block Win10 updates.
-
-
-
-
-
-
-
Woody hasn’t published his recommendations for January patching yet. When he raises the DEFCON number to 3 or above, he will publish his recommendations at that time.
We are at DEFCON-2, which means installing patches at this time is not recommended unless you have a critical reason to do so (like a BSOD, for example). Otherwise the advise is to WAIT.
-
-
As PKCano & Woody recommend, wait until MS-DEFCON changes to a higher number. For more information, click on the ‘MS-DEFCON System’ tab above. IMO, it will probably change to DEFCON 4, but DEFCON 3 is possible too.
Memo to Da Boss: Details will change, but I see patching possibly going in 2 groups (not necessarily the usual ones) this time:
Group S1 (for Shy one), who follow MS-DEFCON almost religiously: Install only needed patches, including the usual. Also flashing firmware updates at this time, if OK’ed by Intel/AMD.
Group B2 (for Bitten twice), who have rushed into things: Install patches that fix various screwups, both Microsoft & Intel/AMD related. Flash or re-flash firmware updates, if needed & OK’ed.
2 Machines for Now!
#1: Windows 8.1, 64-bit, back in Group A.
#2: Getting close to buying a refurbished Windows 10 64-bit, recently updated to v1909. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...-
It is a fracturing of what should be kept as simple as ‘possible’. But I cannot argue the logic. Directions when given, are going to be hard to follow and hinge on some dicey syntax. But I found, actually followed a recommendation by Canadian Tech, this site when things did not make sense. So IF it can be simple enough for a dummy, this is the place to get it.
Looking forward to the product of all efforts here. Thanks all.
1 user thanked author for this post.
-
-
I am getting a win10 machine in the next couple of days. What is the best way to control win10 updates/patches?[/quote
Well the BEST WAY would be a disk format and an Install of Windows 7. Short of that perfect solution do first boot with you Internet Modem powered off / disconnected but leave your router powered up so W10 on your new rig can still detect and config its network connection be it wireless or cabled ethernet. After that follow PKCano advice just a few posts up.
Viper
2 users thanked author for this post.
-
-
KB4078130 is not intended for everyone’s use, nor will it be released through Windows Update. It may help those who installed faulty firmware microcode to bypass the faulty function. You don’t need it unless you meet a special criteria.
Just because Microsoft releases an update doesn’t mean everyone should immediately jump on it and install the patch. Especially those patches released for Catalog only manual download/install which are usually intended for a special purpose and not general distribution. This is one of the reasons for the DEFCON system – so you don’t install patches that are unsafe or not needed. You WAIT for Woody’s approval and guidance.
-
-
At the top of the home page, the number will change to somewhere between 3 and 5. And there will be a post with a link to an article giving instructions on patching.
1 user thanked author for this post.
-
-
-
From Microsoft rushes Spectre patch to disable Intel’s broken update:
‘A source at Microsoft, who wished to stay anonymous, told SearchSecurity the Spectre patch was a difficult situation because “you can’t fix it in firmware alone or software alone.”
“The chip vendor releases a firmware capability, which the OSes use in a certain way in key situations to mitigate against potential abuse [or] attack. So, to mitigate, you need a firmware update plus an OS that leverages [that update]. It’s symbiotic [and] collaborative,” the source said. “Given that you need both, it was possible that an OS update would rollout on machines that didn’t yet have a firmware update, so the mitigation needed to be able to be ‘on’ or ‘off’ depending [on the presence of Intel’s microcode update].”‘
-
Viewing 29 reply threads
Welcome to our unique respite from the madness.
It's easy to post questions about Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.
Recent Replies
Alex5723 on iOS/iPadOS 14.3, WatchOS 7.2 released
22 minutes agoPaul T on Freeware Spotlight – Immunet 7
39 minutes ago- 43 minutes ago
anonymous on Kudos to NWS for their new radar site
45 minutes agowavy on Websites that still require Flash after EOL
55 minutes agoGoneToPlaid on Freeware Spotlight – Immunet 7
1 hour, 2 minutes agob on Windows 10 2004/20H2 Not Being Offered Due to Conexant HD Audio Issue
1 hour, 4 minutes ago- 1 hour, 7 minutes ago
Susan Bradley on Windows 10 2004/20H2 Not Being Offered Due to Conexant HD Audio Issue
1 hour, 13 minutes agoCybertooth on Outlook on Vista
1 hour, 26 minutes agojoep517 on Latest increase in no. of Win 10 services
1 hour, 54 minutes ago- 2 hours, 18 minutes ago
- 2 hours, 20 minutes ago
WCHS on Comments on AKB 2000016: Guide for Windows Update Settings for Windows 10
3 hours, 4 minutes ago- 3 hours, 26 minutes ago
Paul on Windows 10 2004/20H2 Not Being Offered Due to Conexant HD Audio Issue
3 hours, 32 minutes ago- 3 hours, 37 minutes ago
ussrankin on Linking a graphic to a website
3 hours, 43 minutes agotpbrownec on SFC errors not repairable, upgrade to 2004?
3 hours, 52 minutes agoTex265 on Comments on AKB 2000016: Guide for Windows Update Settings for Windows 10
4 hours, 36 minutes agodmt_3904 on iOS 14 : Bug with Mail aliases
4 hours, 51 minutes ago- 5 hours, 25 minutes ago
Slacker2008 on Stop paying $200 a year for your Internet cable modem
5 hours, 28 minutes ago- 5 hours, 50 minutes ago
rc primak on Freeware Spotlight – Immunet 7
6 hours, 43 minutes ago- 7 hours, 15 minutes ago
Ascaris on What Linux is and why it has persisted
7 hours, 28 minutes agoCraigS26 on Comments on AKB 2000016: Guide for Windows Update Settings for Windows 10
8 hours, 3 minutes ago- 8 hours, 19 minutes ago
- 8 hours, 22 minutes ago