Yet another surprise patch, KB 4078130, for all versions of Windows, disables part of the Meltdown/Spectre patches

[woodyDa Boss]

More fun ‘n games. Last night, Microsoft released KB 4078130, which is specifically designed to turn off the Intel-identified buggy code in the Mel[See the full post at: Yet another surprise patch, KB 4078130, for all versions of Windows, disables part of the Meltdown/Spectre patches]

11 users thanked author for this post.

Fred, Microfix, JDeC, Cascadian, Tiernan, SueW, HiFlyer, WildBill, Pepsiboy, MrBrian, AJNorth

[AJNorthAskWoody Plus]

My own suspicion is that the Universe is not only queerer than we suppose, but queerer than we can suppose.  — J. B. S. Haldane

(John Burdon Sanderson Haldane, FRS; 5 November 1892 – 1 December 1964)

4 users thanked author for this post.

Cascadian, Tiernan, HiFlyer, windows7forever

[SeffAskWoody Plus]

You have to like this new patching system – install a patch to enable something and then  install another patch to disable it. I hope whoever devised these patches hasn’t been paid twice.

Thanks for the information. Don’t hurry to review the DefCon rating, Woody, I’m quite happy waiting and doing all the normal things my computer allows me to do when MS, Intel and others aren’t trying their hardest to thwart me.

To be absolutely honest, I’m dreading the moment I access the site and see DefCon 3!

10 users thanked author for this post.

Mele20, BobbyB, Microfix, Cybertooth, JDeC, Tiernan, AJNorth, SueW, HiFlyer, Elly

[Jan K.AskWoody Lounger]

If we see MS-DEFCON 5, Woody’s site clearly has been hacked…

Btw. Defcon 3 isn’t really “good”. Even Defcon 4 has troublesome patches, but these will be perfectly documented here.

2 users thanked author for this post.

Cascadian, SueW

[abbodi86AskWoody_MVP]

The dust yet to settle 🙂

10 users thanked author for this post.

walker, BobbyB, Microfix, Cybertooth, JDeC, woody, AJNorth, SueW, HiFlyer, Elly

[MicrofixDa Boss]

In windy cyberspace..

********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

1 user thanked author for this post.

Elly

[PepsiboyAskWoody Lounger]

Sounds to me like more “Much ado about nothing”. Just creating more dust to settle before doing ANYTHING.

1 user thanked author for this post.

HiFlyer

[WildBillAskWoody Plus]

For those who are serving or have served in the military, & those with family & friends who do the same, a familiar theme is showing up: “Hurry up and wait”. The all clear (or not) will eventually sound. Thanks to Woody & all the MVP’s staying on top of things.

Windows 8.1, 64-bit, now in Group B!
Wild Bill Rides Again...

5 users thanked author for this post.

John in Mtl, Pepsiboy, JDeC, Elly, HiFlyer

[Bill C.AskWoody Plus]

That applies, but what really applies is the SNAFU one…

6 users thanked author for this post.

John in Mtl, SueW, Pepsiboy, Cybertooth, Elly, WildBill

[anonymous]

Bill C. wrote:

That applies, but what really applies is the SNAFU one

Certainly true, except for the folks with persistent BSODs/bricked PCs…

6 users thanked author for this post.

John in Mtl, SueW, Elly, Pepsiboy, Bill C., WildBill

[OscarCPAskWoody Plus]

Absolutely. And, if I remember correctly, in the Navy there is the saying:

Don’t just sit there! Get up and run to screw up something!

Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W + Mac&Lx

1 user thanked author for this post.

Elly

[HiFlyerAskWoody Plus]

Oh the Merry-Go-Round broke down…..

Th-th-that’s NOT all, folks!

2 users thanked author for this post.

Steve, Elly

[ViperJohnAskWoody Lounger]

Wow talk about being late to the party.

Gibsons InSpectre gave you the ability to easily turn the MS KB Update(s) Meltdown / Spectre mitigations On/Off about 9 days ago ONLY IF your install was actually able to use / be effected by them.  InSpectre’s Enable/Disable buttons were greyed out if not.  InSpectre sets the bit value (0 to 3) of the FeatureSettingsOverride registry value just like MS does.

Note that with the exception of 32b W10 v1709 only 64b Windows installs can actually use, or be effected by, the MS KB Update Meltdown mitigation.

The Spectre mitigation in these same MS KB Update(s) can only be used or effect your 32b or 64b install (in any way) IF the new 01/08/2017 Intel Microcodes were applied to your system either by a bios update to your motherboard or directly injected into Windows using VMwares microcode update drivers.

Viper

2 users thanked author for this post.

MrBrian, HiFlyer

[anonymous]

I’m hesitant to download something that erases a mitigation against Spectre.

If this was so important and everyone should use it why didn’t Microsoft put it out through WU?

4 users thanked author for this post.

anita.yk, rontpxz81, Seff, HiFlyer

[woodyDa Boss]

Precisely.

2 users thanked author for this post.

Elly, HiFlyer

[MrBrianAskWoody_MVP]

In my opinion, only some should use it.

[rontpxz81AskWoody Lounger]

Yes, if so important why isn’t it appearing in Windows Update?

[bobcat5536AskWoody Plus]

So if I run Gibson’s scanner and tell it to turn off the Meltdown fix, this would be the same as getting the patch from WU catalog? Would this be a recommended coarse of action, or just wait ?

[PKCanoDa Boss]

See @mrbrian ‘s answer here

1 user thanked author for this post.

woody

[bobcat5536AskWoody Plus]

That link take me to a profile page 🙂

[PKCanoDa Boss]

Oops. Try “answer here”

[bobcat5536AskWoody Plus]

So if I read that correctly, if I’m not having any problems leave things alone. I’m still wondering if the disable option in Gibson’s scanner is the same as the Microsoft 4078130 ?

[PKCanoDa Boss]

Yes, same Reg entry.

1 user thanked author for this post.

bobcat5536

[anonymous]

Bottom line:  I downloaded KB4056894 earlier this month and am not seeing any problems with data or file corruption so far, so I probably don’t have to download this new update right now?

[bhenAskWoody Lounger]

As somebody with an AMD (A4-5000) and Intel (i5-3337 Ivy Bridge) that hasn’t been hit by the problems that impacted AMD or Intel and have been living peacefully on 16299.192 for a few weeks, I’m not really expecting to get anything. I’ll see soon enough if that’s an accurate prediction.

[geekdomAskWoody Plus]

I neither flash (nor streak).

Group G{ot backup} TestBeta
Win7Pro · x64 · SP1 · i3-3220 · RAM 8GB · Firefox: uBlock Origin - NoScript · HDD · Canon Printer · Microsoft Security Essentials · Windows: Backup - System Image - Rescue Disk - Firewall

1 user thanked author for this post.

Cascadian

[CascadianAskWoody Lounger]

“Don’t look, Ethel!”
but it was too late,
she’d been mooned!

lyrics to a novelty song that spoofed the crazy fads in the early 1970s.

1 user thanked author for this post.

Elly

[WildBillAskWoody Plus]

For those born after 1974, the song was “The Streak” by Ray Stevens. He spoofed the college fad of running nude (‘streaking’) by having a reporter cover incidents in the song. He always wound up interviewing the same guy with his wife, Ethel. Check Wikipedia or Google “The Streak”.

Windows 8.1, 64-bit, now in Group B!
Wild Bill Rides Again...

3 users thanked author for this post.

woody, Elly, Cascadian

[CascadianAskWoody Lounger]

Couldn’t dig the name out of memory, thanks for closing the loop. I think Ray did Guitarzan, too. Yep, took the time to verify this time. Forgot about Would Jesus Wear a Rolex.

2 users thanked author for this post.

Elly, WildBill

[anonymous]

I hope you never have to switch to Defcon NaN because of any foolery.

1 user thanked author for this post.

Tiernan

[FredAskWoody Plus]

woody wrote:

More fun ‘n games. Last night, Microsoft released KB 4078130, which is specifically designed to turn off the Intel-identified buggy code in the Mel[See the full post at: Yet another surprise patch, KB 4078130, for all versions of Windows, disables part of the Meltdown/Spectre patches]

After looking all over the internet for news and support for the ‘very poor quality’ of the socalled vuneralibility updates and bios patch….  I finally had reset/reimaged my pcs to the date end of december 2017; so problems caused by this problemssolutions were ‘solved’ and got back to the original processor-/operatingsystem vunerabilities….

This message here acknowledges all these problems of bluescreens and lacks of speed…  grrr. nevertheless thanks to this site to give some clarity!

So, waiting to get some adult and quality patches and solutions from the industry, or is that too much to ask for?;
For now the suspicion is more and over that these socalled processor flaws are intended-build-in.

Has the “George Orwells 1984 syndrome” finally infected me too?

[PGP-ID available]

2 users thanked author for this post.

HiFlyer, Microfix

[MicrofixDa Boss]

Imaging is the saviour of all hiccups when mis-prescribed patches for PC’s are rife.

********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

6 users thanked author for this post.

HiFlyer, Capella, Cascadian, SueW, Elly, MrBrian

[MicrofixDa Boss]

We have a saying, ‘too many cooks spoil the broth’ , another is ‘the more haste, the less speed’, now the broth smells and tastes foul with PC’s spitting, spluttering and choking.

********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

2 users thanked author for this post.

Cascadian, Fred

[CascadianAskWoody Lounger]

Turn off the heat, dump a full box of baking soda on top, wait to cool, and dispose of according to local hazardous waste regulations. Which means bury in an unmarked hole after midnight.

Humor, of course. And on reread, never dump baking soda on a liquid PH<4ish. Results in volcano science project.

[JohnAskWoody Lounger]

Just more fixes for the fixes, as the Windows turn soap opera.  Also I wonder having updated Chrome browser to 64 if anyone else noticed any speed loss? Google says the mitigation for Spectre and Meltdown could cause speed issues. Pertains mostly to Google/Chromium V8 as I read it. I then wonder as it stands all these fixes alone probably don’t add up to much in performance loss. But combine them and maybe its a bit worse, considering you have OS fixes, Firmware, browser updates, even potential issues with battery life. We still have yet to get bios fixes that stick, and we could be months before we know how effective any of this is.

[ViperJohnAskWoody Lounger]

PKCano wrote:

Yes, same Reg entry.

FYI – The settings available on:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management] “FeatureSettingsOverride”=dword:value

value = 00000000 = Both Meltdown and Spectre Mitigations Enabled

value = 00000001 = Meltdown Enabled and Spectre Disabled

value = 00000002 = Meltdown Disabled and Spectre Enabled

value = 00000003 = Both Meltdown and Spectre Mitigations Disabled

 

With Gibsons InSpectre you can set all these values using the separate Meltdown / Spectre Enable / Disable switches. Note the Spectre switch will be greyed out if you do not have Spectre mitigation enabling Microcode installed and the Meltdown switch will be greyed out on 32-bit installs (except 32B W10 v1709).

I believe from reading MS’s info on the KB4078130 update it sets the “FeatureSettingsOverride” value at an all disabled 00000003.  I have not actually tried it but that is how it’s documentation reads to me.

Viper

5 users thanked author for this post.

SueW, woody, HiFlyer, Cascadian, MrBrian

[MrBrianAskWoody_MVP]

If I recall from my test, KB4078130 sets this:

value = 00000001 = Meltdown Enabled and Spectre Disabled

which makes sense to me.

1 user thanked author for this post.

woody

[abbodi86AskWoody_MVP]

Yes, this article states that too

Disable mitigation against Spectre Variant 2 independently

2 users thanked author for this post.

woody, MrBrian

[ViperJohnAskWoody Lounger]

MrBrian wrote:

If I recall from my test, KB4078130 sets this: value = 00000001 = Meltdown Enabled and Spectre Disabled which makes sense to me.

abbodi86 wrote:

Yes, this article states that too Disable mitigation against Spectre Variant 2 independently

Well I reread the article pointed to and I still believe an argument could be made that the value actully set by the KB4078130 update could be either 1 or 3. It’s typical MicroSoft “clear as mud” speak.

Since MrBrian has tested the KB4078130 update I will bow to his recall of 0000001. I agree it does make the most sense with a title of “Update to Disable Mitigation against Spectre Variant 2” but with MS these days “if ya don’t test ya don’t know for sure”.

It’s unfortunate that “making sense” and “Microsoft” in the same sentence has become an oxymoron due to a conflict in terms.

Viper

2 users thanked author for this post.

SueW, HiFlyer

[anonymous]

All this microcode talk I don’t understand. I downloaded the first update, KB4056892 after AVG updated the registry entry at the beginning of the month.. for the first variant and meltdown.. and made sure my BIOS was up to date etc but I don’t understand anything with variant 2 that MS released the update for recently.

I have an Intel Kaby Lake S CPU PRIME Z270-K and in an article I read that we should check Intel’s microcode revision guide. I found mine (I think) on the list I think but I don’t understand all the numbers etc but then I read in the article about MS update KB4078130 but can’t find it when I search in the MS Update Catalog so I’m like hmm what do I do?

I haven’t had any crazy and odd things happening with my computer that I’ve noticed.. even after Update restarts after installing an update but I wanted to be safe be I’m good with computers but this microcode, virus stuff confuses me.

Alece

EDIT html to txt

[woodyDa Boss]

You aren’t alone. It confuses the %$#@! out of me, too.

[MrBrianAskWoody_MVP]

The basic idea is that the updated microcodes add new CPU instructions that the January 2018 Windows updates use to try to mitigate Spectre variant 2. KB 4078130 sets settings that tell Windows not to call those new CPU instructions (for those CPUs that have them).

[sheldonAskWoody Plus]

Hi,

 

I have a win7 machine, which is easy to control patches/updates…   I am getting a win10 machine in the next couple of days.   What is the best way to control win10 updates/patches?  On the first boot-up of a new machine, is there anyway to prevent it from installing all the patches?

[PKCanoDa Boss]

The best way to prevent a new machine from installing anything is to do the first boot OFFLINE. In other words, don’t hook up a network cable, and when it asks about WiFi setup, say “later.”

I hope your new machine has Win10 Pro. If you have Win10 Home, you have very little control over updates. With Home, you can set your Internet connection to “don’t download over metered connections.” But this also affects other Internet facing software. You can use Mictosoft’s troubleshooter wushowhide to hide updates, but that too doesn’t always work if MS wants to push an update.

If your new machine comes with Win10 Home, it is well worth the $99.99 to upgrade it to Win10 Pro.

6 users thanked author for this post.

Cascadian, woody, Elly, BobbyB, HiFlyer, WildBill

[sheldonAskWoody Plus]

My new machine will have win10 pro.  What is the best way to control updates/patches?

[PKCanoDa Boss]

In Win10 Pro, there are settings in Windows Update to put off quality updates for 30 days and feature updates (upgrades) for up to 365 days. There are also settings in Group Policy to have WU notify for download/install instead of “just do it.” And, again, you can use wushowhide. Woody has a ComputerWorld article on how to block Win10 updates.

3 users thanked author for this post.

Elly, BobbyB, WildBill

[anonymous]

Thanks

[anonymous]

The Register has a good article on Spectre.
“You can’t ignore Spectre. Look, it’s pressing its nose against your screen.”
Makes one wonder how screwed up things are going to get as State funded
hackers get into the game.

[anonymous]

So @woody, would you recommend as a best pratice installing the Jan 3rd Security Only patch (witch as more updates than just the Spectre / Meltdown), and then install this one (or run Steve Gibson’s tool) to deactivate the Spectre / Meltdown yet keep all the other security updates?

[PKCanoDa Boss]

Woody hasn’t published his recommendations for January patching yet. When he raises the DEFCON number to 3 or above, he will publish his recommendations at that time.

We are at DEFCON-2, which means installing patches at this time is not recommended unless you have a critical reason to do so (like a BSOD, for example). Otherwise the advise is to WAIT.

6 users thanked author for this post.

Cascadian, SueW, woody, walker, Elly, WildBill

[WildBillAskWoody Plus]

As PKCano & Woody recommend, wait until MS-DEFCON changes to a higher number. For more information, click on the ‘MS-DEFCON System’ tab above. IMO, it will probably change to DEFCON 4, but DEFCON 3 is possible too.

Memo to Da Boss: Details will change, but I see patching possibly going in 2 groups (not necessarily the usual ones) this time:

Group S1 (for Shy one), who follow MS-DEFCON almost religiously: Install only needed patches, including the usual. Also flashing firmware updates at this time, if OK’ed by Intel/AMD.

Group B2 (for Bitten twice), who have rushed into things: Install patches that fix various screwups, both Microsoft & Intel/AMD related. Flash or re-flash firmware updates, if needed & OK’ed.

Windows 8.1, 64-bit, now in Group B!
Wild Bill Rides Again...

2 users thanked author for this post.

Cascadian, woody

[CascadianAskWoody Lounger]

It is a fracturing of what should be kept as simple as ‘possible’. But I cannot argue the logic. Directions when given, are going to be hard to follow and hinge on some dicey syntax. But I found, actually followed a recommendation by Canadian Tech, this site when things did not make sense. So IF it can be simple enough for a dummy, this is the place to get it.

Looking forward to the product of all efforts here. Thanks all.

1 user thanked author for this post.

WildBill

[ViperJohnAskWoody Lounger]

sheldon wrote:

I am getting a win10 machine in the next couple of days. What is the best way to control win10 updates/patches?[/quote

Well the BEST WAY would be a disk format and an Install of Windows 7.  Short of that perfect solution do first boot with you Internet Modem powered off / disconnected but leave your router powered up so W10 on your new rig can still detect and config its network connection be it wireless or cabled ethernet. After that follow PKCano advice just a few posts up.

https://www.computerworld.com/article/3138088/microsoft-windows/woodys-win10tip-block-forced-win10-updates.html

Viper

2 users thanked author for this post.

HiFlyer, Cybertooth

[sheldonAskWoody Plus]

Thanks – actually isn’t this article the most up to date: https://www.computerworld.com/article/3215668/windows-pcs/8-steps-to-install-windows-10-patches-like-a-pro.html

[MrBrianAskWoody_MVP]

Woody’s initial post was updated to add a link to Windows surprise patch KB 4078130: The hard way to disable Spectre 2.

[anonymous]

Well Microsoft is obviously having some sort of issues at the moment.. I was going to wait like PKCano said, but I wanted to load the MS Update Catalog and see if they finally got KB4078130 on the catalog because when I wrote earlier I couldn’t find it.. but NOW the MS Update Catalog is temporatly unavailable but then I reloaded it and saw the update.. it says that the update is only 24KB so I downloaded it and went to install it but nothing happened.. nothing loaded etc. but I had Windows Update open at the time because I had already checked for updates before I downloaded KB4078130  to try and install it. Windows Update said that my device was up to date so I went to install KB4078130  all and the Windows Update randomly started checking for updates and said I had an update for my Kodak Printer that was awaiting to be installed but there was NO install button and it kept randomly checking for updates then it just stopped and Windows Update said that my computer was up to date but NOTHING was installed.. tried it twice but the same thing and after I loaded my Programs & Features menu in Windows 10 through the Control Panel and viewed the installed updates and searched for KB4078130  but nothing was installed.

I don’t get it.. so should I just WAIT until MS does something more about this whenever the DEFCON rises and MS decides to do more about it then send you to download an update from the catalog instead of sending it to everyone through Windows Update because it didn’t install and it’s not showing in my installed updates.

Like I said earlier.. I haven’t had any weird issues happening with my desktop that I’ve noticed, just want to be safe but UGHH all this stuff is confusing me and then the MS update from the catalog doesn’t install.. nothing makes sense anymore to me and I’m pretty good with computers for being a girl.

Alece

EDIT html to text (we can only use simple BBCodes, not html, so no size changes or colors work by copy>paste)

[MrBrianAskWoody_MVP]

KB4078130 needs to be run with admin privileges. KB4078130 doesn’t install or uninstall; it merely runs.

[PKCanoDa Boss]

KB4078130 is not intended for everyone’s use, nor will it be released through Windows Update. It may help those who installed faulty firmware microcode to bypass the faulty function. You don’t need it unless you meet a special criteria.

Just because Microsoft releases an update doesn’t mean everyone should immediately jump on it and install the patch. Especially those patches released for Catalog only manual download/install which are usually intended for a special purpose and not general distribution. This is one of the reasons for the DEFCON system – so you don’t install patches that are unsafe or not needed. You WAIT for Woody’s approval and guidance.

7 users thanked author for this post.

HiFlyer, SueW, Elly, woody, Cybertooth, MrBrian, WildBill

[MrBrianAskWoody_MVP]

This answer is also a good answer to other comments in this post asking why this update isn’t available on Windows Update.

4 users thanked author for this post.

HiFlyer, SueW, Elly, WildBill

[anonymous]

I’ll just wait then, since the update didn’t install anything. So you’re suggesting to wait until Woody updates the DEFCON warning on here? When that happens, where would I look?

Alece

[PKCanoDa Boss]

At the top of the home page, the number will change to somewhere between 3 and 5. And there will be a post with a link to an article giving instructions on patching.

1 user thanked author for this post.

SueW

[JohnAskWoody Lounger]

Noticed this morning the update not available through Update Catalog? Maybe another dud?

[MrBrianAskWoody_MVP]

I see it.

2 users thanked author for this post.

HiFlyer, woody

[MrBrianAskWoody_MVP]

This text has been added to KB4078130: “Note Users who do not have the affected Intel microcode do not have to download this update.”

1 user thanked author for this post.

Bill C.

[MrBrianAskWoody_MVP]

From Microsoft rushes Spectre patch to disable Intel’s broken update:

‘A source at Microsoft, who wished to stay anonymous, told SearchSecurity the Spectre patch was a difficult situation because “you can’t fix it in firmware alone or software alone.”

“The chip vendor releases a firmware capability, which the OSes use in a certain way in key situations to mitigate against potential abuse [or] attack. So, to mitigate, you need a firmware update plus an OS that leverages [that update]. It’s symbiotic [and] collaborative,” the source said. “Given that you need both, it was possible that an OS update would rollout on machines that didn’t yet have a firmware update, so the mitigation needed to be able to be ‘on’ or ‘off’ depending [on the presence of Intel’s microcode update].”‘

4 users thanked author for this post.

HiFlyer, SueW, Bill C., Cascadian

[Author]

Posts