|
MS-DEFCON 2:
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
|
-
Yet another surprise patch, KB 4078130, for all versions of Windows, disables part of the Meltdown/Spectre patches
Posted on Comment on the AskWoody LoungeThis topic contains 64 replies, has 23 voices, and was last updated by
PKCano 1 year, 9 months ago.
-
More fun ‘n games. Last night, Microsoft released KB 4078130, which is specifically designed to turn off the Intel-identified buggy code in the Mel[See the full post at: Yet another surprise patch, KB 4078130, for all versions of Windows, disables part of the Meltdown/Spectre patches]
-
My own suspicion is that the Universe is not only queerer than we suppose, but queerer than we can suppose. — J. B. S. Haldane
(John Burdon Sanderson Haldane, FRS; 5 November 1892 – 1 December 1964)
4 users thanked author for this post.
-
You have to like this new patching system – install a patch to enable something and then install another patch to disable it. I hope whoever devised these patches hasn’t been paid twice.
Thanks for the information. Don’t hurry to review the DefCon rating, Woody, I’m quite happy waiting and doing all the normal things my computer allows me to do when MS, Intel and others aren’t trying their hardest to thwart me.
To be absolutely honest, I’m dreading the moment I access the site and see DefCon 3!
-
-
For those who are serving or have served in the military, & those with family & friends who do the same, a familiar theme is showing up: “Hurry up and wait”. The all clear (or not) will eventually sound. Thanks to Woody & all the MVP’s staying on top of things.
Windows 8.1, 64-bit, back in Group A... & leaning toward Windows 10 V1909. As long as it's a Lot Less Buggy!
Wild Bill Rides Again...5 users thanked author for this post.
-
That applies, but what really applies is the SNAFU one…
6 users thanked author for this post.
-
-
Wow talk about being late to the party.
Gibsons InSpectre gave you the ability to easily turn the MS KB Update(s) Meltdown / Spectre mitigations On/Off about 9 days ago ONLY IF your install was actually able to use / be effected by them. InSpectre’s Enable/Disable buttons were greyed out if not. InSpectre sets the bit value (0 to 3) of the FeatureSettingsOverride registry value just like MS does.
Note that with the exception of 32b W10 v1709 only 64b Windows installs can actually use, or be effected by, the MS KB Update Meltdown mitigation.
The Spectre mitigation in these same MS KB Update(s) can only be used or effect your 32b or 64b install (in any way) IF the new 01/08/2017 Intel Microcodes were applied to your system either by a bios update to your motherboard or directly injected into Windows using VMwares microcode update drivers.
Viper
-
anonymous -
-
See @mrbrian ‘s answer here
1 user thanked author for this post.
-
-
-
Yes, same Reg entry.
1 user thanked author for this post.
-
-
-
-
anonymous -
I neither flash (nor streak).
Group G{ot backup} TestBeta On hiatus.
Win7Pro · x64 · SP1 · i3-3220 · RAM 8GB · Firefox: uBlock Origin - NoScript · HDD · Canon Printer · Microsoft Security Essentials · Windows: Backup - System Image - Rescue Disk - Firewall1 user thanked author for this post.
-
“Don’t look, Ethel!”
but it was too late,
she’d been mooned!lyrics to a novelty song that spoofed the crazy fads in the early 1970s.
1 user thanked author for this post.
-
For those born after 1974, the song was “The Streak” by Ray Stevens. He spoofed the college fad of running nude (‘streaking’) by having a reporter cover incidents in the song. He always wound up interviewing the same guy with his wife, Ethel. Check Wikipedia or Google “The Streak”.
Windows 8.1, 64-bit, back in Group A... & leaning toward Windows 10 V1909. As long as it's a Lot Less Buggy!
Wild Bill Rides Again...
-
-
-
More fun ‘n games. Last night, Microsoft released KB 4078130, which is specifically designed to turn off the Intel-identified buggy code in the Mel[See the full post at: Yet another surprise patch, KB 4078130, for all versions of Windows, disables part of the Meltdown/Spectre patches]
After looking all over the internet for news and support for the ‘very poor quality’ of the socalled vuneralibility updates and bios patch…. I finally had reset/reimaged my pcs to the date end of december 2017; so problems caused by this problemssolutions were ‘solved’ and got back to the original processor-/operatingsystem vunerabilities….
This message here acknowledges all these problems of bluescreens and lacks of speed… grrr. nevertheless thanks to this site to give some clarity!
So, waiting to get some adult and quality patches and solutions from the industry, or is that too much to ask for?;
For now the suspicion is more and over that these socalled processor flaws are intended-build-in.Has the “George Orwells 1984 syndrome” finally infected me too?
After all.. Just because we're paranoid doesn't mean they aren't out to get us. -
We have a saying, ‘too many cooks spoil the broth’ , another is ‘the more haste, the less speed’, now the broth smells and tastes foul with PC’s spitting, spluttering and choking.
********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********
-
Yes, same Reg entry.
FYI – The settings available on:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management] “FeatureSettingsOverride”=dword:value
value = 00000000 = Both Meltdown and Spectre Mitigations Enabled
value = 00000001 = Meltdown Enabled and Spectre Disabled
value = 00000002 = Meltdown Disabled and Spectre Enabled
value = 00000003 = Both Meltdown and Spectre Mitigations Disabled
With Gibsons InSpectre you can set all these values using the separate Meltdown / Spectre Enable / Disable switches. Note the Spectre switch will be greyed out if you do not have Spectre mitigation enabling Microcode installed and the Meltdown switch will be greyed out on 32-bit installs (except 32B W10 v1709).
I believe from reading MS’s info on the KB4078130 update it sets the “FeatureSettingsOverride” value at an all disabled 00000003. I have not actually tried it but that is how it’s documentation reads to me.
Viper
-
If I recall from my test, KB4078130 sets this:
value = 00000001 = Meltdown Enabled and Spectre Disabled
which makes sense to me.
1 user thanked author for this post.
-
Yes, this article states that too
-
-
-
If I recall from my test, KB4078130 sets this: value = 00000001 = Meltdown Enabled and Spectre Disabled which makes sense to me.
Yes, this article states that too Disable mitigation against Spectre Variant 2 independently
Well I reread the article pointed to and I still believe an argument could be made that the value actully set by the KB4078130 update could be either 1 or 3. It’s typical MicroSoft “clear as mud” speak.
Since MrBrian has tested the KB4078130 update I will bow to his recall of 0000001. I agree it does make the most sense with a title of “Update to Disable Mitigation against Spectre Variant 2” but with MS these days “if ya don’t test ya don’t know for sure”.
It’s unfortunate that “making sense” and “Microsoft” in the same sentence has become an oxymoron due to a conflict in terms.
Viper
-
anonymous -
-
The best way to prevent a new machine from installing anything is to do the first boot OFFLINE. In other words, don’t hook up a network cable, and when it asks about WiFi setup, say “later.”
I hope your new machine has Win10 Pro. If you have Win10 Home, you have very little control over updates. With Home, you can set your Internet connection to “don’t download over metered connections.” But this also affects other Internet facing software. You can use Mictosoft’s troubleshooter wushowhide to hide updates, but that too doesn’t always work if MS wants to push an update.
If your new machine comes with Win10 Home, it is well worth the $99.99 to upgrade it to Win10 Pro.
-
-
In Win10 Pro, there are settings in Windows Update to put off quality updates for 30 days and feature updates (upgrades) for up to 365 days. There are also settings in Group Policy to have WU notify for download/install instead of “just do it.” And, again, you can use wushowhide. Woody has a ComputerWorld article on how to block Win10 updates.
-
anonymous
-
-
-
-
-
anonymous -
anonymous-
Woody hasn’t published his recommendations for January patching yet. When he raises the DEFCON number to 3 or above, he will publish his recommendations at that time.
We are at DEFCON-2, which means installing patches at this time is not recommended unless you have a critical reason to do so (like a BSOD, for example). Otherwise the advise is to WAIT.
-
-
As PKCano & Woody recommend, wait until MS-DEFCON changes to a higher number. For more information, click on the ‘MS-DEFCON System’ tab above. IMO, it will probably change to DEFCON 4, but DEFCON 3 is possible too.
Memo to Da Boss: Details will change, but I see patching possibly going in 2 groups (not necessarily the usual ones) this time:
Group S1 (for Shy one), who follow MS-DEFCON almost religiously: Install only needed patches, including the usual. Also flashing firmware updates at this time, if OK’ed by Intel/AMD.
Group B2 (for Bitten twice), who have rushed into things: Install patches that fix various screwups, both Microsoft & Intel/AMD related. Flash or re-flash firmware updates, if needed & OK’ed.
Windows 8.1, 64-bit, back in Group A... & leaning toward Windows 10 V1909. As long as it's a Lot Less Buggy!
Wild Bill Rides Again...-
It is a fracturing of what should be kept as simple as ‘possible’. But I cannot argue the logic. Directions when given, are going to be hard to follow and hinge on some dicey syntax. But I found, actually followed a recommendation by Canadian Tech, this site when things did not make sense. So IF it can be simple enough for a dummy, this is the place to get it.
Looking forward to the product of all efforts here. Thanks all.
1 user thanked author for this post.
-
-
I am getting a win10 machine in the next couple of days. What is the best way to control win10 updates/patches?[/quote
Well the BEST WAY would be a disk format and an Install of Windows 7. Short of that perfect solution do first boot with you Internet Modem powered off / disconnected but leave your router powered up so W10 on your new rig can still detect and config its network connection be it wireless or cabled ethernet. After that follow PKCano advice just a few posts up.
Viper
2 users thanked author for this post.
-
anonymous-
KB4078130 is not intended for everyone’s use, nor will it be released through Windows Update. It may help those who installed faulty firmware microcode to bypass the faulty function. You don’t need it unless you meet a special criteria.
Just because Microsoft releases an update doesn’t mean everyone should immediately jump on it and install the patch. Especially those patches released for Catalog only manual download/install which are usually intended for a special purpose and not general distribution. This is one of the reasons for the DEFCON system – so you don’t install patches that are unsafe or not needed. You WAIT for Woody’s approval and guidance.
-
anonymous
-
-
From Microsoft rushes Spectre patch to disable Intel’s broken update:
‘A source at Microsoft, who wished to stay anonymous, told SearchSecurity the Spectre patch was a difficult situation because “you can’t fix it in firmware alone or software alone.”
“The chip vendor releases a firmware capability, which the OSes use in a certain way in key situations to mitigate against potential abuse [or] attack. So, to mitigate, you need a firmware update plus an OS that leverages [that update]. It’s symbiotic [and] collaborative,” the source said. “Given that you need both, it was possible that an OS update would rollout on machines that didn’t yet have a firmware update, so the mitigation needed to be able to be ‘on’ or ‘off’ depending [on the presence of Intel’s microcode update].”‘
Welcome to our unique respite from the madness.
It's easy to post questions about Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.
Recent Replies
Rick Corbett on BgInfo
2 minutes agoKirsty on Canadian Tech: How to rebuild a Win7 system with minimal snooping
34 minutes agoLars220 on Canadian Tech: How to rebuild a Win7 system with minimal snooping
37 minutes agoSparky on MS-DEFCON 4: It’s time to get patched
1 hour, 1 minute ago- 1 hour, 36 minutes ago
- 3 hours, 51 minutes ago
Nibbled To Death By Ducks on Restoring to a New HDD with Macrium Reflect Free: Impossible-Software Ideas?
4 hours, 3 minutes ago- 4 hours, 27 minutes ago
- 5 hours, 10 minutes ago
anonymous on Please say goodbye to my Sainted Aunt Martha
5 hours, 15 minutes agoSlowpoke47 on Setting up backup in Mint Mate 19.2 OS
5 hours, 34 minutes agoRcsnhCwucz on How to switch AV from MSE to Bitdefender at EOL
5 hours, 41 minutes ago- 6 hours, 3 minutes ago
Noel Carboni on Have you been pushed from Win10 version 1803?
6 hours, 3 minutes agoVolume Z on Canadian Tech: How to rebuild a Win7 system with minimal snooping
6 hours, 11 minutes agoSusan Bradley on MS-DEFCON 4: It’s time to get patched
6 hours, 18 minutes agob on Have you been pushed from Win10 version 1803?
6 hours, 22 minutes ago- 6 hours, 30 minutes ago
- 6 hours, 34 minutes ago
- 6 hours, 37 minutes ago