Patch Watch: Tracking Issues with the Spectre Patches on AMD Machines

Patch Watch: Tracking Issues with the Spectre Patches on AMD Machines

Beware, AMD chip owners. For you Windows Secrets readers who have computers with AMD inside, these Spectre/Meltdown patches are causing more issues than they are preventing. So much so that Microsoft has halted release of the updates on machines that have AMD chipsets. Some of the relevant security posts include the following:

• Microsoft’s KB4073707 on the issues with AMD chip sets and how Microsoft is blocking the patches until the issue is resolved.
• Microsoft’s KB4073757 recapping the overall guidance

Let’s recap the big picture:

• Intel CPU chips have a bug in their very architecture.
• Researchers found a way for attackers to possibly steal passwords and other confidential information from our machines. As of publication, the attack has not been used in the wild. However, the potential is there and it’sreally concerning up in cloud servers as it could mean that fellow virtual servers could read information from a tenant next door.
• It won’t be enough to patch for the Windows operating system, you’ll need to patch the firmware on your computer as well.
• It’s not a Microsoft bug, but because everything uses CPUs, pretty much everything needs to be patched ranging from phones to firewalls. So after you get your patches for Windows, go look for updates for anything else that has a CPU included in it (I’m not kidding or overstating the issue).
• A bigger concern to many will be the performance hit this “fix” will make on your system as discussed in a Microsoft blog. The older your computer the more the “hit” will be. If you have a computer that is a 2015-era PC with Haswell or older CPU – you will notice a difference.
• CERT goes so far as to recommend replacing the CPU hardware in their blog post. I’m not ready to go that far, but it would be wise to review how old your computer hardware is, evaluate the performance hit and plan accordingly.

Check That Your Antivirus Is Supported

Because this is a kernel update, antivirus vendors who have hooked into the kernel for additional protection could trigger blue screens of death if they are not updated for the change introduced by this patch. Thus Microsoft is requiring that before the January Windows and .NET updates are installed that a registry entry is made by the vendor – or by you if your vendor doesn’t provide the registry key in an update – before the January updates are installed.

Make sure you review the antivirus listing page that is tracking all of the antivirus vendors and when they plan to support these January updates. If your vendor doesn’t support these updates, it’s time to find a new vendor. If you don’t use antivirus (say on a specialized server), you’ll need to manually add the following:

• HKEY_LOCAL_MACHINE
• SOFTWARE
• Microsoft
• Windows
• CurrentVersion
• QualityCompat

In the right hand side in the registry look for the value as shown below:

• Value Name=”cadca5fe-87d3-4b96-b7fb-a231484277cc”
• Type=”REG_DWORD”
• Data=”0x00000000”

For those who have to patch servers, you need to be aware that you’ll need to perform all the steps done as you did on Windows client workstations – checking that antivirus is ready, and installing the updates – but also manually add two or three registry keys on the server. You will need to add two registry keys for a “normal” server, and all three registry keys as noted in the KB4072698 if the server is a HyperV or virtualization host.

The registry keys that need to be added include:

• reg add “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerMemory Management” /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
• reg add “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerMemory Management” /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
• reg add “HKLMSOFTWAREMicrosoftWindows NTCurrentVersionVirtualization” /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d “1.0” /f

And finally remember that just about every device uses CPU chips. Start reviewing your phones, your devices, to see if these items need patches and firmware updates as well.

What to do: Review that you are ready for this update and feel free to wait a bit longer to be sure your system and your antivirus is ready for this update.

Adobe Released Updates to Flash Player

For Windows 10, and 8.1 expect to see KB4056887 that should be installed as soon as possible. For Windows 7 machines, if you have flash installed, expect to see a standalone update offered from Adobe Flash addressing this Adobe issue.

What to do: Check your Flash and expect an update for Windows 7 machines.

Windows 10 Releases

Last week’s security updates include the following:

• KB4056892 for Windows 10 1709
• KB4056891 for Windows 10 1703
• KB4056890 for Windows 10 1607
• KB4056888 for Windows 10 1511
• KB4056893 For Windows 10 RTM (for those running Long Term Servicing Branch

As stated earlier, the side effects include BSOD’s on AMD machines and performance hits. Microsoft is currently blocking these updates on AMD machines until the issue is resolved.

The 1709 release includes quite a few fixes including:

• Addresses issue where event logs stop receiving events when a maximum file size policy is applied to the channel.
• Addresses issue where printing an Office Online document in Microsoft Edge fails.
• Addresses issue where the touch keyboard doesn’t support the standard layout for 109 keyboards.
• Addresses video playback issues in applications such as Microsoft Edge that affect some devices when playing back video on a monitor and a secondary, duplicated display.
• Addresses issue where Microsoft Edge stops responding for up to 3 seconds while displaying content from a software rendering path.
• Addresses issue where only 4 TB of memory is shown as available in Task Manager in Windows Server version 1709 when more memory is actually installed, configured, and available.
• Addresses issue where update installation may stop at 99% and may show elevated CPU or disk utilization. This occurs if a device was reset using the Reset this PC functionality after installing KB4054022.

At the present time, if you have not received these updates, I’ll recommend you pause updates on your 1709 machine. To pause updates, you’ll need the Windows Pro version. You cannot pause updates on Home versions. You’ll need to go into the advanced settings of the Windows update app and choose to pause updates as shown on the blog.

What to do: Pause these updates until more issues get resolved.

Windows 7 Updates

The Windows 7 updates released this month in the form of KB4056894 includes the security updates for Spectre/Meltdown CPU bugs as well as Windows SMB Server, Windows Kernel, Microsoft Graphics Component, Internet Explorer, and Windows Graphic. Like the Windows 10 updates, you will need to ensure your antivirus is ready for this update.

What to do: Consider stopping updates at this time if you have not yet received this update.

Windows 8.1 Updates

Windows 8.1 includes security updates for the Spectre/Meltdown CPU bugs in the form of KB4056895. Like the Windows 10 updates, you will need to nensure your antivirus is ready for this update.

What to do: Consider stopping updates at this time if you have not yet received this update.

.NET Patches Need Registry Key

Because .net updates are part of Windows 10, they too have a registry key dependency..

The .net updates as noted by the .NET blog include the following updates:

• KB4055532 for 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, and 4.7.1 updates for Windows 7 SP1 and Windows Server 2008 R2 SP1
• KB4054998 for .NET Framework 3.5.1 for Windows 7 SP1 and Windows Server 2008 R2 SP1
• KB4054995 for .NET Framework 4.5.2 for Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2
• KB4055002 for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, and 4.7.1 for Windows 7 SP1 and Windows Server 2008 R2 SP1 and .NET Framework 4.6 on Windows Server 2008 SP2
• KB4054995 for .NET Framework 4.5.2 for Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2

What to do: Consider stopping updates at this time if your antivirus is not ready for this update.

Office Update Releases

After all of the issues with the Windows updates, Office updates appear to be tame in comparison.

For those of you on Office click to run versions, you should expect to be upgraded to the latest version in the background. If however, you have the old fashioned MSI – or patch based Office deployments expect to see the following updates:

Office 2016

• KB4011627 Fixing a vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011574 Fixing a vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011622 This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011632 This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011626 This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. It also fixes an issue whereby if you select multiple attachments and try to cancel one of the attachments, all the other attachments are cancelled.
• KB4011643 This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.

Office 2013

• KB4011639 Fixing a vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011580 Fixing a vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011636 Fixing a vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011637 Fixing a vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. It also fixes the issue whereby if you send an email message from Outlook.com to a recipient outside of Office 365, the recipient always gets a winmail.dat attachment in the message.
• KB4011651 Fixing a vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.

Office 2010

• KB4011660 Fixing a vulnerability in Microsoft Excel that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011658 Fixing a vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011611 Fixing a vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011273 Fixing a vulnerability in Microsoft Outlook that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011659 Fixing a vulnerability in Microsoft Word that could allow remote code execution if a user opens a specially crafted Office file.

Office 2007

• KB4011602 Fixing a vulnerability in Microsoft Excel that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011606 Fixing a vulnerability in Microsoft Excel Viewer that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011607 Fixing a vulnerability in Microsoft Office Compatibility Pack that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011605 Fixing a vulnerability in Microsoft Office Compatibility Pack that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011201 Fixing a vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011656 Fixing a vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011213 Fixing a vulnerability in Microsoft Outlook that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011657 Fixing a vulnerability in Microsoft Word 2007 that could allow remote code execution if a user opens a specially crafted Office file.
• KB4011641 Fixing a vulnerability in Microsoft Word Viewer that could allow remote code execution if a user opens a specially crafted Office file.

What to do: Due to the number of remote code execution bugs in these, I’ll recommend you install these updates as soon as possible.

Holding Off on the Rest of Office Updates

Hold off as usual for the following non security updates that were released earlier this month:

Office 2013

• January 2, 2018 update for PowerPoint 2013 KB401165 After you install February 7, 2017, update for PowerPoint 2013 (KB3141461), when you send a presentation file that contains some special characters, such as a number sign (#) in the name as an attachment, the file name is truncated.
• January 2, 2018 update for Project 2013 KB4011640 This update fixes various issues with Project 2013.
• January 2, 2018 update for Skype for Business 2015 KB4011638 This update also includes the new Skype for Business client.

Office 2016

• January 2, 2018, update for Access 2016 KB4011221 Access 2016 may crash when you try to add a lookup column to a related table in the Datasheet view.
• January 2, 2018 update for Office 2016 KB3178662 This update improves the thesaurus for modern usage guidelines for all Office 2016 products.
• January 2, 2018, update for Office 2016 KB4011146 Translates some terms in multiple languages to make sure that the meaning is accurate.
• January 2, 2018, update for Office 2016 KB4011569 This update improves font selection to display the text correctly.
• January 2, 2018 update for Office 2016 KB4011625 After you click the Attach File option, the drop-down list of attachments in Outlook may display “Updating” and then disappear. After you install this update, the drop-down list will not disappear, and the attachments will be presented as expected.
• Janury 2, 2018, update for Office 2016 KB4011630 This update adds a registry key that enables authentication to continue even if the Online Content is disabled.
• January 2, 2018 update for Office 2016 KB4011631 This update improves font selection to display the text correctly.
• January 2, 2018, update for Office 2016 KB4011644 In a scatter chart or a chart that contains a series line, line endings (such as arrowheads) may display inversely when you do a slide presentation. This update corrects the display inconsistency issue.
• January 2, 2018, update for PowerPoint 2016 KB4011564 This update corrects the translation for the string “Slides” in the Korean version of PowerPoint 2016.
• January 2, 2018, update for Project 2016 KB4011633 Fixes various issues in Project 2016.
• January 2, 2018, update for Office 2016 KB4011215 This update fixes a reliability issue that can occur when Visio runs in automation mode. To fix this issue, install this update and then follow the steps in the Registry information section.
• January 2, 2018, update for Skype for Business KB4011623 Fixes several issues in Skype 2016.

What to do: I recommend not installing these updates at this time.

Regularly Updated Problem-Patch Chart

This table provides the status of recent Windows and Microsoft application security updates. Patches listed below as safe to install will typically be removed from the table about a month after they appear. Status changes are highlighted in bold.

For Microsoft’s list of recently released patches, go to the MS Security TechCenter page.

Patch	Released	Description	Status
KB405689	1-03	Windows 7 rollup	*Hold*
KB4056898	1-03	Windows 8	*Hold
KB4056892 [1709]	1-03	Windows 10 1709	*Hold
KB4056891 [1703]	1-03	Windows 10 1703	*Hold
KB4056890 [1607]	1-03	Windows 10 1607	*Hold

*Hold: Please note if you’ve installed these updates and are not seeing any side effects you can leave the updates installed. I’m only recommended holding off if you are severely impacted by these side effects.

Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.

Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.

How to Recover a Lost Word Document

Is that missing Word document gone for good or is there a way to recover it? Let’s find out.

Uh, oh. That Word document you spent the past few hours writing has mysteriously vanished. Do you have to start it from scratch? Not necessarily. Your Word documents can sometimes go kerflooey, either disappearing completely or losing the latest changes. Those scenarios can occur if a document crashes or freezes or just doesn’t save properly. That recently happened to me even though I had been saving a now-lost document regularly.

So how can you find the document? You have a few options. You can scour the Recycle Bin. Depending on your settings in Word, you may be able to dig up a backup or an AutoRecovered version of your document. If those searches come up empty, you can look for temp files and files with the tilde (~) character. Let’s check out the different ways to recover a lost Word document.

As always, I’m using Word 2016 via my Office 365 subscription, but the steps I cover here work with the prior few versions of Word as well. Let’s start by assuming that you’d been working on a document and now can no longer find it. Or maybe, as in my case, you’ve opened your document only to discover that none of your recent changes appear. You’ve been saving it regularly or perhaps you neglected to save it at all.

First, let’s cover the basics if you haven’t already done so. Open File Explorer and look in the default document location and other locations throughout your hard drive for the file. If you use a file backup service, such as OneDrive, search your online storage as well as any synced computers for the file. Don’t forget to look in the OneDrive Recycle bin. If you run Windows 10 or 8.1 and have enabled File History, check the location of your file backups for the missing document. Still coming up empty? Okay, let’s move on.

The next spot to look is the Windows Recycle Bin. Open the Bin from your desktop and search for the document. If the Bin opens in icon view, click on the View menu and change the view to Details. You can now sort the list of deleted items by name, location, date deleted, or date modified. You can also run a search for the document by specifying its filename or at least its extension, e.g., *.doc or *.docx. If you find the file, great. Just right-click on it and click on Restore to bring it back to life. If not, let’s segue to the next step.

If you configured Word to always save a backup copy of your documents, you may be able to recover the backup file. To check this setting, click on the File menu and select Options. At the Word Options window, click on Advanced. Scroll down to the Save section and make sure the option to Always create backup copy is checked.

If the option is turned off, then check it to avoid trouble in the future. If it is checked, then open File Explorer and navigate to the default file location for your Word documents. Look for files with a .wbk extension by specifying *.wbk in the Search field. If a backup of the file exists, it will pop up with the words Backup of at the beginning of the filename. Open that file, and you should be in business. If not, let’s try the next step.

By default, Word saves backups of your current document into an AutoRecover location. This even includes documents that you neglected to save on your own. To confirm the location, click on the File menu and select Options. At the Word Options window, click on Save. In the Save documents section, you should see an entry for AutoRecover with the interval for saving a document and the location in which the document is saved. Select and copy the path for the AutoRecover file location.

There are two locations that could house a lost or unsaved document. Close the Word Options window. Click on the File menu and (in Word 2016 or 2013) click on the Manage Document button and then select Recover Unsaved Documents. In the Open window look for any files with an ASD extension. Open any of those files with Microsoft Word to see if your lost document appears.

If not, close Word. Open File Explorer and paste the path for the AutoRecover file location in the address field. Search through the different folders in that location for the missing document. Again, look for any documents with an ASD extension and open them with Microsoft Word.

If you’re still coming up empty, you can search for temporary files in the hopes that one of them might be your missing document. This is the way I managed to find the document that had lost all my recent changes. Open File Explorer. Select your primary drive and include the entire drive in the search to cover all locations. Change the view to Details so you can sort the files. In the search field, type *.tmp. After all the file results appear, click on the Date Modified header to sort the files by date, starting with the most recent ones first.

Assuming you started work on the document today, limit yourself to checking just files with today’s date. You can also bypass any files with a 0KB size. Then open each qualifying file with Microsoft Word to see if you recover your lost document. If not, then run another search, this time specifying ~*.* as the search parameter. If you still can’t find the file, you may want to try a file recovery tool, such as Recuva. Such programs can dig deep to hunt down files you may not be able to find otherwise.

Losing an important document that you slaved over for hours can be frustrating. But by following the steps I’ve described here, hopefully you’ll be able to recover such a document the next time it goes missing.