AMD Ryzen processor vulnerability

It’s been all over the news, but I’m not yet convinced that there’s anything there, there.

Dan Goodin at Ars Technica has a technical analysis:

The flaws—in AMD’s EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile lines of processors—require attackers to first gain administrative rights on a targeted network or computer, which is a hurdle that’s difficult but by no means impossible to clear. From there, attackers can exploit the vulnerabilities to achieve a variety of extraordinary feats that would be catastrophic for the owners’ long-term security.

That — and the whole super-hyped marketing pitch — have given me pause.

I like the balance from Kevin Beaumont on his personal blog:

I would encourage security researchers not to disclose vulnerabilities like this. If you have vulnerabilities that you truly think are serious and truly want to provide information so people can protect themselves, work to get them resolved and work with the cyber security community around mitigations. The only real public exploit here at the moment is a press exploit. This situation should not be happening.

Which is exactly why I’m not going to write anything about it for Computerworld.

https://twitter.com/GossiTheDog/status/973829653772361728

March 2018 Patch Tuesday

The patches are starting to appear. I’ll keep this post updated as the situation becomes more clear.

OF COURSE We’re still at MS-DEFCON 2. You’d have to be a real glutton for punishment — and a daft one at that — to install any of these patches just yet.

SANS Internet Storm Center has its visual analysis. There are no “critical” vulnerabilities that have been disclosed, or used in the wild.

Martin Brinkmann has his usual in-depth look on ghacks.net. And it’s a busy Tuesday:

Windows 7: 21 vulnerabilities of which 21 are rated important
Windows 8.1: 20 vulnerabilities of which 20 are rated important
Windows 10 version 1607: 29 vulnerabilities of which 29 are rated important
Windows 10 version 1703: 28 vulnerabilities of which 28 are rated important
Windows 10 version 1709: 24 vulnerabilities of which 24 are rated important
Internet Explorer 11: 7 vulnerabilities, 2 critical, 5 important
Microsoft Edge: 16 vulnerabilities, 12 critical, 4 important

Don’t tell me how Edge is so much more secure than IE.

@PKCano has updated the list in AKB2000003, for those of you who apply Win7 and 8.1 Security-only patches manually.

I’ve updated the list of recently revised KB articles, KBNew. Quick check confirms that this month’s new KBs are listed there.

The master list — the Security Update Guide — is up on the MSRC Security TechCenter blog. Looks like there are 157 separately identified patches.

John Cable has the official Patch Tuesday announcement on the Windows blog.

Based on our analysis of available data, we are now lifting the AV compatibility check for the March Windows security updates for supported Windows 10 devices via Windows Update.

(Note that the antivirus check is still in effect for Win7 and 8.1.)

Microsoft has updated its Security Advisory ADV180002 Guidance to mitigate speculative execution side-channel vulnerabilities:

The following updates have been made: 1. Microsoft has released security updates for Windows Server 2008 and Windows Server 2012 to provide mitigations against the vulnerabilities discussed in this advisory. See the Affected Products table for links to download and install the updates. Note that these updates are also available via Windows Update. 2. Microsoft has also released security updates to provide additional protections for the 32-bit (x86) versions of Windows 7 and Windows 8.1. These updates are included in the March Security Only and Monthly Rollup updates. See the Affected Products table for links to download and install the updates. 3. Updated FAQ #14 to announce that the following stand-alone updates for Windows 10 are available via the Microsoft Update Catalog. These updates include microcode updates from Intel: For devices running Windows 10 Version 1703, for the latest available microcode updates see Microsoft Knowledge Base Article 4091663 (https://support.microsoft.com/en-us/help/4091663). For devices running Windows 10 Version 1607 and Windows Server 2016, for the latest available microcode updates see Microsoft Knowledge Base Article 4091664 (https://support.microsoft.com/en-us/help/4091664). For devices running Windows 10, for the the latest available microcode updates see Microsoft Knowledge Base Article 4091666 (https://support.microsoft.com/en-us/help/4091666). 4. Corrected FAQ #12 to better describe what customers need to do if they have not installed the January or February 2018 Security Only updates, and they want to be protected from the vulnerabilities described in this advisory.

These updates are currently available via the Microsoft Update Catalog for devices running Windows 10 Version 1703. For more information and the latest available microcode update for devices running Windows 10 Version 1703, see Microsoft Knowledge Base Article 4091663.

These updates are currently available via the Microsoft Update Catalog for devices running Windows 10 Version 1607 and Windows Server 2016. For more information and the latest available microcode update for devices running Windows 10 Version 1607 or Windows Server 2016, see Microsoft Knowledge Base Article 4091664.

These updates are currently available via the Microsoft Update Catalog for devices running Windows 10. For more information and the latest available microcode update for devices running Windows 10, see Microsoft Knowledge Base Article 4091666.

Microsoft will make available Intel microcode updates for Windows operating systems as they become available.

Worth noting: “Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time. ”

Ed Bott’s overview is up on ZDNet:

a variety of security updates for all supported Windows versions, as well as removing a compatibility check for antivirus software. A separate release significantly expands available microcode updates for affected Intel CPUs… includes security updates that defend against the Meltdown vulnerability on PCs running x86 versions of Windows 7 and 8.1. With those updates, all currently supported Windows releases now include defense against this vulnerability.

Trend Micro’s ZeroDay Initiative posted its analysis:

Microsoft released a whopping 75 security patches for March covering Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Microsoft Office, and ASP.NET Core. Of these 75 CVEs, 14 are listed as Critical and 61 are rated Important in severity. Six of these CVEs came through the ZDI program. Two of these bugs are listed as being publicly known, but none are listed as being under active attack.

The official Office Update page is up:

The March 2018 Public Update releases for Office are now available! This month, there are 23 security updates and 26 non-security updates. All of the security and non-security updates are listed in KB article 4090988.

Thx @PKCano, @sb

MS-DEFCON 2: March Patch Tuesday is right around the corner — turn off Auto Update

Once more unto the breach, dear friends, once more.

In preparation for tomorrow’s Patch Tuesday, we’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

Computerworld Woody on Windows.

Microsoft admits that it forced Win10 1703 machines to upgrade to Win10 1709, even with updates blocked

Third time they’ve pulled this “Gawrsh” garbage in the past four months.

Computworld Woody on Windows.

Patch Lady – getting 1709 TO install

While everyone else is wanting to keep 1709 at bay, I was wanting to get it to install on a small 32 gig hard drive.

I had previously tried a usb flash drive, purchased and installed a SD card and neither one worked.  A good (geek) friend of mind recommended that I try using an external usb hard drive during the feature install process. I initially said to him that I had already used a flash drive and he kindly pointed out that he didn’t say to use a flash drive, he said to use an external USB hard drive.

While everyone historically swears that external usb powered hard drives and flash drives are the same, clearly in this feature release update process it’s not.  When I was attempting to use either the flash drive or the SD card, I would get to a point in the install process where it would say I didn’t have enough room and I would have to prompt the system to use these devices.  When it would attempt to use them, it would fail and roll back the install.

When I used the usb external hard drive, it never prompted me for the need for additional storage.

After installing the update it immediately began properly installing unlike all of the previous sessions where it would stop and roll back.

The moral of this story?  If you are like me and you DO want 1709 to install, you have a hard drive tight on space and you are having issues, go get a usb external hard drive and see if that does the trick.

Patch Lady – Microsoft admits the bug (again)

Susan here… Just spotted the acknowledgement that Woody was right in KB4023814:

Important

Microsoft is aware that this notification was incorrectly delivered to some Windows 10 Version 1703 devices that had a user-defined feature update deferral period configured. Microsoft mitigated this issue on March 8, 2018.

Microsoft releases new version of Win10 patch KB 4023057

Many people are blaming the KB 4023057 patch for all of the forced-upgrade-to-1709 woes.

Guess what? Microsoft released a new version of the KB article last night.

KB 4023057 — Update to Windows 10 Versions 1507, 1511, 1607, and 1703 for update reliability: March 8, 2018

Only certain builds of Windows 10 Versions 1507, 1511, 1607, and 1703 require this update. Devices that are running those builds will automatically get the update downloaded and installed through Windows Update… This update is not offered from the Microsoft Update Catalog.

Anybody want to bet that Microsoft just went through an “Aw, jeeez” experience and pulled whatever was cramming 1709 down customers’ throats?

Man, I can’t believe this…..

P.S. Thanks once again to @MrBrian. I found this by looking through this morning’s KBNew list.

UPDATE: Günter Born has an explanation for the last version of  KB 4023057, dated Feb. 8.

Please welcome @Microfix to the realm of the MVPs

Ladeeeeees and gentlemen……

We have a new AskWoody MVP, whom you may know as @Microfix. Now elevated to the lofty heights of AskWoody MVP-dom, @Microfix stands ready to lend a hand. Or two or three.

Please join me in welcoming @Microfix to the MVP fold.