Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • Patch Lady – light reading for the evening

    Posted on June 13th, 2018 at 21:49 by Susan Bradley

    For those of you that like to dig a bit deeper into the details of patching, I highly recommend the Zero Day blog. For those who remember the detailed Microsoft MSRC blogs from years ago, the author is one that USED to write those detailed Microsoft blogs: Dustin Childs. Now he works for the Zero Day Initiative and writes these fantastic blogs that go a long way to help me understand the risks of *not* patching.

    The other day I said that when the point in time occurs that I’m more scared of *not* patching than I am of patching, that’s the point in time I need to patch.

    So right now, we are on day four of the updating process. I’ve installed updates on a few of my home PCs, I will be rolling an update on a sample (in my office that means ONE) production machine to see if I spot any issues. I’m watching the forums for side effects. I’m waiting for Microsoft to fix any metadata detection issues (they already expired KB4284880 as there was a duplicate up there), and I’m basically not approving anything at this time until my testing process is done.

    But what I am doing is reading and understanding what this month’s updates include.   Here’s my light reading I’m doing tonight:

    https://www.zerodayinitiative.com/blog/2018/6/12/the-june-2018-security-update-review

    The blog post spells out the security issues per CVE (Common Vulnerabilities and Exposures), not per patch. So while it doesn’t showcase the updates as you can see them on your computer (as we see them in one glob per operating system), it does give a way better deep dirty explanation of the overall risks related to not updating so you and I can get a feel for how long we should wait before we update.

    It also helps me to determine what I currently have in place for mitigations or protections that will also give me time to not patch.

    Flash zero day – “primarily targeting the Middle East region and is wrapped in an Office document”.  Okay so I’m not located in the Middle East and I not only warn users about opening attachments, we have email attachment filtering.

    DNS server bug – “The more likely scenario is simply tricking a target DNS server into querying an evil server that sends the corrupted response”. In small firms or home users, the way I see this probably used is getting your system to reach out to a malicious DNS server bypassing your DNS entries (or your ISP’s). For servers in large firms that handle handing out DNS inside of a firm, because you can’t always control what your servers connect to, this is one you’ll probably want to patch sooner versus later.

    Http.sys bug – bug in a web service, “A remote attacker could cause code execution by sending a malformed packet to a target server”.  If I’ve got a web server out there, I’ll be testing this and rolling it out sooner versus later.  But we don’t (well, we shouldn’t) run web servers on workstations so this will be lower risk there.

    Cortana bug – “someone close enough to speak to a Cortana-enabled system could execute programs with elevated privileges”  Doesn’t impact Windows 7, and like the Alexa bugs, you have to be local to the machine to do your evil deeds.  Bottom line anything these days that you yell “Hey….” to is being targeted these days because it’s sexy to go after the voice recognition stuff.

    The other thing of interest to me that ran across my radar was YASMB (yet another Spectre Meltdown bug).  This time the v4 bug is NOT enabled by default.  Based on my read it’s due to two things:

    Thing one, it’s another Spectre Meltdown with a performance hit. As per this blog post, “If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks.” Thing two, there are no active attacks and it reads to me that it’s going to be hard to exploit. Not to say it’s impossible to exploit, but there are lots of other low hanging fruit that they can use to get me.

    There’s a nice recap on the bottom of the portal page that describes which patches are and are not enabled by default in the Spectre/Meltdown patches:

      • After installing Windows updates, refer to the following table for further action to be protected from Spectre/Meltdown vulnerabilities:

    | Operating System | CVE-2017-5715 | CVE-2017-5754 | CVE-2018-3639 |
    |---|---|---|---|
    | Windows 10 | Enabled by default | Enabled by default | Disabled by default – see ADV180012 |
    | Windows Server 2016 | Disabled by default – see KB4072698 | Disabled by default – see KB4072698 | Disabled by default – see ADV180012 |
    | Windows 8.1 | Enabled by default | Enabled by default | Not available – see ADV180012 |
    | Windows Server 2012 R2 | Disabled by default – see KB4072698 | Disabled by default – see KB4072698 | Not available – see ADV180012 |
    | Windows RT 8.1 | Enabled by default | Enabled by default | Not available – see ADV180012 |
    | Windows 7 | Enabled by default | Enabled by default | Disabled by default – see ADV180012 |
    | Windows Server 2008 R2 | Disabled by default – see KB4072698 | Disabled by default – see KB4072698 | Disabled by default – see ADV180012 |
    | Windows Server 2008 | Disabled by default – see KB4072698 | Disabled by default – see KB4072698 | Not available – see ADV180012 |

    I’m still not convinced that on desktops this is as big of an issue as we are making it. I still think this is a bigger risk on cloud servers or hosted servers where you may not monitor the access as much as you do on a desktop in front of you.

    Just hot off the presses tonight we have another Intel vulnerability that will make our heads hurt trying to figure out the patches. It’s called the Lazy FP State Restore vulnerability:

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180016

    Intel Releases Security Advisory on Lazy FP State Restore Vulnerability
    06/13/2018 06:47 PM EDT

    Original release date: June 13, 2018

    Intel has released recommendations to address a vulnerability—dubbed Lazy FP state restore—affecting Intel Core-based microprocessors. An attacker could exploit this vulnerability to obtain access to sensitive information.

    NCCIC encourages users and administrators to review Intel’s Security Advisory INTEL-SA-00145, apply the necessary mitigations, and refer to software vendors for appropriate patches, when available.

    At this time Microsoft is still determining updates to be released. If you have VMs in Azure they are not affected by this vulnerability.

    All of this just showcases that you can’t just update your operating system these days, you HAVE to update your BIOS and hardware drivers.

    Here’s another example of hardware patches — Surface 3 has a standalone TPM update tool in order to fix that vulnerability. It can’t come down via Windows update, it has to be done manually.

    Lots of fun.

  • Microsoft offers more Spectre v2 microcode updates, KB 4090007, KB 4091663, KB 4091664

    Posted on April 26th, 2018 at 09:42 by woody

    Yesterday, I posted a note about two new Spectre v2 patches, KB 4078407 and KB 4091666.

    The first is a Win10-only fix that has to be combined with a microcode change from your hardware manufacturer in order to accomplish anything. As @abbodi86 notes:

    KB4078407 is not a patch, it’s just an executable that enables the Spectre mitigation protection by changing two registry entries

    The second is a microcode-only, Intel-only, Win10 1507-only patch that changes the microcode for a large number of Intel processors.

    This morning, Günter Born notes on Borncity that there are now four of these microcode patches:

    In addition to the one I described yesterday, KB4091666 for Win10 1507.

    None of them are available through Windows Update. You have to manually dig into the Update Catalog to get them.

    As noted (voluminously) there are no known exploits as yet for Meltdown, Spectre v1 or Spectre v2. You might want to tuck these away in case we ever see a reason to use them.

  • Are Windows customers getting Meltdown/Spectre bullied into buying new computers?

    Posted on April 25th, 2018 at 02:29 by woody

    Just got this from @dportenlanger:

    I think Windows users are getting snubbed. I have an old Clarksfield processor that Intel will not be updating via the BIOS. However, the Linux microcode 20180312 exists for my processor…. the Intel® Core™ i7-920XM Processor Extreme Edition (8M Cache, 2.00 GHz) at this link:

    https://downloadcenter.intel.com/download/27591/?product=43126

    So what fixes are in the 20180312 Linux Microcode? Here is a clue:

    https://www.phoronix.com/scan.php?page=news_item&px=Intel-Microcode-20180312

    I believe this is why Linux users are secure and Windows users are getting bullied (sorry, I hate that word, how about “marketed”) into new computers.

    I know this is a site for Windows Updates and news. I think this is Windows news if my conclusions are right and someone needs to call out Intel and Microsoft.

    Is that a strange conspiracy theory — or is there an element of truth to it?

  • So, where’s the 32-bit Windows 7 Meltdown patch?

    Posted on March 7th, 2018 at 14:37 by woody

    Just got this from LB:

    Hey Woody,

    What do you think about doing a story on the missing Windows 7 32-bit Meltdown fix? Or maybe mentioning it in next week’s update writeup (unless it finally hits.)

    It seems very odd that it’s taken Microsoft so long to issue a fix when the problem, and the solution (KPTI), are clear cut (as opposed to the much tougher Spectre problems.) 32-bit Win7 should still be getting security fixes until Jan 2020, last I knew.

    Anyway, just a thought. Thanks for all the work you do to keep us informed!

    take care,

    Anybody out there have some insight? Microsoft was slow to get the 32-bit Meltdown patches to Win10. Surely they wouldn’t just give up on Win7, would they?

    Er, would they?

  • Intel releases more Meltdown/Spectre firmware fixes, while Microsoft unveils a new Surface Pro 3 firmware fix that doesn’t exist

    Posted on February 21st, 2018 at 09:01 by woody

    You’d have to be incredibly trusting — of both Microsoft and Intel — to manually install any Surface firmware patch at this point. Particularly when you realize that not one single Meltdown or Spectre-related exploit is in the wild. Not one.

    Computerworld Woody on Windows.

  • Intel says its new Spectre-busting Skylake firmware patch is ready

    Posted on February 8th, 2018 at 07:08 by woody

    Oh boy. I love the smell of fresh bricked PCs in the morning.

    Yesterday, Intel said it has released new firmware that — this time, really, for sure, honest — plugs the Meltdown/Spectre security hole. Says honcho Navin Shenoy:

    Earlier this week, we released production microcode updates for several Skylake-based platforms to our OEM customers and industry partners, and we expect to do the same for more platforms in the coming days.

    What he’s actually saying is something like, “Hey, we spent six months coming up with new firmware to fix Spectre, released it, and bricked a bunch of machines. We went back to the drawing board and, two weeks later, came up with new firmware that won’t brick your machines. Have at it.”

    According to the freshly updated Microcode Revision Guidance, Intel has released updates for Skylake U-, Y-, U23e-, H-, and S- chips.

    Shenoy goes on to say:

    Ultimately, these updates will be made available in most cases through OEM firmware updates. I can’t emphasize enough how critical it is for everyone to always keep their systems up-to-date. Research tells us there is frequently a substantial lag between when people receive updates and when they actually implement them. In today’s environment, that must change.

    To which I say:

    Fool me once, shame on me. Fool me twice… well, you know.

    Folks, you’d have to be absolutely batbox crazy to install these new BIOS/UEFI patches as they’re being rolled out. Give them time to break other people’s machines — or to prove their worth in open combat. I’m sure the folks who made the new firmware are quite competent and tested the living daylights out of everything. But they did that the last time, too.

    Again, I repeat, for emphasis, there is exactly NO known Meltdown or Spectre-based malware out in the wild.

  • Update: No, Virginia, there are no Meltdown/Spectre exploits in the wild

    Posted on February 1st, 2018 at 14:33 by woody

    A reassuring tweet from Kevin Beaumont.

    The AV-Test red line graph shows that, yes, there are more and more samples being submitted to AV-Test — but, according to people who know these things, none of them are in the wild. They’re “Proof of Concept” test samples.

    UPDATE: And AV-Test responds:

  • Putting Meltdown/Spectre in perspective

    Posted on January 26th, 2018 at 08:27 by woody

    Just saw a set of tweets from Kevin Beaumont, a.k.a. @GossiTheDog:

    That’s so, so true.

    A little translation, if I may: The Meltdown/Spectre problem was revealed by Google’s Project Zero and a group of Ph.D.s at the University of Graz. Burger King has a great explainer on Net Neutrality:

    Did I ever mention that Beaumont’s one of my favorite white hats?