|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
With the publication yesterday of Ulf Frisk’s “Total Meltdown” vulnerability, patching this month has turned into a damned-if-you-do/damned-if-you-don
[See the full post at: Microsoft Patch Alert: Suddenly, Windows 7 patching is an unholy mess]
NOTE: I’ve merged two other AskWoody threads on “Total Meltdown” into this thread…
It seems, something went terribly wrong: January/February 2018 Meltdown patches from Microsoft opens even a bigger hole. No more exploit is necessary to access the memory from user processes (and even write it).
See Windows 7 Jan./Feb. 2018 patches opens Total Meltdown vulnerability
Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author
https://www.borncity.com/win/
So, should people who had installed the Meltdown patches now go back and uninstall them?
They blatantly and obviously have taken all the decent patching engineers and put them at Win10 desks… it just gets worse and worse every month for everyone not on 10. And unfortunately it will most likely only get worse, because there is no recourse. They’re fulfilling their end of the deal, supporting 7 in extended support, “pray I don’t alter it further.” Imagine if GWX 2.0 came out now… people would be even more fubbernucked if they wanted to stay on 7.
I haven’t seen any evidence that Windows 10 is any better. It has more vulnerabilities than the other Windows versions each month, and its updates are no more reliable. If anything, the forced new version every six months makes Windows 10 even more problematic.
We seem to me to be on course for welcoming the end of life support for Windows 7 with a sigh of relief. Those who argue that there are better ways of protecting your system than Microsoft’s monthly updates may yet be proved to have a point!
it just gets worse and worse every month for everyone not on 10
Well, not really. Month to month 8.1 has least vulnerabilities and there are no issues with the patches. I just recall being unable to log to MS account a few months ago. It (W8.1) just keeps doing its job and is maintenance free.
I had a “Eureka!” moment a few hours ago that ties together various seemingly unrelated aspects, and testing has confirmed it! 😀 In order for Windows 7 users (or at least Windows 7 x64 users) to see the March 2018 Windows monthly rollup in Windows Update, you need to do prerequisites first. Here is one set of prerequisites that works: 1) Install the Feb. 2018 Windows monthly rollup, and 2) Hide the Feb. 2018 preview Windows monthly rollup, and 3) Set the QualityCompat registry item (discussed previously). There may be others sets of prerequisites that work also.
Here are the various seemingly unrelated aspects that I have discovered to be related:
1. Why the March 2018 Windows monthly rollup isn’t listed in Windows Update for some users.
2. The unusual supersedence behavior of KB4091290 that I observed.
3. The unusual value of the update attribute supersedenceBehavior used for the updates mentioned in points #1 and #2.
4. Why did Microsoft do the things mentioned above? I believe it’s quite likely related to the Total Meltdown vulnerability mentioned in topics https://www.askwoody.com/forums/topic/january-patches-opens-total-meltdown-hole/ and https://www.askwoody.com/forums/topic/microsoft-patch-alert-suddenly-windows-7-patching-is-an-unholy-mess/. I believe that Microsoft did this to try to make it harder for reverse engineers to discover the Total Meltdown vulnerability that Microsoft quietly fixed in the Windows 7 x64 March 2018 Windows monthly rollup.
This is the first known instance (to me anyway) of the need to hide an Optional update in order to see a non-Optional update in Windows Update in Window 7.
My previous hypothesis that Microsoft is blacklisting the March 2018 Windows monthly rollup in Windows Update for some computers known to have trouble with it seems to have been disproven.
Whew!!!!!!!!!!!
I would like to credit this abbodi86 post and this post (specifically the sentence “Windows 7 and Server 2008 R2 users should make sure they installed both the January 2018 and March 2018 Patch Tuesday releases.”), without which I may not have had the “Eureka!” moment.
If you’re using Windows Update and want to hide the Feb. 2018 preview Windows monthly rollup, you’ll need to do these first:
1. Hide the March 2018 preview Windows monthly rollup.
2. Check for updates again.
Ok, so I saw KB4088875 offered to me by WU for a couple of days after the 13th but then by Saturday the 17th it was gone from WU, leaving me being offered MSRT and Office patches.
Fast forward to a few minutes ago. I had been offered KB4088881, the March preview for April as an optional update. I hid that and reran WU. Was then offered the Feb preview for March, and subsequently hid that. Was then offered KB4088875 and KB4091290, both unchecked. I had never been offered KB4091290 before, and have installed BOTH January’s and February’s rollups when Woody has raised the MS-DEFCON level to 3 or higher for that given month’s patches.
After unhiding the March preview for April (KB4088881), I’m still being offered 4088875 and 4091290 (both unchecked by default) along with the March preview for April, KB4088881! Go figure. Since I don’t have a smart card reader installed on either of my machines, I plan to hide KB4091290.
I also believe that KB4088881 probably does have the fix that MS quietly incorporated into KB4088875, the March patch. Therefore, for now, I plan to wait until we get the green light to install April’s wave of patches unless we hear of extenuating circumstances that would make patching with March’s rollup more prudent than playing the waiting game.
I can confirm your observations.
On one of my VMs on which the March Rollup did NOT appear at all, I hid the 3-18 Preview and the 2-18 Preview.
On searching for updates, both KB 4091290 and KB 4088875 appeared in WU UNCHECKED.
The current directions @geekdom are to do nothing. Zilch. Zero. We’re at DefCon 2 rating, which means quite simply sitting tight. There is as yet no recommendation to install the March updates, nor is there any recommendation to uninstall any earlier updates.
If it’s unchecked it means don’t do anything. WAIT
Those who follow my (unofficial) update hiding advice for Windows 7 and Windows 8.1 should see the March 2018 Windows monthly rollup in Windows Update, assuming that you installed the Feb. 2018 Windows monthly rollup, and also set the QualityCompat registry item.
If you’re following Woody’s system, then it’s not time to install the March 2018 updates yet.
@MrBrian
You may have found something, but I don’t think that this issue affect users who patch regularly, every month. This has not changed from previous instances.
It is impossible for Microsoft to test every style of patching in the wild and there is likely a certain degree of complacency when it comes to Windows 7 as only those who don’t want, will not notice. Time to move to Windows 10 Pro or higher if available or non-Microsoft products. Windows 7 is almost dead.
What may be the case with the current patch is the common throttling which was described very long time ago in a post elsewhere by the Patch Lady and which was explained here by me in the past. This time it is “pseudo-throttling”, in the sense that the implementation is related to further testing rather than server load, very much so like the Office Updates in Week A.
For consistency, I will mention that there are certain configurations and update sequences which I tested and where the famous KB3021917 behaves in the same way, either checked or not.
From my point of view, any important patch available should be installed sooner or later, checked or unchecked. The only notable exception for Windows 7 is KB971033 which can be safely hidden. Everything else should be installed, including KB2952664, while turning off the well-documented CEIP, Windows Error Reporting and related Scheduled Tasks.
When i checked Windows 7 updates with powershell script, i noticed that all updates has the same value for AutoSelection/AutoDownload = 0
except 3 updates: KB4091290 (Feb 2019 preview), KB4088875 (March 2018 Security), KB3021917 (Win10 related)
those has the values as:
AutoSelection : 1
AutoDownload : 2
It is impossible for Microsoft to test every style of patching in the wild
Yes, but they did a lot better job of it before disbanding their testing dept. Also, when they did individual patches rather than one big rollup, you could block one that caused issues. No more; now, it’s either all or none.
It’s been an “unholy mess” since January at least. So, let me get this straight. Those who were frantically scrambling to update their Win7 PC’s against Meltdown have created an even WORSE vulnerability than what was there previously? You can’t make this stuff up.. and people think it’s dangerous to run unpatched? Stuff like this just proves my point and even further solidifies my decision to stop patching permanently. My machine is way more secure without these destructive patches.
MS is deliberately sabotaging Windows 7 (and 8.1 too perhaps? Does the meltdown patch for 8.1 cause the same vulnerability?) and if they’re not, then they are consistently incompetent on levels never seen before. This is still GWX only now (and for awhile now), it has changed from forcing upgrades to maliciously destroying the OS in an attempt to scare people to upgrade to Windows 10 voluntarily. It’s even more reason to avoid it IMO.
It’s a shame they continue shooting themselves in the foot over Win10 because it really is a fantastic OS. But the doubts and negativity surrounding it – and their behaviors over the last few years – it’s just not a good environment, and it’s undoubtedly all their own fault. They’re too eager to slurp data and control things that they’re circumventing and ignoring more than 20 years of processes and standards.
Agreed. 🙁
Based on MS’ track record, only an idiot would use their IoT stuff:
https://blogs.microsoft.com/iot/2018…manufacturing/
-lehnerus2000
More observations found the other day:
PS: Tried to access the site earlier but could not get in (for obvious reasons)
That was the last straw. I’ve just removed all updates newer than January 2018 from my small Win 7 system, which was patched to January level Group A style, and lo and behold my max I/O throughput is now back to historically high levels. Thank goodness that uninstalling updates worked. Good riddance to the (now clearly ineffective) mitigations and the associated performance losses. I’ll continue to rely upon my other security layers.
I never did put those mitigations into my Win 8.1 workstation in the first place, because I could stand the performance hits even less on that system.
Always ask yourself, “What price security?” and know that nothing can ever be completely secure. It’s always about risk/reward tradeoffs.
-Noel
I’m thinking my mother and father should roll their computers back to the pre-January update state. All this literally less than one week after they updated.
Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
A weatherman that can code
I just finished reading Woody’s Computerworld article.
I did download the script from Microsoft’s web page. Furthermore, I did hide the March and then February previews, so I was able to get KB4088875 to reappear in Windows Update as an unchecked update.
But that’s as far as I’ve gone. I haven’t run the script or installed the update. So what, if anything, should Windows 7 users be doing about Total Meltdown?
Thank you for answering my question. I can’t say I’m surprised by the answer of “do nothing”.
Perhaps you know the answer to this one: “How can Microsoft employees screw up so badly month after month and not lose their jobs?”
Who says Microsoft thinks they screwed up?
Gosh, if anything they made Win 7 seem less attractive to people trying to stick with it a little longer. Did a fraction of a percent of the BILLION+ Windows users get fed up THIS time and just buy a new computer?
If anything, a real screwup would be to make the old operating systems better somehow.
-Noel
Who says Microsoft thinks they screwed up? Gosh, if anything they made Win 7 seem less attractive to people trying to stick with it a little longer. Did a fraction of a percent of the BILLION+ Windows users get fed up THIS time and just buy a new computer? If anything, a real screwup would be to make the old operating systems better somehow. -Noel
The only people really paying attention to this stuff are the ones who read tech headlines. And they don’t strike me as the type to buy a new Windows computer in a fit of pique.
And yes, Microsoft must know they screwed up, even though they wish all Windows 7 users would just “upgrade” to Windows 10.
Is it recommended to uninstall the Meltdown fixes at this stage then? This whole mess has me confused. Group B so I only installed the AMD-centric Meltdown update.
I’m looking for some clarity here, I installed the Jan 2018 & Feb 2018 “Rollups” ( win 7 x64 & x86 ) when Woody announced that it was time to get patched. I have stayed away from the March 2018 updates altogether so far.
After reading Woody’s Computerworld article, should I uninstall Jan & Feb 2018 Rollups??? Any advice appreciated.
Note: I haven’t noticed any problems with the Rollups but according to what I read in the article, they put a massive hole in your security. Please correct me if I have misread something.
Don't take yourself so seriously, no one else does 🙂
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).
Ok, my earlier submission got swallowed by a server timeout error, so I’ll try again.
I’m looking for some clarity here, I installed the Jan 2018 & Feb 2018 “Rollups” ( win 7 x64 & x86 ) when Woody announced that it was time to get patched. I have stayed away from the March 2018 updates altogether so far. After reading Woody’s Computerworld article, should I uninstall Jan & Feb 2018 Rollups??? Any advice appreciated. Note: I haven’t noticed any problems with the Rollups but according to what I read in the article, they put a massive hole in your security. Please correct me if I have misread something.
The standard advice for now is to sit tight, and don’t install the March patch until Woody gives the go-ahead for it. By the same token, don’t uninstall any patches already installed unless they’re causing visible problems with your computer right now, or unless Woody or one of the highly regarded MVP’s here tell us to do so.
Although there is the massive hole caused by the January and/or February patch(es) that’s been described, there’s nothing out there yet taking advantage of it. Just like the Meltdown and Spectre holes, nothing currently taking advantage of them.
So, sit tight for now, but keep checking back here at least once a day to see if there’s a change to the MS-DEFCON level. If there is, you can bet Woody will give us the full details on what to do, patching-wise.
You’re Very Welcome, @CaDesertRat and @Demeter. BTW, I’ve had Windows Update set to “Never Check for Updates” since the days of Windows XP.
I saw a very good friend’s computer completely bricked by Windows Update when there were about 15 or so updates for it to download and install by itself. He and I left to run some errands, returning about an hour or so later. Upon returning, instead of finding his computer updated after having rebooted after installing all the updates, we found a BSOD greeting us. It took quite a bit (the better part of a whole weekend day) to uninstall the mess and get his machine up and running again with all the patches installed successfully.
Ever since then, I only install Windows security updates one at a time and reboot after each one of them, whether it needs it or not. Although this takes longer than just clicking all the boxes for the updates in Windows Update and letting it do it’s thing, it’s less of a hassle uninstalling only one update that’s causing problems instead of uninstalling several updates to find which one has caused a problem.
@Demeter: “I didn’t know it was possible to uninstall an update. How is that done?”
– Click on Start > Control Panel > Windows Update
– Click on ‘Installed Updates’ in the lower left corner of your screen
(it may take time, so give your computer some time to show all the updates)
– At the top of the page you’ll see
“Uninstall an update
To uninstall an update, select it from the list and then click Uninstall or Change.”
– You can also right-click on an update in order to Uninstall it.
P.S. Please do not comment in ‘bold’ as it makes it difficult to read 🙂
Thanks SueW for the straightforward instructions. Seeking advice from those more techie than me, uninstall KB4056894 & KB4074598 or best to just wait it out?
Woody hasn’t given the go-ahead to do anything yet. Microsoft is recommending to install KB4100480 “immediately” if you previously installed any of the updates listed at https://support.microsoft.com/en-us/help/4100480/windows-kernel-update-for-cve-2018-1038. I installed KB4100480 last night.
TotalMeltdown ain’t the half of it. In my opinion, TotalMeltdown is so serious that one is left with only two choices:
1. Dump the Microsoft January and February Meltdown patches, make sure that you only use web browsers which have been updated to prevent Meltdown, be extremely careful with regards to installing any new software, and use an AV program which alerts you to any new and unknown process which mysteriously shows up and tries to run on your computer. Far from all AV programs have features to automatically block new and unknown processes which try to launch without your approval.
2. Install the incredibly flawed March update (rollup or security only) in order to resolve the TotalMeltdown issue which was created by inept Microsoft programming.
I have been following various online forums in which experts about CPU design reiterate that Meltdown and Spectre are just the tip of the iceberg in terms of various specific types of vulnerabilities and attack methods which will be discovered in years to come and which are related to the branch predictor, speculative execution, and side-channel vulnerabilities. None of them are discussing what new types of vulnerabilities and exploit methods will be found in the next few to several years, yet all of them are saying that “this is as bad as it gets.”
So, here is a new one which was announced on March 27, 2018…
A totally new type of side-channel attack, called BranchScope, was announced yesterday. BranchScope is the first side-channel attack which targets extracting information by forcing collisions in the branch predictor, and which achieves a success rate of over 99%. Fortunately, BranchScope runs very slowly. It can take BranchScope up to 30 minutes to fully initialize. Mitigating running BranchScope malware is theoretically possible, yet it appears that doing so would have severe performance impacts. More importantly, BranchScope isn’t related to Meltdown. Instead, BranchScope is related to the Spectre vulnerabilities. Intel’s latest CPU microcode which mitigates against Spectre has zero effect on BranchScope. And of course, Microsoft’s Meltdown patches have zero effect on BranchScope.
I predict that the list of newly discovered methods which exploit the underlying CPU hardware issues will slowly yet exponentially grow over the next several months to years.
Nothing mitigates BranchScope in any way. Not the Meltdown patches. Not the Intel Spectre patches which Intel implements via new CPU microcode. Presently, it is unclear to me if there actually is any way to mitigate against BranchScope. See:
BranchScope vulnerability could be the next Spectre/Meltdown flaw for the enterprise
I do hope that I am raining on everyone’s parade who thinks that Meltdown and Spectre are over-hyped and that such attacks which are based on the underlying and inherent CPU design flaws are not forthcoming. I can assure you that they are since that is what all of the CPU design experts who I have been following are saying, in between the lines, since they realize just how deep this rabbit hole goes. And it would appear that BranchScope could well be the first “bulletproof” new type of attack vector in terms of Microsoft’s Meltdown mitigations and in terms of Intel’s latest CPU microcode mitigations.
To top all of the above off, another type of vulnerability called SgxPectre was disclosed earlier in March, around March 5, 2018. The SgxPectre vulnerability is capable of reading all the contents of Intel SGX-powered secure enclaves. See:
Spectre-like attack exposes entire contents of Intel’s SGX secure enclave
In layman’s terms, it is back to the drawing board in terms of resolving all possible exploit scenarios for the inherent CPU design flaws.
It is what it is, and it is so far from pretty — six ways from Sunday.
If it is possible, you have understated the scope and extent of the problem. Inside the hardware side of the community, there has been a effort to get Intel to do a complete redesign. In broad terms chip design stopped, while software development took off, and well, here we are. Will this be fixed and will this take time, oh yeah, but there is no choice. Intel put themselves on the hook for this, and some very powerful forces are not letting them off.
@ GoneToPlaid
That’s what you get when Intel prioritized speedy performance over security, in their ha$te to out-market AMD chips during the 1990s.
___ What is the point of a faster-performing Intel CPU when the Meltdown & Spectre mitigations result in a performance-hit of about 20%.?
IMO, branch prediction and speculative execution should not have been introduced by the tech industry. Fake-speed.? … like the fake-RAID of Intel’s RST driver.?
___ Branch prediction and speculative execution are like a servant/server trying to predict and speculate on what his/her employer wants to eat for lunch, by processing/peparing 5 different lunch-meals in the morning, based on what the employer had eaten for lunch the previous days. Similarly for the employer’s dinner, supper and breakfast everyday.
Also, branch prediction and speculative execution use more RAM memory and consume more electricity. Why not just let the CPU be idle when the computer user does not need it, instead of constantly doing predictions and speculations, eg when the user is watching a lengthy movie.?
You make a lot of sense, but I think your conclusion about the wide range of potential vulnerabilities points to the inadequacy of relying on [buggy] Microsoft patches in the future, at least until chip design catches up. That leaves your first option.
Woody :
Windows 7 x64 Intel processor – I never could get the Jan Security Only update to install, but Feb did. Should I uninstall Feb in this case and install only the March Security Only update when you give the all clear? This is getting a bit much to try and figure out. Thanks
I am so glad that I didn’t install the Win. 7 January or February patches. I kept my head down, because despite all the pressure my gut feeling was that I would be safer risking a Spectre/Meltdown attack. I was right.
I think an Anonymous poster on The Register site hits the nail squarely on the head with this comment on the topic “Microsoft’s Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE”:
“Microsoft ain’t done til Windows 7 won’t run!”
This makes the third month in a row where the risk-reward ratio is upside down.
I compiled “A really simple test you can compile with cygwin – if it doesn’t crash, the bug is present” from https://news.ycombinator.com/item?id=16693599#16695529 and no matter when March updates I install IT STILL SAYS MY PC IS VULNERABLE.
I compiled it once with 64 bit gcc and once with Visual Studio 2017 Community and both agree so I’m fairly sure about this.
PLEASE somebody find out which update is supposed to fix this.
Edit to remove HTML Please use the “text” tab in the entry box when you copy/paste
Perhaps “Total Meltdown” would more accurately be described as “Microsoft Meltdown”.
I’ve said it before and it bears repeating – my Linux Mint installation looks better and better every day!
https://support.microsoft.com/en-hk/help/4088875/windows-7-update-kb4088875 has been updated today. Can anyone see if it is the script that has been altered?
~ Annemarie
A data point: I’ve had March 13, 2018—KB4088875 (Monthly Rollup) installed since March 25 on a home computer, with no apparent problems thus far. The other Windows 7 updates were installed on March 18, also with no apparent problems thus far.
Unholy mess is correct. First time I’m reading about this total meltdown thing and like everyone else I am royally p****ed off at Microsoft. I have no idea the best course of action now other than uninstalling both January and February because March certainly isn’t fit for purpose. The only upside is that there are no known exploits as yet but I feel like a mug for keeping updated, thinking I’m doing the right thing and all along making it worse! Microsoft, you are a disgrace to the profession.
Win7-64Pro_SP1, Office 2010, Group B for OS and IE, WU for Office and .NET.
An unholy mess! Well said! I personally would describe it differently and with far more vivid terms, but the posting rules and decorum were made to prevent such an occurrence. 🙂
Both of my remaining Win7 computers (laptop and desktop) are up to date with the exception of the March Security Only patches. No negative effects from the March IE and Office 2010 patches, or the older Jan/Feb patches as far as booting, BSODs, etc.
However, on the laptop (4th Generation i5), after the Jan/Feb Security Only patches, and a Lenovo UEFI update it is SLOW due to the Spectre/Meltdown mitigations. Boot time has gotten 40% longer, and AV scans are slower. Some program launches are slower to load, but run normally. Inspectre utility says “not vulnerable” to both Spectre and Meltdown. The laptop; is not for any gaming or daily usage, but for photo-editing when on travel and email, although the email task has largely been eclipsed by the iPad Pro (thinner, lighter, more reliable, less of a [pain], etc.). However the photo-editing programs are Windows only, although there are Mac versions available from the camera manufacturer at no cost. This device would be a good Linux candidate, but I just do not like Gimp, a Linux photo editor.
The desktop (i7-960 and Intel brand MB), and my preferred PC, will never get a new BIOS or firmware update for the Spectre/Meltdown issue. The only impact I see from the January/Feb Meltdown “fixes” is searches are slower. Apparently, according the Intel website, they have no access to the programming (or more likely to laid off programmers) of the BIOS or firmware of that age device(s). So be it. This box is the gaming machine and the main PC and runs like a top on Windows 7 and the games are not adversely affected..
I have been planning (and delaying) a Linux build to replace the desktop for over a year. I tell myself the delay is partially to wait for Ubuntu 18.04 LTS and the next gen Linux Mint, however I find in all honesty, I just have heartburn paying for Intel CPUs with a major feature (now called a flaw), and with no fix of the feature/flaw on the near horizon. AMD may be an option, but I have found Intel-based systems are easier, due to market share, when trying to resolve an issue under Linux.
I am now at the point where I find I have to make decisions within the following parameters. Win10 is absolutely, positively out for all the reasons so often discussed on this and other sites, plus I absolutely, positively will not reward MS for their sabotage and negligence. I enjoy gaming as relaxation, but I am now finding the aggravation of the updating has negated the fun of keeping Windows for the gaming, and just general PC use and productivity. Patching is one thing, but needing to run VBScripts in order to patch a STANDARD WU offered patch is another. BTW, how does a regular user, (i.e., the PC as an appliance user) address that issue? I am leaning towards Noel’s tact of uninstalling the January and February OS patches to fix the “new” vulnerability caused by the flawed patches, and just running unpatched until such time as it is fixed. However, I honestly do not see ‘being fixed’ as possible as I believe this current situation is as much by deliberate design as GWX was. I am sure it is merely coincidence that this is occurring as reports are showing progress in Win10 adoption by the enterprise – the only customers with the clout to get MS attention.
I will just start the Linux build. Some of the games are available on Linux under Steam, and I guess I will just have to learn to like Gimp. That will become the main PC, with the Win7 desktop to be the backup for those rare Windows critical tasks, and gaming.
Bill:
If you have 64-bit Linux as your host OS, and if you have sufficient memory (say, 8GB), you can install VMWare Workstation Player, then install Windows 7 and all of your Windows software in a virtual machine. This will make your transition to Linux a lot easier, because Windows will be just a click away if you can’t do a particular task under Linux.
Jim
Thanks @MrJimPhelps.
I was just reading your comments on the Linux for Windows wonks and was beginning to see that as a potential solution. Since I will be building the box, I was going to go with 8 or 16GB of ram, so a VM have enough RAM to work.
I am not familiar with actually working with VMs, so forgive it this question is a bit amateurish, but could you use an existing Windows install on a HDD (assuming it is for the hardware you have), to launch in the VM? I like the concept of the VM as I do not want to do a dual boot since I have had problems in the past with an update to Linux messing up the dual bootability. The dual boot capabilities are now much improved, but I would prefer to avoid that issue.
I had also been thinking of using a removable drive caddy, but from my reading they are not designed for routine swapping (at least not the lower cost ones).
Disk2VHD may be what you’re looking for. Disk2VHD copies an active Windows install and creates a new Virtual Machine you can then run. Not quite what you’re asking for (you’re not using the actual Windows install, just a copy of it), but very useful for people who want to run a Windows VM in Linux, (or a Windows 7 VM under Win10).
https://www.veeam.com/blog/how-to-convert-physical-machine-hyper-v-virtual-machine-disk2vhd.html
Security update KB4100480 was released by Microsoft on March 29, 2018. I believe this update fixes the Total Meltdown vulnerability. More info: Windows kernel update for CVE-2018-1038.
I don’t know offhand. I’d prefer installing KB4100480 instead of uninstalling updates.
Here is the MS info and the way I understand it,
1-an attacker would have to physically log on your machine to take advantage of it
2- If you have installed ANY of the updates since 1/1/18, you should install 4100480:
CVE-2018-1038 | Windows Kernel Elevation of Privilege Vulnerability
Security Vulnerability
Published: 03/29/2018
MITRE CVE-2018-1038
On this page
Executive Summary
Exploitability Assessmen
Affected Products
Mitigations
Workarounds
FAQ
Acknowledgements
Disclaimer
Revisions
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.
The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
FAQ
I am running Windows 7 or Windows Server 2008 R2 on my system. At what point do I need to install security update 4100480?
If you are running Windows 7 for x64-based Systems or Windows Server 2008 R2 for x64-based Systems, and you have installed any of the servicing updates released during or after January 2018, you need to install 4100480 immediately to be protected from this vulnerability.
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038
PS: So in my case, I installed Jan. & Feb. Rollups so this update would be critical for me other than the fact that no one else physically accesses my computers. Is that correct?
Don't take yourself so seriously, no one else does 🙂
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).
“PS: So in my case, I installed Jan. & Feb. Rollups so this update would be critical for me other than the fact that no one else physically accesses my computers. Is that correct?”
No. Malware could exploit this also.
KB 4074736 is the Win8.1 stand-alone cumulative update for IE11. It has to be downloaded from the MS Update Catalog and manually installed.
If you install the Feb Rollup KB 4074594 through Win Update, it will contain that patch and you don’t have to install it separately.
Hi guys, this is my first post here. I sent Woody an email with my experience and suggestions on how to stop Win 10 from its continuous and forced attempts to upgrade, and he asked me to post it here. So here I go. (FYI: I still have version 1703, because version 1709 destroys my WiFi and therefore renders my laptop useless, so I’m avoiding this upgrade as far as I can.)
I do the following:
1. Disable Windows Update service. But as you know, Win 10 doesn’t care about that and enables it without your permission, so I constantly check if Windows has enabled it. In that case, I disable it again (and again, and again…).
2. When the Windows 10 Update Assistant pops up, I open the Task Manager and manually force the task to end.
3. This is the most important step. I keep checking the folder C:\Windows\SoftwareDistribution\Download, where Windows downloads the upgrades. Then I permanently delete all folders and files located there (with Shift-Del, and with Administrator rights). In case Windows doesn’t let you delete them, you should go back to steps 1 and 2 (that is, force those tasks and services to end). In any case, it’s not necessary to wipe out every file or folder from C:\Windows\SoftwareDistribution\Download, because Windows won’t install an upgrade if the download is incomplete. That is, Windows checks the integrity of that folder before installing anything.
Repeat steps 1, 2 and 3 every now and then, with infinite patience… It’s a torture, I know, but in this way I’ve been able to avoid Windows from installing version 1709.
In practice, what I do is keep checking periodically the folder C:\Windows\SoftwareDistribution\Download. If it’s not empty, it means Windows is forcing again the download of the upgrades. So I repeat steps 1 through 3.
This even works if Windows tells you it is ready for installing the upgrade (that is, it has downloaded everything and checked for the integrity of the download). In this case, just delete all files from C:\Windows\SoftwareDistribution\Download, and Windows won’t be able to install the update.
Hope this helps a little.
Bernie
I don’t use Windows 10, yet what you describe is a most interesting technique. Perhaps some bright programmer somewhere will write a “scrubber” program which accomplishes what you have described. Thanks a million for your insightful post.
“1. Disable Windows Update service. But as you know, Win 10 doesn’t care about that and enables it without your permission, so I constantly check if Windows has enabled it. In that case, I disable it again (and again, and again…).”
Two different ways of disabling the Windows Update service that might work permanently are found in Windows Update Blocker and this script from AveYo.
“2. When the Windows 10 Update Assistant pops up, I open the Task Manager and manually force the task to end.”
I’ve previously suggested blocking execution of officeassistant.exe, which is what the tasks that KB4023814 installs run. One neat way to block execution of an .exe is the Image File Execution Options debugger method. I haven’t tested blocking of officeassistant.exe yet.
“3. This is the most important step. I keep checking the folder C:\Windows\SoftwareDistribution\Download, where Windows downloads the upgrades.”
The text in the Windows 7 March 2018 updates KB4088881, KB4088875, and KB4088878 has been changed in a manner that suggests that KB4099950 is now being bundled with these three updates for those installing them via Windows Update or WSUS. I believe that this bundling does not happen for those using the Catalog versions of these three updates.
KB4093118 probably is the patch tueday rollup, and they are relaxing (lifting) the QualityCompat Allow key requirement, like Windows 10
You’ll first have to decide whether to install any updates this month.
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
