Updating KB4343900 for Defcon 4 Confusion

Topic

New Reply

I’m turning to the group here with hopes that someone can clarify using KB3433900 KB4343900.

On my Wndows 7 x64 professional personal machine, I haven’t patched since June of this year.   Currently, I have two offers from Windows Update:

KB4345590 (2018-08 .NET Quality Rollup)

KB4343900 (2081-08 Security Monthly Quality Rollup)

Two questions:

1.  Looking at KB4343900 it appears to patch the vulnerabilities for Intel chips.  So, my confusion is……shouldn’t we avoid that ?

2.  Also, I have no idea whether or not I even meet the conditions for patching (as described in the Microsoft article below).

Any help would be appreciated.

Mike

https://support.microsoft.com/en-us/help/4343900/windows-7-update-kb4343900

Reply | Quote

Replies

KB4343900 is the August Group A monthly rollup update. Yes, it addresses security issues, such as L1TF (& FP, for those with x32 bitness).

It does have a note about a L1FT prerequisite:

Make sure previous OS protections against Spectre Variant 2 and Meltdown vulnerabilities are enabled using the registry settings outlined in the Windows Client and Windows Server guidance KB articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions.)

The known issues mentioned are “(oem # .inf)” & in IE11, “AD FS & SSO”; the first has a workaround, the 2nd is sorted out by installing the August preview patch.

Patch Lady has rated this as “Ok to Install”, but it’s your call as to whether it should be on your machine now, or to wait until next month. Next month’s patch will include the fix that’s in the Preview Patch KB4343894.

Do you have the earlier protections mentioned under the Intel chip keypoint installed yet?
Are you using IE11?

Reply | Quote

Thanks for the reply (and to whoever fixed my post).

It sounds like I should wait for a complete patch (patched patch)

 

You know, I have no idea if I have the earlier protections.   Is there an easy way to query for that?   And, no I’m not using IE11.

Image shows all updates.  Notice that the last security update was the rollup on 6/4.  Anything after that was strictly for MS Security Essentials.

Reply | Quote

Mike wrote:

2. Also, I have no idea whether or not I even meet the conditions for patching (as described in the Microsoft article below).

The information for IT Pros is in these MS pages.
But when it talks about the Client (consumer) it has this to say:

Note By default, this update is enabled. No customer action is required to enable the fixes. We are providing the following registry information for completeness in the event that customers want to disable the security fixes related to CVE-2017-5715 and CVE-2017-5754 for Windows clients.

KB4343900 is the 2081-08 Security Monthly Quality Rollup. It is released through Windows Update to the general “Joe User” population who knows nothing about Registry changes or microcode mitigations. So unless you have been “messing” with your Registry on a frequent basis (in which case you are not the regular “Joe User”), you should be OK to install it where this is concerned.

There are two known issues with KB4343900. One is the NIC (oem .inf) issue that has been there since March. If you have not had a problem so far, you shouldn’t have one now.

The other issue is in Internet Explorer 11, a blank page may appear for some redirects. Additionally, if you open a site that uses Active Directory Federation Services (AD FS) or Single sign-on (SSO), the site may be unresponsive. If you are not using SSO, this shouldn’t be a problem either. If you are using SSO, then you can install the Preview which has the fix, or wait till the Sept. patches.

I have installed KB4343900 on my Win7 machines without a problem,

1 user thanked author for this post.

Kirsty

Reply | Quote