Widespread reports of blue screens (0X000000C4 and 0x800f0845) with Meltdown/Spectre patches for Win7 (KB 4056894) and Win10 1709 (KB 4056892)

Topic

New Reply

Several AMD processor series – Athlon, Sempron, Opteron and Turion — seem most at risk, but others are reporting problems. Can somebody explain the d
[See the full post at: Widespread reports of blue screens (0X000000C4 and 0x800f0845) with Meltdown/Spectre patches for Win7 (KB 4056894) and Win10 1709 (KB 4056894)]

2 users thanked author for this post.

Elly, AJNorth

Reply | Quote

Replies

Nothing changed in binaries, the revision was for metadata

Win 10 1709 CU is KB4056892

2 users thanked author for this post.

PKCano, woody

Reply | Quote

After what seemed like a long delay, the Win7 2018-01 Rollup (KB 4056894) is now being offered to me via Windows Update. Now I can wait to install it. =)

4 users thanked author for this post.

JDeC, Cascadian, BobbyB, MrBrian

Reply | Quote

Think maybe these patches needed more evaluation. I guess blame The Register for posting the story early which forced the updates to get released early. Guess we have all become beta testers for this stuff now.

Reply | Quote

The stampede is underway – lawyers and investors are clamoring to gulp down what’s on offer at the glutton’s trough au jour d’aujourd’hui Today’s specialty is Intel and AMD ta tare.

The meltdown vulnerability patch from Microsoft managed to melt down several AMD Athlon systems. Intel manged to stuff both feet in their mouth while madly making slashing attempts at AMD. The stocks for both AMD and Intel are up and down like an amusement park ride and lawyers are savaging and scavenging at will.

Spectre will be the final banquet. All you can eat.

What a gong show.

2 users thanked author for this post.

lurks about, HiFlyer

Reply | Quote

Given that there are no reported exploits in the wild, the patches will likely slow the PC’s and reasonable good practice will protect cautious users since malware must be delivered to the PC for this vulnerability to be exploited…there is no good reason to patch until they get it fixed.

The worse threat to PC health continues to be bad patches and bad patching practices…beta testing for Microsoft..pioneers wear arrow shirts.

9 users thanked author for this post.

JDeC, OscarCP, lurks about, Cascadian, woody, Cybertooth, SueW, Seff

Reply | Quote

There are JavaScript proof-of-concept exploits for Spectre that run in a Web browser. One is included in the Spectre paper.

1 user thanked author for this post.

AJNorth

Reply | Quote

OS vendors are not an enviable position. The problem is not of their making but they can mitigate against some of its worst aspects. The balancing act they face is to get reliable patches out last month before they get dragged into the muck. Since MS does not properly test patches anyway, these patches will be more problematic as they are affecting large swaths of Windows. A proper QA group with a little less haste would probably less the carnage.

2 users thanked author for this post.

SueW, Cybertooth

Reply | Quote

https://www.ghacks.net/2018/01/08/fix-windows-7-bsod-0x000000c4-after-installing-kb4056894/

Above is for Removing KB4056894 IF you got BSOD and can’t access W7 .

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

5 users thanked author for this post.

SueW, HiFlyer, Jan K., fk5353, MrBrian

Reply | Quote

I’m guessing that I don’t need to worry about this if I run Windows 7 and 8.1 in virtual machines in a Linux Mint host.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

Reply | Quote

See attack scenarios at https://github.com/marcan/speculation-bugs.

3 users thanked author for this post.

MrJimPhelps, HiFlyer, woody

Reply | Quote

Oh thanks for this information.

Reply | Quote

Have you been able to see the linked proof of concept code work?

Reply | Quote

I haven’t tried any of the proof-of-concepts. However, there are proof-of-concepts on github in which multiple users report their results.

Reply | Quote

After trying the linked proof of concept, I was able to see the message after changing the timing from its default. However, it isn’t certain if this is confirmation of vulnerability, if it is real then AMD needs to be more forth coming about all of their classes of CPUs.

What a mess…

1 user thanked author for this post.

MrBrian

Reply | Quote

Is windows 8.1 and AMD Radeon affected?

Reply | Quote

To my knowledge, the Rollup for Win8.1 has not been released yet.
When it is, I would hold off on installing it until things are sorted out. Particularly considering you have AMD components.

3 users thanked author for this post.

Karlston, HiFlyer, woody

Reply | Quote

the KB4056895 rollup for Win8.1 is still not yet available until most likely tomorrow January 9

my father’s Toshiba touchscreen based Satellite C55dt laptop with Win8.1 uses an AMD A6-5200 Kabini APU (an integrated CPU/GPU kind) and will definitely not rush to apply the January 2018 rollups. MS should seriously fix their buggy patches first.

1 user thanked author for this post.

HiFlyer

Reply | Quote

Group A,  Win 7X64,  Sempron  145.   No problems, no slow down so far.

Reply | Quote

My anti virus is Microsoft Security Essentials.  Win 7×64
The update had no negative effect.

Reply | Quote

2018-01 Security Monthly Quality Rollup for Windows 8.1 (KB4056895) published

Edit:
it’s removed just few minutes later! 😀

4 users thanked author for this post.

SueW, Karlston, HiFlyer, woody

Reply | Quote

yea, on and off again with KB4056895 (MS Update Catalog searches with KB4056895 still come up empty as of today)

MS will re-publish it on patch Tuesday 1/9 for sure

2 users thanked author for this post.

HiFlyer, woody

Reply | Quote

I just received the KB4056895 Quality Monthly Rollup on Win8.1 and I hide the update.  Safe to say I’m in no rush to install it.

2 users thanked author for this post.

MrBrian, abbodi86

Reply | Quote

Right

and Windows 7 Monthly Rollup got another metadata revision, still same binaries

2 users thanked author for this post.

Pim, woody

Reply | Quote

Yep, it’s up to revision 3 (at least), dated Jan 9.

I wonder if they’re trying to change the metadata to prevent it from installing on AMD machines?

Reply | Quote

I think so. On my AMD Athlon x64 the update (win7 32bit) is not longer available via windows update (it was half an hour ago). As i see they pulled it off for AMD FX too (win7 64bit).

They had to read Woodys article in order to mobilize

2 users thanked author for this post.

satrow, MrBrian

Reply | Quote

And now it is checked again, after having been unchecked (v2) and checked (v1).

Reply | Quote

Responding to Woody’s Computer World article when he says: “…The manual-download Security Only update hasn’t had as many problems. Or, at least, as many reported problems…” That is my experience too; no prob w/ Secur Only KB4056897.

From Speccy: Windows 7 Pro 64-bit SP1, 2.5 year-old mass market desktop PC, AMD64, Intel64 Family 6 Model 60 Stepping 3, PROCESSOR_LEVEL 6, PROCESSOR_REVISION 3c03, Intel Pentium G3220, Cores 2, Threads 2, @ 3.00GHz, Family 6, Extended Family 6, Model C, Extended Model 3C, Stepping 3, Revision C0, Haswell 22nm Technology; Installed Secur Only KB4056897 Late morn. Fri. 1/5/2018, along w/ IE 11 Cumulative Secur Update for x64 KB 4056568. Consistently have applied only IE 11-x64, and secur-only x64 updates. Result now: IIRC, a v/e/r/y slow reboot, appx. 4 minutes of black screen; but it did come on, and since that, reboots/ boots normally, and maybe even slightly quicker. No degradation in normal system performance experienced, genlly for word processing, ordinary Net surf, etc.

PS: I have learned to install the secur and IE 11 updates the “old way”: that is, one at a time, genlly security first; then reboot, and install IE 11 one. YMMV. Woody: Continuing: Kudos for everything you do, and have done; without your work, these M$ debacles would be an un-fathomable swamp.

5 users thanked author for this post.

SueW, JDeC, HiFlyer, woody, AJNorth

Reply | Quote

PPS:  Sorry to have omitted following from my original post:  This is re my own No. 157414, above:  Before I installed the Secur. only and the IE 11 patches, I *did* find the HKLM key, IIRC, in registry.  The first thing I had done that morning was update my virus defns. for Avast Free, recent edition of that program; dunno if Avast had inserted it in there, or not; but presumably so.

1 user thanked author for this post.

JDeC

Reply | Quote

Is no one paying attention to Microsoft where they state to verify any AntiVirus product you have installed or else it can cause a BSOD?   There is no mention in this article about that.  People need to read the information that is out there before just blindly patching.

4 users thanked author for this post.

BobbyB, Karlston, HiFlyer, woody

Reply | Quote

The average user shouldn’t be expected to dig into the registry to check whether a patch is safe or not, and won’t have an opportunity to do so before the patch installs if WU is set to “automatic”.  It’s a key part of the WU process that Microsoft checks which patches are appropriate to your machine before offering the appropriate patches to you. However,  if a user checks the patch information note it simply states that “this fix is only being made applicable to the machines where the Anti virus ISV have updated the ALLOW REGKEY” so the clear implication is that if you’re offered the patch then it’s intended for your machine.

The evidence thus far suggests that the system failures aren’t due to people patching a machine that doesn’t meet the requirements, they are due to the particular AMD version that you are running regardless of your AV and whether it meets the registry requirements. So far as I have seen, Microsoft haven’t even acknowledged that there’s a problem with AMD machines, which I find extraordinary given the many hundreds of reports on their own forums.

9 users thanked author for this post.

HiFlyer, ryegrass, BobbyB, JDeC, rontpxz81, Sessh, Karlston, Elly, Cascadian

Reply | Quote

The only way to see and answer is to click REPLY to someone then you will see the answer you posted. Otherwise it is missing.

Reply | Quote

Hello, While it is true that people should read the MS articles and known issues, only people who are here at Woody’s  or technically inclined will do so. Do you really feel “mom and pop” are going to do that? The average user will install any update offered by MS because that is what they are supposed to do and with Windows 10, you can’t stop it (unless you are technically inclined).

Reply | Quote

The Answers forum link is broken in the article.

Reply | Quote

Hmmmmm…. It’s working for me.

?

Reply | Quote

Weird. It was OK earlier today. Should be

https://answers.microsoft.com/en-us/windows/forum/windows_7-update/stop-0x000000c4-after-installing-kb4056894-2018-01/f09a8be3-5313-40bb-9cef-727fcdd4cd56

Reply | Quote

Downloaded delta KB4056890 for W10 1607 x64 installed without problems and stable for 2 days.

Reply | Quote

Is Google affected by Meltdown/Spectre, and has Google issued the patches?

Reply | Quote

Speculative Execution Side-Channel Vulnerabilities – Vendor-Published Info

6 users thanked author for this post.

SueW, HiFlyer, woody, OscarCP, PKCano, AJNorth

Reply | Quote

I am a little thrown off by what Microsoft is implying here …

https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

Until Anti-Virus makers add this registry key, you don’t get any security fixes.

Please note not only does this impact Windows Update, it also impacts Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM).

Ouch! No more Windows Updates for the unwashed.

2 users thanked author for this post.

Bill C., woody

Reply | Quote

I just saw that iPhones are getting iOS 11.2.2, which is the Spectre security fix. I will apply a bit of the old Woody DefCon with it.

I am waiting to see what Linux Mint serves up tomorrow, January 9, the cooperative patch day.

Reply | Quote

@Bill C. I don’t think Mint will serve up anything yet. If you go to the github link posted up-thread, it says the Linux kernel patch shipped with 4.14.11, which I believe is for Meltdown. My version of Mint is up to date and is running kernel 4.10.38. Mint is very cautious about what they push out. From that github link:
“[PRIV-LOAD] Linux: KPTI

Linux kernel page-table isolation. Shipped in Linux 4.14.11 and will ship in 4.15. 4.14.11 version is rough around the edges; future versions should fix further issues.”

I know that the FF mitigation for Spectre was in the repo yesterday.

justaned

1 user thanked author for this post.

Bill C.

Reply | Quote

Allow me to add this : to Ubuntuwicki in reference to kernel patches.
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

just an ed

Reply | Quote

The caution level in the Mint updates is outstanding. It givea a good deal of preventive steps to take for each level and explains the risks in “plain English.” I believe it is more explanatory than my Ubuntu is, even though they are both using Ubuntu base. I was primarily expecting something on the Community day.

And I do say I am patient to wait.

Reply | Quote

Haven’t found any comments on this, so I’ll toss it out there:

TLDR: I applied the stand-alone x86 patch KB4056897 on a Win7-32bit VM on an Intel Sandy Bridge host.  Everything normal, no bluescreen, etc.  I then ran a following validation script (from https://gallery.technet.microsoft.com/scriptcenter/Speculation-Control-e36f0050) which reported that support for kernel VA shadow (Meltdown) was not present nor enabled.

Additional details:

Going through the same patching process on a Win7-64bit VM on the same host resulted in the validation script reporting that kernel VA shadow was both present and enabled.  Both systems were stock Win7 SP1 with no anti-virus installed, and no registry key set.  For good measure, I tried setting the registry key on the 32bit VM, installing the 4056894 rollup, installing all windows updates, all with the same result – the validator script reports no Meltdown mitigation present on Win7-32.

The patch did do something though, because after patching the validation script did indicate that branch target injection (Spectre) mitigation was present, but not enabled due to lack of hardware support.  (This was expected).

So…  it’s not clear to me if the x86 version of the patch actually patches for Meltdown on Win 7-32 systems.  It could be the validator script doesn’t work properly, though the fact that it reports a change for Spectre, and reports the expected Meltdown patch state on Win 7-64 seems to argue against that.  It could be the Meltdown portion of the x86 patch doesn’t work on Win7-32 in a VM (VirtualBox) configuration.  I haven’t found any other references to this.  Can anyone duplicate my observations?  From what I can tell, folks are just happy if the patch applies without a BSOD… but what if the patch doesn’t work as intended?

Reply | Quote

see FAQ #7 at link below

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv180002

Reply | Quote

For those who use Firefox ESR, this from Mozilla (2018.01.04):

We have released the two timing-related mitigations described above with Firefox 57.0.4, Beta and Developers Edition 58.0b14, and Nightly 59.0a1 dated “2018-01-04” and later. Firefox 52 ESR does not support “SharedArrayBuffer” and is less at risk; the “performance.now()” mitigations will be included in the regularly scheduled Firefox 52.6 ESR release on January 23, 2018. (https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/)

Reply | Quote

The info was posted 2-3 days ago on Meltdown & Spectre from a Windows user’s point of view 🙂

It pays to search to see if a link has already been posted, as it often has (I’ve been caught myself!).

1 user thanked author for this post.

woody

Reply | Quote

Hello , Thank you AJNorth for that Firefox information. Good work.

Reply | Quote

Microsoft is aware of the issue with AMD.  They have paused sending out updates for win 7/ 8.1/10 with AMD Processors. All in the Link Below.

https://support.microsoft.com/en-us/help/4073707/windows-operating-system-security-update-block-for-some-amd-based-devi

3 users thanked author for this post.

abbodi86, MrBrian, woody

Reply | Quote

Woody:  Martin Brinkmann is reporting that Microsoft has halted patches for selected AMD devices:

https://www.ghacks.net/2018/01/09/microsoft-halts-security-updates-for-select-amd-devices/

MikeFromMarkham

2 users thanked author for this post.

MrBrian, woody

Reply | Quote

CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre) Windows antivirus patch compatibility:

https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true

Reply | Quote

TRY A RECOVERY DISC to get to the command prompt if the builtin recovery does not work after running the command.

We have found that some of our computers were not able to be repaired when running the command from the in builtin  Windows recovery options

dism /image:d:\ /remove-package /packagename:Package_for_RollupFix~31bf3856ad364e35~amd64~~7601.24002.1.4 /norestart

However, using a repair disc worked 100% of the time even on the computers that that had problems when using the builtin repair tools

1 user thanked author for this post.

MrBrian

Reply | Quote

Just to make sure… I have KB 4056892 installed, and haven’t experienced any issues. No slowdown or bluescreens, using Windows Defender as my AV. Should I just leave well enough alone?

Reply | Quote

I would check to see if you have any other updates offered – like Office, IE11 Flash Player, .NET. But you can wait till DEFCON 3 or above to install them.

Reply | Quote

I’m running a PC with Windows 8.1 &AMD and I received the KB4056895 Rollup update along with 4 other updates today for patch Tuesday. Didn’t Microsoft say they stopped  the release of the KB4056895 rollup update for AMD users yesterday.  I hid the update but I’m disappointed I received it.

Reply | Quote

Not all AMD cpus are affected/excluded

what’s your processor family?

Reply | Quote

I have the AMD A10-7300 with Radeon™ R6 Graphics

EDIT This reply did not reference @abbodi86’s response, but this seems to be where it fits (this may be incorrect though)

Reply | Quote

Hey, if you can’t turn your computer on, it can’t be hacked! #featurenotabug

LABS - a family friendly webcomic about scientists, robots and Wisconsin

1 user thanked author for this post.

Elly

Reply | Quote

Intel PCs damaged by KB4056892.  Damage severe if some legacy apps are executed.  Lists of installed updates vary per how the lists are accessed.  Some installs continue to be reported after removal.   Damage includes “Settings” won’t run.  Whatever to do about this?  Only known fix is to do a clean install of Windows.
This type of damage seems not well known/publicized.
I have to know if others have the same experience?
Or are we the only ones in the world with this problem?

Next: hiding updates only works for updates that are already on the way.  One can hide KB4056892 but what about protecting from what comes next?   Turn off Windows Update service seems extreme.  But the damage MUST be prevented as impacts are great.
Any comments?  Ideas?

Reply | Quote

I’ve been asked if any of the computers had AMD video cards.  I don’t know for sure.  There are so many that it’s possible I suppose – depending on the intended meaning of the question. BUT, all of the computers are (mostly Dell) minitowers that are very likely running on-board video and wouldn’t have been purchased with any add-on video “card”.

Reply | Quote

The reason you were asked about the AMD video cards is because the Jan updates have been causing problems with some AMD video as well as AMD processors. Microsoft has blocked certain AMD devices from receiving updates because of BSODs.

Reply | Quote

Hello.  I am here to report that the two patches KB4056568 and KB4056897 when installed in VirtualBox 5.1.30 or 5.2.4 with a Windows 7 x64 guest OS will cause the guest OS to hang at restart. 8-(

https://forums.virtualbox.org/viewtopic.php?f=2&t=86244

 

1 user thanked author for this post.

MrBrian

Reply | Quote