Newsletter Archives
-
Microsoft offers more Spectre v2 microcode updates, KB 4090007, KB 4091663, KB 4091664
Yesterday, I posted a note about two new Spectre v2 patches, KB 4078407 and KB 4091666.
The first is a Win10-only fix that has to be combined with a microcode change from your hardware manufacturer in order to accomplish anything. As @abbodi86 notes:
KB4078407 is not a patch, it’s just an executable that enables the Spectre mitigation protection by changing two registry entries
The second is a microcode-only, Intel-only, Win10 1507-only patch that changes the microcode for a large number of Intel processors.
This morning, Günter Born notes on Borncity that there are now four of these microcode patches:
- KB4090007 for Win10 1709/"Server 2016 version 1709"
- KB4091663 for Win10 1703
- KB4091664 for Win10 1607/Server 2016
These are in addition to the one I described yesterday, KB4091666 for Win10 1507.
None of them are available through Windows Update. You have to manually dig into the Update Catalog to get them.
As noted (voluminously) there are no known exploits as yet for Meltdown, Spectre v1 or Spectre v2. You might want to tuck these away in case we ever see a reason to use them.
-
Are Windows customers getting Meltdown/Spectre bullied into buying new computers?
Just got this from @dportenlanger:
I think Windows users are getting snubbed. I have an old Clarksfield processor that Intel will not be updating via the BIOS. However, the Linux microcode 20180312 exists for my processor…. the Intel® Core™ i7-920XM Processor Extreme Edition (8M Cache, 2.00 GHz) at this link:
https://downloadcenter.intel.com/download/27591/?product=43126
So what fixes are in the 20180312 Linux Microcode? Here is a clue:
https://www.phoronix.com/scan.php?page=news_item&px=Intel-Microcode-20180312
I believe this is why Linux users are secure and Windows users are getting bullied (sorry, I hate that word, how about “marketed”) into new computers.
I know this is a site for Windows Updates and news. I think this is Windows news if my conclusions are right and someone needs to call out Intel and Microsoft.
Is that a strange conspiracy theory — or is there an element of truth to it?
-
So, where’s the 32-bit Windows 7 Meltdown patch?
Just got this from LB:
Hey Woody,
What do you think about doing a story on the missing Windows 7 32-bit Meltdown fix? Or maybe mentioning it in next week’s update writeup (unless it finally hits.)
It seems very odd that it’s taken Microsoft so long to issue a fix when the problem, and the solution (KPTI), are clear cut (as opposed to the much tougher Spectre problems.) 32-bit Win7 should still be getting security fixes until Jan 2020, last I knew.
Anyway, just a thought. Thanks for all the work you do to keep us informed!
take care,
Anybody out there have some insight? Microsoft was slow to get the 32-bit Meltdown patches to Win10. Surely they wouldn’t just give up on Win7, would they?
Er, would they?
-
Intel releases more Meltdown/Spectre firmware fixes, while Microsoft unveils a new Surface Pro 3 firmware fix that doesn’t exist
You’d have to be incredibly trusting — of both Microsoft and Intel — to manually install any Surface firmware patch at this point. Particularly when you realize that not one single Meltdown or Spectre-related exploit is in the wild. Not one.
Computerworld Woody on Windows.
-
Intel says its new Spectre-busting Skylake firmware patch is ready
Oh boy. I love the smell of fresh bricked PCs in the morning.
Yesterday, Intel said it has released new firmware that — this time, really, for sure, honest — plugs the Meltdown/Spectre security hole. Says honcho Navin Shenoy:
Earlier this week, we released production microcode updates for several Skylake-based platforms to our OEM customers and industry partners, and we expect to do the same for more platforms in the coming days.
What he’s actually saying is something like, “Hey, we spent six months coming up with new firmware to fix Spectre, released it, and bricked a bunch of machines. We went back to the drawing board and, two weeks later, came up with new firmware that won’t brick your machines. Have at it.”
According to the freshly updated Microcode Revision Guidance, Intel has released updates for Skylake U-, Y-, U23e-, H-, and S- chips.
Shenoy goes on to say:
Ultimately, these updates will be made available in most cases through OEM firmware updates. I can’t emphasize enough how critical it is for everyone to always keep their systems up-to-date. Research tells us there is frequently a substantial lag between when people receive updates and when they actually implement them. In today’s environment, that must change.
To which I say:
Fool me once, shame on me. Fool me twice… well, you know.
Folks, you’d have to be absolutely batbox crazy to install these new BIOS/UEFI patches as they’re being rolled out. Give them time to break other people’s machines — or to prove their worth in open combat. I’m sure the folks who made the new firmware are quite competent and tested the living daylights out of everything. But they did that the last time, too.
Again, I repeat, for emphasis, there is exactly NO known Meltdown or Spectre-based malware out in the wild.
-
Update: No, Virginia, there are no Meltdown/Spectre exploits in the wild
A reassuring tweet from Kevin Beaumont.
As I understood it, malware has been found*, presumably in the wild, that includes the Meltdown PoC. But that still doesn't mean that they actually exploited the vulnerability in the wild.
* this is the real source: https://t.co/sjns6JUmnV
— Martijn Grooten (@martijn_grooten@mastodon.social) (@martijn_grooten) February 1, 2018
The AV-Test red line graph shows that, yes, there are more and more samples being submitted to AV-Test — but, according to people who know these things, none of them are in the wild. They’re “Proof of Concept” test samples.
UPDATE: And AV-Test responds:
That's correct, we've tried to avoid using the term "malware", because the majority of the samples appear to be PoC, even if most anti-malware products added detection of these samples during the last few days. @martijn_grooten @EscInSecurity https://t.co/eNPf34Numb
— AV-TEST GmbH (@avtestorg) February 2, 2018
-
Putting Meltdown/Spectre in perspective
Just saw a set of tweets from Kevin Beaumont, a.k.a. @GossiTheDog:
https://twitter.com/GossiTheDog/status/956890618361413632
https://twitter.com/GossiTheDog/status/956891845304385542
That’s so, so true.
A little translation, if I may: The Meltdown/Spectre problem was revealed by Google’s Project Zero and a group of Ph.D.s at the University of Graz. Burger King has a great explainer on Net Neutrality:
How would you explain the repeal of Net Neutrality? We did it with the Whopper. Watch the video below: pic.twitter.com/9EWjtbenv8
— Burger King (@BurgerKing) January 24, 2018
Did I ever mention that Beaumont’s one of my favorite white hats?
-
Did you install the latest Meltdown/Spectre BIOS/UEFI firmware update? Joke’s on you
What an unbelievable mess.
At least Dell, HP and Lenovo are withdrawing all of their firmware updates. But if you heeded their call — and ignored my warning — you’re now approximately 10 meters into deep doodoo.
Computerworld Woody on Windows