|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
Newsletter Archives
-
Patch Lady – light reading for the evening
For those of you that like to dig a bit deeper into the details of patching, I highly recommend the Zero Day blog. For those who remember the detailed Microsoft MSRC blogs from years ago, the author is one that USED to write those detailed Microsoft blogs: Dustin Childs. Now he works for the Zero day Initiative and writes these fantastic blogs that go a long way to help me understand the risks of *not* patching.The other day I said that when the point in time occurs that I’m more scared of *not* patching than I am of patching, that’s the point in time I need to patch.
So right now, we are day four of the updating process. I’ve installed updates on a few of my home pcs, I will be rolling an update on a sample (in my office that means ONE) production machine to see if I spot any issues. I’m watching the forums for side effects. I’m waiting for Microsoft to fix any metadata detection issues (they already expired KB4284880 as there was a duplicate up there), and I’m basically not approving anything at this time until my testing process is done.
But what I am doing is reading and understanding what this month’s updates include. Here’s my light reading I’m doing tonight:
https://www.zerodayinitiative.com/blog/2018/6/12/the-june-2018-security-update-review
The blog post spells out the security issues per CVE or Common Vulnerabilities and Exposures, not per patch. So while it doesn’t showcase the updates as you can I see them on your computer, (as we see them in one glob per operating system) it does give a way better deep dirty explanation of the overall risks related to not updating so you and I can get a feel for how long we should wait before we update.
It also helps me to determine what I currently have in place for mitigations or protections that will also give me time to not patch.
Flash zero day – “primarily targeting the Middle East region and is wrapped in an Office document”. Okay so I’m not located in the Middle East and I not only warn users about opening attachments, we have email attachment filtering.
DNS server bug – “The more likely scenario is simply tricking a target DNS server into querying an evil server that sends the corrupted response”. In small firms or home users, the way I see this probably used is getting your system to reach out to a malicious DNS server bypassing your DNS entries (or your ISPs). For servers in large firms that handle handling out DNS inside of a firm, because you can’t always control what your servers connect to, this is one you’ll probably want to patch sooner versus later.
Http.sys bug – bug in a web service, “A remote attacker could cause code execution by sending a malformed packet to a target server”. If I’ve got a web server out there, I’ll be testing this and rolling it out sooner versus later. But we don’t (well, we shouldn’t) run web servers on workstations so this will be lower risk there.
Cortana bug – “someone close enough to speak to a Cortana-enabled system could execute programs with elevated privileges” Doesn’t impact Windows 7, and like the Alexa bugs, you have to be local to the machine to do your evil deeds. Bottom line anything these days that you yell “Hey….” to is being targeted these days because it’s sexy to go after the voice recognition stuff.
The other thing of interest to me that ran across my radar was YASMB (yet another Spectre Meltdown bug). This time the v4 bug is NOT enabled by default. Based on my read it’s due to two things:
Thing one, it’s another Spectre Meltdown with a performance hit. As per this blog post “If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks.”. Thing two there are no active attacks and it reads to me that it’s going to be hard to exploit. Not to say it’s impossible to exploit, but there are lots of other low hanging fruit that they can use to get me.
There’s a nice recap on the bottom of the portal page that describes which patches are and are not enabled by default in the Spectre/Meltdown patches:
-
- After installing Windows updates, refer to the following table for further action to be protected from Spectre/Meltdown vulnerabilities:
Operating System CVE-2017-5715 CV-2017-5754 CVE-2018-3639 Windows 10 Enabled by default Enabled by default Disabled by default – see ADV180012 Windows Server 2016 Disabled by default – see KB4072698 Disabled by default – see KB4072698 Disabled by default – see ADV180012 Windows 8.1 Enabled by default Enabled by default Not available – see ADV180012 Windows Server 2012 R2 Disabled by default – see KB4072698 Disabled by default – see KB4072698 Not available – see ADV180012 Windows RT 8.1 Enabled by default Enabled by default Not available – see ADV180012 Windows 7 Enabled by default Enabled by default Disabled by default – see ADV180012 Windows Server 2008 R2 Disabled by default – see KB4072698 Disabled by default – see KB4072698 Disabled by default – see ADV180012 Windows Server 2008 Disabled by default – see KB4072698 Disabled by default – see KB4072698 Not available – see ADV180012 I’m still not convinced that on desktops this is as big of an issue we are making it, I still think this is a bigger risk on cloud servers or hosted servers where you may not monitor the access as much as you do on a desktop in front of you.
Just hot off the presses tonight we have another Intel vulnerability that will make our heads hurt trying to figure out the patches on. Called Lazy FP State restore vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180016
Intel Releases Security Advisory on Lazy FP State Restore Vulnerability
06/13/2018 06:47 PM EDTOriginal release date: June 13, 2018
Intel has released recommendations to address a vulnerability—dubbed Lazy FP state restore—affecting Intel Core-based microprocessors. An attacker could exploit this vulnerability to obtain access to sensitive information.
NCCIC encourages users and administrators to review Intel’s Security Advisory INTEL-SA-00145, apply the necessary mitigations, and refer to software vendors for appropriate patches, when available.
At this time Microsoft is still determining updates to be released. If you have VM’s in Azure they are not affected by this vulnerability.
All of this just showcases that you can’t just update your operating system these days, you HAVE to update your bios and hardware drivers.
Here’s another example of hardware patches — Surface 3 has a standalone TPM update tool in order to fix that vulnerability. It can’t come down via Windows update, it has to be done manually.
Lots of fun.
-
-
A note about the “new” Spectre NG revelations
Several of you have pinged me about the Spectre NG (variously, Specter V4, Spectre V4, Specter-NG, and enough alternatives to make Google search interesting) posts by Microsoft and Intel earlier this week.
We talked about those bad boys on May 3, when Günter Born posted his first exploration of the problems and their fleeting solutions. Born has since updated his exploration with a further discussion of the mysteries surrounding Microsoft’s patches — which are horribly documented, as usual.
Microsoft has posted two Security Advisories, ADV180012 (for CVE-2018-3639) and ADV180013 (for CVE-2018-3640) that deal with related problems. The first Advisory says that Microsoft doesn’t have any idea which versions of Windows (or Azure) are affected. The second Advisory says that Surface machines are affected, but there’s no fix right now.
Intel has a good overview of the “side-channel analysis” problems, which says that Intel anticipated the problem, increased its bug bounty, and:
We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.
Which should send a chill down the spine of anyone who’s had to deal with the earlier Meltdown, Spectre V1, V2, and V3 fire drills.
@Kirsty has been following the latest developments in our Code Red forum. She points to excellent articles by Catalin Cimpanu, Steven Vaughan-Nichols and Martin Brinkmann.
Big open question: How much more performance will the new mitigations consume?
Noel Carboni has a key observation:
It strikes me again and again that “Spectre” and “Meltdown” are first and foremost tools to manipulate the masses, used by those trying to make money in “security”.
Nailed it.
I’m not saying that Microsoft, Intel, AMD, Qualcomm and others had a hand in bringing down the Meltdown/Spectre curtain. I am saying they stand to make a whole lotta money out of it, and added publicity doesn’t hurt one whit.
Oh. And it should go without saying that we haven’t yet seen one, single, solitary Meltdown or Spectre exploit in general use.
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
Expand the taskbar?
by 37 minutes ago
-
Gregory Forrest “Woody” Leonhard (1951-2025)
by 31 minutes ago
-
March 2025 updates are out
by 8 hours, 56 minutes ago
-
Windows 11 Insider Preview build 26120.3380 released to DEV and BETA
by 16 hours, 59 minutes ago
-
Update Firefox to prevent add-ons issues from root certificate expiration
by 1 day ago
-
Latest Firefox requires Password on start up
by 18 hours, 42 minutes ago
-
Resolved : AutoCAD 2022 might not open after updating to 24H2
by 1 day, 12 hours ago
-
Missing api-ms-win-core-libraryloader-11-2-1.dll
by 11 hours, 44 minutes ago
-
How Much Daylight have YOU Saved?
by 14 hours, 41 minutes ago
-
A brief history of Windows Settings
by 8 hours, 20 minutes ago
-
Thunderbolt is not just for monitors
by 6 hours, 56 minutes ago
-
Password Generators — Your first line of defense
by 12 hours, 23 minutes ago
-
AskWoody at the computer museum
by 7 hours, 59 minutes ago
-
Planning for the unexpected
by 13 hours, 23 minutes ago
-
Which printer type is the better one to buy?
by 1 day, 14 hours ago
-
Upgrading the web server
by 1 day, 13 hours ago
-
New Windows 11 24H2 Setup – Initial Win Update prevention settings?
by 2 days, 8 hours ago
-
Creating a Google account
by 2 days, 6 hours ago
-
Undocumented “backdoor” found in Bluetooth chip used by a billion devices
by 2 days, 13 hours ago
-
Microsoft Considering AI Models to Replace OpenAI’s in Copilot
by 3 days ago
-
AI *emergent misalignment*
by 3 days, 1 hour ago
-
Windows 11 Disk Encryption/ Bitlocker/ Recovery Key
by 1 day, 9 hours ago
-
Trouble signing out and restarting
by 8 hours, 47 minutes ago
-
Windows 7 MSE Manual Updating
by 5 hours, 34 minutes ago
-
Problem running LMC 22 flash drive
by 2 days, 8 hours ago
-
Outlook Email Problem
by 2 days, 8 hours ago
-
“Microsoft 365 Office All-in-One For Dummies, 3rd Edition FREE
by 2 days, 16 hours ago
-
Cant use Office 2013 – Getting error message about Office 2013
by 3 days, 9 hours ago
-
Nearly 1 million Windows devices targeted in advanced “malvertising” spree
by 3 days, 9 hours ago
-
Windows 11 Insider Preview build 27808 released to Canary
by 4 days, 10 hours ago
