Free Republic

Microsoft patches patch for Meltdown bug patch: Windows 7, Server 2008 rushed an emergency fix
The Register ^ | Mar 29, 2018 | Shaun Nichols

Posted on 03/30/2018 7:37:48 AM PDT by dayglored

If at first you don't succeed, you're Redmond

Microsoft today issued an emergency security update to correct a security update it issued earlier this month to correct a security update it issued in January and February.

In January and February, Redmond emitted fixes for Windows 7 and Server 2008 R2 machines to counter the Meltdown chip-level vulnerability in modern Intel x64 processors. Unfortunately, those patches blew a gaping hole in the operating systems: normal applications and logged-in users could now access and modify any part of physical RAM, and gain complete control over a box, with the updates installed.

Rather than stop programs and non-administrators from exploiting Meltdown to extract passwords and other secrets from protected kernel memory, the fixes on Windows 7 and Server 2008 R2 instead granted full read-write privileges to system RAM.

Roll on March, and Microsoft pushed out fixes on Patch Tuesday to correct those January and February updates to close the security vulnerability it accidentally opened.

Except that March update didn't fully seal the deal: the bug remained in the kernel, and was exploitable by malicious software and users.

Total Meltdown

Now, if you're using Windows 7 or Server 2008 R2 and have applied Microsoft's Meltdown patches, you'll want to grab and install today's out-of-band update for CVE-2018-1038.

Swedish researcher Ulf Frisk discovered the January and February Meltdown mitigations for Win7 and Server 2008 R2 were broken, and went public with his findings once the March Patch Tuesday had kicked off. As it turns out, this month's updates did not fully fix things, and Microsoft has had to scramble to remedy what was now a zero-day vulnerability in Windows 7 and Server 2008.

In other words, Microsoft has just had to put out a patch for a patch for a patch. Hardly inspiring stuff, but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest. On the other hand, writing kernel-level memory management code is an absolute bastard at times, so you have to afford the devs some sympathy.

BTW some of us have written kernel-mode code that manipulates MMU page tables, and it's an absolute fiddly PITA. So gg Microsoft. You got there in the end. https://t.co/bxDbbALhqE — The Register (@TheRegister) March 29, 2018

Frisk told El Reg he only learned the OS-level bug was still present yesterday. When he went live with the flaw on his blog earlier this week, it was with the blessing of Microsoft's security group on the belief the March update had addressed everything.

Needless to say, if you own or administer either a Windows 7 or Server 2008 R2 system, you will want to test and deploy this fix as soon as possible. ®


TOPICS: Business/Economy; Computers/Internet; Hobbies
KEYWORDS: computers; computing; malware; meltdown; microsoft; patch; windows; windowspinglist
Patch, patch, patch....
1 posted on 03/30/2018 7:37:48 AM PDT by dayglored

To: Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; amigatec; AppyPappy; arnoldc1; ATOMIC_PUNK; ...
Meltdown patch patch patch ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

2 posted on 03/30/2018 7:38:19 AM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

Patches, I’m depending on you, son!....................


3 posted on 03/30/2018 7:38:25 AM PDT by Red Badger (The people who call Trump a tyrant are the same people who want the president to confiscate weapons.)

To: dayglored

Will there be another patch for this patch?


4 posted on 03/30/2018 7:44:54 AM PDT by SeekAndFind

To: dayglored

5 posted on 03/30/2018 7:55:16 AM PDT by Red Badger (The people who call Trump a tyrant are the same people who want the president to confiscate weapons.)

To: dayglored

...and we know THIS one is good — how?


6 posted on 03/30/2018 7:58:03 AM PDT by William of Barsoom (In Omnia, Paratus)

To: dayglored
Microsoft Windows is a patch - of MS-DOS...
7 posted on 03/30/2018 8:03:37 AM PDT by WayneS (An appeaser is one who feeds a crocodile, hoping it will eat him last. - Winston Churchill.)

To: dayglored

That is one of the reasons I avoided Win10 and its forced updates. MS has a history of releasing updates that create more problems than they fix.

With my Win7 desktop, even though I have ‘do not update’ checked, I still periodically get a ‘critical update’. I can tell because my PC goes bonkers and I usually have to run a Restore Point.

A few weeks ago, I bought a Win10 Tablet just to start learning my way around Win10. Win10 seems an inevitability. I find more websites, for example, balking at my old XP/Win7 browsers, etc.

Yesterday, I noticed the Win10 tablet light blinking, so I figured an update was going on. After about an hour, I noticed the screensaver was stalled. After another hour, the screensaver still stalled, I unplugged the tablet and held the on-off switch. After a couple of tries, it finally restarted and went to an ‘update in progress’ screen. A few minutes later, it started up — so I guess my turning it off and on didn’t mess anything up. I am still not familiar enough with Win10 to find out what this new update did, because it flashed a brief message that ‘new features were being installed.’

I still hate Win10. Every time I play around with the Win10 tablet, I find Win10 frustrating. Please please please God let my Win7 desktop and laptop last a few more years.


8 posted on 03/30/2018 8:07:52 AM PDT by TomGuy

To: dayglored

The Win10 in my laptop has gone completely stupid. I get a message that it needs to update, because this version isn’t going to get updates after April, so I run the update, and it fails to load.

It has done this no fewer than 9 times now. I suppose I have to bite the bullet and take it in.

I should never have let Win10 into the machine in the first place...


9 posted on 03/30/2018 8:09:11 AM PDT by Don W (When blacks riot, neighbourhoods and cities burn. When whites riot, nations and continents burn.)

To: TomGuy
Please please please God let my Win7 desktop and laptop last a few more years.

I agree!. . .I know enough to be dangerous about all of this. I think I have automatic updates. . .although I thought they weren't updating anymore on Win7. Should I download the patch in the article?

10 posted on 03/30/2018 8:28:34 AM PDT by Maudeen (Jesus . . . He Gave His Life for You!)

To: Don W

I let mine do the big OS update - in order to do it, I had to update the BIOS - been working great ever since...


11 posted on 03/30/2018 8:44:40 AM PDT by trebb (I stopped picking on the mentally ill hypocrites who pose as conservatives...mostly ;-})

To: TomGuy

“With my Win7 desktop, even though I have ‘do not update’ checked, I still periodically get a ‘critical update’.”

here’s the best way to update W7:

http://www.wsusoffline.net/

right now, i’ve got a custom excludelist.txt file with this in it:

kb4088878,Windows 7 / Server 2008 R2 Service Pack 1

also advise use of this:

https://www.grc.com/inspectre.htm


12 posted on 03/30/2018 9:03:07 AM PDT by catnipman ( Cat Nipman: Vote Republican in 2012 and only be called racist one more time!)

To: TomGuy
> Please please please God let my Win7 desktop and laptop last a few more years.
13 posted on 03/30/2018 9:08:37 AM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

I use Macrium Reflect Free (for home use) for hard drive imaging.

Image backups have saved me several times, when system restore failed.


14 posted on 03/30/2018 9:11:44 AM PDT by TomGuy

To: dayglored

Microsoft is suffering from delusions of competency.


15 posted on 03/30/2018 10:48:35 AM PDT by Dalberg-Acton

To: TomGuy

I use Clonezilla. Text based and free, it requires the user to pay attention, but it works well.


16 posted on 03/30/2018 10:53:50 AM PDT by Dalberg-Acton

To: dayglored
Microsoft today issued an emergency security update to correct a security update it issued earlier this month to correct a security update it issued in January and February.

Microsoft is getting a bad reputation...

17 posted on 03/30/2018 11:14:15 AM PDT by GOPJ ("Morning Joe and his Smiling Sycophants"... for times when only 'creepy' satisfies...)

To: dayglored

Companies are now more concerned with real-time updates than producing solid code that works so customers can use the software. Microsoft, and everyone else, has become not worth the costs.


18 posted on 03/30/2018 11:36:39 AM PDT by CodeToad (The Democrats haven't been this pissed off since the Republicans took their slaves away.)

To: GOPJ
Microsoft is getting a bad reputation...

Getting? HA!

19 posted on 03/30/2018 11:58:57 AM PDT by upchuck (Keep a sharp lookout. The best is yet to come.)

To: WayneS

My last update was 12-1-2017. I see I now need 348mb of updates to Windows 7. This on top of the gigabytes of updates
The C:\Windows folder has 29gb’s of files. The spying software from Microsoft takes up a lot of space.

My Windows 10 install in Oracle VM VirtualBox shows 13gb’s which I have installed for show with only Firefox added since the initial install.


20 posted on 03/30/2018 3:47:13 PM PDT by minnesota_bound

