Microsoft patches Windows to cool off Intel's Meltdown – wait, antivirus? Slow your roll

Microsoft has released updates for Windows to block attempts by hackers and malware to exploit the Meltdown vulnerability in Intel x86-64 processors – but you will want to check your antivirus software before applying the fixes. The Redmond giant issued the out-of-band update late yesterday for Windows 10 version 1709. While …

Silver badge

McAfee?

My employer uses McAfee, so I assume we must already be patched and ready to go. I feel so secure.


32
1
Silver badge
Joke

Re: McAfee?

I'm still using the free copy of Kaspersky Barclays let me have. So I'm safe from everyone except the Russian government.

32
0
Silver badge
Joke

Re: McAfee?

Is that the Windows 95 copy you have running on your Vista system then?

14
0
Thumb Up

Re: McAfee?

You're fine with McAfee - it slugs the CPU so much that the branch predictor gives up and goes home.

73
0
Silver badge
Joke

Re: McAfee?

McAfee runs on the CPU?! At the speed I've seen, I thought it was dialling out on the HDD activity LED waiting for stray cosmic rays to flip its bits over to the next step in the code...

29
0
Silver badge

Re: McAfee?

I've just looked in Task Manager; I have 15 processes running with a McAfee badge.

including a "Canary Process"

Also I have 1 Chrome window with 5 tabs. This means 9 chrome processes want to run!

7
0

Re: McAfee?

LOL, at least you'll be safe from the US government and its 17 security agencies, who it must be said SHOULD HAVE SPOTTED THIS BUG.

So we have to conclude that either

1. They did spot it but kept quiet and abused it to spy on people

or

2. They are incompetent and useless.

Neither of which is very confidence inspiring and none have anything to do with Russia...

18
0
Anonymous Coward

I've got an idea!

Why don't they just make it not crash, without requiring a registry value being set?

15
10
Silver badge

or, just automatically set the reg value before it runs the update?

4
8

The point of the brand new reg value

Is that only shiny new anti-virus software with updated shitty dependencies on Windows internal gubbins knows to set it. The absence of the value suggests that old anti-virus is present, which will probably kick the patched Windows in the 'nads.

16
0
Silver badge

Re: The point of the brand new reg value

Yeah, but Win Security Centre knows what AV is installed for most major brands, hell, TeamViewer knows it. Wouldn't be beyond the realms of mankind to check that automatically, would it?

0
1
Silver badge

Re: The point of the brand new reg value

Is that only shiny new anti-virus software with updated shitty dependencies on Windows internal gubbins knows to set it.

It must be really shiny and new AV software, as a machine currently running MBAM 30-day trial doesn't have this key...

So just because you are running a current subscription AV doesn't mean this KB will be installed, you need to check that the key exists and then do the install.

The absence of the value suggests that old anti-virus is present, which will probably kick the patched Windows in the 'nads.

It also suggests that no AV is present.

2
0
Silver badge

Re: The point of the brand new reg value

Yeah, but Win Security Centre knows what AV is installed for most major brands, hell, TeamViewer knows it. Wouldn't be beyond the realms of mankind to check that automatically, would it?

Well, it would make sense on consumer systems for Win Security Centre to set the key; however, I suspect there are valid installs where Win Security Centre isn't running or cannot reliably determine the AV software installed, hence MS have left it to the AV vendor to set.

Because of the circumstances under which it blue screens, it is worth manually setting this and seeing if your 'old' AV causes a blue screen or not, as you can always delete the key via safe mode.

3
0
Silver badge

Re: The point of the brand new reg value

I don't think I'm going to enable this on anything. Trend reckon they have, in development, not released yet, an auto patch that can be installed via Trend WFBS itself, but it's not ready yet. I really don't fancy doing this on 746 machines manually... I hope to Christ that they do it right... otherwise my phone will melt.

If you use Trend WFBS, see the below

trend response

0
0
Silver badge
WTF?

Huge Baby Huge

The update is one mighty package it is slowly ticking by one percent at a time.

2
1

Re: Huge Baby Huge

Yes, it appears to be a rewrite of most of the core pieces of the Windows directory - I took a look around C:\Windows\SoftwareDistribution\Download once it downloaded, and have decided I'm willing to wait a few days to hear what other problems this behemoth causes.

Contrary to what Intel is bleating about it, it looks to be all Windows components being patched. And an enormous and rather terrifying number of them, all patched at once.

I don't see anything that looks like a microcode update from Intel to address the root cause.

10
3
Gold badge

Re: Huge Baby Huge

So that's pretty much an "out-of-band new version of Windows" coming down the wire, eh?

Well that's the internet fucked for a few days, then. Are the Linux patches similar?

3
0
Silver badge
Devil

Re: Huge Baby Huge

"Yes, it appears to be a rewrite of most of the core pieces of the Windows directory "

For real this time?

Not just "rewritten from the ground up" like all the New Versions?

Blimey!

3
3
Silver badge

Re: Huge Baby Huge

>> "I dont' see anything that looks like a microcode update from Intel to address the root cause."

That's because Meltdown is beyond the scope of a microcode fix.

As a result, the "fix" doesn't actually fix your CPU at all - it re-writes core parts of your OS so that the CPU flaw can no longer expose parts of kernel memory. That's why this fix involves lots of patched Windows files. Think of it more as a workaround than a resolution :)

24
0
Gold badge

Re: Huge Baby Huge

"Contrary to what Intel is bleating about it, it looks to be all Windows components being patched. And an enormous and rather terrifying number of them, all patched at once."

To be fair, *only* Intel are trying to pretend that this is a minor issue. Everyone else is talking about how unfixable Spectre is and how it can only be mitigated with counter-measures compiled into all software running on the system. Presumably, then, MS have simply run all of Windows through a version of the compiler that applies the mitigations. They've had 6 months to test such a compiler and they have a reproducible build system for all of Windows, so this isn't any more scary than a hobbyist rebuilding their own Linux system, which any competent software developer will tell you is not *very* scary.

11
0
Gold badge

Re: Huge Baby Huge

"Are the Linux patches similar?"

To answer my own question, the only linux patch available for my Debian Stretch boxes right now is one for linux-image-amd64, so that's a big fat no. If there *are* plans to recompile all of user-space with Spectre mitigations, they aren't being put into effect yet.

5
1

Re: Huge Baby Huge

why would they recompile all of user space to make the kernel use a separate virtual address space?

2
1
Silver badge

Re: Huge Baby Huge

Weird, apparently, since it should only need a "kernel" patch, like on Linux, a few lines of code, done ... on Windows, they have to patch half the bloody binaries? Ahhh, of course, that is because that half lives in kernel space, to speed up the monster ...

4
9

Re: Huge Baby Huge

Huge - just like all Win10 patches then :D

All with a rushed fix done with overtime by sleepy engineers.

What could go wrong?

I suspect all programs that ask for a password now explicitly blank the password string as soon as it's been used, to stop it hanging around in memory - so more changes than just the kernel.

2
2
LDS
Silver badge

"Think of it more as a workaround than a resolution"

Actually, even mapping kernel memory into a process address space - albeit protected by some access control bits - is a performance workaround to avoid the performance hit due to switching address spaces.

From a security point of view, fully isolating the kernel memory from user processes is a much sounder design - not a workaround. The issue is CPUs are not designed to switch them quickly, and anyway performing the required checks takes time.

0
0
Anonymous Coward

"is one for linux-image-amd64, so that's a big fat no."

Which tells me you don't know what it is - it's a metapackage that will download the updated kernel through its dependencies. That package may be just a few kilobytes, but it could trigger the download of some hundred megabytes.

0
0
Silver badge

Re: Huge Baby Huge

" Are the Linux patches similar?"

The OpenSUSE one was ~52MB download for kernel & just had a 2.6MB Intel u-code update. Don't know if there will be more.

3
0
LDS
Silver badge
Devil

"that is because that half lives in kernel space, to speed up the monster ..."

You should thank that decision now: fewer user/kernel switches and back, so fewer performance issues...

0
0

Re: Huge Baby Huge

If it is the Win 10 update, I checked, it's in excess of 900MB........ once upon a day that was about 3 O/S installs :-(

900MB for an update............ wtf?

1
1
Silver badge

Re: "Think of it more as a workaround than a resolution" @LDS

It's a long time since I've had to read an Intel CPU data sheet.

Was (prior to this) mapping kernel code into every application's virtual memory space their recommended way of calling kernel functions from an application for better performance, or did they advocate a proper separation and context switch?

2
0
LDS
Silver badge

Re: "Think of it more as a workaround than a resolution" @LDS

I don't really know if that was something suggested by Intel, or something devised by kernel developers to avoid bottlenecks. I think more about the latter, but I could be wrong.

Some information about the use of the features that led to these issues, and some of their possible solutions, is in "Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 3A: System Programming Guide, Part 1".

Intel has always suggested different models, but the more secure one implied the use of segments and specific "gates" to call across rings, which is very "heavy" and no one used - and in 64-bit mode AMD thought it was fine to get rid of segments. IMHO, one day they will find it's the right way to write a secure OS.

Anyway, today you'd need to read some long manuals, i.e. "Intel® 64 and IA-32 Architectures Optimization Reference Manual" (788 pages) or "Intel® 64 and IA-32 Architectures Software Developer Manual: Vol 3" (1998 pages), to have a good knowledge of all the available features and recommended use.

3
0

Re: Huge Baby Huge

In comparison to Windows, I would not expect Linux kernel patches to be huge, even if some critical system utilities require patching; systemd on the other hand . . .

2
0
Silver badge

Re: Huge Baby Huge

Here is a list of files: http://download.microsoft.com/download/D/A/0/DA052502-1178-41A0-83CF-7120155B2009/4056892.csv

Yes, it includes the Cortana "listen" UI ... what that has to do with Meltdown is a mystery!

0
0
Silver badge

too many beers already possibly, but...

"Also, people installing the Windows Server patches should ensure they are enabled, too. They are disabled by default due to the potential performance hit involved. "

"they" are enabled? what are enabled? wtf are you talking about?

Do you mean the mitigations talked about in the link on "they are enabled"? In which case, word it as "you should enable these mitigations here" or similar?

3
0
Anonymous Coward

not "what", but "who", i.e. the people installing the Windows Server patches, silly. Although I'd personally use the word "capable". Or "certified" ;)

7
0
Silver badge

That actually makes sense. I think I'm going to bed before I become fully enabled...

10
0
Silver badge
Coat

Aha!

"Also, people installing the Windows Server patches should ensure they are enabled, too. They are disabled by default due to the potential performance hit involved. "

Discrimination!

7
1
Bronze badge

Mozilla also issued a patch

There is a new Firefox (57.0.4) which makes some timings more random to allegedly make it more difficult to exploit the two bugs.

I wonder how much slower Firefox becomes to protect itself from other processes I run on my personal computer. In theory the OS could eavesdrop on Firefox, but it could also be done in many other ways.

5
0
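To make the Firefox 57.0.4 change above concrete, here is an added example that is not Mozilla's code: it simulates a browser clock whose readings are rounded down to a fixed grid and then offset by a small random amount, and shows why two events that are only a few microseconds apart stop being distinguishable through such a clock. The 20 µs grid, the `coarsen`, `coarsenWithJitter` and `survivalRate` names, and the tiny LCG used for reproducible randomness are all assumptions of this example; the page itself says only that the update "makes some timings more random".

```javascript
// Added example (not Mozilla's implementation): a coarse, jittered timer.
// Assumption: a 20 microsecond grid; the page only says timings became "more random".
const ASSUMED_RESOLUTION_US = 20;

// Round a microsecond timestamp down to the nearest multiple of `resolutionUs`.
function coarsen(tUs, resolutionUs) {
  return Math.floor(tUs / resolutionUs) * resolutionUs;
}

// Small deterministic LCG (constructed for reproducibility; not a browser RNG).
function makeLcg(seed) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state / 4294967296; // uniform in [0, 1)
  };
}

// Coarsen, then add a random offset of less than one grid step, so a caller
// cannot locate the grid edges by sampling the clock repeatedly.
function coarsenWithJitter(tUs, resolutionUs, rng) {
  return coarsen(tUs, resolutionUs) + Math.floor(rng() * resolutionUs);
}

// Without jitter: do two events land in different grid cells?
function distinguishable(t1Us, t2Us, resolutionUs) {
  return coarsen(t1Us, resolutionUs) !== coarsen(t2Us, resolutionUs);
}

// With jitter: over `trials` random start times, how often does a gap of
// `deltaUs` still show up as "second reading later than the first"?
function survivalRate(deltaUs, resolutionUs, trials, seed) {
  const rng = makeLcg(seed);
  let survived = 0;
  for (let i = 0; i < trials; i++) {
    const start = Math.floor(rng() * 1e6);          // constructed start time in µs
    const a = coarsenWithJitter(start, resolutionUs, rng);
    const b = coarsenWithJitter(start + deltaUs, resolutionUs, rng);
    if (b > a) survived++;
  }
  return survived / trials;
}

// Demo: a 5 µs gap (cache-hit vs cache-miss scale) against a 200 µs gap.
console.log("5 us gap, no jitter, distinguishable:",
  distinguishable(100001, 100006, ASSUMED_RESOLUTION_US));
console.log("5 us gap survives with jitter:",
  survivalRate(5, ASSUMED_RESOLUTION_US, 1000, 42));
console.log("200 us gap survives with jitter:",
  survivalRate(200, ASSUMED_RESOLUTION_US, 1000, 42));
```

The two knobs pull in opposite directions: a coarser grid hides more, but every web API that reports time (animation frames, media playback, network timing) gets less precise with it, which is the performance trade-off the comment above worries about.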
Silver badge

Re: Mozilla also issued a patch

can you imagine how much (more) ram chrome will eat if google do the same thing?

9
1
Silver badge

Re: Mozilla also issued a patch

Edge also has done this, for the few that use it.

4
1
Silver badge

Re: Mozilla also issued a patch

can you imagine how much (more) ram chrome will eat if google do the same thing?

None more on my system. It has gobbled it all already

4
0
Silver badge

Re: Mozilla also issued a patch

so the solution is simple....buy more ram!! ;)

2
0

Doesn't matter

Unless your computer also has a firmware update you're not protected. And good luck getting that firmware update, unless you bought your PC from Dell in the last 6 months.

0
21

Re: Doesn't matter

Eh? CPU microcode updates can be done by the BIOS or the OS.

7
0

Re: Doesn't matter

From what I recall there is no way to fix this problem through CPU microcode updates, so a lack of available BIOS updates is irrelevant.

21
0

Re: Doesn't matter

There's a microcode component to the spectre mitigations. See https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf

1
0
Silver badge

Just a heads up... I think this update has screwed Trend WFBS. I've had 3 Win 10 machines do odd things today on fresh installs - firewall won't enable on Trend, refuses to start even from directly telling the service to start, and the enable firewall button is greyed out on the client. In services, a dependency for the firewall service is missing, Trend Micro WFP callout driver, but I can't find this referenced with a fix anywhere.

I've been scratching my head on this one. I've only got 1 machine left in the lab with this issue, but it has the update applied. I'll take it off and see what happens

2
0
Silver badge

FYI, didn't make any difference. A coincidence. A fucker of a coincidence, but one nonetheless. Move along....

2
0
Anonymous Coward

My strategy

I'm going to hold my breath...

4
0
