back to article Microsoft's Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE

Microsoft's January and February security fixes for Intel's Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes. This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple's FileVault disk encryption system. We're told Redmond's …

wsm

Ooops!

Time to blame Intel again?

Yes, yes, I am aware that the need to patch is all because of the famed Chipzilla design flaws, but MS have a way of blaming others for their own design flaws, as in the Surface product introductory conditions.

But when you fail in your own field, software updates, for example, can you really call someone else out?

31
9
Silver badge

Re: Ooops!

If your car has a GPS which has fault and the car manufacturer has to rewire your car I think it is safe to safe to mention that the problems are due to the faulty GPS the manufacturer.

This doesn't completely excuse the car maker from having dodgy wiring but it is understandable.

Personally I wouldn't like to be in Microsofts shoes at the moment having Meltdown looming over my head.

Intel have a lot to answer for...

16
4
Silver badge

Re: Ooops!

It's almost like Microsoft want everybody off Windows 7...

15
0
Silver badge

Re: Ooops!

You could interpret it that way. And I wouldn't disagree...

We couldalso go with the old 64K limit on early MS-DOS/CPM and say that the boys that owned MS at that time were interested in "expanding" their reach.

Also that somewhat contested statement that 640K (1MB minus MS overhead) was enough for everyone. Until MS wanted to get into the corporate suites and run some real software.

Not to talk about taking an essentially single-user OS and jerry-rigging it to try to server multiple users, and sometimes multiple desktops.

Just like the proverbial frog and the slow leakage of democracy - how have we let these inadequate buggers dictate what 90%+ of the world uses on their desktops? Yes, I know that most embedded devices and ALL phones don't run MS software.

7
2
Anonymous Coward

Re: Ooops!

IBM is presumably to blame for the 640k limit; the remainder of the first 1MB (8088's limit) is where stuff like ROM and VRAM were mapped. Now, not designing their software to be able to work around this limitation without various complications (UMA/HMA, EMS, XMS, and the software memory managers to provide interactions with them),... that's on MS and others.

2
0
Silver badge

Should I be worried...

...that I've not received anything other than updates to MS Security Essentials the last few times there's been anything in my update client at all?

I *just* ran it again to be sure & once again it says there's no updates available.

Either I'm so secure that MS can't find anything to patch/fix (unlikely but possible) or MS is off in a corner wanking with both hands, both feet, & a prehensile tail (infinitely more likely).

=-j

21
5

Re: Should I be worried...

Their updates could break windows machines that ran certain kind of anti virus programs. So they made a key in the registry that had to be set before windows update would allow those updates to be applied. If the anti virus vendor had cleared their own software they should send out an update that should set that key. Of course if you do not run any AV you are screwed.

https://www.theregister.co.uk/2018/01/09/meltdown_patch_anti_malware_conflict/

I don't know if your problem is that, but should be able to check if the key is set manually.

10
3

Re: Should I be worried...

You may want to check that you have the registry key set that they advised in January. Without it your system will show compliant, but won't install any updates after December. I believe it's hklm/software/Microsoft/Windows/CurrentVersion/QualityCompat

Happy Patching!

9
1
Anonymous Coward

Re: Should I be worried...

The March cumulative updates have been pulled by Microsoft for Windows 7 and 2008R2 due to the networking bug, although still available if you are using WSUS / SCCM and fancy a gamble. You can still get hold of them direct from the Windows Update Catalog but read the KB articles first as they now say you have to run a script first to ensure you don't lose networking.

I have no idea how a normal user is supposed to update thier Window 7 machine.

3
0
Anonymous Coward

Re: Should I be worried...

Amusingly enough, it looks as if Windows Defender doesn't set that key.

(Posting as AC for a fairly obvious reason.)

2
0
Joke

Re: Should I be worried...

"I have no idea how a normal user is supposed to update thier Window 7 machine."

Last time I checked, a normal user is supposed to "update" their Windows 7 machine by installing Windows 10 on it. At least that's the official word from Microsoft.

2
0
Anonymous Coward

Re: Should I be worried...

"(Posting as AC for a fairly obvious reason.)"

It's very unfortunate what time and age we are transforming backwards. It's like 2015 was a tipping point, before that writing things online was no problem. We have to fear the corrupt corporate stasi, their puppets and bots and naive fanboys these days. So much for free speech. The good thing a few websites like TheReg still offer a comment section and allow anon comments! Most other media removed comment sections, heavily censor comments or put in FB(I) comment section.

1
0
Anonymous Coward

it was a mistake, would we lie to you?

Microsoft ain't done til Windows 7 won't run!

48
3
Silver badge

Re: it was a mistake, would we lie to you?

You think it's a cunning ploy?

I think you severely over-estimate Microsoft's competence.

24
4
Silver badge

Re: it was a mistake, would we lie to you?

I think he underestimated MS's incompetence.

28
3
Silver badge

Windows upd...what, now?

Stop-Service wuauserv

Set-Service wuauserv -StartupType Disabled

Stop-Service bits

Set-Service bits -StartupType Disabled

You know things are bad when you trust malware more than Microsoft.

25
6
Anonymous Coward

Re: Windows upd...what, now?

I turned off windows updates when they announced they were releasing fixes that slowed down your machine by 30% or more.

11
4
Silver badge

Re: Windows upd...what, now?

Oh Homer, you owe me a new keyboard. But since I now owe you a pint, meet me at the pub so I can thank you properly. =-Jp

8
5
Silver badge

Re: You know things are bad when you trust malware more than Microsoft.

Me, I'm dishonest, and you can always trust a dishonest man to be dishonest. Honestly, it's the honest ones you have to watch out for.
Captain Jack Sparrow

8
1

Re: Windows upd...what, now?

For those allergic to PowerShell (you can also 'net stop' instead of 'sc stop', but why?):

sc stop wuauserv

sc config wuauserv start= disabled

sc stop bits

sc config bits start= disabled

(note the space after the =, it matters)

Wrapping it all in a pair of batch scripts (or something fancier to toggle it) is a possibility.

1
0
Anonymous Coward

Why is this allowed?

Why is Microsoft allowed to sell a defective OS and distribute defective so called "security" updates that compromise actual PC security and operation with no liability for the damage these defective products inflict? The user's agreement should in no way allow for such irresponsible behavior and financial damage to consumers and enterprise.

29
13
Anonymous Coward

Re: Why is this allowed?

Well simple, they have money. Lots of it. Money into the right pockets has its advantages ;-)

12
5
Def
Silver badge

Re: Why is this allowed?

For the same reason everyone else is. There's no such thing as bug free software, and there never will be. Probably.

18
4
Silver badge

Re: Why is this allowed?

There is really no lower limit for how crap software can be, only that the more crap it gets the more likely you are to consider a competitor product, no matter what level of technical indebtedness you have to Redmond.

3
2
Silver badge
Coat

Re: Why is this allowed?

@AC

Why is Microsoft allowed to sell a defective OS and distribute defective so called "security" updates?

Because one the Three Letter Club asked nicely? *cough* *NSA* *cough*

Now where's that tinfoil hat icon...

2
6
Silver badge

So are there any attacks via Meltdown in the wild? Makes we wonder why the panic if not. This still doesn't account for MS screw-ups.

12
2
Silver badge
Facepalm

Optional title

Remind me, what services is a personal computer running that make Meltdown/Spectre significant risks?

The update should be optional

10
9
Silver badge

Re: Optional title

Your bank details, your photos being held to ransom, the system being zombied to attack others in a DDOS.....

18
6
Silver badge

Re: Optional title

Your bank details, your photos being held to ransom, the system being zombied to attack others in a DDOS.....

For a single user home PC meltdown is only effectively as dangerous as a keylogger; by the time you have let somebody root your computer to the extent that you can run a meltdown exploit then it's endgame anyway; everything but the bank details would be done with other bits of malware than a meltdown exploit.

Meltdown is most serious for servers and especially cloud services as you have multiple users sharing the CPU, and compromising one user allows you to basically read any users data from the CPU. For a home user, it's not too much more serious than a keylogger as far as I can see.

12
2

Re: Optional title

Please explain how you intent to convert random bytes in memory space into bank account numbers.

3
3
Silver badge

Re: Optional title

Well, if it'd been entered then it might be resident in memory and retreivable through meltdown. Meltdown on it's own certainly wouldn't hold photos to ransom or be part of a zombie network DDOS'ing people.

Hence my point that in a single user enviroment meltdown is only as dangerous as a keylogger for most practical purposes. It becomes more scary at server or cloud level where it can pull out details of other users, but that's not relevant in a single user enviroment.

10
2
Silver badge
Thumb Up

Re: Optional title

Thank you, Peter2 - As you say, Meltdown is a privilege escalation bug, not an entry point.

3
0
Silver badge
FAIL

Huh, I have mixed emotions. I'll count myself as lucky(?) as the January and February patches failed to install. The unlucky part is that the March hack job succeeded. The truly pitiful part is that I actually download and install this crap by hand via the command line on my personal machines. Maybe it's time to stay a month behind to see what shit stirs up, maybe six months.

Dear MS,

Epic -->

15
4
SVV
Silver badge

Prevent data theft, or have working networking. Tough Choice.

To be fair, not having working networking also prevents data theft. But that's only being pedantic in this scenario.

24
2

Rock, meet hard place.

"Unless, of course, yours is one of the systems that also happens to be suffering from a different bug in the patch that is causing networking problems on some servers that run VMware hypervisors (and possibly some Broadcom NICs- we're trying to confirm that,) in which case you now get to choose between security and network access."

Quite the choice: do or don't. Seems that the choice to be damned or not is out of your hands.

7
2
Facepalm

Foot meet hand grenades

It seems Microsoft aren't satisfied merely shooting at their own feet so they decided to take it to the next level.

Of course, MS being a joke is nothing new but this is one enormous screw up, even by their super low standards.

It is also not unheard of for Microsoft to deliberately introduce new show-stopping bugs into operating systems they'd rather people upgraded from. It was the exact same tactic they used when Vista was replacing XP e.g. SP3 broke popular on-board networking and sound on a lot of motherboards unless the drivers were installed prior to the service pack, otherwise the PC fell silent and had no networking no doubt convincing the technically illiterate that the actual hardware was broken and it was time for a new PC (and the latest version of Windows).

What are the odds that the official fix advice will be "upgrade to Windows 10"?

16
5
Silver badge
Facepalm

Re: Foot meet hand grenades

What are the odds that the official fix advice will be "upgrade to Windows 10"?

The March 13 update fixed this already. Didn't you read the article? Icon.

3
3

Re: Foot meet hand grenades

Except the March security patch broke wireless networking on my older Windows 10 laptop with an Atheros card. No event logs, no service problems; it just would';t see any Wi-Fi points at all until I uninstalled it.

It's probably because of that "Designed for Windows Vista" RFID sticker on it, eh?

4
1
Silver badge

Microsoft Comment

Will probably fall along these lines:

"We're sorry that some of our customers using older software were effected by this issue. We recommend you upgrade to Windows 10 to get the best protection."

They will try to push 10 one way or the other.

11
5
Anonymous Coward

Re: Microsoft Comment

That can just wait till Jan. 14, 2020

4
1
Anonymous Coward

No surprises

Break the fundamental security in Windows 7 and hope that people go to Windows 10 as its more secure.

Break the existing working networking functionality so it has the same 'performance' as Windows 10 networking.

I feel more secure just not doing updates to my Windows 7 machines.

18
3

Re: No surprises

If it’s 32bit windows 7 then no meltdown patch anyway. If it came with windows 7 then your oem probably hasn’t released a bios update for the Intel CPU firmware and MS so far is only including Intel firmware in Win 10 updates, so probably no spectre v2 patch either.

2
3
Thumb Down

Re: No surprises

WRONG. 23 bit W7 DOES have meltdown patches.

0
0
Silver badge
Joke

Prevent data theft, or h̶a̶v̶e̶ ̶w̶o̶r̶k̶i̶n̶g̶ ̶n̶e̶t̶w̶o̶r̶k̶i̶n̶g̶ prevent data theft. Tough choice.

3
3
Silver badge
Facepalm

From the desk of /dev/null

Generic anti-MSFT rant, pledge to migrate Nan to use Linux, recommend all wear tin-foil hat

12
16
Silver badge

Re: From the desk of /dev/null

That's an interesting post there, JJ. Of all the comments at time of writing yours is the only one to mention Linux. The rest seem to be by Windows users complaining about Microsoft.

18
2
Silver badge
Coat

Re: From the desk of /dev/null

To be fair to JJ that's probably a first :)

6
2
Trollface

Re: From the desk of /dev/null

That's a great plan JJ, have an upvote.

1
0
Silver badge
Joke

Re: From the desk of /dev/null

@Doctor Syntax

It must have been "dungeons and dragons" night or something.

The Penguins were busy.

Regards,

Jealous I wasn't invited.

1
1
Silver badge

Game over, Microsoft

I've already mentioned here that I stopped upgrading Windows 7 in January feeling the Spectre and Meltdown medicine is worse than the malady. I feel 100% vindicated now. The March patches patch January vulnerabilities while the network may stop working. What kind of joke it is unless it is a last ditch effort by Microsoft to make me use Windows 10?

7
3

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018