back to article Microsoft's Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE

Microsoft's January and February security fixes for Intel's Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes. This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple's FileVault disk encryption system. We're told Redmond's …

  1. wsm

    Ooops!

    Time to blame Intel again?

    Yes, yes, I am aware that the need to patch is all because of the famed Chipzilla design flaws, but MS have a way of blaming others for their own design flaws, as in the Surface product introductory conditions.

    But when you fail in your own field, software updates, for example, can you really call someone else out?

    1. Khaptain Silver badge

      Re: Ooops!

      If your car has a GPS which has fault and the car manufacturer has to rewire your car I think it is safe to safe to mention that the problems are due to the faulty GPS the manufacturer.

      This doesn't completely excuse the car maker from having dodgy wiring but it is understandable.

      Personally I wouldn't like to be in Microsofts shoes at the moment having Meltdown looming over my head.

      Intel have a lot to answer for...

    2. J. R. Hartley

      Re: Ooops!

      It's almost like Microsoft want everybody off Windows 7...

      1. elDog

        Re: Ooops!

        You could interpret it that way. And I wouldn't disagree...

        We couldalso go with the old 64K limit on early MS-DOS/CPM and say that the boys that owned MS at that time were interested in "expanding" their reach.

        Also that somewhat contested statement that 640K (1MB minus MS overhead) was enough for everyone. Until MS wanted to get into the corporate suites and run some real software.

        Not to talk about taking an essentially single-user OS and jerry-rigging it to try to server multiple users, and sometimes multiple desktops.

        Just like the proverbial frog and the slow leakage of democracy - how have we let these inadequate buggers dictate what 90%+ of the world uses on their desktops? Yes, I know that most embedded devices and ALL phones don't run MS software.

        1. Anonymous Coward
          Anonymous Coward

          Re: Ooops!

          IBM is presumably to blame for the 640k limit; the remainder of the first 1MB (8088's limit) is where stuff like ROM and VRAM were mapped. Now, not designing their software to be able to work around this limitation without various complications (UMA/HMA, EMS, XMS, and the software memory managers to provide interactions with them),... that's on MS and others.

  2. Shadow Systems

    Should I be worried...

    ...that I've not received anything other than updates to MS Security Essentials the last few times there's been anything in my update client at all?

    I *just* ran it again to be sure & once again it says there's no updates available.

    Either I'm so secure that MS can't find anything to patch/fix (unlikely but possible) or MS is off in a corner wanking with both hands, both feet, & a prehensile tail (infinitely more likely).

    =-j

    1. mr.K

      Re: Should I be worried...

      Their updates could break windows machines that ran certain kind of anti virus programs. So they made a key in the registry that had to be set before windows update would allow those updates to be applied. If the anti virus vendor had cleared their own software they should send out an update that should set that key. Of course if you do not run any AV you are screwed.

      https://www.theregister.co.uk/2018/01/09/meltdown_patch_anti_malware_conflict/

      I don't know if your problem is that, but should be able to check if the key is set manually.

    2. mIRCat

      Re: Should I be worried...

      You may want to check that you have the registry key set that they advised in January. Without it your system will show compliant, but won't install any updates after December. I believe it's hklm/software/Microsoft/Windows/CurrentVersion/QualityCompat

      Happy Patching!

      1. Anonymous Coward
        Anonymous Coward

        Re: Should I be worried...

        Amusingly enough, it looks as if Windows Defender doesn't set that key.

        (Posting as AC for a fairly obvious reason.)

        1. Anonymous Coward
          Anonymous Coward

          Re: Should I be worried...

          "(Posting as AC for a fairly obvious reason.)"

          It's very unfortunate what time and age we are transforming backwards. It's like 2015 was a tipping point, before that writing things online was no problem. We have to fear the corrupt corporate stasi, their puppets and bots and naive fanboys these days. So much for free speech. The good thing a few websites like TheReg still offer a comment section and allow anon comments! Most other media removed comment sections, heavily censor comments or put in FB(I) comment section.

    3. Anonymous Coward
      Anonymous Coward

      Re: Should I be worried...

      The March cumulative updates have been pulled by Microsoft for Windows 7 and 2008R2 due to the networking bug, although still available if you are using WSUS / SCCM and fancy a gamble. You can still get hold of them direct from the Windows Update Catalog but read the KB articles first as they now say you have to run a script first to ensure you don't lose networking.

      I have no idea how a normal user is supposed to update thier Window 7 machine.

      1. onefang
        Joke

        Re: Should I be worried...

        "I have no idea how a normal user is supposed to update thier Window 7 machine."

        Last time I checked, a normal user is supposed to "update" their Windows 7 machine by installing Windows 10 on it. At least that's the official word from Microsoft.

  3. Anonymous Coward
    Anonymous Coward

    it was a mistake, would we lie to you?

    Microsoft ain't done til Windows 7 won't run!

    1. veti Silver badge

      Re: it was a mistake, would we lie to you?

      You think it's a cunning ploy?

      I think you severely over-estimate Microsoft's competence.

      1. Mark 85

        Re: it was a mistake, would we lie to you?

        I think he underestimated MS's incompetence.

  4. Oh Homer

    Windows upd...what, now?

    Stop-Service wuauserv

    Set-Service wuauserv -StartupType Disabled

    Stop-Service bits

    Set-Service bits -StartupType Disabled

    You know things are bad when you trust malware more than Microsoft.

    1. Anonymous Coward
      Anonymous Coward

      Re: Windows upd...what, now?

      I turned off windows updates when they announced they were releasing fixes that slowed down your machine by 30% or more.

    2. Shadow Systems

      Re: Windows upd...what, now?

      Oh Homer, you owe me a new keyboard. But since I now owe you a pint, meet me at the pub so I can thank you properly. =-Jp

    3. Baldrickk

      Re: You know things are bad when you trust malware more than Microsoft.

      Me, I'm dishonest, and you can always trust a dishonest man to be dishonest. Honestly, it's the honest ones you have to watch out for.
      Captain Jack Sparrow

    4. fobobob

      Re: Windows upd...what, now?

      For those allergic to PowerShell (you can also 'net stop' instead of 'sc stop', but why?):

      sc stop wuauserv

      sc config wuauserv start= disabled

      sc stop bits

      sc config bits start= disabled

      (note the space after the =, it matters)

      Wrapping it all in a pair of batch scripts (or something fancier to toggle it) is a possibility.

  5. Anonymous Coward
    Anonymous Coward

    Why is this allowed?

    Why is Microsoft allowed to sell a defective OS and distribute defective so called "security" updates that compromise actual PC security and operation with no liability for the damage these defective products inflict? The user's agreement should in no way allow for such irresponsible behavior and financial damage to consumers and enterprise.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why is this allowed?

      Well simple, they have money. Lots of it. Money into the right pockets has its advantages ;-)

    2. Anonymous Coward
      Anonymous Coward

      Re: Why is this allowed?

      For the same reason everyone else is. There's no such thing as bug free software, and there never will be. Probably.

    3. MyffyW Silver badge

      Re: Why is this allowed?

      There is really no lower limit for how crap software can be, only that the more crap it gets the more likely you are to consider a competitor product, no matter what level of technical indebtedness you have to Redmond.

    4. chivo243 Silver badge
      Coat

      Re: Why is this allowed?

      @AC

      Why is Microsoft allowed to sell a defective OS and distribute defective so called "security" updates?

      Because one the Three Letter Club asked nicely? *cough* *NSA* *cough*

      Now where's that tinfoil hat icon...

  6. Mark 85

    So are there any attacks via Meltdown in the wild? Makes we wonder why the panic if not. This still doesn't account for MS screw-ups.

    1. tfewster
      Facepalm

      Optional title

      Remind me, what services is a personal computer running that make Meltdown/Spectre significant risks?

      The update should be optional

      1. Dodgy Geezer Silver badge

        Re: Optional title

        Your bank details, your photos being held to ransom, the system being zombied to attack others in a DDOS.....

        1. Peter2 Silver badge

          Re: Optional title

          Your bank details, your photos being held to ransom, the system being zombied to attack others in a DDOS.....

          For a single user home PC meltdown is only effectively as dangerous as a keylogger; by the time you have let somebody root your computer to the extent that you can run a meltdown exploit then it's endgame anyway; everything but the bank details would be done with other bits of malware than a meltdown exploit.

          Meltdown is most serious for servers and especially cloud services as you have multiple users sharing the CPU, and compromising one user allows you to basically read any users data from the CPU. For a home user, it's not too much more serious than a keylogger as far as I can see.

        2. jeffdyer

          Re: Optional title

          Please explain how you intent to convert random bytes in memory space into bank account numbers.

          1. Peter2 Silver badge

            Re: Optional title

            Well, if it'd been entered then it might be resident in memory and retreivable through meltdown. Meltdown on it's own certainly wouldn't hold photos to ransom or be part of a zombie network DDOS'ing people.

            Hence my point that in a single user enviroment meltdown is only as dangerous as a keylogger for most practical purposes. It becomes more scary at server or cloud level where it can pull out details of other users, but that's not relevant in a single user enviroment.

            1. tfewster
              Thumb Up

              Re: Optional title

              Thank you, Peter2 - As you say, Meltdown is a privilege escalation bug, not an entry point.

  7. Eddy Ito
    FAIL

    Huh, I have mixed emotions. I'll count myself as lucky(?) as the January and February patches failed to install. The unlucky part is that the March hack job succeeded. The truly pitiful part is that I actually download and install this crap by hand via the command line on my personal machines. Maybe it's time to stay a month behind to see what shit stirs up, maybe six months.

    Dear MS,

    Epic -->

  8. SVV

    Prevent data theft, or have working networking. Tough Choice.

    To be fair, not having working networking also prevents data theft. But that's only being pedantic in this scenario.

  9. dan1980

    Rock, meet hard place.

    "Unless, of course, yours is one of the systems that also happens to be suffering from a different bug in the patch that is causing networking problems on some servers that run VMware hypervisors (and possibly some Broadcom NICs- we're trying to confirm that,) in which case you now get to choose between security and network access."

    Quite the choice: do or don't. Seems that the choice to be damned or not is out of your hands.

  10. conscience
    Facepalm

    Foot meet hand grenades

    It seems Microsoft aren't satisfied merely shooting at their own feet so they decided to take it to the next level.

    Of course, MS being a joke is nothing new but this is one enormous screw up, even by their super low standards.

    It is also not unheard of for Microsoft to deliberately introduce new show-stopping bugs into operating systems they'd rather people upgraded from. It was the exact same tactic they used when Vista was replacing XP e.g. SP3 broke popular on-board networking and sound on a lot of motherboards unless the drivers were installed prior to the service pack, otherwise the PC fell silent and had no networking no doubt convincing the technically illiterate that the actual hardware was broken and it was time for a new PC (and the latest version of Windows).

    What are the odds that the official fix advice will be "upgrade to Windows 10"?

    1. Sandtitz Silver badge
      Facepalm

      Re: Foot meet hand grenades

      What are the odds that the official fix advice will be "upgrade to Windows 10"?

      The March 13 update fixed this already. Didn't you read the article? Icon.

    2. Amos1

      Re: Foot meet hand grenades

      Except the March security patch broke wireless networking on my older Windows 10 laptop with an Atheros card. No event logs, no service problems; it just would';t see any Wi-Fi points at all until I uninstalled it.

      It's probably because of that "Designed for Windows Vista" RFID sticker on it, eh?

  11. JakeMS

    Microsoft Comment

    Will probably fall along these lines:

    "We're sorry that some of our customers using older software were effected by this issue. We recommend you upgrade to Windows 10 to get the best protection."

    They will try to push 10 one way or the other.

    1. Anonymous Coward
      Anonymous Coward

      Re: Microsoft Comment

      That can just wait till Jan. 14, 2020

  12. Anonymous Coward
    Anonymous Coward

    No surprises

    Break the fundamental security in Windows 7 and hope that people go to Windows 10 as its more secure.

    Break the existing working networking functionality so it has the same 'performance' as Windows 10 networking.

    I feel more secure just not doing updates to my Windows 7 machines.

    1. Deckard_C

      Re: No surprises

      If it’s 32bit windows 7 then no meltdown patch anyway. If it came with windows 7 then your oem probably hasn’t released a bios update for the Intel CPU firmware and MS so far is only including Intel firmware in Win 10 updates, so probably no spectre v2 patch either.

      1. Two Lips
        Thumb Down

        Re: No surprises

        WRONG. 23 bit W7 DOES have meltdown patches.

  13. Hans 1
    Joke

    Prevent data theft, or h̶a̶v̶e̶ ̶w̶o̶r̶k̶i̶n̶g̶ ̶n̶e̶t̶w̶o̶r̶k̶i̶n̶g̶ prevent data theft. Tough choice.

  14. Anonymous Coward
    Facepalm

    From the desk of /dev/null

    Generic anti-MSFT rant, pledge to migrate Nan to use Linux, recommend all wear tin-foil hat

    1. Doctor Syntax Silver badge

      Re: From the desk of /dev/null

      That's an interesting post there, JJ. Of all the comments at time of writing yours is the only one to mention Linux. The rest seem to be by Windows users complaining about Microsoft.

      1. Sir Runcible Spoon
        Coat

        Re: From the desk of /dev/null

        To be fair to JJ that's probably a first :)

      2. rmason
        Joke

        Re: From the desk of /dev/null

        @Doctor Syntax

        It must have been "dungeons and dragons" night or something.

        The Penguins were busy.

        Regards,

        Jealous I wasn't invited.

    2. onefang
      Trollface

      Re: From the desk of /dev/null

      That's a great plan JJ, have an upvote.

  15. arctic_haze

    Game over, Microsoft

    I've already mentioned here that I stopped upgrading Windows 7 in January feeling the Spectre and Meltdown medicine is worse than the malady. I feel 100% vindicated now. The March patches patch January vulnerabilities while the network may stop working. What kind of joke it is unless it is a last ditch effort by Microsoft to make me use Windows 10?

  16. Anonymous Coward
    Anonymous Coward

    Re. Game over, Microsoft

    Seems to be fine so far but noticed that some stuff that previously worked now won't.

    Such as Bluetooth.

    Also has anyone managed to upgrade a shipped-with-32-bit system to 64 if everything else supports it?

    The system has a 4GB hardwired RAM limit but thats not too bad for some applications.

    1. Deckard_C

      Re: Re. Game over, Microsoft

      Yes, well wipe and install. Vista vintage PC (now running win 7 64bit) and PCs from 2010. Hardware limit to 4GB of ram only 2GB installed.

    2. kain preacher

      Re: Re. Game over, Microsoft

      You can't upgrade 32 to 64

  17. Dave K

    Control

    Funnily enough, it's situations like this why I demand proper control over updates. As I have an AMD system (hence, no Meltdown), I chose not to apply the January patches. Thought I'd let the worst of the issue blow over, and give chance for any bugs in the (rushed) patches to be sorted out and fixed first of all. As a couple of months have passed, I was now beginning to think about patching, and then this story rises up.

    I will apply the patches to my system in due course, but MS's "quality control" doesn't have the greatest reputation lately, hence why I prefer to delay installation a bit first.

    1. Tom Paine

      Re: Control

      I will apply the patches to my system in due course, but MS's "quality control" doesn't have the greatest reputation lately, hence why I prefer to delay installation a bit first

      Must be nice to have that luxury.

  18. Hans 1
    Windows

    How is this even news ?

    Microsoft's Windows 7̶ ̶M̶e̶l̶t̶d̶o̶w̶n̶ ̶f̶i̶x̶e̶s̶ ̶f̶r̶o̶m̶ ̶J̶a̶n̶u̶a̶r̶y̶,̶ ̶F̶e̶b̶r̶u̶a̶r̶y̶ made PCs MORE INSECURE

    TFTFY

  19. tempemeaty
    Pint

    Death by a Thousand Patches

    I don't think the modern world will end with an asteroid hit. It will all come to an end with a Microsoft Windows Patch...

    I'm just going to sit here and calmly watch it all end...with my favorite beverage in hand...

    1. Anonymous Coward
      Anonymous Coward

      Re: Death by a Thousand Patches

      More like Windows NT4 (Nuclear Submarine Edition) patches finally show up late, on CD-R and get installed causing every single missile to launch at the same time say 01/04/18 at 04.00 because some crazy phool figured that this would be a good time to automagically install the rollup patch and made some really boneheaded mistake like a fandango-on-core.

      By the time someone figured out that it wasn't an April Fools joke 2900 megadeaths and a radioactive death cloud result, the only good news being that Redmond *and* Cupertino both get taken out by a pair of 9 megaton yield SLBMs in the first ten minutes. Karma's a b*tch!

      1. tempemeaty
        Thumb Up

        Re: Death by a Thousand Patches

        @Anonymous

        "...the only good news being that Redmond *and* Cupertino both get taken out by a pair of 9 megaton yield SLBMs in the first ten minutes. Karma's a b*tch!?

        THANK YOU.

    2. Tom Paine

      Re: Death by a Thousand Patches

      I've never heard it called that before.

      /blackadder

  20. Anonymous Coward
    Anonymous Coward

    Microsoft is killing the Planet!

    The Carbon Footprint of People Bricking Themselves...it must a massive cost, all that extra f*rted pollutant, not to mention the extra wasteful CPU cycles, extra reboots.

    I've got a list of all the pre-spectre patches and this is all I will be using 'till (microsoft kills Win7) this resolves.

    1. onefang
      Flame

      Re: Microsoft is killing the Planet!

      I think you'll find that farts are mostly methane, though it's still a bigger hot house gas than carbon dioxide. Maybe someone more chemically minded than me could tell us if it's better for the planet to light 'em? The farts I mean, not Microsoft.

  21. Bandikoto
    Holmes

    I'll just be sitting in my basement, occasionally firing up a dead XP box in a VM in order to program devices. Oddly enough, MSFT is still updating the darn thing!

    My 7 box is still on 7 because it was dead during the free upgrade to 10 window.

  22. tekHedd

    Quote Accidentally Unquote

    Only on Windows 7, they "accidentally" left the write bit set. "Oops."

    How did I get so cynical? The behavior of Microsoft and similar companies over the past [redacted] decades. The line between cynicism and skepticism is very, very thin.

    1. Anonymous Coward
      Anonymous Coward

      Re: Quote Accidentally Unquote

      "The line between cynicism and skepticism is very, very thin."

      The line is very very thin because you are using the 'wrong' unit of information to map your data.

      If it is represented by a qubit thence 'there is no spoonline'*. !!! :)

      *[Never thought I would ever use 'thence' in a sentence :) :) ]

  23. Anonymous Coward
    Anonymous Coward

    It was safer to disable Windows 7 updates in 2016 onwards

    Ever since 2016 it is insecure to update Windows 7. Just disable Windows updates and use Chrome and other software. Why? Ever since 2016 Windows updates come with backported spyware, forced upgrade dialogs, slower replacement components to annoy user. Exactly the same happend with Windows XP. It was best to stay with Service Pack 2 and never install SP3 and disable Windows Updates and install selected patches via third party websites that really care about the user and Windows ecosystem. Their evil strategy, again and again.

    For the short and mid term Windows 7 64-bit is perfect. No other OS (beside macOS, iOS, Android) is as polished, stable and great to use. For long term a switch to Google Android, Google Magenta or Linux or FreeBSD is inevitable. Win8 and Win10 are a showstopper, loosing control of PC/notebook is a no go. Unfortunately MSFT has their fingers inofficially in Gnome and KDE to sabotage them, so both suck nowadays, KDE 3.5, Unity and Gnome 2 (now Mate) were great. Almost everything is web based anyway, and for the few native applications the hope is the new Google OS "Magenta" destroys Windows one for good.

  24. Tom Paine

    PMSL table?

    GOTO FAIL

  25. Anonymous Coward
    Anonymous Coward

    Hacking

    Has anyone ever installed x64 Ubuntu (probably going for 18.04 Bionic Beaver) on a netbook?

    Its a 4GB dual core Atom with a recent graphics chip and I've also replaced the terrible wifi card with something a bit less primitive (Scotty voice) and ripped out the blue LEDs.

    It does have Bluetooth on the card but a second unit isn't out of the question and adding diskless cold boot via 128Mbit BIOS chip and SD via webcam interface would be handy.

    Interesting note: the majority of problems with cheaper netbooks are simple overheating, I have determined that simple overvoltage to the fan (normally +5V) or second HDD fan will give a bit more cooling.

    Also replacing the switching regulators with more modern equivalents and adding active filters reduces RF noise a lot, should really document this mod on Hackaday.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like