Posted on 03/30/2018 7:37:48 AM PDT by dayglored
If at first you don't succeed, you're Redmond
Microsoft today issued an emergency security update to correct a security update it issued earlier this month to correct a security update it issued in January and February.
In January and February, Redmond emitted fixes for Windows 7 and Server 2008 R2 machines to counter the Meltdown chip-level vulnerability in modern Intel x64 processors. Unfortunately, those patches blew a gaping hole in the operating systems: normal applications and logged-in users could now access and modify any part of physical RAM, and gain complete control over a box, with the updates installed.
Rather than stop programs and non-administrators from exploiting Meltdown to extract passwords and other secrets from protected kernel memory, the fixes on Windows 7 and Server 2008 R2 instead granted full read-write privileges to system RAM.
Roll on March, and Microsoft pushed out fixes on Patch Tuesday to correct those January and February updates to close the security vulnerability it accidentally opened.
Except that March update didn't fully seal the deal: the bug remained in the kernel, and was exploitable by malicious software and users.
Now, if you're using Windows 7 or Server 2008 R2 and have applied Microsoft's Meltdown patches, you'll want to grab and install today's out-of-band update for CVE-2018-1038.
Swedish researcher Ulf Frisk discovered the January and February Meltdown mitigations for Win7 and Server 2008 R2 were broken, and went public with his findings once the March Patch Tuesday had kicked off. As it turns out, this month's updates did not fully fix things, and Microsoft has had to scramble to remedy what was now a zero-day vulnerability in Windows 7 and Server 2008.
In other words, Microsoft has just had to put out a patch for a patch for a patch. Hardly inspiring stuff, but we suppose the old Microsoft adage remains true: never trust a Redmond product until version three at the earliest. On the other hand, writing kernel-level memory management code is an absolute bastard at times, so you have to afford the devs some sympathy.
BTW some of us have written kernel-mode code that manipulates MMU page tables, and it's an absolute fiddly PITA. So gg Microsoft. You got there in the end. https://t.co/bxDbbALhqE (The Register, @TheRegister, March 29, 2018)
Frisk told El Reg he only learned the OS-level bug was still present yesterday. When he went live with the flaw on his blog earlier this week, it was with the blessing of Microsoft's security group on the belief the March update had addressed everything.
Needless to say, if you own or administer either a Windows 7 or Server 2008 R2 system, you will want to test and deploy this fix as soon as possible. ®
I have turned off updates for both of my Windows 7 PCs and am wondering if it is safe to keep updates permanently off. Don’t want to experience the blue screen of death horror I went through in January ever again. Any advice would be appreciated. A computer dummy in Japan ...
It all depends on how much risk you are willing to take. Security updates protect against the bad guys and their attempts to subvert your computer, steal your identity and money, etc.
Like any form of protection they're only one part of the defense picture. You also have to take responsibility for being extremely careful and suspicious when surfing the internet, opening email, downloading files, etc.
Personally, I install security updates regularly, never go to likely malicious sites, evaluate every email carefully and never trust anything from anyone without checking. I also run anti-malware software to catch the things I might miss or don't know about; that goes for -all- my computers, not just Windows.
If you choose to avoid the security updates, your computer will still function, but you must assume additional responsibility for being alert. It's still a very good idea to run anti-malware software, regardless of your operating system.
pls, what is a write-protect tab?
i know what it used to be as in the tab you put on a floppy to write protect it, but in this case no
> pls, what is a write-protect tab? i know what it used to be as in the tab you put on a floppy to write protect it, but in this case no
Obscure 80's-90's reference... It used to be "Practice Safe Computing, always wear a write-protect tab", a parody of the Safe-Sex warnings of the time.
I was just updating it for the Internet. :-)
gotcha... i remember the write-protect tabs on floppy drives but didn't know if you meant VPN or VirtualBox tab of some sort
Bfl