As many of us were getting ready for the holiday weekend, after the surprise announcement about Windows being torn into three pieces, Microsoft shoveled yet another load of patches out the Automatic Update chute. Think of it as the software equivalent of a Friday night news dump.
A destructive fix for Total Meltdown
KB 4100480 kicked off the two days from patching purgatory with a Windows 7/Server 2008R2 kernel update for CVE-2018-1038, the “Total Meltdown” bug Microsoft introduced in Win7 back in January. Total Meltdown, you may recall, is a huge security hole implemented by all of these Microsoft security patches:
- KB 4056894 Win7/Server 2008 R2 January Monthly Rollup.
- KB 4056897 Win7/Server 2008 R2 January Security-only patch.
- KB 4073578 Hotfix for “Unbootable state for AMD devices in Windows 7 SP1 and Windows Server 2008 R2 SP1” bug installed in the January Monthly Rollup and Security-only patches.
- KB 4057400 Win7/Server 2008 R2 Preview of the February Monthly Rollup.
- KB 4074598 Win7/Server 2008 R2 February Monthly Rollup.
- KB 4074587 Win7/Server 2008 R2 February Security-only patch.
- KB 4075211 Win7/Server 2008 R2 Preview of the March Monthly Rollup.
- KB 4091290 Hotfix for “smart card based operations fail with error with SCARD_E_NO_SERVICE” bug installed in the February Monthly Rollup.
- KB 4088875 Win7/Server 2008 R2 March Monthly Rollup.
- KB 4088878 Win7/Server 2008 R2 March Security-only patch.
- KB 4088881 Win7/Server 2008 R2 Preview of April Monthly Rollup.
If you installed any of those 11 patches on your Intel 64-bit Windows 7/Server 2008 R2 computer, you opened up a gaping hole known as “Total Meltdown,” or CVE-2018-1038, that allows any program running on your computer to run in kernel mode. Yes, any program that’s running can read or write into any part of memory.
Microsoft infected all of those machines to defend against the professionally marketed Meltdown/Spectre vulnerability, which has never, ever been seen in the wild. Kevin Beaumont (@GossiTheDog on Twitter) said it best:
The amazing thing is Meltdown is academic research, which is realistically very difficult to do at scale (ie nobody has managed it) whereas this introduced issue is trivial to exploit — even I can do. And I’m thick.
Vess Bontchev goes on to say:
The single bug this [KB 4100480] update fixes is catastrophic. Basically a bug that negates the fundamental security protections of the OS and returns it to the times of MS-DOS.
Ulf Frisk, the guy who discovered this gaping security hole, said last Wednesday that the March Monthly Rollup, KB 4088875, plugs the hole. The next day he said that, oops, the March Monthly Rollup doesn’t fix the hole. Microsoft has now confirmed that the March Monthly Rollup actually introduces the hole.
KB 4100480 cure worse than the disease?
With the multitude of problems introduced by the March security patches, you may be wondering if this new (patch of a patch) ^ 12 brings along with it the bugs that have led to Microsoft “unchecking” the patch in Windows Update — to put it bluntly, the March patches stink so badly that Microsoft stopped force-feeding them a week ago.
MrBrian has a step-by-step analysis of the bugs in the March patches and whether they’re inherited by KB 4100480. He concludes that the Internet Explorer bug, the phantom NIC and reset-manual-IP bugs, and the VALID_POOL_ON_EXIT bluescreen bug in the March patches aren’t present in this new patch. The SMB server memory leak bug may or may not be in this new patch, but that bug has been around since January. And the PAE and SIMD bluescreens may or may not be in the new patch.
We’ve had ongoing coverage at AskWoody about the KB 4100480 patch and its mess. Susan Bradley, who has lots of experience with small business installations, has gone so far as to recommend SMEs with 64-bit Win7 machines roll them back to December:
If there are users in your patching environment that surf and click on ANYTHING, I’d hope you’d make them do their random surfing on an iPad, not a Windows machine (probably still with local admin rights) until this Windows 7 patching mess gets straightened out. I don’t like telling people to roll back to pre-January updates, but neither do I appreciate Microsoft having constant side effects that are measurable and impactful and all that happens is that they keep on telling us that they are working on the issues and this will be fixed in a future release…
If you have any January through March update installed, make sure KB4100480 is installed.
Otherwise go into add/remove programs and roll back to December’s KB4054521 (security only) or KB4054518 (rollup) and then hang tight and keep our fingers crossed that April’s updates will resolve these issues.
And then Microsoft please please please, do something about these known issues and fix them, because it pains me greatly to publicly type this.
A fix for patches that don’t have problems
Also, on Thursday afternoon, Microsoft dropped a handful of patches that fix other bad bugs in previous patches. Susan Bradley has a short list that includes KB 4096309 for Win10 1607/Server 2016 that “addresses an issue that can cause operational degradation or a loss of environment because of connectivity issues in certain environment configurations after installing KB4088889 (released March 22, 2018) or KB4088787 (released March 13, 2018).”
As Susan notes, both of the patches being fixed are still listed in their KB articles as “Microsoft is not currently aware of any issues with this update.”
Then there are the patches that fix bluescreens generated by earlier botched patches:
- KB 4099467 — Stop error 0xAB when you log off a Windows 7 SP1 or Windows Server 2008 R2 SP1 session. That’s a bug introduced in this month’s Win7/Server 2008 R2 patches.
- KB 4099468 — Stop error 0xAB when you log off a Windows Server 2012 session. That bug was introduced in this month’s Server 2012 patches.
- KB 4096310 — Stop error 0xAB when you log off a Windows Server 2008 session. Ditto ditto ditto.
Save your IP if you’re prescient
Microsoft describes the update, KB 4099950, this way:
This update addresses issues introduced in KB4088875 and KB4088878 for Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1 where a new Ethernet Network Interface Card (NIC) with default settings may replace the previously existing NIC, causing network issues. Also addressed is an issue where static IP address settings are lost after applying the update. These symptoms may be seen on physical computers and virtual computers running VMWare.
It turns out this is just a package for the (modified) VBScript that, when run prior to installing this month’s patches for Win7, avoids the static-IP-busting nature of the patch. I talk about the VBScript program in my Patch Alert article from last week.
Abbodi86 describes it:
So it’s the easy automated version of the VBscript. It checks if KB2550978 hotfix is installed (or any superseder). [Note: KB 2550978 is a many-year-old hotfix, last updated more than a year ago.] …
I wonder why Microsoft didn’t roll out that important fix years ago through Windows Update
The important note is that you have to run KB 4099950 before you install this month’s Win7/Server 2008R2 patches.
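If you administer more than a handful of Win7/Server 2008 R2 boxes, the practical question is which of them are sitting on one of the eleven Total Meltdown patches without KB 4100480, and which still need KB 4099950 (or its KB 2550978 prerequisite) before the March patches go on. The PowerShell audit below is an added example written for this article; it is not Microsoft’s code and not the VBScript the article refers to. It assumes the built-in Get-HotFix and Get-WmiObject cmdlets (present in Windows PowerShell 2.0 and later, i.e. stock Win7), and it only checks for KB2550978 itself, not for any hotfix that supersedes it, so a “missing” result there is a prompt to run KB 4099950, not proof that the VBScript would also complain.

```powershell
# Added example (not from the article, Microsoft, or AskWoody): audit one
# Windows 7 SP1 / Server 2008 R2 SP1 host against the KB numbers the article lists.
# Assumptions: Get-HotFix / Get-WmiObject are available (stock Windows PowerShell);
# superseders of KB2550978 are NOT resolved here (limitation of this example).

# The eleven January-April 2018 updates the article names as introducing CVE-2018-1038.
$TotalMeltdownPatches = @(
    'KB4056894', 'KB4056897', 'KB4073578', 'KB4057400', 'KB4074598', 'KB4074587',
    'KB4075211', 'KB4091290', 'KB4088875', 'KB4088878', 'KB4088881'
)
$Fix             = 'KB4100480'   # kernel fix for CVE-2018-1038 (Total Meltdown)
$DecemberRollup  = 'KB4054518'   # December 2017 rollback targets named by Susan Bradley
$DecemberSecOnly = 'KB4054521'
$NicPrereq       = 'KB2550978'   # hotfix that KB4099950 checks for before the March patches
$NicHelper       = 'KB4099950'   # packaged VBScript that saves the static IP / NIC settings

function Get-InstalledKBs {
    # HotFixID values come back as 'KB1234567'; normalise case and strip stray spaces.
    Get-HotFix | ForEach-Object { $_.HotFixID.ToUpper().Replace(' ', '') }
}

function Test-Win7x64Intel {
    # NT 6.1 = Windows 7 / Server 2008 R2; the article scopes the hole to 64-bit Intel hosts.
    $os  = Get-WmiObject Win32_OperatingSystem
    $cpu = Get-WmiObject Win32_Processor | Select-Object -First 1
    return ($os.Version -like '6.1.*') -and
           ($os.OSArchitecture -like '64*') -and
           ($cpu.Manufacturer -eq 'GenuineIntel')
}

function Get-TotalMeltdownReport {
    # $Installed can be supplied explicitly (e.g. from a remote inventory) for offline use.
    param([string[]]$Installed = @(Get-InstalledKBs))

    $offending = @($TotalMeltdownPatches | Where-Object { $Installed -contains $_ })
    $hasFix    = $Installed -contains $Fix

    [pscustomobject]@{
        Win7x64Intel        = Test-Win7x64Intel
        OffendingPatches    = $offending
        HasKB4100480        = $hasFix
        # Exposed = one of the eleven is present and the kernel fix is not.
        Exposed             = ($offending.Count -gt 0) -and (-not $hasFix)
        OnDecemberBaseline  = ($Installed -contains $DecemberRollup) -or
                              ($Installed -contains $DecemberSecOnly)
        NicPrereqPresent    = $Installed -contains $NicPrereq
        NicHelperPresent    = $Installed -contains $NicHelper
    }
}

$report = Get-TotalMeltdownReport
$report | Format-List

if ($report.Exposed) {
    Write-Warning "CVE-2018-1038 exposure: $($report.OffendingPatches -join ', ') installed without $Fix. Install $Fix, or roll back to December ($DecemberRollup / $DecemberSecOnly)."
}
if (-not ($report.NicPrereqPresent -or $report.NicHelperPresent)) {
    Write-Warning "Neither $NicPrereq nor $NicHelper found: run $NicHelper BEFORE applying the March Win7/Server 2008 R2 patches to keep static IP and NIC settings."
}
```

Run it elevated on each Win7/Server 2008 R2 host, or feed `Get-TotalMeltdownReport -Installed (…)` a list of HotFixIDs collected by your inventory tool to score machines centrally. A host that reports Exposed = True is exactly the case Bradley’s quote describes: one of the January–March updates is on the box and KB 4100480 is not.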
The bottom line
I can recall lots of bad Windows patches over the past couple of decades, but I’d be hard-pressed to come up with any that approach this year’s phalanx of Windows 7 screw-ups. It’s as if Microsoft doesn’t care about old multi-billion-dollar businesses.
For now, I continue to recommend that individuals stay put and don’t install any of the March patches. For enterprises, follow Bradley’s advice and roll back to December if you have users with indiscriminate clicking fingers.
Join us for tea and sympathy on the AskWoody Lounge.