Microsoft releases out-of-band security updates to address Intel bug - gHacks Tech News

Microsoft releases out-of-band security updates to address Intel bug

Microsoft released out-of-band security updates for Windows yesterdays that address a recently revealed major security bug in Intel, AMD and ARM processors.

The updates are filed under the IDs KB4056888 , KB4056890. KB4056891, KB4056892, and KB405689. All updates share the following description:

Security updates to Internet Explorer, Microsoft Scripting Engine, Microsoft Edge, Windows Graphics, Windows Kernel, Windows Subsystem for Linux, and the Windows SMB Server.

The update is available only for Windows 10 and Windows Server 2016 at this point; updates for Windows 7 and Windows 8.1 will be released next Tuesday according to The Verge. The second Tuesday of the month is Microsoft's traditional Patch Tuesday. Microsoft releases security updates for all supported products on that day usually.

The updates rely on firmware updates from Intel, AMD, and other vendors, and some software programs, antivirus products, for instance, may need patching as well to address the changes made to Kernel-level access.

The patches may cause performance to drop on affected systems. While Intel Skylake and newer processor systems won't see a massive drop in performance, older Intel processors may see a significant drop in performance after application.

Intel confirmed that performance might be affected depending on the system's workload. Initial benchmarks suggest that performance may drop by up to 30% in certain workload situations.

AMD published a response on its corporate website indicating that AMD processors are affected only by one variant of the vulnerability and that the company expects a negligible performance impact

Google disclosed the vulnerability yesterday on the Project Zero blog. It seems likely that Microsoft's decision to release an out-of-band security update for Windows 10 was caused by Google's disclosure date.

It is unclear why Microsoft won't release updates for Windows 7 and Windows 8.1 as out-of-band security updates as well.

Update: Security updates for Windows 7 and Windows 8.1, and Server operating systems are available on the Microsoft Update Catalog website (thanks Woody).

Internet Explorer 11 patches are available on the Microsoft Update Catalog website as well.

Installing the update

windows KB4056888 KB4056890 KB4056891 KB4056892 KB405689

Windows 10 users and admins can use Windows Updates to install the out-of-band security updates to affected machines running Windows 10.

  1. Tap on the Windows-key, type Windows Update and select the item from the list of results to open the Update & Security section of the Settings application.
  2. Click on "check for updates" to run a manual check for updates if the check does not happen automatically.
  3. Click download or wait for the download to complete automatically.
  4. Restart the computer system.

Follow the links below to the KnowledgeBase articles.

The following links point to the Microsoft Update Catalog website where updates can be downloaded manually:

Summary
Microsoft releases out-of-band security updates to address Intel bug
Article Name
Microsoft releases out-of-band security updates to address Intel bug
Description
Microsoft released out-of-band security updates for Windows yesterdays that address a recently revealed major security bug in Intel, AMD and ARM processors.
Author
Publisher
Ghacks Technology News
Logo

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Hop Tzop said on January 4, 2018 at 10:06 am
    Reply

    There are 2 bugs reported, Meltdown which is the big one and affects only Intel CPUs and ARM, if I remember right, but not AMD, and there is another bug called Spectre which isn’t a big one and can’t really be patched which affects all CPUs, expect on AMD only a part of it. The update MS released is for Meltdown. My only curiosity about this patch is if it applies to AMD processors too, which aren’t affected by the bug and wouldn’t be fair to lower their performance.

    1. TelV said on January 4, 2018 at 1:39 pm
      Reply

      AMD is affected as well according to CERT: https://www.kb.cert.org/vuls/id/584653

      1. smh said on January 8, 2018 at 5:43 am
        Reply

        That page mentioned both Meltdown and Spectre. It doesn’t specifically says that AMD is affected by Meltdown.

    2. AnorKnee Merce said on January 4, 2018 at 3:44 pm
      Reply

      @ Hop Tzop

      For Linux kernels, the KPTI patch for the Meltdown bug only applies to computers with Intel processors, ie does not apply to AMD processors. Do not know about Windows.

      AFAIK, the CPU Spectre bug allows hackers to use programs, eg browser Javascript, to read kernel memory dumps that were in RAM = may read passwords, encryption keys, usernames, credit card data, bank account data, etc. With such information at hand, the hackers will be able to do further exploits.
      … Seems, the Spectre bug can only be patched on the software/program side, eg Mozilla has just released an initial patch for Spectre for FF 57.
      … Computer users will have to rely on their OS and/or Anti-Virus program to detect a program/app-based Spectre attack and then respond accordingly, eg by uninstalling the vulnerable program/app or not visiting the vulnerable website.

  2. Ivan said on January 4, 2018 at 10:14 am
    Reply

    >It is unclear why Microsoft won’t release updates for Windows 7 and Windows 8.1 as out-of-band security updates as well.

    Is it too far fetched to assume that they want to push users towards using Win 10?

    They obviously have something to gain from users switching, otherwise there wouldn’t have been this malware autoinstall debacle and the free upgrade, after decades of the OS costing money.

    1. Martin Brinkmann said on January 4, 2018 at 10:22 am
      Reply

      Just received word that security updates for W7 and W8.1 are available on Update Catalog, but not Windows Update.

      1. Ivan said on January 4, 2018 at 12:14 pm
        Reply

        Thanks!

        I hope someone tests these and does benchmarks.

      2. ilev said on January 4, 2018 at 9:19 pm
        Reply

        No Windows 7, 8.1 update on Update Catalog. Just checked.

      3. Martin Brinkmann said on January 4, 2018 at 9:23 pm
        Reply

        They are on the second page, you need to click on “next”.

  3. wybo said on January 4, 2018 at 10:20 am
    Reply

    Reuters reports that Intel denies it will bog down affected computers,

    https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO

    PS Windows Update Catalog has patches for Windows 8

    1. Hop Tzop said on January 4, 2018 at 11:00 am
      Reply

      Well, I wouldn’t trust Intel. They’ve done a lot of shady things in the past. We have to understand that they are trying to stop the snowball which is getting bigger and bigger and it hurts them a lot so it’s in their interest even to lie about that.

      1. Jacob said on January 4, 2018 at 11:22 pm
        Reply

        No, this is true. It does not affect performance especially for user machines.
        There are multiple benchmarks on this matter. It is safe to install, besides Security trumps performance.
        https://www.techspot.com/article/1554-meltdown-flaw-cpu-performance-windows/

      2. Sophie said on January 5, 2018 at 5:42 pm
        Reply

        Security does not always trump performance. There can be many mitigating actions that one can take, that….when held at arms length….alongside the security issues, can sometimes lead to the conclusion that the reverse of your statement may be true.

        For example, I would not wish to suffer a significant slowdown (in this example), for a theoretical issue that might never bite. And if it did bite, I might consider that I had my bases covered.

        Each of us have their own perspective of risk and mitigation of risk. And often risks are hyped for all sorts of reasons, though I’m not suggesting that that is the case here, with this issue.

      3. Tom Hawack said on January 5, 2018 at 5:59 pm
        Reply

        I had and have exactly the same approach to these unexpected out-of-band security updates but wouldn’t have found the words and the tactful way of using them to express it any better.

        Wait and see how all this deploys but between an alarm and hysteria the line is often thin. Moreover this affair is too full of approximations and incertitude. I won’t install an update which concerns the very Kernel on this basis, certainly not. Not at this time.

      4. AnorKnee Merce said on January 5, 2018 at 6:42 pm
        Reply

        @ Jacob

        Security updates can bork or brick your programs or computer, especially Win 10’s forced updates/upgrades.
        … Like they say, “Do not fix what ain’t broken”.

        Latest news on the issue is at arstechnicadotcom.
        … Seems, the Intel microcode or firmware update to fix the Spectre bug can break your programs and OS if they have not been correspondingly patched.
        … Some AV programs for Windows are not compatible with the KPTI patch for the Meltdown bug.

        In this case, it’s better to wait for the dust to settle before applying the updates/patches. Nobody wants to end up with a non-performing computer just for security sake.

      5. Fedor said on January 21, 2018 at 8:41 am
        Reply

        you shouldn’t be surprised about this about Intel, they are designed and manufactured by Israel, I am surprised no one talks about this fact…

  4. Franck said on January 4, 2018 at 10:53 am
    Reply

    Thank you very much for the excellent sum-up and clear download links !

  5. kanade said on January 4, 2018 at 11:35 am
    Reply

    Looks like only Windows Embedded Standard 7 has the security patch as the normal Windows 7 (both 32 and 64 bits) are not available from the catalogue.

    Are they rolling out the rest of the patches by end of today?

    1. Martin Brinkmann said on January 4, 2018 at 11:52 am
      Reply

      You need to go to the second page on the Update Catalog website to see the other patches.

      1. kanade said on January 4, 2018 at 12:42 pm
        Reply

        Oh my bad, I’m blind.

      2. beatbox said on January 4, 2018 at 5:39 pm
        Reply

        I must be too, I can’t find it either.

        Maybe, it would be more helpful to supply the correct links to the websites in question.

        I find Martin’s insights very interesting, but I spend too much time looking for the right information and then I’m not sure if I have the right download.

        It’s not a criticism, just asking for a little more help.

        Thank you.

      3. Tom Hawack said on January 4, 2018 at 5:43 pm
        Reply
      4. beatbox said on January 4, 2018 at 7:31 pm
        Reply

        Thanks Tom.

        So, I download the 64 bit at 66.9MB ?

        Cheers.

      5. Tom Hawack said on January 4, 2018 at 7:44 pm
        Reply

        That should be it, beatbox, for Windows 7 64-BIT of course.
        2018-01 Security Only Quality Update for Windows 7 for x64-based Systems (KB4056897)
        windows6.1-kb4056897-x64_…..msu weighing 66.9MB

        I know, it’s not obvious to find. I wonder why they can’t make it a direct link to that .msu file, but that’s Microsoft’s policy : you have to go and get it…

      6. beatbox said on January 4, 2018 at 5:59 pm
        Reply

        Hi.

        I found the link to the Microsoft update catalogue…Sorry guys !!

        As I use windows 7, 64 bit do I download both of the updates because they both have the same KB number ?

        Or only the 2018-01 Security Only Quality Update for Windows 7 for x64-based Systems (KB4056897) @ 66.9MB ?

        Thank you.

      7. Cigologic said on January 6, 2018 at 12:07 am
        Reply

        @ beatbox: “As I use windows 7, 64 bit do I download both of the updates because they both have the same KB number ?”

        Microsoft’s KB labelling system is such that all patches addressing the SAME issue wrt Win 7 x32/64 & Win Server 2008 R2 have the same KB label.

        Since your OS is Win 7 x64, you only need to install the x64 version (66.9 MB) of KB 4056897 (Meltdown kernel bug patch for Win OS).

        That being said, you might wish to wait a while before installing the patch, & check if other users have experienced problems with the patch.

        IMPORTANT: You first need to check that your installed antivirus program (if any) is compatible with the KB 4056897 patch. A certain registry key needs to exist, or else the installed KB patch will cause your PC to go into a bluescreen loop upon the next boot, such that your PC won’t be able to boot into the Windows environment.

        If your installed antivirus is MS Windows Defender or MS Security Essentials with their latest updates, they are compatible with KB 4056897.

        In contrast, numerous 3rd-party antivirus are currently not compatible with KB 4056897. Check with your antivirus vendor to see if their latest or upcoming program update supports KB 4056897 & would thus set the required registry key. If yes, install the antivirus program update BEFORE installing KB 4056897.

        Here is a list of compliant & non-compliant antivirus, as compiled by the Google team that announced the Meltdown & Spectre kernel bugs:
        https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview

        See the below articles regarding the requisite registry key. If you are familiar with editing the Windows Registry, you can manually create the registry key yourself. If not, it is probably better to wait for your antivirus program update to carry out that task.

        https://support.microsoft.com/en-us/help/4072699
        https://support.microsoft.com/en-us/help/4056897

  6. chesscanoe said on January 4, 2018 at 11:46 am
    Reply

    Windows update shows nothing available for me with version 1709 (build 16299.125) and https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892 for example shows issues with that KB, and says fixes will be forthcoming. It appears appropriate and prudent to wait a while to install mature fixes when made available.

    1. chesscanoe said on January 4, 2018 at 2:23 pm
      Reply

      Of the two big problems, only one is fixable and the other cannot be fixed until new chips are available in the future. I assume this is a valid statement per
      https://www.nytimes.com/2018/01/03/business/computer-flaws.html

      1. chesscanoe said on January 4, 2018 at 8:11 pm
        Reply

        Only after updating my AVG Internet Security to its latest level would Windows 10 Windows Update offer a manual request to Update with KB2538242.

      2. chesscanoe said on January 4, 2018 at 9:22 pm
        Reply

        Correction: The Windows 10 FCU cumulative update for me was KB4056892, not KB2538242.

  7. Paul(us) said on January 4, 2018 at 11:58 am
    Reply

    Even more, a bit newer news the potentially catastrophic flaw in an entire generation of processors according to The verge this time by Russell Brandom:
    https://www.theverge.com/2018/1/3/16846840/intel-arm-processor-flaw-chipocalypse-windows-macos-linux

    The special for this subject created (devoted) website by the researchers:
    https://meltdownattack.com/

  8. cryohellinc said on January 4, 2018 at 12:05 pm
    Reply

    Thank you Martin.

  9. TelV said on January 4, 2018 at 12:46 pm
    Reply

    It appears there might be a problem with some AV and it may be necessary to create a REG_DWORD at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat

    I don’t have a QualityCompat key at that location and am wondering now whether to create one or not: https://support.microsoft.com/en-us/help/4056898/windows-81-update-kb4056898

    1. TelV said on January 4, 2018 at 1:21 pm
      Reply

      Well, I decided to create the registry key and then install the update. The system seems to be functioning as normal now, but I can’t say what would of happened if I hadn’t created the registry key and accompanying value.

    2. Leo said on January 4, 2018 at 1:41 pm
      Reply

      I guess we have to wait for AV companies to catch up. I use BitDefender free and the update doesn’t show up in my Windows 10. I am very reluctant to go and modify the registry for this particular patch, so I’ll just wait..

      1. TelV said on January 4, 2018 at 2:06 pm
        Reply

        @ Leo,

        Some criticism of Bitdefender’s mode of operation in this grc.com link: https://www.grc.com/fingerprints.htm

        Scroll down to the paragraph called “Machine-Resident Interception” about two thirds of the way down.

      2. ULBoom said on January 6, 2018 at 4:57 am
        Reply

        Turn off Scan SSL if hppts proxy is a concern, it’s off by default anyway. It’s in Features>Web Protection.

  10. TelV said on January 4, 2018 at 2:00 pm
    Reply

    Well, it looks like my Acer V3-772G isn’t affected: https://us.answers.acer.com/app/answers/detail/a_id/51890

    At the foot of the article in the following link you’ll find a support page to every PC manufacturer using Intel CPUs.
    https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

    1. @Dryden1 said on January 4, 2018 at 5:00 pm
      Reply

      This is a completely different vulnerability. Your Acer is affected by Meltdown and Spectre.

      1. TelV said on January 4, 2018 at 6:06 pm
        Reply

        Ah..yes, I see what you mean. Apologies for the confusion.

        Still, I hope the link to the other vulnerability might be useful to users who were unaware of that particular vulnerability.

  11. Tom Hawack said on January 4, 2018 at 3:21 pm
    Reply

    Quoting TheRegister.co.uk (https://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/):
    “Our advice is to sit tight, install OS and firmware security updates as soon as you can, don’t run untrusted code, and consider turning on site isolation in your browser (Chrome [https://twitter.com/hackerfantastic/status/948709444602515457], Firefox [https://www.ghacks.net/2017/11/22/how-to-enable-first-party-isolation-in-firefox/]) to thwart malicious webpages trying to leverage these design flaws to steal session cookies from the browser process.”

    So, besides installing the patches (I’ll wait for that) enabling a browser’s First Party Isolation may not be enough but is said to help.

    Firefox, pasting Pants’ Ghacks-User.js setting:

    // 2698a: enable First Party Isolation (FF51+) – [WARNING] May break cross-domain logins and site functionality until perfected
    user_pref(“privacy.firstparty.isolate”, true);

    This feature will break indeed the functionality of an extension such as ‘Cookie Autodelete’.

  12. Dave said on January 4, 2018 at 5:12 pm
    Reply

    I’m further distressed by the fact a patch wasn’t released until this knowledge became public and then was released in a matter of hours. Has anyone taken a closer look at these patches to see what they actually do?

    “The Meltdown flaw was discovered by Jann Horn, a security analyst at a Google-run security research group called Google Project Zero, last June.” (From the NY Times article)

  13. awd said on January 4, 2018 at 8:21 pm
    Reply

    the patches were coordinated to be released by next tuesday i believe. the register (and wherever they hoovered their info from) gathered the breadcrumbs and broke the news early, mucking up that timeline.

    it’s not like they’ve been sitting on patches for months waiting for nsa to grab all your data! the fact that ms won’t release the patches for machines with incompatible antivirus installed because they are scared it’ll bork the machines worldwide and there are still a/v out there that hasn’t released a patch tells you why these things takes time.

  14. opsec said on January 4, 2018 at 9:08 pm
    Reply

    For your browsers –

    Mitigation #meltdown #spectre

    Chrome/Chromium:
    chrome://flags/#enable-site-per-process
    Next to ‘Strict site isolation’, click Enable then relaunch browser.

    Firefox:
    about:config?filter=privacy.firstparty.isolate
    Double-click on privacy.firstparty.isolate to set the preference to true.

  15. PANAMAPATRICK said on January 4, 2018 at 10:39 pm
    Reply

    This site can’t be reached
    The webpage at https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4056897 might be temporarily down or it may have moved permanently to a new web address.
    ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

  16. seki said on January 5, 2018 at 3:14 am
    Reply

    Should I install the patch now or wait until 9th next week?

    It looks like some people are suggesting to wait it out a little as the current patches might cause some stability problems.

  17. asf said on January 5, 2018 at 7:49 am
    Reply
  18. ilev said on January 5, 2018 at 7:53 am
    Reply

    Windows Meltdown-Spectre patches: If you haven’t got them, blame your antivirus

    “To avoid causing widespread BSOD problems Microsoft opted to only push its January 3 security updates to devices running antivirus from firms that have confirmed their software is compatible.

    “If you have not been offered the security update, you may be running incompatible antivirus software and you should follow up with your software vendor,” the company explains.”

    http://www.zdnet.com/article/windows-meltdown-spectre-patches-if-you-havent-got-them-blame-your-antivirus/?loc=newsletter_large_thumb_featured&ftag=TRE-03-10aaa6b&bhid=20312173897669011625312597204853

  19. Stinch said on January 5, 2018 at 3:54 pm
    Reply

    I am trying to download the patch for version windows 10 version 1511 but it does not support windows 10 Pro. Does anyone know if there is a patch for windows 10 pro?

    1. AnorKnee Merce said on January 6, 2018 at 8:17 am
      Reply

      @ Stinch

      No.
      … Win 10 1507/RTM, Win XP and Win Vista are also EOL.

      Only Win 10 1511 Ent & Edu have extended support until April 2018 because M$ often accommodate the enterprises’ request, ie for more time to transition to Version 1703, since they are M$’s ca$h cow$ = they get the KPTI patch.
      … Edu students are one of M$’s bleeding-heart CSR(= corporate social responsibility) or PR(= public relations) projects.

  20. JoeG said on January 5, 2018 at 5:12 pm
    Reply

    Hello from Berlin,

    I manually downloaded kb4056894 and kb4056897 from the Windows catalog.

    After assuring I had the latest updates for my Norton Internet Security (v. 22.11.2.7) and Malwarebytes (Pro / latest version), I installed both M$ updates on three Win7Pro-SP1 x64 machines: two Lenovo ThinkStation S20s and a Lenovo X200s laptop.

    The only problem was on the laptop. I also have Sandboxie installed on it, and it was declared “incompatible”. However, there’s already a beta update on the Sandboxie forum and it fixed the issue.

    Thank God I haven’t noticed any system slowdowns or other problems yet.

  21. Karl Hungus said on January 6, 2018 at 3:03 am
    Reply

    Applying KB4056894 caused my AMD-based system to crash with BSOD.

    A quick Google search led me to the following:

    https://www.reddit.com/r/sysadmin/comments/7ode4s/problems_with_windows_7_quality_rollup_kb4056894/

    1. Vertical said on January 8, 2018 at 1:09 am
      Reply

      Yes, command line instructions that worked for me:

      DISM /image:X:\ /cleanup-image /revertpendingactions

      …as suggested in the reddit link.

      I was stuck on a black screen following restart (AMD 4650e, WIN 7 32-bit).

  22. Declan said on January 6, 2018 at 5:40 pm
    Reply

    Am I totally missing something but I think this is ‘much ado about nothing”.

    I know this affects every chip made in the past few years, but neither of these issues has been used in the wild. And the biggest threat seems to be the access to what’s sitting in memory, which is clean when you reboot. Unless you leave your computer on 24/7, and practice sloppy security, and are stupid and fall for fishing and bad website attacks, you’re not really affected. This is mostly a problem for large server farms and cloud services, and they will be the first to identify if they are really at risk and will apply whatever mitigation is best for them.

    Am I missing something?

  23. fsr said on January 6, 2018 at 11:08 pm
    Reply

    “Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time.”

    Industry Testing Shows Recently Released Security Updates Not Impacting Performance in Real-World Deployments – https://newsroom.intel.com/news-releases/industry-testing-shows-recently-released-security-updates-not-impacting-performance-real-world-deployments/

  24. Jack E. Alexander said on January 9, 2018 at 6:28 am
    Reply

    Have updates due to the buggy Creator’s Edition locked down in my w10 machine and this machine is w8.1 and I shall be avoiding this update until the dust dies down and we actually know what damage it’s going to do.

  25. Mat said on January 26, 2018 at 5:16 pm
    Reply

    Any thoughts on what to do about those (already installed) Windows Updates containing ‘bad’ Intel Patches?

    Each ‘Windows Update’ (including those containing ‘bad’ Intel ‘Patches’) typically cover numerous ‘windows fixes’ – some of which, I guess, need to be kept. Therefore, removing an ‘entire’ Windows Update – just to eject a ‘bad’ Intel Patch – may not be wise(?). Plus, unless ‘Automatic’ Windows Updates are ‘turned-off’, Windows will probably ‘compensate’ for any we manually removed ‘today’, by assuming (‘tomorrow’) that those Updates we’ve Removed, have simply ‘failed to Install’ (and automatically re-install them without our knowledge!)

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.