Microsoft releases out-of-band security updates to address Intel bug
Microsoft released out-of-band security updates for Windows yesterdays that address a recently revealed major security bug in Intel, AMD and ARM processors.
The updates are filed under the IDs KB4056888 , KB4056890. KB4056891, KB4056892, and KB405689. All updates share the following description:
Security updates to Internet Explorer, Microsoft Scripting Engine, Microsoft Edge, Windows Graphics, Windows Kernel, Windows Subsystem for Linux, and the Windows SMB Server.
The update is available only for Windows 10 and Windows Server 2016 at this point; updates for Windows 7 and Windows 8.1 will be released next Tuesday according to The Verge. The second Tuesday of the month is Microsoft's traditional Patch Tuesday. Microsoft releases security updates for all supported products on that day usually.
The updates rely on firmware updates from Intel, AMD, and other vendors, and some software programs, antivirus products, for instance, may need patching as well to address the changes made to Kernel-level access.
The patches may cause performance to drop on affected systems. While Intel Skylake and newer processor systems won't see a massive drop in performance, older Intel processors may see a significant drop in performance after application.
Intel confirmed that performance might be affected depending on the system's workload. Initial benchmarks suggest that performance may drop by up to 30% in certain workload situations.
AMD published a response on its corporate website indicating that AMD processors are affected only by one variant of the vulnerability and that the company expects a negligible performance impact
Google disclosed the vulnerability yesterday on the Project Zero blog. It seems likely that Microsoft's decision to release an out-of-band security update for Windows 10 was caused by Google's disclosure date.
It is unclear why Microsoft won't release updates for Windows 7 and Windows 8.1 as out-of-band security updates as well.
Update: Security updates for Windows 7 and Windows 8.1, and Server operating systems are available on the Microsoft Update Catalog website (thanks Woody).
Internet Explorer 11 patches are available on the Microsoft Update Catalog website as well.
Installing the update
Windows 10 users and admins can use Windows Updates to install the out-of-band security updates to affected machines running Windows 10.
- Tap on the Windows-key, type Windows Update and select the item from the list of results to open the Update & Security section of the Settings application.
- Click on "check for updates" to run a manual check for updates if the check does not happen automatically.
- Click download or wait for the download to complete automatically.
- Restart the computer system.
Follow the links below to the KnowledgeBase articles.
- Windows 10 version 1709: KB4056892
- Windows 10 version 1703: KB4056891
- Windows 10 version 1607: KB4056890
- Windows 10 version 1511: KB4056888
- Windows 10 version 1507: KB4056893
The following links point to the Microsoft Update Catalog website where updates can be downloaded manually:
- Windows 10 version 1709: KB4056892
- Windows 10 version 1703: KB4056891
- Windows 10 version 1607: KB4056890
- Windows 10 version 1511: KB4056888
- Windows 10 version 1507: KB4056893
Any thoughts on what to do about those (already installed) Windows Updates containing ‘bad’ Intel Patches?
Each ‘Windows Update’ (including those containing ‘bad’ Intel ‘Patches’) typically cover numerous ‘windows fixes’ – some of which, I guess, need to be kept. Therefore, removing an ‘entire’ Windows Update – just to eject a ‘bad’ Intel Patch – may not be wise(?). Plus, unless ‘Automatic’ Windows Updates are ‘turned-off’, Windows will probably ‘compensate’ for any we manually removed ‘today’, by assuming (‘tomorrow’) that those Updates we’ve Removed, have simply ‘failed to Install’ (and automatically re-install them without our knowledge!)
Have updates due to the buggy Creator’s Edition locked down in my w10 machine and this machine is w8.1 and I shall be avoiding this update until the dust dies down and we actually know what damage it’s going to do.
“Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time.”
Industry Testing Shows Recently Released Security Updates Not Impacting Performance in Real-World Deployments – https://newsroom.intel.com/news-releases/industry-testing-shows-recently-released-security-updates-not-impacting-performance-real-world-deployments/
Am I totally missing something but I think this is ‘much ado about nothing”.
I know this affects every chip made in the past few years, but neither of these issues has been used in the wild. And the biggest threat seems to be the access to what’s sitting in memory, which is clean when you reboot. Unless you leave your computer on 24/7, and practice sloppy security, and are stupid and fall for fishing and bad website attacks, you’re not really affected. This is mostly a problem for large server farms and cloud services, and they will be the first to identify if they are really at risk and will apply whatever mitigation is best for them.
Am I missing something?
Applying KB4056894 caused my AMD-based system to crash with BSOD.
A quick Google search led me to the following:
https://www.reddit.com/r/sysadmin/comments/7ode4s/problems_with_windows_7_quality_rollup_kb4056894/
Yes, command line instructions that worked for me:
DISM /image:X:\ /cleanup-image /revertpendingactions
…as suggested in the reddit link.
I was stuck on a black screen following restart (AMD 4650e, WIN 7 32-bit).
Hello from Berlin,
I manually downloaded kb4056894 and kb4056897 from the Windows catalog.
After assuring I had the latest updates for my Norton Internet Security (v. 22.11.2.7) and Malwarebytes (Pro / latest version), I installed both M$ updates on three Win7Pro-SP1 x64 machines: two Lenovo ThinkStation S20s and a Lenovo X200s laptop.
The only problem was on the laptop. I also have Sandboxie installed on it, and it was declared “incompatible”. However, there’s already a beta update on the Sandboxie forum and it fixed the issue.
Thank God I haven’t noticed any system slowdowns or other problems yet.
I am trying to download the patch for version windows 10 version 1511 but it does not support windows 10 Pro. Does anyone know if there is a patch for windows 10 pro?
@ Stinch
No.
… Win 10 1507/RTM, Win XP and Win Vista are also EOL.
Only Win 10 1511 Ent & Edu have extended support until April 2018 because M$ often accommodate the enterprises’ request, ie for more time to transition to Version 1703, since they are M$’s ca$h cow$ = they get the KPTI patch.
… Edu students are one of M$’s bleeding-heart CSR(= corporate social responsibility) or PR(= public relations) projects.
Windows Meltdown-Spectre patches: If you haven’t got them, blame your antivirus
“To avoid causing widespread BSOD problems Microsoft opted to only push its January 3 security updates to devices running antivirus from firms that have confirmed their software is compatible.
“If you have not been offered the security update, you may be running incompatible antivirus software and you should follow up with your software vendor,” the company explains.”
http://www.zdnet.com/article/windows-meltdown-spectre-patches-if-you-havent-got-them-blame-your-antivirus/?loc=newsletter_large_thumb_featured&ftag=TRE-03-10aaa6b&bhid=20312173897669011625312597204853
just use https://www.catalog.update.microsoft.com/Search.aspx?q=kb4056897
Should I install the patch now or wait until 9th next week?
It looks like some people are suggesting to wait it out a little as the current patches might cause some stability problems.
This site can’t be reached
The webpage at https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4056897 might be temporarily down or it may have moved permanently to a new web address.
ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY
For your browsers –
Mitigation #meltdown #spectre
Chrome/Chromium:
chrome://flags/#enable-site-per-process
Next to ‘Strict site isolation’, click Enable then relaunch browser.
Firefox:
about:config?filter=privacy.firstparty.isolate
Double-click on privacy.firstparty.isolate to set the preference to true.
See this for Firefox: https://www.ghacks.net/2017/11/22/how-to-enable-first-party-isolation-in-firefox/
See this for Chrome: https://www.ghacks.net/2017/12/08/how-to-enable-strict-site-isolation-mode-in-google-chrome/
the patches were coordinated to be released by next tuesday i believe. the register (and wherever they hoovered their info from) gathered the breadcrumbs and broke the news early, mucking up that timeline.
it’s not like they’ve been sitting on patches for months waiting for nsa to grab all your data! the fact that ms won’t release the patches for machines with incompatible antivirus installed because they are scared it’ll bork the machines worldwide and there are still a/v out there that hasn’t released a patch tells you why these things takes time.
I’m further distressed by the fact a patch wasn’t released until this knowledge became public and then was released in a matter of hours. Has anyone taken a closer look at these patches to see what they actually do?
“The Meltdown flaw was discovered by Jann Horn, a security analyst at a Google-run security research group called Google Project Zero, last June.” (From the NY Times article)
Here’s what the Windows patch does: https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/
Quoting TheRegister.co.uk (https://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/):
“Our advice is to sit tight, install OS and firmware security updates as soon as you can, don’t run untrusted code, and consider turning on site isolation in your browser (Chrome [https://twitter.com/hackerfantastic/status/948709444602515457], Firefox [https://www.ghacks.net/2017/11/22/how-to-enable-first-party-isolation-in-firefox/]) to thwart malicious webpages trying to leverage these design flaws to steal session cookies from the browser process.”
So, besides installing the patches (I’ll wait for that) enabling a browser’s First Party Isolation may not be enough but is said to help.
Firefox, pasting Pants’ Ghacks-User.js setting:
// 2698a: enable First Party Isolation (FF51+) – [WARNING] May break cross-domain logins and site functionality until perfected
user_pref(“privacy.firstparty.isolate”, true);
This feature will break indeed the functionality of an extension such as ‘Cookie Autodelete’.
Well, it looks like my Acer V3-772G isn’t affected: https://us.answers.acer.com/app/answers/detail/a_id/51890
At the foot of the article in the following link you’ll find a support page to every PC manufacturer using Intel CPUs.
https://www.intel.com/content/www/us/en/support/articles/000025619/software.html
This is a completely different vulnerability. Your Acer is affected by Meltdown and Spectre.
Ah..yes, I see what you mean. Apologies for the confusion.
Still, I hope the link to the other vulnerability might be useful to users who were unaware of that particular vulnerability.
It appears there might be a problem with some AV and it may be necessary to create a REG_DWORD at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
I don’t have a QualityCompat key at that location and am wondering now whether to create one or not: https://support.microsoft.com/en-us/help/4056898/windows-81-update-kb4056898
I guess we have to wait for AV companies to catch up. I use BitDefender free and the update doesn’t show up in my Windows 10. I am very reluctant to go and modify the registry for this particular patch, so I’ll just wait..
@ Leo,
Some criticism of Bitdefender’s mode of operation in this grc.com link: https://www.grc.com/fingerprints.htm
Scroll down to the paragraph called “Machine-Resident Interception” about two thirds of the way down.
Turn off Scan SSL if hppts proxy is a concern, it’s off by default anyway. It’s in Features>Web Protection.
Well, I decided to create the registry key and then install the update. The system seems to be functioning as normal now, but I can’t say what would of happened if I hadn’t created the registry key and accompanying value.
Thank you Martin.
Even more, a bit newer news the potentially catastrophic flaw in an entire generation of processors according to The verge this time by Russell Brandom:
https://www.theverge.com/2018/1/3/16846840/intel-arm-processor-flaw-chipocalypse-windows-macos-linux
The special for this subject created (devoted) website by the researchers:
https://meltdownattack.com/
Windows update shows nothing available for me with version 1709 (build 16299.125) and https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892 for example shows issues with that KB, and says fixes will be forthcoming. It appears appropriate and prudent to wait a while to install mature fixes when made available.
Of the two big problems, only one is fixable and the other cannot be fixed until new chips are available in the future. I assume this is a valid statement per
https://www.nytimes.com/2018/01/03/business/computer-flaws.html
Only after updating my AVG Internet Security to its latest level would Windows 10 Windows Update offer a manual request to Update with KB2538242.
Correction: The Windows 10 FCU cumulative update for me was KB4056892, not KB2538242.
Looks like only Windows Embedded Standard 7 has the security patch as the normal Windows 7 (both 32 and 64 bits) are not available from the catalogue.
Are they rolling out the rest of the patches by end of today?
You need to go to the second page on the Update Catalog website to see the other patches.
Oh my bad, I’m blind.
I must be too, I can’t find it either.
Maybe, it would be more helpful to supply the correct links to the websites in question.
I find Martin’s insights very interesting, but I spend too much time looking for the right information and then I’m not sure if I have the right download.
It’s not a criticism, just asking for a little more help.
Thank you.
Hi.
I found the link to the Microsoft update catalogue…Sorry guys !!
As I use windows 7, 64 bit do I download both of the updates because they both have the same KB number ?
Or only the 2018-01 Security Only Quality Update for Windows 7 for x64-based Systems (KB4056897) @ 66.9MB ?
Thank you.
@ beatbox: “As I use windows 7, 64 bit do I download both of the updates because they both have the same KB number ?”
Microsoft’s KB labelling system is such that all patches addressing the SAME issue wrt Win 7 x32/64 & Win Server 2008 R2 have the same KB label.
Since your OS is Win 7 x64, you only need to install the x64 version (66.9 MB) of KB 4056897 (Meltdown kernel bug patch for Win OS).
That being said, you might wish to wait a while before installing the patch, & check if other users have experienced problems with the patch.
IMPORTANT: You first need to check that your installed antivirus program (if any) is compatible with the KB 4056897 patch. A certain registry key needs to exist, or else the installed KB patch will cause your PC to go into a bluescreen loop upon the next boot, such that your PC won’t be able to boot into the Windows environment.
If your installed antivirus is MS Windows Defender or MS Security Essentials with their latest updates, they are compatible with KB 4056897.
In contrast, numerous 3rd-party antivirus are currently not compatible with KB 4056897. Check with your antivirus vendor to see if their latest or upcoming program update supports KB 4056897 & would thus set the required registry key. If yes, install the antivirus program update BEFORE installing KB 4056897.
Here is a list of compliant & non-compliant antivirus, as compiled by the Google team that announced the Meltdown & Spectre kernel bugs:
https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview
See the below articles regarding the requisite registry key. If you are familiar with editing the Windows Registry, you can manually create the registry key yourself. If not, it is probably better to wait for your antivirus program update to carry out that task.
https://support.microsoft.com/en-us/help/4072699
https://support.microsoft.com/en-us/help/4056897
Windows 7 KB4056897 Direct Download Links:
64-bit (x64) : http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4056897
32-bit (x86) : http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4056897
Thanks Tom.
So, I download the 64 bit at 66.9MB ?
Cheers.
That should be it, beatbox, for Windows 7 64-BIT of course.
2018-01 Security Only Quality Update for Windows 7 for x64-based Systems (KB4056897)
windows6.1-kb4056897-x64_…..msu weighing 66.9MB
I know, it’s not obvious to find. I wonder why they can’t make it a direct link to that .msu file, but that’s Microsoft’s policy : you have to go and get it…
Thank you very much for the excellent sum-up and clear download links !
Reuters reports that Intel denies it will bog down affected computers,
https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO
PS Windows Update Catalog has patches for Windows 8
Well, I wouldn’t trust Intel. They’ve done a lot of shady things in the past. We have to understand that they are trying to stop the snowball which is getting bigger and bigger and it hurts them a lot so it’s in their interest even to lie about that.
you shouldn’t be surprised about this about Intel, they are designed and manufactured by Israel, I am surprised no one talks about this fact…
No, this is true. It does not affect performance especially for user machines.
There are multiple benchmarks on this matter. It is safe to install, besides Security trumps performance.
https://www.techspot.com/article/1554-meltdown-flaw-cpu-performance-windows/
@ Jacob
Security updates can bork or brick your programs or computer, especially Win 10’s forced updates/upgrades.
… Like they say, “Do not fix what ain’t broken”.
Latest news on the issue is at arstechnicadotcom.
… Seems, the Intel microcode or firmware update to fix the Spectre bug can break your programs and OS if they have not been correspondingly patched.
… Some AV programs for Windows are not compatible with the KPTI patch for the Meltdown bug.
In this case, it’s better to wait for the dust to settle before applying the updates/patches. Nobody wants to end up with a non-performing computer just for security sake.
Security does not always trump performance. There can be many mitigating actions that one can take, that….when held at arms length….alongside the security issues, can sometimes lead to the conclusion that the reverse of your statement may be true.
For example, I would not wish to suffer a significant slowdown (in this example), for a theoretical issue that might never bite. And if it did bite, I might consider that I had my bases covered.
Each of us have their own perspective of risk and mitigation of risk. And often risks are hyped for all sorts of reasons, though I’m not suggesting that that is the case here, with this issue.
I had and have exactly the same approach to these unexpected out-of-band security updates but wouldn’t have found the words and the tactful way of using them to express it any better.
Wait and see how all this deploys but between an alarm and hysteria the line is often thin. Moreover this affair is too full of approximations and incertitude. I won’t install an update which concerns the very Kernel on this basis, certainly not. Not at this time.
>It is unclear why Microsoft won’t release updates for Windows 7 and Windows 8.1 as out-of-band security updates as well.
Is it too far fetched to assume that they want to push users towards using Win 10?
They obviously have something to gain from users switching, otherwise there wouldn’t have been this malware autoinstall debacle and the free upgrade, after decades of the OS costing money.
Just received word that security updates for W7 and W8.1 are available on Update Catalog, but not Windows Update.
No Windows 7, 8.1 update on Update Catalog. Just checked.
They are on the second page, you need to click on “next”.
Thanks!
I hope someone tests these and does benchmarks.
There are 2 bugs reported, Meltdown which is the big one and affects only Intel CPUs and ARM, if I remember right, but not AMD, and there is another bug called Spectre which isn’t a big one and can’t really be patched which affects all CPUs, expect on AMD only a part of it. The update MS released is for Meltdown. My only curiosity about this patch is if it applies to AMD processors too, which aren’t affected by the bug and wouldn’t be fair to lower their performance.
@ Hop Tzop
For Linux kernels, the KPTI patch for the Meltdown bug only applies to computers with Intel processors, ie does not apply to AMD processors. Do not know about Windows.
AFAIK, the CPU Spectre bug allows hackers to use programs, eg browser Javascript, to read kernel memory dumps that were in RAM = may read passwords, encryption keys, usernames, credit card data, bank account data, etc. With such information at hand, the hackers will be able to do further exploits.
… Seems, the Spectre bug can only be patched on the software/program side, eg Mozilla has just released an initial patch for Spectre for FF 57.
… Computer users will have to rely on their OS and/or Anti-Virus program to detect a program/app-based Spectre attack and then respond accordingly, eg by uninstalling the vulnerable program/app or not visiting the vulnerable website.
AMD is affected as well according to CERT: https://www.kb.cert.org/vuls/id/584653
That page mentioned both Meltdown and Spectre. It doesn’t specifically says that AMD is affected by Meltdown.