Microsoft halts security updates for select AMD devices
Microsoft released an out-of-band security update for Windows on January 4, 2018, to fix vulnerabilities known as Spectre and Meltdown.
It turned out that the update caused a Blue Screen of Death on Windows 7 machines running specific AMD hardware. Affected PCs would not boot anymore, and even Safe Mode was not accessible. We published a workaround to regain access to affected devices (by removing the update using the repair console).
Microsoft published KB4073707 today which confirms the issue. The company notes:
Microsoft has reports of customers with some AMD devices getting into an unbootable state after installing recent Windows operating system security updates.
The investigation revealed that affected AMD chipsets did not "conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown".
As a consequence, Microsoft halted update delivery for affected AMD processors while it works with AMD on a patch for affected devices that resolves the issue without putting devices into a boot loop.
Microsoft is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices via Windows Update and WSUS as soon as possible.
The company added a new "known issue" to each of the patches that informs customers of this. The following Windows updates are blocked for affected AMD devices:
- KB4056897 (Security-only update)
- KB4056894 (Monthly Rollup)
- KB4056888 (OS Build 10586.1356)
- KB4056892 (OS Build 16299.192)
- KB4056891 (OS Build 15063.850)
- KB4056890 (OS Build 14393.2007)
- KB4056898 (Security-only update)
- KB4056893 (OS Build 10240.17735)
- KB4056895 (Monthly Rollup)
The support article links to guides for Windows 7, Windows 8 and Windows 10 to resolve blue screen errors on the systems. The guides are generic and don't address the issue at hand specifically.
It is interesting to note, however, that all supported versions of Windows are affected and not Windows 7 exclusively.
Microsoft identified incompatibilities with a small number of antivirus programs as well. Incompatible products may cause blue screen errors on patched systems, and Microsoft paused update delivery for systems with incompatible antivirus solutions.
Windows PCs with affected AMD processors will remain unpatched until Microsoft releases a working patch for these devices. It will be interesting to see how Microsoft handles today's Patch Day considering that updates are cumulative in nature.
Tip: You can find out if your PC is affected by Meltdown/Spectre
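As an added check (not from the article, Microsoft or AMD), the following PowerShell script audits a host against the state described above: the CPU vendor, which of the nine listed updates are installed, whether the antivirus compatibility flag that gates delivery of these updates is present, and whether the kernel mitigations have been switched off. The two registry paths and the flag value are assumed from Microsoft's published guidance and are not on this page; run it from an elevated prompt.

```powershell
# Added example: audit a Windows host for the January 2018 Meltdown/Spectre update state.
# The KB list is the one quoted in the article; the registry paths/values below are
# assumptions taken from Microsoft's compatibility and mitigation guidance.

$BlockedKBs = @(
    'KB4056897', 'KB4056894', 'KB4056888', 'KB4056892', 'KB4056891',
    'KB4056890', 'KB4056898', 'KB4056893', 'KB4056895'
)

function Get-MeltdownPatchState {
    [CmdletBinding()]
    param([string[]]$KBs = $BlockedKBs)

    # 1. CPU vendor: the delivery pause in the article applies to AMD parts only.
    $cpu   = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $isAmd = $cpu.Manufacturer -eq 'AuthenticAMD'

    # 2. Which of the listed updates are actually installed on this machine.
    $installed = Get-HotFix |
        Where-Object { $KBs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # 3. Antivirus compatibility flag (assumed key/value): Windows Update only offers
    #    the January 2018 updates when the AV vendor or an admin has set it to 0.
    $compatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $compatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $avFlagSet   = $false
    if (Test-Path $compatKey) {
        $props     = Get-ItemProperty -Path $compatKey
        $avFlagSet = ($null -ne $props.$compatValue) -and ($props.$compatValue -eq 0)
    }

    # 4. Whether the kernel mitigations were disabled through the documented
    #    FeatureSettingsOverride values (assumed names); 3 with mask 3 turns both off.
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $mm    = Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue
    $mitigationsDisabled = ($mm.FeatureSettingsOverride -eq 3) -and
                           ($mm.FeatureSettingsOverrideMask -eq 3)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Processor           = $cpu.Name
        IsAmd               = $isAmd
        OS                  = "$($os.Caption) build $($os.BuildNumber)"
        InstalledJan2018KBs = @($installed)
        AvCompatFlagSet     = $avFlagSet
        MitigationsDisabled = $mitigationsDisabled
    }
}

$state = Get-MeltdownPatchState
$state | Format-List

if ($state.IsAmd -and $state.InstalledJan2018KBs.Count -gt 0) {
    # Same exposure the article describes: AMD hardware with one of the updates applied.
    $msg = 'AMD system with {0} installed: take a known-good image or VM snapshot before the next reboot.' -f
           ($state.InstalledJan2018KBs -join ', ')
    Write-Warning $msg
}
elseif (-not $state.AvCompatFlagSet) {
    Write-Warning 'QualityCompat flag absent: Windows Update will not offer the January 2018 updates to this host.'
}
```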
Hah, the usual bungling from Microsoft then…
Wouldn’t testing have identified this seemingly obvious issue to a billion dollar privacy abuser?
it is tested, by millions of AMD users @ home :P
Unfortunately, Ann speaks the truth. Microsoft doesn’t care about consumers at all, other than to get free QA testing done, so they can have rock solid patches available for Enterprise customers that pay the big bucks.
>all supported versions of Windows are affected and not Windows 7
Of course, everything since Vista is NT6. It’s the same OS with just more cr.p added on top of it.
Surely these “rushed to market” patches need to be treated with quite a bit of caution. A little bit of wait and see? The risk is highly theoretical, and I personally would not be happy with a slowing down my CPU or processing. But more than anything else, it would appear that these patches are little without a firmware upgrade, and even for experienced users, updating bios can be somewhat nerve-wracking.
For me, I will wait and watch, and see how things pan out, and continue wise computing practices, backups, clones and use of virtual machine.
Don’t forget that the world loves a good scare story, and we sometimes have to dig a little deeper to see what’s really going on. As ever, each follows their own best practices, based on expectation or possibility of risk.
While I agree with the overall sentiment of your (Sophie’s) post, there should be no question that Meltdown is serious. So much so that to refer to it as catastrophic is not to peddle hyperbole. The threat model encompasses countless systems and applications and I can assure you that it is not merely theoretical in nature. Indeed, functional proofs-of-concept were circulating within days of the embargo being broken.
The notion that Meltdown cannot be mitigated without firmware updates is a falsehood which desperately needs to be quashed (Spectre is a different matter). The mitigation of Meltdown entails that the operating system’s kernel be modified to enforce isolation of the page tables between kernel and user space. Yes, this results in a performance loss but there simply isn’t any other way to handle it, short of CPU replacement. The extent of this loss really depends on the workload. Applications that make heavy use of syscalls are among the most affected – databases, for example. Those who are using Intel Haswell or greater will be less affected because PCID support is ubiquitous in that case; it reduces the rate of TLB flushing that is otherwise required.
Anyway, page table isolation has been introduced in macOS 10.13.2, Windows 10 16299.192 and Linux 4.14.11, 4.9.75 and 4.4.110. In general, Linux users don’t build their own vanilla kernels and will need to check with their distro maintainers or vendors. Those that have a legitimate concern over the performance impact have the option of booting Windows with a registry key to disable the mitigation and the Linux kernel can be booted with “pti=off” as an option. Thus, one can update and systematically test for – and benchmark – any potential performance regressions.
In closing, the way in which this situation has been handled is very bad, for a variety of reasons I won’t go into here. The net result is that Microsoft and Linux developers are rushing patches into ostensibly stable releases with insufficient QA, as this very article touches upon. Indeed, the recent round of ‘stable’ Linux kernels were botched, with “urgent bug fixes” continuing to roll in as I write this. For what it’s worth, Apple seem to have gotten through this relatively unscathed. Despite the severity of this issue, I must concur that users approach these updates with caution until the dust settles. I only wish that I could say otherwise.
I’ve stopped “updating” Windows 7 long ago. Against all advice and through no particular decision of mine. Just extreme fatigue of reading a zillion posts and how-to’s such as this one, and postponing the “right” decision that the updating gurus recommend. The result is I’m immune from all those problems. Also, I have backups. Okay, my computer is slow. But it has been slow ever since I installed the first “updates” years ago, right after my first original Windows install, way back when Windows “updating” was still a (relatively) trouble-free affair.
I have Windows 7 running in a Virtual Machine with absolutely NO updates whatsoever. Just the 2009 retail box CD, 32-bit... job done.
It’s run in that VM since April 2017, and runs flawlessly. I have many other aspects of security running inside the VM, which should do well to protect against issues, not to mention rolling back the VM to any point back, up to 9 months, since inception.
And because Win7 in that VM has no added bloat... it’s running very nicely indeed.
Ha ?… How much memory do you have ? What VM are you using ? This is beginning to look interesting…
16GB only (wish I had built it with 32), Oracle VM. Win 10 1607 as the host OS, Win7 in the VM. All updates blocked and refused on Win 10 since April 2017, pristine 2009 version of Win7.
Runs sweet as cherry pie!
So you do need a lot of memory. How difficult is it to master the concept of working under a VM ? I have installed Oracle VM, but never got past the first tinkering. Also, if you wanted to run W7 upon W7, you’d need to buy a second licence, right ?
Yes, you would need a second licence. My ‘spare’ Win7 licence came about by having been on a now-long-retired laptop, and never having been used more than once. Once inside the VM, it allowed me to register it with no issues.
I would say that using the VM is not hard, and everything with Oracle was intuitive....a dream in fact, and very easy to create snapshots that really do “restore”, unlike Windows, where so often I have had System Restores fail on me. I’m left with around 8GB once a ton of stuff has loaded, including the VM, and I think it’s quite conservative, so I feel sure you could run it with a lot less than 16GB. Absolutely no reason why you could not have Win7-upon-Win7, and you get to run VPN within VPN too, which works incredibly well.
Thank you, most illuminating. Apart from the presumed snappiness of an unpatched Windows, what is the logic of going VM ? The ease of restoring if malware does get through an exploit ? And is it easier than restoring from a classical image, made with Macrium Reflect for instance ? Indeed, is it possible to have a configuration such as yours, and backup regularly + restore if needed with a program such as Macrium ?
VM certainly offers a great environment for testing, and for isolating your main host install. If you don’t accept feature updates (I simply can’t take the risk that Microsoft won’t botch my PC), and are often not up to date with security patches in isolation, it at least offers some comfort that you are utilising a virtualised environment that can easily roll back to many points in time. Much easier, IMO that restoring an image made with, say, Macrium. Actually, Macrium is my preferred imaging tool, and whenever I have had to restore, it has worked flawlessly – though nowhere near as quick and easy as going back to a VM snapshot.
> Indeed, is it possible to have a configuration such as yours, and backup regularly + restore if needed with a program such as Macrium ?
Yes, Macrium does this job nicely! : Windows install is on an SSD, Oracle VM files are on a separate spinning disk, and both are cloned with Macrium independently, on different external HDDs.
If you can install a VM, even if initially just for fun and curiosity, you may well find as I did, that it becomes a big part of your setup.
Thanks a lot. VM always seemed like black magic to me, but I come across more and more people talking about it, and you certainly make it seem like it’s a piece of cake.
It is also possible to use a Macrium Reflect Image to create a VM.
You can find an article on the Macrium Knowledgebase about the procedure.
I have tried this myself and it works for single OS setups.
I haven’t been able to figure out how to make multi-boot OS setups work.
I certainly found it logical, and straightforward. The only issue I had is understanding that in Oracle’s case, you are recommended to add something called Guest Additions, which if I remember, was an ISO you could mount. I did have a couple of little teething problems, but it just seemed to all settle down quite quickly. I keep about 8 to 10 “snapshots”, going back in time, but with Macrium, I could in theory go right back to 9 months or so before, so if anything odd happened, or something became damaged, I can restore right back to the beginning.
Give it a try! It really works well. Because of the potentially fickle nature of an environment like that, I personally decided to stop updates to Oracle VM once it had settled down. I figured that if it works....don’t fix what ain’t broke, so I have disallowed updates in order to not introduce any new elements that could cause instability.
Good luck with it.
Also, I understand that if I had updated and been affected by the “bug” (I do have an AMD processor), the only solution for me would have been either to restore a previous image, or to reinstall from scratch. I have read the (convoluted) workaround provided on your previous article, but how can you take note of the workaround with an unbootable computer ? It appears you now need a spare computer just in case. Or “device”, as lingo has it. I don’t. I belong to that odd class of people who don’t have two hammers for hammering, two washing-machines to wash their clothes in case one breaks down, etc.
This (BSOD) is what can happen if we blindly follow Microsoft’s rushed patches. Even if they are not rushed….they are often very flawed. Actually, I can hardly believe what MS is pushing out through their update chute these days…..
A BSOD is disconcerting at any point, because they can be very hard to pin down. If you have an update patching something at an elemental level, a low-level…….and then get a BSOD that won’t even allow Safe Mode, that would be a pretty nasty place to be, especially with an important PC that you’ve spent a lot of time on.
This problem would seem to be related to the registry key for certain AV not being set properly as described in https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software
I did that manually myself when the issue first arose even though I don’t have an AMD system (better be safe than sorry). But non-techies aren’t going to be happy rummaging around in the Windows registry.
It does seem a bit mad that something as simple as a missing REG key could cause a BSOD. That seems to me very little reason for what is a quite significant crash. But yes, I too keep hearing about that key, and needing to create it. Personally, I don’t use an AV. Not only do they track and follow, report back, and are generally a privacy violator – but they are often a resource-hog, and becoming (in my view) more obsolete as time goes by. But people feel comfortable with one, and I would not knock that.
TelV: “This problem would seem to be related to the registry key for certain AV not being set properly”
There are reports of AMD & even Intel CPU users who encountered BSOD, despite having the compliant registry key already correctly set before they installed the KB patch. See bottom of some sample feedback.
Based on cursory observation of affected users who did indicate the exact model & generation of their CPUs, it appears that it is those with older (typically end-of-support) AMD & Intel CPUs users who got hit by BSOD.
One possible reason why there are more AMD CPU users affected — as of now, before Official Patch Tuesday rolls out — could be that such users tend to keep their AMD machines for much longer. Reason being that I came across quite a number of AMD users who declared that they love their AMD machine. (Yes, the word that they used was “love”.) I found these love declarations for AMD quite memorable because in contrast, I have not heard of any Intel users announcing that they love their Intel machine.
* AMD CPU + MS Security Essentials:
* Intel CPU + AVG Antivirus:
* Intel CPU + 3rd-party Antivirus — see post by Wayne Hartell ( 05 Jan 2018, 3:40 AM):
“Once bitten – twice shy”
If you’ve ever been forced to take a detour through a place I call “Update Hell”, you learn to be very careful about applying updates.
Still running Windows 7 64-bit on an AMD Athlon dual-core machine, I usually wait at least two weeks before installing the monthly updates – and I’ve learned that at times like this, with all sorts of “End-of-the World” hysteria regarding yet another security flaw, it’s even more important to be a bit patient and prudent.
Having read the horror stories about people’s systems being bricked by this so-called “Fix” – when it appeared in my update queue, I immediately chose to hide the update and just wait until the smoke clears.
Oddly enough – this morning, when I go into my “Restore Hidden Updates” area (of which there are many) – the offending patch is no longer there and not available to restore.
Eventually, cooler heads will prevail and someone will discover the proper method to plug this security hole which does not include having to throw one’s computer into the trash.
In my case, windows 10, phenom x4 955, eset internet security, no problem.
Greets from Japan.
I have 2 Windows 7 Japanese PCs: one an HP with an AMD processor – and a Dell with Intel. This evening, my wife inadvertently shutdown the HP before I could disable auto update. Got the blue screen of death and other booting problems. Rebooted a couple of times and the PC is now working. Is the computer going to be OK now? Anything you would advise doing? A computer dummy in Japan. Thanks in advance.
“AMD chipsets did not conform to the documentation”
Ah, AMD lying about their cpu’s, again……
Microsoft determined that AMD chipsets did not “conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown”.
The out of band patches only addressed Meltdown (not Spectre at all ) and AMD made it clear that AMD processors are not affected by this vulnerability. Microsoft sent out these patches to AMD systems anyway. The official statement is a bit rich.
I see that Microsoft now says that they are working closely with AMD. Maybe it is the corporate lawyers they are working closely with and not the AMD engineers. AMD have nothing to offer in reference to the bricked systems as it is Windows that needs repair. Even if the Microsoft referenced workaround is capable of getting Windows to boot on these systems, it does not mean that the changes to the kernel has been completely backed out. Kernel updates are not easy to undo.
Patch Tuesday, WTF Wednesday. (MS should have stuck to the schedule).
No, it’s not Microsoft’s fault, it’s AMD’s fault as they *originally* didn’t deny that their PSP was affected by Meltdown:
But they retracted it:
(see the update to the article)
So they should’ve provided MS with the right information in the first place instead of not confirming Google’s security notice, leading MS to think that there was something wrong…
Looks like AV needs disabled BEFORE updating.
“There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes. To be honest, some of the techniques are similar to ones used by rootkits — Kernel Patch Protection was introduced by Microsoft a decade ago to combat rootkits, in fact. Because some anti-virus vendors are using very questionable techniques they end up cause systems to ‘blue screen of death’ — aka get into reboot loops.”
Note to self, read all comments before posting.
Correction, AV MAY need disabled. Read the article, it looks like those running windows defender where not affected?!?
There is a difference between a glass half empty mentality compared to a conspiracy theorist. IMO, I would NOT put it past Microsoft to knowingly send / install this update, leading to BSOD. I presume, based on what I have read, the update affects Win7 primarily.
So the sheep…(which is probably 80% of Microsoft user-base) believing they have a fatal virus, and thinking their machine now is a paperweight…have perhaps already purchased a new laptop…with guess……….Win 10 on it.
“So the sheep… (which is probably 80% of Microsoft user-base) believing they have a fatal virus, and thinking their machine now is a paperweight… have perhaps already purchased a new laptop… with guess… Win 10 on it.”
Except this buggy patch affected Windows 10 as well.
@ Anonymous, who said, “Except this buggy patch affected Windows 10 as well.”
No difference, the sheep will still have to purchase a new computer likely with Win 10 on it = more profit$ for M$.
Yaaaawn, as if this one is a Security Problem.
When i choose Windows 10 Clocks App, it shows mee Geolocation or even use Encrypted Google as a Searchmachine, it says mee location due tu IP.
So what is the Matter about that Mediaroundabouts,eh?
It means NOTHING, cos u always be followed, even if u protect ur System with all possible Matter.
Ur Provider knows, where u have been and where u are, so what?
Thee only Thing to be invisible is no use of an Internetconnection, which is ridiculous.
Todays Updates on a running Win10 Machine is more of a Pokergame, cos if u do so, u see,ohh, damn Bugs.
I avoided thee last updates, cos it made mee System not shutting down, instead it does a Reboot.
Come on, be calm and do urself a favour, do NOT believe thee Media today as usual.
Press F to pay respect for microsoft customers, I mean betatesters, I hope they get free and fast response from said company.
P.S. There is a reason, why in theory you should wait a little bit before actually updating anything. Today complexity of anything is huge, there are regressions here and there, bsods, software conflicts, relaxed testing etc.
Also, I think it is different issue, unrelated to AV bsods (which I had, btw, had to update avast from 2011 that was… well less taxing than newer versions).
1.1. Keep your OS/programs up to date (if possible, I know today’s trend is to degenerate software with patches, so be wise on what you don’t update, or read changelogs)
1.2. In preW10 you can wait before updating, or even skip rogue patch
1.3. In W10 you can postpone updates in various ways, but not skip
2. Use adblocker, disable or remove flash/java
3. Do not install software you don’t trust, use virustotal to check it.
As usual, to protect urself against any following in social media platforms it is necessary to use a Synonym, aka Fake Accounts.
Well, even Bookwriters did that, as usual.
Thee People, who do their own real Names in such Media are in my Mind NAIVES.
Due to all Respect, this Site can and shall read Real Name, but in other Media Sites, this is dumb.
For Example, i did an Email Adress in AOL, and they didn’t want to know mee Name either.
Web.de and Consortes wanted to know all, Adress and so on, so?
People in general are naive, they think, that it is all ok if they do so, then they wonder, what Ads are coming to their Account or even their Home Adress, looking into their Postoffice.
So whatta say, u perhaps know the Name of thee Finder of Unsigned Letters?
His Name is ARNO NYM,GG.
Greets, InGSoC ^^
According to this link … https://www.suse.com/support/kb/doc/?id=7022512 , SUSE Enterprise OS has already received both the KPTI(= Meltdown) and firmware/microcode patches as Linux kernel updates on 4 Jan 2018, ie patching the CVE-2017-5754(= Meltdown) and CVE-2017-5715(= Spectre 2) bugs.
(Enterprise customers are VIPs)
The CVE-2017-5753(= Spectre 1) bug is patched on the software/app side, eg patched by the Mozilla Firefox, Google Chrome and M$ Edge browsers.
In comparison, the recent Windows patch seems to have 2 components, the 1st is to mitigate against the Meltdown(= CVE-2017-5754) bug and the 2nd is to make the OS compatible with the coming firmware/microcode patch against Spectre 2(= CVE-2017-5715) from the OEMs, as per this link …
No Rollup with Win7 and AMD Ax )-: but i get on 1:
Microsoft .NET Framework 4.7.1 für Windows 7 und Windows Server 2008 R2 für x64
with 2 different KB, KB4033342 and KB4054852 -1 file/update, 2 KBs.
KB4054852 in Program/installedupdates, KB4033342 in Windowsupdate/installed
Why this difference?
There are a lot of bugs patched in January 2018, in kernel too.
Is this a problem, Windows on AMD gets no update?
Why i get
Microsoft .NET Framework 4.7.1 für Windows 7 und Windows Server 2008 R2 für x64
as KB4033342&KB4054852(??) on W7/AMD
KB4055269 — Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2
April 2010 Installed Windows 7 Ultimate. NO UPDATES allowed since. No problems ever. Do not use IE which is why most updates are needed. Intel cpu. Replaced fans a few times but nothing else. I use Macrium and have 2 back-ups always ready. I built my computer with Asus M/B (#1 to me) 8 gigs of ram & currently 5 internal drives.
My boot drive is only the operating system. All files, downloads etc all saved on other drives. No seagate only Toshiba 7200rpm drives although my current boot drive is an old WD 500 gig. (WD black or red are good not blue or green IMHO).
I use VirtualBox to play with Win10, Linux etc so I can help friends when they have problems. I re-create their problems to see what happens. The beauty of VirtualBox is when there is a problem close the problem image and start again. No re-booting of computer just the image. Same if you have a Macrium backup if you get a bad virus or ransomware etc just Restore from a GOOD image. 30 minutes and back to normal.
“Do not use IE which is why most updates are needed.”
According to Ask Woody (one of the few gurus on Windows updates), you need to update IE even if you don’t use it as a browser. It’s a deep part of the operating system, and used by Windows even if not launched by the user to browse the Web.
I thought Microsoft halted the trouble-plagued update on 1/9? I restored my HP with Windows 7 / AMD Athlon 2 to Jan. 7th, did a hard re-boot and the PC now works again, but during the night KB4056894 once again auto downloaded into my machine along with NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1. The PC is still working, but I’m afraid to shut it down fearing the same trouble e.g. blue screen and no connection to internet network.