Windows patches for Total Meltdown, bluescreens, an IP stopper — and little documentation

Credit to Author: Woody Leonhard | Date: Mon, 02 Apr 2018 07:33:00 -0700

As many of us were getting ready for the holiday weekend, after the surprise announcement about Windows being torn into three pieces, Microsoft shoveled yet another load of patches out the Automatic Update chute. Think of it as the software equivalent of a Friday night news dump.

KB 4100480 kicked off the two days of patching purgatory with a Windows 7/Server 2008 R2 kernel update for CVE-2018-1038, the “Total Meltdown” bug Microsoft introduced in Win7 back in January. Total Meltdown, you may recall, is a huge security hole introduced by all of these Microsoft security patches:

If you installed any of those 11 patches on your Intel 64-bit Windows 7/Server 2008 R2 computer, you opened up a gaping hole known as “Total Meltdown,” or CVE-2018-1038, that allows any program running on your computer to run in kernel mode. Yes, any program that’s running can read or write into any part of memory.

Microsoft infected all of those machines to defend against the professionally marketed Meltdown/Spectre vulnerability, which has never, ever been seen in the wild. Kevin Beaumont (@GossiTheDog on Twitter) said it best:

The amazing thing is Meltdown is academic research, which is realistically very difficult to do at scale (ie nobody has managed it) whereas this introduced issue is trivial to exploit — even I can do. And I’m thick.

Vess Bontchev goes on to say:

The single bug this [KB 4100480] update fixes is catastrophic. Basically a bug that negates the fundamental security protections of the OS and returns it to the times of MS-DOS.

Ulf Frisk, the guy who discovered this gaping security hole, said last Wednesday that the March Monthly Rollup, KB 4088875, plugs the hole. The next day he said that, oops, the March Monthly Rollup doesn’t fix the hole. Microsoft has now confirmed that the March Monthly Rollup actually introduces the hole.

With the multitude of problems introduced by the March security patches, you may be wondering if this new (patch of a patch) ^ 12 brings along with it the bugs that have led to Microsoft “unchecking” the patch in Windows Update — to put it bluntly, the March patches stink so badly that Microsoft stopped force-feeding them a week ago.

MrBrian has a step-by-step analysis of the bugs in the March patches and whether they’re inherited by KB 4100480. He concludes that the Internet Explorer, phantom NIC and reset manual IP bugs, and bluescreen VALID_POOL_ON_EXIT bugs in the March patches aren’t present in this new patch. The SMB server memory leak bug may or may not be in this new patch, but the bug has been around since January. And the bluescreens for PAE and SIMD may or may not be in the new patch.

We’ve had ongoing coverage at AskWoody about the KB 4100480 patch and its mess. Susan Bradley, who has lots of experience with small business installations, has gone so far as to recommend SMEs with 64-bit Win7 machines roll them back to December:

If there are users in your patching environment that surf and click on ANYTHING, I’d hope you’d make them do their random surfing on an iPad, not a Windows machine (probably still with local admin rights) until this Windows 7 patching mess gets straightened out. I don’t like telling people to roll back to pre-January updates, but neither do I appreciate Microsoft having constant side effects that are measurable and impactful and all that happens is that they keep on telling us that they are working on the issues and this will be fixed in a future release…

If you have any January through March update installed, make sure KB4100480 is installed.

Otherwise go into add/remove programs and roll back to December’s KB4054521 (security only) or KB4054518 (rollup) and then hang tight and keep our fingers crossed that April’s updates will resolve these issues.

And then Microsoft please please please, do something about these known issues and fix them, because it pains me greatly to publicly type this.

Also, on Thursday afternoon, Microsoft dropped a handful of patches that fix other bad bugs in previous patches. Susan Bradley has a short list that includes KB 4096309 for Win10 1607/Server 2016 that “addresses an issue that can cause operational degradation or a loss of environment because of connectivity issues in certain environment configurations after installing KB4088889 (released March 22, 2018) or KB4088787 (released March 13, 2018).”

As Susan notes, both of the patches that KB 4096309 fixes are still listed in their own KB articles as having no known problems: “Microsoft is not currently aware of any issues with this update.”

Then there are the patches that fix bluescreens generated by earlier botched patches:

Then there’s KB 4099950, “Network Interface Card settings can be replaced, or static IP address settings can be lost” fix, released Friday, chronicled by MrBrian. Per the KB article:

This update addresses issues introduced in KB4088875 and KB4088878 for Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1 where a new Ethernet Network Interface Card (NIC) with default settings may replace the previously existing NIC, causing network issues. Also addressed is an issue where static IP address settings are lost after applying the update. These symptoms may be seen on physical computers and virtual computers running VMWare.

It turns out this is just a package for the (modified) VBScript that, when run before installing this month’s patches for Win7, avoids the static-IP-busting behavior of the patch. I talk about the VBScript program in my Patch Alert article from last week.

Abbodi86 describes it:

So it’s the easy automated version of the VBscript. It checks if KB2550978 hotfix is installed (or any superseder). [Note: KB 2550978 is a many-year-old hotfix, last updated more than a year ago.] …

I wonder why Microsoft didn’t roll out that important fix years ago through Windows Update

The important note is that you have to run KB 4099950 before you install this month’s Win7/Server 2008R2 patches.
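Administrators with a fleet of Windows 7/Server 2008 R2 machines will want to check the two conditions this article keeps coming back to: whether a 64-bit host that has taken any of the January-through-March updates also has KB 4100480 installed (otherwise Bradley's rollback to December's KB4054521/KB4054518 applies), and whether KB 4099950 and the KB 2550978 hotfix it looks for are present before the March patches go on. The script below is an added example written for this page, not Microsoft's or AskWoody's code. It uses only the built-in Get-HotFix and Get-WmiObject cmdlets; the KB numbers are the ones named in the article, and because the article's list of the 11 affected updates is not reproduced here, the $AffectedKBs array carries only the two March packages the article names and must be completed from Microsoft's CVE-2018-1038 advisory before use.

```powershell
# Added example (not from the article): audit a Windows 7 / Server 2008 R2 host
# for the CVE-2018-1038 ("Total Meltdown") patch state the article describes.
# Assumes Windows PowerShell 2.0+ (the Win7 default) and the built-in cmdlets
# Get-HotFix and Get-WmiObject. Run locally or against a remote host the
# caller already administers.

# Updates that introduce the hole (article names only the March pair; the
# advisory's full list of 11 must be added here before relying on the result).
$AffectedKBs = @('KB4088875', 'KB4088878')
$FixKB       = 'KB4100480'                  # kernel fix for CVE-2018-1038
$NicFixKB    = 'KB4099950'                  # must be applied BEFORE March patches
$NicHotfixKB = 'KB2550978'                  # old hotfix that KB4099950 checks for
$DecemberKBs = @('KB4054521', 'KB4054518')  # rollback targets (security-only / rollup)

function Get-TotalMeltdownStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $is64      = $os.OSArchitecture -like '64*'
    $isWin7Gen = $os.Version -like '6.1.*'   # Windows 7 and Server 2008 R2 share 6.1

    # HotFixID values look like 'KB4100480', so plain string comparison works.
    $installed = Get-HotFix -ComputerName $ComputerName |
                 Select-Object -ExpandProperty HotFixID

    $affectedPresent = @($AffectedKBs | Where-Object { $installed -contains $_ })
    $fixPresent      = $installed -contains $FixKB
    $nicFixPresent   = $installed -contains $NicFixKB
    $nicHotfixPresent= $installed -contains $NicHotfixKB

    # Decision logic follows the article: only 64-bit 6.1 hosts are exposed,
    # and exposure requires an affected update without the KB4100480 fix.
    if (-not ($is64 -and $isWin7Gen)) {
        $state = 'NotApplicable'
        $advice = 'Not a 64-bit Windows 7 / Server 2008 R2 host; CVE-2018-1038 does not apply.'
    } elseif ($affectedPresent.Count -gt 0 -and -not $fixPresent) {
        $state = 'Vulnerable'
        $advice = "Install $FixKB, or remove the affected updates and roll back to " +
                  "December's $($DecemberKBs -join ' / ') via Add/Remove Programs."
    } elseif ($affectedPresent.Count -gt 0) {
        $state = 'Patched'
        $advice = "$FixKB present; affected updates are mitigated."
    } else {
        $state = 'NoAffectedUpdates'
        $advice = 'No listed affected updates installed; nothing to do for CVE-2018-1038.'
    }

    # Separate warning for the NIC / static-IP regression in the March patches.
    if ($isWin7Gen -and -not $nicFixPresent) {
        $advice += " Apply $NicFixKB before installing March patches (checks for $NicHotfixKB)."
    }

    # New-Object instead of [pscustomobject] keeps this working on PowerShell 2.0.
    New-Object PSObject -Property @{
        ComputerName             = $ComputerName
        OSVersion                = $os.Version
        Is64Bit                  = $is64
        AffectedUpdatesInstalled = ($affectedPresent -join ',')
        FixInstalled             = $fixPresent
        NicFixInstalled          = $nicFixPresent
        NicHotfixInstalled       = $nicHotfixPresent
        State                    = $state
        Recommendation           = $advice
    }
}

# Usage: one host, or a list piped in from AD / a text file.
Get-TotalMeltdownStatus | Format-List
# Get-Content .\hosts.txt | ForEach-Object { Get-TotalMeltdownStatus -ComputerName $_ } |
#     Export-Csv .\total-meltdown-audit.csv -NoTypeInformation
```

The output object is deliberately flat so it can be exported to CSV across many hosts; a `State` of `Vulnerable` is the case Bradley's rollback advice addresses, and the `Recommendation` text only repeats the article's two remedies (install KB 4100480, or roll back to the December packages). Note that Get-HotFix reports what the servicing stack has registered, so an update that was staged but not yet applied at reboot will not appear until the reboot completes.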

I can recall lots of bad Windows patches over the past couple of decades, but I’d be hard-pressed to come up with any that approach this year’s phalanx of Windows 7 screw-ups. It’s as if Microsoft doesn’t care about old multi-billion-dollar businesses.

For now, I continue to recommend that individuals stay put and don’t install any of the March patches. For enterprises, follow Bradley’s advice and roll back to December if you have users with indiscriminate clicking fingers.

Join us for tea and sympathy on the AskWoody Lounge.
