Microsoft jiggles — but doesn’t fix — buggy Win7 patches KB 4088875, KB 4088878

Credit to Author: Woody Leonhard | Date: Thu, 05 Apr 2018 06:17:00 -0700

Last night we were treated to new versions of the badly banged-up March Win7 patches. It looks like the new ones are the same as the old ones, but the internal handling instructions (the metadata) now force installation of the NIC/static IP fix-up patch, KB 4099950, before the old patch is installed.

Of course, none of this is documented anywhere.

Starting with Günter Born’s report, and checking the Microsoft Update Catalog, I can see modified versions of:

KB 4088875 – Win7 March Monthly Rollup (dated, in the Update Catalog, as April 4)

KB 4088878 – Win7 March Security-only patch (also April 4)

KB 4088881 – Preview of the Win7 April Monthly Rollup (also April 4)

MrBrian analyzed the content of those patches and came to the conclusion:

Literally nothing has changed in the Catalog for the x64 versions of these updates (the only ones that I checked). I assume the same is true for the other versions of these three updates. One can see this by downloading the given updates and checking their digital signature dates. The reason that the date changed in the Catalog for these three updates is because their metadata changed. … [It appears as if] Microsoft is now bundling the download and installation of KB4099950 when one installs any of these three updates in Windows Update.

You may recall that KB 4099950 is the fix for the bug, introduced in the March Win7 patches, that knocks out Network Interface Cards and static IP addresses. I talked about KB 4099950 earlier this week. It looks like the metadata has been jiggered so any attempt to install the buggy Win7 patches KB 4088875, 4088878, or 4088881, automatically bundles the fix KB 4099950 and runs it before the original patches are installed.

That means these new versions of KB 4088875, 4088878 and 4088881 still have the same bugs as the old ones, except that the NIC/static IP bug is headed off in advance because the KB 4099950 fix runs automatically before the original patch. Note the caveat: the bundling lives in the Windows Update metadata, not in the .msu files, so if you download a patch from the Catalog and install it by hand, nothing runs KB 4099950 for you first.

Along with the horse-before-the-cart bundling, the KB articles for both the Win7 March Monthly Rollup, KB 4088875, and the Security-only patch, KB 4088878, have yet another bug added to the officially acknowledged list:

After you install this update, you may receive a Stop error message that resembles the following when you log off the computer:

SESSION_HAS_VALID_POOL_ON_EXIT (ab)

And they both now have this admonition:

Important: Please apply KB4100480 immediately after applying this update. KB4100480 resolves a vulnerability in the Windows kernel for the 64-bit (x64) version of Windows. This vulnerability is documented in CVE-2018-1038.

KB 4100480 is the destructive fix for the Total Meltdown security hole — the one introduced by every Win7 patch this year — that I talked about earlier this week. For more details, see abbodi86’s description and MrBrian’s analysis.
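The sequencing described above (KB 4099950 first, then the March rollup or Security-only patch, then KB 4100480 right after) only happens by itself through Windows Update. If you install the Catalog .msu files yourself, you have to enforce the order by hand. The script below is an added example, not code from the article, from Microsoft or from AskWoody; it enforces that order on a Win7 SP1 x64 machine, refuses any package that is not validly Authenticode-signed by Microsoft, and prints each package's SHA-256 so two Catalog downloads can be compared (this stands in for MrBrian's digital-signature-date check, since Get-AuthenticodeSignature does not expose the signing time directly). The directory and file names are assumptions; edit them to match your download.

```powershell
# Added example (not code from the article, from Microsoft or from AskWoody):
# install the March 2018 Windows 7 x64 patches in the order the article and the
# KB articles describe, refusing anything that is not a validly signed Microsoft
# package. Run from an elevated PowerShell prompt on Windows 7 SP1 x64.
#
# Order:
#   1. KB4099950  NIC / static-IP fix, BEFORE the March rollup or security-only patch
#   2. KB4088875  Monthly Rollup, OR KB4088878 Security-only patch (one of the two)
#   3. KB4100480  CVE-2018-1038 "Total Meltdown" fix, immediately after
#
# Assumptions (hypothetical, edit to match your download): the .msu files were
# fetched from the Microsoft Update Catalog into $PatchDir under these names.
$PatchDir  = 'C:\Patches\2018-03'
$UseRollup = $true        # $false => install the Security-only patch instead

$Sequence = @( @{ KB = 'KB4099950'; File = 'windows6.1-kb4099950-x64.msu' } )
if ($UseRollup) { $Sequence += @{ KB = 'KB4088875'; File = 'windows6.1-kb4088875-x64.msu' } }
else            { $Sequence += @{ KB = 'KB4088878'; File = 'windows6.1-kb4088878-x64.msu' } }
$Sequence += @{ KB = 'KB4100480'; File = 'windows6.1-kb4100480-x64.msu' }

function Test-KbInstalled([string]$Kb) {
    # Get-HotFix (Win32_QuickFixEngineering) lists installed updates by KB id.
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Get-Sha256Hex([string]$Path) {
    # Plain .NET hashing so this also works on the PowerShell 2.0 that ships with Win7.
    # Comparing this value across two Catalog downloads confirms whether the package
    # itself changed, regardless of the date the Catalog shows.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Assert-MicrosoftSigned([string]$Path) {
    # A corrupted or tampered download fails here before wusa ever sees it.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Authenticode check failed for $Path : $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Unexpected signer for $Path : $($sig.SignerCertificate.Subject)"
    }
}

foreach ($step in $Sequence) {
    if (Test-KbInstalled $step.KB) {
        Write-Host "$($step.KB) already installed, skipping"
        continue
    }
    $msu = Join-Path $PatchDir $step.File
    if (-not (Test-Path $msu)) { throw "Missing package: $msu" }
    Assert-MicrosoftSigned $msu
    Write-Host ("{0}: SHA256 {1}" -f $step.File, (Get-Sha256Hex $msu))

    # wusa.exe installs a .msu; /quiet /norestart keeps the reboot under our control.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                       -ArgumentList "`"$msu`" /quiet /norestart" -Wait -PassThru
    $rebootPending = $false
    switch ($p.ExitCode) {
        0       { Write-Host "$($step.KB) installed" }
        3010    { Write-Host "$($step.KB) installed, reboot required"; $rebootPending = $true }
        2359302 { Write-Host "$($step.KB) already present according to wusa" }
        default { throw "$($step.KB) failed, wusa exit code $($p.ExitCode)" }
    }
    # Stop at a reboot boundary rather than stacking the next package on top.
    if ($rebootPending) { break }
}
Write-Host 'Done for now. After any reboot, run this script again; installed KBs are skipped.'
```

Because installed KBs are skipped on each run, the script can simply be re-run after every reboot until all three steps report installed; wusa exit code 3010 is "installed, reboot required" and 2359302 is "already installed".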

Remember: There are absolutely no known attacks for Meltdown or Spectre in the wild. But this Total Meltdown bug is a huge one, introduced while trying to fix Meltdown and Spectre: on 64-bit Win7 the patched kernel left its top-level page table (the PML4) accessible from user mode, so any ordinary process can read and write all of physical memory, with no timing side channel needed.

Several people are now reporting that Win7 March Monthly Rollup, KB 4088875, no longer appears in the Windows Update list, and the KB 4088881 Preview is no longer available. Of course there’s no documentation about any of this, but it looks as if Microsoft — which changed KB 4088875 to “important but not checked” a week after it was released — has now yanked the patch, at least for Windows Update users.

Sometimes I wonder if things could get even more screwed up.

Thx MrBrian, PKCano, abbodi86, gborn, and the AskWoody Street Irregulars.

Join us for KB 4090450, 4088879, 2952664, 2976978 and more senseless things on the AskWoody Lounge.
