Microsoft’s Useless Patch to Fix Intel’s Problem Explodes in Users’ Faces
Microsoft Windows, never a bastion of security or reliability, has reached yet another low. Their fix-to-a-fix-to-a-fix-to-a-problem has exposed pretty much every Windows machine ever made to one of the worst vulnerabilities yet. I’ll track the progress here. At the very least, make sure you update your computer to the April 2018 Microsoft patches.
If you’re running Windows, you may find these articles interesting:
- Microsoft may have patched Windows 10 for Meltdown, but a security researcher claims that the patch had a “fatal flaw” that undermines the purported protection. The only way to get a true fix is to update to the Windows 10 April 2018 Update, which was released earlier this week. Bleeping Computer first reported the news. https://www.tomsguide.com/us/windows-10-meltdown-patch-fatal-flaw,news-27129.html
- Hackers can bypass Windows Meltdown patch, and early builds may be at risk. Microsoft’s Spectre/Meltdown patches for Windows 10 could be completely bypassed, and only users with the April 2018 Update are protected. https://www.techrepublic.com/article/hackers-can-bypass-windows-meltdown-patch-and-early-builds-may-be-at-risk/
- Windows security: Microsoft issues fix for critical Docker tool flaw, so patch now
Microsoft has patched a bug in an open-source tool it developed to help Docker containers run on Windows. https://www.zdnet.com/article/windows-security-microsoft-issues-fix-for-critical-docker-tool-flaw-so-patch-now/ - Microsoft’s patches for the Meltdown vulnerability have had a fatal flaw all these past months, according to Alex Ionescu, a security researcher with cyber-security firm Crowdstrike. Only patches for Windows 10 versions were affected, the researcher wrote today in a tweet. Microsoft quietly fixed the issue on Windows 10 Redstone 4 (v1803), also known as the April 2018 Update, released on Monday. https://www.bleepingcomputer.com/news/security/microsoft-working-on-a-fix-for-windows-10-meltdown-patch-bypass/
- Intel is facing another wave of reported security issues that affect the company’s processors. The vulnerabilities, called Spectre Next Generation or Spectre NG, have not been disclosed publicly yet. A report on the German computer magazine site Heise suggests that eight new vulnerabilities were reported to Intel recently. Intel gave four of the eight vulnerabilities a severity rating of high and the remaining four a severity rating of medium according to Heise. The exploitability of one of the vulnerabilities appears to be higher than that of previous issues as attackers may abuse the issue to break out of virtual machines to attack the host system or other machines, reports Heise. https://www.ghacks.net/2018/05/03/spectre-next-generation-vulnerabilities/
- Heads up: Total Meltdown exploit code now available on GitHub. The massive security hole introduced by Microsoft for 64-bit Win7 and Server 2008 R2 now has working proof-of-concept code — and it’s freely available on GitHub. While we haven’t seen exploits in the wild, it’s only a matter of days. https://www.computerworld.com/article/3269003/microsoft-windows/heads-up-total-meltdown-exploit-code-now-available-on-github.html