Skip to content

microsoft

Microsoft’s Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE

Quote

You’ll want to install the March update. Like right now – if you can avoid broken networking

In other words you choice is prevent data theft, or have working networking. Wow, as this article concludes, it is indeed a Tough choice

Update: A user in the comments to this article stated

The March cumulative updates have been pulled by Microsoft for Windows 7 and 2008R2 due to the networking bug, although still available if you are using WSUS / SCCM and fancy a gamble. You can still get hold of them direct from the Windows Update Catalog but read the KB articles first as they now say you have to run a script first to ensure you don’t lose networking.

HHmmm that needs to verified. Below is the full article:

Microsoft’s Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE
You’ll want to install the March update. Like right now – if you can avoid broken networking
By Shaun Nichols in San Francisco 28 Mar 2018 at 00:21
59 Reg comments SHARE ▼
Embarrassed/exhausted man sits in front of laptop in hipstery office. Photo by Shutterstock

Microsoft’s January and February security fixes for Intel’s Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes.

This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple’s FileVault disk encryption system.

We’re told Redmond’s early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system’s memory map, gain administrator-level privileges, and extract and modify any information in RAM.

Ouch!

The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.
Sunk by its own hand

According to Frisk, who backed up his claim with a detailed breakdown and a proof-of-concept exploit, the problem boils down to a single bit accidentally set by the kernel in a CPU page table entry. This bit enabled read-write user-mode access to the top-level page table itself.

On Windows 7 and Server 2008 that PML4 table is at a fixed address, so it can always be found and modified by exploit code. With that key permission bit flipped from supervisor-only to any-user, the table allowed all processes to modify said table, and thus pull up and write to memory addresses they are not supposed to reach.

Think of these tables as a telephone directory for the CPU, letting it know where memory is located and what can access it. Microsoft’s programmers accidentally left the top-level table marked completely open for user-mode programs to alter, allowing them to rewrite the computer’s directory of memory mappings.

Further proof-of-concept code can be found here.
Total meltdown

“Windows 7 already did the hard work of mapping in the required memory into every running process,” Frisk explained. “Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!”

Windows 8.x and Windows 10 aren’t affected. The March 13 Patch Tuesday updates contain a fix that addresses this permission bit cockup for affected versions, we’re told.

Microsoft did not respond to a request for comment on the matter.

In short, patch your Windows 7 and Server 2008 R2 machines with the latest security updates to protect against this OS flaw, otherwise any processes or users can tamper with and steal data from physical RAM, and give themselves admin-level control. Or don’t apply any of the Meltdown fixes and allow programs to read from kernel memory.
Networking not working

Fingers crossed your system isn’t among those that will suffer networking woes caused by the March security patches. Microsoft’s security updates this month broke static IP address and vNIC settings on select installations, knocking unlucky virtual machines, servers, and clients offline.

For example, with patch set KB4088878 for Windows 7 and Server 2008 R2, Redmond admitted:

A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused. Microsoft is working on a resolution and will provide an update in an upcoming release.

Static IP address settings are lost after you apply this update. Microsoft is working on a resolution and will provide an update in an upcoming release.

Prevent data theft, or have working networking. Tough choice.

Microsoft silently fixes security holes in Windows 10 – Leaves Win 7, 8 out in the cold

Quote

Microsoft is silently patching security bugs in Windows 10, and not immediately rolling out the same updates to Windows 7 and 8, potentially leaving hundreds of millions of computers at risk of attack.

Flaws and other programming blunders that are exploitable by hackers and malware are being quietly cleaned up and fixed in the big Windows 10 releases – such as the Anniversary Update and the Creator’s Update. But this vital repair work is only slowly, if at all, filtering back down to Windows 7 and Windows 8 in the form of monthly software updates.

Windows 8.1 is supposed to receive monthly security fixes until January 10, 2023, and for Windows 7, January 14, 2020

Read: We want you all on Windows 10 Spyware Platform so can farm all your information and target you with adverts.

Windows 10: Just Say No

Comment: I have been in I.T. my entire career. I witness the birth of the internet, and with the help of Microsoft, Google and their ilk, I am witnessing its death. What was suppose to be an open platform for information sharing and communication has descended into an advertising & spyware platform for all sorts of miscreants – legal and otherwise. Welcome to the cesspool.

Microsoft is disgustingly sneaky: Windows 10 isn’t an operating system, it’s an advertising platform

Don’t believe what Microsoft tells you — Windows 10 is not an operating system. Oh, sure, it has many features that make it look like an operating system, but in reality it is nothing more than a vehicle for advertisements. Since the launch of Windows 10, there have been numerous complaints about ads in various forms. They appear in the Start menu, in the taskbar, in the Action Center, in Explorer, in the Ink Workspace, on the Lock Screen, in the Share tool, in the Windows Store and even in File Explorer.

Microsoft has lost its grip on what is acceptable, and even goes as far as pretending that these ads serve users more than the company — “these are suggestions”, “this is a promoted app”, “we thought you’d like to know that Edge uses less battery than Chrome”, “playable ads let you try out apps without installing”. But if we’re honest, the company is doing nothing more than abusing its position, using Windows 10 to promote its own tools and services, or those with which it has marketing arrangements. Does Microsoft think we’re stupid?

….
(Yes they do)

It might feel as though we’re going over old ground here, and we are. Microsoft just keeps letting us (and you) down, time and time and time again.

It’s time for things to change, but will Microsoft listen?
Article source: HERE

(Of course not, they are a monopolist)

Microsoft Admits Windows 10 Automatic Spying Cannot Be Stopped

Windows10-Spy
Quote

…Speaking to PC World, Microsoft Corporate Vice President Joe Belfiore explained that Windows 10 is constantly tracking how it operates and how you are using it and sending that information back to Microsoft by default. More importantly he also confirmed that, despite offering some options to turn elements of tracking off, core data collection simply cannot be stopped:

“In the cases where we’ve not provided options, we feel that those things have to do with the health of the system,” he said. “In the case of knowing that our system that we’ve created is crashing, or is having serious performance problems, we view that as so helpful to the ecosystem and so not an issue of personal privacy, that today we collect that data so that we make that experience better for everyone.”

To his credit, Belfiore does recognise the controversial nature of this decision and stresses that:

“We’re going to continue to listen to what the broad public says about these decisions, and ultimately our goal is to balance the right thing happening for the most people – really, for everyone – with complexity that comes with putting in a whole lot of control.”

B.S.!


Interestingly Belfiore himself won’t be around to oversee this as he is about to take a year long sabbatical. When he comes back, however, I suspect this issue will still be raging as Windows and Devices Group head Terry Myerson recently confirmed Windows 10 Enterprise users will be able to disable every single aspect of Microsoft data collection.

This comes in combination with Windows 10 Pro and Enterprise users’ ability to permanently disable automatic updates which are forced upon consumers and shows the growing divide between how Microsoft is treating consumers versus corporations.

So how concerned should users be about Windows 10’s default data collection policies? I would say very.

By default Windows 10 Home is allowed to control your bandwidth usage, install any software it wants whenever it wants (without providing detailed information on what these updates do), display ads in the Start Menu (currently it has been limited to app advertisements), send your hardware details and any changes you make to Microsoft and even log your browser history and keystrokes which the Windows End User Licence Agreement (EULA) states you allow Microsoft to use for analysis.

The good news: even if Belfiore states you cannot switch off everything, editing your privacy settings will disable the worst of these. To find them open the Start menu > Settings > Privacy.

The bad news: despite Belfiore’s pledge “to continue to listen”, Microsoft’s actions (including the impending Windows 7 and Windows 8 upgrade pressure) suggests the company’s recent love for Big Brother tactics is only going to get worse before it gets better…

Answer? Stay on windows 7 pro or switch to a Linux distro. It is time that users stand up and say “Stop spying or I will stop using your products.” Remember, Windows 10 is not free, you pay for the privileged to get raped by their ilk!

Is Windows 10 slurping too much data?

Seems like yes, despite assertions that it is not.

Quote

“We collect a limited amount of information to help us provide a secure and reliable experience. This includes data like an anonymous device ID, device type, and application crash data which Microsoft and our developer partners use to continuously improve application reliability,” Myerson wrote. “This doesn’t include any of your content or files, and we take several steps to avoid collecting any information that directly identifies you, such as your name, email address or account ID.”

Moving right along, Myerson confirmed that Microsoft would love to collect words and phrases that you type – something we’ve known about since the first Windows 10 Technical Preview shipped – but explained that it’s not about advertising. Rather, it’s about being able to “deliver a delightful and personalized Windows experience to you.”

The Windows 10 Privacy Statement gives examples of data that Redmond might collect, including “name, email address, preferences and interests; location, browsing, search and file history; phone call and SMS data.”

So basically, use Windows 10 and your life is an open book to Microsoft and their partners. No thanks!