back to article Microsoft patches patch for Meltdown bug patch: Windows 7, Server 2008 rushed an emergency fix

Microsoft today issued an emergency security update to correct a security update it issued earlier this month to correct a security update it issued in January and February. In January and February, Redmond emitted fixes for Windows 7 and Server 2008 R2 machines to counter the Meltdown chip-level vulnerability in modern Intel …

  1. bombastic bob Silver badge
    FAIL

    This is what happens when...

    a) you don't properly test prior to deployment;

    b) you generally rely on end-users to test your patches;

    c) your general focus on "all the wrong things" doesn't put sufficient resources on what's important, i.e. security and reliability, vs "next new, shiny that requires Edge and/or locks customers into a privacy invasive EULA or a subscription model".

    and market-driven development cares LESS about support when "they" *FEEL* [not think] that end-users are LOCKED IN [like a monopoly] and wouldn't DARE go elsewhere...

    1. J27

      Re: This is what happens when...

      Sounds like the software industry in a nutshell.

      1. Rob007

        Re: This is what happens when...

        Oh yes - seen this regularly - why test when you either get the internal users to do this for you and/or the customers

    2. Anonymous Coward
      Anonymous Coward

      Re: This is what happens when...

      As always, that is Microsoft's standard MO - which explains the high level of user discontent, as well as Microsoft's longstanding position as the world's most successful software corporation.

      Many companies have come and gone with better ideas, better implementation, far greater emphasis on quality and much more dedication to customer satisfaction.

      Sadly, they have all either gone out of business or been taken over by more pragmatic rivals such as Microsoft, IBM, Oracle or HP. (The last-named has a fantastic, almost unbelievable record of destroying healthy software companies after it has bought them; recently this trend has even seen HPE itself damaged).

      The trouble is that, in spite of all the fine words uttered, the market as a whole is unwilling to pay for any high degree of security, integrity, reliability or quality. Hence the corporations that make the most profit are those that systematically keep quality and its costs as low as possible.

  2. Brian Miller

    Yet another PITA

    Er, pain patch in the asset.

  3. aregross

    Doesn't appear to apply to 32bit

    1. diodesign (Written by Reg staff) Silver badge

      Re: aregross

      I don't believe there are any 32-bit Meltdown/Spectre patches from Microsoft. 32-bit is SoL.

      C.

      1. aregross

        Re: aregross

        Is it possible 32bit processors are immune?

        ...or forgotten?

      2. xenny

        Re: aregross

        There are definitely 32 bit Meltdown/Spectre patches available now.

        Looking at https://support.microsoft.com/en-gb/help/4073757/protect-your-windows-devices-against-spectre-meltdown (there's a section explicitly for 32-bit Windows) and https://support.microsoft.com/en-us/help/4088878/windows-7-update-kb4088878 I think they went on general release with the March patch Tuesday.

        I remember (no link, sorry) seeing them offered an an out of band not on general release update perhaps in late January or Feb.

      3. DJV Silver badge
        Trollface

        @diodesign - SoL?

        What's all this got to do with Scottish Omnibuses Ltd?

        https://acronyms.thefreedictionary.com/SOL

      4. Tail Up

        @С. Re: aregross

        A way-out is possibly to believe that the patch is from MD/S devs (-;

      5. mIRCat

        Re: aregross

        I came here to mention the same thing. I would have to check the catalog, but I know we patched 32-bit systems.

  4. Anonymous Coward
    Anonymous Coward

    Microsoft should be held accountable for there defective code

    This is what happens when:

    1. You sell a half-baked POS operating system that has at least 10,000 known Bugs that will crash the computer or cause lost data

    2. You don't care about your customers and only care about how much profit can be generated

    3. You're incompetent and don't properly test your piss poor updates before imposing damage to customer PCs

    1. G2

      Re: Microsoft should be held accountable for there defective code

      or, 4) nobody is perfect and you cannot test for the millions of configuration variants out there. Even you used a BIG typo in your comment code up there: s/there/their/

      If you want "perfect" code then write your own OS. And drivers. And design and bake your own silicon chips to avoid any potential CPU meltdown or architectural design variations.

      Modern systems are in continuous evolution, the old tests are already obsolete by the time the finished, supervisor-reviewed, manager-approved test schedule sheet rolls out of the office printer.

      If you want those back then what are you doing on the internet? The internet is a real-time, continuously-changing environment. Someone wants a change in one part of a software to work with a new gadget on the market and then suddenly something else that was depending on the old version won't work as it used to and needs to be brought up to date.

      https://en.wikipedia.org/wiki/Continuous_delivery

      1. Anonymous Coward
        Anonymous Coward

        Re: Microsoft should be held accountable for there defective code

        If you can't properly test your millions of lines of code then you are in the wrong business. This absurd defense that Microsucks and it's fanbois have used for years illustrates the lies that are regurgitated to cover for gross negligence and apathy. Microsucks should have been prosecuted decades ago for their illegal blackmail of PC vendors and defective OSs. Instead they were able to buy favor and now the world has totally unreliable and insecure PC systems as a result of Windoze being forced on consumers and enterprise.

      2. Anonymous Coward
        Anonymous Coward

        Re: Microsoft should be held accountable for there defective code

        "The internet is a real-time, continuously-changing environment".

        That is a rather naive, sweeping statement.

        On the face of it, the Internet is a network. Nothing more. Some people may choose to connect to the Internet various pieces of kit and software, some of which are drastically immature and unreliable. Others may prefer to stick with the classic definition of a legacy application: "one that works".

        The idea that "a real-time, continuously-changing environment" is necessarily a good thing is naive in the extreme. No doubt it is very useful to have such environments here and there - a kind of IT brainstorming - but it's very foolish to place any reliance on such systems. Nor do we: almost all of our society's vital IT tasks are still run on mainframes, for the simple reason that nothing better has been invented.

        1. Updraft102

          Re: Microsoft should be held accountable for there defective code

          The idea that "a real-time, continuously-changing environment" is necessarily a good thing is naive in the extreme.

          If anyone actually believed it, certainly. That's just a glob of rather obvious marketing doublespeak, meant to make the victim believe that stability is actually a bad thing. Consistency and a coherent UI that is actually designed for the way people use the OS is bad, but constant code churn and permanent beta quality (along with significant down time while the thing keeps changing, continuously, one time-wasting update at a time) are good.

          We've heard this nonsense from Microsoft before in their efforts to tell us that in today's world, only Windows as a Service can possibly hope to keep up with the evolving threats (because its new that the threats are changing and adapting now, apparently), even while more than half of the users of Windows out there were still happily using an OS that hasn't seen a "feature update" or anything like it since 2010, fully eight years ago as I write this. If MS wasn't "inadvertently" breaking Windows 7 with updates that do more harm than good, it would be keeping up with the threats just fine. Find a security hole, fix the security hole; lather, rinse, repeat. What's new about that?

          Windows 10 has far more untested, unproven code than Windows 7 (when 7 was written, they actually had paid people to do the testing, and then it went through nearly a decade of post-release usage in the real world). Windows 10 has more attack surface with the Win32 bits (which 7 also has) as well as the useless UWP portion (with which Windows 7 is blissfully unencumbered). Nearly every month, Windows 10 has the same or more security fixes as 7; clearly, the same issues exist in both of them, plus some new ones in 10 only.

          You don't need "feature" updates every six months for security purposes. In terms of security, you'd be far better off without them... each one of them introduces more code churn and thus more bugs, and all of it for "features" that very few, if any, of Windows 10 users asked for. The things they have been asking for have thus far been met with laughter or the sound of crickets...

          That's why I am getting off this crazy train after 27 years on board. If Windows 10 is the last version ever, it will be the last version I ever say "Hell no!" to as well.

        2. amanfromMars 1 Silver badge
          Mushroom

          Microsoft being accountable for defective code is the Chicken being responsible for Easter Eggs?

          Crikey, Archtech,

          That thinking of yours is Positive Archaic and Ripe for All Manner of New Fangled Entangling Exploitative Attack with the Oday Vulnerabilities Trading and Swapping and Swiping of COSMIC Secrets. You appear to be imagining leading future things now being much as they and it ever were, whenever the Practical Actuality with IT and AI and Alternate Media in Virtually Anonymous Command and Remote Autonomous Control, is All is Enabled to be completely different, and Everything has Changed Fundamentally and Radically, and Always to be Continually Changing .

          The Fact that Politically Inept Establishments and Status Quo MainStream Media Moguls Pimp and Pump FUD to the Masses is a Sure Sign their Live Life MasterClasses have Failed Admirably and Catastrophically.

    2. Anonymous Coward
      Anonymous Coward

      Re: Microsoft should be held accountable for there defective code

      People should be held accountable for using Microsoft.

    3. HmmmYes

      Re: Microsoft should be held accountable for there defective code

      MS server OSes are not POS.

      They are the best you can get from MS.

      They do tend to be stable but suffer from whatever fuckedup idea the MS UX team have about Guis. Should have stuck to win2k gui and left it there. I dont buy server oses for their fucking guis.

      The fuckup has a smell of panic and too many managers, not enough experienced software people.

      I no longer know anyone working at MS. Theyve all left - retired from work or gone elsewhere.

      Thier does seem to be a missing generation of softies in MS.

      1. gotes

        Re: Microsoft should be held accountable for there defective code

        HmmmYes:

        I dont buy server oses for their fucking guis.

        Server 2012 is the worst. The full screen start menu and that fucking "charm" thing.

        1. HmmmYes

          Re: Microsoft should be held accountable for there defective code

          Ahh but youll find its UX is consistent with Windows mobile.... whatever that is.

    4. Anonymous Coward
      Anonymous Coward

      Re: Microsoft should be held accountable for there defective code

      4. You become the wealthiest software corporation in the world.

    5. Phil Kingston

      Re: Microsoft should be held accountable for there defective code

      "Microsoft should be held accountable for there defective code"

      I'm not normally one to go all there/their/they're on someone, but in that sentence it's gold.

  5. Lion

    The cheque is in the mail.

    I hope that Swedish researcher gets a nice big fat bug bounty payout from Microsoft. Six figures would be appropriate. They will be super cheap bastards if they send anything less.

    No apology from Microsoft though.

    Today, Nadella rearranged the deck chairs and threw an executive overboard. He said he did a great job keeping Windows safe. His replacement will keep up the good work.

  6. J27

    It's looking like a good time to jump off the sinking Windows 7 ship.

    1. Anonymous Coward
      Anonymous Coward

      "It's looking like a good time to jump off the sinking Windows 7 ship."

      Written by a MSFT sponsered bot?

      Of course they try very hard to get users to Windows 7. Of course they do everything they can do to destroy Win 7 reputation and more add annoying things with very new update. Exactly the same strategy was eventually successful with Win XP. Back then they released a SP3, which slowed down the PC a lot and so many other nasty updates. The same happens with Win 7 since 2016, so better disable updates and never upgrade to Win 10, but look elsewhere in the long term.

    2. Anonymous Bullard

      It's looking like a good time to jump off the sinking Windows 7 ship.

      Out the frying pan into the fire.

    3. james swiers

      my thoughts exactly , windows 7 is bye bye

  7. mark l 2 Silver badge

    I have some sympathy for Microsoft here, and I am a long way from being an MS fanboy. It is Intel that are to blame continuing to sell vulnerable products even after they were informed about the vulnerability, yet it seems they can do no wrong with this fiasco hardly putting a dent into their share price.

    We should all stop buying PCs with Intel chips, bring back the 'Intel Outside' stickers that i remember seeing on peoples non-Intel computers in the 90s.

    1. Ed3

      ...and AMD. And ARM. And Power. Do I remember seeing SPARC in there as well? Keep in mind that this particular set of vulns has effected a large swath of CPUs across several manufacturers. It seems like they all bought from the same patent bucket. If Intel is the original designer and everyone licensed the feature from them, then sure blame them. But I myself have not read where the memory management algorithms that caused all this actually came from.

      1. Ken Hagan Gold badge

        If we are talking about Meltdown, it is only Intel so you can forget about AMD and ARM and Power.

        If we are talking about Spectre, the reading you haven't done is on the subject of speculative execution (not memory management, although sufficiently baroque MM can make it harder to exploit) and probably dates from the 1980s (academia) or the 1990s (industry). There isn't any patent bucket. It's just a good idea for several-fold increase in performance with the unintended side-effect of introducing a very low bandwidth side-channel for snooping.

        I'd be surprised if we don't see the bandwidth of that channel chased down to negligible levels in the next year or two by introducing some carefully considered randomness in cache timings and/or separation of caches. That will be a hardware re-design, so not applicable to existing chips, but pretty much all timing-related side-channels can be drowned out with jitter (noise) once you've figured out where they are.

        1. Claptrap314 Silver badge

          Jitter only lowers bandwidth. It cannot eliminate the channel. What's more, if such jitter were random, it would destroy the ability to debug many classes of critical hardware bugs. A month ago, I gave an overview of the problem from a hardware design viewpoint, and what to expect with true fixes. TL;RD: expect major price jumps to (mostly) maintain performance.

          1. MacroRodent

            The Singularity

            We have clearly reached the Singularity. No, not the Kurtzweill one, but a situation where the combined complexity of processors and OS means every patch creates at least as many bugs as it fixes. From now on, there is no reliable computing, unless you are willing to simplify radically.

  8. chivo243 Silver badge
    Trollface

    I'll wait

    for proper updates from the manufacturers. At least they tried it on one of their systems before shoveling it out the door...

    1. G2
      Pint

      Re: I'll wait

      you assume that they had systems to test the updates on in the first place... or that they bother to publish updates.

      These days if a system is older than 12/24 months then most of them consider they no longer have any responsibility so they shovel out the door any remaining systems to sell as "manufacturer-refurbished".

  9. a handle

    Microsoft are you being evil again ?

    Microsoft's March 2018 Windows Update removes Virtual Network adapter, and creates a new default one, this loses IP settings if they are static. I believe this has been the cause of many systems outages, it broke our "test" servers. Here are the prerequisites if you've not applied March's updates already: https://support.microsoft.com/en-us/help/4088875/windows-7-update-kb4088875

    Microsoft did similar things to earlier Windows and Office versions towards their end of life too. It is mafia style, poor morals and very unethical.

  10. JakeMS
    Thumb Up

    Testing?

    "Except that March update didn't fully seal the deal: the bug remained in the kernel, and was exploitable by malicious software and users."

    Did they even test if the update worked then? I mean you make a patch, surely you should check to see if it did what you wanted it to do?

    1. Grikath

      Re: Testing?

      They did test it... against the original problem..

      This one was introduced by someone who forgot to reset a flag ( presumably set for testing/debugging purposes.), which opened up ...well.. everything...

      Not a failure to solve the problem, but introducing a new vulnerability in the same area by simple, stupid, human error. Like leaving the stock admin login untouched in an installation.

    2. Nolveys

      Re: Testing?

      I mean you make a patch, surely you should check to see if it did what you wanted it to do?

      That's exactly what they did, they installed their patch on their millions of test machines located in homes and businesses all over the world. Then they learned that they fucked it up and tried again. And again.

    3. GrapeBunch

      Re: Testing?

      @JakeMS. I'm sure that the patch did exactly what MS wanted it to do.

  11. Captain Badmouth
    FAIL

    Patching hell...

    I'll wait for the patch for the patch for the patch for the patch.

    Thanks.

    1. ecofeco Silver badge

      Re: Patching hell...

      Patch Adams?

    2. Captain Badmouth
      WTF?

      Re: Patching hell...

      I'll wait for the patch for the patch for the patch for the patch.

      Thanks.

      On second thoughts...

  12. Stevie

    Bah!

    logged-in users could now access and modify any part of physical RAM

    This is exactly how the NRA suggests we fight gun violence in schools.

    Large world.

  13. Anonymous Coward
    Anonymous Coward

    Got there in the end

    > So gg Microsoft. You got there in the end.

    You're assuming this patch finally fixes everything. :-)

  14. Milo Tsukroff
    Coat

    Keep laughing

    I keep laughing ... If it's not COBOL, it's not stable.

    I'll get my coat. It's the one with the Magic Brain Calculator in the pocket.

    1. Anonymous Coward
      Anonymous Coward

      Re: Keep laughing

      MT mentioned COBOL.

      Pascal rules, COBOL drools.

  15. PhillW

    So how come, if it such an important update, that windows update is not picking it up? (as of 8:30 on 31st march)

  16. amanfromMars 1 Silver badge

    Happy Easter Egg

    On the other hand, writing kernel-level memory management code is an absolute bastard at times, so you have to afford the devs some sympathy.

    AIMasterful 0Day Trading Platform ..... for Stellar Performances in Future JOINT Enterprises ..... Heavenly AIMissions to/from RAW Core Secret Source2XSS.

    FTAO ... The Chief of the Defence Staff, General Sir Nick Carter

    Re: The Immaculate Edge to Have and Behold and Sell/Expropriate and Export

    Can We Spark Interest in MOD Protected CyberIntelAIgent Global Operating Devices with AIMODified Forces Deeply into NEUKlearer Secret Source Sources.

    That which Follows the Unfurling of the True Path, and with IT and Media Stocks and Shares Available for Onward Investment in the New NEUKlearer You, an Altogether Different Being

    TS/SCI:Strictly Need to Know ?

    The COSMIC Full Monty Conversion and HyperInversion with CHAOS [Clouds Hosting Advanced Operating Systems] in Virtual Command and Remote Control.

    Does that Show a Sign of CyberIntelAIgent Machine Control with Heavenly Presumption on Assumption and Ascension into Leading AI with Leading AIDVenturers Leading and Paving the Way for AIDVentures with PathFinders?

    As a Universal Tool is your Great Use of IT Absolutely Vital and Critical to Counter and Vanquish Any and All choosing an Ignorant Foe who would/could be both Foolish and Mad Enough to Weaponise Space with Heavenly Order to Command and Control.

    That certainly enough to turn any Good Sinner into a Saint/Saint into a Good Sinner.

    :-) But hey, that's Just ITs Helter Skelter ProgramMING, for You. Start Enjoying it and All that IT will now Provide ...... and Present as a Future Worth Following for Everything There IT Seeds and Feeds for Future Harvest .... and Presentation of Live Universal Truths which Driver Existence and Aid Exhaustion with the Provision of Succour in Pure RAW NEUKlearer Source for Core Kernel Processor Loding with Expanding Memory to Future Vision.

    A Simply Complex AIBetaTest of the Readiness and Willingness of UKGBNI Defence Forces and Secret Services to Engage with New Super Stealthy Services for Import/Exporting, El Reg.

    Watch this space for more on most unlikely news of all that transpires later. :-)

    Hmmmm :-). ....Atomic Football/Big Red Button/Doctor StrangeLOVE stuff in Live Operational Virtual Environments fleeted in and shot through right outta sight just there. Stealth Is as Stealth does and Follows to Server Core Feeds/Needs/Seeds.

    Hmmmmm... Is that Virtual Machinery Ensuring ITs Growing Existence in a Universal Presence beyond All Command and Control?

    And a Possible Hollywood Mission Impossible BlockBuster Ball Bursting Live Documentary to Stream to the Faithful and Others who be Restless and/or Reckless.:-) Spookery Sells.

    Ciao, for Now.

    1. Updraft102

      Re: Happy Easter Egg

      That is an *awfully* long title. I can only imagine how bad the article must be.

  17. Anonymous Coward
    Anonymous Coward

    Unfortunately, WSUS logic for 4100480 seems broken. I have 115 x64 Win7 machines with the Jan., and Feb., Security Only rollups installed, but only 4 show 'update needed' for 4100480.

    See https://www.askwoody.com/forums/topic/patch-lady-new-update-for-windows-7-kb-4100480/#post-179324

    3 separate users reporting this issue.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like