January 10, 2018

Microsoft on Tuesday released 14 security updates, including fixes for the Spectre and Meltdown flaws detailed last week, as well as a zero-day vulnerability in Microsoft Office that is being exploited in the wild. Separately, Adobe pushed a security update to its Flash Player software.

Last week’s story, Scary Chip Flaws Raise Spectre of Meltdown, sought to explain the gravity of these two security flaws present in most modern computers, smartphones, tablets and mobile devices. The bugs are thought to be mainly exploitable in chips made by Intel and ARM, but researchers said it was possible they also could be leveraged to steal data from computers with chips made by AMD.

By the time that story had published, Microsoft had already begun shipping an emergency update to address the flaws, but many readers complained that their PCs experienced the dreaded “blue screen of death” (BSOD) after applying the update. Microsoft warned that the BSOD problems were attributable to many antivirus programs not yet updating their software to play nice with the security updates.

On Tuesday, Microsoft said it was suspending the patches for computers running AMD chipsets.

“After investigating, Microsoft determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown,” the company said in a notice posted to its support site.

“To prevent AMD customers from getting into an unbootable state, Microsoft has temporarily paused sending the following Windows operating system updates to devices that have impacted AMD processors,” the company continued. “Microsoft is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices via Windows Update and WSUS as soon as possible.”

In short, if you’re running Windows on a computer powered by an AMD chip, you’re not going to be offered the Spectre/Meltdown fixes for now. Not sure whether your computer has an Intel or AMD chip? Most modern computers display this information (albeit very briefly) when the computer first starts up, before the Windows logo appears on the screen.

Here’s another way. From within Windows, users can find this information by pressing the Windows key on the keyboard and the “Pause” key at the same time, which should open the System Properties feature. The chip maker will be displayed next to the “Processor:” listing on that page.

Microsoft also on Tuesday provided more information about the potential performance impact on Windows computers after installing the Spectre/Meltdown updates. To summarize, Microsoft said Windows 7, 8.1 and 10 users on older chips (circa 2015 or older), as well as Windows server users on any silicon, are likely to notice a slowdown of their computer after applying this update.

Any readers who experience a BSOD after applying January’s batch of updates may be able to get help from Microsoft’s site: Here are the corresponding help pages for Windows 7, Windows 8.1 and Windows 10 users.

As evidenced by this debacle, it’s a good idea to get in the habit of backing up your system on a regular basis. I typically do this at least once a month — but especially right before installing any updates from Microsoft. 

Attackers could exploit a zero-day vulnerability in Office (CVE-2018-0802) just by getting a user to open a booby-trapped Office document or visit a malicious/hacked Web site. Microsoft also patched a flaw (CVE-2018-0819) in Office for Mac that was publicly disclosed prior to the patch being released, potentially giving attackers a heads up on how to exploit the bug.

Of the 56 vulnerabilities addressed in the January Patch Tuesday batch, at least 16 earned Microsoft’s critical rating, meaning attackers could exploit them to gain full access to Windows systems with little help from users. For more on Tuesday’s updates from Microsoft, check out blogs from Ivanti and Qualys.

As per usual, Adobe issued an update for Flash Player yesterday. The update brings Flash to version 28.0.0.137 on Windows, Mac, and Linux systems. Windows users who browse the Web with anything other than Internet Explorer may need to apply the Flash patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version.

When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then. Chrome will replace that three dot icon with an up-arrow inside of a circle when updates are waiting to be installed.

Standard disclaimer: Because Flash remains such a security risk, I continue to encourage readers to remove or hobble Flash Player unless and until it is needed for a specific site or purpose. More on that approach (as well as slightly less radical solutions) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.

For readers still unwilling to cut the Flash cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

Another, perhaps less elegant, solution is to keep Flash installed in a browser that you don’t normally use, and then to only use that browser on sites that require it.


81 thoughts on “Microsoft’s Jan. 2018 Patch Tuesday Lowdown”

  1. Mark Webb

    We have at least two users in our company (me and another user) who recently applied the most recent round of Microsoft Updates most of which appeared to be Office related and we are seeing a weird bug with Outlook 2016. If we scan ourselves a document from our copier in .pdf format or we receive a .wav file in an email from our hosted VOIP phone system containing a voice mail and then open one of those two emails and click forward, the attachment will be dropped. If we close the email, select the email in our inbox and then click forward then the email will forward fine. Both of us have Windows 10 Pro.

    1. Daniel

      Mark, we are seeing the same thing at our company, still trying to narrow down which update it is, if you find out would love to know, thanks.

      1. Mark Webb

        Two more got the update. I’m thinking I want to try and stop this batch of updates, but I have lots of users outside the corporate office that get updates automatically. Any suggestions for how best to stop the updates company-wide? There is a registry key that I believe our AV software manufacturer had to set in order for these recent updates to come down. I have asked them if there is an easy way to unset this key for us. Not holding my breath.

        1. somguy

          That registry key only prevents the one update for the meltdown vulnerability, and then only if it hasn’t been already installed. All other MS updates this month will install as normal with or without that key.

          That key is intended for AV makers to mark if they are compatible with that one particular patch.

      2. Mark Webb

        Hi, we are in the very early stages of testing, but I looked at all of the updates that came down yesterday and looked for ones that mentioned Outlook 2016. On my PC, I only found one (KB4011626). I uninstalled it from my PC (took maybe 3 minutes), rebooted, and I believe the symptoms have disappeared. Probably the next step is to Pause Updates for 35 days. (You can Google how to do that with Windows 10 – under Advanced Options). Need to run to pick up the kids. Hope this helps.

        1. Steve B

          Hi Mark. Your comment has just saved me from having to search for the cause – thanks. Microsoft have confirmed to me that KB4011626 is the culprit.

          Interestingly, the bug does NOT show up for signed e-mails.

          1. Mark Webb

            Steve, Did Microsoft say anything about when a fix or work-around for this might be released? On my PC at least, I deleted the KB previously mentioned and my Windows 10 automatic Windows update put it back the next day. I might look into temporarily disabling auto-updates for 35 days, but will hold off on that for now. Users can save the attachment to their desktop and then compose a new email and attach it. In our case, we are seeing it when we scan documents on our Ricoh copiers and have them email us .pdf files or when our hosted VOIP phone system receives a voicemail for us and sends it to us in an email as a .wav file. So, I guess in both of these cases these emails might not be signed. Thanks, Mark

              1. Mark Webb

                I checked out the link. It is talking about BSODs. I am not seeing that. Outlook 2016 just drops the attachments from certain emails when I try to forward them. As Steve B suggests, I might just be seeing this for emails that are NOT signed as they only seem to be emails that our copier sends when scanning documents to .pdf files and emailing them to us or .wav files sent from our hosted voip phone system when we get a voicemail.

          2. Mark Webb

            Hi,

            I just checked back on the Microsoft KB 4011626:
            https://support.microsoft.com/en-us/help/4011626/descriptionofthesecurityupdateforoutlook2016january9-2018

            It appears that they have an update that you need to manually download. It will not yet come down as an automatic update and this reportedly will correct the issue with attachments being dropped from emails you forward that are plain text and include attachments.

            https://support.microsoft.com/en-us/help/4011123

            I have not tested yet, but will try and do so today or tomorrow.

  2. IRS iTunes Card

    I haven’t had any issues with January Patch Tuesday.

    1. Robert

      It might be you didn’t get any. Microsoft has decreed no more updates without the registry key for the AV.

      1. CooloutAC

        Yes, very strange. they claim people will get bsod’s. the conspiracy theorist in me wonders if maybe they just want to control what security software people are allowed to use.

  3. yli

    Interesting. Wouldn’t have minded this kind of action earlier. I have a Ryzen 3 1200 and ran KB4058043 on the 5th, but thankfully had no issues.

    You’d think this kind of thing would come out in preliminary testing, if it’s overt enough to require an update-cancellation.

  4. Stratocaster

    Well THAT’s a drag! When I check for Adobe updates, I routinely check for Adobe Reader updates as well, even if none are mentioned in your monthly post. Today I got a message that “Adobe Reader XI is no longer supported.”. When did that happen? I didn’t read anything in the tech press about that, and certainly no announcement from Adobe.

    1. mister easy

      Get Foxit pdf free, it’s fine and they update it.

      And it’s not adobe so that’s +1000 points by default.

      1. yli

        I prefer Sumatra. Less clutter, faster operational speed.

        The installer looks like it’s from 1987 tho.

        1. BrianKrebs Post author

          I second this recommendation. I used to recommend Foxit but then they started bloating the crap out of it. Also, I don’t need or want to see advertising for 2-3 seconds before the PDF opens. In Sumatra, it just loads.

          1. mister easy

            You’re right, foxit is kind of bloaty now that it’s a suite.

  5. Victor

    Wasn’t the patch actually released last Tuesday, e.g. a week ago?

    1. Mark Webb

      Wikipedia has Microsoft Patch Tuesday as the second and sometimes fourth Tuesday of each month. 1/2 would have been the 1st and 1/9 the second. So, yesterday was the day I believe.

      1. somguy

        The Meltdown vulnerability fix was released out of band, about a week ago, in part because of news leaking about it before the planned release, so it was released a week early.

        Yesterday was patch tuesday (2nd tuesday of the month). MS only releases on other dates if there’s severe enough problems to warrant out of band.

        1. BrianKrebs Post author

          Yes. This was explained in the 2nd and 3rd paragraphs of the story:

          “Last week’s story, Scary Chip Flaws Raise Spectre of Meltdown, sought to explain the gravity of these two security flaws present in most modern computers, smartphones, tablets and mobile devices. The bugs are thought to be mainly exploitable in chips made by Intel and ARM, but researchers said it was possible they also could be leveraged to steal data from computers with chips made by AMD.

          By the time that story had published, Microsoft had already begun shipping an emergency update to address the flaws, but many readers complained that their PCs experienced the dreaded “blue screen of death” (BSOD) after applying the update. Microsoft warned that the BSOD problems were attributable to many antivirus programs not yet updating their software to play nice with the security updates.”

          1. JustMyLuck

            Blue Screen of Death on January 4 while Microsoft tech was on remote access installing update drivers for AMD processor……worked on it with Microsoft until January 8 (10-12 hours a day with hold time included)….FULL TIME….then had to try and get my backup from Norton by Symantec until it finally loaded on January 12 (that was 24 hour process via remote access and them transferring me to level 2 case managers throughout the day and night)…..can’t keep doing this anymore, every time there is an update with Microsoft, it messes up my computer. This time I lost apps that were on my computer preinstalled by HP and I can’t get them back, neither HP or the developer will help me. This is a nightmare because of people who are smart that don’t want to have a job, or just think it’s funny to destroy other people’s property or steal from them. Sad state this world is in.

      2. JCitizen

        Chip vulnerability update went without a hitch for me; then the .NET updates followed right behind. I guess for Windows 7 , MS wanted that patch before letting any other updates come in.

        To tell the truth, I’ve never had so easy a time in updating since that last bottle neck happened, where a lot of people just flat weren’t getting the updates, whether by manual method or automatic.

        So ever since installing those KBs that fixed that problem, I’ve not had trouble since – and that is saying something. Usually the history is littered with errors and retries to get the various important updates to install. Not anymore! I’m really surprised – not used to this!

  6. Dennis

    I’m actually concerned about this slowdown, Brian. You described how to install this update, but I want to know how NOT to install it? I don’t use this particular computer to host any shared content that may be affected by that Meltdown or Spectre but it will be bad if it makes my computer run slower. Also I don’t want to deal with BsODs or similar stuff.

    Those updates have really been a pain in the butt lately. Anything from Apple intentionally slowing down your phone with those updates from Microsoft BSODing your gaming computer.

    1. ornery

      You don’t know how to hide an update so it doesn’t install?

      Try the right mouse button. Deep breath.

    2. darius

      for what it’s worth – you are very unlikely to ever notice the slowdown caused by this.

      the “30-60%” performance drops are sensationalist claims, inferred from a single data point on tests DESIGNED to cause the worst possible case, in a shared cloud hosting environment.

      it is extremely unlikely that you – as a normal user – will ever notice a noticeable performance impact in a desktop machine workload.

      1. JCitizen

        Very true!! The only people that should be worried are IT departments that run cloud services or sophisticated data base programs. I’d almost swear I’ve had a slight performance GAIN, since I got my update.

        I’ve also read from various sources that anyone running RAM intensive software may see negative losses in performance.

    3. Harry Johnston

      If you browse the web or read email, that’s “shared content”.

      So long as you’ve at least updated your web browser, you should be moderately safe in the short term IMO. So it might be reasonable to wait a few weeks for things to settle down. Not installing the updates at all would not be a good idea, we still haven’t scratched the surface of what sort of attacks these techniques make possible.

      (Besides, Windows updates are all cumulative now, so the only way to not get the Meltdown/Spectre updates would be to stop updating altogether.)

      Don’t forget to apply BIOS updates as well as operating system and application updates.

  7. fastoy

    Pressing the Windows key and typing “about your pc” is usually easier than finding the Pause key.

    1. James Beatty

      That approach doesn’t do much for the folks running Windows 7.

  8. gigi

    Thanks, Brian! As usual, you announced this issue before any other info was widely available to non-techies and helped us keep our systems protected. Your blog is essential to surviving out here in the wild with no IT support.

    Had no problem with install in Windows 10, Intel. HATE the BSOD!

  9. Dong Johnson

    “Not sure whether your computer has an Intel or AMD chip?”

    At risk of pseudo-browbeating do you think anyone who doesn’t even know if they have Red or Blue inside is really going to be overly concerned about meltdown or a missing update?

    Mashing keys until the scheduled restart kicks in by itself, then cursing.

    1. BrianKrebs Post author

      I would wager that a fair number of people use computers without ever knowing or caring what type of chip is inside. And believe it or not, plenty of those people actually do read this site on fairly regular basis. I know because I hear from them all the time in email, and they sound just like my mother-in-law, who is exactly one of those people who couldn’t tell me what kind of chip is in her computer.

      1. yli

        I was going to say! It certainly doesn’t feel like your site is the kind that the complete tech-ignorant would read, but I guess you’re the one with the stats to back it up.

      2. Clay_T

        Thanks for the hot keys.
        I’m fairly tech savvy but don’t ask me to find what processor a winbox is running… unless you want to hear me shouting obscenities at the Windows code monkeys.

        Changing the name, location, and description of features that have had the same function since NT3.51, every time a new version is released does not constitute an update!

        Bring back File Manager!

        1. Henry Winokur

          It’s 1/2 back. Now it’s called FILE EXPLORER (Win10)

      3. Dong

        ” And believe it or not, plenty of those people actually do read this site on fairly regular basis. ”

        You’re surely right – and it’s because of your regular-guy writing style that people can actually follow along outside of their comfort zone.
        It’s a feather in your cap.

        I guess this particular bug has gotten plenty of media attention so even non-tech people would have it on their radar already, whether affected or knowing their cpu type – or not.

      4. JPTX

        A simpler option for Windows PCs for one to determine CPU/Processor type, BIOS rev, etc.

        Start up Windows normally, then:

        Press & hold Windows key, then “R” key for “run” box.
        Release both keys
        See “run” box pop up
        In “Open” field, type “msinfo32” (no quotes), press Enter key
        See good stuff

        Works for both Win 7 pro & Win 10 pro on 64bit OS at least.

  10. Catwhisperer

    Curiously, nobody is pushing microcode updates to the processors, to my awareness. Though the ability to ‘exploit’ the vulnerability may be patchable in the operating system, the vulnerability still exists in the microcode of the processor…

    Doesn’t seem to be any issues yet on Windows Server 2012…

    1. James Beatty

      Dell is patching the BIOS on a ton of systems in short order; we’ve received a few updates for newer servers, and I’ve personally applied updates for a couple of 3-year-old Optiplex systems that I had expected would be far down the update schedule.

      These recent BIOS updates (most likely Intel-sourced) specifically address these side-channel attacks.

      I haven’t seen anything for my HP systems at home, but I’m hopeful they won’t be too far behind.

    2. timeless

      Red Hat is offering the Intel microcode update.
      Debian is apparently offering it for its “next release” and “bleeding edge” [1].
      Ubuntu is offering an update for its supported platforms [2].

      Last I checked no one was offering an update for AMD.

      Note that the Linux updates are temporary hot fixes. They are applied to the cpu when the system boots and lost at power off (and restored again at the next boot). As opposed to a permanent fix.

      [1] https://packages.debian.org/search?keywords=intel-microcode
      [2] https://usn.ubuntu.com/usn/usn-3531-1/

  11. Wm

    “Another, perhaps less elegant, solution is to keep Flash installed in a browser that you don’t normally use, and then to only use that browser on sites that require it.”

    I would add: and run the Flash/ browser in a sandbox. The Comodo firewall has a built in sandbox, now called a Containment or Auto-Containment I believe.

    There is a longtime freeware program that will tell you everything about your computer called WinAudit. It will tell you everything about your computer including what your chip is under the topic ‘Processor Description’.

    http://www.majorgeeks.com/files/details/winaudit.html

  12. George G

    Hmmm …
    Updated W7 desktop w/AMD Athlon last Friday. No BSD or slowdown.

    1. Tony Clifton

      Familiarize yourself with the definition of the word “some”.

        1. JCitizen

          I for one, am glad you posted, because a lot of people may not realize that most of us may not have a problem at all; and as far as I’m concerned, that also shows that it is worth the attempt, because the alternative is definitely not worth suffering from!

  13. Henry Winokur

    I’m curious to know how long MS and the other non-CPU manufacturers knew about those bugs and how long have they been working on fixes? I wouldn’t expect them to publicize this kind of thing, until the fix was out, but… knowing the lead time would be interesting.

    1. somguy

      Months at least, google’s researchers found it last year and notified.

    2. Harry Johnston

      Only date I’ve seen is June 2017. That might not have been the earliest report, though, both Meltdown and Spectre were discovered independently by multiple researchers.

  14. Marianne Jones

    The real issue is whether or not AMD will be released updated BIOS/firmware updates. Microsoft clearly says that to fully mitigate, a hardware firmware update is required. So Microsoft points to Intel, Intel points to the computer manufacturer who bought chips from Intel, and the manufacturers may not be saying anything at all. Toshiba has exited the personal computing market, so what will happen to all their devices? The computers from Toshiba and other manufacturers who have sold no-longer supported computers? Will they provide a firmware update despite the EOL status?

    1. Marianne Jones

      Ugh… “The real issue is whether or not AMD will be released…” = “The real issue is whether or not Intel/AMD will release…”

  15. John Wayne

    My parents called me, something is wrong with the PC, not responding. Stuck at “Choose your keyboard layout”. No keyboard / no mouse input. Fk.

    Sure enough, PC is from 2010, running old AMD Athlon 64 x2 4200. Had to repair with bootable USB, re-did the updates and crapped out again. Repair for 2nd time, and paused updates for 30days. They can use it again. Hopefully MS gets it resolved by then.

  16. Steve C#

    I wonder how this will affect the Mac users. Where I used to work about a third of the computers were Macs. Those users never wanted to restart or patch their Macs. I would often come across Macs that had not been patched in 6 months. They would also tell me that everyone knows antivirus software was not needed on a Mac.

    Mac users tend to fall into two classes, those who were very knowledgeable and those who did not want to know anything about their computers.

    1. timeless

      I’m the IT person at my company, I normally push our users to upgrade quickly, I was probably the last Mac user to get this update – too many incomplete tasks. I had updated all of our servers first*.

      * We have one server which failed its update because of an incompatibility between the update (Red Hat) and our hosting environment (AWS, Para Virtualization).

  17. Matt K

    To clarify your second paragraph – AMD is only affected by Spectre; Intel is affected by both Spectre and the more serious Meltdown.

  18. Chris Pugson

    No Meltdown/Spectre updates but no other updates either. Wouldn’t you think that Microsoft would just delete the offending updates and allow us the security benefits of the others. Are there any critical updates amongst these?

    1. Chris Pugson

      Erratum: No Meltdown/Spectre updates but no other updates either for AMD processor users.

  19. Ali Hasan

    I always love your article! I always love every weekend to read your articles. They are juicy with all the information and resources.

  20. Drone

    The only time I boot Windows anymore is to watch Windows Update FAIL (usually with 0x80073712). It won’t be long until spring 2018 and I’m just getting the unwanted Fall 2017 Creator’s Update. Microsoft Windows 10 “As a Service” is an epic failure. Soon I’ll stop updating my last Windows machine and that’ll be it.

  21. Darren Gregory

    Hi, my computer has been applying this latest patch as well as others i’m sure, as I always delay applying them. I am at about 18 hours now with a black screen and the little rotating circle at the bottom. Could it be hung up? Should I restart it let it go longer?
    Thanks
    Darren

  22. CZJon74

    Has anyone noticed that Scanners and Cameras take a nosedive after the Jan 3 update?? All my Epson scanners have to have the new Jan 3rd Driver release.

  23. cloduct

    One thing worth mentioning is that users won’t receive Jan2018 updates unless their Anti-Virus software sets a registry entry to indicate it’s compatible. Users with outdated, broken, or no anti-virus software installed will not receive the Jan2018 patches or any patches after that. My fear is that this could result in a lot of machines that stop receiving patches. The rule even applies to Windows Server.

    Microsoft has an article on this at: https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

  24. Ryan

    I am wondering, since these updates we have not been able to open any office document on our internal SharePoint Server. IE 11 is our default browser for our systems and we get the following message: Sorry, we couldn’t open http;//intranet.blahblah.org/document.docx. This is happening even on the Edge browser as well. But we can successfully open them with Firefox. Any one else having this issue? Thanks.

  25. cooloutac

    Well I have not received the updates on a machine. very strange. It’s Intel, not using 3rd party av, the registry entry is present, but no january updates.

    Anyone else have this issue?

    I got a bios update, and contrary to news reports, I feel it increased my performance in gaming, by a lot. I don’t see the 20% slowdown? Maybe because I haven’t got the os updates yet?

    I don’t know what to make of this.

    1. BrianKrebs Post author

      Does your machine have an AMD chip instead of Intel? Microsoft announced the other day it was suspending updates for AMD chips due to too many BSODs, as noted in this story.

      1. cooloutac

        No, it’s Intel, in fact I just updated my chipset and bios on the 4th. The patches for asus came very quick.

        I went on MS forums and they told me to reset windows update. Then I started seeing the update but it was failing to install.

        I contacted customer support live chat. They had me do an in place upgrade. Basically download the windows media creation tool, and then run the upgrade windows option. Took about 30 mins. but I’m all up to date now and windows is running better than it was.

        I think after the november update something must have gone goofy in my system and I never realized.

        Tks as always for your Articles BK.

  26. K. Shimberg

    My HP Probook 4540s has Intel-based core, x64 system, but I see that some things in it apparently also use AMD chips for x86 components/processors, storage, and graphics driver. Am I at risk for BSOD or other adverse reactions if I install the January 2018-01 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4056894) issued on 1/4/18? Rated “Important.” (Hefty download size, 231.4 MB.)
    “A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.”

    My Windows Update had disappeared a/o some time in Dec., but after 2 days of working my way thru several different fixes suggested on Microsoft’s website, I finally found and installed a download of a “Servicing Stack Update” from July 2016 from , which re-established a Microsoft Update, now offering this January security rollup. MS Support indicates that they’re working on a fix for the issue discussed in this thread — a/o 1/11/18 the AMD lockup problem might be resolved by “next week” or “in future weeks.” Today is 1/17/18. Do you know if it’s resolved now? Is it safe to install the 1/4/18 recommended update for Win 7? There’s a standalone fix to install in case of problems, (KB4073578), and I downloaded it in case of need, but if computer suffers BSOD after I install the problematic update I assume I wouldn’t be able to access the fix. ?? Should I proceed w/ the 1/4/18 update anyway? I also seem to be unable to update the BIOS from HP — it downloads but gets hung up for hours on the installation. (These are probably 2 different issues?)

  27. Chris Pugson

    For those who build their own PCs or use Toshiba computers there seems to be no way of installing Intel and AMD updates. In that case the Microsoft security updates for Meltdown/Spectre seem only to be ineffective system slowing entities.

    The main vulnerability presently seems to exist in web browsers and there lies, in the short term at least, the best hope for mitigating processor security flaws.

    I hope that more browser checkers like Tencent’s become available so that users can readily and regularly test their vulnerabilities.

    1. K. Shimberg

      What is “Tencent browser helper?” I wondered. Did a search, found a lot on Wikipedia (and elsewhere — a lot of people apparently want to find out how to get rid of QQ once they installed it). This sounds unhelpful, to put it mildly:
      — Per Wikipedia: “Anti-malware software cheating allegations — In 2015, security testing firms AV-Comparatives, AV-TEST and Virus Bulletin jointly decided to remove Tencent from their software whitelists. The Tencent products supplied for testing were found to contain optimizations that made the software appear less exploitable when benchmarked but actually provided greater scope for delivering exploits.[173] Additionally, software settings were detrimental to end-users protection if used. Qihoo was later also accused of cheating, while Tencent was accused of actively gaming the anti-malware tests.[174][175].” (Page was last edited on 18 January 2018, at 05:04.) — Chris — Are you sure you want to recommend it?

        1. K. Shimberg

          I don’t know that much about it myself — just what I read when I searched for what “Tencent browser checker” might be. If you find out something more, please post it here. Thx.

    2. Harry Johnston

      If you build your own machine, you should check to see if a firmware update is available from your motherboard vendor. And presumably Toshiba will get with the program eventually.

      Microsoft’s updates will still address the Meltdown vulnerability on Intel CPUs even without the firmware updates. AMD CPUs aren’t immediately affected by Meltdown, so if you’re on AMD and don’t have firmware updates then the updates won’t do anything, but also won’t slow down the machine. (Or at least that’s the theory; I haven’t actually checked.)

  28. Chris Pugson

    All updates for my Windows 7 AMD Sempron 3000+ powered system seem to have been blocked including the .NET update KB4055532 and the security updates in the January KB4056894 security and quality rollup. This expedient decision of Microsoft deprives me of possible critical updates which are presumably not connected to the Meltdown/Spectre issue.

  29. Mike W

    I keep seeing that in addition to OS patches, Intel is releasing microcode or firmware updates. It doesn’t appear that any of the older models of PCs will receive support from the manufacturers and anything other than OS updates will not be made available to end users.

    For those that wonder if they have Intel or AMD, aside from many hardware inspecting utilities, most Intel machines have the little Intel inside sticker.

    I’d like to see the Linux patches display a “sorry, you have Intel inside” statement in the boot screen. Linux, are you listening?

  30. Mark Webb

    Dell and others pulling most of the BIOS updates for Spectre – read the links:

    From the frontpage of Sysadmin Reddit:
    https://www.reddit.com/r/sysadmin/comments/7sboac/dell_recommends_reverting_spectre_bios_update/

    Dell’s article on this:
    http://www.dell.com/support/article/us/en/04/sln308588/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-emc-products-dell-enterprise-servers-storage-and-networking-?lang=en

    I know we don’t use HP here, but they seem to be doing something similar:
    https://support.hp.com/gb-en/document/c05869091

    I have probably updated the bios on maybe 30 machines so far. Mostly Optiplex 7040 and some 7020 PCs. We haven’t seen any issues. I will hold off trying to roll back any of these updates unless we start seeing issues and just wait for newer updates to come out.
