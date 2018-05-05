

 



Microsoft's 'Meltdown' Patch For Windows 10 Contains a Fatal Flaw (bleepingcomputer.com) 13

Posted by EditorDavid from the fishing-chips dept.
An anonymous reader quotes BleepingComputer: Microsoft's patches for the Meltdown vulnerability have had a fatal flaw all these past months, according to Alex Ionescu, a security researcher with cyber-security firm Crowdstrike. Only patches for Windows 10 versions were affected, the researcher wrote today in a tweet. Microsoft quietly fixed the issue on Windows 10 Redstone 4 (v1803), also known as the April 2018 Update, released on Monday.

"Welp, it turns out the Meltdown patches for Windows 10 had a fatal flaw: calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation," Ionescu wrote. Ionescu pointed out that older versions of Windows 10 are still running with outdated and bypass-able Meltdown patches.

Wednesday Microsoft issued a security update, but it wasn't to backport the "fixed" Meltdown patches for older Windows 10 versions. Instead, the emergency update fixed a vulnerability in the Windows Host Compute Service Shim (hcsshim) library (CVE-2018-8115) that allows an attacker to remotely execute code on vulnerable systems.


  • too many of our servers, desktops, and laptops will no longer boot after installing Meltdown/Spectre fixes. The usual symptom is that they show the Windows loading screen then a blank screen.

  • The Windows 10 update system feels like "free to play" games, where they actually make you pay more than what you would have paid outright if you made an upfront purchase.

    While I like some of the new features (Linux support, more responsive UI, remote Xbox streaming, etc), they make sure unwanted cruft comes with it, since you can no longer choose to include or not include many components. Also they took away the excellent Windows Media Center which still has no free alternative.

    It is now too late, but

    • Re: (Score:1)

      by Anonymous Coward

      It is now too late, but I wish we stayed with the Windows 7 model, where a purchase meant a purchase, not a subscription.

      One word of advice: "Linux".

  • First they totally fscked up the Windows 7/Server 2008 Meltdown "fix", allowing every user program to access any RAM area they wanted
    https://www.theregister.co.uk/... [theregister.co.uk]
    And now again they fsck it all up in another version as well by returning the data the patch was supposed to not return. But the way they did fsck it up was totally different than the Windows 7 way. They have so many fuckups, they create different ones for each OS version, cause one fuckup is not enough. Code reuse with audited, well written code w

  • And not enough time to test them properly. Microsoft should just support one version of Windows 10, getting rid of superfluous versions like 10S and take the LTSB version and just support that without the six monthly "Windows as a service" updates.
