Welcome to another banner Patch Tuesday. Microsoft yesterday released 56 separately identified security patches for every supported version of Windows, Office, .Net, Internet Explorer and Edge. Out of that monstrous pile, only one patch cures a currently exploited problem — a flaw in Word’s Equation Editor that should have been fixed in November.
If you’re a “normal” user, your first priority shouldn’t be Microsoft’s patches, notwithstanding the fabulous PR job performed on Meltdown and Spectre’s behalf. Assuming you don’t open random Word docs with dicey embedded equations, your main concern right now should be getting your antivirus house in order.
I say that knowing full well that everybody and his second cousin is champing at the bit to have you get the Meltdown/Spectre patches installed. Sometimes I feel like a 14th-century rationalist pushing back against "known" cures for the plague.
Your machine isn’t going to, uh, melt down. Nobody’s gonna get you with Spectre. Your 3-year-old PC isn’t going to turn into a pile of sludge, in spite of what Microsoft says. Instead, the facts point to something much more prosaic: Now would be a good time to get your antivirus program caught up. That’s all.
To be sure, this month’s Patch Tuesday is formidable. The official (and unusable) Security Update Summary lists 93 patches. SANS Internet Storm Center’s (much more usable) summary shows 56 patched “CVE” security holes. Martin Brinkmann’s Ghacks.net lists all of the patches in human-readable form, with descriptions and links. He has also replicated the official patch spreadsheet, which contains 1,073 separately identified patches.
The one common factor: Aside from the Equation Editor botched repatch, not one of this month’s patches addresses a known exploited security hole.
On the Windows side, we’re seeing a re-announcement of all of the Meltdown/Spectre patches that started appearing on Jan. 3. Those patches were all updated on Jan. 4, and many again on Jan. 9. Some of them (including the Windows 8.1 security-only patch KB 4056898) have been released and re-released, without explanation. All of them have a nasty habit of bricking AMD Athlon, Sempron, Turion, Opteron, Phenom and some Ryzen computers (detailed list on TechArp).
The fact is that there are no known exploits for Meltdown or Spectre in the wild. The hell-bent push to get the Meltdown/Spectre patches installed resulted in thousands (tens of thousands? hundreds of thousands?) of bricked AMD PCs and untold hours of wasted effort, all to no benefit. Yet almost every news report is parroting the same “sky is falling/patch now” drivel.
Over on the Office side, Microsoft lists 36 security patches and 25 non-security patches, including a big crop of patches for Office 2007. That’s more than a little surprising because Office 2007 reached the end of extended support in April 2017. We also have new versions of Office 2010 Click-to-Run (14.0.7193.5000) and Office 2013 Click-to-Run (15.0.4997.1000). Office 365 version 1711 stands at Build 8730.2175.
We also have three Security Advisories:
- ADV180001 — Flash Security Update
- ADV180002 — Meltdown/Spectre Advisory
- ADV180003 — Office Defense in Depth
And we have the usual list of patches being pushed out through Windows Update and WSUS. For those trying to keep their servers going, don’t forget to look at the KB 4072698 guidelines to manually get the protections enabled, if you feel so bold. And if you see dozens of repeated Office patches on your WSUS server, you’re looking at a bug (feature?) we’ve seen for months — per @abbodi86 on AskWoody:
They release each language in a separate patch, so in WSUS/Catalog each language will have 2 entries, for 32bit/64bit. I wonder why they did not bundle all languages in a single update, like they always do with proofing tools update.
That’s a massive amount of information to absorb, but for most people, there are only two takeaways: If you open Word docs with compromised Equation Editor components, you can get pwned. And you need to get your antivirus house in order.
Yes, there are examples of Meltdown and Spectre exploits on the web, but they’re nowhere near being active ground-level threats for the vast majority of Windows customers. When they are finally weaponized, my guess is that we’ll see the first breaches come through web browsers — or on high-stakes servers in the banking, military or cryptocurrency industries — not meltdown programs running on individual machines.
If you’re looking at this month’s patches from an admin’s point of view, check out Ed Bott’s advice on ZDNet:
The first order of business is: Don't panic. The tech press loves to treat security incidents like this one as apocalyptic, but the reality is you have time to devise a comprehensive response.
The failure of Equation Editor
Those of you who follow along here may be surprised to see Equation Editor singled out for persecution. After all, Microsoft fixed the Equation Editor security hole in November, didn’t it?
Well, no. It thought it had fixed the Equation Editor with the CVE-2017-11882 patch in November, but a new bug appeared shortly after that fix went out. The new security hole is called CVE-2018-0802. The 0patch blog presents convincing evidence that the CVE-2017-11882 fix was, in fact, a masterful piece of manual hacking. It looks like Microsoft lost the source code for EQNEDT32.EXE.
Long and short of it: The CVE-2018-0802 bug is so bad (or perhaps Microsoft gave up on manually hacking the ancient executable) that this month’s patches simply zap the EQNEDT32.EXE file. Omer Gull and Ben Simon, on the Checkpoint site, give full details of the old and new exploits.
If you still use Equation Editor — an obscure feature in Word and WordPad that allows you to put equations into documents — there’s a thread on AskWoody that discusses alternatives. Microsoft recommends MathType from Wiris Suite.
Also note that if you’re concerned about opening Word (or WordPad) docs with rogue equations and don’t want to install this month’s patches just yet, you can manually disable Equation Editor with a simple registry change. Microsoft has the details.
The slowdown yet to come
There are dire warnings all over the web that installing the Meltdown/Spectre patches will drive your computer into the ground. All of the (hundreds!) of warnings about the Meltdown meltdown point back to a post by Windows head honcho Terry Myerson, who said:
- With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
- With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
- With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
That sure sounds dire — if you own a 3-year-old computer, your performance is headed into the deep abyss, right?
I say bah. Microsoft ran its performance tests, and that’s great. (Obviously, it didn’t include any AMD processors, or it would’ve discovered the AMD-bricking bug sooner.) The results are waffling in the extreme. And the conclusion serves Microsoft’s purposes. The not-so-subtle subtext is: “We did the best we could, but you Win7/8.1 holdouts are gonna have to buy a new computer.”
What I’d like to see is independent, third-party confirmation of the results. Performance stats are hard. You really have to clock something specific — or rely on benchmarks that may or may not reflect what you do, day in and day out. In my experience, a variance of 20 percent or more in “normal” user speed isn’t really noticeable.
I think the big performance question for most folks is in the browser — and we don’t have any numbers there yet. Google won’t even update Chrome until around Jan. 23. Remember that Google (and several others) discovered Meltdown and Spectre. Their slow response should tell you how much they fear an imminent attack.
The antivirus conundrum
Gregg Keizer has a full explanation of the antivirus chicken-and-egg problem in his Computerworld column earlier today. In essence, you need to make sure your antivirus enables this month’s — and all future — updates, before you try to install the January patches.
If your antivirus isn’t up to the task — see Kevin Beaumont’s excellent explainer and companion shame list — or you don’t want to pay for more antivirus “protection,” you can always uninstall your antivirus and go with Windows Defender or Microsoft Security Essentials.
I repeat — forgive me if you’ve heard this before — but there are no known Meltdown or Spectre exploits in the wild. Folks who run servers with sensitive data — banks, brokerage houses, military contractors, cryptocurrency exchanges — need to be concerned about Meltdown and Spectre in the near term, realizing that the data can be snooped only if you allow an unauthorized program to run on your server.
For everybody else, the first attacks (if there ever are any) are likely to come through web browsers. You need to harden your browser as soon as the update is available: Firefox is already partially protected, and the new Chrome is due Jan. 23.
You need to update your BIOS or UEFI, but those fixes are only starting to roll out, and I don't expect to see any garden-variety hacking of an older BIOS or UEFI in the near term. For starters, the snooping program has to be actively running on your computer.
And if you’re worried about the Equation Editor security hole, just change the registry entries recommended by Microsoft.
What you’re witnessing is a colossal “sky is falling” routine, aided and abetted by folks who are going to make money from the havoc. Don’t fall for the hype, the PR, and those cute logos. Get the facts, get your antivirus house in order, change the Equation Editor entries if you’re very concerned, and you’re good to go. For now.
Wait and watch for more AMD-caliber problems on the AskWoody Lounge.