Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • MS-DEFCON 2: Batten down the hatches, there’s a kernel patch headed your way

    Posted on January 3rd, 2018 at 16:59 woody Comment on the AskWoody Lounge

    UPDATE: 4:00 am ET: @teroalhonen just noted that Yammer is down. The reason given:

    After reviewing the logs, we determined that recent maintenance is causing a portion of cloud network infrastructure to be in a degraded state. We’re reconnecting users to a to a healthy portion of infrastructure to mitigate the impact while we address the cause.

    Does “recent maintenance” encompass deployment of the Meltdown patches? That does not bode well.

    UPDATE 3:00 am ET: The Meltdown fix is getting pushed out Windows Update, but many people haven’t seen it yet. I haven’t seen either the 1709 or the 1703 update coming down the chute.

    We now have patches — both Monthly Updates and Security-only Updates — for a wide array of Window versions, from Win7 onward. See the Update Catalog for details. (Thx, @Crysta). Note that the patches are listed with a “Last Updated” date of Jan. 4, not Jan. 3. The Win7 and 8.1 patches are Security Only (the kind you have to install manually). It looks like the Monthly Rollups will come out next week.

    BUT… you won’t get any patches installed unless and until your antivirus software sets a specific registry key. If you’re running third party antivirus, it has to be updated before the Meltdown patch installer will run. It looks like there are known problems with bluescreens for some AV products.

    There are also cumulative updates for Internet Explorer 11 in various versions of Win7 and 8.1 listed in the Update Catalog. The fixes for Win10, and for Edge, are inside the respective Win10 cumulative updates. Microsoft has also released fixes for SQL Server 2016 and 2017.

    Note that the Windows Server patches are NOT enabled by default. Those of you who want to turn on Meltdown protection have to change the registry. (Thx @GossiTheDog)

    Windows XP and Server 2003 don’t yet have patches.

    There’s an official Security Advisory, ADV 180002. One sobering comment:

    In addition to installing the January 2018 Windows security updates, you may also need to install firmware updates from your device manufacturer for increased protection. Check with your device manufacturer for relevant updates.

    Which means you, as a Windows user, aren’t fully protected until you’ve installed the Windows patch, turned it on if you’re running Windows Server, and applied the latest firmware update. According to @teroalhonen, Dell, Microsoft and HPE have yet to push firmware patches.

    Microsoft has released official installation guidance for Windows Server, for non-server versions of Windows, and also for Edge and IE. Mozilla has posted its analysis for Firefox. Chromium also has details for Chrome, which should be patched later this month.

    There’s a great deal of knowledgeable speculation that Meltdown may not be fully fixed, even with firmware updates. It may require completely new processors. Expect that debate to continue for the next decade.

    We’re likely to see exploits published in fairly short order, but as of this writing, there are NO known in-the-wild exploits that take advantage of the Meltdown holes.

    It would be a very good idea to make sure that your Windows machine has auto update turned off. Kernel changes are always, always tricky. Far better to sit and wait for a few hours, or even a day or two, than to get blindsided by a bad kernel patch.

    It’s happened before. Many times.

    UPDATE: There appears to be a working exploit, purportedly on a Mac, from Michael Schwarz. “we are publishing demo code as soon as patches are available, so I guess next week.”

    I’m moving us to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it

  • Microsoft updating Win10 today with “special fix” for the Kernel Memory Vulnerability

    Posted on January 3rd, 2018 at 16:32 woody Comment on the AskWoody Lounge

    I’m seeing leaks all over, but no downloads as yet.

    Ina Fried at Axios reports:

    Microsoft is updating Windows 10 today with a special fix for the issue and also making available updates for Windows 7 and Windows 8.

    “We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.”

    Fried also reports on the statements from Intel:

    Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits”

    AMD:

    Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time.

    and ARM:

    Arm (has) been working together with Intel and AMD to address a side-channel analysis method which exploits speculative execution techniques used in certain high-end processors, including some of our Cortex-A processors. This method requires malware running locally and could result in data being accessed from privileged memory. Please note that our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted.

    Let’s see what we get from Microsoft.

    Important to note that there are NO KNOWN in-the-wild exploits at this point. Since this involves kernel code, a substantial amount of caution is in order.

    UPDATE: Google Project Zero is laying claim to at least part of the discovery:

    The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible.. These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them.

    We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation. The full Project Zero report is forthcoming.

    Google has published a detailed timeline for coverage of all of its products. Short version: Android security patches rolling out now; ChromeOS fixed in mid-December; Chrome browser fix coming Jan. 23; G Suite protected.

  • Intel “Kernel Memory Vulnerability” is going to hit all of us

    Posted on January 3rd, 2018 at 07:39 woody Comment on the AskWoody Lounge

    I first read about the problem in an article in The Reg yesterday from John Leyden and Chris Williams:

    A fundamental design flaw in Intel’s processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug… Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December…

    [The security hole] would allow ring-3-level user code to read ring-0-level kernel data. And that is not good.

    That was news to me, but we had a topic here on AskWoody started by @BillC just a few hours later. (I just discovered that I can’t put those comments under this post, so I’ve sealed off the original Code Red thread, and urge you to comment on this topic by clicking Comment on the AskWoody Lounge above.)

    It’s all vaguely reminiscent of the Intel Management Engine bug from 2016-2017.

    Lots of reason to be concerned, but there’s no immediate problem — and no known exploit. Suffice it to say that everyone running an Intel 64-bit chip will likely get hit. Apparently the Linux fix goes after AMD chips, too, although I don’t see any information about whether that’s due to a problem with AMD, or an overly zealous implementation in various Linux distros.

    Intel has the story under embargo, but I would expect we’ll get official notices shortly.

    Worth noting: Intel’s CEO Brian Krzanich sold $39 million worth of INTC stock on November 29. Just a coincidence, I’m sure. (Catalin Cimpanu has since withdrawn his tweet, saying “It’s not that bad. It was a legal sale in the eyes of the SEC.”)

    UPDATE: Alex Ionescu – “Windows 17035 Kernel ASLR/VA Isolation In Practice (like Linux KAISER). First screenshot shows how NtCreateFile is not mapped in the kernel region of the user CR3. Second screenshot shows how a ‘shadow’ kernel trap handler, is (has to be).” (Win10 17035 is the Nov 8 IoT beta build.) Thx @teroalhonen

    UPDATE: Hal Berenson: “Putting 2+2 together, my guess is you can see the fix in action here” pointing to this Amazon Web Services page

    Immediately following the reboot my server running on this instance started to suffer from cpu stress.

    We’re entering uncharted territory….

    UPDATE: Kevin Beaumont:

    UPDATE: Worthwhile details emerging, especially about the AMD fallout, on Reddit.

    UPDATE: There’s a report of Proof of Concept code from @brainsmoke.

    UPDATE: Ryan Shrout

    UPDATE: Intel (with stock down about 4% today, as of this moment), says that the security hole extends to other processors. Jordan Novet at CNBC has more from Intel’s point of view.