  • Risk Based Security brings some sanity to the Meltdown debacle

    Posted on January 9th, 2018 at 15:52 woody Comment on the AskWoody Lounge

    I just finished reading this article, recommended by Kevin Beaumont. The Slow Burn of Meltdown and Spectre: Exploits, Lawsuits, and Perspective.

    Here’s the conclusion:

    Vulnerabilities are disclosed every day, to the tune of over 20,000 new disclosures in 2017 alone. Just because a vulnerability receives a name, a website, and/or a marketing campaign does not necessarily mean it is high risk or that it will impact your organization. As always, we strongly encourage organizations to cut through the noise and focus on the details relevant to them, and make a decision based on that alone.

    I repeat – forgive me if you’ve heard this before – but there are NO KNOWN Meltdown or Spectre exploits in the wild. Folks who run servers with sensitive data — banks, brokerage houses, military contractors, cryptocurrency exchanges — need to be concerned about Meltdown and Spectre in the near term, realizing that the data can only be snooped if you allow an unauthorized program to run on your server.

    For everybody else, the first attacks (if there ever are any) are likely to come through web browsers. You need to harden your browser as soon as the update is available. You’ll want to install the new Windows patches as soon as they pass muster. And you need to get your BIOS or UEFI updated one of these days. But there’s no big rush.

    What you’re witnessing is a colossal “Sky is Falling” routine, aided and abetted by folks who are going to make money from the havoc.



    This topic contains 59 replies, has 25 voices, and was last updated by  Ascaris 9 months, 1 week ago.

    • #157904 Reply

      woody
      Da Boss


      14 users thanked author for this post.
    • #157916 Reply

      WildBill
      AskWoody Lounger

      RBS has game! I went to Jerry Gamblin’s GitHub link & read all the code. Rickrolling Still Lives… LOL!

      Windows 8.1, 64-bit, Group A... switching to Group B in November!
      Wild Bill Rides Again...

    • #157912 Reply

      anonymous

      ? says:
      thank you, woody!

    • #157945 Reply

      wdburt1
      AskWoody Lounger

      Four days ago I wrote here:

      “Is it paranoid to wonder to what extent this thing is being promoted by various people, including those who would like to force us all into Group A?

      Andy Grove: Only the paranoid survive.”

      Trying to cut through the fog: if the price of patching is a 30% slowdown or worse, is the short answer to make sure that your browser is secure? Early reports that Pale Moon is not affected are intriguing.

      A 30% slowdown is not acceptable and if that’s the only option then I stop patching.

      1 user thanked author for this post.
    • #157995 Reply

      woody
      Da Boss

      A 30% slowdown is not acceptable and if that’s the only option then I stop patching

      Unfortunately, this is another one of those situations (like the SMBv1 bug) where you don’t have much choice.

      Some day. Not now. And we’ll work through the consequences.

      4 users thanked author for this post.
    • #158008 Reply

      EP
      AskWoody Lounger

      Ed Bott has recently posted an article at ZDNet about the 4 things Windows Admins should be doing with the Meltdown-Spectre problem:

      http://www.zdnet.com/article/meltdown-spectre-four-things-every-windows-admin-needs-to-do-now/

      One of them is not to panic.

      3 users thanked author for this post.
      • #158069 Reply

        Noel Carboni
        AskWoody MVP

        And another of them is “2. Replace outdated hardware.”

        If the industry were to manufacture a security problem that makes hardware that wasn’t “outdated” yesterday seem more so today, who exactly spends the money and who gets the money?

        THAT is one of the most worrisome aspects of this whole thing.

        -Noel

        10 users thanked author for this post.
        • #158346 Reply

          Ascaris
          AskWoody MVP

          Outdated hardware… now that’s a loaded term, isn’t it?

          What exactly determines if hardware is outdated?

          What I call my main laptop (using it now to write this) is an Asus F8Sn (more or less) that uses a Core 2 Duo T7800 (2.6GHz) CPU, 8GB RAM, 1TB SSD, 1440×900 resolution TN panel, using an nVidia GT220M 1GB discrete video card. It’s 9 years old, but it runs nicely.

          Then there’s my brand new, 2017-manufactured Dell Inspiron 11-3162, with its Celeron N3060 CPU, 4GB RAM (not expandable), 32GB eMMC “hard drive” (not removable), and a 1366×768 resolution TN panel.

          The old laptop outperforms the new one across the board.  The Core 2 bests the Celeron by 50% on CPU benchmarks, and the SSD, even when hobbled by the SATA2 interface of the old laptop, posts peak throughput of more than double what the eMMC in the Inspiron does (and I have no doubt that the margin would be even bigger in 4k random reads).  The Celeron’s integrated graphics do manage to come quite close to the performance level of the discrete but much older GT220M, though not having its own RAM means that the integrated GPU has to take what it needs from the already limited 4GB installed.

          The older laptop has 30 times more storage onboard, twice the RAM, and the display has higher resolution too. The Asus also has a DVD burner and a keyboard whose keys feature twice the travel of the island keys on the Inspiron. It has a full set of LEDs to indicate power, battery charging, wireless status, Bluetooth status, HDD access, and caps lock; the Inspiron has only one, for caps lock.

          The Asus has 5 USB ports, a 1394 Firewire port, a headphone jack, a microphone jack, a VGA port, a DVI port (which is not compatible with the transplanted GT220M video card), an S-video port, a Gigabit ethernet port, a 56k voice/fax modem port, an IR “blaster” that I have yet to find a use for, a full-size SD card reader, and a secondary miniPCIE port under the bottom cover that is currently unoccupied.

          The Dell has 2 USB ports, an HDMI port, a headphone jack, and a microSD card reader. It pales in comparison to the older PC.

          So… with all of that in mind, is the Asus so much more outdated than the Dell?  It does all that is asked of it, and as long as that doesn’t involve portability or battery life, it does it all better than the Dell laptop I’ve had for two weeks.  I knew about all of this in advance; I’m not at all complaining or impugning the Dell.  I bought it to fill in when the Asus is too heavy and bulky or has too little battery life for the task at hand, and in that role it excels.

          Even if the Meltdown patch caused NO performance hit on the Dell, the Asus would still outperform it (task performance) even with the Meltdown patch in place.

          Group L (Linux): KDE Neon User Edition 5.14 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

          1 user thanked author for this post.
    • #158018 Reply

      gkarasik
      AskWoody Lounger


      So I’m waiting to apply the server patches, but I’m also seeking some clarity. I have seen that there are four reg tweaks that must be applied, a QualityCompat key and three memory keys. The instructions I’ve found are to add the three memory keys and then reboot. Is the intent of this that we install the keys, reboot, then install any available patches and reboot again? Or can I add the reg tweaks, install the patch(es), and then reboot?

      With virtual machines, the instructions are to shut down the virtual machines and then apply the patches. Do the patches then go onto the virtual machines?

      GaryK

    • #158025 Reply

      AlexEiffel
      AskWoody MVP

      Interesting. However, I wonder about the last part where the author says there are so many vulnerabilities for CPUs and no one talks about them. I would say that maybe it is either just because they didn’t hear about it or maybe because they are not as critical in real life because they are easy to fix through an update that will get pushed automatically or they are difficult to exploit or they require something installed on the computer that is bad to be triggered, which any security conscious person tries to avoid having in the first place. Actually, the arguably worse vulnerability he talks about has been fixed automatically for me by Lenovo, which did an out-of-the-ordinary aggressive push of updates on the laptops we own from them, so yes it was potentially very bad and it needed a BIOS update to be fixed, but the way it has been handled by Lenovo was seamless for me and it was as easy to fix as a Windows update or a transparent Firefox update, so no, it is not as bad at all as what Spectre might be in that sense.

      The problem with Spectre is that you only need to browse the web and not have JavaScript disabled to have some apparently unavoidable risk of exposure. That is a pretty big deal. There doesn’t seem to be any durable fix for it right now and the researchers have known about it for quite some time. If the other vulnerabilities the author refers to are potentially as bad in real life, then there is something wrong if we don’t hear about them.

      What is a bad vulnerability? One that can be exploited easily and ideally with no user intervention, or that no careful behavior can help that much to avoid. If those conditions are not met, even if the vulnerability’s consequences are quite bad, it won’t be as bad. Second, a vulnerability that is dangerous like that is really bad if you can’t fix it easily. If you need a Windows update, not that bad. If you need a BIOS update, you can be sure lots of folks will never fix it and malware authors will have fun exploiting it for a long time. If people need to change the computer, well I don’t know that companies will change their whole fleet right away because of it (if there is an alternative) and they might just hope no serious exploit will appear. In the case of Spectre, one factor that makes it less bad is the fact it is not code that will auto spread like a worm that could quickly reach all computers that aren’t hidden behind a non-Spectre-vulnerable firewall.

      I don’t panic, but I live more on hope that no serious exploit will appear than an irrational thought that it won’t happen because it is too terrible to happen. I’m not sure anybody right now is able to evaluate clearly what is doable now with this. I bet spy agencies are working a lot on this right now, as this seems to be the perfect tool for undetected gathering of information.

      4 users thanked author for this post.
    • #158030 Reply

      anonymous

      Good write-up. Having read Joanna’s and fellow researchers’ “Intel x86 considered harmful” white paper more than two years ago, it is good to see her name mentioned in the article.

      AMD has to be more open about that ARM TrustZone processor cryptography flaw, as that little chip is inside many of their products since 2014. I speculate we AMD users might have to apply an update like Intel did for their Management Engine vulnerabilities.

    • #158059 Reply

      Pim
      AskWoody Lounger

      I am a bit dizzy from all the articles about Meltdown and Spectre. What I keep reading though (also here) is that a BIOS/UEFI update is required. But what if the computer/motherboard manufacturer does not provide an update? I still have a 10 year old laptop that I would like to keep alive and maybe even get its broken screen fixed, because its (Windows 7) installation is valuable to me. Also, I see a risk that some motherboard manufacturers will not release a BIOS update if the motherboard is just a little bit too old (for instance, Asus will only provide updates starting with Skylake, so Haswell, Ivy Bridge, etc. will not receive anything).

      How serious is the risk if all other patches are applied except the BIOS patch (microcode update)? I am hoping that some of the other contributors are more knowledgeable than me, I am just a tech savvy hobbyist as far as IT is concerned.

      3 users thanked author for this post.
      • #158062 Reply

        Noel Carboni
        AskWoody MVP

        I am a bit dizzy from all the articles about Meltdown and Spectre. What I keep reading though (also here) is that a BIOS/UEFI update is required. But what if the computer/motherboard manufacturer does not provide an update? I still have a 10 year old laptop …

        Hear hear.

        So far, the maker of my 6 year old high-end workstation doesn’t seem to be interested in patching the BIOS. Last BIOS update was in 2013.

        I’m not sure whether to be relieved or upset about that yet, to be brutally honest.

        Worse, hints in the technobabble out there imply the pre-Haswell processors, still good performers even by today’s standards, will take a greater performance hit than more modern units. Oh boy, just what I want to hear while trying to leverage my hardware investment into another year of usage.

        I’m coming to the realization that today’s security risks are harder than ever to quantify, while at the same time the phrase “past performance is no guarantee of future results” is growing more and more pertinent.

        But I do have faith that people will be people, and that the more hyped up something is, the more likely an attempt is being made to manipulate others for some gain…

        From the article Woody links to…

        -Noel

        8 users thanked author for this post.
      • #158063 Reply

        radosuaf
        AskWoody Lounger

        You can modify the BIOS yourself with microcode, if you’re brave enough:

        https://www.win-raid.com/t8f16-BIOS-Modding-Introduction-and-Preparations.html

        MSI H110 PC MATE * Intel Core i5-6402P * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Gigabyte GeForce GTX 1050 Ti D5 4G * Samsung 840 EVO 250GB SSD * Western Digital Blue 1TB HDD * Seagate Barracuda 1TB HDD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 1803 64-bit + Windows 10 Mobile 1709 (Lumia 640 LTE)
        3 users thanked author for this post.
        • #158160 Reply

          Pim
          AskWoody Lounger

          Thanks, but I am not that brave 🙂

          1 user thanked author for this post.
        • #158185 Reply

          Ascaris
          AskWoody MVP

          I did this a year or so ago on the laptop I am using now, just because I could. I also added the option ROM for the new GPU I installed in the laptop (there is no firmware on the Asus MXM reversed laptop graphics card; it’s part of the system firmware). AMI’s MMTOOL.EXE makes it easy (and I’ve even used it from Linux under WINE), relatively speaking. It’s been a decade or so since I last tried to modify non-AMI firmware; every PC since then has had AMI (probably because they’re nearly all ASUS PCs and motherboards, and they use AMI).

          Group L (Linux): KDE Neon User Edition 5.14 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

      • #158111 Reply

        MrBrian
        AskWoody MVP
        • #158158 Reply

          Pim
          AskWoody Lounger

          Thanks MrBrian, very interesting! The only problem is that Intel probably will not release microcode updates for older computers (like my almost 10 year old laptop). For those cases my question “How serious is the risk if all other patches are applied except the BIOS patch (microcode update)?” is still relevant.

          I have also thought about the following, but I do not know if it would work. Maybe you or somebody else knows the answer. What if a processor receives the new microcode from a motherboard that did get a BIOS upgrade and it is then moved to a motherboard on which the latest BIOS is an older one without the new microcode. Would the new microcode on the processor stay the same (thus patched) or would it revert to an older version that might be included in that older BIOS? If it stays the same this could also be a workaround (although cumbersome, I must admit. It requires a motherboard for the same processor that did get a BIOS with the new microcode).

          Reason for asking: I have 2 Skylake motherboards, of which I am in doubt whether one (a Gigabyte GA-H110M-HD3 DDR3) will be updated because it has never moved out of beta for Kaby Lake support, so I estimate Gigabyte might not be coming forward with a new BIOS, whereas my Asus H170 Pro Gaming does receive frequent BIOS updates.

          Edit: I am surprised. Even for the 2008 Core 2 Duo T8300 in my old laptop new Linux microcode dated Jan. 8, 2018 is available! I am really surprised!

          • #158177 Reply

            Ascaris
            AskWoody MVP

            Edit: I am surprised. Even for the 2008 Core 2 Duo T8300 in my old laptop new Linux microcode dated Jan. 8, 2018 is available! I am really surprised!

            The latest microcode Intel released for your C2D will be in there, but it may be several years old even though the microcode update package from Intel is new.  It’s a rollup of all of the most recent microcodes for every CPU listed.  Unless you’ve verified that the C2D microcode has been updated, it could still be old even though it is one of the listed CPUs covered.

            Group L (Linux): KDE Neon User Edition 5.14 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

            2 users thanked author for this post.
            • #158188 Reply

              Pim
              AskWoody Lounger

              That’s a bummer. Do you perhaps know of a way to check this?

              1 user thanked author for this post.
            • #158394 Reply

              Ascaris
              AskWoody MVP

              Pim, the only way I know is to build the microcode file and check.  I did that with the new Intel microcode file, and the most recent one for CPUID 10676 (for C2D T9300) is dated September 10, 2010.

              As an added plus, I did that in Linux, using WINE.

              To answer your other question… the microcode is not stored in NVRAM in the CPU.  The microcode is loaded from the BIOS (or UEFI) into the CPU at boot time.  It would not do you any good to put the CPU in one board and update the firmware, then move the CPU to the board you really want to use it with.  Still, it implies that the updated microcode does, in fact, exist for the CPU in question, so that’s good.

              If you are not that brave (a reference to inserting the microcode blob into the firmware file yourself and flashing that), the OS can make up for it.  Both Linux and Windows can unload the existing microcode from the CPU and replace it with more up-to-date code until the next reboot (which is the whole point of the Linux microcode update in the first place).  Both Windows and Linux will install these microcodes as part of their normal updating process.

              Given that last fact, I am not quite sure why all of the hoopla over the firmware updates exists, come to think of it.

              Group L (Linux): KDE Neon User Edition 5.14 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

              1 user thanked author for this post.
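The check Ascaris describes above (building the microcode file and looking up the date for a given CPUID) can also be done by reading the update headers directly. The Python below is an added example, not code from the thread: it parses a blob in the layout of the Linux intel-ucode/ files (updates concatenated back to back) using the 48-byte update header documented in the Intel SDM, verifies each update's dword checksum, and picks the newest valid update for a CPUID and platform ID. The sample blob is constructed inline; the CPUID 10676 and the 2010-09-10 date come from the post, while the revisions, platform flags, the Haswell entry and the payload bytes are made up.

```python
"""Intel microcode update header parser (added example, not from the thread).
Header layout: Intel SDM Vol. 3A, "Microcode Update" chapter, the same 48-byte
header the Linux loader reads from /lib/firmware/intel-ucode/<fam>-<mod>-<step>.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

HEADER_FMT = "<IIIIIIIII12s"               # nine dwords + 12 reserved bytes
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 48
DEFAULT_TOTAL_SIZE = 2048                  # implied when the totalsize field is 0


@dataclass
class MicrocodeUpdate:
    signature: int       # CPUID signature (family/model/stepping), e.g. 0x10676
    platform_flags: int  # bitmask of platform IDs this update applies to
    revision: int
    year: int
    month: int
    day: int
    total_size: int
    checksum_ok: bool

    @property
    def date(self) -> str:
        return f"{self.year:04d}-{self.month:02d}-{self.day:02d}"


def _bcd(value: int) -> int:
    """Decode a BCD field (0x2010 -> 2010); the date dword is BCD mm dd yyyy."""
    result, place = 0, 1
    while value:
        digit = value & 0xF
        if digit > 9:
            raise ValueError(f"invalid BCD digit {digit}")
        result += digit * place
        place *= 10
        value >>= 4
    return result


def _dword_sum(data: bytes) -> int:
    """Sum of all dwords mod 2**32; a valid update (header + data) sums to 0."""
    return sum(struct.unpack(f"<{len(data) // 4}I", data)) & 0xFFFFFFFF


def parse_update(blob: bytes, offset: int = 0) -> MicrocodeUpdate:
    """Parse the update at `offset`, checking header version, size and checksum."""
    (hdrver, rev, date, sig, _cksum, _ldrver, pf,
     _datasize, totalsize, _reserved) = struct.unpack_from(HEADER_FMT, blob, offset)
    if hdrver != 1:
        raise ValueError(f"unsupported header version {hdrver:#x} at offset {offset}")
    if totalsize == 0:                     # old-style fixed-size update
        totalsize = DEFAULT_TOTAL_SIZE
    body = blob[offset:offset + totalsize]
    if len(body) != totalsize or totalsize % 4:
        raise ValueError(f"truncated or misaligned update at offset {offset}")
    return MicrocodeUpdate(
        signature=sig, platform_flags=pf, revision=rev,
        year=_bcd(date & 0xFFFF), month=_bcd(date >> 24), day=_bcd((date >> 16) & 0xFF),
        total_size=totalsize, checksum_ok=_dword_sum(body) == 0,
    )


def parse_blob(blob: bytes) -> list[MicrocodeUpdate]:
    """Walk a file of concatenated updates."""
    updates, offset = [], 0
    while offset + HEADER_SIZE <= len(blob):
        upd = parse_update(blob, offset)
        updates.append(upd)
        offset += upd.total_size
    return updates


def newest_for(updates: list[MicrocodeUpdate], signature: int,
               platform_id: int) -> MicrocodeUpdate | None:
    """Newest checksum-valid update for `signature` whose platform-ID bit is set."""
    # Extended signature tables (extra CPUIDs sharing one update) are not handled.
    matches = [u for u in updates if u.checksum_ok and u.signature == signature
               and u.platform_flags & (1 << platform_id)]
    return max(matches, key=lambda u: u.revision, default=None)


def build_update(signature: int, platform_flags: int, revision: int,
                 date_bcd: int, payload: bytes) -> bytes:
    """Construct a test update with a correct checksum (real updates carry signed data)."""
    payload += b"\0" * (-len(payload) % 4)
    total = HEADER_SIZE + len(payload)
    fields = [1, revision, date_bcd, signature, 0, 1, platform_flags,
              len(payload), total, b"\0" * 12]
    body = struct.pack(HEADER_FMT, *fields) + payload
    fields[4] = (-_dword_sum(body)) & 0xFFFFFFFF   # make all dwords sum to zero
    return struct.pack(HEADER_FMT, *fields) + payload


# Constructed sample blob: CPUID 10676 and the 2010-09-10 date are from the
# thread; revisions, platform flags, the Haswell entry and payloads are made up.
SAMPLE_BLOB = (
    build_update(0x10676, 0x01, 0x60A, 0x03012009, b"older C2D update")
    + build_update(0x10676, 0x01, 0x60F, 0x09102010, b"newer C2D update")
    + build_update(0x306C3, 0x32, 0x23, 0x11202017, b"a Haswell update")
)

if __name__ == "__main__":
    for u in parse_blob(SAMPLE_BLOB):
        print(f"cpuid {u.signature:06x} pf {u.platform_flags:#04x} rev {u.revision:#06x} "
              f"date {u.date} checksum {'ok' if u.checksum_ok else 'BAD'}")
```

A rollup that lists a CPUID is not evidence of a new fix: the date printed for the matching entry is what tells you how old that CPU's latest microcode actually is.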
            • #158497 Reply

              Pim
              AskWoody Lounger

              Thanks very much Ascaris. I appreciate it much, also that you have checked the C2D T9300 for me. Some users write in forums that microcode/BIOS updates should go as far back as C2D, and I must say I do agree, given such a bad bug. There still are enough old(er) computers active, which work fine today. MrBrian has written an interesting post about the dangers if the BIOS is not patched. I guess I will have to evaluate what I will do, perhaps even virtualize the machine (I’ve done that before). Also, the performance hit might be a factor moving me away from that machine (it is not a fast machine anymore). I might test that slowdown too to assess my options and preferences.

              Thanks also for your answer to my other question. I always thought that microcode was permanently loaded onto the CPU, but apparently that is not the case. MrBrian (again) has some interesting but bad info that using VMware CPU Microcode Update Driver to update microcode in Windows does not work, because the microcode is loaded to the CPU after Windows has checked whether the new microcode is present. So that wouldn’t work. He mentions another option in that thread (biosbits), but it is unknown whether that will work.

              Maybe that is the reason why the hoopla exists: it is certain that the microcode is loaded before anything else is started that needs the CPU.

              1 user thanked author for this post.
            • #158555 Reply

              Ascaris
              AskWoody MVP

              Happy to help, Pim.

              For the moment, I am letting all of the dust settle before I take any of the updates to fix this vulnerability, since it is so far not extant (in the wild).  Eventually, I would at least like to have the option of patching my older systems fully (I have two Sandy, one Core 2, one Ivy), microcode included, and Intel should not simply announce an arbitrary five year cutoff and declare anything older to be irrelevant.

              Microsoft released an emergency patch for Windows XP not long ago to fix a particularly nasty security bug, and XP was at that point what, fifteen years old?  They did this because even though XP was old and out of support, a lot of people were still using it, and for whatever reason, MS felt they had some responsibility to issue a fix for it.  I applaud Microsoft for this; it was the right choice.

              Intel now faces a similar situation.  A lot of people still use older Intel CPUs too, in part because the old ones they released were such decent performers that they’re still usable now.  I have a Core 2 Duo in my main laptop (using it now to type this), a T7800 in my case.  Even though it’s 9 years old, it still outperforms a number of brand new laptops, like my Dell Inspiron 11 that I bought just after Christmas (a few weeks ago as I write this).  It’s old, but it’s not outdated or obsolete, and there are still a lot of them in service now (as well as the Nehalems, Sandy Bridges, Ivy Bridges, etc).  Intel owes it to them (us) to update the microcodes for them even if they had not originally planned on supporting them this long.  Even Microsoft, not known for having much regard for its own customers lately, knew when it was time to ignore their own end of life statements and make an exception.

              I would not say I expect Intel to relent and release a one-time update for the older Core CPUs, but I wouldn’t be surprised by it either.  I guess you could say I half expect it.  This is an unusual situation as far as the scope and the depth of the threat, so the normal rules of “end of support” don’t really apply here.  Intel has already been hit with some lawsuits over this, and it would not shock me if releasing microcode updates to fix this vulnerability on older chips was not a part of their response.  No one’s asking Intel to resume full support for them as if all this time had not passed… just to fix this one unusually noteworthy vulnerability.

              It should be noted also that there appear to be three separate vulnerabilities within this Meltdown/Spectre family.  Meltdown is the one that doesn’t affect AMD, but it looks like the Windows fix for Intel CPUs requires so much architectural change of how Windows handles memory that all future patches (and programs like antimalware applications) will build upon that new way of doing things, so even AMD users will have to take the performance hit as the Intel patched architecture becomes the standard.

              In Linux, so far it remains easy to turn on or off the Meltdown fix… you can simply define one entry in GRUB as Meltdown safe and another as Max Performance (for example) and boot into whichever one you want.

              That’s Meltdown. There’s also Spectre, which has two variants.  One requires a CPU microcode update to mitigate the threat, but the other remains, so far, unpatched and apparently unpatchable.

              Because of this, I expect antimalware vendors to spend considerable time and effort coming up with a means of heuristically detecting attempts to invoke Spectre.  This might work for both Spectre variants, so even a system without the microcode update may be relatively safe (there’s no such thing as absolute safety, of course).

              I also expect browsers to incorporate means to block JavaScript-based attacks, since this is the most likely attack vector.

              This is something to be concerned about, but it’s not time to panic yet.  If an actual attack using any of these exploits is launched at some point, we will know more about the specific malware in question and how to protect ourselves from it even if we’re not patched up fully. I’m certain that this site will keep us well informed about this if and when it ever happens.

              Group L (Linux): KDE Neon User Edition 5.14 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

              2 users thanked author for this post.
      • #158204 Reply

        HiFlyer
        AskWoody Lounger

        #158059  “Asus will only provide updates starting with Skylake, so Haswell, Ivy Bridge, etc. will not receive anything.  How serious is the risk if all other patches are applied except the BIOS patch (microcode update)?”

        I’m in the same boat with an ASUS Haswell. Just read on their site they will take care of 6th, 7th and 8th gens.

        Didn’t see any mention of earlier gens.  Laptop is less than three years old.

        • #158212 Reply

          Pim
          AskWoody Lounger

          For complete systems the 6th gen. and above restriction was not mentioned, unlike motherboards. On the page for complete systems even 2nd gen. is mentioned as affected. That list will be expanded as new BIOS versions are released. Personally I doubt whether Asus will go all the way back to the 2nd gen., but at least there is no restriction included for the 6th gen. and above.

          I have a Mini PC with Haswell, which is still under manufacturer warranty until May. If no new BIOS has been released in 2 months I will call them to ask what they will do, because I expect a system under warranty to receive the appropriate security updates, especially because Intel will release new microcode for Haswell. Even my Dell Latitude E6430 with an Ivy Bridge processor will get a BIOS update with the new microcode next month, according to Dell’s website.

    • #158061 Reply

      radosuaf
      AskWoody Lounger

      From https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

      Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel.

      Thank you. I just set updates to “Never”.

      MSI H110 PC MATE * Intel Core i5-6402P * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Gigabyte GeForce GTX 1050 Ti D5 4G * Samsung 840 EVO 250GB SSD * Western Digital Blue 1TB HDD * Seagate Barracuda 1TB HDD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 1803 64-bit + Windows 10 Mobile 1709 (Lumia 640 LTE)
      2 users thanked author for this post.
      • #158065 Reply

        Noel Carboni
        AskWoody MVP

        The language in that article is indeed disturbing, eh?

        With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.

        Sounds bad, but… Consider the word choice: “notice”

        Is the implication there that users of Win 10 have already been over that speed bump? 🙂

        -Noel

        1 user thanked author for this post.
        • #158183 Reply

          anonymous

          Yeah, I think some of us Windows 10 users were hit with a set of speed bumps early last year, but those were purely Microsoft’s flubs plus some of those “magical” subtle degraded API changes.

      • #158178 Reply

        Ascaris
        AskWoody MVP

        Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel.

        If only Windows 8.1 was still in mainstream support, where we could reasonably expect such “legacy design decisions” to be updated!

        Yeah…

        Group L (Linux): KDE Neon User Edition 5.14 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

        1 user thanked author for this post.
    • #158077 Reply

      dph853
      AskWoody Lounger

      Another drawback to the cumulative update approach offered for Windows 10 – all or nothing.  If there are fixes available for 100 issues and I choose to forgo a single fix to prevent a loss of performance, it would be nice to have the option to fix the other 99 issues as opposed to the current situation of having to face all 100 issues head on just because I choose to avoid fixing a single issue where the cure is worse than the disease.

      3 users thanked author for this post.
      • #158151 Reply

        Ascaris
        AskWoody MVP

        If there are fixes available for 100 issues and I choose to forgo a single fix to prevent a loss of performance, it would be nice to have the option to fix the other 99 issues as opposed to the current situation of having to face all 100 issues head on just because I choose to avoid fixing a single issue where the cure is worse than the disease.

        Indeed. It seems we’re at that point now… according to a ZDNet article, if you don’t take the MS-demanded cure for Meltdown as you are told, that’s it for you and security fixes. Sorry, AMD users; the better design of your CPUs that prevents this vulnerability on your systems doesn’t mean much if Microsoft declares the design changes necessary to mitigate the problem in Intel systems to be the new normal. You’ll just have to suck it up and take the performance hit even though it doesn’t apply to you. Isn’t that awesome?

        And, of course, we’re being told that non-Win 10 versions of Windows will take an even worse hit than 10 itself.  People have long suspected that MS would use some security vulnerability as an excuse to cripple older versions of Windows, and here we go.  You want the vulnerability fixed?  Sure, we’ll cobble together some half-baked fix for Windows 7 or 8.1, but if you want it to be optimized as much as possible for performance… well, guess what?  Not gonna happen on anything but 10.

        Windows 8.1 is still in mainstream support and features a kernel that is nearly the same as what you will find in Windows 10.  Based on that, you might think that any performance optimizations to make this fix work well would be a reasonable thing to expect for 8.1 at least, if not 7 also, but this is the “new” Microsoft that so desperately wants to be Apple (which has a reputation for using OS updates to make older but otherwise viable iDevices perform so badly that upgrading is necessary).

        Linux, by contrast, can turn the bug fix for this off with a simple change to the GRUB configuration file, which isn’t as easy as, say, checking a box, but any person with even a slight working knowledge of Linux will know how to do this.  Whether or not this is a good idea is a separate issue; the point here is that deciding that the cure is worse than the disease won’t ace you out of every security fix from now on as it will with Windows. No one will be using the patch for this as a performance-reducing penalty for not upgrading on command.

        Looks like I might as well just go back to Windows 7 for my remaining Windows needs if this situation continues. I only moved to 8.1 for the extra years of security support, but it looks like every version of Windows is now unsupported, as far as I am concerned, as my current decision is to refuse this patch (and I am not about to speculate as to when or if I will change my mind as future events unfold).  Truth be told, I mainly see this issue as a browser vulnerability… if a site can execute JavaScript on my browser and read information that script has no business reading, that’s a problem with the JS engine in that browser, and I know that Mozilla is already working on this (and any fixes they produce will be backported to Waterfox, which I am using).  If I can harden the OS as well, and do so without any significant counterindications, I will, but that’s a big “if” at this point.

        Group L (Linux): KDE Neon User Edition 5.14 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

        5 users thanked author for this post.
    • #158088 Reply

      BrianL
      AskWoody Lounger

      To the common everyday desktop user (2009 Win7 SP1 x64) –  what is the danger – using AMD with R440 motherboard?

    • #158091 Reply

      BrianL
      AskWoody Lounger

      Since we are on DEFCON 2, I keep the 3 Diagnostics disabled plus update disabled. Been doing this for the last 9 months. Only enable when I check for updates, and I pick and choose the updates I need (Group B).

    • #158117 Reply

      rc primak
      AskWoody MVP

      I know it’s a bit of work, but updating the BIOS on a modern desktop or smaller PC is not really that big a deal these days. I have twice in the past few months flashed the BIOS on my Intel NUC, and it was not a big deal. No scary moments — just a couple of missteps which caused no damages.

      Patching Linux is more hands-on than patching Windows when it comes to updating the OS kernel. I have as of today done the kernel updates and recommended testing, and the only thing I do not know yet is whether I will suffer a performance hit on any of the tasks I put my NUC through from time to time.

      If there are issues, I have retained at least one unpatched kernel, and from the GRUB preboot menu, I can select one of those kernels for tasks which are experiencing unacceptable slowdowns, if there are any such tasks. Windows does not retain older kernel versions, so you can’t duplicate this elegant simplicity in Windows. Sorry.

      -- rc primak

      3 users thanked author for this post.
      • #158154 Reply

        Ascaris
        AskWoody MVP

        You can even use the new patched kernel in Linux with the Meltdown patch turned off if you add an argument to the GRUB option.  It’s really easy to do if you use GRUB Customizer.

        Group L (Linux): KDE Neon User Edition 5.14 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

        1 user thanked author for this post.
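The GRUB-argument approach Ascaris describes, and rc primak’s point about keeping an older kernel around, both raise a defender’s question: how do you tell, on a given Linux box, whether the Meltdown fix (kernel page-table isolation, PTI) is actually active, and whether the boot configuration has quietly switched it off? The shell script below is an added example and is not code from this thread or from any poster. It assumes a Linux 4.15 or later kernel, which exposes the mitigation state in /sys/devices/system/cpu/vulnerabilities/meltdown and accepts the x86 kernel parameters `nopti` and `pti=off` to disable PTI; it inspects /etc/default/grub (the file update-grub reads) rather than GRUB Customizer, and every sample input in it is constructed.

```shell
#!/bin/sh
# Added example (not from the AskWoody thread): audit helpers for the Linux
# Meltdown mitigation (PTI) and the GRUB kernel command line that can turn it
# off. The parsers take their input as text so they can be exercised on
# constructed samples without root and without a 4.15+ kernel.

# Classify the contents of /sys/devices/system/cpu/vulnerabilities/meltdown
# (Linux 4.15+). Prints one of: mitigated, vulnerable, not-affected, unknown.
meltdown_state() {
    case "$1" in
        "Mitigation: PTI"*) echo mitigated ;;
        "Not affected"*)    echo not-affected ;;
        Vulnerable*)        echo vulnerable ;;
        *)                  echo unknown ;;
    esac
}

# Print "yes" if a kernel command line carries a parameter that disables PTI
# ("nopti" or "pti=off"), else "no". Whole tokens only, so a constructed
# look-alike such as "nopti_foo" is not mistaken for the real parameter.
cmdline_disables_pti() {
    for tok in $1; do
        case "$tok" in
            nopti|pti=off) echo yes; return 0 ;;
        esac
    done
    echo no
}

# Pull GRUB_CMDLINE_LINUX_DEFAULT out of /etc/default/grub text (passed as a
# string) and strip its quotes. The last definition wins, as it does for GRUB.
grub_default_cmdline() {
    printf '%s\n' "$1" | sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' | tail -n 1
}

# Audit the running machine; only meaningful on Linux 4.15+.
audit_live() {
    f=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ ! -r "$f" ]; then
        echo "no meltdown sysfs entry (kernel older than 4.15, or not Linux)"
        return 1
    fi
    echo "running kernel:            $(meltdown_state "$(cat "$f")")"
    echo "/proc/cmdline disables PTI: $(cmdline_disables_pti "$(cat /proc/cmdline)")"
    if [ -r /etc/default/grub ]; then
        echo "grub default disables PTI:  $(cmdline_disables_pti "$(grub_default_cmdline "$(cat /etc/default/grub)")")"
    fi
}

# Constructed sample of an /etc/default/grub on which the Meltdown fix was
# switched off via the kernel command line (not taken from any real machine).
SAMPLE_GRUB='GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash pti=off"
GRUB_CMDLINE_LINUX=""'

demo() {
    echo "sysfs text 'Mitigation: PTI'  -> $(meltdown_state 'Mitigation: PTI')"
    echo "sample grub default cmdline   -> $(grub_default_cmdline "$SAMPLE_GRUB")"
    echo "sample grub disables PTI      -> $(cmdline_disables_pti "$(grub_default_cmdline "$SAMPLE_GRUB")")"
}

# Run with --live to audit the current machine; otherwise show the constructed sample.
if [ "${1:-}" = --live ]; then audit_live; else demo; fi
```

Note that the sysfs entry reports the kernel that is running right now, so if you boot a retained pre-fix kernel from the GRUB menu it will simply be absent or read “Vulnerable”; the /etc/default/grub check catches the other case, where a patched kernel has been booted with the fix deliberately disabled.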
    • #158119 Reply

      mazzinia
      AskWoody Lounger

      At this point in time, isn’t a viable solution, for Win7 users, to
      1) download and keep the Jan security update ready with a nice tag on the folder, but not apply it
      (maybe install the IE11 patch, if it’s not the one impacting the CPU… will need some confirmation)

      and

      2) rely on the mitigation measures added to the web browsers?

      • #158121 Reply

        PKCano
        AskWoody MVP

        By all means, hang on to the Jan patch and wait.

        Keeping your browsers updated is a must – that is probably the greatest source of exposure at present. Though there is no known exploit for either vuln at this time.

        5 users thanked author for this post.
        • #158134 Reply

          mazzinia
          AskWoody Lounger

          What about, when it is safe to install, adding the security patch but then disabling the CPU fix using the 2 registry keys as per the instructions they gave?

          But I guess “this” approach would require some tests in advance.

          • #158138 Reply

            PKCano
            AskWoody MVP

            Save your questions until Woody raises the DEFCON to 3 or above.
            We will know more by that time, and I’m sure he will provide the usual instructions for updating.

            2 users thanked author for this post.
        • #158250 Reply

          anonymous

          I’m going to take your advice PKCano and hang onto the patches and wait.  I’d rather be safe than sorry. My notebook is running AMD and my Desktop is running Intel.

    • #158125 Reply

      Gostak2017
      AskWoody Lounger

      In yesterday’s Woody on Windows column, “Microsoft yanks buggy Windows Meltdown/Spectre patches for AMD computers” I found an interesting nugget.

      There’s another problem on the horizon. During testing, Microsoft encountered many blue screens associated with specific antivirus programs. In order to guard against those blue screens, Microsoft established a registry key that must be set by an antivirus program before the Meltdown/Spectre patch will be applied.

      Since all of Microsoft’s patches now are cumulative (except the Win7 and 8.1 security-only manually downloaded patches), that means those who don’t pay for their antivirus product, or otherwise get thrown under the antivirus bus, won’t get any more Windows patches. Ever.

      Was this an invitation for an enterprising individual to discover exactly what that registry key is, and then develop a script to turn on and off that key at the owner’s convenience?  Sounds like a sure fire way to take back control of Windows updates.

      Gostak

      1 user thanked author for this post.
    • #158140 Reply

      anonymous

      Update BIOS? That means all motherboards now will have a new BIOS for download? My motherboard is 4 years old and the latest BIOS was released in 2015. I don’t believe they create new BIOS for all motherboards.

      • #158146 Reply

        PKCano
        AskWoody MVP

        Contact the OEM or the chip mfg to see if a BIOS update is available for your machine.

    • #158157 Reply

      anonymous

      I agree that there is no need to go ape over what has been revealed. However, we should be concerned that the exploits are going to ramp up now that the vulnerability has been exposed. It is more than likely going to come from state actors rather than the low level creeps who lurk in the shadows. State actors are very competent coders and there are lots of them. Independent contractors (with high level skills) are very well paid, so they will be queuing up for the work. Yes, there is no need to panic, but a high level of awareness is appropriate.

      From a user perspective the view of all this is different. Many users have aging systems and are still using W7. Some 64 bit, but many have 32 bit systems that have been relegated to ‘you are on your own’ status – that seems to infer that performance degradation after patches are applied is unknown (maybe even dire). These systems will never get the BIOS update for Spectre, so I am skeptical of that claim.

      To further the concern, I was on another website today and one user posted that he believes the refurbished PC market is going to be severely impacted by the Meltdown and Spectre vulnerability. He ascertains that the enterprise migration to W10 over 2018-2019 will release thousands of W7 based systems onto the refurbish market (the majority of them Intel and more than 5 years old) and he refers to them as toxic waste. The refurbish market for enterprise PCs has always been a good place to pick up a high quality bargain but with Spectre still looming, these PCs have been deemed massively devalued. Caveat emptor.

      • #158176 Reply

        lurks about
        AskWoody Lounger

        Flashing the bios is not particularly hard but I would prefer not to do it on a production box in case it goes sideways. But refurbishers can flash with little risk to production data and can add this step to the process. I doubt it will hurt the refurbished market that much long term.

      • #158179 Reply

        Ascaris
        AskWoody MVP

        The refurbish market for enterprise PCs has always been a good place to pick up a high quality bargain but with Spectre still looming, these PCs have been deemed massively devalued

        So they’re even cheaper than before!  Works for me.

        Group L (Linux): KDE Neon User Edition 5.14 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

    • #158170 Reply

      Morty
      AskWoody Lounger

      I always update Firefox when I get a notice. But I’ve been wary enough not to let them take over and automatically install updates. Am I being overcautious?

      I use Chrome also, but I still haven’t figured out their update routine. Sometimes I go into Help/About just to kick-start their update, but I don’t know if they update when I’m not looking.

      Hey, I even back up my drive before I update Windows. Not that I’m paranoid.

      aluminum-beanie-paranoiac

      1 user thanked author for this post.
    • #158198 Reply

      anonymous

      Reply to Ascaris: PC Refurbishers will not be flashing the BIOS (for Spectre) on a device that is more than 5 years old. Intel, AMD and ARM (and all the OEMs) are in lockstep with that. Consider the risk rather than the price.

      I would not mind picking up a business-level refurbished PC that was released in 2014 (Haswell microarchitecture) that runs Windows 7/64 or Windows 8.1, either this year or next. I see that most of them are getting the Spectre BIOS patch; however, when I checked the OEM websites (see link) for these units, not all of them will get the BIOS/mc fix. My current system is a Core 2 Duo Penryn generation, so I am in huge need of a new system. This one was business grade in 2009.

      https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown

      • #158383 Reply

        Ascaris
        AskWoody MVP

        PC Refurbishers will not be flashing the BIOS (for Spectre) on a device that is more than 5 years old. Intel, AMD and ARM (and all the OEMs) are in lockstep with that. Consider the risk rather than the price.

        I’m not worried about it.  I’m not going to stop using my older gear because of this, and neither are millions of others around the world.  We’re still in the early days of this whole saga; there haven’t even been any actual attacks using these things yet.  We have yet to see how antimalware programs, browsers, and security addons like NoScript will evolve to fill in the gaps, or how Intel will respond to the lawsuits that are starting to appear (maybe the microcode updates in question aren’t so unrealistic after all).

        Group L (Linux): KDE Neon User Edition 5.14 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

        2 users thanked author for this post.
    • #158222 Reply

      MrBrian
      AskWoody MVP

      I addressed several questions about microcode asked in this thread at Intel has released microcode update v20180108 with Meltdown/Spectre fixes.

      1 user thanked author for this post.
    • #158227 Reply

      HiFlyer
      AskWoody Lounger

      Re #158151 @ascaris re. ZDNet article

      “Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key”, Microsoft’s updated support page says.

      A point to clarify though is that Microsoft won’t enforce this requirement indefinitely, but rather only until it sees enough machines have applied the January 3 CPU fixes. As it notes in the FAQ on the issue:

      “Microsoft added this requirement to ensure customers can successfully install the January 2018 security updates. Microsoft will continue to enforce this requirement until there is high confidence that the majority of customers will not encounter device crashes after installing the security updates.”

      If you believe M$ will drop the requirement soon, just click the red x to accept.

      1 user thanked author for this post.
      • #158386 Reply

        Ascaris
        AskWoody MVP

        They may not enforce the registry key requirement forever, but that’s just a kludge to delay installation of the Windows fix until incompatible antivirus programs are out of the pipeline.  The requirement to take the Meltdown patch before any other security update (forevermore) is almost certainly permanent, given what they’ve written so far.

        Group L (Linux): KDE Neon User Edition 5.14 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

    • #158226 Reply

      anonymous

      Seems like the time has come for Win7 users to stop taking updates and protect themselves through sensible behaviours.

    • #158238 Reply

      dgreen
      AskWoody Lounger

      Looking for what to do to protect oneself from the Meltdown/Spectre issue for Chrome browser users.  I use Chrome for my browser.  It is version 63.0.3239.132.
      (Apparently if you have version 64 it already has this enabled.)
      You have to enable the “site isolation feature”.
      I just enabled it.

      https://www.windowslatest.com/2018/01/07/secure-google-chrome-meltdown-spectre-vulnerabilities/

    • #158241 Reply

      jescott418
      AskWoody Lounger

      Yep, avoiding the hysteria right now. Still too fluid to get all worried about what will be a long process. Still, many PC makers have weeks before BIOS updates come out. What effect they will have remains a mystery. Two things I can verify: my older pre-2015 CPUs are a bit slower, and that’s about it. Otherwise it hasn’t been a big deal so far. But again, this is a very big mess that may only get cleaned up as all these CPUs go out of service. But hey, they still work, so I will continue to use them.

    • #158251 Reply

      Mcmacladdie
      AskWoody Lounger

      I saw some updates available on HP’s support website… there are, I think, at least 6 separate listings for “HP Pavilion Desktop”.  I have no clue which of those I would need, or if I’d need all of them… I’d sooner leave well enough alone than potentially [mess] things up by trying to install the wrong one 😛

      Edited to remove a couple of words.

    • #158279 Reply

      anonymous

      ? says:

      smart me running linux:

      i did the kernel update yesterday and then a fix of the fix showed up earlier today

      “USN-3522-1 fixed a vulnerability in the Linux kernel to address Meltdown (CVE-2017-5754). Unfortunately, that update introduced a regression where a few systems failed to boot successfully. This update fixes the problem. We apologize for the inconvenience.”

      sanity? debacle?

      what about running TENS on a stick?

      https://en.wikipedia.org/wiki/Lightweight_Portable_Security

    • #158477 Reply

      Northwest Rick
      AskWoody Lounger

      Notwithstanding Woody’s commendable disclosure awhile ago that he has been “assimilated”, he is demonstrating now, once again, that “assimilated” is not synonymous with “lobotomized”! Thank the cosmos, we have a “14th-century rationalist” speaking up just when we need one.

      When this Meltdown/Spectre SNAFU first came to light, I breathed a sigh of relief, because my clunky (DON’T LAUGH!) 10-year-old Compaq Presario runs on an AMD processor, which the conventional wisdom of the moment had declared to be virtually immune. When I bought this relic back in the day, it had Vista on it. Other than an upgrade to Win7 Home Premium, a RAM max-out to 4 (so it can manage 64-bit) and a new, larger hard drive (a preventative swap-out), it’s the same machine.

      Since then, the myth of AMD invincibility seems to have fallen by the wayside. But in a baffling development reminiscent of a Keystone Cops routine (or is it “The gang that couldn’t shoot straight”?) the geniuses at M$ found a way to target AMD processors and rushed out a “fix” that delivered the dreaded Blue Screen Death!

      As a card-carrying member of Group B, I was fortunate not to fall into this trap. Even with my jaundiced eye, I did not expect this level of incompetence/irresponsibility (you choose the noun) from M$. Woody has rightly mocked them for this, as well he should. The M$ Office-related trap is of no concern to me: as one would expect from a dedicated refusenik, I use the free, open source Libre Office.

      Once again, Woody has ridden to the rescue and provided a rational course of action to safely navigate through the panic. Thanks, buddy! Another well-earned contribution check to askwoody.com will be in the mail shortly. No, SERIOUSLY!

      – Northwest Rick
