Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Meltdown and Spectre from a Windows user’s point of view

    Home Forums AskWoody blog Meltdown and Spectre from a Windows user’s point of view

    Tagged: ,

    This topic contains 204 replies, has 34 voices, and was last updated by  MrBrian 7 months, 1 week ago.

    • Author
      Posts
    • #155989 Reply

      woody
      Da Boss

      I continue to recommend that you keep your PC locked down. There’s no compelling reason to apply yesterday’s myriad Windows patches right now. You’ll
      [See the full post at: Meltdown and Spectre from a Windows user’s point of view]

      12 users thanked author for this post.
    • #155990 Reply

      Seff
      AskWoody Lounger

      Thanks Woody, and thanks to all those who have been researching and commenting on this sorry saga. Holding off for a short time certainly seems a commonsense approach to the myriad of patches at the moment, not least until it’s established what the situation will be so far as both next week’s Windows Updates and also AMD machines are concerned. It seems to me that the report of slower performance is only one critical issue with these patches, the other is the reputation of kernel-changing updates generally.

      4 users thanked author for this post.
    • #155992 Reply

      anonymous

      I have AMD based systems and I am not going to install an MS patch that will affect the performance of my systems just because Microsoft has had to bale out their buddies at Intel.

      1 user thanked author for this post.
      • #155995 Reply

        Seff
        AskWoody Lounger

        I agree, but if the fix is included in a cumulative monthly update then beyond avoiding all such updates permanently there may not be any other option but to accept it.

        4 users thanked author for this post.
        • #156294 Reply

          Noel Carboni
          AskWoody MVP

          Wait, am I interpreting this correctly?

          We’re about to get a patch that will lower performance of software running on virtually all modern processors because of the possibility of getting some spyware?

          And is everyone convinced there is NO OTHER WAY to protect a system, such as, I don’t know, detecting the spyware on the way in and blocking it?

          The prospect of losing significant performance from the high-end computer I paid dearly for would certainly be enough to make me consider stopping updating Windows. Do we know how much performance would be lost? How much longer specific activities would take?

          I don’t get spyware/malware. I have protections both against malware being loaded into and running on my computer AND against unexpected communications (which are presumably what the malware would want to do with sensitive information). Nor do I subscribe to the notion that malware WILL ultimately run inside my computer, and so I have to give up performance to protect against it!

          Am I missing something important here?

          If not, does anyone beside me here think a patch that will ruin the performance of existing systems because of the possible threat of spyware is ridiculous?

          -Noel

          8 users thanked author for this post.
          • #156310 Reply

            DrBonzo
            AskWoody Lounger

            @Noel – Isn’t just about everything about this security hole ridiculous? There’s a lot of finger pointing between the major players, Intel AMD, ARM, Google, etc., but the fact is they’re all to blame. They all say it’s not a flaw because the chips are operating as they were designed to operate. Well, the design is flawed, pure and simple.

            On a practical level, though, I’d bet that most users who aren’t backed by an IT department would have a lot of trouble stopping traffic and malware into or out of their computers as you have done, and hence the need for patches.

            2 users thanked author for this post.
            • #156311 Reply

              Canadian Tech
              AskWoody MVP

              DrBonzo, I have roughly 150 client computers that have not been patched since May, 2017. Not a single problem!!! We use Bitdefender Antivirus+ and occasional use of ADWcleaner, along with a bit of commonsense and conservatism, as Noel describes.

              CT

              5 users thanked author for this post.
          • #156403 Reply

            radosuaf
            AskWoody Lounger

            And is everyone convinced there is NO OTHER WAY to protect a system, such as, I don’t know, detecting the spyware on the way in and blocking it?

            If it can be just a JavaScript on the web page that will mine the data, I guess it’s basically impossible. What is more worrying is that you need BOTH the patch and BIOS update – and how many mainboard manufacturers will provide them, when and for how old products? Somehow I don’t believe that 5-yr old ones will get the update, not mentioning any older ones…

             

            The prospect of losing significant performance from the high-end computer I paid dearly for would certainly be enough to make me consider stopping updating Windows. Do we know how much performance would be lost?

            Supposedly up to 30% when many I/O operations are involved. Many benchmarks vary:

            http://www.guru3d.com/articles_pages/windows_vulnerability_cpu_meltdown_patch_benchmarked,1.html

            https://www.techspot.com/article/1554-meltdown-flaw-cpu-performance-windows/

            MSI H110 PC MATE * Intel Core i5-6402P * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Gigabyte GeForce GTX 1050 Ti D5 4G * Samsung 840 EVO 250GB SSD * Western Digital Blue 1TB HDD * Seagate Barracuda 1TB HDD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 1803 64-bit + Ubuntu 18.04.1 LTS
            1 user thanked author for this post.
            • #156463 Reply

              Ascaris
              AskWoody MVP

              The Firefox devs report that the exploits rely on very precise timing, and they’re working on mitigations to keep the scripts from having that kind of precision available.  And, of course, NoScript is always a good idea if you are security-minded.

              If this is true, it might be possible to detect attempts to use the exploit by means of heuristic analysis, either by an antimalware/antiexploit program or within the browser itself.

              My gut tells me that for now, the performance and possibly the stability impact of the bugfixes for these exploits are going be pretty obnoxious, but in time, I think they will be pared down and optimized to the point that it won’t be that big of a deal.  In addition, both Linux and Windows have ways of turning off the fixes.  In Windows, it’s apparently a big enough change to cause BSODs with antimalware programs that aren’t expecting the new schema, so MS is leaving the fix in the OFF state even after it is installed until a certain registry key is set by a fix-compliant antimalware program.

              In the case of Linux, it looks like a parameter set in GRUB at boot time will turn it off.

              Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

              1 user thanked author for this post.
            • #156501 Reply

              Noel Carboni
              AskWoody MVP

              If it can be just a JavaScript on the web page that will mine the data, I guess it’s basically impossible.

              I need to see the details beyond someone online somewhere saying, vaguely, “it could be exploited with JavaScript”.

              Thing is, I’m finding it hard to understand how JavaScript can suddenly do things even a compiled executable would be hard-pressed to accomplish, especially secretly.

              It’s not like suddenly no one in the world understands how JavaScript works. People have been trying to exploit JavaScript for a long time.

              I find it hard to believe that turning scripting off entirely is going to be the only solution, BUT… This issue really isn’t much different than disallowing ActiveX / executable code to download and run… Even blocking scripting entirely could (would?) be preferable to having a computer that’s 30% slower at doing real work just so you can visit web pages with scripts running. Think about it.

              What is more worrying is that you need BOTH the patch and BIOS update – and how many mainboard manufacturers will provide them, when and for how old products?

              What worries me is how everyone immediately jumps to the part where they MUST have patches to close off the vulnerability du jour, without first understanding the risks vs. benefits.

              Heed Woody’s comment about being suspicious of vulnerabilities with cute icons and overdeveloped marketing campaigns, and always be aware that people can be manipulated for various reasons, not all of which are necessarily good for you and me.

              -Noel

              3 users thanked author for this post.
          • #156550 Reply

            anonymous

            For this problem I would like to try a test inside a VM. Wouldn’t you?

            • #156696 Reply

              Noel Carboni
              AskWoody MVP

              I would certainly test patches first in a VM – as I ALWAYS do – but with things like chip-level exploit mitigations how can you know what it will do to the performance of an actual hardware system?

              What if, for example, the OS patch were to instruct the virtual processor to somehow stop doing speculative execution? Would that mean the host system’s processor would not actually be doing it?

              This could be a case where testing in a VM doesn’t really validate a patch.

              -Noel

              2 users thanked author for this post.
            • #157024 Reply

              anonymous

              I do not know, however it would worth checking out the spectre & meltdown exploits in a VM and on spare real hardware to see it for ourselves.

              There is one point that needs remediation, in particular has been banter about not trusting these exploit announcements with fancy/cute graphics. The heartbleed bug was another real serious flaw that has a picture. Choose a previous past patched exploit it probably has an illustration.

    • #155997 Reply

      MrBrian
      AskWoody MVP
    • #155998 Reply

      MrBrian
      AskWoody MVP
      • #156118 Reply

        anonymous

        I don’t think my cheap Win 10 Dell laptop can take much more ‘updating’ before it slows to unusable. And it’s only six months old.

        With Meltdown/Spectre fix flagged to slow the CPU ‘up to 30%’ I wonder what the real number is. Higher I am thinking.

    • #156009 Reply

      MrBrian
      AskWoody MVP
    • #156014 Reply

      FakeNinja
      AskWoody Lounger

      We should all wait maybe a week after the patch has been released on tuesday before installing the update, this is a kernel patch after all. By the way, Woody, you should probably edit the MS-DEFCON page so that it no longer includes Windows Vista, it might confuse some people. Thanks!

      2 users thanked author for this post.
      • #157275 Reply

        EP
        AskWoody Lounger

        well FakeNinja, Vista may have been out of support on April 2017, but most of the new Server 2008 SP2 patches (fyi, Windows Server 2008 R0 is based on Vista SP1+ kernel) made after that date do install on Vista as I have confirmed myself on an old Vista computer. no need for Woody to remove Vista from his MS-DEFCON page.

    • #156028 Reply

      MrBrian
      AskWoody MVP
    • #156031 Reply

      MrBrian
      AskWoody MVP

      From https://spectreattack.com/ (my bolding): “Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.

    • #156029 Reply

      anonymous

      Did I miss a memo?  Isn’t it odd that the “2018-01 Cumulative Update for…” and “2018-01 Security Update for…” has appeared in our corporate WSUS on Jan 4 instead of Jan 9?  Are these not releasing on 2nd Tuesday anymore or did Microsoft advance the schedule this month?

      Edit to fix typo

      • This reply was modified 10 months, 2 weeks ago by  PKCano.
      • This reply was modified 10 months, 2 weeks ago by  PKCano.
      • This reply was modified 10 months, 2 weeks ago by  PKCano.
      1 user thanked author for this post.
      • #156034 Reply

        PKCano
        AskWoody MVP

        Because of the severity of these two recent vulnerabilities, Microsoft has released the patches early this month.

        1 user thanked author for this post.
    • #156041 Reply

      fp
      AskWoody Lounger

      2018-01 Cumulative Update for Windows 10 Version 1511 for x64-based Systems (KB4056888)

      I don’t see any Security Only patch for Win10 1511. I assume that cumulative brings 1511 up to current version or, if not, restores all the nonsense that I have cleaned off Win10 and don’t want back (Cortana, Edge and all the rest of the useless stuff).

      Am I correct?

      • This reply was modified 10 months, 2 weeks ago by  fp.
      • #156049 Reply

        PKCano
        AskWoody MVP

        As far as I know, the security-only patches are only for Win7/8.1, not Win10

        2 users thanked author for this post.
    • #156045 Reply

      anonymous

      Meltdown is the one that only affects Intel CPUs and ARM. Not AMD.

      Spectre really can not be fully patched but it affects all CPUs, except for only parts of AMD.

      Microsoft’s patch is for Meltdown. Unfortunately, the MS patch hits AMD processors too, which aren’t affected by the bug, just to accommodate Intel. Not fair.

      The patch should have been out of band for all MS versions and should never have been included in the security bundles. W10 got it out of band, whereas the pond scum will get it bundled on patch Tuesday. Yes I am referring to W7 and W8. Thanks Microsoft.

    • #156060 Reply

      anonymous

      The following article provides technical details:

      “Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign” found in “https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/”

       

    • #156065 Reply

      Canadian Tech
      AskWoody MVP

      Woody, the line in your story in Computerworld has got to be one of the best lines I have ever read. It is priceless and is a wonderful word picture:

      “It’s possible Microsoft’s kernel team has pulled off another change-the-blades-while-the-blender-is-running feat.”

      CT

      5 users thanked author for this post.
      • #156071 Reply

        woody
        Da Boss

        Hope spins eternal….

        3 users thanked author for this post.
      • #156220 Reply

        JDeC
        AskWoody Lounger

        Yes, I enjoy that comment also 🙂

         

        Group B HP Pavilion-dv6 Win7x64 Home Premium-Intel Core i5-3210M CPU

    • #156073 Reply

      MrBrian
      AskWoody MVP

      There is Spectre proof-of-concept exploit code publicly available on a well-known exploit database and also github.

      • This reply was modified 10 months, 2 weeks ago by  MrBrian.
      • This reply was modified 10 months, 2 weeks ago by  MrBrian.
      • This reply was modified 10 months, 2 weeks ago by  MrBrian.
      • #156086 Reply

        woody
        Da Boss

        I’ve seen demos, but not the code.

        This is really distressing – Spectre hasn’t been fixed, and likely won’t be fixed in my lifetime anyway.

    • #156078 Reply

      fp
      AskWoody Lounger

      As far as I know, the security-only patches are only for Win7/8.1, not Win10

      I understand that. My question is whether the cumulative patch messes up with 1511 besides applying the security patch. In your Info world article you say that, but are you sure? On what do you base that claim?

      • #156091 Reply

        woody
        Da Boss

        My question is whether the cumulative patch messes up with 1511 besides applying the security patch.

        The KB article only mentions the Meltdown patch (not by name, of course). I would be very surprised if there were any other components to the 1511 LTSC patch. Can I prove it? No. Has Microsoft clarified? Not as far as I know.

    • #156081 Reply

      MrBrian
      AskWoody MVP
    • #156084 Reply

      Geo
      AskWoody Lounger

      Group A Win 7.  Ive been taking the full  updates for several years. After the up date I go in and do the disk clean up with the windows up date clean up. I can still defrag also.   Didnt slow my computer down.  I have AMD . When the up date arrives  I`ll let you know if the up date affects the speed after I do the clean up.

      2 users thanked author for this post.
    • #156085 Reply

      Bill C.
      AskWoody Lounger

      This is the best article I have read to date on this. I have forwarded the ComputerWorld article link to some of my colleagues and friends to give them a better understanding of the issues that does not carry baggage, agendas, and hyperbole, or get so technologically detailed that they are lost.

      When I forward an AskWoody link, I always tell them to read the comments from users and experts.

      Well done!

      5 users thanked author for this post.
      • #156090 Reply

        Canadian Tech
        AskWoody MVP

        Bill C. Ditto. I did the same. I could not agree more.

        CT

        1 user thanked author for this post.
    • #156087 Reply

      radosuaf
      AskWoody Lounger

      I started the computer with net cable taken out, but after turning off Automatic Updates and scanning only Defender definitions update came up.

      MSI H110 PC MATE * Intel Core i5-6402P * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Gigabyte GeForce GTX 1050 Ti D5 4G * Samsung 840 EVO 250GB SSD * Western Digital Blue 1TB HDD * Seagate Barracuda 1TB HDD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 1803 64-bit + Ubuntu 18.04.1 LTS
    • #156130 Reply

      MrBrian
      AskWoody MVP

      Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs

      Notice from this article that some non-Intel processors are known to be affected by Meltdown.

      1 user thanked author for this post.
      • #156417 Reply

        anonymous

        @ MrBrian

        Meltdown does not affect any AMD processors.

        (quoting from the Register article)

    • #156124 Reply

      anonymous

      Thanks for linking the list of affected processors @woody. The only problem I have now is that I can’t tell if my processor is listed or not. My processor is an Intel Pentium dual E2180. I can’t imagine its not there, I just really don’t know what to look for. Thanks in advance.

       

      1 user thanked author for this post.
      • #156178 Reply

        mindwarp
        AskWoody Lounger

        You’re like me – supposedly, your Conroe and my Wolfdale (my own PC has a E5300) are unaffected.  This is odd, since both do utilize out of order execution.  My guess is that, since Intel hasn’t supported them in ages, they didn’t test them.  Your best bet is to patch your antivirus and OS (when we get the go ahead for the latter), and practice safe computing.

        • #156182 Reply

          PKCano
          AskWoody MVP

          You both are using the detection for the Intel Management Engine vulnerabilities, not one for the current Meltdown and Specter vulnerabilities.

          There is no detection for Meltsown and Specter vulns yet!

          • #156226 Reply

            mindwarp
            AskWoody Lounger

            Actually, I’m going off the list from Intel’s FAQ about Meltdown, from Woody’s post.  Conroes and Wolfdales aren’t on there.  Do I believe that means we aren’t affected?  Nope, since both processors do out of order execution.  Considering the age of both (I’ve had my computer pretty much since Win7 came out 🙂 – upgrading the graphics card allows it to run Win10 pretty well, but I’ve tweaked it heavily), I’m inclined to think Intel may not have tested either processor.

      • #156465 Reply

        Ascaris
        AskWoody MVP

        Woops, hit Thanks when I meant to reply.  It’s not even on the same line…. not that I mind giving thanks, but it doesn’t really make sense in context.

        The list was only the ones from the last five years that are affected.  The subtext seems to be that older ones don’t matter, that we should not be using them anyway.  It looks like the real story is that every Intel newer than the original Pentium is affected.

        Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

    • #156137 Reply

      Bill C.
      AskWoody Lounger

      Bummer! My Intel BLoomfield i7-960, the old first generation with 45nm die is affected. I dodged the ME issue, but got hit here.

      Well after the dust settles and the Win7 is patched, I intend to ride this CPU into the EOL for Win7 even if it takes a performance hit. I have no bleeding edge games and Word and Excel will still be fast.

      Not too sure about video transcoding. That is the only thing that really demands all cores and really gets all the fans whirring. That is sometines nice on these recent ice cold nights.

    • #156132 Reply

      anonymous

      If anyone hears news about what, if anything, Intel does for processors older than 5 years, please let us know! I have at least one processor in that category, so wondering if Intel will do anything for it or simply leave it in the cold makes me anxious.

    • #156139 Reply

      Canadian Tech
      AskWoody MVP

      Is Intel really considering only processors made in the last 5 years? That sounds unbelievably irresponsible!!!!

      CT

      1 user thanked author for this post.
      • #156181 Reply

        mindwarp
        AskWoody Lounger

        From their own FAQ that Woody linked in the site post (the one with the list of processors): “My system has a CPU that is not among those listed to receive an update. What should I do?

        In some cases, the issue is addressed by an operating system update. You should check with your equipment manufacturer or operating system vendor for any available updates and apply them as soon as practical. If no updates are available, or you have not been able to install them yet, following good security practices protect against malware in general will also help to protect against possible exploitation.”

        I have a feeling that’s the answer for older processors on the list.  My housemate’s PC has a Sandy Bridge, so unlike my PC (where I have a feeling Intel didn’t bother testing Wolfdales), I know she’s affected.  Good thing we just use our Android tablets lately at home, a lot less ARM chips are affected.

    • #156141 Reply

      MrBrian
      AskWoody MVP

      From More details about mitigations for the CPU Speculative Execution issue: “Project Zero discussed three variants of speculative execution attack. There is no single fix for all three attack variants; each requires protection independently.”

      The latter part of this link should be read by everyone who wants to understand how to protect against these vulnerabilities.

      • This reply was modified 10 months, 2 weeks ago by  MrBrian.
      • This reply was modified 10 months, 2 weeks ago by  MrBrian.
      5 users thanked author for this post.
    • #156150 Reply

      des911
      AskWoody Lounger

      Thanks to everyone for all the bits of info. Here are a couple more fragments:

      Anti-virus is also involved (not sure the technical details but it involves a registry entry). I use Norton Internet Security and it has updated eraser64.sys to the required version with today’s date. Apparently, that is sufficient to apply the Win7 x64 patch (as soon as Woody give the go-ahead).

      Different problem:

      There is an Intel tool for checking if your processor is vulnerable to the Intel Management Engine vulnerability- https://downloadcenter.intel.com/download/27150?v=t

      My 9 year old Dell with Intel i7 comes up vulnerable. D**n!

      • This reply was modified 10 months, 2 weeks ago by  PKCano.
      • This reply was modified 10 months, 2 weeks ago by  PKCano.
      • This reply was modified 10 months, 2 weeks ago by  des911. Reason: Corrected error
    • #156159 Reply

      Bill C.
      AskWoody Lounger

      I think I will dedicate one of the laptops for the sole purpose of checking my bank balances and NOTHING else – no surfing, no email, nothing.

      I will also stop any actual online purchases (rare for me normally, but sometimes used). I will still shop online, but actually call the order in via the land line (my normal process).

      At least until the OS patches come and more info is available as the the efficacy of the patches, I choose careful over convenience.

      Not sure if it will even make a difference since you have to consider all the CPUs in all the nodes and servers along the way, but it cannot hurt to be cautious. We should have learned that from the investigation of the credit data hack that many machines will remain unpatched for a while.

      PS: My paragraph 2 cautions may be worthless with paragraph 4 conditions. Inevitably, somewhere someone will put that data into a vulnerable system.

      • This reply was modified 10 months, 2 weeks ago by  Bill C..
      1 user thanked author for this post.
    • #156163 Reply

      des911
      AskWoody Lounger

      The detection tool you reference is for the Intel Management Engine vulnerability, not for Meltdown and Specter vulns. There is not detection tool yet for either of the new vulnerabilities.

      Ooops, Sorry.

    • #156160 Reply

      anonymous

      It makes total sense that Celeron processors are affected as the speculative execution function give that particular line any computing advantage it sorely needs to get an edge. Google says they have fixes for your shiny new Intel Celeron based Chromebooks, so enjoy.

      For those people using or servicing a Celeron based computer with Windows 10 will have to wait, and applying updates every month takes far too much time.

      • #156167 Reply

        Canadian Tech
        AskWoody MVP

        Chromebook. Once again it looks very interesting. After MS boondoggle called Windows Update already encouraged me in that direction.

        CT

        • #156194 Reply

          anonymous

          Yep, it does look like a nice spare computer option, any buyer be very aware would have to be certain to choose the highest end J or N Celeron CPU. If there are Pentium based Chromebooks that is probably better than any Celeron depending on the CPU’s feature set.

        • #156229 Reply

          anonymous

          After further rumination, an ARM CPU based chromebook that is not affected by these vulnerabilities might be even better… ¯\_(ツ)_/¯

    • #156197 Reply

      OscarCP
      AskWoody Lounger

      This has been posted elsewhere by MrToad28, but I think it is worth copying it here, as it might offer a measure of reassurance at this time:

      MrToad28 wrote:

      I found this plain English article useful…my notes below link:

      https://www.cnet.com/news/Spectre-Meltdown-Intel-Arm-Amd-Processor-Cpu-Chip-Flaw-Vulnerability-FAQ/
      major vulnerabilities, called Spectre and Meltdown, could let an attacker capture information they shouldn’t be able to access, like passwords and keys.
      The good news is that hackers would first need to install malicious software on your computer in order to take advantage of these flaws..they need to select their targets and hack each one of them before running a sophisticated attack to steal a computer’s sensitive information.

      So good security practices…antivirus, avoiding phish attacks and updating should mitigate threat risks.

      • This reply was modified 10 months, 2 weeks ago by  OscarCP.
      2 users thanked author for this post.
      • #156206 Reply

        The Surfing Pensioner
        AskWoody Lounger

        Thanks. I have been wondering why my gut reaction to all this brouhaha has to date been a total lack of excitation.

      • #156208 Reply

        MrBrian
        AskWoody MVP

        Web browsers are an attack vector for Spectre.

        • #156248 Reply

          anonymous

          Firefox patched 57.0.4 – https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/

          Caveat:  there is so much still unknown about these vulnerabilities that the best guidance is to assume the early patches are just the first salvo in what will likely be a long-term process

          4 users thanked author for this post.
          • #158523 Reply

            MrToad28
            AskWoody Lounger

            Firefox patched 57.0.4 – https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/ This link indicates Firefox ESR 52.x isn’t vulnerable.

            This list https://www.techarp.com/guides/Complete-Meltdown-Spectre-Cpu-List/3/

            Indicates that the  2009 Core 2 duo e8400s power a few of my Win7 desktops may not be vulnerable since they are not listed…or could be just not tested..since there’s no chance of processor microcode update on these Win 7 e8400 boxes and the win 7 update will likely slow them down considerably, I’m considering just stopping updates and relying on multiple layers of anti-virus, -malware, -exploit, -ransomeware & -spyware to keep me safe. The patches are a bigger threat anyway.

        • #156357 Reply

          Noel Carboni
          AskWoody MVP

          I would like to know a little more about the specifics of how a web browser can access such data purely from a script. Or is there an executable component involved? If the latter, that’s pretty easy to mitigate.

          -Noel

    • #156211 Reply

      MrBrian
      AskWoody MVP
    • #156224 Reply

      MrBrian
      AskWoody MVP

      January 4, 2018—KB4056895 (Monthly Rollup)

      1 user thanked author for this post.
    • #156218 Reply

      Raptor007
      AskWoody Lounger

      The best defense against JavaScript exploits is uMatrix; add a global rule “* * script block” to avoid trusting even 1st-party scripts by default.

      Windows 7 Pro x64, Slackware Linux, Mac OS 9

    • #156219 Reply

      anonymous

      I checked the Waterfox Reddit forum and there is an open question on Meltdown and javascript.

    • #156232 Reply

      MrBrian
      AskWoody MVP

      Woody’s original post has been modified with important info.

      3 users thanked author for this post.
    • #156233 Reply

      anonymous

      I find it interesting that Windows 10 users will be the true first testers to see how well the patch does for the recent vulnerabilities.  Windows 7 and 8.1 users already have downloads available in the Windows Catalog so those systems can be patched as needed.  Anyway, I look forward to seeing how this all plays out.  I do not like the chance of up to a 30% performance hit.

    • #156251 Reply

      anonymous
    • #156265 Reply

      Kirsty
      AskWoody MVP

      Intel’s Security Advisory:

      Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
      https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088

      Intel ID: INTEL-SA-00088
      Product family: Systems with Speculative Execution
      Impact of vulnerability: Information Disclosure
      Severity rating: Important
      Original release: Jan 03, 2018
      Last revised: Jan 03, 2018

       
      A helpful FAQ/information site on both Meltdown & Spectre, written for non-techies: http://www.meltdownattack.com

      Meltdown and Spectre

      Bugs in modern computers leak passwords and sensitive data.
      Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer.

      6 users thanked author for this post.
    • #156299 Reply

      Canadian Tech
      AskWoody MVP

      Noel, I could not agree more. This was built into the Intel chips in order to provide greater security and just the opposite has happened. Now, even Intel is untrustworthy. They are a bit different from Microsoft, because at least they still have the skill and intelligence to do better.

      I am with you. I do NO patching whatsoever of Microsoft software.

      I have closed down Windows Updates from Microsoft of all kinds. I know there is some risk in doing this.

      However, my considered opinion is that the risk of Microsoft changing our systems into something we would not have considered buying, and fouling up our systems with windows update errors too numerous to count is virtually 100%.

      This as opposed to some hacker breaking into one our systems and posing a serious threat which I consider to be a risk of well below 1%.

      We are well protected with one of the best antivirus programs in the market. We are relatively conservative in the use of our systems, which in itself lowers risk. We are all protected with routers that hide our IP addresses. We are all using Windows 7 systems that have had 9 years of security updates and are now finely tuned reliable stable systems.

      Backup is the critical key. I strongly encourage my clients to do backups once a month.

      It is important to note that none of my clients are businesses or people who depend on their computers for a living. We are just plain common folk who use our computers primarily for email and internet browsing and we are switching away from the less-popular and less-secure Internet Explorer to the better Google Chrome browser.

      We have not applied a single Microsoft update since May, 2017. We have not had a single instance of a problem.

      There was a time before this when you could apply security only updates as a safe strategy. However, last June, Microsoft committed a serious error. They patched an erroneous security only patch within a “quality” all in one patch, which we have no intention to ever use. That meant that unless you followed their quality roll-ups, you would be left with an erroneous patch. That behaviour just cannot be accepted. So, that was the end of Microsoft updating.

      Hacking has changed a lot in the last 10 years. It used to be the threat of some kid in the basement making a pain of him/herself. They threatened anyone that they could get at. That has morphed now into a big business enterprise — hacking. They are there to make a profit and we are not the type of profile that they would seek. They are going to go after organizations and enterprises.

      CT

      6 users thanked author for this post.
      • #156346 Reply

        Cybertooth
        AskWoody Lounger

        The approach advocated by @Canadian Tech and @Noel Carboni makes sense to me. Correct me if I’m wrong, but my understanding (so far) of these vulns is that they can be exploited assuming that suitable malware designed to use them manages to get on your system. The key, then, is to keep said malware off your system.

        Instead of slowing down our PCs and incurring the risks of royally messing up our systems that are inherent to kernel changes, it seems sensible to tighten our usual defenses (run as a standard account; keep your applications up to date; use a good AV plus resident anti-malware plus anti-exploit software; install uBlock Origin on your browsers and set up an extensive hosts file; point your IP settings to a security-oriented DNS server).

         

        2 users thanked author for this post.
        • #156354 Reply

          MrBrian
          AskWoody MVP

          Visiting a website is an attack vector for Spectre.

          1 user thanked author for this post.
          • #156376 Reply

            Cybertooth
            AskWoody Lounger

            Thanks, but presumably that would not involve visiting just any random website: it would have to be either a malicious site, or a benign site that’s unwittingly serving up malicious software via (e.g.) advertisements. No?

             

            • #156389 Reply

              MrBrian
              AskWoody MVP

              “Thanks, but presumably that would not involve visiting just any random website: it would have to be either a malicious site, or a benign site that’s unwittingly serving up malicious software via (e.g.) advertisements.”

              Those are two possible ways but there may be other ways.

            • #156495 Reply

              Cybertooth
              AskWoody Lounger

              So then you disagree with Canadian Tech’s approach to Meltdown/Spectre?

               

            • #156513 Reply

              MrBrian
              AskWoody MVP

              “So then you disagree with Canadian Tech’s approach to Meltdown/Spectre?”

              I will install all of the fixes available.

              3 users thanked author for this post.
            • #156610 Reply

              AlexEiffel
              AskWoody MVP

              I support this as well.

              It is very possible most people won’t even perceive a difference in performance in their day to day usage or it will likely be due to bias. But we don’t really know yet exactly so it is speculative. Noel of course have specific performance requirements so his approach is always a bit more extreme in terms of no compromise on performance. I understand also why it seems crazy to him and upsets him. But that doesn’t mean you shouldn’t install patches.

              Although I respect both Noel and Canadian Tech opinions, I do not share it. I very often see malware cross the boundaries of anti-virus among users. About only one out of three new viruses are detected by antivirus if I am not mistaken. I have other mitigations so I don’t have issues, really, but relying on antivirus and common sense might not be enough. Some talked about a VM but if I understood correctly, this particular problem can even cross the VM or sandbox boundaries, which is another reason why it could potentially be that bad, unlike your standard buffer overflow that anti-exploit kits, EMET or the new thing in FCU might block.

              I don’t have enough understanding about this new complex problem to issue strong opinions about whether the real world threat will be important or not, especially due to some mitigating factors. For example, Firefox patched the javascript problem. But when you read about it, it seems like a good idea, but is it enough? Will it be circumvented later? I don’t know and I bet many people don’t know.

              Waiting a little bit to see how this all works might not be a bad idea, but just plain saying you won’t install a patch because of possible slowdowns in specific scenarios like data intensive applications such as database don’t seem to me like the best approach.

              I understand Canadian Tech position and it might work for him and his customers, but relying on never visiting a tainted website by being careful is not in theory an approach that will work all the time, although the risk might be small and having good backups might be enough for some people who care less about the data stolen than loosing the data.

              Last year, for the first time in maybe 15 years, I stumbled upon a drive-by download by clicking on an apparently legitimate link on a reputable web site that was just not valid anymore and had been replaced by something else. There was no reasonable way I could have avoided that browsing normally like everyone does. Nothing bad happened because it wasn’t a sophisticated attack, but I doubt anybody here could pretend they can avoid this kind of situation. Noel’s black list might have blocked it, or not, as if you read the studies reported here by MrBrian, black lists are not THAT effective and had Noel clicked on the link, I bet there could have been a good chance the web site would not have been on the black list yet.

              That doesn’t mean the approach don’t work in practice most of the time and one can decide to balance risk/benefits the way one wants and I respect that. For some the cost is higher than others. But I don’t think people should feel too confident about running unpatched computers, but then again, most people that I see think they are not infected and when I carefully look into their computer, I find out they are and they just didn’t know it. Do they get consequences they perceive out of this? Maybe not. Maybe their credit info was stolen, but then mine was stolen at Equifax without me being able to do anything that could have prevented this. But I still prefer to err on the side of security on the computers I control. Outsmarting the bad guys is very hard even for experts.

              • This reply was modified 10 months, 2 weeks ago by  AlexEiffel.
              4 users thanked author for this post.
            • #156616 Reply

              Canadian Tech
              AskWoody MVP

              Alex, I and some of my clients have experienced the “drive-by” threat that I think you are referring to. Most of them recognize it now. When they see it, our process is to:
              Right-click on the taskbar
              Choose Task Manager
              Applications tab
              click once on the offending app
              Click End.

              Sometimes it takes a repetition of the same action, but that always clears it out.

              The danger is if you click on anything in the window.

              CT

              3 users thanked author for this post.
            • #156636 Reply

              AlexEiffel
              AskWoody MVP

              Yes, CT. In this case, it was a minor threat and ending the process was sufficient.

              However, I was highlighting the risk of any careful user to stumble upon a drive-by download, and they might not be as minor. A real good drive-by download doesn’t require user interaction. You click on an apparently legitimate link, and you end up infected through a buffer overflow or another tricky thing that exploits a vulnerability that you didn’t patch. This is the real risk. Once you click on the almost unavoidable trap to see that article a legitimate publication refered to and that has been replaced by something else, it is too late.

              The very fact that your users see that kind of minor threat is an indication that normal users like yours can in theory be exposed to any drive-by download, not only the minor ones, where running unpatched could cause an issue.

            • #156694 Reply

              Noel Carboni
              AskWoody MVP

              I just wish we had harder information about what the performance impacts will actually be.

              I’m not beyond choosing to patch, but without more info I’m not going to jump down a rabbit hole there’s no clear way to climb out of.

              Wouldn’t it be great if we could actually say, “Gee, if I patch it’ll only take 2% longer to do the thing I do a lot, which makes it worth doing for the added peace of mind.

              How do we do that without potentially making the wrong choice and throwing away a perfectly good system?

              I believe we’ll know more in time. For now I’ll be doing searches like “How much does the Meltdown / Spectre patch slow down Visual Studio builds” and similar.

              -Noel

              1 user thanked author for this post.
            • #156698 Reply

              MrBrian
              AskWoody MVP

              There are registry settings for enabling and disabling the protections, documented at https://support.microsoft.com/en-gb/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution. I don’t know if they work on non-Server operating systems.

              • This reply was modified 10 months, 2 weeks ago by  MrBrian.
              1 user thanked author for this post.
            • #156812 Reply

              anonymous

              A serious gamer has tested the Windows patch and found a performance reduction of only 3%  https://overclock3d.net/reviews/software/windows_10_meltdown_spectre_patch_performance_impact_assessment/11

              1 user thanked author for this post.
            • #156691 Reply

              Noel Carboni
              AskWoody MVP

              “Thanks, but presumably that would not involve visiting just any random website: it would have to be either a malicious site, or a benign site that’s unwittingly serving up malicious software via (e.g.) advertisements.”

              Those are two possible ways but there may be other ways.

              I’m imagining that the big, tangled shared code base out there of scripts that are loaded and run higgledy piggledy by sites could become infected with these exploits. Who tracks where their scripts are loaded from, and how they interact? Even with things like uBlock on tap there actually are a lot of scripts being run. There’s a script that runs this edit box, for example.

              Scripting is kind of growing out of control, making it difficult to configure a system to be conservative about running scripts. Just use the “developer tools” network monitor in most browsers and watch the JavaScript file activity to get pretty much any web site on the screen.

              What if, for example, you learn you can’t visit this site and type into an edit box without incurring a real risk of having your browser send a bunch of private data somwehere, especially knowing what’s loaded to your computer (given the scripting sources are all over the place) isn’t well-controlled by the site owner? Food for thought.

              It seems we’re entering a time when quantifying risk vs. reward is harder than ever.

              -Noel

              1 user thanked author for this post.
        • #156469 Reply

          jescott418
          AskWoody Lounger

          My understanding is a javascript could be used as a attack form to gain access. Security suites have not said anything about being able to protect you. In fact the proof of concept has been able to access the information without leaving any trail of even doing so. This is what makes this so serious, you could potentially be compromised and not even know it. I personally would not count on any security suite to save you with Spectre especially. I do however believe most of what we know is only proof of concept examples and it may be days or weeks before we really find out what is developed and placed in the wild to exploit this. Let’s also remember that because is so potentially silent in its attack we may not know much about these exploits unless they are discovered or published. This could be unlike anything that has been dealt with before.

          • This reply was modified 10 months, 2 weeks ago by  jescott418.
          1 user thanked author for this post.
    • #156327 Reply

      anonymous

      I am a little worried, I have the anti virus up to date (Avast), and I haven’t recieved the update yet.  Should I be worried?  (Dont worry I am going to block it once it appears and unblock it when its safe to install)

      • #156370 Reply

        anonymous

        As long as you don’t run a server with highly confidential workloads AND install malware or browse malicious Web sites OR have a virtual machine hosted with a third party, you couldn’t care less! In fact, if you run a clean box and don’t install malware OR browse malicious Web sites without anti-malware software installed, you’re even better off not to patch anything. And yes, most of us will never get a CPU firmware update anyway just because we are out of warranty.

    • #156348 Reply

      MrBrian
      AskWoody MVP

      I researched what to do to get the required Intel microcode update if your device manufacturer doesn’t supply new BIOS updates for your device anymore and if Microsoft doesn’t publish the microcode update to Windows Update (older example). The solution: [How to] Update microcode from Windows but instead use the latest Linux Processor Microcode Data File. This solution should not be used until Intel releases a newer Linux Processor Microcode Data File that has the required Intel microcode updates.

      • This reply was modified 10 months, 2 weeks ago by  MrBrian.
      4 users thanked author for this post.
      • #156351 Reply

        MrBrian
        AskWoody MVP

        Doing microcode updates this way is not permanent; the updated microcode gets loaded every time Windows starts (reference).

        3 users thanked author for this post.
      • #156358 Reply

        MrBrian
        AskWoody MVP

        I am assuming that the latest Linux Processor Microcode Data File doesn’t have the required microcode fixes but I could be wrong.

        Edit: the link above no longer has the latest Intel microcodes.

        • This reply was modified 10 months, 1 week ago by  MrBrian.
        • #156391 Reply

          MrBrian
          AskWoody MVP

          We might need microcode version 20171215 according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367.

          Edit: This was apparently an unofficial release, and is not the latest release.

          • This reply was modified 10 months, 1 week ago by  MrBrian.
          • This reply was modified 10 months, 1 week ago by  MrBrian.
          • #156479 Reply

            Ascaris
            AskWoody MVP

            If Intel releases the new microcode for a given CPU, it may be possible to create a BIOS update yourself.  If you download the Intel Linux microcode file, which is a CSV text file, you can use a program called Microdecode to turn that into a binary microcode file that can be imported into your firmware by means of a tool like AMI’s MMTOOL.  I’ve done this with the BIOS on the laptop I am using right now (among other things).  If you do this, it’s at your own risk!

            Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

            1 user thanked author for this post.
    • #156356 Reply

      Kirsty
      AskWoody MVP

      Find out if your Windows PC is affected by Meltdown/Spectre vulnerabilities

      by Martin Brinkmann | January 05, 2018 / Last Update: January 05, 2018

       
      Meltdown and Spectre are designed vulnerabilities in modern processors that allow attackers to read virtual memory arbitrarily. What this means is that attackers may read the memory of computer systems to steal passwords and other sensitive data.

       
      Read the full article here

      8 users thanked author for this post.
    • #156416 Reply

      ViperJohn
      AskWoody Lounger

      Anyone know what version of Powershell is needed to load and run the detection script Martin Brinkmann is refering to.  Windows 7 v2.0 sure as heck doesn’t work. v5.1 in W10 works.

       

      UPDATE: Install Powershell 5.1 in Windows 7 and script still will not load / run in Win7.  Microsoft says it should work in Win7 (and in 8.1 too) but no go here

      Viper

      • This reply was modified 10 months, 2 weeks ago by  ViperJohn.
      • This reply was modified 10 months, 2 weeks ago by  ViperJohn.
      1 user thanked author for this post.
      • #156456 Reply

        woody
        Da Boss

        I’m having trouble running it, too, on Win10 1703. Something about NuGet not supporting the right calls.

        1 user thanked author for this post.
      • #156477 Reply

        abbodi86
        AskWoody MVP

        It’s working for me on Windows 8.1 with WMF 5.1

        it requires two steps, installing NuGet, and trusting PSGallery repository
        Install-PackageProvider -Name NuGet -Force
        Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
        Install-Module SpeculationControl
        Get-SpeculationControlSettings

        and you also might need to change the ExecutionPolicy
        Set-ExecutionPolicy Bypass -Scope CurrentUser -Force

        • This reply was modified 10 months, 2 weeks ago by  abbodi86.
        1 user thanked author for this post.
    • #156459 Reply

      anonymous

      Huh, I have a Pentium G3440, released in 2014 so definitely within the 5-year limit they seem to have set, yet Pentium G-series isn’t listed in the list of affected CPUs. Is it actually unaffected or they slipped up? Or for some reason they don’t mean to patch it (though the most recent in the series were only released last year) so they just choose to ignore it?

      • #156624 Reply

        SueW
        AskWoody Lounger

        You may want to check back periodically.  I noticed this statement near the top (my bolding):

        “The following Intel-based platforms are impacted by this issue. Intel may modify this list at a later time.

        Win 7 SP1 Home Premium 64-bit; Office 2010; Group B; Former 'Tech Weenie'

    • #156464 Reply

      jescott418
      AskWoody Lounger

      My understanding is that Meltdown might be neutralized through patches but Spectre is more troubling to fix and could possible be a threat because there is no real fix that mitigates completely the exposure. Given the vast amount of hardware affected. I see this getting worse before it gets better. The patches worked on all three of my systems a Hazwell, Broadwell, and Kaby Lake. I think the slow down’s are over hyped for most users, maybe servers will suffer the most by this. I expect to see more exploits focused on Spectre then Meltdown simply because firmware fixes may not completely mitigate this threat.

    • #156512 Reply

      anonymous

      If a car or a toy had a fault that made it unsafe, it would be recalled. The manufacturer would be obligated by law to repair/replace the faulty component at their expense. All units affected with the fault would be recalled, not just the ones that were sold in the past 5 years.

      Unsafe cars and toys are treated like this to assure people do not get hurt or killed.

      Likewise, a component design flaw can render a computer unsafe (insecure). A patch or series of patches may fix it, but there are situations where a replacement is the only solution. However, the component manufacturer is not obligated, by law, to do anything. An unsafe (insecure) system can continue to operate – the user assumes all the liability. When component manufacturers do not voluntarily recall faulty units or refuse to fix all of the unsafe (insecure) units, it is basically a business decision. They determine how much hurt their brand can endure and the impact to their bottom line.

      Unsafe (insecure) systems do not kill people but lives can be destroyed if an attacker successfully breaches the system through a discovered vulnerability.

      Considering there are billions of users of computers, that is a lot of hurt.

      4 users thanked author for this post.
      • #156535 Reply

        Cybertooth
        AskWoody Lounger

        If billions of devices are affected, how long would it take to recall them all and replace the flawed components (assuming that were even possible for, say, 15-year-old machines)?

        • #156678 Reply

          NoLoki
          AskWoody Lounger

          In reference to recalls.  There are over a billion cars in the world and that statistic was reported in 2010. I can not imagine how many toys there are in the world.

          Regarding the computers:  It is reasonable to assume that not all affected units would require a  recall so the numbers would be less than the whole.  It can be outsourced.  If manufacturing processes are no longer capable of replacing a faulty component, then compensation is in order.

          • #156713 Reply

            Cybertooth
            AskWoody Lounger

            There’s never been a recall involving a billion cars, or even hundreds of millions. According to this article, the largest auto recall up until then involved 70 million cars.

            Multiply that by a factor of 10 or 15, and we get a sense of the magnitude of a recall of PCs with affected CPUs. Replacing a CPU isn’t AFAICT something that can be automated; it must be done by hand. Some sources suggest that processors dating back more than two decades are affected; that would involve more outsourcing than Intel, big-box electronics stores, and our friendly neighborhood PC repair shop could possibly handle within a reasonable time frame. By the time our turn came around, chances are we’d have bought a newer computer by then anyway.

             

    • #156564 Reply

      MrBrian
      AskWoody MVP
    • #156578 Reply

      MrBrian
      AskWoody MVP

      From the Spectre paper (https://spectreattack.com/): “As a result, any software or microcode countermeasure attempts should be viewed as stop-gap measures pending further research.”

      1 user thanked author for this post.
    • #156580 Reply

      MrBrian
      AskWoody MVP

      From Meltdown & Spectre security flaws – the industry responds: “Such a wide-scale attack has not been seen for some time, so ITProPortal asked the technology industry for its views on the issue.”

      2 users thanked author for this post.
    • #156655 Reply

      radosuaf
      AskWoody Lounger

      Win 8.1 – still nothing in WU.

      My test Win 10 1709 install – 2018-01 Rollup installed, 3D Mark run:

      Overall pre-patch: 6.872 points

      Overall post-patch: 6.872 points

      Physics (CPU test) pre-patch: 7.148 points

      Physics (CPU test) post-patch: 7.112 points

      Difference within error margin for me… And gaming is actually the only area where I need 100% performance. So these results are nice to see.

      MSI H110 PC MATE * Intel Core i5-6402P * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Gigabyte GeForce GTX 1050 Ti D5 4G * Samsung 840 EVO 250GB SSD * Western Digital Blue 1TB HDD * Seagate Barracuda 1TB HDD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 1803 64-bit + Ubuntu 18.04.1 LTS
      4 users thanked author for this post.
    • #156770 Reply

      MrBrian
      AskWoody MVP

      A user’s performance impact test results: https://www.reddit.com/r/pcmasterrace/comments/7obokl/performance_impact_of_windows_patch_and_bios/.

      1 user thanked author for this post.
    • #156773 Reply

      MrBrian
      AskWoody MVP
    • #156779 Reply

      abbodi86
      AskWoody MVP

      Get and run SpeculationControl on Windows 7 / 8.1 without installing WMF 5.1
      https://pastebin.com/DkG7e3hv

      2 users thanked author for this post.
    • #156811 Reply

      Ascaris
      AskWoody MVP

      Last year, for the first time in maybe 15 years, I stumbled upon a drive-by download by clicking on an apparently legitimate link on a reputable web site that was just not valid anymore and had been replaced by something else.

      The only malware I’ve ever had on my PC since I started using x86 PCs in 1990 was acquired in this way as well.  I’ve already told the story here, so if it seems familiar, it probably is.

      The web site I attempted to visit (based on a Google search) was about guitar strings, not something that is usually in that “risky” category like “warez” or porn sites.  Apparently, the site was hacked/hijacked by a miscreant who installed a redirect to a site whose URL was something about drugs, and that site used a vulnerability in Java (this was years ago, during the XP era, when people having Java enabled was normal) to cause my PC to silently download and run an executable program.

      It was also the norm for everyone to run their XP machines with full admin privs… and if you’ve ever tried to run an XP machine with a limited user account, it’s pretty frustrating.  They don’t have UAC, so any attempt to do anything that requires admin privs just gets an “Access denied,” and that’s that.  Linux is miles ahead on this; the user level/su (root) level privilege system was a part of it from the start, so it’s not tacked-on the way it was in Windows (to try to mitigate some of the threat without breaking every bit of software that assumes everyone runs as admin).  While I have run Windows post-XP in UAC-disabled mode most of the time, I wouldn’t even think of running with root privs in Linux all the time.  It’s just not the way one does things in Linux.

      I was alerted to this drive-by malware’s presence because I was running Agnitum Outpost, a security program that had a robust HIPS module that detected the errant program trying to run, popping up a dialog asking me what to do. If you’ve read my previous posts on the matter, you know that even though my mind immediately registered this as highly suspicious, the force of habit of having clicked or selected “allow” tens of times a day for years took over, and I allowed it even as my brain was yelling at my hand to stop.

      I recognized it as what it was immediately and disconnected from the net, first with the tray icon and then by physically unplugging the ethernet cable, then looked in the Outpost logs to see where the program I’d allowed now lived.  I had Outpost on maximum paranoia level, so the next thing the malware tried to do (set a registry key) also popped up a dialog, and this time I answered Block & Terminate, which worked.

      Turns out it was a previously unknown malware that had not been detected by the signature check (AV) portion of Outpost.  No idea what it came to be called when it was added to their databases, or what it was supposed to do… I just know that I sent it to several antimalware companies, and one wrote me back to tell me it was indeed a new malware.

      As far as this Meltdown/Spectre issue is concerned, I’m not against patching ever, but I am against being forced into a 30% slowdown to mitigate a threat that may not even apply to me at this time.  I’m of the opinion that an elegant, efficient way of mitigating the vuln will be found… whether it’s a signature or heuristic approach in antimalware programs, a change in the .js engines in browsers to prevent the issue, a browser addon to detect and block suspicious scripts (again, heuristically), or an OS patch that won’t result in any kind of noticeable performance hit, I think it will happen.  Just a gut feeling, at this point, but it’s too early to know anything about how this will end up just yet.

      For now, the exploit has never been seen in the wild, and until it does, I am not too worried.  Could I become the first one to end up at a compromised site and “discover” the newly-operationalized malware in the wild?  It’s possible, but not terribly likely.  There are thousands of white hats with this very exploit on their minds; they’re out looking for this.  More likely they’ll find it than me, should it ever come to pass.  If so, they will report on the attack vector, and we’ll know a little more about it.

      Until then, I’m inclined to let other people take the performance hit and do the beta testing.  A hypothetical threat only demands a hypothetical solution, and we already have that, so we’re golden, for the time being.

      Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

      5 users thanked author for this post.
      • #156820 Reply

        Noel Carboni
        AskWoody MVP

        I’m starting to see reports of gamers testing the patches, and I’m seeing numbers like “no difference” to “3% slower”.

        I’m still looking for people reporting speed differences for e.g., I/O-heavy stuff.

        -Noel

        3 users thanked author for this post.
        • #157306 Reply

          radosuaf
          AskWoody Lounger

          I’m still looking for people reporting speed differences for e.g., I/O-heavy stuff. -Noel

          Up to 40%!

          https://www.techspot.com/article/1556-meltdown-and-spectre-cpu-performance-windows/page3.html

           

          …and BIOS updates will slow down things even more:

          MSI H110 PC MATE * Intel Core i5-6402P * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Gigabyte GeForce GTX 1050 Ti D5 4G * Samsung 840 EVO 250GB SSD * Western Digital Blue 1TB HDD * Seagate Barracuda 1TB HDD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 1803 64-bit + Ubuntu 18.04.1 LTS
          • This reply was modified 10 months, 2 weeks ago by  radosuaf.
    • #157042 Reply

      MrBrian
      AskWoody MVP

      Detailed information about what fixes need to be done for the three vulnerabilities for both Windows and Linux: https://twitter.com/aionescu/status/949442252689981440. A thing I hadn’t read before: “Warning 2: 32-bit Windows does not have Meltdown patches. Beware.”

      Related information is found in the first two links from https://www.askwoody.com/forums/topic/meltdown-and-spectre-from-a-windows-users-point-of-view/#post-156508.

      • This reply was modified 10 months, 2 weeks ago by  MrBrian.
      4 users thanked author for this post.
      • #157052 Reply

        MrBrian
        AskWoody MVP

        Statement “32-bit Windows does not have Meltdown patches” has been confirmed at ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities: Security Advisory: “The existing 32 bit update packages listed in this advisory fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections for CVE-2017-5754 at this time. Microsoft is continuing to work with affected chip manufacturers and investigate the best way to provide mitigations for x86 customers, which may be provided in a future update.”

         

        • This reply was modified 10 months, 2 weeks ago by  MrBrian.
      • #157181 Reply

        MrBrian
        AskWoody MVP

        This warning has been added: “Warning 3: Windows XP/Vista and Windows Server 2003/2008 will never get Meltdown updates. Windows 8.0 is out of support, it’ll not get Meltdown updates too.”

        1 user thanked author for this post.
        • #157274 Reply

          EP
          AskWoody Lounger

          Only the “client” versions of Windows 8.0 were out of support in Jan. 12, 2016, MrBrian. MS is still providing new updates to the embedded versions of Win8.0, which do install & work even on any edition of Win8.0 as I’ve tested some of them myself.

    • #157057 Reply

      MrBrian
      AskWoody MVP

      Firefox ESR news from https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/: “Firefox 52 ESR does not support SharedArrayBuffer and is less at risk; the performance.now() mitigations will be included in the regularly scheduled Firefox 52.6 ESR release on January 23, 2018.”

      1 user thanked author for this post.
    • #157117 Reply

      MrBrian
      AskWoody MVP
      • #157120 Reply

        MrBrian
        AskWoody MVP

        One of the replies links to 2017 paper “Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript”.

        Paper abstract (my bolding):

        “Research showed that microarchitectural attacks like cache attacks can be performed through websites using JavaScript. These timing attacks allow an adversary to spy on users secrets such as their keystrokes, leveraging fine-grained timers. However, the W3C and browser vendors responded to this significant threat by eliminating fine-grained timers from JavaScript. This renders previous high-resolution microarchitectural attacks non-applicable.

        We demonstrate the inefficacy of this mitigation by finding and evaluating a wide range of new sources of timing information. We develop measurement methods that exceed the resolution of official timing sources by 3 to 4 orders of magnitude on all major browsers, and even more on Tor browser. Our timing measurements do not only re-enable previous attacks to their full extent but also allow implementing new attacks. We demonstrate a new DRAM-based covert channel between a website and an unprivileged app in a virtual machine without network hardware. Our results emphasize that quick-fix mitigations can establish a dangerous false sense of security.

        • This reply was modified 10 months, 2 weeks ago by  MrBrian.
        • This reply was modified 10 months, 2 weeks ago by  MrBrian.
        3 users thanked author for this post.
        • #157393 Reply

          AlexEiffel
          AskWoody MVP

          That’s exactly what I was fearing. That was quick!

    • #157128 Reply

      MrBrian
      AskWoody MVP
    • #157132 Reply

      MrBrian
      AskWoody MVP

      From CPU security bugs caused by speculative execution: “This repo is an attempt to collect information on the class of information disclosure vulnerabilities caused by CPU speculative execution that were disclosed on January 3rd, 2018.”

      • This reply was modified 10 months, 2 weeks ago by  MrBrian.
      2 users thanked author for this post.
    • #157313 Reply

      anonymous

      I found HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat, the “all clear to patch” registry key, on a system running Windows Vista x64 and Microsoft Security Essentials. Since MrBrian posted Warning 3 that Vista will not get a Meltdown patch, I guess this just means Microsoft Security Essentials is compatible and it sets the “all clear to patch” registry key on all systems without checking the OS.

    • #157428 Reply

      MrBrian
      AskWoody MVP

      From NVIDIA’s response to speculative side channels CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754: ” We […] are updating our GPU drivers to help mitigate the CPU security issue.”

    • #157449 Reply

      AlexEiffel
      AskWoody MVP

      What I don’t understand is if big companies like Microsoft were notified of the issue a long time ago, they suddenly have to rush patches like 1-2 weeks delay would make a difference when it’s been months they are aware and they should maybe have already tested the patches and be ready for deployment sooner than later when it was supposed to be announced.

      • #157462 Reply

        Canadian Tech
        AskWoody MVP

        Alex, your supposition is that there is good management at Microsoft that would recognize a problem and actually manage their resources to solve it. Unfortunately, that clearly is just not an attribute that it currently has.

        CT

        1 user thanked author for this post.
    • #157460 Reply

      ViperJohn
      AskWoody Lounger

      IT’S NOT JUST CPU’s

      Just a heads up for nVidia GFX Card users. NV has released the 390.65 WHQL Drivers that mitigate the Spectre variant that nVidia’s GPU are apparently exposed to.

      https://www.ghacks.net/2018/01/08/nvidia-geforce-driver-390-65-whql-is-a-security-update/

      https://www.geforce.com/drivers

      AMD Radeon users should no doubt be watching for security driver releases for their GPU’s as well.

      Viper

      • This reply was modified 10 months, 2 weeks ago by  ViperJohn.
      4 users thanked author for this post.
    • #157577 Reply

      MrBrian
      AskWoody MVP
    • #157590 Reply

      Elly
      AskWoody MVP

      First off… I have not tried to install the January patches for my Win 7 Home… but I wanted to know what was going on, on my laptop…

      So I checked if my antivirus (AVG free) had updated to include the new QualityCompat registry key. I updated it manually, every day, since the news about the registry key came out, but there was no change in the absence of the registry key, and Windows Update did not offer the January Quality and Security Rollup. AVG support said that it was compatible and including the key since January 3rd, but I wasn’t seeing it.

      I  did a partial uninstall of AVG to trigger repair, because someone else on their support site had the repair work for them. It didn’t work for me. I uninstalled AVG, then downloaded and attempted to re-install AVG from their website. It said it encountered an unexpected Error code: 0xc007271d and couldn’t update. I couldn’t find that on their support site… sigh…

      So I thought about what could prevent me from installing anything. I remembered I had Windows10FirewallControl free version installed. I checked that, and it was indeed blocking AVG’s install attempts. When I attempted to give AVG permission to install through the Firewall, it said that the free version would not allow any system changes. Deep breathing practiced for several minutes…

      I uninstalled Windows10Firewall… installed AVG… reinstalled the firewall… and I now have the QualityCompat registry key… and finally the January update is being offered in Windows Update. I have an old i5 Sandy Bridge processor, and I haven’t heard anyone test that compatability yet, and I sure don’t want to volunteer as a guinea pig!

      I repeat, I am not installing, just wanted to be ready when the time comes… but that was a lot to go through just to become eligible for any future updates…

      And it isn’t because I wanted to look dumb, that I post this… there will be other non-techy people hitting roadblocks like this, and maybe this will encourage them to check out different things…

      I really appreciate the information posted here, that let me get this far.

      Win 7 Home, 64 bit, Group B

      6 users thanked author for this post.
    • #157676 Reply

      MrBrian
      AskWoody MVP

      Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities has been modified to include the registry changes used to disable and enable the Spectre/Meltdown Windows fixes.

      3 users thanked author for this post.
    • #157741 Reply

      MrBrian
      AskWoody MVP

      The browser rendering engine WebKit‘s developers have written blog post What Spectre and Meltdown Mean For WebKit, parts of which are probably applicable to web browsers in general:

      “Security researchers have recently uncovered security issues known as Meltdown and Spectre. These issues apply to all modern processors and allow attackers to gain read access to parts of memory that were meant to be secret. To initiate a Spectre- or Meltdown-based attack, the attacker must be able to run code on the victim’s processor. WebKit is affected because in order to render modern web sites, any web JavaScript engine must allow untrusted JavaScript code to run on the user’s processor. Spectre impacts WebKit directly. Meltdown impacts WebKit because WebKit’s security properties must first be bypassed (via Spectre) before WebKit can be used to mount a Meltdown attack.

      WebKit relies on branch instructions to enforce what untrusted JavaScript and WebAssembly code can do. Spectre means that an attacker can control branches, so branches alone are no longer adequate for enforcing security properties.

      Meltdown means that userland code, such as JavaScript running in a web browser, can read kernel memory. Not all CPUs are affected by Meltdown and Meltdown is being mitigated by operating system changes. Mounting a Meltdown attack via JavaScript running in WebKit requires first bypassing branch-based security checks, like in the case of a Spectre attack. Therefore, Spectre mitigations that fix the branch problem also prevent an attacker from using WebKit as the starting point for Meltdown.”

      • This reply was modified 10 months, 2 weeks ago by  MrBrian.
      2 users thanked author for this post.
    • #157761 Reply

      MrBrian
      AskWoody MVP

      Mark Burnett has three mitigation-related flowcharts at https://github.com/m8urnett/Windows-Spectre-Meltdown-Mitigations.

      2 users thanked author for this post.
    • #157797 Reply

      MrBrian
      AskWoody MVP
      • #157831 Reply

        MrBrian
        AskWoody MVP

        “We currently support 45 editions of Windows. Patches for 41 of them are available now through Windows Update. We expect the remaining editions to be patched soon. We are maintaining a table of editions and update schedule in our Windows customer guidance article.

        Silicon microcode is distributed by the silicon vendor to the system OEM, which then decides to release it to customers. Some system OEMs use Windows Update to distribute such microcode, others use their own update systems. We are maintaining a table of system microcode update information here. Surface will be updated through Windows Update starting today.”

    • #157804 Reply

      MrBrian
      AskWoody MVP

      From Microsoft: Protect your Windows devices against Spectre and Meltdown.

      1 user thanked author for this post.
      • #157813 Reply

        MrBrian
        AskWoody MVP

        “We will not be issuing updates for Windows Vista or Windows XP-based systems including WES 2009 and POSReady 2009.

        Although Windows Vista and Windows XP-based systems are affected products, Microsoft is not issuing an update for them because the comprehensive architectural changes required would jeopardize system stability and cause application compatibility problems. We recommend that security-conscious customers upgrade to a later operating system to keep pace with the changing security threat landscape and benefit from the more robust protections that later operating systems provide.”

        1 user thanked author for this post.
    • #157900 Reply

      Canadian Tech
      AskWoody MVP

      MS has withdrawn some patches for Win10 on AMD machines because they brick the machines:

      https://www.theinquirer.net/inquirer/news/3024061/microsofts-withdraws-spectre-and-meltdown-patch-thats-borking-amd-machines

      CT

      1 user thanked author for this post.
    • #157992 Reply

      MrBrian
      AskWoody MVP

      Understanding the output of the Get-SpeculationControlSettings PowerShell script

      Note that there are 2 mitigations that can be independently enabled/disabled.

      • This reply was modified 10 months, 1 week ago by  MrBrian.
      3 users thanked author for this post.
    • #158126 Reply

      MrBrian
      AskWoody MVP

      ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities was revised again on January 9: “Revised the Affected Products table to include updates for supported editions of Microsoft SQL Server 2008, Microsoft SQL Server 2008, and Microsoft SQL Server 2016 because these updates provide mitigations for ADV180002.”

      1 user thanked author for this post.
      • #158413 Reply

        MrBrian
        AskWoody MVP

        Three FAQs were added on January 10.

        1 user thanked author for this post.
    • #158135 Reply

      MrBrian
      AskWoody MVP

      From Protecting guest virtual machines from CVE-2017-5715 (branch target injection): “This page provides additional detail about protecting virtual machines on Hyper-V hosts from CVE-2017-5715 (branch target injection).”

      1 user thanked author for this post.
    • #158152 Reply

      MrBrian
      AskWoody MVP
    • #158441 Reply

      MrBrian
      AskWoody MVP

      Alex Ionescu‏ claims to have a reliable Meltdown proof-of-concept for Windows.

      2 users thanked author for this post.
      • #158508 Reply

        woody
        Da Boss

        Meltdown. It’s a “weaponized”/reliable PoC against Windows, you got it…. This is just for fun. Won’t release anything. No I don’t work anywhere with access to this in advance or anything non public.

        He knows what he’s doing, too. This is disconcerting….

        1 user thanked author for this post.
      • #158528 Reply

        AlexEiffel
        AskWoody MVP

        Do you study Russian and play guitar?

      • #158638 Reply

        MrBrian
        AskWoody MVP

        From https://twitter.com/aionescu/status/951530541068660736: “Now with less ShakyCam. […]”

    • #158540 Reply

      MrBrian
      AskWoody MVP

      From https://twitter.com/phillip_misner/status/951491825390428160: “At this point there is no plan for Windows Update to offer microcode updates. You will still need to get those from your OEM.”

      1 user thanked author for this post.
    • #158644 Reply

      MrBrian
      AskWoody MVP

      From AMD: An Update on AMD Processor Security (January 11)

      2 users thanked author for this post.
    • #158694 Reply

      MrBrian
      AskWoody MVP

      From Intel Offers Security Issue Update: “In early December we began distributing Intel firmware updates to our OEM partners. For Intel CPUs introduced in the past five years, we expect to issue updates for more than 90 percent of them within a week, and the remainder by the end of January. We will continue to issue updates for other products thereafter.”

      2 users thanked author for this post.
    • #159041 Reply

      MrBrian
      AskWoody MVP
    • #159173 Reply

      satrow
      AskWoody MVP

      Dedoimedo’s view: How to deploy Meltdown patches – in Windows 7/8/10 with no AV.

      Six systems from 2010 through 2015, five different generations of processors and three different hardware vendors, Windows 7/8/10, Home, Pro and Ultimate editions, Nvidia and Intel graphics, admin and limited users, no anti-virus software at all. I tested manual security and rollup updates, I tested with the registry key. I tried applications, video streaming, games. Everything was fine after these updates.

      I don’t see any AMD CPUs mentioned, take it as Intel CPU tests only.

      Oh, and performance tests are to follow 🙂

    • #159341 Reply

      anonymous

      Hello woody!

      Intel has known their bugs in their processors since 1992.

      Here is an old report made in 1992:

      https://pdfs.semanticscholar.org/2209/42809262c17b6631c0f6536c91aaf7756857.pdf

      I think this old report should known and published everywhere!!!!

      Intel should pay for this bug, I think in a demand collective, people should use the old report.

      This is very very strong!!!!!!

      Bye!

    • #159352 Reply

      anonymous

      Hello Woody!

      the old report is since 1995, not from 1992, sorry for that 🙁

      https://pdfs.semanticscholar.org/2209/42809262c17b6631c0f6536c91aaf7756857.pdf

      and the discover is someone, his/her(?) nick is tullido, located in a spanish forum called meneame:

      https://www.meneame.net/m/tecnolog%C3%ADa/intel-publica-resultados-rendimiento-tras-aplicar-parches-ing

      Thank you very much and I’m looking forward if someone could publish this info as soon as possible.

      Thanks.

      1 user thanked author for this post.
    • #159370 Reply

      MrBrian
      AskWoody MVP

      Blog post by Alex Ionescu‏: Chip Flaws Spectre and Meltdown are Actually Three Vulnerabilities and Proving Hard to Mitigate (January 11). Contain some vendor-specific info.

      • #159489 Reply

        Bill C.
        AskWoody Lounger

        Interesting article that is above my level of expertise, but I did notice the part about 32bit systems being vulnerable to the Variant 3, and mitigations for those systems are far more complex and will probably not be done.

        I may have read it incorrectly or understood it incorrectly, but I was under the impression that these were 64bit threats, and not 32bit also.

        Thanks for the link and do correct me if I am in error.

    • #159446 Reply

      MrBrian
      AskWoody MVP

      Intel has released highly technical document “Speculative Execution Side Channel Mitigations” (pdf link).

      • This reply was modified 10 months, 1 week ago by  MrBrian.
      • #159474 Reply

        anonymous

        @mrbrian

        Thanks for the link to Intel document which discusses mitigations for two of the three side channel vulnerabilities.  For additional Intel discussion on all three, please see their companion white paper.

        • This reply was modified 10 months, 1 week ago by  PKCano.
        • This reply was modified 10 months, 1 week ago by  MrBrian.
        2 users thanked author for this post.
    • #159466 Reply

      MrBrian
      AskWoody MVP
    • #159696 Reply

      MrBrian
      AskWoody MVP

      For developers: From Spectre mitigations in MSVC:

      “Software changes are required to mitigate variant 1 on all currently affected CPUs.

      […]

      In order to help developers mitigate this new issue, the MSVC compiler has been updated with support for the /Qspectre switch which will automatically insert one of these speculation barriers when the compiler detects instances of variant 1.

      […]

      It is important to note that there are limits to the analysis that MSVC and compilers in general can perform when attempting to identify instances of variant 1. As such, there is no guarantee that all possible instances of variant 1 will be instrumented under /Qspectre.”

      • This reply was modified 10 months, 1 week ago by  MrBrian.
      1 user thanked author for this post.
    • #159743 Reply

      MrBrian
      AskWoody MVP

      From Unbootable state for AMD devices in Windows 10 version 1709:

      “An update is available to fix the following issue that occurs after you install January 3, 2018—KB4056892 (OS Build 16299.192):

      AMD devices fall into an unbootable state.”

      • This reply was modified 10 months ago by  MrBrian.
      • This reply was modified 10 months ago by  MrBrian.
    • #159948 Reply

      MrBrian
      AskWoody MVP
    • #160547 Reply

      MrBrian
      AskWoody MVP

      From ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities: ’01/19/2018     1 – Updated FAQ #10 to announce that Microsoft has resumed updating all AMD devices with the Windows operating system security update to help protect against the chipset vulnerabilities known as Spectre and Meltdown. See the FAQ for links to information on how to download the update for your operating system. Customers with AMD-based devices should install the updates to be protected from the vulnerabilities discussed in this advisory. 2 – Added an update to FAQ #7 that security update 4073291 is available to provide additional protections for the 32-bit (x86) version of Windows 10 Version 1709 related to CVE 2017-5754 (“Meltdown”).’

      2 users thanked author for this post.
    • #161867 Reply

      MrBrian
      AskWoody MVP

      From Meltdown and Spectre: What about drivers? (for driver developers):

      “To summarize our guidance:

      The Windows patches designed to mitigate the Meltdown and Spectre (types 2 and 3) vulnerabilities should handle these issues without any code or logic changes in drivers, file systems, or file system filters.

      The Windows Meltdown and Spectre mitigation patches should not have any adverse effect on drivers, file systems, or file system filters.

      All Windows kernel-mode code should be recompiled with the /Qspectre switch at your earliest convenience. This switch is available starting in VS 2017 Update 5.  This doesn’t require an emergency fix.  Rather, it’s we recommend you use this switch when you build the next update of your product.”

      This is consistent with previous advice that driver updates are needed to protect against Spectre variant 1.

    • #162043 Reply

      MrBrian
      AskWoody MVP

      New post at AMD Processor Security: Software Techniques for Managing Speculation on AMD Processors Whitepaper (January 24, 2018).

      • #162048 Reply

        MrBrian
        AskWoody MVP

        Quotes from the paper:

        “For variant 1 mitigation, AMD is recommending software only solutions which need to be evaluated in a wide range of software including kernel software, JITs, browsers, and other user applications.”

        “For variant 2, there are both software and software plus hardware mitigations.”

        “This is referred to as a variant 3 (Google Project Zero and Meltdown). No AMD processor has been designed with this behavior and so we are not discussing mitigation steps in the rest of the document for this variant but we are including it here for completeness.”

    • #162108 Reply

      MrBrian
      AskWoody MVP

      For those in Group B that wish to avoid the Meltdown updates altogether, you will probably want to avoid any present and future Windows security-only update that contains file ntoskrnl.exe from December 2017 or later. I don’t recommend doing this though. Reference: Here’s how the new Meltdown patch for Windows is enforced for AMD systems.

      • This reply was modified 9 months, 4 weeks ago by  MrBrian.
      • This reply was modified 9 months, 4 weeks ago by  MrBrian.
    • #162165 Reply

      MrBrian
      AskWoody MVP

      From Meltdown-Spectre: Why were flaws kept secret from industry, demand lawmakers: “US lawmakers want to know why only a select few companies knew about Meltdown and Spectre, and whether these insiders considered the impact of their secrecy on others.”

    • #162756 Reply

      MrBrian
      AskWoody MVP

      From What can I do to protect my PC from the Meltdown and Spectre flaws? (January 25, 2018):

      ‘You’re most likely to be attacked via your web browser, and browser suppliers are already updating their software. It’s now particularly important to keep your browsers up to date.

      You can reduce the risk by using “site isolation” in the Chrome browser. As Google explains: “Site Isolation offers a second line of defense to make such attacks less likely to succeed. It ensures that pages from different websites are always put into different processes, each running in a sandbox that limits what the process is allowed to do.”’

      1 user thanked author for this post.
    • #167134 Reply

      MrBrian
      AskWoody MVP

      ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities was updated on February 13, 2018: “02/13/2018  Microsoft has released security updates to provide additional protections for the 32-bit (x86) versions of Windows 10 as follows: 4074596 for Windows 10, 4074591 for Windows 10 Version 1511, 4074590 for Windows 10 Version 1607, and 4074592 for Windows 10 Version 1703. Microsoft recommends that customers running 32-bit systems install the applicable update as soon as possible. Microsoft continues to work to provide 32-bit (x86) protections for other supported Windows versions but does not have a release schedule at this time. These update will be included in subsequent updates, and do not apply to x64 (64-bit) systems. Added a section under Advisory Details to announce that Microsoft has released mitigations for Windows Holographic to Microsoft HoloLens customers that are provided automatically as part of the February 2018 Windows Security Update to Windows 10 Version 1607 for HoloLens. HoloLens customers do not need to take any additional action to update their device firmware. Added FAQ#12 and FAQ#13 to provide further information for installing the February 2018 security updates.”

    • #167581 Reply

      MrBrian
      AskWoody MVP
    • #167658 Reply

      MrBrian
      AskWoody MVP

      From Hate to ruin your day, but… Boffins cook up fresh Meltdown, Spectre CPU design flaw exploits (Feb. 14, 2018): ‘In a research paper – “MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols” – out this month, bit boffins from Princeton University and chip designer Nvidia describe variants of Meltdown and Spectre exploit code that can be used to conduct side-channel timing attacks.’

      Hat tip: user GoneToPlaid.

      • This reply was modified 9 months, 1 week ago by  MrBrian.
      1 user thanked author for this post.
      • #167670 Reply

        MrBrian
        AskWoody MVP

        From New MeltdownPrime and SpectrePrime exploits surface: “The team concludes that mitigation techniques can be largely the same as for the original exploits can be used, but generic hardware level protection can be difficult, maybe impossible, to implement. As working proof the team created an exploit written in the C language that worked 99,95% times out of 100 test runs. An Apple Macbook Pro using macOS Sierra was used for the test.”

        1 user thanked author for this post.
    • #167680 Reply

      Noel Carboni
      AskWoody MVP

      From a conceptual perspective – and my opinion is based on a lifetime of computer geekdom – it’s nigh impossible to protect a computer system from attacks from within. As these latest revelations show us there has always BEEN some risk, there is some risk still, and there always will be.

      Thinking something is “completely secure” is both an oversimplification and, well, is a false sense. And a quick look at history confirms it… Are there zero computer viruses today? Can you say with certainty that your data isn’t already being taken without your knowledge?

      We simply cannot assume our computers are completely secure against software running in them or ever will be. Not with or without the Spectre/Meltdown/Whatever comes tomorrow patches. Much as we want to think, “I want to make my computer secure”, there is no such thing. Only making it more secure.

      A key thing to consider is this:

      We must balance risk against the fact that downloading things to run from the cloud brings value. How much would we be getting from our computing hardware if we didn’t rely on software developed by other people?

      Now, the rubber meets the road:

      • Do we want to ALWAYS trust Microsoft – or any vendor – to only ever deliver risk-free software via their cloud? Whom do we partner with? Whom do we trust?
      • Or do we want to NEVER trust anyone, turn everything off, and just go into the wilderness and learn to grow our own food? You have to admit, that kind of self sufficiency sounds attractive…

      Surely there must be a balance somewhere in between.

      Consider that it’s impossible for any individual to judge all of what’s in software nowadays. Even most software developers can’t be sure (we almost always rely on libraries and operating system code from others). On the other hand, people really DO get some value from computer software written by others. You’re here reading this; it must not be all bad.

      History has shown us that we can reduce our risk by running only software that’s well-tested, from a vendor that’s proven to be reliable, disallow our computer systems from visiting every site on the wild Internet, and get to know how our systems behave over time… But just think how that’s becoming less and less manageable in light of such things as rapid releases, software (e.g., web page software) that draws from multiple sources online in real time, and packages that are literally gigabytes in size (Adobe anyone? Windows Updates?) delivered over our hyper-fast Internet connections. No human I know can even imagine a collection of a billion things in their heads. Yet we can transfer a gigabyte of data now in a few moments.

      I suggest that we’re crossing a threshold where trust is becoming paramount – right at a time when companies care less about earning our trust than ever.

      We are also in an era where people are being manipulated by others through slick marketing. Meltdown and Spectre are potential security problems that don’t (or at least didn’t) even have real exploits in the wild, yet here we are finding ourselves told we must be willing to give up on up to a third of our computer performance just to mitigate them?!?

      Let’s try to resist giving up on common sense. The little voices in our heads telling us “Whoa, slow down, take a deep breath, does this make sense?” might not be wrong.

      -Noel

      • #167686 Reply

        Canadian Tech
        AskWoody MVP

        Noel, very well put. Obviously from a wise and experienced professional. Thanks.

        Not so long ago, I and many, if not most people would have put Microsoft on the top of the Most Trusted list. Through disgustingly bad management, Microsoft has managed to slide off the list altogether.

        Consequently, I do not use ANY Microsoft update. Microsoft updates are far more risky than the risk of a hacker or virus attack.

        CT

        4 users thanked author for this post.
      • #167722 Reply

        geekdom
        AskWoody Lounger

        Backups are for the contingency that nothing has gone well, trust notwithstanding.

        Group G{ot backup} Win7 · x64 · SP1 · i3-3220 · TestBeta
        2 users thanked author for this post.
    • #170398 Reply

      MrBrian
      AskWoody MVP

      From Intel didn’t tell CERTS, govs, about Meltdown and Spectre because they couldn’t help fix it (Feb. 23, 2018): “Letters sent to the United States Congress by Intel and the other six companies in the Meltdown/Spectre disclosure cabal have revealed how and why they didn’t inform the wider world about the dangerous chip design flaws.”

      2 users thanked author for this post.
    • #171567 Reply

      MrBrian
      AskWoody MVP

      ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities was updated on March 1, 2018: “Added FAQ#14 to announce that a stand-alone update for Windows 10 Version 1709 is available via the Microsoft Update Catalog. This update includes microcode updates from Intel. See Microsoft Knowledge Base Article 4090007 (https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates) for more information.”

      From FAQ #14: “Microsoft will make available Intel microcode updates for Windows operating systems as they become available.”

      • This reply was modified 8 months, 3 weeks ago by  MrBrian.
      1 user thanked author for this post.
    • #171671 Reply

      MrBrian
      AskWoody MVP

      From https://www.theregister.co.uk/2018/03/01/us_researchers_apply_spectrestyle_tricks_to_break_intels_sgx/ (March 1, 2018):

      “The Spectre design flaws in modern CPUs can be exploited to punch holes through the walls of Intel’s SGX secure environments, researchers claim.

      SGX – short for Software Guard eXtensions – is a mechanism that normal applications can use to ring-fence sections of memory that not even the operating system nor a hypervisor can access, let alone other programs.”

      2 users thanked author for this post.
      • #171729 Reply

        geekdom
        AskWoody Lounger

        Universal backdoor.

        Group G{ot backup} Win7 · x64 · SP1 · i3-3220 · TestBeta
    • #178074 Reply

      MrBrian
      AskWoody MVP

      Highly technical blog post from Microsoft: KVA Shadow: Mitigating Meltdown on Windows.

      2 users thanked author for this post.
    • #178578 Reply

      geekdom
      AskWoody Lounger

      Another flavor described here:
      https://www.bleepingcomputer.com/news/security/academics-discover-new-cpu-side-channel-attack-named-branchscope/

      Group G{ot backup} Win7 · x64 · SP1 · i3-3220 · TestBeta
      1 user thanked author for this post.
    • #178634 Reply

      gborn
      AskWoody MVP

      It seems, something went terribly wrong: January/February 2018 Meltdown patches from Microsoft opens even a bigger hole. No more exploit is necessary to access the memory from user processes (and even write it).

      See Windows 7 Jan./Feb. 2018 patches opens Total Meltdown vulnerability

      6 users thanked author for this post.
      • #178673 Reply

        geekdom
        AskWoody Lounger

        Soon, someone will find these holes. I expect rather spectacular security breaches once vulnerabilities go into the wild.

        Group G{ot backup} Win7 · x64 · SP1 · i3-3220 · TestBeta
    • #184121 Reply

      MrBrian
      AskWoody MVP

      ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities was updated on April 10, 2018. From that link: “By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD CPUs. Customers must enable the mitigation to receive additional protections for CVE-2017-5715. Enabling this mitigation may affect performance.”

      2 users thanked author for this post.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Meltdown and Spectre from a Windows user’s point of view

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information:


    Comments are closed.