• dportenlanger

    @dportenlanger

    • Look here.

      https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability/

    • My point is simply this.  If SpecCheck says you are not vulnerable to any of the three specex variants, either the SpecCheck is wrong or Intel and Microsoft have made the decision to leave systems vulnerable, which is negligent and irresponsible, even if the likelihood of an issue is near zero.

      I would suggest that if Linux can mitigate all three variants, Windows can too.  I have tested three different machines.

      1. Lenovo G700 which will have no firmware update.
      2. Lenovo W701 which Intel pulled the firmware update.
      3. Toshiba Satellite which is the oldest spare machine I can test.

      All three pass SpecCheck as noted by Ascaris.

      Does this mean that those of us who have to administrate hundreds of Windows machines could have been spared the CVE-2017-5715 firmware updates?  Microsoft is pushing out microcode for some processors.

      Is there some architecture difference between Windows and Linux that will reopen the Linux is more secure than Windows debate?

      Are Intel and Microsoft leaving older machines vulnerable on purpose?

      Does SpecCheck need an update because it is misreporting?

      Is using one of the three variants to exploit a machine so difficult and unlikely that it isn’t worth protecting every machine?

      I am no expert, but I feel it is important to understand the issues and the exposure to make informed decisions.


    • Several other people and I have computers that will not get BIOS updates from Intel or from the manufacturer.  One machine I have is an Ivy Bridge machine, but Lenovo doesn’t have the model listed as eligible.  The other is much older but has a 4-core, 8-thread Extreme processor that was abandoned but still runs great.

      What I discovered was that running Meltdown/Spectre check scripts on Linux (Ubuntu in my case) seems to show that my older machines are not vulnerable to Meltdown or Spectre.  So Linux must have done something in the boot process that loads microcode to foil Meltdown and both variants of Spectre.

      I am curious whether others have found this to be the case and whether it is a possible solution to save these machines from the scrap bin.  If this is the case, would running Linux, with the Windows OS and applications running in a VM (if Windows is needed), keep the older but powerful hardware operational?

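      The post above relies on a Linux checker script's verdict. As an added example, not code from the original post or from any checker project, the script below reads the same kernel-reported status the checker consults: the files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2; present on kernels that carry the mitigations). It classifies each line, counts anything still reported as Vulnerable, and separately checks whether the spectre_v2 line mentions IBPB or IBRS, because a kernel built with retpoline reports "Mitigation:" for variant 2 without any firmware or microcode update; that distinction is what separates "the kernel is mitigating it" from "this machine has new microcode". The sample directory it creates is constructed, not captured from a real machine, and VULN_DIR, classify_status, report_dir, count_vulnerable, spectre_v2_has_microcode and make_sample_dir are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post or from any checker project):
# summarise what the Linux kernel itself reports for the three original variants.
# Meaning of the kernel strings: "Not affected" = the CPU is not subject to the
# issue; "Mitigation: ..." = the kernel applied a software or microcode mitigation;
# "Vulnerable" = neither.

# classify_status "<file contents>" -> prints not_affected | mitigated | vulnerable | unknown
classify_status() {
  case "$1" in
    "Not affected"*) echo not_affected ;;
    Mitigation:*)    echo mitigated ;;
    Vulnerable*)     echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# report_dir DIR: one line per issue file, "<issue> <class> <raw kernel text>".
report_dir() {
  dir=$1
  for f in "$dir"/meltdown "$dir"/spectre_v1 "$dir"/spectre_v2; do
    name=$(basename "$f")
    if [ -r "$f" ]; then
      raw=$(cat "$f")
    else
      raw="missing"   # kernel too old to report this issue, or file absent on this build
    fi
    printf '%s %s %s\n' "$name" "$(classify_status "$raw")" "$raw"
  done
}

# count_vulnerable DIR: how many of the three issues are reported as Vulnerable or unknown.
count_vulnerable() {
  report_dir "$1" | awk '$2 == "vulnerable" || $2 == "unknown" { n++ } END { print n + 0 }'
}

# spectre_v2_has_microcode DIR: succeeds only when the spectre_v2 line mentions IBPB or
# IBRS, i.e. the kernel found microcode support. Retpoline alone is a compiler/kernel
# mitigation and says nothing about whether updated microcode or firmware is installed.
spectre_v2_has_microcode() {
  raw=$(cat "$1/spectre_v2" 2>/dev/null) || return 1
  case "$raw" in
    *IBPB*|*IBRS*) return 0 ;;
    *) return 1 ;;
  esac
}

# make_sample_dir: constructed sample (not captured from a real machine) in the format
# the kernel uses, so the functions can be exercised without root or a matching kernel.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'Mitigation: PTI\n' > "$d/meltdown"
  printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
  printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
  echo "$d"
}

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

if [ "${1:-}" = "--sample" ]; then
  report_dir "$(make_sample_dir)"
elif [ -d "$VULN_DIR" ]; then
  report_dir "$VULN_DIR"
  if spectre_v2_has_microcode "$VULN_DIR"; then
    echo "spectre_v2: kernel sees IBPB/IBRS microcode support"
  else
    echo "spectre_v2: no IBPB/IBRS reported (software-only mitigation or none)"
  fi
fi
```

      Run it with `--sample` to see the classification on the constructed input, or without arguments on a Linux machine to read the real sysfs files; an older kernel that lacks the files reports "missing", which is itself useful information when deciding whether a checker's "not vulnerable" can be trusted.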
    • in reply to: We’re testing on the new server #177736

      Don’t you know the solution to all your computing resource problems are “To The Cloud!”?

      Yeah, I am not drinking that Kool-Aid either.

    • in reply to: Spectre, Meltdown and the future #177005

      You already have your answer.  Meltdown/Spectre aren’t being fixed.  They are being mitigated.  As such, the past few months have demonstrated the outcome.  The whole thing is a complete cluster.

    • in reply to: Decrease in Performance after Meltdown Patch #165329

      I did some of my own informal unscientific testing of patching and firmware updates for Meltdown/Spectre.  The firmware kills I/Os.  We know Meltdown and one variant of Spectre are already software patched.  I wonder, given the surface area of Spectre variant 2, whether the firmware update performance hit is even worth considering.  Unless you are a government or financial entity, is it worth suffering such a performance hit?  I recommend holding off on firmware updates.  See below.

        1. Having the firmware patched almost doubled application load times on my test laptop.  An app that took 7 seconds to load before patching took 13 seconds after patching on a 3-year-old machine.  This was on the Lenovo E550 before and after firmware loads.

      I ran for a week and witnessed zero reboots or instability.  I have some suspicion that Intel pulled the firmware because of performance, not instability.

      I am a little concerned about verification tools.  I patched the E550 firmware and OS and passed Inspectre’s testing.  Then I back-leveled the firmware.  Inspectre still showed my system was completely secure.  Microsoft’s PowerShell script showed the E550 was secure on Windows 10 1703.  Inspectre wouldn’t verify the E550 was secure until it was on Win 10 1709.  We need better verification tools.

      Below are some other informal unscientific load times.  The T430 has a slightly faster processor than the E550, but the E550 is much newer and most every other piece of hardware should be faster.
      Machine 1: Lenovo T430 – No Spectre Firmware Patch.
      Core i7, 12GB RAM, 512GB SSD, Bitlocker
      Machine 2: Lenovo E550 – Spectre Firmware Patch
      Core i7, 16GB RAM, 512GB SSD, Bitlocker

      Edit to remove HTML. Post may not appear as author intended.
      Please convert to plain text (.txt) before cut/paste operation from Word document
