AskWoody

Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • Born: Is my browser vulnerable to Spectre attacks?

    Posted on January 11th, 2018 at 09:51 by woody

    Günter Born has an important recap of the test website xlab.tencent.com, which has a tool that can check to see if your browser is currently susceptible to Spectre attacks.

    The tool is from Tencent’s Xuanwu Lab, which is part of Tencent, one of the largest companies in Asia. The Xuanwu Lab is well-known in antimalware circles.

    I ran a quick check on both of my go-to browsers, Firefox 57.0.4 (64-bit) and Chrome 63.0.3239.132 (Official Build) (64-bit). Both of them came up with “Not vulnerable.”

    That’s a comforting, if ambiguous, determination. As the Tencent site says:

    However, if the result is NOT VULNERABLE, it doesn’t mean your browser is absolutely not vulnerable because there might be other unknown attacking methods.

    Which is something of a triple (quadruple?) negative, but I surmise that Firefox and Chrome aren’t susceptible to the currently published Spectre vulnerabilities.

    A quick check of the latest IE and Chrome on my Win10 1703 machine turned up Not Vulnerable as well.

    Martin Brinkmann on ghacks.net ran a similar set of tests. He says that Google Chrome Stable, Opera Stable and Vivaldi Stable all turn up Vulnerable.

    Your mileage may vary.

  • The Meltdown/Spectre patches will cause performance hits — but how much, and to whom?

    Posted on January 11th, 2018 at 09:21 by woody

    Gregg Keizer has a new article in Computerworld, “Windows 7 takes biggest performance hit from emergency Meltdown, Spectre updates.” It relies heavily on Microsoft’s pronouncements. I’m skeptical.

    There’s a detailed post from Jampe on the Intel support forum about the effect of the Windows 10 patch on a Thinkpad T440s. The results are not good — although the devil may be in the details.

    As Jampe reports, the first test (NewBottomLine) was performed before installing the Win10 update (not sure which one), and the three later tests were all run with the update in place.

    Our own Noel Carboni responded with a good analysis:

    Passmark PerformanceTest (or any benchmark) is known to show quite variable results for disk testing. That’s the nature of PC systems; they do a lot of different things all the time. I’ve run into variances of 2 to 1 just doing subsequent tests. I’d really like to see a whole SERIES of before/after benchmarks.

    So for those of you who dare to tread into uncharted MS-DEFCON territory — do you have any benchmark runs to share? I’m particularly interested in tests of the Windows patches separately.

  • Excel gets a variation of the Word DDE block settings

    Posted on January 11th, 2018 at 07:40 by woody

    They come along for the ride with this month’s Excel security patches — but Microsoft didn’t bother to document any of it, outside of an addendum to an old Security Advisory.

    Here’s the DDE warning dialog on open:

    Thx, @MrBrian

    Computerworld Woody on Windows.

  • January Patch Tuesday overview

    Posted on January 10th, 2018 at 10:25 by woody

    My summary:

    What you’re witnessing is a colossal “Sky is Falling” routine, aided and abetted by folks who are going to make money from the havoc. Don’t fall for the hype. Get the facts, get your antivirus house in order, change the Equation Editor entries if you’re very concerned, and you’re good to go. For now.

    It’s really that simple. We’re still at MS-DEFCON 2.

    Computerworld Woody on Windows.

    P.S. If you ever wondered why I don’t get any Christmas cards from Microsoft, well, now you know.

  • Risk Based Security brings some sanity to the Meltdown debacle

    Posted on January 9th, 2018 at 15:52 by woody

    I just finished reading this article, recommended by Kevin Beaumont: “The Slow Burn of Meltdown and Spectre: Exploits, Lawsuits, and Perspective.”

    Here’s the conclusion:

    Vulnerabilities are disclosed every day, to the tune of over 20,000 new disclosures in 2017 alone. Just because a vulnerability receives a name, a website, and/or a marketing campaign does not necessarily mean it is high risk or that it will impact your organization. As always, we strongly encourage organizations to cut through the noise and focus on the details relevant to them, and make a decision based on that alone.

    I repeat – forgive me if you’ve heard this before – but there are NO KNOWN Meltdown or Spectre exploits in the wild. Folks who run servers with sensitive data — banks, brokerage houses, military contractors, cryptocurrency exchanges — need to be concerned about Meltdown and Spectre in the near term, realizing that the data can only be snooped if you allow an unauthorized program to run on your server.

    For everybody else, the first attacks (if there ever are any) are likely to come through web browsers. You need to harden your browser as soon as the update is available. You’ll want to install the new Windows patches as soon as they pass muster. And you need to get your BIOS or UEFI updated one of these days. But there’s no big rush.

    What you’re witnessing is a colossal “Sky is Falling” routine, aided and abetted by folks who are going to make money from the havoc.

  • January security patches are out

    Posted on January 9th, 2018 at 12:22 by woody

    The Release Notes are up. A total of 93 separate patches.

    SANS Internet Storm Center posted its usual list. 

    No known exploits.

    Weird. The Jan. 3 patches are listed in the Update Summary Guide as Jan. 9.

    Holy Guacamole, Bitman. Martin Brinkmann just posted his overview at ghacks.net and it goes on for pages and pages and pages.

    There’s some confusion about the Equation Editor vulnerability. You may recall that the original hole, CVE-2017-11882, was patched in November. This new patch, for CVE-2018-0802, takes the nuclear option — it removes Equation Editor from Word. @yuhong2 advises on Twitter that the Eqn Editor EXE turns into 0 bytes, so it’s even dead with WordPad.

    UPDATE: It looks like the Equation Editor patch is the only patch in this month’s crop that has known exploits.

  • Microsoft yanks all of this month’s Windows patches for “devices with impacted AMD processors”

    Posted on January 9th, 2018 at 05:49 by woody

    Let’s hear it for beta testing.

    Early this morning, Microsoft officially announced that it was pulling all of this month’s Meltdown/Spectre patches for folks with AMD processors.

    That’s just the tip of the iceberg.

    Computerworld Woody on Windows.

    UPDATE: Kevin Beaumont has a sobering report on the status of antivirus vendors cooperating (or not) with Microsoft:

    this has been incredibly messy for everybody involved. My belief is organisations shouldn’t rush these patches out. They need to carefully test and see where they need to mitigate the vulnerability.

    As I’ve said many, many times before, there’s no reason to install any of the patches yet. In spite of what you saw on TV, or read in the newspaper — or what you heard from a Windows security “expert.”

  • Widespread reports of blue screens (0X000000C4 and 0x800f0845) with Meltdown/Spectre patches for Win7 (KB 4056894) and Win10 1709 (KB 4056892)

    Posted on January 8th, 2018 at 06:14 by woody

    Several AMD processor series – Athlon, Sempron, Opteron and Turion — seem most at risk, but others are reporting problems.

    Thx to @abbodi86 for the info about the difference between version 1 and version 2 of KB 4056894 — only the metadata changed, not the patches themselves.

    Computerworld Woody on Windows.