Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • NetSpectre — a remote Spectre v1 attack

    Posted on August 1st, 2018 at 13:36 woody Comment on the AskWoody Lounge

    Michael Heller reports on TechTarget:

    Researchers developed a new proof-of-concept attack on Spectre variant 1 that can be performed remotely (say, via a browser)… requires no attacker-controlled code on the target device… this NetSpectre variant is able to leak 15 bits per hour from a vulnerable target system.

    Kevin Beaumont had a great analysis:

    I’m still not shaking in my boots about Meltdown or Spectre.

  • New version of Chrome guards against Spectre-like attacks, but eats more memory

    Posted on July 13th, 2018 at 06:02 woody Comment on the AskWoody Lounge

    We still haven’t seen a commercial implementation of the Meltdown or Spectre security vectors, but Google’s had this “site isolation” technology in the works for six years. This week, they flipped the switch. Now, your copy of Chrome on Windows will gobble even more memory. But you’ll be protected from Spectre attacks coming from the most likely source — your browser.

    Gregg Keizer in Computerworld:

    Google has switched on Site Isolation for the vast majority of Chrome users – 99% of them by the search giant’s account.

    Good article. Check it out.

    Nipping Spectre in the browser sure beats the all-on assault that’s unfolding in the rest of the ecosystem. I continue to maintain that the first major Meltdown and Spectre infections we’ll see in the wild will come through the browser.

  • A note about the “new” Spectre NG revelations

    Posted on May 23rd, 2018 at 11:25 woody Comment on the AskWoody Lounge

    Several of you have pinged me about the Spectre NG (variously, Specter V4, Spectre V4, Specter-NG, and enough alternatives to make Google search interesting) posts by Microsoft and Intel earlier this week.

    We talked about those bad boys on May 3, when Günter Born posted his first exploration of the problems and their fleeting solutions. Born has since updated his exploration with a further discussion of the mysteries surrounding Microsoft’s patches — which are horribly documented, as usual.

    Microsoft has posted two Security Advisories, ADV180012 (for CVE-2018-3639) and ADV180013 (for CVE-2018-3640) that deal with related problems. The first Advisory says that Microsoft doesn’t have any idea which versions of Windows (or Azure) are affected. The second Advisory says that Surface machines are affected, but there’s no fix right now.

    Intel has a good overview of the “side-channel analysis” problems, which says that Intel anticipated the problem, increased its bug bounty, and:

    We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.

    Which should send a chill down the spine of anyone who’s had to deal with the earlier Meltdown, Spectre V1, V2, and V3 fire drills.

    @Kirsty has been following the latest developments in our Code Red forum. She points to excellent articles by Catalin Cimpanu, Steven Vaughan-Nichols and Martin Brinkmann.

    Big open question: How much more performance will the new mitigations consume?

    Noel Carboni has a key observation:

    It strikes me again and again that “Spectre” and “Meltdown” are first and foremost tools to manipulate the masses, used by those trying to make money in “security”.

    Nailed it.

    I’m not saying that Microsoft, Intel, AMD, Qualcomm and others had a hand in bringing down the Meltdown/Spectre curtain. I am saying they stand to make a whole lotta money out of it, and added publicity doesn’t hurt one whit.

    Oh. And it should go without saying that we haven’t yet seen one, single, solitary Meltdown or Spectre exploit in general use.

  • Microsoft offers more Spectre v2 microcode updates, KB 4090007, KB 4091663, KB 4091664

    Posted on April 26th, 2018 at 09:42 woody Comment on the AskWoody Lounge

    Yesterday, I posted a note about two new Spectre v2 patches, KB 4078407 and KB 4091666.

    The first is a Win10-only fix that has to be combined with a microcode change from your hardware manufacturer in order to accomplish anything. As @abbodi86 notes:

    KB4078407 is not a patch, it’s just an executable that enables the Spectre mitigation protection by changing two registry entries

    The second is a microcode-only, Intel-only, Win10 1507-only patch that changes the microcode for a large number of Intel processors.

    This morning, Günter Born notes on Borncity that there are now four of these microcode patches:

    In addition to the one I described yesterday, KB4091666 for Win10 1507.

    None of them are available through Windows Update. You have to manually dig into the Update Catalog to get them.

    As noted (voluminously) there are no known exploits as yet for Meltdown, Spectre v1 or Spectre v2. You might want to tuck these away in case we ever see a reason to use them.

  • Are Windows customers getting Meltdown/Spectre bullied into buying new computers?

    Posted on April 25th, 2018 at 02:29 woody Comment on the AskWoody Lounge

    Just got this from @dportenlanger:

    I think Windows users are getting snubbed. I have an old Clarksfield processor that Intel will not be updating via the BIOS. However, the Linux microcode 20180312 exists for my processor…. the Intel® Core™ i7-920XM Processor Extreme Edition (8M Cache, 2.00 GHz) at this link:

    https://downloadcenter.intel.com/download/27591/?product=43126

    So what fixes are in the 20180312 Linux Microcode? Here is a clue:

    https://www.phoronix.com/scan.php?page=news_item&px=Intel-Microcode-20180312

    I believe this is why Linux users are secure and Windows users are getting bullied (sorry, I hate that word, how about “marketed”) into new computers.

    I know this is a site for Windows Updates and news. I think this is Windows news if my conclusions are right and someone needs to call out Intel and Microsoft.

    Is that a strange conspiracy theory — or is there an element of truth to it?

  • Intel releases more Meltdown/Spectre firmware fixes, while Microsoft unveils a new Surface Pro 3 firmware fix that doesn’t exist

    Posted on February 21st, 2018 at 09:01 woody Comment on the AskWoody Lounge

    You’d have to be incredibly trusting — of both Microsoft and Intel — to manually install any Surface firmware patch at this point. Particularly when you realize that not one single Meltdown or Spectre-related exploit is in the wild. Not one.

    Computerworld Woody on Windows.

  • Intel says its new Spectre-busting Skylake firmware patch is ready

    Posted on February 8th, 2018 at 07:08 woody Comment on the AskWoody Lounge

    Oh boy. I love the smell of fresh bricked PCs in the morning.

    Yesterday, Intel said it has released new firmware that — this time, really, for sure, honest — plugs the Meltdown/Spectre security hole. Says honcho Navin Shenoy:

    Earlier this week, we released production microcode updates for several Skylake-based platforms to our OEM customers and industry partners, and we expect to do the same for more platforms in the coming days.

    What he’s actually saying is something like, “Hey, we spent six months coming up with new firmware to fix Spectre, released it, and bricked a bunch of machines. We went back to the drawing board and, two weeks later, came up with new firmware that won’t brick your machines. Have at it.”

    According to the freshly updated Microcode Revision Guidance, Intel has released updates for Skylake U-, Y-, U23e-, H-, and S- chips.

    Shenoy goes on to say:

    Ultimately, these updates will be made available in most cases through OEM firmware updates. I can’t emphasize enough how critical it is for everyone to always keep their systems up-to-date. Research tells us there is frequently a substantial lag between when people receive updates and when they actually implement them. In today’s environment, that must change.

    To which I say:

    Fool me once, shame on me. Fool me twice… well, you know.

    Folks, you’d have to be absolutely batbox crazy to install these new BIOS/UEFI patches as they’re being rolled out. Give them time to break other peoples’ machines — or to prove their worth in open combat. I’m sure the folks who made the new firmware are quite competent and tested the living daylights out of everything. But they did that the last time, too.

    Again, I repeat, for emphasis, there is exactly NO known Meltdown or Spectre-based malware out in the wild.

  • Update: No, Virginia, there are no Meltdown/Spectre exploits in the wild

    Posted on February 1st, 2018 at 14:33 woody Comment on the AskWoody Lounge

    A reassuring tweet from Kevin Beaumont.

    The AV-Test red line graph shows that, yes, there are more and more samples being submitted to AV-Test — but, according to people who know these things, none of them are in the wild. They’re “Proof of Concept” test samples.

    UPDATE: And AV-Test responds: