Newsletter Archives

• Patch Lady – we have another Spectre/Meltdown

  Posted on August 6, 2019 at 21:52 CDT by Susan Bradley • Comment in the Forums

  So included in the July patches was another Spectre/Meltdown patch that the information about it is just coming out today.  I’m still not convinced that we’ve seen actual attacks using Spectre/Meltdown nor am I convinced that we will see it in the wild.  Rather it’s my opinion that it will be used in targeted attacks but not in widespread ones.  Nevertheless, once again there’s another variant that got patched in the July updates:

   

  SWAPGS Spectre Side-Channel Vulnerability
  08/06/2019 08:21 PM EDT

   

  Original release date: August 6, 2019
  The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a vulnerability (CVE-2019-1125) known as SWAPGS, which is a variant of Spectre Variant 1—that affects modern computer processors. This vulnerability can be exploited to steal sensitive data present in a computer systems’ memory.

  Spectre is a flaw an attacker can exploit to force a program to reveal its data. The name derives from “speculative execution”—an optimization method a computer system performs to check whether it will work to prevent a delay when actually executed. Spectre affects almost all devices including desktops, laptops, and cloud servers.

  CISA encourages users and administrators to review the following guidance, refer to their hardware and software vendors for additional details, and apply an appropriate patch when available:

  • Microsoft: Windows Kernel Information Disclosure Vulnerability
  • Red Hat: Spectre SWAPGS gadget vulnerability
  • Google: Spectre Side Channels
  Security, Windows News, Windows Patches/Security Meltdown, Patch Lady Posts, Spectre

• “Side channel” vulnerabilities and Windows

  Posted on May 19, 2019 at 12:07 CDT by woody • Comment in the Forums

  I’ve avoided talking much about Spectre, Meltdown and the like because there’s an endless succession of patches to Windows and the hardware – and registry changes to go with them – and we still haven’t seen a real-world exploit.

  If you’re running a high profile server, though, you should keep up on this stuff.

  Karl Wester-Ebbinghaus (@alqmar) has come up with an exhaustive list of patches, patches to patches, BIOS updates and registry settings, all related to the “side channel” vulnerabilities. Click on the comment link at the top to see the results of his extensive investigation.

  Hardware, Patch Watch, Windows Patches/Security Meltdown, Side channel vulnerabilities, Spectre

• Google’s JavaScript team: Spectre mitigation doomed to failure

  Posted on April 23, 2019 at 11:38 CDT by woody • Comment in the Forums

  That isn’t exactly what they said, but it’s pretty close. Here’s what they do say:

  A year with Spectre… When it was shown that JavaScript could be used to mount Spectre attacks, the V8 team became involved in tackling the problem…  offensive research [from the white and gray hats] advanced much faster than our defensive research, and we quickly discovered that software mitigation of all possible leaks due to Spectre was infeasible… the engineering effort diverted to combating Spectre was disproportionate to its threat level… the increasingly complicated mitigations that we designed and implemented carried significant complexity, which is technical debt and might actually increase the attack surface, and performance overheads… We still know of no attacks in the wild, outside of the curious tinkerers and professional researchers developing proof of concept gadgets

  Make no mistake, Meltdown and Spectre could become nightmares. At some point in the far future. For now, don’t worry about it, OK?

  Windows Patches/Security Spectre, V8

• On Security: Patch Lady Susan Bradley explains why you might — or might not — want to protect your machine from Spectre and Meltdown

  Posted on February 25, 2019 at 03:57 CST by woody • Comment in the Forums

  Microsoft keeps releasing patches for Spectre, Meltdown, and similar vulnerabilities — tons of them. Do you really need them?

  Even if you have the patches installed, they may not be working. That’s intentional — in some cases you have to manually enable the patch.

  Here’s a quick overview of the problem, a look at Steve Gibson’s free InSpectre tool that’ll poke at your system, and some solid recommendations for when you might be at risk, and when you can gleefully thumb your nose.

  Out this morning to all AskWoody Plus members, in AskWoody Plus Newsletter 16.7.0.

  Windows Patches/Security AskWoody Plus Newsletter, Meltdown, Patch Lady Posts, Spectre

• Patch Lady – How to update Win10 to fix Spectre, Meltdown and other side channel vulnerabilities

  Posted on February 22, 2019 at 17:05 CST by woody • Comment in the Forums

  Patch Lady Susan Bradley’s latest column in CSOOnline:

  In January 2018, security news media was abuzz over a new class of vulnerability called side channel vulnerabilities. Spectre, Meltdown and Foreshadow are some of the best known. They exploit weaknesses in speculative execution in microprocessors to leak unauthorized information. Side channel vulnerabilities allow attackers to bypass account permissions, virtualization boundaries and protected memory regions.

  Patching these vulnerabilities is not easy. They are mitigated by a combination of patches from both the chipset vendor and the operating system provider. Worse, there is often a noticeable performance hit after installing these updates…

  Windows servers in particular need specific guidance as most of the protections are not enabled by default.

  If you’re running a server that’s potentially at risk, it would behoove you to read this article.

  Windows Patches/Security Meltdown, Patch Lady Posts, Spectre

• Mind boggled: The Meltdown/Spectre microcode patches

  Posted on August 30, 2018 at 07:11 CDT by woody • Comment in the Forums

  I just read a tweetstorm from @Karl_F1_Fan to @Crysta that has my head swimming. Here’s what he says:

  Hi Crysta,

  Your quotes to Microsoft articles are right but things have developed over time. First they asked to set the bitmask for meltdown and Spectre 2 to

  FeatureSettingsOverride 1
  FeatureSettingsOverrideMask 3

  for intel clients and servers + the QualityCompat flag

  The qualitycompatflag was removed with a patch in March for both clients and servers. Then Microsoft advised the same registry mask for Intel but for AMD it was

  FeatureSettingsOverride 64
  FeatureSettingsOverrideMask 3

  (I won’t handle disable flags here for easiness.)

  With the appearance of Spectre NG the flags changed again for both AMD and Intel to

  FeatureSettingsOverride 8
  FeatureSettingsOverrideMask 3

  which Microsoft is falsely or incompletely advising now in the L1TF article. If a user is setting 1/3 it will DISABLE protection CVE-2018-3639 [speculative store bypass] also it will disable AMD protections.

  Meltdown, Spectre 2 / 3, 3a / 4 / L1TF need microcode updates or the seperate updates deployed for Windows 10 in August 2018 + 2018-08 CUs. In addition Microsoft choose that only servers need the registry keys to enable protection. I would advise all customers to apply them.

  The current situation is unbearable for average sys admins and there is too much confusion.

  IMHO Microsoft should roll out all microcode updates for any OS and enable protection by default without any registry keys it is much easier to understand how to disable it.

  The current situation is that only @Dell really cares to bring out BIOS updates for ANY systems back to 2009 whilst other OEMs don’t give a ****.. no matter if we are talking about enterprise or home.

  @ASUS there are no microcodes for all systems, as Intel provided. @HP is not updating their site accordingly so the theme sites indicate updates are missing or pending, while being partially available on the product site. We better don’t talk about lack of support from @Acer Lenovo or Medion etc. Without Win10 we would have no protection at all

  Based on a variety of 70 client pcs and servers of various OEMS / vendors only 18 received all BIOS microcode updates. 6 had too old Intel / AMD CPUs, more than 21 are only patches because Microsoft rolled out (optional) Microcode Updates. Others unprotected due to old Windows Client / Server version.

  How’s that for the very definition of falling into the briar patch?

  UPDATE: I just followed a link from @teroalhonen to a discussion on Anandtech of the new Intel processors and how they fare with Meltdown and Spectre. Clearly, whoever put together this slide didn’t have a clue.

  

  I sympathize. If Anandtech can’t get it right, what chance do we mortals have? Whotta mess.

  ANOTHER UPDATE: ‘Softie Jorge Lopez (@J0RGEL0P3Z) posted a few hours ago:

  The 0 / 3 combo enables CVEs 2017-5715 and CVE 2017-5754. The 8 / 3 combo enables Speculative Store Bypass (SSB) protection (CVE 2018-3639) *and* -5715/-5754. L1TF kernel protection requires only for 5754 to be on (so either 0 or 8 works for L1TF). Will see about making clearer

  — Jorge Lopez (@J0RGEL0P3Z) August 31, 2018

   

  Windows Patches/Security Meltdown, Microcode, Spectre

• Patch Lady – what’s up with the Microcode updates?

  Posted on August 28, 2018 at 09:09 CDT by Susan Bradley • Comment in the Forums

  Yesterday we’ve been seeing potential issues with the microcode updates and they were expired off of  WSUS servers last night…

  

  https://www.reddit.com/r/sysadmin/comments/9apooi/kb4100347_rendering_systems_unbootable/?st=jlckzbjr&sh=94b0f954

  https://www.reddit.com/r/Windows10/comments/995k2s/got_the_kb4100347_update_july_cumulative_update/e4m9ffn

  https://www.bleepingcomputer.com/news/microsoft/windows-10-kb4100347-intel-cpu-update-causing-boot-issues-and-pushed-to-amd-users/

  Unsure what’s up, but Microsoft appears to be pulling these updates back.

  I think there is/was metadata detection issues and they were offered up and installed on machines they shouldn’t have been installed.

  UPDATE: Günter Born has a compelling history posted on his Born City site.

  Windows Patches/Security Meltdown, Microcode, Patch Lady Posts, Spectre

• Microsoft Patch Alert: August is much, much better than July

  Posted on August 23, 2018 at 14:17 CDT by woody • Comment in the Forums

  There are still some well-known (even acknowledged) bugs, and the inanities performed in the name of Meltdown and Spectre continue to boggle my mind.

  And, of course, you can’t post any before-and-after performance statistics about the Intel microcode patches.

  Computerworld Woody on Windows.

  UPDATE: Intel has backed off its ridiculous (and likely unenforceable) gag order. See Paul Alcorn’s article on Tom’s Hardware.

  Windows Patches/Security August 2018 Black Tuesday, Intel, Meltdown, Microcode, Spectre

• NetSpectre — a remote Spectre v1 attack

  Posted on August 1, 2018 at 13:36 CDT by woody • Comment in the Forums

  Michael Heller reports on TechTarget:

  Researchers developed a new proof-of-concept attack on Spectre variant 1 that can be performed remotely (say, via a browser)… requires no attacker-controlled code on the target device… this NetSpectre variant is able to leak 15 bits per hour from a vulnerable target system.

  Kevin Beaumont had a great analysis:

  For the record, if you were ever actually be able to exploit it in real world (big if) it gives 15 bits of information per hour. There’s 8000000000 bits in 1gb. So only 60822 years to extract 1gb of RAM.

  — kevin (@GossiTheDog) July 27, 2018

  I’m still not shaking in my boots about Meltdown or Spectre.

  Windows Patches/Security Spectre

• New version of Chrome guards against Spectre-like attacks, but eats more memory

  Posted on July 13, 2018 at 06:02 CDT by woody • Comment in the Forums

  We still haven’t seen a commercial implementation of the Meltdown or Spectre security vectors, but Google’s had this “site isolation” technology in the works for six years. This week, they flipped the switch. Now, your copy of Chrome on Windows will gobble even more memory. But you’ll be protected from Spectre attacks coming from the most likely source — your browser.

  Gregg Keizer in Computerworld:

  Google has switched on Site Isolation for the vast majority of Chrome users – 99% of them by the search giant’s account.

  Good article. Check it out.

  Nipping Spectre in the browser sure beats the all-on assault that’s unfolding in the rest of the ecosystem. I continue to maintain that the first major Meltdown and Spectre infections we’ll see in the wild will come through the browser.

  Windows Patches/Security Chrome, Site isolation, Spectre

• A note about the “new” Spectre NG revelations

  Posted on May 23, 2018 at 11:25 CDT by woody • Comment in the Forums

  Several of you have pinged me about the Spectre NG (variously, Specter V4, Spectre V4, Specter-NG, and enough alternatives to make Google search interesting) posts by Microsoft and Intel earlier this week.

  We talked about those bad boys on May 3, when Günter Born posted his first exploration of the problems and their fleeting solutions. Born has since updated his exploration with a further discussion of the mysteries surrounding Microsoft’s patches — which are horribly documented, as usual.

  Microsoft has posted two Security Advisories, ADV180012 (for CVE-2018-3639) and ADV180013 (for CVE-2018-3640) that deal with related problems. The first Advisory says that Microsoft doesn’t have any idea which versions of Windows (or Azure) are affected. The second Advisory says that Surface machines are affected, but there’s no fix right now.

  Intel has a good overview of the “side-channel analysis” problems, which says that Intel anticipated the problem, increased its bug bounty, and:

  We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.

  Which should send a chill down the spine of anyone who’s had to deal with the earlier Meltdown, Spectre V1, V2, and V3 fire drills.

  @Kirsty has been following the latest developments in our Code Red forum. She points to excellent articles by Catalin Cimpanu, Steven Vaughan-Nichols and Martin Brinkmann.

  Big open question: How much more performance will the new mitigations consume?

  Noel Carboni has a key observation:

  It strikes me again and again that “Spectre” and “Meltdown” are first and foremost tools to manipulate the masses, used by those trying to make money in “security”.

  Nailed it.

  I’m not saying that Microsoft, Intel, AMD, Qualcomm and others had a hand in bringing down the Meltdown/Spectre curtain. I am saying they stand to make a whole lotta money out of it, and added publicity doesn’t hurt one whit.

  Oh. And it should go without saying that we haven’t yet seen one, single, solitary Meltdown or Spectre exploit in general use.

  Windows Patches/Security CVE-2018-3639, CVE-2018-3640, Spectre, Spectre V4, SpectreNG, Variant 3a, Variant 4

• Microsoft offers more Spectre v2 microcode updates, KB 4090007, KB 4091663, KB 4091664

  Posted on April 26, 2018 at 09:42 CDT by woody • Comment in the Forums

  Yesterday, I posted a note about two new Spectre v2 patches, KB 4078407 and KB 4091666.

  The first is a Win10-only fix that has to be combined with a microcode change from your hardware manufacturer in order to accomplish anything. As @abbodi86 notes:

  KB4078407 is not a patch, it’s just an executable that enables the Spectre mitigation protection by changing two registry entries

  The second is a microcode-only, Intel-only, Win10 1507-only patch that changes the microcode for a large number of Intel processors.

  This morning, Günter Born notes on Borncity that there are now four of these microcode patches:

  • KB4090007 for Win10 1709/”Server 2016 version 1709″
  • KB4091663 for Win10 1703
  • KB4091664 for Win10 1607/Server 2016

  In addition to the one I described yesterday, KB4091666 for Win10 1507.

  None of them are available through Windows Update. You have to manually dig into the Update Catalog to get them.

  As noted (voluminously) there are no known exploits as yet for Meltdown, Spectre v1 or Spectre v2. You might want to tuck these away in case we ever see a reason to use them.

  Windows Patches/Security KB 4078407, KB 4090007, KB 4091663, KB 4091664, Meltdown, Spectre
• « Older Entries