23 replies to this topic

[Corrine]

From Major flaw in millions of Intel chips revealed - BBC News:

Quote

A serious flaw in the design of Intel's chips will require Microsoft, Linux and Apple to update operating systems for computers around the world.

Intel has not yet released the details of the vulnerability, but it is believed to affect chips in millions of computers from the last decade.

The UK's National Cyber Security Centre (NCSC) said it was aware of the issue and that patches were being produced.

Some experts said a software fix could slow down computers.

Note:  Windows Insiders running Build 17035 already have the fix.

Response from Intel at Intel Responds to Security Research Findings

Quote

Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

[Corrine]

Microsoft issues emergency Windows update for processor security bugs - The Verge

Quote

Microsoft is issuing a rare out-of-band security update to supported versions of Windows today. The software update is part of a number of fixes that will protect against a newly-discovered processor bug in Intel, AMD, and ARM chipsets. Sources familiar with Microsoft’s plans tell The Verge that the company will issue a Windows update that will be automatically applied to Windows 10 machines at 4PM ET / 1PM PT today.

The update will also be available for older and supported versions of Windows today, but systems running operating systems like Windows 7 or Windows 8 won’t automatically be updated through Windows Update until next Tuesday. Windows 10 will be automatically updated today.

Just checked and no updates here, Windows 10, 64bit, Version 1709.

[crp]

no updates showing up by me either - 7,10 and server12r2.

also, settle down people. don't fall for the hype. and if you insist on being worried about this, your IoT devices are the things to be worried about as ARM is just as vulnerable as the rest to the biggest 'threat'.

Edited by crp, 04 January 2018 - 05:04 AM.

[Corrine]

As Graham Cluley says, Spectre? Meltdown? F*CKWIT? Calm down and make yourself some tea.  

[crp]

Corrine, on 04 January 2018 - 11:52 AM, said:

As Graham Cluley says, Spectre? Meltdown? F*CKWIT? Calm down and make yourself some tea.  

i am going to give that podcast a shot, so far i am impressed.
to the current point, i appreciate his post. I've seen a ton of "sky is falling , we are all going to die" but next to nothing in

• how can a device get probed,
  
• how likely is it to succeed,
  
• how much needs to be known in advance to make the probe,
  
• how much needs to be known if 'paydirt' was hit.

[Corrine]

Due to the probability of resulting in BSOD's and an unrecoverable PC, Microsoft is not releasing the patch until the appropriate registry key is added by the A/V. For a table showing the latest from the Meltdown AV spreadsheet tracker see CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre) Windows antivirus patch compatibilityhttps://docs.google....haring&sle=true.

[Corrine]

From Meltdown Mitigation - Malwarebytes Endpoint Protection - Malwarebytes Forums:

Quote

For now, users with MB3 based software installed and registered with Windows Action Center will not be able to receive any MS updates automatically, starting with the Jan. 2018 update. You can either apply the update manually or set the Malwarebytes action center setting to "Never register Malwarebytes in Windows Action Center" so that the MS update can apply automatically. Only Windows 10 and Server 2016 have patches.

[raymac46]

BTW MalwareBytes has now fixed their issues and the patch will apply when Microsoft makes it available.
While this is indeed a serious flaw it is probably broadly based but may be quite shallow in its impact. The average user with Intel won't see a big performance hit with the patch and AMD machines are mostly unaffected.
For the home user to be affected by any exploit they would have to be as stupid as anyone who doesn't have proper AV/Malware protection or clicks on email attachments and/or visits dodgy websites. And no exploit has been seen as yet.
It's a bigger problem for VMs in the cloud and server networks.
This looks like a good news item to be exploited by fake malware and scareware jockeys: "Your machine has been affected by the Meltdown virus!!!!! Call 1-800-IMA-DOPE for more information!!!!"

Edited by raymac46, 06 January 2018 - 10:36 AM.

[V.T. Eric Layton]

Not just Intel chips...

https://thehackernew...nerability.html

[raymac46]

Here is the AMD situation:

https://www.amd.com/...ative-execution

In summary:
Spectre 1 is patched or will be by the O/S guys.
Spectre 2 has a pretty remote chance of happening with AMD.
Meltdown doesn't affect AMD.

After all those years of feeling like a fool buying AMD while Intel was eating its lunch, maybe we fanbois have some perverse vindication. Don't want to gloat though.

[V.T. Eric Layton]

I was AMD before AMD was cool.

[goretsky]

Hello,

Here's something I wrote at work:  Meltdown and Spectre CPU Vulnerabilities: What You Need to Know.

I've been updating it with information about affected (and unaffected) vendors as I find them.  Currently at 57 158 200+.

Regards,

Aryeh Goretsky

Edited by goretsky, 16 January 2018 - 03:19 AM.
embiggened the number

[Corrine]

Cheers for ESET who was among the first to add the reg key!

From Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key:

Quote

According to an update added this week, Microsoft says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches.

As explained by Kevin Beaumont in Important information about Microsoft Meltdown CPU security fixes, antivirus vendors and you:

Quote

There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes. To be honest, some of the techniques are similar to ones used by rootkits — Kernel Patch Protection was introduced by Microsoft a decade ago to combat rootkits, in fact. Because some anti-virus vendors are using very questionable techniques they end up cause systems to ‘blue screen of death’ — aka get into reboot loops.

Check this list to see if your A/V requires a manual registry key setting:  Important information about Microsoft Meltdown CPU security fixes, antivirus vendors and you.  If so, Bleeping Computer has created a reg file that can be used.  See the article at Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key.  The file is at the bottom of the article but be sure to read the entire article first.  You can also check the status with PowerShell (See How to Check and Update Windows Systems for the Meltdown and Spectre CPU Flaws).

Microsoft Support Page:  Important: January 3, 2018, Windows security updates and antivirus software

[ebrke]

EDIT: As of a few minutes ago, reg key was created by ESET.

No registry key on mother's windows machine running ESET Smart Security. Everything is up-to-date according to ESET ABOUT screen. I'm wondering what's going on.

Edited by ebrke, 09 January 2018 - 09:08 PM.

[Corrine]

Intel Corp. admits security patches for Meltdown and Spectre flaws have bugs while AMD says its chips are vulnerable to both Spectre variants - Silicon Valley Business Journal

Quote

Santa Clara-based Intel Corp.  is quietly urging its biggest data center customers to hold off on  installing the company’s latest security patches for the Spectre and  Meltdown chip flaws, because the patches have bugs that could cause  unexpected system reboots, The Wall Street Journal reports.
In a public post  Thursday, Intel executive Navin Shenoy confirmed the issue, saying “a  few customers” running Intel’s older Broadwell and Haswell chips had  experienced higher-than-normal system reboots.
“We are working quickly with these customers to understand, diagnose and address this reboot issue,” he wrote.

[Corrine]

List of Links: BIOS Updates for the Meltdown and Spectre Patches:

Quote

As Intel, AMD, and other CPU manufacturers have started releasing CPU microcode (firmware) updates for processor models affected by the Meltdown and Spectre patches, those updates are trickling down to OEMs and motherboard vendors, who are now integrating these patches into BIOS/UEFI updates for affected PCs.

While not all vendors have patches available for vulnerable products right away, most have promised updates in the following months.

Bleeping Computer will be updating the list as more information becomes available.

[Corrine]

Included in CPU vulnerabilities exploited by Meltdown and Spectre and updated as additional information becomes available are 210 vendor security advisories; computer emergency, incident, and security response team reports issued from around the world and more  by Aryeh Goretsky.

[Corrine]

Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners:

Quote

As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We  have now identified the root cause for Broadwell and Haswell platforms,  and made good progress in developing a solution to address it. Over the  weekend, we began rolling out an early version of the updated solution  to industry partners for testing, and we will make a final release  available once that testing has been completed.

Based on this, we are updating our guidance for customers and partners:

• We recommend that OEMs, cloud service providers, system  manufacturers, software vendors and end users stop deployment of current  versions, as they may introduce higher than expected reboots and other  unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.
  
• We ask that our industry partners focus efforts on testing early  versions of the updated solution so we can accelerate its release. We  expect to share more details on timing later this week.
  
• We continue to urge all customers to vigilantly maintain security best practice and for consumers to keep systems up-to-date.

[Corrine]

For anyone using an older Mac OS:  Apple issues Meltdown and Spectre fixes for older Mac operating systems

[Temmu]

the worst part of this disaster is that intel, google, & microsoft all withheld vital information for 6 months from other major vendors such as amazon, major isps, major streaming video vendors, who only could get together after the fact (after jan 3). their input may have been valuable and prevented a lot of blue-screen windows machines.

[zlim]

There is a new patch from MS, only available through the catalog for all versions of Windows KB 4078130 that undoes the buggy patch.
My question is, if you have a computer that either suffers from a BSOD and/or a reboot loop, how are you supposed to apply this patch to fix it?

I'm afraid to install ANY of the January patches because I don't need borked computers.

[ebrke]

Quote

I'm afraid to install ANY of the January patches because I don't need borked computers.

That's the way I feel. My mother's laptop is one of her mainstays for amusement since she rarely gets out of the house any more, and I can't take the chance of disabling it. As it is, I spent most of Saturday cleaning up after MB and something she had apparently downloaded accidentally that I'm pretty sure was malware. Luckily, it couldn't install since she's on a limited user account. I have her FF up to date with latest patches, and I did install NoScript since Java Script seems to be the area of highest risk. I'm just not willing to install anything now.

[goretsky]

Hello,

The companies involved were working on patches to correctly resolve these issues.  The reason we are having so many issues now with buggy patches being released and then withdrawn is because the premature disclosure of information about the vulnerabilities caused the affected vendors to scramble and release patches that will hadn't been thoroughly tested.

Regards,

Aryeh Goretsky

Temmu, on 29 January 2018 - 12:42 AM, said:

the worst part of this disaster is that intel, google, & microsoft all withheld vital information for 6 months from other major vendors such as amazon, major isps, major streaming video vendors, who only could get together after the fact (after jan 3). their input may have been valuable and prevented a lot of blue-screen windows machines.

[Corrine]

Update on Spectre and Meltdown security updates for Windows devices - Windows Experience BlogWindows Experience Blog

See the referenced article for "Additional steps being taken to address Spectre and Meltdown vulnerabilities" and "Antivirus (AV) Software Compatibility".

Also see KB409000\7,  Intel microcode updates