Intel Kernel Memory Leak

Thread Starter

Raymond Genovese

Joined Mar 5, 2016
1,653
Seems to me that when they talk about "changing the microcode" on the chip, then everything you do now, with the chip that you already have, is going to be a patch. If those patches are successful with a minimum of performance decreases, then I am as fine as I can be.

I fear that the "new" chips will have "new" price tags and that retailers will have a glut of older "vulnerable chips"....maybe at decreased prices, maybe not....maybe we are not far from "not vulnerable to ___" when you buy a system.

But, I may not be understanding.... to me, the "microcode" is within the chip - to put it down to my level - it is the code that allows an instruction like - INC A - to work. So, when I read.. from

nsaspook said:
https://cloudblogs.microsoft.com/mi...-and-meltdown-mitigations-on-windows-systems/

"Silicon Microcode Update ALSO Required on Host"

But I also read....

Silicon microcode is distributed by the silicon vendor to the system OEM, which then decides to release it to customers. Some system OEMs use Windows Update to distribute such microcode, others use their own update systems. We are maintaining a table of system microcode update information here. Surface will be updated through Windows Update starting today.

So, I am a bit confused on this point.
 

nsaspook

Joined Aug 27, 2009
16,330
Most modern x86 processors don't run the x86 CISC instruction set internally. Deep in the heart of each chip is usually a (very proprietary) RISC cpu with a much simpler and faster instruction set (uops). The 'microcode' translates x86 to this internal machine so it's possible to change execution behaviors within the limits of the microcode hardware by adding additional steps to mitigate hardware/architecture bugs (side effects of speculative execution, specifically branch prediction) software can't fix. There is a method to upload new microcode to existing chips but only the OEM has the (un)locking codes to encrypt the boot file in a manner the chip will accept during hardware boot.

AMD microcode update:
https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00004.html
This new firmware disables branch prediction on AMD family 17h processor to mitigate an attack on the branch predictor that could lead to information disclosure from e.g. kernel memory (bsc#1068032 CVE-2017-5715).
 

Thread Starter

Raymond Genovese

Joined Mar 5, 2016
1,653
nsaspook said:
Most modern x86 processors don't run the x86 CISC instruction set internally. Deep in the heart of each chip is usually a (very proprietary) RISC cpu with a much simpler and faster instruction set (uops). The 'microcode' translates x86 to this internal machine so it's possible to change execution behaviors within the limits of the microcode hardware by adding additional steps to mitigate hardware/architecture bugs (side effects of speculative execution, specifically branch prediction) software can't fix. There is a method to upload new microcode to existing chips but only the OEM has the (un)locking codes to encrypt the boot file in a manner the chip will accept during hardware boot.

AMD microcode update:
https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00004.html

Ok, this is starting to coalesce somewhat in my mind - but I am not feeling better about it, I am feeling worse. Can't help but think that OEM is going to mean SOL for many.
 

Thread Starter

Raymond Genovese

Joined Mar 5, 2016
1,653
At least here the main OEM is Intel with a huge bankroll of cash they want to keep.
So, let's say I have a Dell (actually what I am on now is not a Dell, but I have a Dell with XP), using a Genuine Intel processor and Genuine Windows. I can safely count on a patch released by Windows update?

What about a customized build - depends on the MB and chipset?

I guess this is what the database is all about?

What a freaking nightmare.
 

nsaspook

Joined Aug 27, 2009
16,330
New microcode and kernel released for Debian64.
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.14.0-3-amd64 root=UUID=507a02a9-bff0-40d2-aaa0-f688b8443bdf ro quiet
[ 0.000000] smpboot: Allowing 8 CPUs, 0 hotplug CPUs
[ 0.000000] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.14.0-3-amd64 root=UUID=507a02a9-bff0-40d2-aaa0-f688b8443bdf ro quiet
[ 0.023911] smpboot: Max logical packages: 2
[ 0.068000] smpboot: CPU0: Intel(R) Xeon(R) CPU E5410 @ 2.33GHz (family: 0x6, model: 0x17, stepping: 0xa)
[ 0.168065] smpboot: Total of 8 processors activated (37333.54 BogoMIPS)
[ 1.305849] microcode: sig=0x1067a, pf=0x40, revision=0xa0b
[ 1.305986] microcode: Microcode Update Driver: v2.2.
Patched... Passed the exploit test.
 
Last edited:
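
An added example, not part of any post in this thread: a small parser for the `microcode:` line in the dmesg excerpt above. It decodes the CPUID signature into family/model/stepping, cross-checks it against the `smpboot` line, and reports the loaded revision. The `min_revision` parameter is hypothetical; the thread gives no fixed-revision number, so it has to come from the vendor's advisory, and the line format is the one shown in the post (other kernel versions print it differently).

```python
import re

# Two lines copied from the dmesg excerpt in the post above.
DMESG = """\
[ 0.068000] smpboot: CPU0: Intel(R) Xeon(R) CPU E5410 @ 2.33GHz (family: 0x6, model: 0x17, stepping: 0xa)
[ 1.305849] microcode: sig=0x1067a, pf=0x40, revision=0xa0b
"""

MICROCODE_RE = re.compile(
    r"microcode: sig=(0x[0-9a-f]+), pf=(0x[0-9a-f]+), revision=(0x[0-9a-f]+)")
SMPBOOT_RE = re.compile(
    r"\(family: (0x[0-9a-f]+), model: (0x[0-9a-f]+), stepping: (0x[0-9a-f]+)\)")


def decode_signature(sig):
    """Split a CPUID leaf 1 EAX signature into (family, model, stepping)."""
    stepping = sig & 0xF
    model = (sig >> 4) & 0xF
    family = (sig >> 8) & 0xF
    if family in (0x6, 0xF):      # extended model bits apply
        model |= ((sig >> 16) & 0xF) << 4
    if family == 0xF:             # extended family bits apply
        family += (sig >> 20) & 0xFF
    return family, model, stepping


def microcode_report(dmesg_text, min_revision=None):
    """Report the loaded microcode revision and whether the signature
    agrees with the CPU the kernel identified at boot."""
    mc = MICROCODE_RE.search(dmesg_text)
    if mc is None:
        raise ValueError("no 'microcode: sig=...' line found")
    sig, pf, revision = (int(v, 16) for v in mc.groups())
    report = {"sig": sig, "pf": pf, "revision": revision,
              "cpu": decode_signature(sig),
              "matches_smpboot": None, "meets_minimum": None}
    cpu = SMPBOOT_RE.search(dmesg_text)
    if cpu is not None:
        booted = tuple(int(v, 16) for v in cpu.groups())
        report["matches_smpboot"] = booted == report["cpu"]
    if min_revision is not None:  # hypothetical value from a vendor advisory
        report["meets_minimum"] = revision >= min_revision
    return report


if __name__ == "__main__":
    print(microcode_report(DMESG))
```

A revision number on its own only says which microcode is loaded; whether that revision carries a given mitigation has to be checked against the vendor's published list for that exact signature.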

Natakel

Joined Oct 11, 2008
54
There is a utility to check for this vulnerability - but I have not used it myself yet. I'm going to when I get back home (I'm on an away).
I will not post a shortcut to it, as I am unsure of the forum rules for such. I'd imagine it's available on the Ashampoo site, among others.
I've read articles where AMD CPUs have indeed been affected, but I have no percentage stats on this - it's all anecdotal.

The utility is supposed to check for the vulnerability, and if found, will give details on how best to deal with it, according to the MajorGeeks site.

Ashampoo Spectre Meltdown CPU Checker 1.0.0


 

joeyd999

Joined Jun 6, 2011
6,305
nsaspook said:
New microcode and kernel released for Debian64.
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.14.0-3-amd64 root=UUID=507a02a9-bff0-40d2-aaa0-f688b8443bdf ro quiet
[ 0.000000] smpboot: Allowing 8 CPUs, 0 hotplug CPUs
[ 0.000000] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.14.0-3-amd64 root=UUID=507a02a9-bff0-40d2-aaa0-f688b8443bdf ro quiet
[ 0.023911] smpboot: Max logical packages: 2
[ 0.068000] smpboot: CPU0: Intel(R) Xeon(R) CPU E5410 @ 2.33GHz (family: 0x6, model: 0x17, stepping: 0xa)
[ 0.168065] smpboot: Total of 8 processors activated (37333.54 BogoMIPS)
[ 1.305849] microcode: sig=0x1067a, pf=0x40, revision=0xa0b
[ 1.305986] microcode: Microcode Update Driver: v2.2.
Patched... Passed the exploit test.

I installed the update today on my work PC: Ubuntu 16.04 LTS. Running normally, and I have not experienced any noticeable slowdowns in the course of my typical work.
 

nsaspook

Joined Aug 27, 2009
16,330
https://www.bleepingcomputer.com/ne...ustomers-to-not-install-spectre-bios-updates/
The Spectre & Meltdown mess continues with Dell now recommending their customers do not install the BIOS updates that resolve the Spectre (Variant 2) vulnerabilities. These updates have been causing numerous problems for users including performance issues, boot issues, reboot issues, and general system instability.

Due to this, Dell EMC has updated their knowledge base article with the following statement advising customers to not install the BIOS update and to potentially rollback to the previous BIOS if their computers are exhibiting "unpredictable system behavior".
 

nsaspook

Joined Aug 27, 2009
16,330
http://www.businessinsider.com/inte...-meltdown-proof-chips-coming-this-year-2018-1
Intel expects to begin shipping its first chips with built-in protection against the Meltdown and Spectre attacks later this year, company CEO Brian Krzanich said Wednesday.

The company has "assigned some of our very best minds" to work on addressing the vulnerability that's exploited by those attacks, Krzanich said on a conference call following Intel's quarterly earnings announcement. That will result in "silicon-based" changes to the company's future chips, he said.

"We've been working around clock" to address the vulnerability and attacks, Krzanich said. But, he added, "we're acutely aware we have more to do."
 

Thread Starter

Raymond Genovese

Joined Mar 5, 2016
1,653

nsaspook

Joined Aug 27, 2009
16,330
https://www.bleepingcomputer.com/ne...and-update-that-disables-spectre-mitigations/
Microsoft has issued on Saturday an emergency out-of-band Windows update that disables patches for the Spectre Variant 2 bug (CVE-2017-5715).

The update —KB4078130— targets Windows 7 (SP1), Windows 8.1, all versions of Windows 10, and all supported Windows Server distributions.

Microsoft shipped mitigations for the Meltdown and Spectre bugs on January 3.

Microsoft reacts to Intel statement
The company said it decided to disable mitigations for the Spectre Variant 2 bug after Intel publicly admitted that the microcode updates it developed for this bug caused "higher than expected reboots and other unpredictable system behavior" that led to "data loss or corruption."

As a response, Microsoft decided to disable Spectre Variant 2 mitigations until Intel develops a more stable fix.
 

nsaspook

Joined Aug 27, 2009
16,330
https://www.bleepingcomputer.com/ne...ack-can-extract-data-from-intel-sgx-enclaves/
A new variation of the Spectre attack has been revealed this week by six scientists from the Ohio State University. Named SgxSpectre, researchers say this attack can extract information from Intel SGX enclaves.

Intel Software Guard eXtensions (SGX) is a feature of modern Intel processors that allows an application to create so-called enclaves. This enclave is a hardware-isolated section of the CPU's processing memory where applications can run operations that deal with extremely sensitive details, such as encryption keys, passwords, user data, and more.
 

joeyd999

Joined Jun 6, 2011
6,305
Maybe because they could have included these protections years ago if they really cared about security.
Why so cynical?

Do you have evidence they knew these vulnerabilities existed years ago that they actively neglected to a) inform their customers and b) revise their new silicon?

Do you have evidence that they did not take security at the silicon level seriously until these exploits became known?

Do you think the NSA (and any other intelligence-based 3-letter acronym you can think of) did not review hardware security with their chosen vendors while developing their intelligence and data storage and access systems?

IMHO, Occam's razor applies here: the bad guys only need to be right once. The good guys -- 100% of the time.
 