Monroe Posted January 4, 2018

was: Security Flaws Disclosed Wednesday 03 Jan 2018

Quote

FRANKFURT/SAN FRANCISCO (Reuters) - Security researchers on Wednesday disclosed a set of security flaws that they said could let hackers steal sensitive information from nearly every modern computing device containing chips from Intel Corp <INTC.O>, Advanced Micro Devices Inc <AMD.O> and ARM Holdings.

One of the bugs is specific to Intel but another affects laptops, desktop computers, smartphones, tablets and internet servers alike. Intel and ARM insisted that the issue was not a design flaw, but it will require users to download a patch and update their operating system to fix.

“Phones, PCs, everything are going to have some impact, but it’ll vary from product to product,” Intel CEO Brian Krzanich said in an interview with CNBC Wednesday afternoon.

Researchers with Alphabet Inc's <GOOGL.O> Google Project Zero, in conjunction with academic and industry researchers from several countries, discovered two flaws.

The first, called Meltdown, affects Intel chips and lets hackers bypass the hardware barrier between applications run by users and the computer's memory, potentially letting hackers read a computer's memory and steal passwords. The second, called Spectre, affects chips from Intel, AMD and ARM and lets hackers potentially trick otherwise error-free applications into giving up secret information.

The researchers said Apple Inc <AAPL.O> and Microsoft Corp <MSFT.O> had patches ready for users for desktop computers affected by Meltdown. Microsoft declined to comment and Apple did not immediately return requests for comment.

Daniel Gruss, one of the researchers at Graz University of Technology who discovered Meltdown, called it "probably one of the worst CPU bugs ever found" in an interview with Reuters.

Gruss said Meltdown was the more serious problem in the short term but could be decisively stopped with software patches.
Spectre, the broader bug that applies to nearly all computing devices, is harder for hackers to take advantage of but less easily patched and will be a bigger problem in the long term, he said.

Speaking on CNBC, Intel's Krzanich said Google researchers told Intel of the flaws "a while ago" and that Intel had been testing fixes that device makers who use its chips will push out next week. Before the problems became public, Google on its blog said Intel and others planned to disclose the issues on Jan. 9.

The flaws were first reported by tech publication The Register. It also reported that the updates to fix the problems could cause Intel chips to operate 5 percent to 30 percent more slowly. (http://bit.ly/2CsRxkj)

Intel denied that the patches would bog down computers based on Intel chips.

"Intel has begun providing software and firmware updates to mitigate these exploits," Intel said in a statement. "Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time."

ARM spokesman Phil Hughes said that patches had already been shared with the companies' partners, which include many smartphone manufacturers.

"This method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory," Hughes said in an email.

AMD chips are also affected by at least one variant of a set of security flaws but that it can be patched with a software update. The company said it believes there "is near zero risk to AMD products at this time."

Google said in a blog post that Android phones running the latest security updates are protected, as are its own Nexus and Pixel phones with the latest security updates.
Gmail users do not need to take any additional action to protect themselves, but users of its Chromebooks, Chrome web browser and many of its Google Cloud services will need to install updates.

The defect affects the so-called kernel memory on Intel x86 processor chips manufactured over the past decade, The Register reported citing unnamed programmers, allowing users of normal applications to discern the layout or content of protected areas on the chips.

That could make it possible for hackers to exploit other security bugs or, worse, expose secure information such as passwords, thus compromising individual computers or even entire server networks.

Dan Guido, chief executive of cyber security consulting firm Trail of Bits, said that businesses should quickly move to update vulnerable systems, saying he expects hackers to quickly develop code they can use to launch attacks that exploit the vulnerabilities. “Exploits for these bugs will be added to hacker’s standard toolkits,” said Guido.

Shares in Intel were down by 3.4 percent following the report but nudged back up 1.2 percent to $44.70 in after-hours trading while shares in AMD were up 1 percent to $11.77, shedding many of the gains they had made earlier in the day when reports suggested its chips were not affected.

It was not immediately clear whether Intel would face any significant financial liability arising from the reported flaw.

"The current Intel problem, if true, would likely not require CPU replacement in our opinion. However the situation is fluid," Hans Mosesmann of Rosenblatt Securities in New York said in a note, adding it could hurt the company's reputation.

https://www.yahoo.com/news/design-flaw-found-intel-chips-fix-causes-them-152935477--finance.html

...
Monroe Posted January 4, 2018

Microsoft issues emergency Windows update for processor security bugs

Quote

Microsoft is issuing a rare out-of-band security update to supported versions of Windows today. The software update is part of a number of fixes that will protect against a newly-discovered processor bug in Intel, AMD, and ARM chipsets. Sources familiar with Microsoft’s plans tell The Verge that the company will issue a Windows update that will be automatically applied to Windows 10 machines at 5PM ET / 2PM PT today.

The update will also be available for older and supported versions of Windows today, but systems running operating systems like Windows 7 or Windows 8 won’t automatically be updated through Windows Update until next Tuesday. Windows 10 will be automatically updated today.

While Microsoft is quickly addressing the issues, the fixes will also rely on firmware updates from Intel, AMD, or other vendors that are rolling out. Some anti-virus vendors will also need to update their software to work correctly with the new patches, as the changes are related to Kernel-level access.

The firmware updates and software patches could cause some systems to run slower. Sources familiar with the situation tell The Verge that Intel processors that are based on Skylake or newer architecture won’t see a significant performance degradation. However, older processors could slow down more significantly due to the firmware and software updates. Intel says any slow downs will be “workload-dependent,” but the company has not expanded on how this will affect older machines.

Microsoft is also planning to update its cloud-based servers with the latest firmware and software patches, and these updates are rolling out now. The Verge understands that Google is planning to document and disclose the security flaws in processors at 5PM ET today.
The exact bug appears to be related to the way that regular apps and programs can discover the contents of protected kernel memory areas. Kernels in operating systems have complete control over the entire system, and connect applications to the processor, memory, and other hardware inside a computer. There appears to be a flaw in modern processors that let attackers bypass kernel access protections so that regular apps can read the contents of kernel memory.

Software vendors like Microsoft and other Linux programmers are protecting against this by separating the kernel's memory away from user processes in what’s being called “Kernel Page Table Isolation.” Linux patches have been rolling out over the past month, and now Windows patches are being made available today.

Microsoft has confirmed the Windows update in a statement:

We're aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.

https://www.theverge.com/2018/1/3/16846784/microsoft-processor-bug-windows-10-fix

...
Monroe Posted January 4, 2018

Early Data Shows Linux Update to Fix Intel Security Flaw Hits Performance Hard
By Joel Hruska on January 3, 2018
https://www.extremetech.com/computing/261420-early-data-shows-linux-update-fix-intel-security-flaw-hits-performance-hard

Critical Intel security patch will slow PCs, servers and Macs
http://www.computerweekly.com/news/450432564/Critical-Intel-security-patch-will-slow-PCs-servers-and-Macs

"The impact of the flaw is potentially huge because Intel’s microprocessors are found in millions of internet and corporate servers as well as business and consumer PCs, with the performance degradation of the security patches potentially as much as 30%, according to The Register. This means if a server has the capacity to support 100 users, this could drop to 70 after the software updates are applied."

...

Edited January 4, 2018 by monroe
Tripredacus Posted January 4, 2018

An interesting note in there that this issue does not affect AMD CPUs (Ryzen comes out on top?) but putting in the patches to computers with AMD CPUs will slow them down just the same. Seems like it could be a nightmare for anyone using Windows 10 on a Ryzen... if (at least) the linux patches are CPU agnostic, you wonder if MS will make it so only PCs with Intel and ARM CPUs will get (or be able to be) updated with these specific fixes.

5 hours ago, monroe said:
AMD

But according to this, it is not:
https://lkml.org/lkml/2017/12/27/2

Is it all just a bunch of FUD to lump AMD into this issue or has anyone been able to replicate it on their CPUs?

EDIT: topics merged and title changed.
Luxman Posted January 5, 2018

And in other news.....
Monroe Posted January 5, 2018

Just reading this ... looks like Intel has it covered ... I hope this will be the case.

https://www.pcworld.com/article/3245508/components-processors/intel-responds-to-the-cpu-kernel-bug.html

Intel responds to the CPU kernel bug, claiming its patches will make PCs 'immune'

Intel said the patches for the CPU vulnerability, due next week, would bring a negligible performance hit to the average user. Claiming that the patches can make PCs "immune" from the vulnerabilities is a first, though.

By Mark Hachman
Senior Editor, PCWorld | Jan 4, 2018

(Editor's Note: Intel has now provided a list of the affected processors, as well as when it first learned of the problem.)

Intel said Thursday that by next week, the company expects to have patched 90 percent of its processors that it released within the last five years, making PCs and servers "immune" from both the Spectre and Meltdown exploits, the company said.

Intel's announcement was the latest update in an ongoing fight to patch microprocessors against a pair of vulnerabilities released this week. The company said that it had already released updates "for the majority" of its chips released in the last five years, and would hit the 90 percent mark next week. The updates are being released as firmware updates and software patches.

Right now, there are two areas of concern for the Spectre and Meltdown vulnerabilities, which we've described in more detail in a separate FAQ. First, there's the security concerns: both vulnerabilities allow an attacker to peer into privileged data that normally is concealed. There's also a worry that any patches will slow down PCs as a result, though Intel has maintained that the average user will be only slightly affected.

What this means: At this point, we know that major chip and operating system vendors are aware of the problem and working to release fixes.
The first should probably arrive as part of Microsoft’s Patch Tuesday, or earlier. What’s unclear is how many different types of software and CPU architectures the patches will affect, and the amount of performance (if any) that PCs will suffer as a result. It’s a very complicated issue, so we’ve created an Intel CPU kernel bug FAQ that breaks down all the info we know in clear, easy-to-read language to help you wrap your head around it.

How we got here

If you think both Spectre and Meltdown were new to Intel -- no, they're not. In a FAQ published Thursday, Intel said it was aware of the problem in June 2017.

"In this case, the security researchers presented their findings in confidence, and we and other companies worked together to verify their results, develop and validate firmware and operating system updates for impacted technologies, and make them widely available as rapidly as possible," the company said.

During a conference call Wednesday afternoon, Intel shed more light on the CPU kernel vulnerability, now being referred to as a “side channel analysis exploit.” Expect to see patches roll out to address the flaw over the next several weeks, Intel executives said. The performance impact of the patches is expected to be at frustrating levels, somewhere between 0 and 30 percent, though “average” PC users are expected to see little impact.

To the question of which Intel microprocessors are affected: it's pretty much all of them. Here's the complete list, as published by Intel.

Intel Core i3 processor (45nm and 32nm)
Intel Core i5 processor (45nm and 32nm)
Intel Core i7 processor (45nm and 32nm)
Intel Core M processor family (45nm and 32nm)
2nd generation Intel Core processors
3rd generation Intel Core processors
4th generation Intel Core processors
5th generation Intel Core processors
6th generation Intel Core processors
7th generation Intel Core processors
8th generation Intel Core processors
Intel Core X-series Processor Family for Intel X99 platforms
Intel Core X-series Processor Family for Intel X299 platforms
Intel Xeon processor 3400 series
Intel Xeon processor 3600 series
Intel Xeon processor 5500 series
Intel Xeon processor 5600 series
Intel Xeon processor 6500 series
Intel Xeon processor 7500 series
Intel Xeon Processor E3 Family
Intel Xeon Processor E3 v2 Family
Intel Xeon Processor E3 v3 Family
Intel Xeon Processor E3 v4 Family
Intel Xeon Processor E3 v5 Family
Intel Xeon Processor E3 v6 Family
Intel Xeon Processor E5 Family
Intel Xeon Processor E5 v2 Family
Intel Xeon Processor E5 v3 Family
Intel Xeon Processor E5 v4 Family
Intel Xeon Processor E7 Family
Intel Xeon Processor E7 v2 Family
Intel Xeon Processor E7 v3 Family
Intel Xeon Processor E7 v4 Family
Intel Xeon Processor Scalable Family
Intel Xeon Phi Processor 3200, 5200, 7200 Series
Intel Atom Processor C Series
Intel Atom Processor E Series
Intel Atom Processor A Series
Intel Atom Processor x3 Series
Intel Atom Processor Z Series
Intel Celeron Processor J Series
Intel Celeron Processor N Series
Intel Pentium Processor J Series
Intel Pentium Processor N Series

Intel, whose processors were the focus of an initial report from The Register, said that both ARM and AMD, as well as several operating system vendors, have been notified of the vulnerability. The flaw was first discovered by Google’s Project Zero security team, says Intel, which Google confirmed. Two names, Spectre and Meltdown, are also being used to identify the vulnerabilities.

Intel said that it would issue its own microcode updates to address the issue, and over time some of these fixes will be rolled into hardware. At press time, Microsoft declined to comment on how it would proceed, though it is expected to release its own patches soon. Google, too, issued its own report on which of its products could be affected: These include Chrome and Android phones, though the latter will depend on how quickly phone makers roll out updates.

... more reading at the link to the article
https://www.pcworld.com/article/3245508/components-processors/intel-responds-to-the-cpu-kernel-bug.html

...
dencorso Posted January 5, 2018

Alex Ionescu has released a diagnostic tool: SpecuCheck!

Now... does it run on XPSP3? If not, can it be ported? Any volunteers?
Tripredacus Posted January 5, 2018

2 hours ago, monroe said:
2nd generation Intel Core processors
3rd generation Intel Core processors
4th generation Intel Core processors
5th generation Intel Core processors
6th generation Intel Core processors
7th generation Intel Core processors
8th generation Intel Core processors
What are these anyways?

They are only the CPUs in the i-3/5/7 range according to wikipedia.
https://en.wikipedia.org/wiki/Intel_Core

Look at the contents/index part to see the breakdown. But I thought articles were saying this issue goes back 20 years? So they are not going to offer 20 years worth of fixes or Intel says that CPUs older than the ones listed do not have the problem? Based on the list from Intel, it would seem that ... say Core 2 Quad Q6600 does not have the problem. What about Pentium 4?
dencorso Posted January 5, 2018

AFAICS, everything from Pentium Pro on is affected. "Speculative execution" is the keyword here. The rest is silence.
Tripredacus Posted January 5, 2018

So then we will not see fixes for legacy OS and likely even the patches we would see are for OSes in their support period or extended (paid) support period say for XP or Server 2003. If there ends up being a fix in XPe or POSReady2009, then this might be the way to get the update on desktop XP.

I wonder about the methods for exploiting this, is it going to be the usual "it won't work on W95 because you need to use some thing that doesn't work on the OS" ...

PS: added tags to the topic.
pointertovoid Posted January 5, 2018

2 hours ago, dencorso said:
AFAICS, everything from Pentium Pro on is affected. "Speculative execution" is the keyword here. The rest is silence.

Not necessarily. The weakness results from the CPU restoring imperfectly its state when an exception occurs. Speculative execution makes restoration difficult, but alone it doesn't imply a weakness. From Intel's list, the Core 2 for instance seems immune, with the design flaw beginning at Core i3/i5/i7. I trust Intel's list (...which can evolve) better than arbitrary claims from other sources, which often rely only on the presence of speculative execution, a very old feature indeed.

I wonder: exceptions occur much more frequently than after a violation of memory protection, including during legitimate operation of the OS and applications. If the restoration of state is faulty, then the CPU must introduce erroneous behaviour in the machine. This hasn't been observed before?
Monroe Posted January 5, 2018

4 hours ago, Tripredacus said:
Look at the contents/index part to see the breakdown. But I thought articles were saying this issue goes back 20 years? So they are not going to offer 20 years worth of fixes or Intel says that CPUs older than the ones listed do not have the problem? Based on the list from Intel, it would seem that ... say Core 2 Quad Q6600 does not have the problem. What about Pentium 4?

Exactly what I was thinking when I first read this ... I had first heard '10 years', then 20 years. I thought my Pentium M ThinkPads might be 'good to go' ... but not sure. I am also wondering if there will be a 'fix' for the older chips at some point.

...
jumper Posted January 5, 2018

SpecuCheck doesn't check for the vulnerabilities, it checks for a patch. No patch for Win<7, so no reason for a Win<7 SpecuCheck.

From https://github.com/ionescu007/SpecuCheck/blob/master/README.md:

SpecuCheck is a Windows utility for checking the state of the software mitigations against CVE-2017-5754 (Meltdown) and hardware mitigations against CVE-2017-5715 (Spectre). It uses two new information classes that were added to the NtQuerySystemInformation API call as part of the recent patches introduced in January 2018 and reports the data as seen by the Windows Kernel.

...

Microsoft released patches for Windows 7 SP1 and higher...[that] apply a number of software and hardware mitigations against these issues.

The enablement state of these mitigations, their availability, and configuration is...exposed to user-mode callers through an undocumented system call. SpecuCheck takes advantage of this system call in order to confirm if a system has indeed been patched (non-patched systems will fail the call) and what the status of the mitigations are, which can be used to determine potential performance pitfalls.
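
The check described in the README excerpt above, as an added example (not code from SpecuCheck or from anyone in this thread): query the two information classes and turn the status code and flag word into a verdict. The class numbers, NTSTATUS values and flag bit positions are assumptions taken from public Windows headers and documentation, the verdict names are hypothetical, and on non-Windows builds `query()` returns constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Assumed from public Windows headers/docs; none of these values are on the page. */
enum { CLASS_KVA_SHADOW = 196, CLASS_SPEC_CONTROL = 201 };
#define NT_OK                 0x00000000u
#define NT_UNSUCCESSFUL       0xC0000001u
#define NT_NOT_IMPLEMENTED    0xC0000002u
#define NT_INVALID_INFO_CLASS 0xC0000003u /* class unknown: kernel not patched */
#define KVA_ENABLED    (1u << 0) /* KvaShadowEnabled */
#define KVA_PCID       (1u << 2) /* KvaShadowPcid */
#define BPB_ENABLED    (1u << 0) /* BpbEnabled */
#define BPB_OFF_POLICY (1u << 1) /* BpbDisabledSystemPolicy */
#define BPB_OFF_NO_HW  (1u << 2) /* BpbDisabledNoHardwareSupport */

/* Hypothetical verdict names for this example. */
typedef enum { NOT_PATCHED, QUERY_ERROR, MITIGATION_OFF, OFF_BY_POLICY,
               NEEDS_FIRMWARE, ENABLED, ENABLED_NO_PCID } verdict;

/* Meltdown (CVE-2017-5754): state of kernel VA shadowing. */
verdict meltdown_verdict(uint32_t status, uint32_t flags)
{
    if (status == NT_INVALID_INFO_CLASS) return NOT_PATCHED;
    /* Assumption: patched kernel where shadowing is not active. */
    if (status == NT_NOT_IMPLEMENTED) return MITIGATION_OFF;
    if (status != NT_OK) return QUERY_ERROR;
    if (!(flags & KVA_ENABLED)) return MITIGATION_OFF;
    /* Without PCID, every user/kernel transition costs more TLB refills. */
    return (flags & KVA_PCID) ? ENABLED : ENABLED_NO_PCID;
}

/* Spectre (CVE-2017-5715): state of the branch prediction barrier. */
verdict spectre_verdict(uint32_t status, uint32_t flags)
{
    if (status == NT_INVALID_INFO_CLASS) return NOT_PATCHED;
    if (status != NT_OK) return QUERY_ERROR;
    if (flags & BPB_ENABLED) return ENABLED;
    if (flags & BPB_OFF_NO_HW) return NEEDS_FIRMWARE; /* OS patched, CPU support missing */
    if (flags & BPB_OFF_POLICY) return OFF_BY_POLICY;
    return MITIGATION_OFF;
}

const char *verdict_text(verdict v)
{
    static const char *const text[] = {
        "not patched", "query failed", "mitigation off",
        "disabled by system policy", "OS patched, firmware/microcode support missing",
        "enabled", "enabled without PCID (larger slowdown likely)" };
    return text[v];
}

/* Returns the NTSTATUS of the query and stores the first flag word. */
static uint32_t query(unsigned cls, uint32_t *flags)
{
    *flags = 0;
#ifdef _WIN32
    typedef LONG (WINAPI *query_fn)(ULONG, PVOID, ULONG, PULONG);
    query_fn q = (query_fn)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                          "NtQuerySystemInformation");
    /* Assumption: a 4-byte buffer, the January 2018 structure size. */
    return q ? (uint32_t)q(cls, flags, sizeof *flags, NULL) : NT_UNSUCCESSFUL;
#else
    /* Constructed sample: shadowing on without PCID, no microcode support. */
    *flags = (cls == CLASS_KVA_SHADOW) ? KVA_ENABLED : BPB_OFF_NO_HW;
    return NT_OK;
#endif
}

int main(void)
{
    uint32_t f = 0, s = query(CLASS_KVA_SHADOW, &f);
    printf("Meltdown: %s\n", verdict_text(meltdown_verdict(s, f)));
    s = query(CLASS_SPEC_CONTROL, &f);
    printf("Spectre:  %s\n", verdict_text(spectre_verdict(s, f)));
    return 0;
}
```
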

Dibya Posted January 6, 2018

15 hours ago, dencorso said:
Alex Ionescu has released a diagnostic tool: SpecuCheck! Now... does it run on XPSP3? If not, can it be ported? Any volunteers?

Your Request My Command

I attached a modified version for XP

SpecuCheck.exe
dencorso Posted January 6, 2018

I have downloaded the meltdown and spectre papers several times, inclusive from the wayback machine. When I open either in Adobe Reader 8.3.1 all I get is gibberish. IrfanView, OTOH, complains Ghostscript (v. 8.63) thinks the files are corrupted. The files say they're PDF v. 1.5, so the readers I'm using ought to be more than enough to read either... I'm baffled! What's going on? If those files were really corrupted, they'd've fixed it already? Please advise.