Meltdown and Spectre: ‘worst ever’ CPU bugs affect virtually all computers

This is true - if your computer is more than five years old, then you have two likely problems.

One is that your CPU does not contain the commands that mitigate one of the bugs (and I always get confused about which is which) without significant slowdowns.

The other problem is that of manufacturers abandoning support for older devices. I don’t really know what can be done about these, beyond the mitigations that your operating system puts in place. (Apparently these are extremely easy for Linux users.)

On the positive side, most modern (at least the last ten years, and quite possibly much earlier) motherboards permit flashing the BIOS from within your operating system. Back in the old days it was a terrifying prospect that involved much knowledge of the command line and the muttering of superstitious incantations in the hope that you didn’t brick your PC. Modern motherboards even include a ‘secondary’ or backup BIOS in case you break things.

Finally, it is important to note that no exploits have been seen ‘in the wild’ for any of the Spectre or Meltdown problems - and they will be difficult to exploit unless you install software or run a server. The biggest vulnerability exists in web servers that deal with multiple users at the same time, and in which one user’s session may be able to deduce the memory contents from another user’s session based upon the differing speed of various operations.

1 Like

"Researchers at malware and security software testing company AV-TEST have discovered 139 samples of malware that “appear to be related to recently reported CPU vulnerabilities.” Although most of the samples they discovered seem to be based on proof-of-concept software created by security researchers the number of unique samples is on the rise."

It went from 77 samples on Jan 17 to 119 samples on Jan 23, so things are speeding up.

This next one is a bit over the top with its “Hundreds” but still worth the read

and this "But detecting other exploits related to these chip vulnerabilities could prove extremely difficult. While Intel and AMD have said there is no evidence the flaws have been exploited in the wild, the researchers who discovered the chip vulnerabilities say it’s “probably not” possible for organizations or users to tell whether Meltdown and Spectre have been used against them.

“The exploitation does not leave any traces in traditional log files,” according to an FAQ on the Meltdown and Spectre research site."

““Most of the samples appear to be recompiled/extended versions of the POCs,” Marx said via email. “Interestingly, for various platforms like Windows, Linux and MacOS. Besides this, we also found the first JavaScript POC codes for web browsers like Internet Explorer, Chrome or FireFox in our database now.””

I also noticed that Intel at this time are only releasing patches for the last 5 years of affected CPUs and these are being sent to the various OEMs to then release to their users…so very reliant on OEMs being active in patching their boards.

2 Likes

Okay, I apparently misunderestimated the power of opportunity to drive hackers. Still, did you have to link to Lifehacker? I prefer Bruce’s take on these things.

By the way, how do you do the ‘box’ link thingy? (I may have asked this before, but now is as good a time as any to distract readers from my error.)

2 Likes

The box link just happens as part of the site mechanics. Put the full link in and if this site can it will produce a boxed link but it doesn’t do it for every site.

Why do I use Lifehacker, well I like some of the writing style, but I use a large variety of sites. Mr Security sometimes/lots of times gets wordy when I want a “quick punch” instead :-). But I will try to refrain from linking LH so much and use others.

My performance hit has been around 18% day to day. The stated generalised hit for most home PCs is around 2 to 14% but if you are doing CPU intensive stuff (I do a bit of it) the hit is generally much more. Most home PC users don’t tax their computers (and do not notice the hit) but some also do.

2 Likes

You don’t have to listen to my grouching when considering where to get your links - get your news wherever you prefer, and I will try to keep my mouth shut about my own preferences.

Mostly.

Sometimes?

1 Like


… not to be left out, AMD have developed their own set of ‘features’ …

Ryzenfall, Fallout, Chimera and Masterkey …

They sound interesting :wink: https://www.amdflaws.com/

4 Likes

Sometimes I think they do these things on purpose to generate ever new and profitable opportunities and include the costs of ‘fixing’ and liability in their business plans.

3 Likes

My other CPU:

Also has an attack vector:

Yeah you have to wonder. Perhaps it’s all a big game and we are the test case. If you notice dolphins leaving the planet in large numbers let me know please …

4 Likes

Are you channeling Douglas Adams perchance? :slight_smile:

2 Likes

More fixes …

… and some details … yeah, not fixing everything. No real surprises …

BUT we are “Advancing Security at the Silicon Level” - which I think means we realise how bad this publicity has been, we are doing new stuff like we should have done old stuff, and we will be doing more, and better-er … and stuff … oh, and security stuff … more of that too …

3 Likes

You can also consider the KRACK WiFi vulnerabilities. Then realise that nearly all devices first released more than two years ago are now scrap. It seems that all my perfectly working devices excluding my iPhone 8 are now just door stops. Why? Because none of them are getting updates for any of these risks. I’ve checked!

It’s great that this discussion is highlighting how the current solutions are progressing, or not? But what will be the end result?

Perhaps we also need to consider that not everyone will be able to cure for free! Should “Fit for Purpose” include a universal software maintenance obligation for a “reasonable useful life”? I’d suggest that is five years plus from date of purchase by my experience.

It would be useful to know what percentage of PCs, laptops, smart phones, smart TVs and IoT devices will never be updated. It would be useful to see a snapshot survey of Choice members to be able to put a cost on this, average per consumer.

I.e. the cost if we dumped all those at risk devices for new. It would be a massive cost and non-productive burden on our economy. Might be ok if you are Gerry Harvey or JB?

50% of 11 million households x 2.3 (mobile + tablet or laptop + smart tv + …) = $25 billion or maybe $50 billion, liberally adjusted down excluding labour. Have a guess!

PS: if you recognise the formula it’s the same one used for the NBN cost forecast. Attests that it is a reliable and accurate estimate.

4 Likes

The truffle-dogs have been working overtime …

4 Likes

Noted there are now a number of class actions proposed/pending including cloud service providers over the risks of exposure of their customers’ data.

And that Intel is now partnering with Microsoft to roll out firmware updates directly for Windows users. Intel is now bypassing hardware/OEM vendors whom it was previously relying on to provide the updates (unreliably?). Which may be good news where the manufacturer is no longer providing support. (Typically only 12 months, or for Sony PC owners who were dumped and sold off two years ago).

From: ITNEWS
By Juha Saarinen
May 4 2018
10:55AM
“C’T reported that one of the new vulnerabilities is a much more serious threat than the original Spectre bug, as it could be used to bypass virtual machine isolation from cloud host systems to steal sensitive data such as passwords and digital keys.”

Link to ITNEWS article

2 Likes

Zombieload (https://www.zdnet.com/article/how-to-test-mds-zombieload-patch-status-on-windows-systems/) has a new iteration called Zombieload v2 (https://www.zdnet.com/article/intels-cascade-lake-cpus-impacted-by-new-zombieload-v2-attack/). This new one affects Intel’s 10 series CPUs (and others released since 2013). Intel are releasing patches for the v2. If you can’t get the patch then MS have released an advisory on how to disable the affected Intel TSX instruction set. While these attacks are hard to enact by malicious parties they are still a risk that should be dealt with. If you are a home user the vulnerability may not be a great concern unless you use Hyper-V virtualisation.

From the v2 article linked above:

"While all the MDS attacks can allow attackers to run malicious code against an Intel CPU, attackers can’t control what data they can target and extract.

MDS attacks, while very much possible, are inefficient when compared to other means of stealing data from a target, an opinion that other security experts have also expressed in the past.

However, the fact that day-to-day malware gangs won’t bother exploiting something as complex as an MDS attack, or Zombieload v2, that doesn’t mean the vulnerabilities should be ignored. Applying these microcode updates should be a priority for everyone who manages critical infrastructure or cloud data centers.

If users don’t want to update and deal with a potential performance dip due to yet another patch for speculative execution attacks, Intel also recommending disabling the CPU’s TSX support, if not used".

MS Advisory:

https://support.microsoft.com/en-us/help/4530989/guidance-for-protecting-against-intel-processor-machine-check-error

1 Like
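For Linux machines, the kernel publishes its own mitigation status for Meltdown, Spectre, MDS (Zombieload) and the TSX issue as one-line files under `/sys/devices/system/cpu/vulnerabilities` (for example `meltdown`, `mds` and `tsx_async_abort`). The script below is an added example, not part of any post in this thread; the function names and the OK/PARTIAL/VULNERABLE/UNKNOWN labels are its own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the Linux kernel's own
# report of speculative-execution mitigations. Each file in the sysfs
# directory below holds a single status line for one issue.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE: print OK, PARTIAL, VULNERABLE or UNKNOWN.
# Labels are this example's own, not kernel terminology.
classify_status() {
    case "$1" in
        "Not affected"*)                echo OK ;;
        Vulnerable*)                    echo VULNERABLE ;;
        *Mitigation*"SMT vulnerable"*)  echo PARTIAL ;;
        *Mitigation*)                   echo OK ;;
        *)                              echo UNKNOWN ;;
    esac
}

# report_mitigations [DIR]: one line per issue; returns 0 only if all OK.
report_mitigations() {
    dir="${1:-$VULN_DIR}"
    if [ ! -d "$dir" ]; then
        echo "no vulnerability directory at $dir" >&2
        return 2
    fi
    worst=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        line=
        IFS= read -r line < "$f" || true
        verdict=$(classify_status "$line")
        printf '%-20s %-10s %s\n' "${f##*/}" "$verdict" "$line"
        [ "$verdict" = OK ] || worst=1
    done
    return "$worst"
}

# Report on the live system when the kernel exposes the directory.
if [ -d "$VULN_DIR" ]; then
    report_mitigations "$VULN_DIR" || true
fi
```

A PARTIAL line means the kernel reports a mitigation as active but still flags hyper-threading (SMT) as exposed; a VULNERABLE line usually points to a missing kernel or microcode update.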

I mentioned it before and will say it again - the threat here is to servers rather than end users. If you have malware on your machine you have already lost the battle. It should not matter if you use virtualisation, unless you rent out bits of your computer to other users who may be malicious.

The other thing to note is that disabling the functions that are affected by these issues greatly reduces your computer’s performance - 20% or more are the figures I have been hearing.

While in general I am extremely keen to ensure systems are secure, there are occasions when the benefits are not worth the pain. This is, I suggest, one of those unless you are responsible for maintaining web-facing servers.

2 Likes

The TSX support can just be disabled and there shouldn’t be any or very little performance hit. This is probably more useful as a home user as most don’t use Hyper-V anyway.

2 Likes

Except where an end user is using some kind of sandboxing.

A special case of that - applicable to a home user - would be running Microsoft Windows in a VM for one legacy application that you can’t get rid of, while running everything else in Linux in a separate VM. Some of these vulnerabilities have the potential to break that separation. However there are now so many speculative execution vulnerabilities that I wouldn’t like to say which ones can break out of a VM and which ones can’t.

Needless to say that in this day and age, a threat to a server is a threat to an end user. A very large amount of our private data is stored on servers. Our employment may depend on the correct operation of servers. So while it may not be our problem to fix, it is still our problem.

I don’t think any users really have the option of not installing the fix. If you insist on staying on the current Intel microcode then sooner or later you will be forced to upgrade by some other vulnerability or other bug that really does directly impact your home computer even in simple usage scenarios. It is not as if you can fork or branch Intel’s microcode so that you can pick and choose which fixes you take.

2 Likes

It looks like TSX is used for coordinating multiple cores. If you have a highly parallelised algorithm, designed to use lots of cores simultaneously and correct operation of the algorithm requires frequent synchronisation between cores then you might notice the hit. For general tasks probably not.

This kind of algorithm is often suggested as being the way of the future, as progress on the speed of an individual core flatlines.

2 Likes

Yes, but in the case of a server you are referring to one of those multitudinous threats that the average person can do nothing to diminish. Patching this fault on your home computer will not reduce the threat to you.

Again, if you have bad software on your machine you are already in major trouble. The speculative execution set of bugs - I mean intentional design decisions that have major flaws - do nothing to change that, except for making a black hat’s task more difficult than if they have other tools at their disposal and installed on your machine.

2 Likes