Giveaway of the Day Forums

1. 

   mikiem2
   Moderator

   Meltdown and Spectre are two new *potential* security vulnerabilities that effect most people using computers, and they're at the center of controversy that's likely to last for years. The main reason for the controversy is that the proposed fixes cost CPU performance -- we won't know for sure how much until those fixes have been widely deployed, but initial testing shows up to around 50%. Because there's several lawsuits coming, much [most?] of what you read today will include some amount of hype. A good source for links to info is:

   bleepingcomputer[.]com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/

   Windows users will get the Microsoft patch on Update Tuesday, depending on your security software. It's being pushed out to Windows 10 [& *possibly* to 8] since last Thursday -- the patch's release was pushed up because of press leaks -- depending on installed security software. Security software can make undocumented calls to Windows kernel that, after applying this patch can cause BSODs, so Microsoft has instructed security software companies to add a special flag to the registry when their installed software is compliant -- Windows Update will not push this patch if it does not see this key. [Preventing this key, maybe through a task &/or script, *might* be a way to avoid having this patch installed.]
   -----
   Windows Registry Editor Version 5.00

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat]
   "cadca5fe-87d3-4b96-b7fb-a231484277cc"=dword:00000000
   -----

   The update itself is available for Windows 10 at: catalog[.]update[.]microsoft[.]com/Search.aspx?q=kb4056892 . I assume it'll be available for other Windows versions next Tuesday or Wednesday. AMD CPUs are less effected than Intel's -- AMD has requested that any patches take this into account, and don't rob the same level of performance as with Intel CPUs, but AFAIK it's unknown whether or not Microsoft has complied with their request.

   Newer Intel CPUs are said to suffer less performance loss from the fixes -- I've read starting with CPUs released in both 2014 & 2015, so we'll probably have to wait for post-patch testing to know which CPUs suffer most. Intel has pushed out firmware patches, but realistically that doesn't matter unless you have a new device, since they have to be incorporated into firmware & released by hardware manufacturers, which won't happen with most hardware. The amount of performance lost depends on what you're doing -- some programs & operations are effected much more than others -- but again we'll wind up waiting for post-patch testing to be sure where the biggest hits lie.

   A small bit more on what it is...
   Making money fixing problems you yourself caused is an ancient scam. You can cross a fine line however, and do the same thing legally, by establishing a threat that has nothing to do with you or any actions that you might take. Few have mastered this better than many [most?] involved in computer-related security, where researchers effectively act as the R&D branch of cyber crime & spying. The basic idea they present is that if they can figure out a way to do something, so can cyber criminals, so you need to pay them to always stay a step ahead. The question few ask these folks however, is: "What makes you think that cyber criminals will in fact do as you say?" That's the weak point behind their argument, and one they're well aware of, so they take it a step further, producing tutorials & programs for cyber criminals to use, saying "Told ya" when that stuff's used as they intended.

   I believe that it was this mindset that led to the original idea around July, 2017, that it *might* be possible to access protected data from the CPU's memory cache, but the person alleged to have thought this up 1st couldn't get it to actually work. Building on what that person published, and with the same mindset, a Google researcher(s) came up with proof-of-concept code using a very limited set of CPUs & OSes, giving that info to Intel, Microsoft etc. This all was kept Very silent for the remainder of 2017, as Microsoft etc. worked on fixes, and Intel's CEO sold all the Intel stock he could. Microsoft trialed their patch with Insider builds of 10, planning to release patches for all supported Windows version 1/9/2018, when news of all this was published by the Register last week.

   Everything I've read says that no one has seen anything actually using these vulnerabilities, though at the same time detecting it would be extremely difficult. To take advantage of these vulnerabilities you need local access -- IOW Windows [or whatever OS, since all are effected] would have to already be compromised. And AFAIK, as it stands, no one has addressed publicly why anyone would want to use what really is [at this point] a very complicated method to achieve what they can already get now, once they've already compromised a Windows system. Theoretically it might make exploiting a VM more attractive, as a means of breaking out of that VM to access other VMs on the same host, with Microsoft & Amazon patching their cloud services last week accordingly -- to Many customer complaints it appears, with big slowdowns reported.

   Personally I wonder why individual Windows users are being made to suffer when, again AFAIK, no one's made that case as to why a cyber criminal would use an exploit taking advantage of these vulnerabilities in the first place, when most are doing just fine with current, easier, simpler scams. This is of course pending security researchers developing better methods & code for their *clients (?)*. There *may* be a way to exploit these vulnerabilities with JavaScript, so changes are coming to all brands of browsers, but hopefully that'll carry much less of a penalty than the Windows patching.

   Posted 6 years ago #
2. 

   litemotif
   Member

   Excellent analysis, Mike.

   Thank you.

   Posted 6 years ago #
3. 

   mikiem2
   Moderator

   BE CAREFUL IF YOU HAVE AN AMD CPU

   Neowin is reporting that the Windows Meltdown/Spectre patch is effectively killing some PCs running AMD CPUs -- they won't boot into Windows after the patch is applied. Since the patch does not create a restore point on its own, the currently recommended cure is apparently to reinstall Windows, blocking this patch as possible -- there are a few ways with win10 Home to block updates for at least a little while, though that approach is more ax than scalpel as needed updates won't be installed either.

   Contrary to what's been published, Microsoft is also pushing the patch out to win7 ahead of Update Tuesday, when it was supposed to appear -- I got it Sunday.

   ------

   Purely FWIW, thinking about this mess [*I Think/Hope*] logically... Odds are Intel's CPU design teams over the past decade have not been idiots. The missing safety checks that AMD uses were then likely a design choice rather than oversight, repeated over several CPU (re)designs or generations. For Intel's CPU designers/engineers to make that choice they would have to have thought it was reasonably safe, especially considering they increased security-related features with many new generations. They either didn't think anyone could come up with an exploit like Meltdown, that it wasn't possible, or that it wouldn't be worth the amount of work necessary to use the exploit. Since Microsoft did not push out their patch for months -- they knew about it mid-year, & had a patch at least by 11/17 -- to me that lack of urgency supports the idea that Meltdown wasn't worth the effort to cyber criminals.

   Microsoft has many times in the past refused to patch vulnerabilities that required local access, saying basically that if the system's already compromised, it's Game Over. The Windows patch for Meltdown is possibly a chance to kick Intel -- it's been reported that lots of folks at Microsoft are angry with Intel & this would be payback -- and probably the same sort of thing as stupid product warning labels, there to hopefully prevent Microsoft from being sued, & both Microsoft & Intel probably will be... lawsuits against Intel have already started.

   It's possible that exploits based on Meltdown are much more serious when Windows is running in a VM, & impractical elsewhere. If this speculation on my part is true, given the performance penalties of applying the patch, it then *should* be a matter of choice, but isn't because it's a chance to kick Intel, &/or Microsoft's lawyers made the decision, &/or Microsoft sees it as a way to gain favor with manufacturers, since this patch will mean more upgrades. It does increase their cloud services revenues, as Microsoft is telling its cloud customers to pay more for those services if they want/need previous levels of performance.

   Microsoft isn't being as agressive with the 2nd potential exploit, Spectre -- that would put them in the same place as Intel, having to redesign their products, in this case Windows. It will take more software development based on Meltdown & Spectre before anyone can say for sure that Meltdown is the more serious of the two -- just like any other software, what matters to the end user [in this case cyber criminals] is both ease of use & results. What I've read says Meltdown is potentially more serious, but a good part of that [maybe even all of it] may be hype pushed out by Microsoft to deflect attention from Windows flaws regarding Spectre.

   Posted 6 years ago #
4. 

   Robert
   StrayCat

   Thanks Mike.You really got us worried now. :)

   Do you happen to know if the Meltdown & Spectre patch is included in the latest 2018-01 Security Montly Quality Rollup?
   I'm running windows 7 right now and this 2O18-01 SMQR simply kills any effort to run or install Sandboxie,for compatibilty reasons.
   (uninstalling this 2018-01 SQMR and things are back to normal)

   So blocking updates for now.

   Posted 6 years ago #
5. 

   mikiem2
   Moderator

   Microsoft has stopped pushing updates out to devices with the effected AMD CPUs/boards, which are reported to be older Athlons & Semptrons, though I haven't seen any listing of exact models yet. Microsoft pushed this patch out to those on the Windows 10 Insider fast ring in 11/17 -- if you assume that some of the effected devices were used by some of the millions of Insiders, & also assume that Microsoft would have caught the problem then, it would be logical to figure the problems are with devices applying the win7 or 8 patches, but that's based on 2 assumptions that may or may not be valid. Microsoft claims that the problem is caused by inaccurate information they got from AMD.

   support[.]microsoft[.]com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices

   csoonline[.]com/article/3245770/security/spectre-and-meltdown-what-you-need-to-know-going-forward.html

   Originally Intel said that CPUs starting with the Haswell model or generation [2015] include PCID, which helps performance after patching. In an article addressing post-patch performance issues, Microsoft draws the line at Skylake [2016], saying earlier CPUs suffer more. Some articles that mentioned Haswell as being less effected have either been removed or had the Haswell info removed. The Microsoft article says most all performance slowdowns are caused by the parts of the patch dealing with Spectre, which also requires a bios [firmware] patch to be fully enabled. It's still Very early on for benchmarks, but it seems so far that the biggest hit to desktop PCs & laptops will be seen in hard drive performance, & it seems the patch has some effect, but the patch + bios update has more of an effect. As you might expect, Microsoft says win10 is less effected than earlier Windows versions.

   Servers OTOH seem to get hit hard... Microsoft is saying that for on-premises servers maybe you don't want to apply the patch, & should evaluate the balance between security & performance carefully. While gaming doesn't seem to be effected much on your PC, you might suffer playing on-line because of reduced game server performance.

   cloudblogs[.]microsoft[.]com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

   howtogeek[.]com/338269/a-huge-intel-security-hole-could-slow-down-your-pc-soon/

   guru3d[.]com/articles-pages/windows-vulnerability-cpu-meltdown-patch-benchmarked.html

   techspot[.]com/article/1554-meltdown-flaw-cpu-performance-windows/

   techspot[.]com/article/1556-meltdown-and-spectre-cpu-performance-windows/

   Meanwhile Nvidia has released GeForce 390.65 WHQL drivers to help mitigate against Spectre. Microsoft released an update for .NET on win7 that does not appear to be offered until the registry entry for security software compatibility is added -- then it's offered alongside the Meltdown/Spectre patch. Without that registry entry the Malicious Software Removal Tool, & what I suspect was a more minor .NET update were offered. Note that these are *my experiences* with Windows Update on our hardware, & mileage may vary.

   Posted 6 years ago #
6. 

   mikiem2
   Moderator

   Do you happen to know if the Meltdown & Spectre patch is included in the latest 2018-01 Security Montly Quality Rollup?

   Yes. And they don't break it down so you could remove/uninstall just the Meltdown/Spectre patch part of the roll-up. On the bright side at least you're in win7, so you can block this more easily than if you were running 10 Home.

   Posted 6 years ago #
7. 

   QunMang
   Member

   Originally Intel said that CPUs starting with the Haswell model or generation [2015] include PCID, which helps performance after patching. In an article addressing post-patch performance issues, Microsoft draws the line at Skylake [2016], saying earlier CPUs suffer more.

   Oh goody, my CPU is a Haswell. So much for not being as affected as on my older HP Dragon with Core2Extreme.

   Posted 6 years ago #
8. 

   mikiem2
   Moderator

   Both Meltdown & Spectre require code to be run on a target or victim device, but with Spectre it's feared that that code could be run by a web browser's Javascript engine. Browsers have been or will be patched to make that harder, but can't eliminate the threat. Microsoft has their Application Guard, available for Enterprise & Edu versions of 10, that's supposed to be included in the next win10 version. It can run their edge browser in a VM Container [less overhead than a regular VM], to better isolate it -- Google has something similar in development. It seems logical that they would try to include better protection from Spectre into these efforts, though this sort of thing [some sort of Virtualization] will probably use more of the device's resources.

   While it would probably be easier to write an Spectre exploit in Javascript that could run in a web browser, other software could be subverted as well, so protections need to be designed into the compilers that turn developers' code into actual software. That's where Google comes in...

   Meltdown & Spectre are a trio of related vulnerabilities, & to better protect against one of the 3, Microsoft's patch works alongside new firmware [CPU microcode], with the side effect of slowing things down. Google has developed a method of doing the same thing entirely in software, with hardly any performance penalty -- it's also been added to the compiler they use. That compiler is also used by Apple, & it's possible they use the same or similar mitigations entirely in software as well. We may/may not hear why Microsoft went the CPU firmware route, & they may or may not opt for something like Google's method in the future. I imagine Microsoft [& Amazon] will have to address the issue sooner or later, since their cloud customers are complaining, while Google reports it has yet to receive a post-patching performance-related complaint. But, according to an article at Ars Technica, Google's retpoline code may not work 100%.

   petri[.]com/protect-users-against-malicious-websites-using-windows-10-application-guard

   threatpost[.]com/experts-weigh-in-on-spectre-patch-challenges/129337/

   blog[.]google/topics/google-cloud/protecting-our-google-cloud-customers-new-vulnerabilities-without-impacting-performance/

   arstechnica[.]com/gadgets/2018/01/heres-how-and-why-the-spectre-and-meltdown-patches-will-hurt-performance/

   AMD is catching some heat from some quarters because those folks say AMD's initial response, that they were not effected, may have been misleading. While AMD's design is allegedly not vulnerable to Meltdown, they do have some vulnerability to Spectre, & have developed & are developing firmware patches, just like Intel. I haven't seen anything reporting the effects of Spectre patching on performance for AMD or Apple yet.

   I think that probably most people are not going to see any CPU firmware updates. I of course could be wrong. Motherboard manufacturers ship their boards with the bios chip(s) already programmed or flashed. They may or may not develop that programming in-house, and may or may not update that firmware -- if they do, it's pretty much only while the product is being sold, & to fix bugs. The staffing of the teams that develop that firmware change, perhaps with every project, so there may not still be anyone there familiar with the firmware used with older products. The bios firmware is also unique to each model of board, & existing firmware would have to be patched, applied, and then thoroughly tested, which is a Really Huge undertaking considering all the brands & models of boards produced over the last 10 years. There's also risk -- anything goes wrong, including user error, & the device is bricked, often without possibility of recovery -- that risk likely increases with the age of the hardware.

   That said, some companies order large volumes of identical PCs/laptops, & their suppliers may provide bios updates. In that case, people with the same brand & model refurbished corporate PCs & laptops *may* be able to get those bios updates too.

   One of the latest examples of an outraged press seem a bit silly to me... The Intel patches for the Haswell & Broadwell generation CPUs are apparently buggy, & while Intel is advising it's large corporate customers to hold off on bios updates for those chips, it hasn't made a similar announcement for individual users, sparking mumbles of coverup. This is something motherboard manufacturers should already be aware of, and they're the ones who would develop, test, & distribute bios updates, & they're the ones who would interact with their customers. If, that is, they were going to revisit their old product lines in the 1st place, & if they are, they'll start with current products & work their way backwards -- by that time the Intel patch code will most likely have been fixed.

   The impact on non-cloud-based Virtual Machines & their Host software seems uneven so far. Microsoft has said that they're applying fixes to Hyper-V, probably as it's related/connected to the software they use to handle VMs in their cloud. Google & Amazon use their own engines with their respective cloud services. The VirtualBox developers don't really have a communication channel with VBox end users, so it's likely a matter of just waiting until there's a new version & reading the release notes to see if Meltdown/Spectre are mentioned. VMWare has been issuing patches, but not much in the way of documentation.

   docs[.]vmware[.]com/en/VMware-Workstation-Pro/14/rn/workstation-1411-release-notes.html

   vinfrastructure[.]it/2018/01/meltdown-spectre-vmware-patches/

   Personally I expect that in some weeks time my wife's Lenovo 2-in-1 might get a bios update -- that will be the only device we own that is likely to get one. Since we 1st got it it's been hard drive bound -- using a slow hard drive, many, many times you just have to wait until it can finish reading/writing to that hard drive -- but so far haven't seen noticeable effects of the Windows patching. [By noticeable I mean something you'd notice without going looking for something specific, running benchmarks etc.]

   Our Beebox miniPC runs a Intel Celeron [N3150] with 8 GB RAM & an old SSD. It's generally only used to play Blu-ray video, and that seems unaffected after Windows 10 patching. My wife's PC uses an oldie but goodie 2600k Intel i7, and after patching it seems slower to start win7, but not so much win10 -- it's also hard drive bound, using a slower WD Green drive FWIW. The newer of my 2 win10 tablets uses an Intel Atom CPU & eMMC for disk storage, & disk image backup times roughly double -- otherwise performance seems roughly OK. The Opera browser now takes longer to open, while Firefox is now faster, but that could be the new version of Firefox. The other tablet, which uses an older Atom chip, has more problems with Opera, but didn't suffer longer backup times. I haven't noticed anything really on this PC, running an 4790K i7 -- if anything, transferring large files from one HDD to another *might* be just slightly faster. Running VBox in win7, win7 & 10 guests [VMs] seem about the same, though upgrading win10 Insider builds in a VM seemed to take much longer, which may be because they're pre-release, or may be because of more of the type of I/O that's hurt by the patching. Other than the longer upgrade/install time, performance seems normal with this latest Insider build.

   Posted 6 years ago #
9. 

   mikiem2
   Moderator

   Intel has now said that no one with any Intel CPU should update their device's bios until Intel releases a fixed patch -- the original Meltdown/Spectre patch they released is too buggy. Microsoft in turn has just released a small [24kb] patch that apparently makes a simple change to the registry to turn that portion of their Meltdown/Spectre patch off -- with it off Windows won't use that updated CPU microcode to avoid the crashing problems that have been reported. It *should* also restore the performance lost by adding that part of the Meltdown/Spectre patch. Running this latest patch I didn't see any dialog or any other indication that it was running. You could also copy/paste the following into a new .txt file in Notepad, saving the result, naming it [SomeName].reg, & double clicking it to make the changes to the registry.

   ------------

   Windows Registry Editor Version 5.00

   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]

   "FeatureSettingsOverride"=dword:00000001
   "FeatureSettingsOverrideMask"=dword:00000001

   -------------

   support[.]microsoft[.]com/en-us/help/4078130/update-to-disable-mitigation-against-spectre-variant-2

   support[.]microsoft[.]com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

   catalog[.]update[.]microsoft[.]com/Search.aspx?q=KB4078130

   Posted 6 years ago #

RSS feed for this topic

Reply

You must log in to post.