Meltdown and Spectre — Intel vs AMD status

 Computer, Desktop, Notebook  Comments Off on Meltdown and Spectre — Intel vs AMD status
Jan 192018
 

If you have a computer powered by an AMD processor, is your risk profile any different from someone with an Intel-powered PC? This Ars Technica article (January 18, 2018) summarizes the situation: “Meltdown and Spectre: Good news for AMD users, (more) bad news for Intel.”

Windows patches are fixed, but microcode updates are causing even more trouble.

Microsoft’s patches now work with newer and older AMD systems.

If you’re unfortunate enough to have installed the previous, bad update and now have a system that crashes on startup, you’ll still have to roll back the bad update before you can install the new one.

But Intel’s firmware patches remain an issue for several generations of their processors (something that will perplex the typical PC user).

The short article concludes with a perspective on what action really is practical for most of us with older PCs.

What this means is that if you’re lucky enough to have a system that is still being supported with firmware updates from its manufacturer—because let’s be honest: good luck getting any firmware updates for any consumer PC or motherboard that’s more than about 18 months old—you probably shouldn’t install the firmware anyway. Unless, that is, you’re in a high risk category such as a cloud host or VPS provider, in which case you’ll just have to install it anyway, because the consequences of not upgrading are probably worse than the consequences of upgrading.

Patches for Spectre — impact on your iPhone?

 Computer, Phone, Tablet  Comments Off on Patches for Spectre — impact on your iPhone?
Jan 172018
 

Much in the media still about global computer security vulnerabilities Meltdown and Spectre. Apple, among other companies, released patches to mitigate the risks. This PC World article (January 16, 2018) summarizes the situation for Apple’s mobile devices — your iPhone: “Apple’s iOS 11.2.2 Spectre patch probably won’t slow down your iPhone, but here’s what to do if it does.”

Last week Apple pushed out iOS 11.2.2, which seeks to mitigate the risks associated with the Spectre chip flaw via a security update to Safari and Webkit. Since a Spectre attacker is most likely to attack your system via a Javascript vulnerability, Apple has addressed the issue in iOS 11.2.2 to make your system more secure.

The patch doesn’t actually fix the issue, however, and it’s unlikely Apple will ever release an iOS update that will. While researchers and programmers are actively working on ways to reduce the likelihood that your iPhone will ever be exploited using the Spectre flaws, Apple and others have made it clear that these are merely mitigations and not outright fixes.

We tested an iPhone 6 with an original battery both before and after installing iOS 11.2.2, and the results were much more in line with what Apple told us. … That’s roughly a 2.5-percent performance hit …

If your iPhone’s performance feels different, the article reocmmends:

  • Restarting
  • Checking storage
  • Resetting Safari’s cache
  • (Temporarily) disabling Javascript
  • Checking the battery for possible replacement
Jan 052018
 

Much in the media this week about an industry-wide problem with all devices using Intel processors — CPU chips, and perhaps those from other manufacturers as well. A security vulnerability: Meltdown and Spectre. It’s like Dorothy, the Tin Man and the Scarecrow walking through the dark forest in the 1939 classic The Wizard of OZ and chanting “Lions and tigers and bears, oh my!”

PC World’s been covering this situation with a bunch of articles. Here’re a few links:

Massive security vulnerabilities in modern CPUs are forcing a redesign of the kernel software at the heart of all major operating systems. Since the issues—dubbed Meltdown and Spectre—exist in the CPU hardware itself, Windows, Linux, Android, macOS, iOS, Chromebooks, and other operating systems all need to protect against it. And worse, plugging the hole can negatively affect your PC’s performance.

Everyday home users shouldn’t panic too much though. Just apply all available updates and keep your antivirus software vigilant, as ever. If you want to dive right into the action without all the background information, we’ve also created a focused guide on how to protect your PC against Meltdown and Spectre.1

Intel said the patches for the CPU vulnerability, due next week, would bring a negligible performance hit to the average user. Claiming that the patches can make PCs “immune” from the vulnerabilities is a first, though.

Intel may have dominated most of the news surrounding the kernel bug in processors, but it’s not just Windows and Macs that are at risk. In addition to Meltdown, there is also a “branch target injection” bug called Spectre that affects mobile ARM processors found in iOS and Android phones, tablets, and other devices that could also expose your data. Here’s everything we know about it so far.

We’ve been waiting to hear from Apple ever since we first heard about the far-reaching Meltdown and Spectre CPU flaws earlier this week, and the company has finally responded with some not-so-good news: All Mac and iOS devices are affected. That’s right, all of them. However, Apple ensures us there’s no reason to panic.

So, the bottom line is that this vulnerability is serious. Lots of manufacturers of the hardware and software that make your devices run are working on the fixes. Some patches already have been released. So, just be ready for the updates. It’ll take time for everything to settle down. The major concern is impact on performance. Ironically, the vulnerabilities were a result of long-standing techniques to improve performance. As PC World stated:

“We feel your pain. But security trumps performance, so we’d rather our PCs be a little slower than exposed to hackers.”

In summary:

  • Update your operating system
  • Check for firmware updates
  • Update your browser
  • Keep your antivirus active

 

[1] That PC World article notes that:

  • Microsoft pushed out an emergency Windows patch [Windows 10 ‘1709’ edition KB4056892 patch] late in the day on January 3.
  • Apple quietly worked Meltdown protections into macOS High Sierra 10.13.2, which released in December. [Also iOS 11.2.]
  • Intel also released a detection tool that can help you determine whether you need a firmware update.
  • The major PC web browsers have all issued updates as a first line of defense against nefarious websites seeking to exploit the CPU flaw with Javascript.
  • The Google researchers who discovered the CPU flaws say that traditional antivirus wouldn’t be able to detect a Meltdown or Spectre attack. But attackers need to be able to inject and run malicious code on your PC to take advantage of the exploits. Keeping security software installed and vigilant helps keep hackers and malware off your computer.

UPDATE: I haven’t tried Intel’s detection tool, but today (January 17, 2018) Senior Editor Brad Chacos at PC World published an article about a 3rd-party tool which checks whether your system has been patched to protect against the flaws: “Is your PC vulnerable to Meltdown and Spectre CPU exploits? InSpectre tells you.”

Gibson Research recently released InSpectre, a wonderfully named, dead simple tool that detects if your PC is vulnerable to Meltdown and Spectre.

InSpectre is a small 122 KB program that doesn’t need a formal install and scans your computer for Meltdown and Spectre susceptibility in mere milliseconds. When it’s done, the program pops up with clear, easy-to-read information about the security status of your system.

This is the sort of software Microsoft or Intel should have released to help clarify the murky, convoluted patching situation around this devastating duo of CPU exploits.

Personally, I’ll wait for these tools to evolve further.