Spectre and Meltdown — Intel patches progress

Mar 02, 2018
 

Yesterday, PC World posted some articles regarding progress in the continuing Spectre and Meltdown saga.

The fixed Spectre fixes are coming fast and furious now. Intel quietly pushed CPU firmware updates out for Haswell (4th-generation) and Broadwell (5th-generation) processors earlier this week, following in the footsteps of recent microcode patches for Skylake (6th-gen), Kaby Lake (7th-gen), and Coffee Lake (8th-gen) processors.

Don’t expect to see the updates immediately. They need to trickle down through hardware suppliers like Dell, HP, Lenovo, and Asus in the form of motherboard BIOS updates; you can’t grab it directly from Intel. If you own a laptop or prebuilt PC from a major manufacturer, keep an eye out for an available update.

The Spectre CPU firmware updates will affect your PC’s performance, though it varies wildly depending on your hardware, operating system, and tasks at hand.

Typically, patching Spectre and Meltdown mitigations have followed a traditional pattern: Microsoft patches Windows via Windows Update, antivirus companies like AVG have patched their antivirus software, and so on. Intel, too, authors patches, as it recently did for Haswell and Broadwell CPUs. But unlike Microsoft, Intel doesn’t directly ship those patches to end users—it uses its network of PC makers and motherboard vendors to distribute them, after the appropriate testing by each vendor.

What isn’t clear is whether Microsoft will also push out Intel’s microcode via Windows Update, its usual distribution mechanism for supplying patches. … Though neither Microsoft nor Intel clarified exactly why Microsoft is providing Intel’s microcode, the likely reason is to support smaller PC makers, and especially motherboard makers … [So, for the typical PC user this does not apply, eh.]

Processor designations like Coffee Lake, Kaby Lake, Skylake, Broadwell, Haswell, etc., don’t mean anything to most of us; so, basically all this news tells us is that Intel and Microsoft (among others) are continuing to work on patches for relatively new and somewhat older PCs.

Update 3-9-2018: Intel issues Meltdown/Spectre fixes for Ivy Bridge, Sandy Bridge as patch effort winds down

Intel’s revised patches for its Ivy Bridge [3rd gen] and Sandy Bridge [2nd gen] processor families have begun rolling out to address Spectre and Meltdown vulnerabilities. With the release of the new code, just a few older processor families remain in the patch queue.

By now, Microsoft and many antivirus vendors have issued the appropriate patches, but if you’re concerned that your PC or motherboard vendor hasn’t delivered the appropriate patch, you can also check Microsoft’s site.

Update 4-6-2018: How to find your motherboard’s Spectre CPU fix – Such a crucial patch should be much simpler to find – by Brad Chacos, Senior Editor, PCWorld – April 5, 2018

Operating system patches alone can protect against the nasty Meltdown flaw affecting Intel processors, but fixing Spectre — Meltdown’s nasty sibling, which affects all CPUs — requires firmware updates for your hardware. Those firmware fixes are finally available for all Intel processors scheduled to receive a fix, dating back to the Sandy Bridge (2nd-gen) era of Core processors from 2011.

Installing Spectre fixes aren’t so easy, though, especially if you’re using a computer you’ve built yourself, or one from a boutique PC builder that uses off-the-shelf parts. You can’t download CPU firmware patches directly from Intel or AMD; instead, you need to download them from your motherboard’s provider, such as Asus, Gigabyte, or ASRock. You’ll need to know your motherboard’s model number to find the correct firmware for your device, too, and Windows doesn’t make that easy to find.
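As an added example (not part of the PCWorld article or any vendor's tooling), the PowerShell function below gathers the motherboard model, BIOS version and running CPU microcode revision in one place, which is what a board vendor's download page asks for. The function name `Get-FirmwareLookupInfo` and the output property names are hypothetical; the CIM classes and registry values it reads are built into Windows.

```powershell
# Added example: read-only inventory of the identifiers needed to find the
# right BIOS/firmware download. Function and property names are illustrative.
function Get-FirmwareLookupInfo {
    $board = Get-CimInstance -ClassName Win32_BaseBoard
    $bios  = Get-CimInstance -ClassName Win32_BIOS
    $sys   = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu   = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Windows records the CPU microcode revision as an 8-byte binary value;
    # the revision number is the upper 32 bits (bytes 4-7, little-endian).
    $key   = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $toRev = {
        param($bytes)
        if ($bytes -is [byte[]] -and $bytes.Length -ge 8) {
            '0x{0:X}' -f [BitConverter]::ToUInt32($bytes, 4)
        } else {
            'unavailable'   # e.g. some virtual machines do not expose it
        }
    }

    [pscustomobject]@{
        SystemMaker       = $sys.Manufacturer      # prebuilt PC / laptop vendor
        SystemModel       = $sys.Model
        BoardMaker        = $board.Manufacturer    # motherboard vendor (self-built PCs)
        BoardModel        = $board.Product
        BoardRevision     = $board.Version
        BiosVersion       = $bios.SMBIOSBIOSVersion
        BiosReleaseDate   = $bios.ReleaseDate
        Processor         = $cpu.Name.Trim()
        # Revision the CPU is running now (may come from the BIOS or from Windows).
        MicrocodeRunning  = & $toRev $props.'Update Revision'
        # Revision present before Windows applied any update of its own
        # (normally the one the BIOS loaded).
        MicrocodePrevious = & $toRev $props.'Previous Update Revision'
    }
}

Get-FirmwareLookupInfo | Format-List
```

Compare `BiosVersion` and `BiosReleaseDate` with the newest entry on the vendor's support page for `BoardModel` (or `SystemModel` on a prebuilt PC). After flashing an update, run the function again and confirm that the BIOS version and microcode revision changed.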

 

Meltdown and Spectre — Intel vs AMD status

Jan 19, 2018
 

If you have a computer powered by an AMD processor, is your risk profile any different from someone with an Intel-powered PC? This Ars Technica article (January 18, 2018) summarizes the situation: “Meltdown and Spectre: Good news for AMD users, (more) bad news for Intel.”

Windows patches are fixed, but microcode updates are causing even more trouble.

Microsoft’s patches now work with newer and older AMD systems.

If you’re unfortunate enough to have installed the previous, bad update and now have a system that crashes on startup, you’ll still have to roll back the bad update before you can install the new one.

But Intel’s firmware patches remain an issue for several generations of their processors (something that will perplex the typical PC user).

The short article concludes with a perspective on what action really is practical for most of us with older PCs.

What this means is that if you’re lucky enough to have a system that is still being supported with firmware updates from its manufacturer—because let’s be honest: good luck getting any firmware updates for any consumer PC or motherboard that’s more than about 18 months old—you probably shouldn’t install the firmware anyway. Unless, that is, you’re in a high risk category such as a cloud host or VPS provider, in which case you’ll just have to install it anyway, because the consequences of not upgrading are probably worse than the consequences of upgrading.

Patches for Spectre — impact on your iPhone?

Jan 17, 2018
 

Much in the media still about global computer security vulnerabilities Meltdown and Spectre. Apple, among other companies, released patches to mitigate the risks. This PC World article (January 16, 2018) summarizes the situation for Apple’s mobile devices — your iPhone: “Apple’s iOS 11.2.2 Spectre patch probably won’t slow down your iPhone, but here’s what to do if it does.”

Last week Apple pushed out iOS 11.2.2, which seeks to mitigate the risks associated with the Spectre chip flaw via a security update to Safari and Webkit. Since a Spectre attacker is most likely to attack your system via a Javascript vulnerability, Apple has addressed the issue in iOS 11.2.2 to make your system more secure.

The patch doesn’t actually fix the issue, however, and it’s unlikely Apple will ever release an iOS update that will. While researchers and programmers are actively working on ways to reduce the likelihood that your iPhone will ever be exploited using the Spectre flaws, Apple and others have made it clear that these are merely mitigations and not outright fixes.

We tested an iPhone 6 with an original battery both before and after installing iOS 11.2.2, and the results were much more in line with what Apple told us. … That’s roughly a 2.5-percent performance hit …

If your iPhone’s performance feels different, the article recommends:

  • Restarting
  • Checking storage
  • Resetting Safari’s cache
  • (Temporarily) disabling Javascript
  • Checking the battery for possible replacement

Jan 05, 2018
 

Much in the media this week about an industry-wide problem with all devices using Intel processors — CPU chips, and perhaps those from other manufacturers as well. A security vulnerability: Meltdown and Spectre. It’s like Dorothy, the Tin Man and the Scarecrow walking through the dark forest in the 1939 classic The Wizard of Oz and chanting “Lions and tigers and bears, oh my!”

PC World’s been covering this situation with a bunch of articles. Here’re a few links:

Massive security vulnerabilities in modern CPUs are forcing a redesign of the kernel software at the heart of all major operating systems. Since the issues—dubbed Meltdown and Spectre—exist in the CPU hardware itself, Windows, Linux, Android, macOS, iOS, Chromebooks, and other operating systems all need to protect against it. And worse, plugging the hole can negatively affect your PC’s performance.

Everyday home users shouldn’t panic too much though. Just apply all available updates and keep your antivirus software vigilant, as ever. If you want to dive right into the action without all the background information, we’ve also created a focused guide on how to protect your PC against Meltdown and Spectre.[1]

Intel said the patches for the CPU vulnerability, due next week, would bring a negligible performance hit to the average user. Claiming that the patches can make PCs “immune” from the vulnerabilities is a first, though.

Intel may have dominated most of the news surrounding the kernel bug in processors, but it’s not just Windows and Macs that are at risk. In addition to Meltdown, there is also a “branch target injection” bug called Spectre that affects mobile ARM processors found in iOS and Android phones, tablets, and other devices that could also expose your data. Here’s everything we know about it so far.

We’ve been waiting to hear from Apple ever since we first heard about the far-reaching Meltdown and Spectre CPU flaws earlier this week, and the company has finally responded with some not-so-good news: All Mac and iOS devices are affected. That’s right, all of them. However, Apple ensures us there’s no reason to panic.

So, the bottom line is that this vulnerability is serious. Lots of manufacturers of the hardware and software that make your devices run are working on the fixes. Some patches already have been released. So, just be ready for the updates. It’ll take time for everything to settle down. The major concern is impact on performance. Ironically, the vulnerabilities were a result of long-standing techniques to improve performance. As PC World stated:

“We feel your pain. But security trumps performance, so we’d rather our PCs be a little slower than exposed to hackers.”

In summary:

  • Update your operating system
  • Check for firmware updates
  • Update your browser
  • Keep your antivirus active

 

[1] That PC World article notes that:

  • Microsoft pushed out an emergency Windows patch [Windows 10 ‘1709’ edition KB4056892 patch] late in the day on January 3.
  • Apple quietly worked Meltdown protections into macOS High Sierra 10.13.2, which released in December. [Also iOS 11.2.]
  • Intel also released a detection tool that can help you determine whether you need a firmware update.
  • The major PC web browsers have all issued updates as a first line of defense against nefarious websites seeking to exploit the CPU flaw with Javascript.
  • The Google researchers who discovered the CPU flaws say that traditional antivirus wouldn’t be able to detect a Meltdown or Spectre attack. But attackers need to be able to inject and run malicious code on your PC to take advantage of the exploits. Keeping security software installed and vigilant helps keep hackers and malware off your computer.

UPDATE: I haven’t tried Intel’s detection tool, but today (January 17, 2018) Senior Editor Brad Chacos at PC World published an article about a 3rd-party tool which checks whether your system has been patched to protect against the flaws: “Is your PC vulnerable to Meltdown and Spectre CPU exploits? InSpectre tells you.”

Gibson Research recently released InSpectre, a wonderfully named, dead simple tool that detects if your PC is vulnerable to Meltdown and Spectre.

InSpectre is a small 122 KB program that doesn’t need a formal install and scans your computer for Meltdown and Spectre susceptibility in mere milliseconds. When it’s done, the program pops up with clear, easy-to-read information about the security status of your system.

This is the sort of software Microsoft or Intel should have released to help clarify the murky, convoluted patching situation around this devastating duo of CPU exploits.

Personally, I’ll wait for these tools to evolve further.