Tag Archives: Spectre

Meltdown and Spectre – The Next Chapter

Meltdown and Spectre, the twin vulnerabilities affecting Intel and many other processors, have been a moving target.  Patches were followed by “unpatches” when those patches caused computers to reboot randomly.  Then there were the software patches that slowed down computers by 5% to 30%.

The process of mitigating these vulnerabilities has been way more complicated than we usually see.  But there is hope.

So what can you do?  Here are some answers –

First a tool – a free tool – to see what patches have been installed.  Google (or any other search tool) “INSPECTRE”.  Look for the entry from Gibson Research Corp at GRC.Com – in Google it is usually the first entry.  Download it and it will tell you, in English, if you are vulnerable or protected.

For Meltdown, there is a simple Windows (and other OS) patch that vendors have released.  Install the patch, run Inspectre to test and you are safe from Meltdown.

Spectre is the bad boy.

The problem that Spectre exploits is a decision that Intel and others made two decades ago.  It isn’t so much a bug as a design decision that had unanticipated side effects.  What this means is that fixing it means fixing the firmware inside the chip itself.

There are several variants of Spectre, some worse than others.  Intel has released patches for almost all of their chips, but getting them installed is the challenge.  These patches to the chip usually require you to get a very specific patch for your model of computer from the computer’s manufacturer.

But there is some good news. 

Intel just announced that they will be selling a new “generation” of the chip later this year with the firmware patch already in place.  It appears a bit confusing at this point because they are 8th generation chips, but 8th generation chips without the patch started shipping last year. But, they will be shipping new versions of the 8th generation processors (what they will be called is not clear) that come with patches already installed (see announcement here).

But more exciting is the fact that Microsoft has started releasing patches to fix the firmware inside the chips.  Turns out Windows has always been able to do this but due to the hundreds of chips that Intel has released, Microsoft rarely if ever releases a patch that uses this capability.  This is an exception.

Microsoft has released a fix, KB4090007, but there is a catch.  Of course.

First, the patch only works if you are running Windows 10 and only if you are running the Windows 10 Fall Creators Update.  I guess that is to entice you to upgrade.

Second, you have to go find the patch and download it.  It will NOT be coming to a Windows Update near you any time soon.

Finally, it only patches certain select chips listed in the article behind the KB link above.  You need to know the chip model you are running.  Luckily, the newest version of Inspectre will tell you that information.  Then you can go to the knowledge base article linked above to see if your chip is one that Microsoft can patch.  If it is, manually download the patch and install it.  Once done, the Inspectre software should show that you are protected.
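The three conditions above can be checked from a PowerShell prompt before you go hunting for the download. This is an added example, not part of the original post or any Microsoft tooling; the function name and the `$SupportedCpuPatterns` placeholder are hypothetical, and it assumes that build 16299 identifies the Fall Creators Update and that the registry values `Update Revision` and `Previous Update Revision` hold the running and BIOS-loaded microcode revisions.

```powershell
# Added example: prerequisite check for the KB4090007 microcode update.
# Placeholder list: copy the CPU model strings from the KB article yourself.
$SupportedCpuPatterns = @('<CPU-MODEL-FROM-KB-ARTICLE>')
$FallCreatorsBuild    = '16299'   # assumption: Windows 10 version 1709

function Test-MicrocodePatchReadiness {   # hypothetical helper name
    param(
        [string]$OsCaption, [string]$OsBuild, [string]$CpuName,
        [string[]]$InstalledHotfixIds, [string[]]$CpuPatterns
    )
    # Case-insensitive substring match of the CPU name against the KB list.
    $cpuListed = $false
    foreach ($p in $CpuPatterns) {
        if ($CpuName.IndexOf($p, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $cpuListed = $true
        }
    }
    [pscustomobject]@{
        Cpu            = $CpuName
        IsWindows10    = $OsCaption -like '*Windows 10*'
        IsFallCreators = $OsBuild -eq $FallCreatorsBuild
        CpuInKbList    = $cpuListed
        KbInstalled    = $InstalledHotfixIds -contains 'KB4090007'
    }
}

function Get-MicrocodeRevision {          # hypothetical helper name
    # Assumption: 'Update Revision' is the microcode running now and
    # 'Previous Update Revision' is what the BIOS loaded at boot.
    $key = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    $reg = Get-ItemProperty -Path $key
    $toHex = { param($b) ($b | ForEach-Object { $_.ToString('x2') }) -join '' }
    $running  = & $toHex $reg.'Update Revision'
    $fromBios = & $toHex $reg.'Previous Update Revision'
    [pscustomobject]@{
        Running           = $running
        FromBios          = $fromBios
        OsLoadedMicrocode = ($running -ne '') -and ($running -ne $fromBios)
    }
}

$os  = Get-CimInstance Win32_OperatingSystem
$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
Test-MicrocodePatchReadiness -OsCaption $os.Caption -OsBuild $os.BuildNumber `
    -CpuName $cpu.Name -InstalledHotfixIds (Get-HotFix).HotFixID `
    -CpuPatterns $SupportedCpuPatterns
Get-MicrocodeRevision
```

If `KbInstalled` is true but `OsLoadedMicrocode` is false after a reboot, Windows did not load newer microcode than the BIOS already had, so confirm with InSpectre before assuming you are protected.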

Microsoft is supposed to be adding more chips to the list over time and hopefully, will create a fix for Windows 8 and Windows 7, since both of these are supposedly still supported.  Just not yet.  Second class citizens.

Not simple and not complete, but it is progress.


The Challenge of Meltdown and Spectre

The twin bugs of Meltdown and Spectre are a once in a career event for security pros.

Most bugs are found quickly – these have been around for 20+ years.

Most bugs affect one hardware platform like Intel or AMD or are not related to any specific hardware device.  Spectre affects every modern computing processor from the highest end Intel chip to the ARM chips powering all phones.

Most bugs affect one operating system such as Windows or iOS.  These bugs affect Windows, MacOS, Linux and other operating systems.

Finally, most bugs are relatively easily fixed once they are found.  Spectre requires, basically, new chip designs to truly fix it.

Worse yet, researchers wrote about these problems in 1992.  At the time people figured this was too hard to exploit so no one would try.  We have already seen proof of concept exploits on the web.

In general, the Meltdown bug is fixable in software;  to completely fix Spectre requires changes to the hardware, but software changes will make exploiting Spectre more difficult.

I am pretty diligent about applying patches, so I figured I was protected at least against Meltdown and possibly against Spectre.

Today I installed InSpectre (available at https://www.grc.com/inspectre.htm).  After running it, I received this message (note there is a lot of explanatory commentary when you scroll down):

I was pretty surprised.

I checked to see if I had any pending updates and I did not.  I looked at the updates that had been installed and the January cumulative update had not been installed, but I could not see any reason why.

I eventually did find a link to download it manually and was able to install it.  The install went perfectly and did not exhibit any of the negative symptoms (like a blue screen of death) that some users had experienced early on.

After installing the patch, I ran InSpectre again and got this message:

So I guess I am making progress, but it is not complete.

This utility, written by long-time security industry expert Steve Gibson, is free on his web site; you might want to see if you are really protected.  Or not.

 


Is Turnabout Fair Play?

Tech Crunch is reporting that Intel told customers about the Meltdown and Spectre flaws before the public announcement, but they did not tell the U.S. Government about it.

Most of the time, it is the other way around.  The U.S. Government knows about a flaw but doesn’t tell the company who can do something about it.

One kind of strange twist to this is that, apparently, they did tell some Chinese customers, who likely did tell the Chinese government about it.

There certainly is no law that requires them to tell the U.S. Government about the flaw, ever.  Just like there is no law that requires the U.S. Government to tell Intel about any flaws that it knows about.

Still, it seems odd that they would opt to tell a Chinese company (likely a large OEM, maybe Lenovo?) and not tell Homeland Security.

They claimed that they were unable to tell everyone they planned to tell because the news leaked early.

Just to be clear – they knew about the problem since June.  They PLANNED to announce the bug on January 9th, but it was leaked on January 3rd.

This means that even if they did plan to tell the Feds about the “issue”, they didn’t plan to tell them in enough time to do anything about it.  Intel declined to say who they did tell about the bug or who they were planning to tell about it.

There is another part to this story, however.

There was a research paper published about this flaw in 1992.  That would be 26 years ago for those who are not good at math.  There was another paper on the subject around 1995. The NSA is VERY good at reading research and figuring out if they can exploit it.  That is what they are supposed to do and even though people like to complain about them, they are pretty damn good.  Maybe not perfect, but VERY, VERY good.

SO, an argument could be made, but not proven, that (a) the NSA and maybe other parts of the government knew about this flaw, (b) other governments, friendly and not so friendly knew about it and (c) some of them might have been selectively exploiting it.  For possibly, up to 25 years.  Even if the various governments who are likely to have known about it (Russia, China, Israel, U.S. and others) denied that they knew about it, would you believe them?  After all, lying is part of their business also.

For Intel, this is just more bad news to tarnish their reputation, although it doesn’t seem to be hurting their stock price at the moment.

Still, with AMD about to release their Ryzen Threadripper 2 later this year, which is supposed to be much faster than the new Intel i9 at less than half the price, they don’t really need any more good news.

Who said there was no such thing as bad publicity?  That person might want to talk to Intel and see if they agree.

Information for this post came from Tech Crunch.

 


Processor Security Flaw Keeps Morphing

Last week news was leaked of a problem with Intel processors built since 1995.  The problem – they could be hacked to possibly leak important stuff like all of your passwords.

It then came out that Microsoft and the Linux community were building patches and they would be released soon.

Apple said that they released a patch for the flaw in mid December.  Wait.  No.  Only for part of the flaw.  New patch now.

But the bug also impacts AMD processors – at least some of them.

And ARM processors, like on your cell phone.

Oh, yeah, today Apple released a patch for iPhones.

And now Microsoft is halting the distribution of the patch on computers that have AMD processors in them because AMD gave them bad technical specs and if you install the patch on one of those computers they turn into a really, really, expensive brick.

The good news is that people think this flaw, which has been around for 22 years (and likely already exploited by state sponsored hackers), is relatively hard to exploit.  Until some hacker posts sample code on the Internet.

The industry is not used to such an all encompassing problem.  I can’t recall this EVER happening in my career.  Cross chip and cross operating system – that is a once in a lifetime event.

Also, there are patches being released to applications like Safari and Firefox and many others.

There is no simple answer, but it is getting sorted out.  Give it a week, maybe two tops and I think it will settle down.  There are a LOT of moving parts here.

Information for this post came from Reuters and Betanews.

 
