'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign

Discussion in 'other security issues & news' started by Minimalist, Jan 2, 2018.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    A new version of GRC's InSpectre was released on "Apr 21, 2019 at 13:59"
    https://www.grc.com/inspectre.htm
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Hmm strange, was already released more than a year earlier:
    https://www.wilderssecurity.com/thr...-windows-redesign.399338/page-43#post-2750609

    Intel did release microcode updates for Sandy Bridge, and afaik Windows 10 did as well, though at a later time. Your CPU microcode version could be still at 0x2D(only original Spectre protection), or 0x2E(also SSBD). 0x2F protects against MDS. You can check microcode revision with CPU-Z.
    EDIT: I see in the screenshot from the second tool that your Microcode is still 0x2D.
    I also discovered that Windows does not enable systemwide SSBD protection on AMD and Intel by default:
    https://support.microsoft.com/en-us...ive-execution-side-channel-vulnerabilities-in
     
    Last edited: May 24, 2019
  3. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    It's got the same version number, but the installer is dated April 21 of this year.
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Ah yes, you're correct. I ran it, it still said Version 8, and also still only checks for original Spectre and Meltdown, not newer vulnerabilities.
     
  5. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    I am aware that MS doesn't enable the SSBD mitigation by default, that is why I implemented the registry changes. I was hoping they would take care of it. I was not aware of how to decipher the microcode hex digits, so thank you for that. However, I have applied all windows updates to date, so I don't know why my microcode is 0x2D and not 0x2E?!?! Any suggestions?
     
    Last edited: May 24, 2019
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Perhaps that update is not automatically distributed. They did release that microcode for 1809. Here's an article with manual download links:
    https://www.tenforums.com/windows-10-news/122479-kb4465065-intel-microcode-updates-windows-10-v1809-april-5-a.html

    EDIT: Yes, it is a standalone update:
    https://support.microsoft.com/en-us/help/4465065/kb4465065-intel-microcode-updates
     
    Last edited: May 24, 2019
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
  8. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    Yes, that is what I understood, as well. So, I will have to wait on MS before I can get the 0x2F microcode update.

    I followed the link you provided for the standalone update to 0x2E and applied it. Upon reboot, I got a BSOD, and then after Windows rebooted, I successfully logged in and confirmed that 0x2E has been applied and SSBD is now mitigated. So, except for the BSOD, thanks a lot for that small victory!

    I'm not sure why 0x2E didn't get applied with any previous automatic Windows updates. My PC experienced another BSOD with a recent automatic cumulative windows update (KB4494441, I believe) and when I ran both crashes through WhoCrashed, it identified the HAL as the culprit. Perhaps, the blue screens have something to do with the microcode updates not getting applied?

    Blue screens give me the format and reinstall itch. Now that 1903 is out, I may give it serious consideration once I know it's stability has been proven in the wild.

    Also, I wonder what the consensus is on keeping hyperthreading enabled or disabled. Google decided to disable it on all Chromebooks.
     
    Last edited: May 25, 2019
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Nice. I hope MS will also supply Sandy Bridge microcode updates, so far Ivy Bridge is the oldest I see, but afaik with the original Spectre microcode updates, they added older CPU's later.
    Sorry, can't help with that. I only know with HAL it might be a hardware or driver issue.
    If you want complete protection, you need to disable it. Not only for these specific attacks, but also possible future sidechannel attacks. That is why OpenBSD already disabled it back in June, and Qubes OS a few months later. Most OS'es don't do it by default because of possible performance degradation. A lot of news articles are quoting possible 40% degradation, but not linking to sources. I have read this 40% claim before and that was the maximum possible degradation for very specific scenario's. I've also read that hyperthreading doesn't matter much in most normal uses cases, and in some cases using hyperthreading may even lead to less performance. My Windows machine has an Ivy Bridge i5 without hyperthreading, so I can't compare it. I have disabled hyperthreading on my Qubes OS machine, even though you might expect hyperthreading to be benificial with quite a few VM's running simultaneously, I did not notice any difference.
     
  10. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    That sounds encouraging. I think I will give it a test drive. Do you know how to confirm in Windows (or using some other tool) that hyperthreading has been disabled.
     
    Last edited: May 26, 2019
  11. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
  12. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    I just disabled HT and can confirm that you can simply look at CPU on the Performance tab of Task Manager to see that the number of Logical processors = Cores when HT is disabled.

    Now, it is just a matter of seeing whether I can stand the performance hit.
     
  13. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    For what it's worth, this Apple Support article Additional mitigations for speculative execution vulnerabilities in Intel CPUs also restates / confirms the "up to 40%" degradation metric...
    But I suspect you are correct, that is only on very specialized highly multi-threading dependent workloads and applications where you would see anywhere near that degree of performance degradation. However, even a more conservative estimate of an average performance degradation on general compute tasks of 5-10% could be seen as a fairly sizable hit by many. Of course, for others, just checking email and browsing a few websites... it likely won't matter at all.
     
    Last edited: May 31, 2019
  14. guest

    guest Guest

    Older Windows 10 Versions Get Intel Microcode Updates for MDS Vulns
    June 3, 2019
    https://www.bleepingcomputer.com/ne...ns-get-intel-microcode-updates-for-mds-vulns/
     
    Last edited by a moderator: Jun 4, 2019
  15. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Actually, those were already released May 14.

    Yeah I'm still waiting on that too. I'm hoping at least next week with the June updates.
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    I just received the new microcode through a BIOS update from HP. These are my new results:
    CPU mds tool.png CPU powershell.png
    I wonder if Windows users can enable the user pointer sanitization mitigation manually or if MS did not release that at all.
     
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Windows update on 1809 is now offering me KB4465065, which according to the Summary of intel microcode updates page from MS, contains microcode updates for SSBD/L1TF, which was previously only a standalone update. However, when I look it up (https://www.catalog.update.microsoft.com/Search.aspx?q=4465065), it shows the latest version is dated the 11th of June, so this might be the latest microcodes with migitations for Microarchitectural Data Sampling.
     
  19. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    I tried the patch, but my system claims it is already installed, and MDS is still showing unpatched. Also, the Summary of Intel microcode updates page from MS hasn't been updated since May 14th.
     
  20. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    On the other hand, the Summary page is out of date anyway since it still says that KB4465065 is not distributed through Windows update, and the MDS microcodes already released for older Windows 10 versions don't include Sandy Bridge.
     
  21. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
  22. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    Nothing for Sandy Bridge :(
     
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
  24. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    They should support older generations such as Sandy Bridge until they release fully fixed processors. What they are thinking? Are they thinking it is ok to force security-conscious customers to buy current gen processors, that are known to be vulnerable?
     
  25. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    No one's forcing you to buy intel :D , the new amd 3000 ryzen cpus are looking pretty damn good and are less affected by the various vulnerabilities as far as I've read (tho don't take my word for it)

    The new 3200G with 4c/4t is starting at only $99 - https://www.pcgamer.com/amd-ryzen-3000-release-date-price-specs/
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.