'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign

Discussion in 'other security issues & news' started by Minimalist, Jan 2, 2018.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks. My newer Dell and ThinkPad laptops were already updated on the 29th and 27th of December respectively. :)
     
  2. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Thanks paulderdash, I have read your edit now - interesting.
    Plus this morning I finally received an answer from Zemana -

    Thanks for your help guys @daman1, @paulderdash, @plingman, I can now get on and add the registry edit, and go from there.
     
    Last edited: Jan 10, 2018
  3. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    I have been trying to enable mitigation against CVE-2017-5715 and CVE-2017-5754 on my Windows 10 laptop by adding the registry keys discussed here:

    https://support.microsoft.com/help/4073119

    Two REG_DWORD keys are created at:

    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"

    They are:

    FeatureSettingsOverride
    FeatureSettingsOverrideMask

    This is supposed to work as follows:

    bit 0 of FeatureSettingsOverride toggles mitigation against CVE-2017-5715 (branch target injection) on/off (0 = enable, 1 = disable)
    bit 1 of FeatureSettingsOverride toggles mitigation against CVE-2017-5754 (rogue data cache load) on/off (0 = enable, 1 = disable)

    So setting FeatureSettingsOverride to 3 (binary 11) should enable mitigation against both.

    Using this key I am able to successfully toggle bit 1 off/on and enable/disable mitigation against CVE-2017-5754 (using SpecuCheck to test).

    However, toggling bit 0 on/off doesn't enable/disable mitigation against CVE-2017-5754.

    I am not sure what the mask does so it is set at 3 as in the Microsoft article.

    I am not sure what is wrong. Might be me. Might be Microsoft.

    Edit.

    It seems these keys are only needed if you want to disable mitigation. By default, when the keys are not present mitigation should be enabled.

    However, for me there is some other reason why mitigation against CVE-2017-5754 isn't being enabled. I have CPU and policy/registry support but I can't enable it. See picture.

    specuckeck.JPG
     
    Last edited: Jan 10, 2018
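
    A read-only audit of the two registry values from the post above, as an added example that is not part of the original post and is not Microsoft's code. The function names `Get-OverrideValue` and `Get-MitigationOverride` are hypothetical, the bit meanings are taken from the post, and treating the mask as the selector for which override bits are honoured is an assumption. The output shows only what the registry requests, not whether the mitigation is active.

```powershell
# Added example: decodes FeatureSettingsOverride / FeatureSettingsOverrideMask.
# Reads the registry only; nothing is written.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Bit meanings as given in the post (0 = mitigation enabled, 1 = disabled).
$mitigations = @(
    @{ Bit = 0; Name = 'CVE-2017-5715 (branch target injection)' },
    @{ Bit = 1; Name = 'CVE-2017-5754 (rogue data cache load)' }
)

function Get-OverrideValue {
    param([string]$Name)
    # Returns $null when the value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-MitigationOverride {
    param($Override, $Mask)
    foreach ($m in $mitigations) {
        $flag = 1 -shl $m.Bit
        if ($null -eq $Override -or $null -eq $Mask) {
            # Per the post's edit: no values present means the OS default applies.
            $state = 'no override (OS default)'
        } elseif (($Mask -band $flag) -eq 0) {
            # Assumption: a bit counts only when the same bit is set in the mask.
            $state = 'bit not selected by mask (OS default)'
        } elseif (($Override -band $flag) -ne 0) {
            $state = 'disable requested'
        } else {
            $state = 'enable requested'
        }
        [pscustomobject]@{ Bit = $m.Bit; Mitigation = $m.Name; Override = $state }
    }
}

# Live values from this machine.
$live = Get-MitigationOverride (Get-OverrideValue 'FeatureSettingsOverride') `
                               (Get-OverrideValue 'FeatureSettingsOverrideMask')
$live | Format-Table -AutoSize

# Constructed sample values: override 2 (binary 10) with mask 3 (binary 11).
Get-MitigationOverride -Override 2 -Mask 3 | Format-Table -AutoSize
```

    Compare the result with what SpecuCheck reports: a mitigation that the registry leaves enabled can still be inactive for other reasons, such as missing microcode support.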
  4. mary7

    mary7 Registered Member

    Joined:
    Oct 17, 2017
    Posts:
    57
    Location:
    Italy
    Hi,

    I have used the microcode update for my Pentium B960 CPU, and in the Event Viewer it is written: "No CPUs needed an update".
     
  5. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    The B960 isn't on Intel's list of processors which are affected as far as I can see (which is good news).
    If that is the case you don't need the microcode, so uninstall it and delete the service that calls it at startup.
     
  6. mary7

    mary7 Registered Member

    Joined:
    Oct 17, 2017
    Posts:
    57
    Location:
    Italy
    Yes, it isn't in that list of affected CPUs, but it was one of the listed CPUs for the microcode on https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?v=t

    I have uninstalled the microcode update and deleted the service. So do I have to update the microcode of my other two computers? One is the Celeron N3060 (affected) and the other is the Pentium G3260 (not affected), but both are in the list on the Intel download center. Or do I have to wait for a BIOS update for the PC with the Celeron N3060?

    Stress
     
  7. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    I have the same CPU and it is certainly affected by Spectre, because I tested this CPU using PoC (proof of concept). I don't know whether it is affected by Meltdown.

    Don't stress. For now follow other security advice (update the system to fix other vulnerabilities, use NoScript or at least an ad blocker, and so on) and it should be enough for some time.
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Attempting not to stress(!). Is it your understanding that the microcode updates will be rolled out by the Windows or Linux distributions in due course (IOW, I just have to be patient)? At least the recent Windows 7 roll-up patch did not include the microcode update for a supported processor in the current Intel list.

    Given that Spectre is likely to run and run, I would guess we're likely to be facing repeated open-heart surgery for some while.

    I think my main concern is actually guest-guest isolation in VMware and VirtualBox. It's somewhat hard to see how this could be exploited, but from what I understand, some form of Spectre vulnerability could presumably enumerate the running virtual machines from the hypervisor process, and then, assuming it knew or could find out what was running in each VM process (which is userland as I understand it), and had an exploit for that, it could potentially have access to both kernel and user process RAM in that virtual machine. I think this would be a high-value tailored attack, but you never know where automation is going to go. Anyway, early days, and I'm acutely aware I don't understand nearly enough!

    For sure, I'll be taking additional steps to harden the guests in various ways (including RBAC/Firejail/Sandboxie restricting internet access for those processes that don't require it, so that exfiltration fails; and the measures you describe for internet facing apps which can run code).
     
  9. plat1098

    plat1098 Guest

    I have an older Haswell Skylake processor that's virtually guaranteed to suffer when the Spectre flaw will have the first microcode applied via BIOS update. Lenovo hasn't provided this yet. All the available updates were applied to my vulnerable machines and I use ad-blockers in secured browsers. What more can you do? Frankly, I'm a little concerned about the potential reduction in CPU performance. From what I understand, it's going to be significant. When updates for Meltdown came out, the effects were negligible to none.
     
    Last edited by a moderator: Jan 10, 2018
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "More details emerge on how much Meltdown and Spectre patches will slow down your PC...

    According to Microsoft, those using Windows 10 along with Skylake or newer Intel processors experience “single-digit slowdowns”, meaning less than 10%...

    ...[T]hose running Windows 10 with older Intel processors (Haswell, which is 4th-gen, or older) will experience more significant slowdowns, and 'some users will notice a decrease in system performance'.

    Finally, Microsoft observes that in the case of those running older CPUs (Haswell or previous) along with an older OS – i.e. Windows 7 or Windows 8 – it expects 'most users to notice a decrease in system performance'..."

    http://www.techradar.com/news/more-...wn-and-spectre-patches-will-slow-down-your-pc
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I suspect this is due to the use of the VMware driver to simulate the microcode update. In other words, some will actually have to wait for an actual BIOS update for it to be enabled by the Win OS.
     
  12. boombastik

    boombastik Registered Member

    Joined:
    Oct 7, 2010
    Posts:
    272
    Location:
    Greece
    First of all, Windows patches two attacks.

    1) Rogue data cache load.
    This is patched in software and you are OK to go.
    If your CPU is Haswell and newer, Windows also activates the PCID performance optimization and the performance hit is smaller. I know that the X58 socket Westmere Xeon has support for PCID but Windows doesn't activate it, as I think it is not as good as on newer CPUs.

    2) Branch target injection.
    This needs a software and a firmware update to work as intended.
    The OS has already patched this, but to work for all variants you also need a CPU microcode update.

    The only microcodes that Intel has released are these:

    Intel has released all these microcodes for this until now:
    sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
    sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
    sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
    sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
    sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
    sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
    sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
    sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
    sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
    sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304

    I personally modded my BIOS with Haswell microcode 23; it is buggy and I returned to 22.


    The VMware driver that simulates the microcode update doesn't work for this security patch because it is too slow when loading.
    Generally the microcode patched in by the OS offers fewer bug fixes than the BIOS microcode; it is not the same.
     
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    I tried updating 2 PCs with the VMware driver, a Core2Duo and a first gen i3. Both are listed on the Intel 20180108 microcode page. For the i3, logs show microcode update is not needed. For the C2D, it shows successfully updated, however SpecuCheck still shows "disabled due to Lack of Microcode Update = yes".


    Working PoC against an Intel SGX enclave:
    https://github.com/lsds/spectre-attack-sgx

    I don't think Windows will roll out microcode updates (except for MS's own hardware like Surface). You're dependent on whether your manufacturer will provide a BIOS update.
    (Or perhaps it can be done through the VMware driver or potentially some other tool developed in the future.)

    Yes, hypervisors are also affected, see for example Xen Security Advisory.
    https://xenbits.xen.org/xsa/advisory-254.html
     
  14. guest

    guest Guest

    Ashampoo blog-entry: Meltdown and Spectre: the great processor disaster

    Ashampoo® Spectre Meltdown CPU Checker
    January 10, 2018
    Ashampoo Spectre Meltdown CPU Checker
    https://www.ghacks.net/2018/01/15/ashampoo-spectre-meltdown-cpu-checker/
    Warning: This tool changes the PowerShell execution policy of "CurrentUser" to "Bypass" and doesn't change it back to the previous setting (maybe it will be fixed with a newer version, but I haven't checked it yet with the latest version [v1.1.1]). It is preferred to set it to "Default" ("Restricted" is the default):
    Code:
    (Powershell with Administrator privileges)
    To see the ExecutionPolicy:
    Get-ExecutionPolicy -list
    If CurrentUser is shown as "Bypass", it should be changed:
    Set-ExecutionPolicy -ExecutionPolicy Default -Scope CurrentUser
    
     
    Last edited by a moderator: Jan 15, 2018
  15. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Thanks - I'm a bit perplexed if Windows can't roll out microcode updates since Linux can, and Intel has admitted BIOS upgrade ain't practical. As you say, we may get utilities or the VMware driver might work. I'm not sure I'll ever get a BIOS upgrade.

    I've been looking at VMware Workstation regarding their updates, I think they're in a slightly different position to Xen as a type-2 hypervisor. Fairly professional response from them so far, though I think the story has a long way to go, particularly for things like Tools.
     
  16. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    Is there an Intel schedule for a fix?
     
  17. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    If you are advocating that, you are a security expert.
    That is definitely the way to go online and keep everything else on an offline computer. If they want our private data so bad, make them work for it.
     
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers

    Ubuntu Xenial 16.04 users who updated to receive the Meltdown and Spectre patches are reporting they are unable to boot their systems and have been forced to roll back to an earlier Linux kernel image.

    The issues were reported by a large number of users on the Ubuntu forums, Ubuntu's Launchpad bug tracker, and Reddit thread. Only Ubuntu users running the Xenial 16.04 series appear to be affected..."

    https://www.bleepingcomputer.com/ne...using-boot-issues-for-ubuntu-16-04-computers/
     
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
  20. plat1098

    plat1098 Guest

    Yeah, I checked again for the other one--Skylake i7 6700k-- like it was via PowerShell in post 278. Speaking of which, I have "block powershell .exe" enabled in OSArmor so this CPU checker is stopped unless OSA is disabled. Oh well, curiosity gets the better of you sometimes. :rolleyes:
    cpu vuln.PNG
     
  21. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    Microsoft could patch the microcode if they wanted to. They have done in the past. There may be further updates to Windows so we'll see. Unfortunately the VMware driver doesn't help as it is. I have tried changing it to load earlier when Windows boots but I have not got it to work yet.
     
  22. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Thanks. Well, if MS don't patch with the available microcode, and Intel can't be bothered to update the BIOS on a 7yo mobo, then I'll be switching to a Linux host, which I was planning anyway.

    But only when the dust settles, I'm not rushing into this given the understandable level of BSOD we're seeing.
     
  23. mary7

    mary7 Registered Member

    Joined:
    Oct 17, 2017
    Posts:
    57
    Location:
    Italy
    The PC with the Pentium B960 CPU shows as vulnerable to Spectre with Ashampoo, so why isn't it in the Intel list of affected CPUs?
     
  24. plat1098

    plat1098 Guest

    On the older machine I was VERY concerned about drastic CPU downgrades with any upcoming updates for the Spectre flaw:

    spectre haswell.PNG

    SPEC POWERSHELL.PNG

    I ran two different tools to crosscheck results. So, I'm still concerned for the multitudes, particularly affected by the AMD/BSOD issue. But understandably, this is a real relief. Never hurts to double check.
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    WOW !!:thumb:

    What is the OS and the Hardware of your PC?
     