'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign

Discussion in 'other security issues & news' started by Minimalist, Jan 2, 2018.

  1. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    502
    Location:
    Member state of European Union
    NoScript is good for blocking Javascript.
    On websites usually there are scripts downloaded from website domain and 3-rd party domain. Usually allowing scripts from the same domain + trusted 3rd-party domains containing commonly used libraries (example: code.jquery.com) gives quite good protection against malicious and tracking scripts.
    If trusted site is infected for some time and even scripts from the same domain are malicious (example: Watering hole attack) then yes, probably most NoScript users would not block that script, but this scenario is rarely the case.
    Vast majority of attacks on browsers are from untrusted sites, cracked/powned advertising servers. Even non-perfect use of NoScript is going to block these attacks.
     
  2. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    580
    Location:
    UK
    This does work on Home edition.

    The two keys in this article are the same as the first two for a Server. There is a third key for the server that isn't needed.

    If these keys are not present or if they AND to 00 then both mitigations are applied. You can add the keys to turn off either one or both mitigations as @WildByDesign has done.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,472
    Location:
    Toronto, Canada
    So you could do something such as: 01 or 10
    Is this correct? I wasn't sure about the ability to control one or both mitigations. That would be great.
    Do both mitigations utilize the microcode?

    I will have to play with these settings and see how it all shows up in SpecuCheck. :)
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    5,836
    Location:
    Among the gum trees
    I've seen this Start Menu bug much more often since the latest patch on two of my Win10 x64 1709 machines.

    Glad to see Microsoft are consistently fixing things until they break.
     
  5. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    705
    Same here. My computer is older than the Rolling Stones.:argh:
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,050
    Location:
    Outer space
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,472
    Location:
    Toronto, Canada
    @paulderdash and any other users experiencing WHEA hardware errors in event viewer, random reboots and significant performance impacts regarding Intel Broadwell and Haswell CPUs (https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/) due to Intel microcode update. I've got a better and more important recommendation thanks to @pling_man suggestion.

    Instead of (to disable microcode hardware mitigation):
    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
    
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    I suggest changing the "3" to "1" (in theory, 01 bitmask) for FeatureSettingsOverride registry option. This ensures that the Kernel VA Shadowing remains Enabled for CVE-2017-5754 [rogue data cache load] . It was disabled with value "3". That kernel level mitigation will remain enabled now.

    The underlying issue, Intel microcode, will remain disabled due to system policy and temporarily resolve this issue until Intel releases an updated microcode for Broadwell/Haswell CPU's.

    My recommendation:
    Code:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 1 /f
    
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    Those are done via Admin command prompt (and reboot) or add to registry manually and reboot. :thumb:
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,472
    Location:
    Toronto, Canada
    Dell and Lenovo pull faulty microcode updates at request of Intel.
    Link: http://www.dell.com/support/article...-servers-storage-and-networking-?lang=en#bios
    Link: https://support.lenovo.com/ca/en/solutions/len-18282

     
    Last edited: Jan 13, 2018
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,032
    Location:
    At the door ...
    WBD - to be clear for this less experienced user ...

    Could I just edit the "3" to a "1" in the first key, and reboot?

    Else, if I apply the Admin command prompt, as above, will it update the existing key - or do I have to delete them first?
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,032
    Location:
    At the door ...
  11. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    580
    Location:
    UK
    Each bit of FeatureSettingsOverride enables disables one of the mitigations but I see @WildByDesign has worked this out.

    I assume to get the bit pattern 01you are supposed to keep FeatureSetingsOverride = 3 and set FeatureSettingsOverrideMask = 01. But it probably doesn’t matter much

    @paulderdash you can just edit the key or run the reg commands to overwrite them. There’s no need to delete keys when you want to apply new values.
     
    Last edited: Jan 14, 2018
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,032
    Location:
    At the door ...
    Thanks @pling_man
     
  13. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    502
    Location:
    Member state of European Union
    I compiled this PoC for Spectre in Windows using Microsoft Visual C++ Build Tools.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,507
    Location:
    The Netherlands
    Yes correct. Here is a guy that agrees with me:

    https://www.beyondtrust.com/blog/intel-cpu-flaw-probably-not-affect/
     
  15. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,608
    Location:
    UK
    Again, I don't think that analysis is quite correct. By its nature, Spectre exploits on consumer clients would be confined to read-only certificate and account secret theft, possibly as part of other exploitation. But that would by no means be visible, nor would it be persistent. Therefore, exploits may be already there or imminent and we don't know it. This background level of threat is likely to continue for some years with the current crop (nb spelling) of CPUs.

    The biggest threat for the consumer at this point is bad-javascript delivery via browsers, stealing passwords (including from password managers). And the primary mitigations for that are not necessarily microcode and kernel, they are improved browser defences, ad-blocking, javascript control, and removing browser-based password managers, and using 2FA on password managers. And using a bit of opsec, such as having completely different sessions or machines for doing things like online banking and so on.

    It would be real nice at this point if websites could overcome their criminal negligence and implement practical 2FA (not smartphone/biometric).
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,472
    Location:
    Toronto, Canada
    Yes, if you are editing directly within the registry, the first option which is "FeatureSettingsOverride" can be changed from "3" to "1". Exactly as you said. Then followed by a reboot and you can use SpecuCheck to see the change. Also, you can check Event Viewer to ensure that there are no WHEA errors. It has been great for me since making the change and ensures that one of the important mitigations stays enabled while disabling the troublesome Intel microcode.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,450
    Location:
    U.S.A.
    Last edited: Jan 14, 2018
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,032
    Location:
    At the door ...
    Done, and did a Macrium backup test (previously slow, before applying any registry changes) to check that speed was still OK, and it is.

    And still no WHEA errors.

    Will believe you on SpecuCheck changes (I hadn't run it previously). :isay:
     
  19. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    974
    I still don't see any Core2Duo on that list. They're down to 2008 for intel desktops. That's about how old my intel computers are.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,450
    Location:
    U.S.A.
  21. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    974
    @itman, thanks for that link. I didn't know what timeframe Core2Duos were in so just to clarify, I was referring to techarps list is down to 2008.
     
  22. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    502
    Location:
    Member state of European Union
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,277
    Location:
    Italy
  24. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,266
    Location:
    USA, MICHIGAN
    I have another intel W8.1 box that wants to update KB4056892 should I hold off and take my chances using it with out this patch? with all the problems here I'm thinking I may.
     
  25. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,670
    Location:
    DC Metro Area
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.