'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign

Discussion in 'other security issues & news' started by Minimalist, Jan 2, 2018.

  1. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,006
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Yeah, I understood that, and figured that was the older bug you were talking about.

    Cheers!
     
  3. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,348
    Location:
    Europe, UE citizen
    If Microsoft will release a patch for this bug in the next patch security Tuesday, as a security update, it means that I will be forced to install this patch - that I don't want, I don't want to lose performance on my PC - if I want to install the other security updates. :thumbd:
     
  4. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
  7. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,006
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Last edited: Jan 4, 2018
  9. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "Windows Meltdown-Spectre patches: If you haven't got them, blame your antivirus

    Microsoft says your antivirus software could stop you from receiving the emergency patches issued for Windows

    Microsoft has warned users that its patches for the dangerous Meltdown CPU bug won't reach them if their third-party antivirus hasn't been updated to support this week's Windows security update..."

    http://www.zdnet.com/article/window...-if-you-havent-got-them-blame-your-antivirus/

    "...Due to an issue with some versions of Anti-Virus software, this fix is only being made applicable to the machines where the Anti virus ISV has updated the ALLOW REGKEY..."

    https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892
     
  10. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    I just want to download the patch from Microsoft. I don't want to install a compatible AV or wait for any of their stupid rollouts to get to me or read a bunch of their crap about how I'm going to wait for this. I just want the link to the patch. ASAP.

    Update: Found it. Applied it on 2 computers and (older versions of) Sandboxie were disabled on first boot after the patch. Now I feel secure, lol.
     
    Last edited: Jan 4, 2018
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Sorry, I should have noted that SpecuCheck is specifically only command line. I ran it with an admin command prompt because I assume it likely needs admin rights. Hopefully soon someone will release a GUI tool which would be quicker and easier.
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    VMware's advisory is at:

    https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

    Most products are affected but not Workstation 14 or Fusion 10.

    I cannot find any information about VirtualBox updates regarding this.

    Xen is also affected as noted above. Qubes hasn't had time to evaluate yet:

    https://twitter.com/i/web/status/948875166913789958

    More generally, this is a disaster for smartphones where it is not possible to update the Android version, though I understand it's harder to attack the phone processors.

    Yet again, it highlights the disaster area that uncontrolled JavaScript represents.

    Being the suspicious kind of guy I am, I'm wondering whether this disclosure has been prompted by the data breaches at NSA last year. It's just the sort of thing they'd want to have had designed into popular CPUs to extract secrets on the quiet.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I would suggest folks follow Alex Ionescu's Twitter for some deeper details for those who want those kinds of details. Go back through his whole timeline of the past day or so.

    Link: https://twitter.com/aionescu/status/948817335980142592
    Erik Loman surprised on that Twitter thread as well.

    Definitely some performance hits for certain hardware. I've got a newer Intel Ultrabook which has the hardware mitigations (possibly more to come via BIOS updates) and I've got an older netbook which does NOT have the hardware mitigations, only software mitigations. Big difference.
     
  14. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,547
    Location:
    Triassic
    What if AMD is not impacted the same way Intel is? So far I have not seen an AMD announcement regarding the MS patch.

    My laptops (Windows and Linux) are Intel based so I'll install the patch as soon as it is offered, but I also have an AMD desktop and it is used for research. If the patch is not going to address vulnerabilities in the AMD chip design, I'd prefer not to install it. I hope the patch will be out of band and not packaged in a security bundle. The MS patch may impose a percentage performance hit under certain workloads and that is an issue.
     
  15. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    It will likely take a long time before this is fixed in new CPUs, I presume?
     
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,926
    Location:
    Texas
  17. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    The below link helped me to understand this flaw better:
    https://arstechnica.com/gadgets/2018/01/whats-behind-the-intel-design-flaw-forcing-numerous-patches/

    So what Linux (and Windows and other OSes?) running on x86/x86_64 have been doing so far was splitting the virtual memory half for user running stuff (your OS, web browser etc...) and kernel stuff and trusting that x86/x86_64 kept the bad neighbours (aka bad userland software) from snooping kernel stuff.

    And now thanks to this x86/x86_64 silicon bug, the barriers are falling apart. So now the kernel stuff needs to be completely isolated, which will create some performance penalty depending on how much each application uses the kernel system calls like write(), read() etc... (List of various system calls: https://filippo.io/linux-syscall-table)

    So if the software uses just a few system calls rarely, these patches have no performance impact whatsoever.
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Must be doing something stupid, I did run it in PS (Admin) but I get:

    SpecuCheck.exe : The term 'SpecuCheck.exe' is not recognized as the name of a cmdlet, function, script file, or
    operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
    again.
    At line:1 char:1
    + SpecuCheck.exe
    + ~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (SpecuCheck.exe:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Edit: But I agree with Krusty, I know I am affected anyway.
     
    Last edited: Jan 4, 2018
  19. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,006
    https://www.bleepingcomputer.com/ne...pdates-to-fix-meltdown-and-spectre-cpu-flaws/
     
  20. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    And that remained secret until it was discovered by an entity non-3letter obligated. So Intel has to say look what we found [cough cough 10yrs later].
     
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Yip, WU has now offered it on a WD only machine (regkey exists). Nothing yet on two machines with Emsisoft AM (no such regkey).

    Edit: One way for MS to make themselves look 'better', introducing a pre-req that no-one else knows about till later :shifty: :D.
     
    Last edited: Jan 4, 2018
  23. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    Nothing here, running Comodo Internet Security.
     
  24. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    M$ with their 10,000+ software engineers is ignoring putting out a fix for Windows 7 till when?
     
  25. mary7

    mary7 Registered Member

    Joined:
    Oct 17, 2017
    Posts:
    57
    Location:
    Italy
    I have manually installed the update from the Microsoft catalog. I have Kis2017j on one PC and kis2018f on another. Kaspersky patched on December 29 with the compatibility for this Microsoft update, and I have found the

    Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
    Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
    Type="REG_DWORD"
    Data="0x00000000"

    but Windows Update this morning did not find the update with the patch, so I downloaded it from the catalog
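
The compatibility value quoted in the post above (the "ALLOW REGKEY" mentioned earlier in the thread) can be checked for presence, type and data in one pass. This is an added example, not part of any post or of Microsoft's tooling; the function name Test-QualityCompatKey is an assumption, while the key path, value name, type and data are the ones quoted above.

```powershell
# Added example: verifies the antivirus compatibility value quoted in the thread.
# Run from a 64-bit PowerShell session so the 64-bit registry view is read.
# Test-QualityCompatKey is a name chosen for this example.
function Test-QualityCompatKey {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat',
        [string]$Name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    )

    $result = [ordered]@{
        KeyExists   = $false
        ValueExists = $false
        Kind        = $null
        Data        = $null
        Compliant   = $false
    }

    # The key itself may be absent when no antivirus vendor has created it.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]$result
    }
    $result.KeyExists = $true

    # Get-Item on a registry path returns a Microsoft.Win32.RegistryKey object.
    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $Name) {
        return [pscustomobject]$result
    }
    $result.ValueExists = $true
    $result.Kind = $key.GetValueKind($Name)
    $result.Data = $key.GetValue($Name)

    # The post shows REG_DWORD with data 0x00000000; a value of another type
    # or with other data is reported as non-compliant instead of accepted.
    $result.Compliant = ($result.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and
                        ($result.Data -eq 0)
    return [pscustomobject]$result
}

$status = Test-QualityCompatKey
$status | Format-List
if (-not $status.Compliant) {
    # Posters in this thread report Windows Update not offering the patch
    # on machines where this value was missing.
    Write-Warning 'QualityCompat value is missing or has an unexpected type or data.'
}
```

Reading the value needs no elevation, so the check can be run across a fleet from a standard account to see which machines an antivirus vendor has already marked as compatible.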
     