Discussion in 'other security issues & news' started by Minimalist, Jan 2, 2018.
NoScript should stop that shouldn't it? Unless an allowed domain is hijacked.
Firefox ESR is less at risk:
Thank you for your reply.
I may be wrong but from what information that I could find, I think you only need to add those registry keys if you are on Windows Server...
From: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities
If you compare the two Microsoft Knowledgebase Articles listed in the two quotes above, Microsoft is only mentioning adding the registry keys (configure protections) on Windows Servers.
From Bleeping Computer: https://www.bleepingcomputer.com/ne...stems-for-the-meltdown-and-spectre-cpu-flaws/
I'm waiting for BitDefender.
Good catch! That is what appears to be the case. As best that I can determine, the keys don't have any effect on client vers. of Win; at least for my AMD processor.
I also read in one of the multiple postings on this subject that even if you manually add the QualityCompat reg key, the update might not install unless your AV is one supporting this Win update.
I shut down SAP and, then disabled it, so it wouldn't interfere, before I rebooted:
Spectre still unfixed, unlike what Intel says
By Alex Ionescu and never_released (https://twitter.com/never_released)
Read link for more.
EDIT: This is great, concise information and most importantly current info.
I'm still running Intel 2700K on one of my computers. Looks like I will have to put together an AMD build using the parts lying around. Darn.
Intel - AMD are in the same basket.
Key thing I see is you have to allow something to run on your system before it's a problem
The update was not shown in Windows Update, so I used the .reg file from Bleeping Computer. After that, Windows Update found the update and it installed without any issues.
I heard that Spectre is much more difficult to be exploited, although it's also more difficult to patch. So maybe you are right, both Intel and AMD are affected now.
No, it is not the same basket, it is nowhere near as bad as Intel.
Yup. Got the info earlier today from @itman
Running script in browser could be enough to trigger it.
Meltdown and Spectre: Yes, your device is likely vulnerable
Browsers are starting to implement mitigations, but it will take time for browser vendors to implement strong mitigations. Probably compilers (GCC, LLVM/Clang, Rust compiler, MSVC) would have been useful to mitigate these vulnerabilities, but it would mean waiting for compiler updates, then recompiling whole projects, then updating browsers with recompiled binaries.
BTW Linux kernel can update CPU microcode, so users of distributions with updated microcode don't have to wait for firmware (BIOS/UEFI) update.
Security updates outside the patch-day also for my XP:
I checked the Gigabyte web site yesterday. All I saw was one forum posting about this incident. For those that built their own PC like yours truly, I would say you will be waiting a long time for a non-Intel motherboard BIOS update, if one is issued at all by the motherboard manufacturer. Also forget it if the MB is no longer supported. My previous experiences with dealing with the Taiwanese manufacturers are far from supportive. Also Intel-issued BIOS firmware updates in all likelihood will only work w/o issue for their manufactured motherboards.
So all this talk about firmware updates being the ultimate solution, "rings hollow in my ears."
Trying to consider the positives coming out of this as an aid to deciding who gets my business for my next computer. I know 4 big companies who got money last time that won't be getting it next time. Never seen so much confusion, misinformation, incomplete instructions and lack of response. I thought Y2K was bad.
Yes, that could help there. Though IMO built-in mitigations (browsers, OS...) will have better success than relying on this. Especially with the majority of users that would have problems using script controls and would have to "learn how internet works".