1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News Vendors issue Meltdown, Spectre security updates

Discussion in 'Article Discussion' started by bit-tech, 5 Jan 2018.

Page 2 of 2
  1. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    Corky42, 6 Jan 2018
    #21
  2. Anfield

    Anfield Multimodder

    Joined:
    15 Jan 2010
    Posts:
    7,062
    Likes Received:
    970
    Anfield, 6 Jan 2018
    #22
  3. jb0

    jb0 Minimodder

    Joined:
    8 Apr 2012
    Posts:
    555
    Likes Received:
    93
    Wrong vulerability. That tests for a Management Engine exploit announced last November.
     
    jb0, 6 Jan 2018
    #23
  4. Otis1337

    Otis1337 aka - Ripp3r

    Joined:
    28 Nov 2007
    Posts:
    4,711
    Likes Received:
    224
    i am, both AV's are up to date.
     
    Otis1337, 7 Jan 2018
    #24
  5. Vault-Tec

    Vault-Tec Green Plastic Watering Can

    Joined:
    30 Aug 2015
    Posts:
    14,981
    Likes Received:
    3,743
    Vault-Tec, 7 Jan 2018
    #25
    Guest-56605 likes this.
  6. Guest-56605

    Guest-56605 Guest

    Someone on the level with a vested interest not constrained by corporate BS politics and NDA's always gets my vote :thumb:
     
    Guest-56605, 7 Jan 2018
    #26
  7. Vault-Tec

    Vault-Tec Green Plastic Watering Can

    Joined:
    30 Aug 2015
    Posts:
    14,981
    Likes Received:
    3,743
    Just noticed Trillian is dead. Not just for me, but for a couple of my friends too. It's not even playing the little ditty when it opens, though I suspect it does that once it has connected to the servers.

    Also having issues with Facebook. I have instructed it to send an email about 20 times now and nothing has arrived. Eventually it just said server error, or something like that.
     
    Vault-Tec, 7 Jan 2018
    #27
  8. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    He's not wrong but although speculative execution happens across protection domains in nearly all Intel chips they also provided the ability for developers to exclude certain code from speculative execution over six years ago via PCID (Process context identifiers), LFENCE, and MFENCE, to name the most obvious.

    I can't remember if I've already mentioned it on the BT forums but mitigations for these vulnerabilities, particularly Meltdown as that's the easiest to exploit and mainly effects Intel, have been included in x86 instructions for years however because developers get stuck in their ways, and until now, there was no known ways to exfiltrate the data from the on processor memory no one bothered coding to excluded certain data from speculative execution even though the facility to do so has existed for years.

    It's probably why AMD is less susceptible as the ZEN microarchitecture was pretty much designed from the ground up whereas Intel have been making hundreds, maybe thousands, of changes to the basic Core design they introduced over 20 years ago.
     
    Last edited: 7 Jan 2018
    Corky42, 7 Jan 2018
    #28
  9. adidan

    adidan Guesswork is still work

    Joined:
    25 Mar 2009
    Posts:
    19,808
    Likes Received:
    5,594
    I was under the impression Meltdown only affects Intel. Mainly kind of implies that is not so.

    Not meaning to be picky, i'm just losing track. :confused::)
     
    adidan, 7 Jan 2018
    #29
  10. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    Yea sorry i couldn't think of a word slightly less than "only" as i didn't want to say something i wasn't sure was 100% accurate, AFAIK Meltdown only effects Intel but I'm not certain of that basically. :)
     
    Corky42, 7 Jan 2018
    #30
  11. Xlog

    Xlog Minimodder

    Joined:
    16 Dec 2006
    Posts:
    714
    Likes Received:
    80
    Meltdown does affect ARM Cortex A75 (here is chart from ARM), but there are no products with it on the market yet.
     
    Xlog, 7 Jan 2018
    #31
    Corky42 and adidan like this.
  12. wolf5ster

    wolf5ster Minimodder

    Joined:
    2 May 2011
    Posts:
    800
    Likes Received:
    55
    PC updated today with just KB4056892

    I can't seem to find any info on the Qualcomm Snapdragon 801 which is inside the Galaxy S5. All confusing with mobile devices especially the older ones.

    It seems only 1 out of the 3 affects AMD. When I can get hold of some cheap DDR4 i'm looking to upgrade the kids pc. It's looking like another Ryzen R5 1600, although never know intel may drop prices.
     
    Last edited: 7 Jan 2018
    wolf5ster, 7 Jan 2018
    #32
  13. adidan

    adidan Guesswork is still work

    Joined:
    25 Mar 2009
    Posts:
    19,808
    Likes Received:
    5,594
    Ah ha, right. Thanks for that, I think that's where I was confusing myself. It does mainly affect Intel but those others that it also affects aren't on the market yet. Gotchya.
     
    adidan, 8 Jan 2018
    #33
  14. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,133
    Likes Received:
    6,728
    There are non-Intel chips affected by Meltdown which are on the market - like the Arm Cortex-A15 and A57. The confusion lies in the fact that the original Meltdown exploit, known as Variant 3 in the combined Meltdown/Spectre disclosure, was Intel specific; after the public disclosure, researchers developed a new version of Meltdown dubbed Variant 3a which is not Intel-specific.
     
    Gareth Halfacree, 8 Jan 2018
    #34
    adidan likes this.
  15. adidan

    adidan Guesswork is still work

    Joined:
    25 Mar 2009
    Posts:
    19,808
    Likes Received:
    5,594
    Ok. Right. Thanks for that, that's a bit clearer now.

    I just had a recheck of my phone CPU, it's a snapdragon 4xx so it uses an A53 arrangement so at least that seems to be ok for both Meltdown and Spectre if I read correctly.

    So coupled with my paperweight netbook I'm flourishing in safe devices! :rolleyes:
     
    adidan, 8 Jan 2018
    #35
  16. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,133
    Likes Received:
    6,728
    I can confirm that linux-image-4.13-24 and related fix Meltdown on my Dell XPS 13...

    ...and break Wi-Fi and keyboard function keys, so that's nice. Better still, Canonical's not fixing 4.10 but instead shifting Ubuntu 16.04 over to 4.13 ahead of schedule - though hopefully it'll actually be working by then.

    Oh, and even then: it does not include any protections against Spectre, which is disappointing. Again, hopefully that'll be part of the proper rollout.

    EDIT: Installed the 4.4 kernel from the PPA and manually installed the backports Wi-Fi driver into it, and I now have PTI and working network. Huzzah!

    ...unfortunately, it seems to have broken both TLP and Powertop. Balls.
     
    Last edited: 8 Jan 2018
    Gareth Halfacree, 8 Jan 2018
    #36
  17. adidan

    adidan Guesswork is still work

    Joined:
    25 Mar 2009
    Posts:
    19,808
    Likes Received:
    5,594
    It all sounds a bit of a mess. If it's breaking balls too then it's far worse than I feared. :eek:
     
    adidan, 9 Jan 2018
    #37
  18. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,133
    Likes Received:
    6,728
    Now running a version of 4.13.0-26 that doesn't kill my Wi-Fi and with a microcode update for Variant 2 from Intel, but the news ain't great:

    Code:
    blacklaw@xerxes:~/git/spectre-meltdown-checker$ sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.31

Checking for vulnerabilities against running kernel Linux 4.13.0-26-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 22:00:44 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-7560U CPU @ 2.40GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  YES
*     The SPEC_CTRL CPUID feature bit is set:  YES
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Checking if we're running under Xen PV (64 bits):  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
    Turns out the microcode update is only any good if it has matching kernel support, which Canonical hasn't shipped yet - so I'm immune to Meltdown, but still vulnerable to both Spectre variants. Joy(!)
     
    Gareth Halfacree, 15 Jan 2018
    #38
  19. Anfield

    Anfield Multimodder

    Joined:
    15 Jan 2010
    Posts:
    7,062
    Likes Received:
    970
    Anfield, 17 Jan 2018
    #39
  20. Vault-Tec

    Vault-Tec Green Plastic Watering Can

    Joined:
    30 Aug 2015
    Posts:
    14,981
    Likes Received:
    3,743
    I'm a bit annoyed as it goes. At first I thought it may have been rebuild teething issues but now I am not so sure. About four nights ago I was happily playing Fallout 4 when it just ceased. Not froze, because the characters were all nodding around and the wind could be heard blowing but nothing was happening. No input at all. I tried to CTRL ALT DEL no joy. Ended up forcing it to power down.

    Last night (well, this morning) when I was done gaming I shut the rig down. Nothing happened, so I repeatedly clicked on "Shut Down" five times or so. Again nothing happening, CTRL ALT DEL useless. Had to force it to shut down.

    Got up this morning (barely, around 11:30 AM, who else loves pyschs who leave you without sleeping meds for three days?) and it won't start. It went to the UEFI screen and I just got a spinning logo for ages so I forced it to shut down again. Rebooted, nothing. Monitor was lit, light was on and the backlight was on but no display. I had to force shut it down again and it eventually booted. I performed a restart to see if it was OK and it seems to be but yeah, all very odd and very annoying.

    Just ran the check @Anfield and it seems I am protected from Meltdown but not Spectre.
     
    Vault-Tec, 17 Jan 2018
    #40
Page 2 of 2
Tags: Add Tags

Share This Page