|
incoherent posted: From what every smart person has said, Spectre can't be fixed without new silicon.

Yeah that's why I find the press release intriguing, are they gonna mixmaster the speculative execution system with new microcode or something
|
# ? Jan 4, 2018 22:03 |
|
|
Sounds to me that the updates this news release is talking about are the patches that are going out now for Linux, Windows, etc... Nothing else.
|
# ? Jan 4, 2018 22:04 |
|
mewse posted: Yeah that's why I find the press release intriguing, are they gonna mixmaster the speculative execution system with new microcode or something

They've added microcode stuff to do some sort of branch predictor flushes, which can be used to prevent that vector when the target is the kernel... at performance cost.
|
# ? Jan 4, 2018 22:18 |
|
To make sure I'm on the same page: we're supposed to deploy a patch through our respective OSes that decreases performance... then deploy microcode that... decreases performance?
|
# ? Jan 4, 2018 22:20 |
|
Here's some data that was useful for me to discover, that wasn't immediately clear to me based on reading the three MS patch pages:

1) Microsoft released a patch for certain builds of Windows, but not all. List here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

2) Microsoft is only making that patch available to Windows clients using particular AVs. Turns out that a bunch of AVs were making unsupported calls to kernel memory that don't play nice with the patch, and can cause BSOD if the patch is installed on a machine with a naughty AV. Article: https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

But it gets sliiiiiightly more murky. As it turns out, if you're running two AVs (lol i know) then you can get this patch pushed to you and make you vulnerable to BSODs. For a real life example, Defender comes installed by default on Win10 builds, and even if it's disabled / stopped / set to manual, the "this is a good AV" reg key appears to persist. Thus, even when running only 1 AV (that's 3rd party) that ISN'T supported, you can still get the patch and put yourself into dangerous situations.

3) Even once you get the patch installed it is ineffective for both vulnerabilities without a microcode update. As far as I can tell, Dell, for instance, has yet to release anything, but it's so frustratingly difficult to tell if that's true or if it's just buried somewhere.

There, I hope any of that is useful to other people whose week is similarly cratered. If anyone has corrections or experience to share I'd love to hear it.
|
# ? Jan 4, 2018 22:52 |
|
Hey. Remember when I used to go on tirades about how garbage AV is? Yeah. I like it when I am continually being given examples of such.
|
# ? Jan 4, 2018 22:54 |
|
Eagerly awaiting patches from Asus for my 5 year old self-built system. Hahaha, I will be waiting forever.
|
# ? Jan 4, 2018 22:57 |
|
My Azure instances rebooted at 06:00 today and I didn't even notice it had happened. More through luck than any sort of skill I think.
|
# ? Jan 4, 2018 23:00 |
|
Jowj posted: But it gets sliiiiiightly more murky. As it turns out, if you're running two AVs

Windows 10 will let you run Defender and your preferred AV simultaneously and I think it yields to the 3rd party for major cleanup but it gives a "hey buddy" notice.
|
# ? Jan 4, 2018 23:34 |
|
Jowj posted:
Hmm I haven't run into this yet, but good to watch out for.
|
# ? Jan 4, 2018 23:38 |
|
incoherent posted: Windows 10 will let you run Defender and your preferred AV simultaneously and I think it yields to the 3rd party for major cleanup but it gives a "hey buddy" notice.

Hm. If it's *intended* to run that way then maybe I'm interpreting the article wrong, but it seems like this opens you up to BSODs per the articles linked previously. Cylance, for example, absolutely does not add the reg key and this has been confirmed by their reps. Verified that Cylance does not add the reg key in Win8.1. But in Win10 Defender comes by default and does add it, and I've been able to pull the 1/3 update down no problem. I've done it again and will let you know if I run into any BSODs.
|
# ? Jan 5, 2018 00:22 |
|
Jowj posted: Hm. If it's *intended* to run that way then maybe I'm interpreting the article wrong, but it seems like this opens you up to BSODs per the articles linked previously. Cylance, for example, absolutely does not add the reg key and this has been confirmed by their reps. Verified that Cylance does not add the reg key in Win8.1. But in Win10 Defender comes by default and does add it, and I've been able to pull the 1/3 update down no problem. I've done it again and will let you know if I run into any BSODs.

The conflict is in the kernel hooks for the real-time scanning engine. When Defender sees 3rd party AV, it disables its realtime protection and only does on-demand scanning. It's probably a non-issue unless you have two 3rd party engines with real-time scanning enabled at once.
|
# ? Jan 5, 2018 00:31 |
|
BangersInMyKnickers posted: The conflict is in the kernel hooks for the real-time scanning engine. When Defender sees 3rd party AV, it disables its realtime protection and only does on-demand scanning. It's probably a non-issue unless you have two 3rd party engines with real-time scanning enabled at once.

Good info. If that's the case then it looks like it would be problematic due to this: https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

Microsoft posted: The compatibility issue is caused when anti-virus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update.

Since Cylance doesn't add the reg key it is likely it *does* currently make unsupported calls into Windows kernel memory.
|
# ? Jan 5, 2018 00:37 |
|
This looks handy, good job MS: https://twitter.com/epakskape/status/948781605790695424 (I think there is some /sys/ file us Linux people can cat, too, but I am not sure what it is...)
|
# ? Jan 5, 2018 01:06 |
|
Nice, my motherboard's last BIOS update was in 2013. Everybody is totally going to be safe from Meltdown.
|
# ? Jan 5, 2018 01:28 |
|
Wait so to be safe from Meltdown on Win10 x64, I will need both a BIOS update and the Windows patch? My mobo is 7 years old, I don't see a BIOS update happening any time soon. Would that mean I'd literally have to move to Linux to be secure? Or would that even be enough?
|
# ? Jan 5, 2018 01:40 |
|
Alpha Mayo posted: Wait so to be safe from Meltdown on Win10 x64, I will need both a BIOS update and the Windows patch? My mobo is 7 years old, I don't see a BIOS update happening any time soon.

This has nothing to do with BIOS, only OS. Yes, updating Windows will make you as secure as you can reasonably be at this time.
|
# ? Jan 5, 2018 01:42 |
|
Thermopyle posted: Eagerly awaiting patches from Asus for my 5 year old self-built system.

Microcode updates can go through the OS. Windows updates occasionally include them.
|
# ? Jan 5, 2018 01:48 |
|
Yeah they can come from either the BIOS or from the OS. https://wiki.archlinux.org/index.php/Microcode
|
# ? Jan 5, 2018 01:51 |
|
The PowerShell utility is telling me to get a BIOS/Firmware update to enable support. If that ends up being a requirement for most computers, it's never going to get done.
|
# ? Jan 5, 2018 01:53 |
|
I have a feeling that most OS vendors will have a patch with the microcode as the payload. I'm sure mobo manufacturers will push it as well, but OS vendors probably have greater penetration for patching.
|
# ? Jan 5, 2018 01:54 |
|
Ah, I see now. The PowerShell thing says that I am fine for CVE-2017-5754 [rogue data cache load], which is Meltdown. However, I need microcode updates for CVE-2017-5715 [branch target injection], which is one of the two variants of Spectre.
|
# ? Jan 5, 2018 01:58 |
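The three things the posts above keep circling (the AV "good to go" registry value that gates delivery of the January 2018 update, whether the update actually landed, and whether the OS fix plus the CPU microcode are both in place) can be checked read-only from one console. This is an added example, not code from the thread; it assumes the `QualityCompat` key and value name as published in ADV180002, the `SecurityCenter2` WMI namespace (client SKUs only), and the property names of the `SpeculationControl` module's `Get-SpeculationControlSettings` output as shipped in January 2018.

```powershell
# Added example: read-only patch-state check for the Meltdown/Spectre updates on Windows.
# Run from an elevated PowerShell prompt on the host being assessed.

# 1) AV compatibility marker (key/value name from ADV180002). Without this value
#    Windows Update withholds the January 2018 security update entirely.
$qcKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$qcName = 'cadca5fe-e3e3-4f5e-a5b8-6ba8f8a1c3f1'
$qc = Get-ItemProperty -Path $qcKey -Name $qcName -ErrorAction SilentlyContinue
if ($null -ne $qc -and $qc.$qcName -eq 0) {
    Write-Output 'QualityCompat value present: the January 2018 update will be offered.'
} else {
    Write-Output 'QualityCompat value missing: the update is withheld until the AV vendor sets it.'
}

# 2) Which AV products Security Center has registered. Two real-time engines at once is
#    the situation the thread flags as BSOD-prone. (Namespace exists on client SKUs only.)
Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, productState

# 3) Updates installed on or after the out-of-band release date (3 Jan 2018).
#    KB numbers differ per Windows build, so filter on the date instead of hard-coding one.
Get-HotFix |
    Where-Object { $_.InstalledOn -ge [datetime]'2018-01-03' } |
    Sort-Object InstalledOn |
    Select-Object HotFixID, Description, InstalledOn

# 4) The "PowerShell utility" from the thread: Microsoft's SpeculationControl module
#    (PowerShell Gallery). It reports the OS-side fix and the microcode-provided controls
#    separately, which is exactly the distinction the posts above are confused about.
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser
}
Import-Module SpeculationControl
$s = Get-SpeculationControlSettings

# CVE-2017-5715 (branch target injection, Spectre variant 2): needs BOTH microcode and the OS fix.
$btiHw = [bool]$s.BTIHardwarePresent          # microcode exposes the new branch controls
$btiOs = [bool]$s.BTIWindowsSupportEnabled    # Windows is actually using them
# CVE-2017-5754 (rogue data cache load, Meltdown): OS-only fix (kernel VA shadowing).
$kvaOs = [bool]$s.KVAShadowWindowsSupportEnabled

Write-Output ("Meltdown  (CVE-2017-5754) mitigated by OS:          {0}" -f $kvaOs)
Write-Output ("Spectre v2 (CVE-2017-5715) microcode present:       {0}" -f $btiHw)
Write-Output ("Spectre v2 (CVE-2017-5715) OS mitigation enabled:   {0}" -f ($btiHw -and $btiOs))
if (-not $btiHw) { Write-Output 'Microcode (BIOS/firmware or OS-delivered) update still required.' }
```

The result matching the post above is KVA shadowing enabled but `BTIHardwarePresent` false: Meltdown covered, Spectre variant 2 waiting on a microcode update.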
|
Interesting, I just noticed skape said that the patch requires an updated BIOS. That wasn’t my understanding. I’m curious to know why.
|
# ? Jan 5, 2018 01:58 |
|
Evis posted: Interesting, I just noticed skape said that the patch requires an updated BIOS. That wasn't my understanding. I'm curious to know why.

Maybe the BIOS update is so PowerShell can grab data it needs? (seems like a stretch but )
|
# ? Jan 5, 2018 02:17 |
|
It would be super cool if in Windows 10 there was any way whatsoever to see if a particular update had been installed. All the update history lists in 10 are completely useless and don't show any security updates. Trying to help my parents understand if they have the right patch yet is driving me crazy, since *I* can't even tell if my PC is patched.

EDIT: Thanks CALM DOWN, apparently my PC just is not getting any updates at all anymore. Nothing since 12/17 anyway. Pretty sweet.

Rescue Toaster fucked around with this message at 02:29 on Jan 5, 2018 |
# ? Jan 5, 2018 02:26 |
|
Rescue Toaster posted: It would be super cool if in Windows 10 there was any way whatsoever to see if a particular update had been installed. All the update history lists in 10 are completely useless and don't show any security updates.

Get-Hotfix
|
# ? Jan 5, 2018 02:27 |
|
Rescue Toaster posted: It would be super cool if in Windows 10 there was any way whatsoever to see if a particular update had been installed. All the update history lists in 10 are completely useless and don't show any security updates.

That's about reasonable for the last patch cycle.
|
# ? Jan 5, 2018 02:36 |
|
Kazinsal posted: Zen is still vulnerable to Spectre.

Which stepping of Zen?
|
# ? Jan 5, 2018 02:53 |
|
Thanks for the explanations!
|
# ? Jan 5, 2018 03:36 |
|
Going by what Intel's saying, a microcode + OS update should be enough to fix variant 2, but at least from the original patch I saw, they're only enabling it in kernel code, which is kind of a poo poo fix since it'll still be possible to sniff user-space memory in the same process. Variant 1 is probably fixable without new silicon too, but not without making everything run like dogshit.
|
# ? Jan 5, 2018 04:01 |
|
Thermopyle posted: Eagerly awaiting patches from Asus for my 5 year old self-built system.

It's out in beta for me right now. You should have gone for the Q87 board. (They have yet to fix the Intel ME or Infineon TPM bugs, and this is the first firmware microcode update since before the TSX bug, so they really don't get any praise from me.)
|
# ? Jan 5, 2018 04:05 |
|
OneEightHundred posted: Variant 1 is probably fixable without new silicon too, but not without making everything run like dogshit.

Maybe not. Google's Retpoline construct seems to indicate the performance hit is either negligible or can be optimized around. This is starting to get in the weeds for me, as it's getting harder to shake off the rust. The last few years I've been mostly specializing on layers 1-3 on the network and breaking stuff there. I don't know if you've seen the Retpoline write up yet. Take a look and let me know what you think, if you have time. https://support.google.com/faqs/answer/7625886

quote: Overhead
|
# ? Jan 5, 2018 04:10 |
|
Going by the way people are talking, does Windows not do microcode updates installed by the OS at boot time the same way Linux OSes do (and I have gotten intimately familiar with to avoid crash bugs)? I was pretty sure Windows did.
|
# ? Jan 5, 2018 04:14 |
|
Proteus Jones posted: Maybe not. Google's Retpoline construct seems to indicate the performance hit is either negligible or can be optimized around.

Variant 1 is the tougher case to fix, and it relies on static branches, so the retpoline trick won't work.
|
# ? Jan 5, 2018 04:38 |
|
gourdcaptain posted: Going by the way people are talking, does Windows not do microcode updates installed by the OS at boot time the same way Linux OSes do (and I have gotten intimately familiar with to avoid crash bugs)? I was pretty sure Windows did.

They do, but they are released with other updates on Patch Tuesdays, so you have to wait for the next one.
|
# ? Jan 5, 2018 05:48 |
|
OneEightHundred posted: AFAICT that's for variant 2 though, and the hardware mitigation for that is basically to just shut off indirect branch prediction, which apparently isn't too bad, probably because indirect branches are already slow and hard to predict, and even with it turned off, the performance impact can be mitigated by compilers if they know what the most common target address is by just checking that address explicitly.

I thought you were asking about Spectre2, sorry. I think Spectre1 is going to require fixes on a case by case basis. I'm just not seeing anywhere that indicates it can be addressed with a microcode patch. It looks like an OS patch to address any OS bundled programs, and vendor patches for 3rd party applications. But that's a BIG maybe that will work. There's a lot of side channel info leakage that I don't think patching can account for. I think this is the one that is mostly "Welp! We'll get back to you in a couple years when we have our new architecture ready"

It's a loving mess is what it is.

Per table entry on Google's Sec Blog for "Variant 1: bounds check bypass (CVE-2017-5753)" https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html

quote: Mitigation requires analysis and recompilation so that vulnerable binary code is not emitted. Examples of targets which may require patching include the operating system and applications which execute untrusted code.

That reads to me like the "requires analysis and recompilation so that vulnerable binary code is not emitted" needs to happen on a case by case basis and no general fix is known.

Proteus Jones fucked around with this message at 06:13 on Jan 5, 2018 |
# ? Jan 5, 2018 06:08 |
|
For anyone still needing to wrap their heads around how Meltdown-type attacks actually work, good old Scott Manley (of Kerbal Space Program fame) has put out the clearest explanation I've seen. Spoiler alert: it's a really clever attack. https://www.youtube.com/watch?v=d7ILCoU9d4k
|
# ? Jan 5, 2018 06:16 |
|
Thermopyle posted: Eagerly awaiting patches from Asus for my 5 year old self-built system.

Nalin posted: Nice, my motherboard's last BIOS update was in 2013. Everybody is totally going to be safe from Meltdown.

My H81M-P Plus had an update released Jan 3, marked beta, with the note "update microcode 0x23". Won't install it yet, even though it's just a microcode update it's a beta. From Asus. I don't trust them after a bad experience fifteen years ago lol.
|
# ? Jan 5, 2018 11:48 |
|
Well it's a start I guess. Hmmmm
|
# ? Jan 5, 2018 20:08 |
|
|
ChubbyThePhat posted:
Do you have an older processor? These are the results from my i7-8700k:
|
# ? Jan 5, 2018 20:15 |