If you see this post from Microslop read between the lines.
The CVE-2017-5754 which is Meltdown a.k.a Rogue Data Cache Load is exclusive to Intel and ARM Cortex-A75, while the former and latter both don't have any microcode patch - BUT it has severe performance hit at least on Intel platform, KPTI through only OS update. While the Spectre variants CVE-2017-5753 a.k.a Bounds Check Bypass also doesn't have any microcode patch. Now interesting thing is the CVE-2017-5715 a.k.a Branch Target Injection affects multiple CPUs from AMD, ARM, Intel right? So in the M$ blog they state this needs the BIOS Microcode update and yeah coming to the Haswell, a.k.a 2014-2015 era HW (Which have proper Windows 7 / BIOS with CSM support) the performance hit is high and throws severe errors and undermines the clockspeed / OC performance as well, Also stated in the blog above
now read this again
So from the microsoft statement & the OCN thread (Haswell v23 Microcode update perf impact & analysis, thanks to the OP of this thread) are saying the same that the Variant 2 which is Spectre (5715) has maximum impact, Plus blog also states that but the below old articles say otherwise and lack the information.
Why only Intel is highlighted here and the Windows 10 Information is only pressed? What about the AMD processors state on that, which is Ryzen which runs on Windows 7 properly and Windows 10 too. While the Skylake has issues with booting to the Windows 7 unless the OEM allows them, plus the eHCI EOLing.
Which only makes me think about only one solid truth of the industry's (Microshaft and Intel's collusion) massive plan to EOL BIOS by 2020. By making the Pre-Skylake machines go EOL faster and efficient by stating the performance hits w.r.t. the architectural differences and the giveaway is the Intel's marketshare in both Enterprise and Consumer by hitting that and the OS Windows 7 which favors the CSM/BIOS over the full UEFI they will be successful.
While the Win10 is perpetual alpha of 6Mo cycle with 18Mo EOL on each release unless they run the LTSC which heavily depends on the silicon release and changes, One is purported to be released in 2019. I guess for all the smart people who are running the 2016 LTSB wait for that 2019 version, Post that expect not to boot on the CSM/BIOS HW (or options enabled) properly or has issues.
Now read this article from Ars, Stance on all Companies PR - Recommended, very insightful.
INTEL
AMD
ARM
Apple
Microshaft
In case you missed the Apple's statement and thought it as somewhat super neat. Nope.
And look at this article from Verge
Now Look at this Intel PR a few days back, Embargo lift on Jan 9th and they came to know about this from multiple points, Google Project Zero and TUGraz, others who I missed, still lots of missing information on the vulnerability which came last year..
Welp !
This situation is a big loss to us consumers who favor liberty, due to whatever shenanigans the corporate want to pull regarding the backdoors, utter lack of transparency etc. It's the greatest fallacy from most of the companies ever tbh in broad daylight varying from SEC warrant, Class Actions, failed M$ updates on AMD platform to the Register articles, Significant chunk of Information missing like the Spectre variant 2 patch impact on platforms other than Intel... Makes me cringe, ughhh..
I didn't update my system whatsoever in rush on patching it and get a stupid and botched performance patch. I know my limits and how to navigate in the sea of snakes. I'll wait instead and see how things progress then patch.
P.S - Excuse me for lack of chronological ordering of my post, timeline of the articles & small mistakes that might have crept in but hope you understand and construct them effectively.
-
@hmscott @Vasudev and any other linux users:
Here is the Intel links to the Linux microcode released 1/08/2018. I didn't post it earlier, I don't think, because I either figured you guys had found it or that it was incorporated with Linux OS updates. To be certain, here you are:
https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File -
Maybe it's time to read Intel CPU's developer edition of pdf file to get some ideas. -
http://ftp.debian.org/debian/indices/files/ -
https://www.pcsuggest.com/update-cpu-microcode-in-linux/
Published 12/30/2017
@hmscott -
any guesses on likelihood of a recall-type scenario happening? on the one hand it seems silly to expect, but on the other hand i wonder if this is a possible outcome, especially if and when government regulatory agencies really start getting involved.
it's really a huge turnoff to consider how unstable and constantly-changing the 2018 landscape will be in terms of updates/patches, with all the various entities involved likely to continue tweaking and handling this crap in response to freshly-discovered issues, technews feedback, and consumer complaint. with great support communities like here, and the collective industry working hard to manage it, i know i could at least rely on help to figure out the best way to apply (or avoid on per-case basis) updates and patches as time goes on, but it sucks thinking that i could spend the next months continually adjusting a new computer, it's almost more hassle than it's worth, just thinking about it gives me a headache. cuz even tho i don't really care about being "protected!" and would easily ignore patches, i'm certain that as time passes there will be more and more ways that intel/windows/whoever(maybe even govt eventually) will essentially be forcing consumer to update, with little choice (and i simply don't have the patience or knowledge/expertise to commit to "arms race" and sneak around it, as some people here have).
or maybe i'm just thinking too much into it and should just stop being a baby and deal with it? -
Spartan@HIDevolution Company Representative
I also use this tweak:
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"DisablePagingExecutive"=dword:00000001
"LargeSystemCache"=dword:00000001
-
If you use your PC as File server then Large System Cache really helps. -
Starlight5 Yes, I'm a cat. What else is there to say, really?
I run without pagefile regardless, for many years. -
This is with the 1709 patch. Only hit seen so far is the 2-5% CDM R/W and that I can live with.
-
If one encounters instability (BSOD) you need it enabled to save DMP files for analysis, but you can always temporarily enable page file if you need to for that. -
I've come to a realization: I'm, sometime in the coming months, going to setup a linux/android build system, meaning a linux based system on which I will build my own customized builds of linux and android distros, based off of the github or respective linux sites. I've wanted to break away from Windows for awhile and have decided to relegate M$ to a dual boot for benchmarks, and VM for anything I cannot run on Linux....
This way I can just pull from the servers the necessary files to update builds when I care to and take a bit more control.
Edit: UBUNTU 4.15-RC7 Kernel update: http://sourcedigit.com/23105-linux-kernel-4-15-rc7-on-ubuntu/
Don't forget to clean up after you install the header info. -
@hmscott @Vasudev - here is the .deb distribution of the still listed as unstable 20180108 microcode: https://packages.debian.org/sid/intel-microcode
-
I don't want to update my bios on my laptop, as it is an unlocked bios from the guy on the MSI forums. I guess it doesn't matter, as there is not a bios update available for my system anyway.
-
I can never remember his name..lol Thanks, I will check the forums and see.
-
I can see, that I am going to have to sit down and create a new Windows 7 installation ISO. I want to create one with all the new hardware drivers, and simplix latest, all in one. I think I will create one with a total customization of how I have things set up on most my PC's, including icons, dll's, and Mui's. So I can basically install, and go.
-
The vulnerability checker crashes for me every time I ask it to check, anybody else noticing this problem? What's a good way to measure performance loss post patch?
-
I'm trying to wrap my head around everything and boil it down to a basic checklist of necessary actions one must eventually take to protect against the vulnerabilities (not immediately due to buggy patches, BSODs, etc.):
1. Make sure your anti-virus sets the compatibility registry key for the January 2018 security patch (can set manually if you don't use AV).
2. Update Windows with said January 2018 patches (risky right now, especially for older and/or AMD CPUs).
3. Update BIOS/firmware/microcode* (must get from laptop/desktop OEM for pre-built systems or from motherboard manufacturer site for custom-built systems).
4. Update AMD/Nvidia drivers since GPUs may also be vulnerable to Meltdown/Spectre.
Is that it in a nutshell?
There's also the matter of using the latest version of your browser of choice with an ad-blocker like uBlock Origin to block possibly harmful ads/scripts. If someone wants to go further they can use an add-on like NoScript to block scripts more aggressively.
*The microcode update is where I trip up. It seems like Intel already released this, and users can either install it manually or wait for their system/motherboard OEM to release a BIOS update? -
Fyi:
I used VMware tool to install driver with updated microcode.
For my system (laptop MSI GT72 2QE, i7 4710MQ, Haswell), only partly, windows is not activating mitigation measure since he detects that the hardware is not using proper microcode...
As per: https://www.win-raid.com/t3351f47-Microcodes-for-branch-target-injection.html#msg46070
"It depends on the CPU. My IB-E has no HW support for mitigation against BTI, but new microcode brings that HW support, and it happens that Windows kernel is loaded before VMware driver and it sees that there is no HW support and disables the mitigation. Only after I patched the BIOS file and flashed it Windows enabled the mitigation. So if your CPU has HW support for BTI mitigation (with current microcode) then you can use VMware driver."
My assumption: Vmware driver is loaded at boot after kernel and thus, is not a proper mitigation as is a real microcode update via Bios update, but it's better than nothing cause exploit needs to happen before this driver is loaded (at least that's my understanding but I'm probably wrong). -
I haven't had a chance to do any extensive benchmarking after the patch to both Spectre and Meltdown but I did do a little investigating on CPUZ benching tool.
Looks like single core stays about the same. Multi-core dropped about 60. Over clocked to 5.05ghz I was getting 4460 on Multi-core. Now it's right around 4400.
I'm sure Mr fox will go more in depth on pre/post patch/bios fix. -
Just updated BIOS on my Dell M6800 (ver. A21) which also updated the Intel Microcode, but Checking with Ashampoo SpectreMeltdownCheck still shows my cpu vulnerable.
I also tried manual microcode update, but nothing changed (seems bios already updated to the same microcode version).
CPU i7-4900MQ -
It's a bit technical, but if you download the script from the MS site and follow instructions from a couple of example sites, it should be doable, give that a try and see what you see:
Speculation Control Validation PowerShell Script
This is described in the blog topic: "Windows Server guidance to protect against the speculative execution side-channel vulnerabilities."
https://gallery.technet.microsoft.com/scriptcenter/Speculation-Control-e36f0050#content
How to Check and Update Windows Systems for the Meltdown and Spectre CPU Flaws
How can you check the status of the patches?
https://www.bleepingcomputer.com/ne...stems-for-the-meltdown-and-spectre-cpu-flaws/
Mitigation: 3 Practical Things to Do Now
Step 1: Verify if new Windows protections are enabled
https://blog.barkly.com/meltdown-and-spectre-mitigation
Please give it a try and let us know what you find -
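Added example (not part of any post in this thread, and not Microsoft's code): a Python sketch that reads the True/False property summary printed at the end of the Speculation Control script's output and names the step still missing, including the case reported earlier in the thread where Windows is patched but keeps the branch target injection mitigation off because the new microcode was not present when the kernel loaded. The property names are an assumption about the January 2018 script's output format, the sample output is constructed, and `parse_settings` and `diagnose` are hypothetical names.

```python
import re

# Constructed sample (not from the thread): summary lines as printed by
# Get-SpeculationControlSettings on an OS-patched PC without new microcode.
SAMPLE_OUTPUT = """\
BTIHardwarePresent             : False
BTIWindowsSupportPresent       : True
BTIWindowsSupportEnabled       : False
BTIDisabledBySystemPolicy      : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired              : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled           : True
"""

def parse_settings(text):
    """Return {property: bool} for every 'Name : True/False' line; skip the rest."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(True|False)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2) == "True"
    return settings

def diagnose(settings):
    """Hypothetical helper: name the step still missing for each CVE."""
    get = settings.get
    # CVE-2017-5715 (branch target injection): needs OS patch AND microcode.
    if not get("BTIWindowsSupportPresent", False):
        v2 = "install OS update"
    elif get("BTIWindowsSupportEnabled", False):
        v2 = "mitigated"
    elif get("BTIDisabledBySystemPolicy", False):
        v2 = "disabled by system policy"
    elif get("BTIDisabledByNoHardwareSupport", False) or not get("BTIHardwarePresent", False):
        v2 = "microcode not present at boot"
    else:
        v2 = "present but not enabled"
    # CVE-2017-5754 (Meltdown): OS-only fix; CPUs that are not affected
    # report KVAShadowRequired False.
    if not get("KVAShadowRequired", True):
        kva = "not required"
    elif get("KVAShadowWindowsSupportEnabled", False):
        kva = "mitigated"
    elif get("KVAShadowWindowsSupportPresent", False):
        kva = "present but not enabled"
    else:
        kva = "install OS update"
    return {"CVE-2017-5715": v2, "CVE-2017-5754": kva}

if __name__ == "__main__":
    for cve, state in diagnose(parse_settings(SAMPLE_OUTPUT)).items():
        print(f"{cve}: {state}")
```

Save the script's console output to a text file and pass its contents to `parse_settings`; the descriptive sentences the script prints above the summary are ignored by the parser.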
One of the odd glitches is having to wait a minute or so idle on the desktop before doing anything CPU intensive. For example, if I run wPrime 32M as soon as my system tray icons are done loading it takes like 6 seconds. If I let the system idle for 60 to 90 seconds longer it completes in 2.8 seconds. Another example, if I am in the BIOS from a cold boot I get random freezes accessing the Boot menu UEFI options. If that happens and I power off and go back in, it generally does not happen the second time. So far, I have not been able to match or beat any of my best benchmark runs. They are within a margin of error and just as good as most of the same benchmark runs when I was trying to achieve my best scores (hope that makes sense). I will continue testing a few more days before I decide whether to stay patched or not. -
http://cdimage.ubuntu.com/ubuntu-server/daily-live/current/
http://cdimage.ubuntu.com/ubuntu-server/daily/current/
http://cdimage.ubuntu.com/
BTW, here is the daily builds of 18.04 if anyone is interested (or you can pull 17.10 daily builds if you like). -
Another problem I've seen is that my Turbo boost doesn't boost up to 4.7ghz anymore running default clocks since the initial Windows cumulative patch that was released. Using HWiNFO64, I'm only getting to 4.6ghz on one maybe 2 cores.
I see that someone else had posted the Turbo Boost problem on MSI's forum as well. I figured I would wait until after receiving the Bios update to see if that would remedy it but it's still the same.
I haven't experienced any functioning problems in my bios yet. Everything looks the same except a very small visual difference. -
Intel 8th Gen Core CPUs Show 10% Slowdown In JavaScript-Heavy Tasks After Spectre, Meltdown Patches-Hothardware.com
Yesterday, Intel followed up with the following statement:
"Based on our most recent PC benchmarking, we continue to expect that the performance impact should not be significant for average computer users. This means the typical home and business PC user should not see significant slowdowns in common tasks such as reading email, writing a document or accessing digital photos." Is this meant as a Joke?<email, writing a document>
Meltdown And Spectre Chip Flaws Have Cloud Companies Looking For Intel Alternatives-hothardware.com
"There is a lot of buzz surrounding Meltdown and Spectre, two recently disclosed chip vulnerabilities that have hardware and software makers scrambling to release patches to deal with the situation. What is not fully known yet is what performance impact these patches will have. Regardless of how all it shakes out, some of Intel's data center customers that run cloud networks are looking to jump ship."
"The chip flaws, if you want to call them that (and many do, though Intel claims its processors are working as intended) collectively affect all modern CPUs to some extent. However, Intel's silicon seems to be the most affected, as the way they are designed leaves them susceptible to both types of exploits, whereas AMD contends that its processors are immune to Meltdown. So, companies that currently use Intel chips have started looking at alternatives."
-
In all seriousness, what is the risk to myself if I don't install these patches? If I browse only known trusted sites that secure their end on the server, how is an attacker going to get into my computer? I'm not about browsing into shady sites, and I always clear all cookies and sensitive data after every web session.
-
I bit the bullet and did this very thing just about 2 weeks ago on the Mighty Muscular Mini. See my second note - http://forum.notebookreview.com/threads/mighty-muscular-mini-itx-build.812322/#post-10655852 -
ASUS AI SUITE 3 - "THE SERVER THREW AN EXCEPTION ERROR"
https://drive.google.com/open?id=1aIyCmU_FCE4ucTtxVwCx2ewGvJYR7pf7
I am not particularly concerned about it at a personal level and I think (hope) that I should be able to easily undo it if I don't like the outcome. -
CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more
Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.