CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

Yep, 390.65.

 

It's almost like the security fixes are in the driver, but not enabled - or maybe not running because there needs to be something included / enabled in the OS?

Any word from Nvidia what's up with the security changes vs. activation vs performance?

 

Meltdown/Spectre fixes made AWS CPUs cry, says SolarWinds
CPU utilization up, throughput down, but a second fix may have restored normal service
Simon Sharwood, APAC Editor 15 Jan 2018 at 08:37
https://www.theregister.co.uk/2018/01/15/solarwinds_aws_meltdown_fix_analysis/

"Log-sniffing vendor SolarWinds has used its own wares to chronicle the application of Meltdown and Spectre patches on its own Amazon Web Services infrastructure, and the results make for ugly viewing.

The image below, for example, depicts the performance of what SolarWinds has described as “a Python worker service tier” on paravirtualized AWS instances."

"The company also observed the CPU utilization of its EC2 instances as patches rolled out across different AWS availability zones. The results, depicted below, aren’t pretty."

"SolarWinds has created other visualizations of its cloud post Meltdown/Spectre and most of the results are ugly. Throughput was down as much as 40 per cent on its Kafka rig, while CPUs spiked by around 25 per cent on Cassandra.

But there’s also some good news: the company has noticed some CPU utilization rates falling and has guesstimated that it could be as a result of second-generation patches that address Meltdown and Spectre more elegantly than AWS’ first fixes.

New EC2 hot patches for Meltdown/Spectre rolling out? Previous CPU bumps appear to be dropping off starting after 10:00 UTC this morning. pic.twitter.com/OL5N5TNG1s

— Mike Heffner (@mheffner) January 12, 2018
Let’s hope SolarWinds is right, because the first lot of graphs it produced suggest that Meltdown and Spectre will make many current rigs more expensive to operate, inadequate for the jobs they were rated to perform, or both."

I'm guessing the terrible performance chased away users and the load drops are because of decreased usage.

 

Maybe the NVidia drivers somehow link into the BIOS and OS changes - my system is only updated for the OS, I'm waiting for the BIOS fix still. NVidia haven't said much in terms of any kind of performance hit with the new security patched drivers, but they have released statements explaining what they've patched & why:
https://www.nvidia.com/en-us/product-security/
http://nvidia.custhelp.com/app/answers/detail/a_id/4610
http://nvidia.custhelp.com/app/answers/detail/a_id/4617
http://nvidia.custhelp.com/app/answers/detail/a_id/4616

 

iOS Spectre performance drops noted, user sharing benchmark results gets threatened, and takes down benchmark results...

Spectre patch in iOS 11.2.2 is slowing down iPhones
https://betanews.com/2018/01/12/spectre-iphone-performance/

"One iPhone 6 owner decided to benchmark his phone and found that the performance hit is significant. So significant, in fact, that some tasks see a performance degradation of more than 50 percent."

"Melvin Mughal ran benchmarks on his iPhone 6 before and after upgrading to iOS 11.2.2. He used Geekbench 4.2.1 and found that his phone "took a serious hit in performance at every possible level" after the upgrade. Sharing the particulars of his iPhone, Mughal explains that the tests were performed with no apps running, adding "iOS is in Dutch, no jailbreak, had no battery changes, no refurbished model, no exotic configuration."

Both the single-core and the multi-core scores dropped significantly -- from 1561 to 924, and from 2665 to 1616. These are drops of 41 and 39 percent respectively.

Meghal shared the results of his tests and said:

All numbers point to the same conclusion: it took a serious hit in performance at every possible level. A lot of benchmark levels show a significant decrease in performance on the iPhone 6 up to 50 percent on some benchmark levels. Although this is not the best news, this security update is a 'necessary evil'. It demonstrates a message the security community have reminded us time and time again: security can't be compromised over performance.

Some have fairly pointed out the results could be influenced by the battery throttling that was exposed last month and confirmed by Apple. That may be a technical correct argument (which has not been proven by vendor benchmark numbers correlated with the Spectre patch). Several other users and reporters mentioned fluctuating benchmarks with some showing no loss of performance but others did (which were already throttled, so Spectre specific). The whole thing seems to be all over the place right now with no 100 percent answer what’s right.

Click through to Mughal's site to see full details of the benchmark results."

iPhone performance benchmarks after Spectre security update
https://melv1n.com/iphone-performance-benchmarks-after-spectre-update/

"Apple released iOS 11.2.2 update to address Spectre security issues. I was curious about the actual performance change. So I’ve benchmarked my iPhone before and after the security fix. Here are the results side-by-side to give you a clear view how the performance has changed due to the Spectre vulnerability."

" Update: why I removed my benchmarks
I mostly share my knowledge on this site about my experience in technical product management. I updated to 11.2.2 solely for security purposes which I found mandatory patching the Spectre vulnerability. I shared my iPhone benchmarks just out of my own amazement about the numbers. That was it, those were just mybenchmarks. Apparently some took it as an absolute truth for others (which I clearly stated it was my own device only) and presented it that way on other sites without any nuance.

The attention was overwhelming with a lot of good folks debating and some negatives (which is ok, criticism is good). Even if you didn’t agree, thought the numbers were bogus or even fake, that’s OK too. You’re entitled to your own view, do your own benchmarks and should always be skeptic.

I linked to other articles and my original scorecard benchmarks to give the most complete possible perspective. Even with the battery debate raging, which I admitted I wasn’t aware of properly at first and added this info appropriately based on the feedback. Fair criticism deserves a response and including that in the article was the right thing to do. I can miss things too.

A personal thank you to all you readers who gave me feedback and kept the discussion classy.

To those who thought I was an Apple hater: I’m Apple-only for 15+ years and my first startup ended up being an agency for iPhone apps. So surprisingly to some of you: I’m the exact opposite of that.

I’m not a professional writer. I write on my personal domain name, with my full name linked and by site info personally traceable because I always believe transparency is the way to go. Everyone should be able to publish and debate openly even when things get heated.

But tonight (16th of January 2018) it just crossed the line…

The main reason why I removed my piece: serious personal threats to my address.

I’m not sure why an iPhone discussion can ignite such anger in a person (or possibly multiple) to consider or expose a very detailed desire to harm them personally and contact through a private channel. I’m not going to accept such threats over any iPhone, battery or anything related debate. This just went too far. I hope you as a reader can understand such a degree of personal attack isn’t worth continuing a debate that seems to be getting out-of-control.

In the end, I think we all agree we want this debate to be solved by Apple giving clarity about any battery/security update issues some devices may encounter so we can keep enjoying the device we all love.

I’m not backing down on writing. I’ll still continue writing about my work experience in product to share knowledge which I still love to do for those who are following my PM articles.

And please remember: please update to iOS 11.2.2 to keep your device safe from the Spectre bug which can lead to data theft or worse. If there was one take-away, this one should be it.

Be safe out there."

 

Here's how much the Meltdown and Spectre fix hurt my Surface Book performance-Pcworld.com

We’ll try to independently verify Intel’s results on our own builds, but everything I’m seeing so far says the performance penalty will probably run the gamut from “no big deal” to “this is really testing my patience.” Again: It’ll come down to what you’re doing, and how you’re doing it.

If we’re talking an extra 500ms to launch an application that takes 1,500ms to launch, no big deal. But if we’re talking 34 seconds to import or copy photos instead of 27 seconds, it’s going to get annoying really fast and that’s what scares me. Nice if you have weak flimsy hardware from before

 

@hmscott and @Papusan Yesterday I noticed something really odd while charging my mom's iphone that Passmark scores were much lower than battery. On AC 89xx and on battery 96xx.
Is it problem with iOS and battery charging is really very slow.

 

That's an interesting observation. Perhaps there is less power headroom on battery, and the extra load hit of the patches causes too much power draw and performance is in effect throttled back on battery only? On AC there is enough power, but on battery not enough?

Makes sense, and if Apple was tuning the power limits for battery use to provide similar performance (most of the time) on batter as on AC they would have tuned the limit and designed the power available appropriately - probably with a narrow margin that is now exceeded with the perforamance demands added by the patches.

That could explain why some people don't see a problem, and some do, even on AC with a smaller wattage delivery adapter this effective power throttle could show up.

 

11.2.2 lasted just 5 days with 1 -2 hr active times.

 

The performance hit only happens in use with apps that hit the kernel, you might not notice any difference depending on your app usage, and frequency of app usage vs phone / wifi data.

What's normal? Is 5 days with 1-2hr active times normal usage?

 

Now Meltdown patches are making industrial control systems lurch
Automation and SCADA-flingers admit fix has affected products
By John Leyden 15 Jan 2018 at 18:07
https://www.theregister.co.uk/2018/01/15/meltdown_ics/

"Patches for the Meltdown vulnerability are causing stability issues in industrial control systems.

SCADA vendor Wonderware admitted that Redmond's Meltdown patch made its Historian product wobble. "Microsoft update KB4056896 (or parallel patches for other Operating System) causes instability for Wonderware Historian and the inability to access DA/OI Servers through the SMC," an advisory on Wonderware's support site explains.

Rockwell Automation revealed that the same patch had caused issues with Studio 5000, FactoryTalk View SE, and RSLinx Classic (a widely used product in the manufacturing sector). "In fairness [this] may be RPC [Remote Procedure Call] change related," said cybersecurity vulnerability manager Kevin Beaumont.

El Reg requested clarification from Rockwell but we're yet to hear back from the vendor.

The expected and well-publicised system slowdown issues from Meltdown and Spectre patches ( Reg reports here, here and here) have been accompanied by even more irksome stability problems on some systems. Incompatibility with Microsoft fixes released on January 3 freezes some PCs with AMD chips, as previously reported.

An Ubuntu Linux kernel update prompted by Meltdown caused systems to become unbootable. Patching against CVE-2017-5753, CVE-2017-5715 (Spectre) and CVE-2017-5754 (Meltdown) affected both the PulseSecure VPN client and Sandboxie, the sandbox-based isolation program developed by Sophos.

Beaumont is curating a list of issues with Meltdown security patches here.

Moritz Lipp of Graz Technical University, a security researchers credited in the discovery of both Meltdown and Spectre, praised the vendor response during the disclosure period.

"I think the response of the vendors to us was very professional during the responsible-disclosure process," Lipp told El Reg.

"Also the public response of ARM releasing a list of all vulnerable CPUs was very open as well with ideas and approaches on how to fix these issues. Apple also said that all [its] devices ([except] the watch I think) are affected and release updates for [its] devices."

Browser vendors are now implementing countermeasures that should "decrease the possibility to mount Spectre attacks within the browser successfully to zero," Lipp added.

Spectre will be more difficult to resolve than Meltdown but that too is in hand, according to Lipp.

"We will see what microcode updates can actually do to resolve Spectre attacks; the ideas are there and updates are rolled out for various CPUs," he said. "Software is recompiled with tailored compilers and in the end we will see how performance benchmarks will look, but yes, Spectre is much harder to fix than Meltdown.

"In the long run, processor designs will be adjusted to prevent such attacks with a low(er) performance overhead."

Everything running smoothly at the plant? *Whips out mobile phone* Wait. Nooo...
SCADA mobile app security is getting worse
By John Leyden 11 Jan 2018 at 13:00
https://www.theregister.co.uk/2018/01/11/scada_mobile/

 

Yes, my mom uses Youtube,Whatsapp, Garageband, iTunes/Listen,Phone,Skype and Safari.
I am getting 2 days lower than 10.3.3. 10.3.x lasted 7 days which is really close to Apple Standby times for iph 7. (The signals were bad because the tower were in the process of upgrading to LTE.)

 

Ahh, that's the data point variance I was looking for, what's the difference before / after the patch, so 2 less days of operation out of a previous 7 days of use.

That's a pretty big hit...

Again, I wish there were some kind of monitoring app that would count the times apps hit the patch code, and how much system time (CPU time used inside patch) and real-time (wall clock time) so we can really get an idea of the performance hit / battery hit overall since the patches were applied. Not only an iOS monitoring app, but for Windows, Linux, Android, etc.

 

One important thing I forgot to include is, I use AIDA64 to monitor System uptime and Active time. I disabled Apple's battery log using a Soft reset because it consumed too much battery and reduced battery by another 2 days.

 

Yeah, monitoring does have overhead, and in normal use you'd want monitoring off, but while profiling what affects what it's invaluable to find out what is causing the most hits in the kernel - maybe it helps you pick one app over another, which system services are using too much kernel patch time, providing similar results as app battery usage monitoring.

 

Oracle still silent on Meltdown, but lists patches for x86 servers among 233 new fixes
Sun ZFS Storage Appliance users: brace for super-critical fix
By Simon Sharwood, APAC Editor 15 Jan 2018 at 01:30
https://www.theregister.co.uk/2018/...n_meltdown_but_lists_patches_for_x86_servers/

"Oracle still has nothing to say about whether the Meltdown or Spectre vulnerabilities are a problem for its hardware.

Big Red today offered The Register another “no comment”, making it a notable absentee from the Intel’s list of x86 vendors’ advisories on how to handle the twin problems.

Oracle of course also operates an x86 cloud, users of which The Register imagines would be keen to learn of any imminent disruptions or service degradation.

Big Red also had nothing to say about whether Spectre and Meltdown apply to its SPARC hardware. We also asked Fujitsu about its SPARC situation and the company told The Reg "We are in the process of checking the status. Details of updates will continue to be published by Fujitsu as they become available."

But Oracle’s usual verbosity on software patches may have revealed the company's x86 fix: the company’s preview of its quarterly patch dump due on Tuesday, January 16th, lists “Oracle X86 Servers, versions SW 1.x, SW 2.x” among the 97 products to be patched.

Operators of the Sun ZFS Storage Appliance have been urged to brace for a severity 10.0 fix, while users of Oracle’s Fusion Middleware, PeopleSoft, Oracle Retail, Virtualization, Communications Applications and the Supply Chain Suite have 9.8-rated flaws to fight.

Most of the patches are for applications*, but Solaris 10 and 11.3 made the list too, as did the Java Advanced Management Console and the Java ME SDK.

* Including Oracle’s Cruise Dining Room Management application, the Cruise Fleet Management application and the Cruise Shipboard Property Management System. Who knew those apps even existed?"

 

I do get app usage time though. Only standby and active time are filled with hyphens.
Do you recommend turning on animation effects on iOS and transparency effects?

 

Added Intel's and vendor's list to the 1st post:

Side-Channel Analysis Facts and Intel Products
Facts about The New Security Research Findings and Intel Products
https://www.intel.com/content/www/u...side-channel-analysis-and-intel-products.html

There is also an FAQ and introductory info, but I thought the links to vendors treatment of the issues would be helpful.

 

I stopped using iOS long ago, mainly because there was little or no user control over such things, so if Apple has added anything that lets you toggle off resource using fluff, then yeah, turn it off and save the battery and system resources from it's overhead

I turn off all the fancy animations on Android by habit now on new devices, but the devices are likely more than fast enough not to get bogged down by them, but I still like the thought of being in control of things I don't need so I can turn them off and save battery / resources.

But, if you notice the absence of the eye-candy when off, and miss it, by all means turn it on

 

I too turn off everything which isn't necessary.
kojack has stock ios and he gets better battery life, so I suspected Apple intentionally lowers battery life when some settings are turned off for good.

 

inSpectre Download v2.0
Posted by: Hilbert Hagedoorn on: 01/17/2018 09:34 AM
http://www.guru3d.com/files-details/download-inspectre.html

"This freeware download offers you the Free inSpectre, this tool tool checks Windows computers for Meltdown and Spectre vulnerabilities. Besides checking whether the system is vulnerable to the Spectre and Meltdown attack, the tool also checks whether performance of the computer has been decreased.

This application is made by security researcher Steve Gibson. To fully protect against both attacks, users have to update both their BIOS and operating system. This can have a negative impact on performance, depending on the tasks performed on the computer. InSpectre shows which updates have been installed and what has to be done to protect the system against the attacks. The tool also makes it possible to enable or disable protection against Spectre and Meltdown.

In early 2018 the PC industry was rocked by the revelation that common processor design features, widely used to increase the performance of modern PCs, could be abused to create critical security vulnerabilities. The industry quickly responded, and is responding, to these Meltdown and Spectre threats by updating operating systems, motherboard BIOSes and CPU firmware.

Protection from these two significant vulnerabilities requires updates to every system's hardware–its BIOS which reloads updated processor firmware–and its operating system–to use the new processor features. To further complicate matters, newer processors contain features to minimize the performance impact of these important security improvements. But older processors, lacking these newer features, will be significantly burdened and system performance will suffer under some workloads.

This InSpectre utility was designed to clarify every system's current situation so that appropriate measures can be taken to update the system's hardware and software for maximum security and performance.

Gibson warns that his tool is new and that conclusions on the output of the tool should be carefully considered as he writes, “it has been carefully tested under as many different scenarios as possible. But new is new, and it is new. We may well have missed something. So please use and enjoy InSpectre now.

“But you may wish to check back in a few days to see whether we may have found and fixed some last bits of debris,” Gibson adds."

InSpectre
"Easily examine and understand any Windows
system's hardware and software capability to
prevent Meltdown and Spectre attacks."
https://www.grc.com/inspectre.htm

Download inSpectre Discussion in 'Frontpage news'
started by Hilbert Hagedoorn, Today at 9:34 AM.
https://forums.guru3d.com/threads/download-inspectre.419057/

 

Also, when I did the powershell executioncontrol check, AMD it shows does NOT kick in the kernel slowdown package present with Intel machines. Still waiting on Spectre fixes, but that is good news that M$ isn't doing something fully shady. They listened just like Linux did.

 

I suppose I should show what Powershell says for an AMD Ryzen chip:

If you notice, under the rogue data cache load, you only see it say it DOES NOT require kernel VA shadowing. If you then look at the KVAShadowWindowsSupportEnabled, it is set to FALSE.

Now, for the BTI vulnerability, that, if I recall, is the one AMD said had practically zero chance, but has since said they will have an update upcoming.

 

Oracle says SPARCv9 has Spectre CPU bug, patches coming soon
Big Red finally delivers patches for its x86 boxes – and 230-plus other problems
By Simon Sharwood, APAC Editor 16 Jan 2018 at 23:11
https://www.theregister.co.uk/2018/01/16/oracle_quarterly_patches_jan_2018/

"Oracle has told users of its SPARC-powered platforms that they have the Spectre processor design flaw.

A support document buried in Oracle’s customers-only portal, but seen by The Register, states: “Oracle believes that certain versions of Oracle Solaris on SPARCv9 are affected by the Spectre vulnerabilities.”

The document, dated today, confirms “Oracle is working on producing the patches for all affected versions that are under Premier Support or Extended Support.”

There’s no mention of when Oracle will deliver the updates; the database goliath promises it will deliver them “upon successful completion of the testing of the patches.”

“Oracle will also investigate the performance impact of these patches,” the document continues, going on to remind customers “not to allow the installation of untrusted programs on affected systems” as these applications can exploit Spectre to extract sensitive information from vulnerable computers.

“Oracle also recommends that customers limit the number of privileged users (who have the ability to install and run code) and periodically review audit logs (to detect potentially abnormal activities)”, the document concludes.

The note also clears Solaris on SPARCv9 of the Meltdown design cockup.

Confirmation of Solaris and SPARC’s Spectre vulnerabilities comes as Oracle delivers its Meltdown/Spectre patches for its x86 servers.

The batch of fixes also states that “Oracle OS and Oracle VM patches for CVE-2017-5715 will include updated Intel microcode,” which is a little odd as Oracle Linux and Oracle Virtualization have already received patches.

The Register asked Oracle for comment and was, again, told the biz has no comment to make.

We’ve also probed for the status of Oracle’s x86 cloud, and have seen posts in customer forums in which users say they’ve been advised of imminent disruptions to service as Big Red Meltdown-and-Spectre-proofs its infrastructure.

And now for the other 200-odd Big Red patches
News of the x86 patches landed among news of 222 other fixes on the January 2018 Big Red quarterly patch list.

The ten-out-of-ten-rated patch Oracle warned users of the Sun ZFS Storage Appliance Kit to prepare for earned its maximum rating by virtue of allowing complete takeover of storage appliances and a likely route into other devices for good measure. Scarily, it’s one of 135 fixes for problems that allow remote execution without authentication.

Other high-scoring bugs impact Oracle WebLogic Server, which has the 9.9-rated CVE-2017-10352 that could see an unauthenticated user crash the server over HTTP.

Oracle’s Communications apps have five 9.8-rated bugs, but all are in Apache software rather than Oracle’s own efforts. Indeed, Apache Log4j appears 21 times in Oracle’s list, making CVE-2017-5645 responsible for almost ten per cent of Big Red’s patch packet. Other inherited nasties include CVE-2017-5461, a 9.8-rated problem that’s present in NSS decoders and which is present in Oracle Directory Server Enterprise Edition and the iPlanet Web Server.

Users of the Micros MC40 Zebra Handheld unit – a gadget used by retailers for scanning and taking payments with a mag-stripe reader – can be attacked over Bluetooth and WiFi networks. At the time of writing there’s no detail available about CVE-2018-2697, but we mention it anyway in case some readers are nervous sailors because it impacts the Emergency Response System in Oracle’s Cruise Fleet Management application.

Java users have lots to ponder, with Java SE and Java SE embedded, plus the Java ME SDK installer, all scoring 7-and-8-rated bugs.

So what are you waiting for, Oracle users, other than SPARC patches? There’s surely something for almost all of you in this quarter’s patch trove."

 

Biggest vuln bombshell in forever and storage industry still umms and errs over patches
Does it run in VMs, containers, systems running external code? Just. Patch. It
By Chris Mellor 17 Jan 2018 at 11:27
https://www.theregister.co.uk/2018/...ds_spectre_meltdown_patching_say_sds_vendors/

"A growing consensus among storage hardware appliance vendors is that, since they don't run external software on their hardware, they don't need to stick performance-hindering patches into their operating systems.

Software-defined storage (SDS) and hyperconverged systems vendors do, consultants claim, because they can run external, customer-supplied software on the same hardware as their software.

For example, a user viewpoint from Martin Glassborow:

Martin Glassborow@storagebod
Ho hum....the complacency of storage vendors. If you allow ssh access to your storage appliance and you are running some kind of shell on top of a some sort of standardish OS - I strongly suspect you need to patch for Meltdown/Spectre. I can run code on an Isilon node for example

He goes on to add: "If I can get access to the CLI and upload code, I suspect I can exploit. Many systems are running x86 and 'embedded' Linux, BSD, Windows and allow ssh/CLI access.

"And a huge number of Storage arrays have control/management software often running on embedded x86 servers... that also need patching. What I'm reading at the moment is nonsense from many."

Two SDS companies taking different approaches are Nexenta and Scality. The former admits vulnerability in certain cases, the latter does not.

Dell, HPE, Microsoft and HCI vendor Scale Computing all say their software needs patching. For example, Scale said: "Scale HC3 systems will likely take a small performance hit, but we will be far less impacted than most."

The ones that have said "no" to patching include DataCore, IBM, Infinidat, NetApp and Tintri.

Spoiler: ...more companies...

HPE
HPE has said patch impact on performance would vary by workload, and has identified vulnerable products in a thorough list:

• StoreVirtual – not vulnerable – product doesn't allow third-party code execution
• StoreVirtual 3000 file controller – vulnerable – further information forthcoming
• 3PAR StoreServ File Controller V3 – vulnerable – further information forthcoming
• StoreEasy 1450, 1550, 1650, 1650E, 1850, 3850 – vulnerable – further information forthcoming
• 3PAR StoreServ 7xxx, 8xxx, 9xxx, 10xxx, 20xxx – not vulnerable – product doesn't allow third-party code execution
• 3PAR StoreServ Service Processors – not vulnerable – product doesn't allow third-party code execution
• XP7 Gen1 and Gen2 SVP and MP – not vulnerable – product doesn't allow third-party code execution
• StoreOnce products – not vulnerable – product doesn't allow third-party code execution
• MSA products – not vulnerable – product doesn't allow third-party code execution
• SimpliVity – fix under investigation
• HyperConverged 250 and 380 – fix under investigation

Nexenta
Nexenta software running in virtual machines or containers is vulnerable.

Software-defined – indeed, software-only – storage supplier Nexenta's VP for marketing and channels, Don Lopes, said: "We're indeed aware of the Spectre and Meltdown bug. As you know, to exploit these hardware vulnerabilities an attacker must have the ability to run software directly on the target system. Contrary to compute platforms or hyperconverged solutions, our products are delivered as closed software appliances and do not allow running third-party software to run on them.

"Due to this, they aren't exposed to exploits. In the cases where our software is run as a VM or a Docker container, we do recommend that customers patch the underlying OS and hypervisors.

"We provided these details and have spoken to a number of our customers and partners who have accepted and are happy with our communication."

Scality
Object storage supplier Scality's chief product officer Paul Speciale said: "Scality has not taken a public position on this microprocessor and potential virus issue. We also haven't, to date, had any inquiries about it from our customer base. Our understanding is that while there haven't been any exploits from such viruses as of yet, the threat is mainly to mobile and laptop devices that are directly connected to the public internet, and have access to the root user of the operating system.

"In contrast, the Scality RING software is in nearly all cases deployed in our customers' secure data centres. This means our software is behind the multiple layers of firewalls and security devices, and accessed only by customer applications versus direct access on the internet. This insulation means we are much less susceptible to outside malicious access.

"While we do deploy on standard x86-based servers, we don't present a general-purpose server to the outside world. For example, the RING restricts access to only the necessary network ports needed for operations. We also have our own software stack virtualizing the underlying hardware, and our own management software stack."

Pure Storage Purity Run
Purity Run is a facility on Pure Storage arrays to enable customers to run their own code on them. Does that require the Purity OS to be patched?

A spokesperson told us: "We're exploring this. Keep in mind that our storage arrays are not directly susceptible, and only a small subset of customers are running third-party code within Purity Run, which we released last year.

"We know who all of these customers are and have already contacted each of them personally. We would expect no impact on non-Purity Run storage performance and minimal impact on Purity Run performance for Spectre mitigations.

"We'll be working to help users assess Meltdown mitigations for any guest environments or apps they are running within Purity Run, though the same updates would be necessary regardless of whether they are running on a virtualized platform or bare metal."

Reg Comment
What should you do about your software-defined storage and Spectre/Meltdown? The security folks will say that, unless it is ring-fenced absolutely from running external code, apply the Spectre and Meltdown patches. That seems good advice.

 

AMD Gets Hit With Two Class Action Law Suits For Spectre Vulnerabilities, Intel Hit With Four For Meltdown & Spectre
Lawsuit galore amidst x86 bug fallout: Intel hit with 4 lawsuits for x86 bug, AMD with 2 for alleged material misstatement
Before we go any further, here is a list of lawsuits against each company:

• Rosen Law Firm v Advanced Micro Devices for materially misleading statement
• Pomerantz Law Firm v Advanced Micro Devices for materially misleading statement
• Brower Piven v Intel Corporation related to Intel x86 bug
• Levi & Korsinsky, LLP v Intel Corporation related to Intel x86 bug
• Kessler Topaz Meltzer & Check, LLP v Intel Corporation related to Intel x86 bug
• Bronstein, Gewirtz & Grossman, LLC v Intel Corporation frelated to Intel x86 bug

-----------------------------------------------------------------

Adding Insult to Injury: Fake Spectre, Meltdown Patch Pushes Malware to Users
"A Malwarebytes report calls attention to the latest occurrence in the inevitable trend that that ensues a particular security vulnerability being given coverage by the media. As users' attention to the vulnerability is heightened, so is their search for a solution, for a way to reduce the risk of exposition. Hence, users search for patches; and hence, some fake patches surface that take advantage of the more distracted, or less informed, of those who really just want to be left at peace."

 

M6800 A21 BIOS installed.

Before (A19) and Windows 10 latest update the system was protected only for meltdown, as reported by Guru3D Inspecter and Ashampoo.

 

Patch-Induced Reboot Errors Impact Kaby Lake, Skylake, Ivy And Sandy Bridge, Too-Tomshardware
"There are currently no known exploits being used in the wild for these vulnerabilities, so most users should be fine waiting for the update. However, end users will have to make that decision based on their potential exposure. In related news, Microsoft pushed a patch yesterday that corrects some of the issues with AMD processors."

 

Arghh, that probably means even longer to wait for an MSI motherboard patch! (Z170A)

 

Windows 10 Meltdown-Spectre patch: New updates bring fix for unbootable AMD PCs
AMD PCs can now install Microsoft's Windows update with fixes for Meltdown and Spectre and the bug that caused boot problems is gone.
By Liam Tung | January 18, 2018 -- 14:02 GMT (06:02 PST)
http://www.zdnet.com/article/window...new-updates-bring-fix-for-unbootable-amd-pcs/

"AMD users can now run Microsoft's Meltdown-Spectre patches thanks to new updates for multiple versions of Windows 10.

Microsoft has released new updates for Windows 10 that resolve an issue in its Meltdown and Spectre patches that caused some AMD systems to become unbootable.

If you've got an AMD PC and couldn't install the most recent Windows 10 security update, it is now possible to do so without causing your PC boot problems.

Spoiler: Details...

Microsoft last week halted security updates for multiple releases of Windows 10 running on AMD PCs. AMD last week confirmed that the issue affected AMD Opteron, Athlon and AMD Turion X2 Ultra CPUs, and that it was working with Microsoft on a fix.

These issues have been addressed in a round of new updates for multiple versions of Windows 10 released yesterday.

As Neowin reports, a cumulative update for Windows 10 version 1709, aka Fall Creators Update, with the label KB4073290 brings the build number up to 16299.194. I t can be manually downloaded.

A sparse release note states:

"An update is available to fix the following issue that occurs after you install January 3, 2018--KB4056892 (OS Build 16299.192): AMD devices fall into an unbootable state."

AMD users should get the fixed patch through Windows Update and WSUS, as Microsoft's previously outlined in the original update.

Microsoft has also released Windows 10 builds 1506.877 and 14393.2034, respectively for the Creators Update (version 1703) and the Anniversary Update (version 1607). People with AMD PCs on these versions of Windows 10 should be able to safely install these updates, too.

Both builds' release notes state that the update "addresses issue where some customers with AMD devices get into an unbootable state".

Both updates list as known issues that some non-Microsoft antivirus isn't compatible with Windows fixes for Meltdown and Spectre.

As ZDNet reported last week, the update will only install if the antivirus vendor has updated its product with a special Windows registry key that confirms compatibility with the Windows patches for Meltdown-Spectre. The patch contained kernel mitigations that clashed with techniques used by some antivirus, resulting in BSOD errors.

While it's been hard to miss the news about the Meltdown and Spectre attacks, the antivirus compatibility issue apparently has gone under the radar for a lot of IT admins, according to Boston-based security firm Barkly.

The firm says a failure by Microsoft and antivirus firms to proactively notify customers about this compatibility issue has resulted in a large number not having received January Windows update yet. The update is important as it contained fixes for other bugs besides Meltdown and Spectre.

Barkly ran a small survey with 75 IT pros and found that 46 percent aren't aware that Microsoft required their AV vendor to set a registry key. It also found that only 42 percent of respondents have been told by their AV vendor whether its product is compatible with the Windows security update.

While most antivirus vendors have now set the registry, only a quarter of respondents said their AV had done so for them, while 20 percent report that their AV vendor has recommended the customer set it themselves. However, most customers that have been told to set the registry key manually fear doing so due to the impact it may have on systems.

The end result is that a significant number of machines haven't been patched. According to Barkly, 26 percent of respondents said no machines they are managing had received the update one week after it was available. A further quarter of respondents said less than 25 percent of their PCs have been updated."

Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch
Intel's firmware fix for Spectre is also causing higher reboots on Kaby Lake and Skylake CPUs.
By Liam Tung | January 18, 2018 -- 11:35 GMT (03:35 PST)
http://www.zdnet.com/article/meltdo...ips-also-hit-by-unwanted-reboots-after-patch/

"Intel says the unexpected reboots triggered by patching older chips affected by Meltdown and Spectre are happening to its newer chips, too.

Intel confirmed in an update late Wednesday that not only are its older Broadwell and Haswell chips tripping up on the firmware patches, but newer CPUs through to the latest Kaby Lake chips are too.

Spoiler: Details...

The firmware updates do protect Intel chips against potential Spectre attacks, but machines with Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake architecture processors are rebooting more frequently once the firmware has been updated, Intel said.

Intel has also updated its original Meltdown-Spectre advisory with a new warning about the stability issues and recommends OEMs and cloud providers test its beta silicon microcode updates before final release. These beta releases, which mitigate the Spectre Variant 2 CVE-2017-5715 attack on CPU speculative execution, will be available next week.

"Intel recommends that these partners, at their discretion, continue development and release of updates with existing microcode to provide protection against these exploits, understanding that the current versions may introduce issues such as reboot in some configurations," the company wrote.

"We further recommend that OEMs, Cloud service providers, system manufacturers and software vendors begin evaluation of Intel beta microcode update releases in anticipation of definitive root cause and subsequent production releases suitable for end users".

Despite the stability issues, Intel has told OEMs not to withdraw the already released updates for end users.

However, it warned IT admins at datacenters to proceed with caution: "Evaluate potential impacts from the reboot issue and make decisions based on the security profile of the infrastructure".

Navin Shenoy, Intel's EVP and GM of the datacenter group, has also released test data on the performance impact of the firmware updates on servers running its latest Skylake-based server Xeon Scalable systems.

On "common workloads" in the enterprise and cloud, Intel has seen an impact of 0 to two percent, while it had a four percent impact on a simulated brokerage firm's customer-broker-stock exchange transaction system.

There is a large variance in the fix's impact on data-storage systems depending on CPU utilization and other factors, such as the read-write mix, block size, and drives.

On one benchmark at full CPU utilization, Intel found an 18 percent decrease in throughput performance, while on a 73/30 read/write model there was only a two percent hit on throughput performance.

Shenoy highlighted Google's software-based Retpoline fix for the Variant 2 attack as another mitigation that "could yield less impact".

Google last week urged the whole industry to adopt Retpoline because it mitigated the attack but had almost no negative performance impact on current hardware.

"Retpoline fully protects against Variant 2 without impacting customer performance on all our platforms," a Google executive said.

Google's fix isn't a patch that consumers would apply to their own systems and addresses the variant that has the greatest risk for virtualized cloud environments."

 

Red Hat slams into reverse on CPU fix for Spectre design blunder
Microcode mitigation triggers system wobbles
By Paul Kunert 18 Jan 2018 at 07:36
https://www.theregister.co.uk/2018/01/18/red_hat_spectre_firmware_update_woes/

"Techies are scratching their heads after Red Hat pulled a CPU microcode update that was supposed to mitigate variant two of the Spectre design flaw in Intel and AMD processors.

In a note to IT departments, the open-source player confirmed the latest version of its microcode_ctl package will not contain any solution for CVE-2017-5715, aka Spectre variant two, a processor security blunder we previously detailed here.

That's because the Spectre workaround in the microcode was causing systems to become unbootable. Here's a key part of the letter to customers, seen by El Reg:

Spoiler: Details...

Latest microcode_ctl package will not contain mitigation for CVE-2017-5715 (Spectre, Variant 2)

Historically, for certain systems, Red Hat has provided updated microprocessor firmware, developed by our microprocessor partners, as a customer convenience. Further testing has uncovered problems with the microcode provided along with the “Spectre” CVE-2017-5715 mitigation that could lead to system instabilities. As a result, Red Hat is providing a microcode update that reverts to the last known and tested microcode version dated before 03 January 2018 and does not address “Spectre” CVE-2017-5715.

To fully mitigate the vulnerability, peeps using AMD Zen and Intel Skylake-, Broadwell- and Haswell-powered kit should obtain and install microprocessor firmware direct from their hardware vendors, along with the latest kernel packages from Red Hat.

Which, er, sounds like Red Hat has given up and, to avoid any blame, has told its customers to just get whatever firmware your CPU maker is offering. And if it works, it works, and if it makes your box fall over, uh, don't look at Red Hat. Here's the next part of the customer note:

In order to mitigate “Spectre” CVE-2017-5715 fully, Red Hat strongly recommends that customers contact their hardware provider for the latest microprocessor firmware updates.

Red Hat Security is currently recommending that subscribers contact their CPU OEM vendor to download the latest microcode/firmware for their processor.

The latest microcode_ctl and linux-firmware packages from Red Hat do not include resolutions to the CVE-2017-5715 (variant 2) exploit. Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems to not boot.

The latest microcode_ctl and linux-firmware packages are reverting these unstable microprocessor firmware changes to versions that were known to be stable and well tested, released prior to the Spectre/Meltdown embargo lift date on Jan 3rd. Customers are advised to contact their silicon vendor to get the latest microcode for their particular processor.

A senior techie who spoke to us on condition of anonymity said it was “now a bit harder to see what we need to do to protect our systems.”

“Do we need hardware vendor patches, BIOS patches or what? Then manually add Intel Raw firmware patches to the OS? A real mess if you ask me,” our contact added.

This follows VMware, Lenovo, and others, stalling on rolling out microcode patches.

Red Hat’s Customer Portal Labs has published a Spectre and Meltdown detector for the Enterprise Linux 5 or later edition, which can be used online for kernel detection or downloaded and run locally to ascertain if the two flavours of Spectre and one of Meltdown have been mitigated."

 

The first 5 news articles are about security patches:

Level1 News January 16 2018: Laser Bats VS Robot Strippers

1:21 - Intel Broadwell and Haswell CPUs Experiencing Reboots After Firmware Updates
2:06 - Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers
3:45 - AMD is releasing Spectre firmware updates to fix CPU vulnerabilities
6:22 - Fake Spectre and Meltdown patch pushes Smoke Loader malware
7:23 - NVIDIA updates video drivers to help address CPU memory security

Spoiler: Full Show Index

Source URL's: https://www.one-tab.com/page/bsk94Kb8To2729t1VoO-4g

1:21 - Intel Broadwell and Haswell CPUs Experiencing Reboots After Firmware Updates
2:06 - Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers
3:45 - AMD is releasing Spectre firmware updates to fix CPU vulnerabilities
6:22 - Fake Spectre and Meltdown patch pushes Smoke Loader malware
7:23 - NVIDIA updates video drivers to help address CPU memory security
9:23 - Studios Sue Dragon Box in Crackdown on Streaming Devices
12:00 - Uber's Secret Tool for Keeping the Cops in the Dark
14:10 - James Damore sues Google for allegedly discriminating against conservative white men
16:12 - Ecuador grants nationality to WikiLeaks founder Julian Assange
16:35 - FCC rule change would harm rural broadband expansion
23:18 - FCC plan to lower broadband standards is met with "Mobile Only Challenge"
24:46 - Apple Health Data Is Being Used as Evidence in a Rape and Murder Investigation
27:02 - House passes NSA spying bill after Trump tweets cause confusion
29:15 - Top U.S. Government Computers Linked to Revenge-Porn Site
32:01 - Ninth Circuit Doubles Down: Violating a Website's Terms of Service Is Not a Crime
33:54 - James Dolan, Co-Creator of SecureDrop, Dead at 36
35:15 - FBI chief calls unbreakable encryption 'urgent public safety issue'
38:20 - Apple investigated by France for 'planned obsolescence'
41:40 - Adult Themed Virtual Reality App spills Names, Emails of Thousands
42:35 - Google Pulls 60 Apps From Play Store After Malware Exposes Kids to Porn
44:12 - With WPA3, Wi-Fi security is about to get a lot tougher
45:28 - Security Flaw in AMD's Secure Chip-On-Chip Processor Disclosed Online
47:28 - US Supreme Court will revisit ruling on collecting internet sales tax
48:31 - Facebook overhauls News Feed in favor of 'meaningful social interactions'
49:45 - Yelp Accused Of Hiding Positive Reviews For Non-Advertiser
51:20 - It's not official, but sources say the secretive Zuma satellite was lost
53:35 - Intel Unveils 'Breakthrough' Quantum Computer
54:59 - Cisco can now sniff out malware inside encrypted traffic
56:11 - Facebook Dives into Home Device Market with Video Chat Product Named "Portal"
57:59 - AMD Announces 2nd Gen Ryzen And Threadripper Processors, 7nm Vega Mobile GPUs At CES 2018
1:00:56 - Is this the world's first good robot album?
1:03:27 - Americans still deeply skeptical about driverless cars: poll
1:06:11 - Jack in the Box CEO: A Robot Workforce "Just Makes Sense"
1:08:03 - These psychedelic stickers blow AI minds
1:10:42 - KODAK and WENN Digital Partner to Launch Major Blockchain Initiative and Cryptocurrency
1:12:37 - Crypto exchange Kraken goes dark and user anxiety surges
1:14:24 - Uproar over crackdown on cryptocurrencies divides South Korea
1:15:40 - Miami Bitcoin Conference Stops Accepting Bitcoin Due to Fees and Congestion
1:17:48 - Microsoft Halts Bitcoin Transactions Because It's An "Unstable Currency"
1:18:49 - Snapchat's big redesign bashed in 83% of user reviews
1:20:59 - With ingestible pill, you can track fart development in real time on your phone
1:23:44 - Robot strippers used by Las Vegas strip club to attract women during CES 2018
1:27:00 - Men Try to 'Redefine' Sexual Consent With Blockchain
1:29:28 - The corpse of Circuit City will rise again on February 15
1:31:52 - When It Comes to Gorillas, Google Photos Remains Blind
1:33:34 - Pentagon Seeks Laser-Powered Bat Drones. Really.

 

BSODs from Meltdown and Spectre Firmware Updates Are Spreading Like the Plague
"Have you ever taken your car to the mechanic shop to fix one thing but end up breaking another? Well, that's how Intel CPU owners are feeling right now."

 

I've been seeing a lot of mention of new phishing attacks disguised as Meltdown/Spectre mitigation updates in the last few days. Awesome.

 

I have a Haswell U system that I've been using often in the past 2 months. The general performance hit hasn't been too noticeable after both the Dell Bios A23 update and the MS patch. Virtual machine performance has taken a noticeable hit as has network usage. Still saturates a gigabit connection but the fan is noticeably louder and CPU usage is higher.

 

Skyfall and Solace Could be the First Attacks Based on Meltdown and Spectre? - techpowerup.com
"Out of the blue, a website popped up titled "Skyfall and Solace," which describes itself as two of the first attacks that exploit the Spectre and Meltdown vulnerabilities (it doesn't detail which attack exploits what vulnerability)."

 

Straight outta James Bond. I like it.

 

Maybe everybody needs to replace intel laptop with AMD just to get rid off vulnerabilities based off James Bond's Movie titles.

 

My Skylake-based laptop NEVER had those before... now, 2x BSODs this week after updated firmware & OS patches applied.

 

Sorry for 'liking' your post when you have a negative situation going on, but it is good to hear the experiences of users on here with all the new firmware & OS patches applied - praps this is why it's taking so long for MSI to roll out Z170A motherboard BIOS patches (maybe they're trying to fix bugs they've found in testing), I'm still on a BIOS from May!

 

I must say the same as previous post. Sorry for 'liking' your post But great that people can tell others about what they experience with the fix.

Perhaps use the inSpectre tool until you will see a better patch coming. Try disable one or both to see if it helps. Not fun with a unstable computer. And not all can flash back to previous firmware. They are now screwed.

 

https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.15-Perhaps-Today
So, the fix for variant 2 is likely out today, although variant one spectre fixes in next kernel. Other good stuff listed as well.

 

Is inspectre software reliable? It is saying im not vulnerable to meltdown and spectre bug..

 

I mean it is reliable. I tested before and after the patch was installed. If you are unsure or want more confirmations yourself, disable the protections with Inspectre tool and test with all the other known tools out there who will detect the flaws. Test also with ssd tools as ASSSD and CrystalDiskmark before and after you click disable the protections.

 

Sorry Papusan I forgot to add the reason why I am asking. I know you are a reliable source. hehehe.. The reason why I was asking is because when I ran intel SA-00086 software it is saying I am vulnerable.. Most likely intel is messed up? LOL

 

You got the answer in the other thread

 

Ryzen 7 1800X vs. Core i7 8700K, Meltdown & Spectre Updates Benchmarked
http://forum.notebookreview.com/thr...99-xeon-vs-epyc.805695/page-205#post-10668763

 

thanks..

 

And I am now wondering if this is a conspiracy by AMD to become the top of the CPU market by non-comeptitive means...

 

I am sure AMD is happy they are not in the boat fully with Intel here. This does make the AMD solution look more attractive than it first was but Intel's offerings are a bit more performance oriented still. With Zen 12nm or Zen2 things could be a bit more interesting.