The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

    Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.

  1. Robbo99999

    Robbo99999 Notebook Prophet

    That's just Linux orientated rather than Windows?
     
    hmscott and Vasudev like this.
  2. hmscott

    hmscott Notebook Nobel Laureate

    Yes, more details below from following links in the article, filed under Linux Kernel...

    Linux 4.16 Receives More Spectre & Meltdown Fixes/Optimizations
    Written by Michael Larabel in Linux Kernel on 26 February 2018 at 11:16 AM EST.
    https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.16-More-Spectre-Melt

    "The in-development Linux 4.16 kernel has already received a few rounds of updates for the mitigation work on the Spectre and Meltdown CPU vulnerabilities while more is on the way.

    Thomas Gleixner today sent in another batch of "x86/pti" updates for Linux 4.16 in further addressing these CPU security vulnerabilities that were made public in early January.

    With the core mitigation already in place, many developers have been focusing on optimizations to lessen the performance impact of having these features enabled. With this latest pull request there are optimizations for the entry Assembly code to reduce its footprint while making the code simpler and faster.

    This code also has more sanitization work, more robust microcode loading, using IBRS (Indirect Branch Restricted Speculation) around firmware calls, objtool support for Retpolines, and various other fixes/improvements.

    The complete list of patches for this latest batch of changes for Linux 4.16 can be found here."
     
    Last edited: Feb 27, 2018
    Robbo99999 and Vasudev like this.
  3. hmscott

    hmscott Notebook Nobel Laureate

    Intel gives Broadwells and Haswells their Meltdown medicine
    Chipzilla and Oracle are working their way back through time to deliver fixes
    By Simon Sharwood, APAC Editor 28 Feb 2018 at 01:58
    https://www.theregister.co.uk/2018/...spectre_microcode_releases_haswell_broadwell/

    "Intel slipped out a new Microcode Update Guidance on Monday, revealing that lots of Haswell and Broadwell Xeons can now receive inoculations against the Meltdown and Spectre CPU design flaws.

    The new document (PDF) says Broadwell processors with CPUIDs 50662, 50663, 50664, 40671, 406F1, 306D4 and 40671 are ready for their reaming.

    Updates for Haswells numbered 306C3, 4066, 306F2, 40651 and 306C3 have also hit production.

    The CPUs mentioned above include Xeon and Core silicon.

    Broadwell debuted in 2014 and Haswell the year before, so these updates show Intel is working backwards through its catalog. The Update Guidance also lists 16 processor types for which Intel is still in the planning stage, meaning Intel has no schedule for delivering a fix. The affected CPUs are mostly oldies. A further 9 CPU types are listed as "Pre-beta", meaning microcode is being tested by partners under non-disclosure agreements.

    Oracle's also visited its past in the pursuit of Meltdown / Spectre patches: late last week it offered patches for version 5.x of its Linux."
     
    Vasudev likes this.
  4. Dc_79

    Dc_79 Notebook Consultant

    So do you have to get this microcode from your reseller or from the manufacturer's website?
     
    Vasudev and hmscott like this.
  5. Robbo99999

    Robbo99999 Notebook Prophet

    It will be bundled into a BIOS update that will come from the OEM or motherboard manufacturer.
     
    Vasudev and hmscott like this.
  6. hmscott

    hmscott Notebook Nobel Laureate

    That's the best way, if the vendor that made your computer issues a BIOS update.

    There are tools to apply Microcode after POST - in the OS, but the microcode changes may not be effective unless they are part of the BIOS.

    Find the product support page for your model, and look for BIOS updates there. If you haven't already, register your computer and take this opportunity to open a support ticket asking when the vendor will be updating the BIOS for your computer with the vulnerability fixes.

    If your vendor isn't going to support your computer with a new BIOS, there may be 3rd parties that will do so, but it will be rare. Svet for MSI computers, and Prema for Clevo computers, and ??? for other brands.
     
  7. Dc_79

    Dc_79 Notebook Consultant

    Well I have the Clevo but it wasn't from a Prema partner so I think I will have to contact Clevo.
     
    hmscott likes this.
  8. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Clevo won’t offer new firmware. You need to contact the seller (support) you bought from.
     
  9. Vasudev

    Vasudev Notebook Nobel Laureate

    Check plutomaniac cpu ucode repo at github or at win-raid.com https://github.com/platomav/CPUMicrocodes
     
    hmscott likes this.
  10. Robbo99999

    Robbo99999 Notebook Prophet

    Interesting, where did they come from? Are they the microcode in the same format that Intel releases them (like the ones they publicly release for Linux)?
     
    hmscott and Vasudev like this.
  11. senso

    senso Notebook Deity

    Disclaimer: All the microcodes below come only from official BIOS/UEFI updates, Intel/AMD Linux Microcode Updates, Linux Distributions, Windows Updates etc which were provided and made public by various manufacturers! It is always advised to request and/or wait for your OEM/OS to release newer fixes. The microcodes are gathered and provided with the sole purpose of helping people who are out of other viable solutions. Thus, they can be extremely helpful to those who have major problems with their systems for which their manufacturer refuses to assist due to indifference and/or system age.

    It's all explained.
     
    hmscott and Robbo99999 like this.
  12. Robbo99999

    Robbo99999 Notebook Prophet

    Oh yeah, it's at the bottom of that webpage that Vasudev linked, thanks.
     
    hmscott and Vasudev like this.
  13. Dc_79

    Dc_79 Notebook Consultant

    Yeah, I have today; they say they have Spectre code but nothing for Meltdown.

    I will wait until it's all ready; I don't have anything on my laptop worth taking.
     
    Papusan, Vasudev and hmscott like this.
  14. Robbo99999

    Robbo99999 Notebook Prophet

    Hey, how about this, someone over on Guru3d linked this manually applied Microsoft Windows update that upgrades the Microcode of Skylake CPUs to the latest Spectre fixed microcode - the one that Intel released to OEM's just a week or so ago: https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates

    I'm thinking about applying it, I've been kinda busy today & should probably just use 'now' to relax without messing about with my PC, but I may not be able to prevent myself from trying it!

    EDIT: I hadn't realised that Microsoft would release microcode updates, I was expecting to receive this microcode update from my motherboard manufacturer in the form of an updated BIOS. My plan would be to install this "Microsoft Update Software Solution" talked about in first paragraph, and then if an upgraded BIOS comes by then I'd uninstall this Windows update and then install the new BIOS - to prevent a conflict of microcodes.
     
    Last edited: Mar 2, 2018
    Vasudev likes this.
  15. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Don’t forget to run benchmarks before and after (Cinebench and wPrime). Or just download and save it :D
     
    Vasudev and Robbo99999 like this.
  16. senso

    senso Notebook Deity

    That PDF is pretty sound advice actually!
     
  17. Robbo99999

    Robbo99999 Notebook Prophet

    Well I ran the benchmarks while I was cooking (no time lost really, and replying to my own post for context!). Well, it's confirmed, I'm Spectre protected, and as you can see updated to C2 microcode (following screenshot)!
    [Attached image: Spectre Protection with C2 updated Microcode.jpg]

    CPU performance has decreased with Spectre protection:

    • wPrime1024 (v1.55): 1% decrease (135s before, 136 now)
    • Cinebench 15: about 0.5% decrease (1050 before, 1045 now)
    • 3DMark Firestrike & Timespy GPU Performance: no change
    • 3DMark Firestrike CPU Physics: 3% decrease (15224 before, 14750 now)
    • 3DMark Timespy CPU Physics: 2.5% decrease (6181 before, 6024 now)
    • F1 2015 Game Benchmark: no change, perhaps slight decrease, 0.5% decrease (177 before, 176 now - within margin of error)
    • Dirt Rally Game Benchmark: 1% decrease (167 before, 165 now)
    These were based off multiple runs (about 3 in most cases and compared to historical data I already had on same NVidia driver).

    The results are showing a slight decrease in CPU performance, not great news for high refresh rate gaming, but my game benchmarks are only showing about 1% loss in framerate. I don't have any means to test in high CPU usage games like Battlefield 1 multiplayer, but I imagine the effects could be amplified (perhaps close to the 3% performance loss as seen in the Firestrike CPU test I might postulate), as average CPU consumption is about 85% during an intense 64 player match in Battlefield 1.

    I'm gonna leave the updated Spectre protected microcode installed for peace of mind, and performance loss is not noticeable in use - haven't noticed any slowness or lack of snappiness in desktop & general use so far. Hey, at least we're not gonna have to rely on OEM's & motherboard manufacturers to push out BIOS updates that include the Spectre fix - Microsoft will be releasing microcode updates as part of Windows Update by the looks of it - I mean they did it for Skylake (released yesterday), and this testing is me testing that update from Microsoft!

    EDIT: and link to Guru3d article on the topic: http://www.guru3d.com/news-story/microsoft-will-distribute-spectre-microcode-via-windows-update.html
     
    Last edited: Mar 2, 2018
    Vasudev, hmscott and Vistar Shook like this.
  18. hmscott

    hmscott Notebook Nobel Laureate

    Microsoft lobs Skylake Spectre microcode fixes out through its Windows
    Just go install Intel's patch while we hunt the next CPU-level security flaw in Intel's silicon
    By Shaun Nichols in San Francisco 1 Mar 2018 at 23:48
    https://www.theregister.co.uk/2018/03/01/intel_microsoft_skylake_spectre/

    "Microsoft is pushing out another round of security updates to mitigate data-leaking Spectre side-channel vulnerabilities in modern Intel x64 chips.

    Redmond said those who run Windows 10 Fall Creators Update and Windows Server Core with Skylake (aka 6th-generation Core) CPUs can go through the Microsoft Update Catalogue to get KB4090007, which contains Intel's latest microcode patches to address Spectre design flaws in the processor silicon.

    Specifically, the update will give those machines patches for CVE 2017-5715, also known as Spectre Variant 2. The branch target injection flaw would potentially allow malware on a PC or server to steal sensitive data, such as passwords, from kernel, hypervisor, or application memory.

    The Skylake fixes are part of a larger line of microcode updates for the Spectre flaws that Intel is planning to roll out in the coming weeks. Chipzilla said people should obtain the security patches from their computer manufacturers, or via Microsoft.

    Microsoft also gave an update on its work to address the compatibility issues that have arisen between some antivirus apps and its Meltdown/Spectre mitigations.

    Redmond said that while it believes the "vast majority" of commercial anti-malware products are now able to handle the mitigations without triggering a blue screen of death, there are still some packages that may have problems, meaning Microsoft will continue to check which antivirus packages are in use and whether it is compatible with the fixes before a system is allowed to install the updates.

    "We will continue to require that an AV compatibility check is made before delivering the latest Windows security updates via Windows Update until we have a sufficient level of AV software compatibility," Microsoft explained. "We recommend users check with their AV provider on compatibility of their installed AV software products."

    Microsoft's next scheduled security update for all of its products (read: Patch Tuesday) is March 13."


    Spectre haunts Intel's SGX defense: CPU flaws can be exploited to snoop on enclaves
    And no, you're not supposed to be able to do that
    By Richard Chirgwin 1 Mar 2018 at 08:02
    https://www.theregister.co.uk/2018/...pply_spectrestyle_tricks_to_break_intels_sgx/
     
    Vasudev likes this.
  19. Vasudev

    Vasudev Notebook Nobel Laureate

    Disable OS level Spectre fix and only apply OS level microcode C2 and re-run the benches. I feel the hit will be minimal.
     
    hmscott likes this.
  20. Robbo99999

    Robbo99999 Notebook Prophet

    I think you need both enabled in order to be protected, so there's not much point in doing that - if that were the case I wouldn't have updated the microcode.
     
    hmscott and Vasudev like this.
  21. Vasudev

    Vasudev Notebook Nobel Laureate

    Microcode will do its job in mitigating Spectre, if you will apply/enable Spectre OS level fix for those w/o any uCode available it'll perform really worse. I did disable it since I have uCode updated and scores really went up by 3 points in CBr15 and 0.10 in CBr11.
     
    hmscott likes this.
  22. Robbo99999

    Robbo99999 Notebook Prophet

    I'm pretty sure when I read up about Spectre that it requires both the microcode fix and also at the same time the OS fix. I'll google it now to see what I can find. I'm also not sure on how to disable the OS fix anyway (apart from perhaps clicking the 'disable' button on the InSpectre tool -- in the screenshot in my previous post, post #867).

    EDIT: I researched this again to check if you need both a windows patch and a microcode patch to protect against Spectre - the answer is yes, and that's for both Variant 1 & 2. Here it is at this link: https://cloudblogs.microsoft.com/mi...-and-meltdown-mitigations-on-windows-systems/
    And here's the important part of the above link:
    [Attached image: Spectre Mitigation.jpg]
    You can see there are Windows operating system changes that are involved in both Variant 1 & 2 of Spectre - so if you remove the OS level fix then you're not gonna be Spectre protected at all.
     
    Last edited: Mar 3, 2018
    hmscott, jclausius and Vasudev like this.
  23. Vasudev

    Vasudev Notebook Nobel Laureate

    Hmmm, I think I will take a risk, with OS fix on full 100% load on CPU I had strange reboots and absolute crap performance. On Linux, I didn't even notice anything.
    Let me check if OS fix wrecks my CPU or not?
     
    hmscott likes this.
  24. Robbo99999

    Robbo99999 Notebook Prophet

    Might be worth trying the official windows patch version of the microcode rather than using a VMware driver. Also, earlier on in January when "version 1" of the microcode was released there was a conflict with some antivirus programs that caused reboots/crashes, but since then pretty much all antivirus program producers have updated their programs so that they do not conflict.

    Maximum performance hit I've seen with Spectre protection is 3% decrease in performance in Firestrike Physics, everything else is pretty much under 1% performance hit when it comes to CPU performance. I played some BF1 multiplayer today, which is very hard on the CPU, and didn't notice any issues.
     
    hmscott and Vasudev like this.
  25. Vasudev

    Vasudev Notebook Nobel Laureate

    I'll get the uCode rollout a little late since I'm on Creators update.
     
    hmscott likes this.
  26. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    InSpectre tool v7 (Updated version - Mar 07, 2018)
    • Release #7 — Added the display of the system's CPUID . . .
      Microsoft will be making Intel (and perhaps AMD?) processor microcode patches available for the most persistent Spectre Variant 2 vulnerability. These will become available over time as they become available from Intel and they will apparently need to be manually installed by interested Windows users. It is not yet clear whether Microsoft will be willing or interested in making these patches available for earlier versions of its Windows operating systems, but we can hope.

      The patches are applicable to specific CPU models only, which are identified by each chip's “CPUID.” For this reason, InSpectre now prominently displays the system's processor CPUID at the top of its system summary.

      Please check this page on Microsoft's website to see whether a microcode patch for your CPU, determined by its CPUID, is available at any time:

      KB4090007: Intel microcode updates

      You can also use your favorite Internet search engine to search for the string “KB4090007” which should always take to that page and to its related Microsoft Update Catalog page to obtain the specific Windows update.
     
    Vasudev likes this.
  27. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Intel issues Meltdown/Spectre fixes for Ivy Bridge, Sandy Bridge as patch effort winds down

    If you own an Intel processor that you bought less than eight years ago, chances are that Intel has issued a Spectre/Meltdown patch for it.

    Intel's revised patches for its Ivy Bridge and Sandy Bridge processor families have begun rolling out to address Spectre and Meltdown vulnerabilities. With the release of the new code, just a few older processor families remain in the patch queue.

    Intel's microcode update document (March 6, 2018).
     
    tilleroftheearth and Vasudev like this.
  28. Vasudev

    Vasudev Notebook Nobel Laureate

    That's good to hear & probably Lenovo won't even ship uCodes update to my ivybridge based lappie. They could give us the tools and instruction to make our own BIOS and flash it.
     
  29. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Or they could offer microcodes for all CPU models that are affected. As a software package like the one Microsoft now offers or Linux* Processor Microcode Data File. As easy install on OS level (all can do this). This won't be very difficult. But will cost them a few pennies. Put up new as Intel push out new ones.
     
    Vasudev likes this.
  30. hmscott

    hmscott Notebook Nobel Laureate

    Controlling the Performance Impact of Microcode and Security Patches for CVE-2017-5754 CVE-2017-5715 and CVE-2017-5753 using Red Hat Enterprise Linux Tunables
    Updated Thursday at 3:13 PM
    https://access.redhat.com/articles/3311301

    "Red Hat Customer Portal Labs provides a Spectre And Meltdown Detector to help you detect if your systems are vulnerable to these CVEs.

    The recent speculative execution CVEs address three potential attacks across a wide variety of processor architectures and platforms, each requiring slightly different fixes. In many cases, these fixes also require microcode updates from the hardware vendors.

    Red Hat has made updated kernels available to address these security vulnerabilities. These patches are enabled by default (detailed below), because Red Hat prioritizes out of the box security. Speculative execution is a performance optimization technique. Thus, these updates (both kernel and microcode) may result in workload-specific performance degradation. Therefore, some customers who feel confident that their systems are well protected by other means (such as physical isolation), may wish to disable some or all of these kernel patches. If the end user elects to enable the patches in the interest of security, this article provides a mechanism to conduct performance characterizations with and without the fixes enabled.

    The security vulnerabilities described in these three CVEs may be found in modern microprocessors and operating systems on major hardware platforms including x86 (Intel and AMD chipsets), System Z, Power, and ARM.

    Retpoline Kernels
    As of March 2018, on X86 cpus, Red Hat is using “Retpoline” code sequences for indirect branches in the kernel to isolate those branches from speculative execution. For Intel processors prior to Skylake, Retpolines are used instead of the ibrs feature for mitigation against Spectre variant 2. For Skylake, due to full CVE mitigation concerns, ibrs will still be used and Retpolines will be disabled.

    A patched GCC compiler with Retpoline support is used for compiling the Retpoline patched kernel. A patched GCC compiler is also needed to compile kernel modules which should run on the kernel. SystemTap is one example that uses kernel modules to run code in kernel space, so it also needs the patched compiler.

    Disabling the CVEs:
    For Red Hat Enterprise Linux kernels on x86, three debugfs tunables control the behavior of the various patches in the updated kernel. These patches require updated microcode, which can be obtained from the hardware platform providers.

    These three debugfs tunables can be enabled or disabled on the kernel command line at boot, or at runtime via debugfs controls. The tunables control Page Table Isolation (pti), Indirect Branch Restricted Speculation (ibrs), and retpolines (retp). Depending on the cpu type, Red Hat enables each of these features by default as needed to protect the architecture detected at boot.

    For those wanting to disable the security mitigation for these CVEs to recover the performance loss, two options are available:

    Persistently disable - Effective across a reboot
    The first option is to disable them via the kernel command line by adding these flags, then reboot the kernel to have them take effect: There are several flags available to do this, noted below.

    spectre_v2=off nopti

    Note: you can individually disable each parameter, for performance characterization it is not required that all be simultaneously disabled.

    Runtime disable - Does not persist through a reboot
    The second option is to disable them at runtime with the following three commands. The change is immediately active and does not require a reboot.

    # echo 0 > /sys/kernel/debug/x86/pti_enabled
    # echo 0 > /sys/kernel/debug/x86/ibpb_enabled
    # echo 0 > /sys/kernel/debug/x86/ibrs_enabled

    Note this requires that the debugfs filesystem be mounted. In RHEL 7 the debugfs is mounted by default. In RHEL 6 you can mount it manually with

    mount -t debugfs nodev /sys/kernel/debug

    Verifying changes
    To verify the fixes for these CVEs are correctly disabled, cat the following three files to verify their values are all set to 0.

    # cat /sys/kernel/debug/x86/pti_enabled
    # cat /sys/kernel/debug/x86/ibpb_enabled
    # cat /sys/kernel/debug/x86/ibrs_enabled

    Some applications may still see a small performance loss even with the above CVE flags disabled.

    Details:
    The rest of this article describes more specifics about each CVE variant.

    • CVE-2017-5753 (variant #1/Spectre) is a Bounds-checking exploit during branching. This issue is fixed with a kernel patch. Variant #1 protection is always enabled; it is not possible to disable the patches. Red Hat’s performance testing for variant #1 did not show any measurable impact.

    • CVE-2017-5715 (variant #2/Spectre) is an indirect branching poisoning attack that can lead to data leakage. This attack allows for a virtualized guest to read memory from the host system. This issue is corrected with microcode, along with kernel and virtualization updates to both guest and host virtualization software. This vulnerability requires both updated microcode and kernel patches. Variant #2 behavior is controlled by the ibrs tunable which work in conjunction with the microcode, and the retp tunable. The ibpb tunable is still visible, but now read-only and is set by the kernel.

    • CVE-2017-5754 (variant #3/Meltdown) is an exploit that uses speculative cache loading to allow a local attacker to be able to read the contents of memory. This issue is corrected with kernel patches. Variant #3 behavior is controlled by the pti tunable (nopti/pti_enabled).
    As noted, installing the microcode update for your hardware, if provided by the hardware vendor, is necessary to protect against variant 2. Please contact your hardware vendor for microcode updates.

    Page Table Isolation (pti)
    “nopti”/pti_enabled controls the Kernel Page Table Isolation feature, which isolates kernel pagetables when running in userland. This feature addresses CVE-2017-5754, also called variant #3, or Meltdown.

    Customers and vendors can disable the PTI feature by passing “nopti” to the kernel command line at boot, or dynamically with the runtime debugfs control below:

    # echo 0 > /sys/kernel/debug/x86/pti_enabled

    Indirect Branch Restricted Speculation (ibrs)
    “noibrs”/ibrs_enabled controls the IBRS feature in the SPEC_CTRL model-specific register (MSR) when SPEC_CTRL is present in cpuid (post microcode update). When ibrs_enabled is set to 1 (spectre_v2=ibrs) the kernel runs with indirect branch restricted speculation, which protects the kernel space from attacks (even from hyperthreading/simultaneous multi-threading attacks). When IBRS is set to 2 (spectre_v2=ibrs_always), both userland and kernel runs with indirect branch restricted speculation. This protects userspace from hyperthreading/simultaneous multi-threading attacks as well, and is also the default on certain old AMD processors (family 10h, 12h and 16h). This feature addresses CVE-2017-5715, variant #2.

    When ibrs_enabled is set to 3, only userland runs with indirect branch restricted speculation. This can be used in combination with retpoline (spectre_v2=retpoline,ibrs_user) to provide similar security to ibrs_always with less performance overhead.

    Customer and vendors can disable the ibrs implementation in microcode by passing "noibrs" to the kernel command line at boot, or dynamically with the debugfs control below:

    # echo 0 > /sys/kernel/debug/x86/ibrs_enabled

    Indirect Branch Prediction Barriers (ibpb)
    Note: The ibpb tuning knob is now read-only and will be set by the kernel if either ibrs or retp is set. As with ibrs, ibpb needs updated microcode in order to work correctly.

    Ibpb controls the IBPB feature in the PRED_CMD model-specific register (MSR) if either IBPB_SUPPORT or SPEC_CTRL is present in cpuid (post microcode update). When ibpb_enabled is set to 1, an IBPB barrier that flushes the contents of the indirect branch prediction is run across user mode or guest mode context switches to prevent user and guest mode from attacking other applications or virtual machines on the same host. In order to protect virtual machines from other virtual machines, ibpb_enabled=1 is needed even if ibrs_enabled is set to 2. This feature addresses CVE-2017-5715, variant #2.

    Architectural Defaults
    By default, the appropriate tunables that apply to an architecture will be enabled automatically at boot time, based upon the architecture detected.

    Intel Defaults:

    pti=1 ibrs=0 retp=1 ibpb=1 -> fix variant #1 #2 #3 for pre-Skylake cpus
    pti=1 ibrs=1 retp=0 ibpb=1 -> fix variant #1 #2 #3 for Skylake cpus

    pti=1 retp=1 ibrs=0 ibpb=0 -> fix variant#1 #3 (for older Intel systems with no microcode update available)

    AMD Defaults:
    Due to the differences in underlying hardware implementation, AMD X86 systems are not vulnerable to variant #3. The correct default values will be set on AMD hardware based on dynamic checks during the boot sequence.

    pti=0 ibrs=0 ibpb=1 retp=1 -> fix variant #1 #2 if the microcode update is applied
    pti=0 ibrs=2 ibpb=1 retp=1 -> fix variant #1 #2 on older processors that can disable indirect branch prediction without microcode updates

    Tuned for automation
    Customers may control these settings by adding the above mentioned tuning commands to a customized tuned-adm profile via this method:

    How to create a customized tuned profile
    Note that these security fixes for variants #1 #2 #3 are enabled by default. Therefore creating a custom tuned profile is only required if the user intends to disable the security fixes."
     
    inm8#2 and Vasudev like this.
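Added example, not part of the post above or of Red Hat's article: a shell check that reads the debugfs tunables described in the quoted text and reports which variants the quoted defaults table would leave open for that combination. The file names pti_enabled and retp_enabled are assumed to follow the same naming as ibrs_enabled and ibpb_enabled, and the demo directory and its values are constructed.

```shell
#!/bin/sh
# Added example: audit the debugfs speculation tunables against the quoted defaults table.
# Assumption: pti_enabled and retp_enabled sit beside ibrs_enabled and ibpb_enabled.

# read_tunable DIR NAME -> value with whitespace stripped, or "na" if unreadable
read_tunable() {
    if [ -r "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2"
    else
        printf 'na'
    fi
}

# missing_variants VENDOR PTI IBRS RETP IBPB
# Prints the variant numbers (2 and/or 3) that the table does not list as fixed
# for this combination. Variant #1 appears in every row, so no tunable gates it here.
missing_variants() {
    vendor=$1 pti=$2 ibrs=$3 retp=$4 ibpb=$5

    # Variant #2: the table claims it only when ibpb=1 is combined with
    # retpoline (retp=1) or kernel IBRS (ibrs=1 or ibrs=2).
    v2=open
    if [ "$ibpb" = 1 ]; then
        case "$retp:$ibrs" in
            1:*|*:1|*:2) v2=fixed ;;
        esac
    fi

    # Variant #3: needs pti=1, except on AMD, which the text says is not vulnerable.
    v3=open
    if [ "$pti" = 1 ] || [ "$vendor" = AuthenticAMD ]; then
        v3=fixed
    fi

    out=""
    [ "$v2" = open ] && out="2"
    [ "$v3" = open ] && out="${out:+$out }3"
    printf '%s' "$out"
}

# audit_tunables DIR VENDOR
# Prints one summary line; returns 0 only when nothing is left open.
audit_tunables() {
    dir=$1 vendor=$2
    pti=$(read_tunable "$dir" pti_enabled)
    ibrs=$(read_tunable "$dir" ibrs_enabled)
    retp=$(read_tunable "$dir" retp_enabled)
    ibpb=$(read_tunable "$dir" ibpb_enabled)
    missing=$(missing_variants "$vendor" "$pti" "$ibrs" "$retp" "$ibpb")
    if [ -z "$missing" ]; then
        status="OK"
    else
        status="OPEN variant(s): $missing"
    fi
    printf 'pti=%s ibrs=%s retp=%s ibpb=%s -> %s\n' "$pti" "$ibrs" "$retp" "$ibpb" "$status"
    [ -z "$missing" ]
}

# Real use (as root, with debugfs mounted):
#   audit_tunables /sys/kernel/debug/x86 \
#       "$(awk '$1 == "vendor_id" { print $3; exit }' /proc/cpuinfo)"

# Constructed demo: the table's "older Intel, no microcode update" row (ibpb=0).
demo_dir=$(mktemp -d)
for kv in pti_enabled=1 ibrs_enabled=0 retp_enabled=1 ibpb_enabled=0; do
    printf '%s\n' "${kv#*=}" > "$demo_dir/${kv%%=*}"
done
audit_tunables "$demo_dir" GenuineIntel || true
rm -rf "$demo_dir"
```

A tunable that cannot be read shows up as "na" and is treated as not enabled, so a host without debugfs mounted is reported as open rather than silently passing.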
  31. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    KB4090007: Intel microcode updates
    Applies to: Windows 10 version 1709, Windows Server, version 1709 (Datacenter, Standard)
    https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates

    "Intel recently announced that they have completed their validations and started to release microcode for newer CPU platforms around Spectre Variant 2 (CVE 2017-5715 (“Branch Target Injection”)). This update includes microcode updates from Intel for the following CPUs:
    [Attached images: Microsoft microcode update CPU list, parts 1 and 2]

    This update is a standalone update available through the Microsoft Update Catalog and targeted for Windows 10 version 1709 (Fall Creators Update) & Windows Server version 1709 (Server Core).

    This update also includes Intel microcode updates that were already released for these Operating Systems at the time of Release To Manufacturing (RTM).

    We will offer additional microcode updates from Intel thru this KB Article for these Operating Systems as they become available to Microsoft. Please ensure that mitigation against Spectre Variant 2 is enabled through the registry settings documented in the following articles:
    Consult with your device manufacturer’s and Intel’s websites regarding their microcode recommendation for your device before applying this update to your device.

    Known issues
    Microsoft is not aware of any issues that affect this update currently.

    How to get this update
    Microsoft Update Catalog
    [Attached image: Microsoft Update Catalog KB4090007]
     
    Last edited: Mar 14, 2018
    AndiiiHD, Robbo99999 and Vasudev like this.
  32. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Reputations:
    42,701
    Messages:
    29,839
    Likes Received:
    59,614
    Trophy Points:
    931
    Meltdown/Spectre: Intel plans changes to protect future chips-Pcworld.com
    Of the three side-channel attacks making up Spectre and Meltdown, the first Spectre vulnerability variant has essentially been patched via software. That code was originally authored by Intel, then routed to customers via hardware makers and Microsoft. Microsoft supplied OS patches as well as Intel’s microcode via Windows Update. But software patches alone won’t be enough to patch the second Spectre variant, as well as Meltdown. Both will demand hardware revisions, which will roll out later this year.

    To accomplish that, Intel said it had designed “partitions” to protect against Spectre variant 2 and Meltdown. Those partitions will first appear within the next-generation Xeon, code-named Cascade Lake, as well as an unnamed 8th-generation Core chip expected to ship during the second half of 2018.

    ------------------------------------------

    Intel and Microsoft release final Spectre Patches up to and including Sandy Bridge
     
    Last edited: Mar 15, 2018
    Vistar Shook, Vasudev and KY_BULLET like this.
  33. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Reputations:
    42,701
    Messages:
    29,839
    Likes Received:
    59,614
    Trophy Points:
    931
    New Linux* Processor Microcode Data File
    Version: 20180312 (Latest) Date: 3/12/2018
     
    Robbo99999 likes this.
  34. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    Intel: Our next chips won't have data leak flaws we told you totally not to worry about
    Meltdown, Spectre-free CPUs coming this year, allegedly
    By John Leyden 15 Mar 2018 at 18:28
    https://www.theregister.co.uk/2018/03/15/intel_spectre_mitigation/

    "Intel has claimed its future processors – shipping as early as the second half of this year – will be free of the security design flaws it totally told you not to fret about.

    Over the past couple of months, it has been incredible watching Chipzilla revise its position, in public and behind the scenes, over and over again.

    In public statements and private briefings to reporters and analysts, it has shifted from claiming these bugs are overblown and not a problem, to admitting they are a problem but are easy to mitigate, to confessing they are not so easy to mitigate but at least there are no ill effects, to conceding there are some ill effects but it's nothing to worry about, to finally confirming: the issues are so embarrassing, we've redesigned our processors to address the design blunders.

    Today we're told Intel's upcoming desktop and server processors won't be vulnerable to Meltdown and one of the two Spectre variants. Specifically, Meltdown and Spectre Variant 2 will be fixed in hardware, whereas Spectre Variant 1 will be fixed in software. Meltdown allows a software nasty to access kernel and thus other applications' memory. Spectre Variant 2 can be exploited by malware to read kernel memory, and Spectre Variant 1 allows evil code to snoop on application memory – typically, JavaScript in one browser tab spying on another tab. Variant 1 can be fixed by patching programs to thwart Spectre-based attacks.

    Chipzilla has, we're told, redesigned its processor architecture to introduce "partitioning" to prevent malware from exploiting the data-leaking vulnerabilities to steal passwords and other sensitive information from applications, hypervisors, and operating systems.

    Assuming the fixes work. Intel has cocked that up recently in its microcode workarounds for Spectre.

    "These changes will begin with Intel's next generation Xeon Scalable processors, as well as 8th Generation Intel Core processors expected to ship in the second half of 2018," Intel said on Thursday.

    In other words: patch your systems, or buy new chips to avoid that faff. There's no word yet on whether or not the tweaks to the chip circuitry will affect performance, nor the technical details of the changes. Each chip generation introduces a modest speed-up over the previous generation: the upcoming chips may not offer much of a performance increase this time around due to these necessary redesigns.

    "Think of this partitioning as additional 'protective walls' between applications and user privilege levels to create an obstacle for bad actors," Intel chief exec Brian Krzanich said earlier today.

    Krzanich added that Intel has now released microcode updates for all of its products launched in the past five years that require Spectre and Meltdown workarounds. These should be available from operating system and motherboard makers.

    Infosec expert Professor Alan Woodward, of the University of Surrey in England, commented: "It looks as though Intel accept that whilst they can fix variant one with software updates, the other two remain a threat. They're going to have to change their architecture but it's a bit light in detail.

    "They talk of partitioning, which is good as the whole problem was being able to access data to which your app was not supposed to have access. However, what's not clear is quite how this will work and if it will completely defeat this type side channel attack."

    Prof Woodward added that it will be interesting to see what this hardware approach does to execution speed. CPU performance was impaired by earlier software patches, some of which proved problematic to apply.

    "The unsaid part is of course that existing hardware will continue to have some vulnerability. Some of this might be mitigated but it's not going to be removed," he concluded."

    Comments
    Spooky bugs
    Meltdown and Spectre are both processor-level vulnerabilities that make it possible for code running in user-mode – which might include malware on a system or even malicious JavaScript served through rogue ads – to read from portions of protected kernel memory or other applications' memory, snaffling passwords and other sensitive information in the process.

    Meltdown breaks the isolation between user applications and the operating system. Spectre, which is harder to exploit but also more dangerous, breaks the isolation between different applications.

    Essentially, the design blunders are the result of engineers putting speed over security. The CPU cores can be tricked into revealing the contents of private memory to another process, when there ought to be mechanisms in place to prevent this leakage of information. Modern processors do include such access checks, but they can be bypassed.

    Meltdown primarily affects Intel processors. Spectre – so named because it involves flaws in the speculative execution technology that speeds the work of most modern processors – affects a much larger range of processor makers including AMD and Arm. Smartphones, servers and cloud services as well as PCs were at risk of attack.

    Operating system developers and cloud service providers have released and rolled out patches to defend against both Meltdown and Spectre while the world waits for silicon designers to address the security shortcomings.
    How Intel Is Moving From Software Fixes to Hardware Redesigns to Combat Spectre and Meltdown
    By AARON PRESSMAN, March 15, 2018
    http://fortune.com/2018/03/15/intel-chips-spectre-meltdown-hardware/

    "Ronak Singhal, a senior executive and 20-year veteran of chipmaker Intel, was trying to get to dinner at Helena, his favorite restaurant in Israel, a few weeks ago. But before he could join colleagues celebrating a promotion at the high-end eatery poised on the shores of the Mediterranean Sea south of Haifa, he had to explain to one of the company’s software partners what was going on with Intel’s patches for the notorious Spectre and Meltdown security problems.
    The problem that night for Singhal, who oversees the development of the architecture for all of Intel’s processors, was that something was wrong with the patches. Among all the millions and millions of computers in use around the world running Intel CPUs, one of the patches for Spectre was causing some computers to freeze up or spontaneously reboot. Though only affecting a tiny proportion of the market, the problems were widespread enough to spook PC makers and prompt a temporary recall of the updated software. (And even stirred Linux creator Linus Torvalds to publicly proclaim Intel’s work was “pure garbage.”)

    Relying on some techniques that Intel had never used previously in its software, “there were cases where the patches didn’t work as intended,” Singhal explained. It took more than an hour to assuage the contractor—Singhal’s co-workers started eating without him. “They thought I’d gotten lost or kidnapped or something,” he jokes recalling the incident. He did get to join the party and eat a dish of Helena’s famed calamari.

    A few weeks later, Intel issued corrected patches and the fixes for one of the most serious security incidents in computing history have gone smoothly since then. On Thursday, Intel declared that it had fully deployed patches covering all of the chips it had made in the past five years.

    Up next for Singhal are fixes that will be embedded directly in the silicon of upcoming products. The revamped chip designs will be ready for 8th generation Core processors released in the second half of the year and a line of Xeon server chips expected in the fourth quarter known by the code name “Cascade Lake.” Building the protections into the hardware eliminates a significant amount of the impact on performance seen with the software patches, Singhal says.

    “We’ve made it through the first set of software mitigations,” Intel CEO Brian Krzanich tells Fortune. “We’ve got everything five years and newer completed and we’re now starting to implement hardware mitigations where it’s actually built into our silicon.”

    Spectre and Meltdown Variants 1, 2, and 3
    The whole mess that revealed such serious security vulnerabilities in nearly every chip made for the past few decades, by Intel and its competitors, started small last summer. Researchers at a special security vulnerability search team at Google reported to Intel’s security section in June that they’d uncovered a problem with a key part of CPU design.

    Modern chips typically have so much idle processing power that it makes sense for programs to calculate several options to solve a problem even before earlier steps in the program have completed. Known as speculative execution, the performance enhancing strategy then throws out the answers that don’t match the results of the earlier steps.

    But the Google (GOOGL, +0.17%) researchers, followed by several teams in academia, had found ways to trick chips into revealing data like passwords and encryption keys as the secrets were used in the speculative execution calculations. The researchers dubbed two variants of the trick Spectre, after the fictitious evil organization that pursues James Bond, and a third variant was called Meltdown because it effectively melted security barriers. The danger was especially acute for cloud servers, where programs from multiple customers would be running on the same chip, and in web browsers, which can execute code from a web site unknowingly.

    By early July, Intel and other chipmakers had realized the vast scope of the problem and convened groups to craft solutions. Singhal held a daily morning conference call, sometimes lasting for two hours, to coordinate Intel’s response across offices in Oregon, California, Texas, and Israel. With people in different time zones working on the problem, the effort could operate around the clock.

    All along, the plan was to issue software fixes first and then build the protections into future chip designs. The software patches had a cost in reducing the performance of the affected CPUs. The hit varied widely depending on the type of Intel chip involved and the programs being run. One test on a PC with a Kaby Lake Core i7 processor found most apps slowed less than 10%, which would be barely noticeable in real life usage. But Microsoft (MSFT, +0.35%) warned that PCs running its older Windows 7 or 8 and Intel’s five-year-old Haswell processors would take a big hit.

    Intel’s New Security Effort
    As a result of the experience, Intel CEO Krzanich set up a new group, dubbed the IPAS or Intel Product Assurance and Security, to not only work on the Spectre and Meltdown fixes but to address future security problems more effectively. Longtime Intel executive Leslie Culbertson, who joined the company in 1979, heads the IPAS group.

    “This was going to be a whole new area of research and a whole new area of security understanding that required a long-term investment by Intel,” Krzanich says. The focus will be on uncovering future vulnerabilities, but also thinking about how to make its chips more secure in general. “You’re going to see a constant progression–that’s what this team will be thinking about.”

    “We know this isn’t the end of the story,” Singhal adds. “This is going to be an ongoing activity probably for many of us.”

    When news of Spectre and Meltdown first leaked out in early January, Intel’s (INTC, -1.89%) stock took a hit, as investors feared the security problems might slow chip sales. More recently, some analysts have argued that Intel’s new chips with built-in protection might spur more rapid sales from companies wanting to upgrade to safer hardware. Intel’s shares are up 12% so far this year, outpacing the 3% gain in the S&P 500 Index.

    Krzanich is dismissive of both the positive and negative scenarios. “We’ve said since the beginning of this that we think the impact will be negligible, even on the positive side,” the CEO says. “The analyst community needs to realize that we’re constantly doing these kinds of improvements—improvements in security, improvements in performance, and adding new features to drive refresh cycles.”

    (Update: This story was updated on March 15 to clarify that the impact on performance from Intel’s hardware fixes would be “a significant amount.”)
     
    Last edited: Mar 16, 2018
    KY_BULLET likes this.
  35. Robbo99999

    Robbo99999 Notebook Prophet

    Reputations:
    4,346
    Messages:
    6,824
    Likes Received:
    6,112
    Trophy Points:
    681
    Cool, that looks like it includes a whole bunch of microcodes all the way back to Sandybridge (I think) - that's not such a big deal anymore for Windows folks as Microsoft are now releasing updated microcodes through KB4090007, but that's only for the latest versions of Windows 10, so still useful for Win 7 & Win 8 users.
     
    Papusan and Vasudev like this.
  36. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Reputations:
    42,701
    Messages:
    29,839
    Likes Received:
    59,614
    Trophy Points:
    931
    Hence why I posted in forum.notebookreview.com/threads/ucode-fix-for-spectre-ht-bug-fix-and-meltdown
     
    Vasudev and KY_BULLET like this.
  37. James D

    James D Notebook Prophet

    Reputations:
    2,314
    Messages:
    4,901
    Likes Received:
    1,132
    Trophy Points:
    231
    They told ya, heh. They remind me of lying politicians who at first say something which looks like a lie and, when it finally ends up being discovered as a lie, they twist and act as if that actually still means they told the truth.
    I said in January that Intel will not fix Spectre with in-built silicon changes and that Intel will match AMD at best.
    Now we see that Spectre isn't actually fixed (still software fix needed) and they pretty much matched AMD (OK, bested by a little) by alleged fix of only Variant 2 of Spectre: while GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors, AMD claimed that AMD’s processor architectures make it difficult to exploit Variant 2 (close to zero to their initial statement) and AMD says that CPU microcode updates are optional. https://www.amd.com/en/corporate/speculative-execution

    Now I agree I wasn't quite right either, but who is closer with their predictions to what came out: just an advanced user on a tech forum (me) with 10% space for mistake, or a multibillion corporation with insider's information who intentionally spread that info as a 100% fact?
     
    Last edited: Mar 16, 2018
    Vasudev likes this.
  38. Robbo99999

    Robbo99999 Notebook Prophet

    Reputations:
    4,346
    Messages:
    6,824
    Likes Received:
    6,112
    Trophy Points:
    681
    I've been experiencing some instability with the latest microcode for my Skylake build. I updated to the latest Spectre fixed microcode version C2 using KB4090007 in Windows Update, and the instability I've been experiencing is when running Prime95 at the same time as Firestrike Graphics Test 1 on a loop (I was doing such a torturous routine because I'm testing air temperatures in my PC case, desktop PC) - within 10 to 15 minutes it would crash out of Firestrike. I investigated potential causes such as unstable CPU or GPU overclocks, but I was able to rule that out. I realised I had updated the CPU microcode recently, so decided to uninstall KB4090007 and so revert back to my old previous CPU microcode (version BA), and then retested stability with Prime95 and Firestrike running at the same time - it was stable for 40mins, whereas with the new Spectre fixed microcode it would always crash out of Firestrike within 10 to 15 minutes.

    I also noticed since reverting to my older CPU microcode that gaming is smoother - BF1 (game) had more stutters with the newest C2 microcode.

    At the moment I'm on the older 'unsafe' microcode, I'm not sure if I'll update to the latest one again as the new microcode seems a little bugged when both CPU & GPU are pushed to their absolute limits at the same time, it also created that stuttering in BF1.

    EDIT: added strikethrough as I later found this not to be the cause! Is smoother in BF1 though.
     
    Last edited: Mar 19, 2018
    hmscott and Papusan like this.
  39. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Reputations:
    42,701
    Messages:
    29,839
    Likes Received:
    59,614
    Trophy Points:
    931
    Windows Spectre Patches Are Here, But You Might Want to Wait
    To fully protect your PC against Spectre, you need updated Intel CPU microcode. This is normally provided by your PC manufacturer via a UEFI firmware update, but Microsoft now offers an optional patch with the new microcode

    by Chris Hoffman howtogeek.com March 20th 2018

    Many of the worst fears about Spectre have been addressed by other software patches, which makes this update less urgent. For example, web browsers have released updates that prevent websites from exploiting Spectre via JavaScript code. Spectre is much harder to exploit than Meltdown was.

    We also haven’t seen any serious Spectre exploits in the wild yet. So, overall, we don’t recommend rushing this. It’s possible that Microsoft themselves may want time to test this update before rolling it out to all Windows users automatically via Windows Update, although we have no idea what Microsoft’s future plans for this update may be.

    However, some types of systems are still especially vulnerable. Systems that run virtual machines containing untrusted code—like at a cloud hosting service—should almost certainly install the microcode update on those systems.
     
    Last edited: Mar 20, 2018
    tilleroftheearth, Vasudev and inm8#2 like this.
  40. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    11 Potential Effects Of Meltdown And Spectre On The Tech Industry
    MAR 21, 2018 @ 07:45 AM
    https://www.forbes.com/sites/forbes...nd-spectre-on-the-tech-industry/#65531649e44c

    "In the last several months, the tech world has been buzzing about Meltdown and Spectre, extremely serious hardware security flaws that could potentially affect anyone with a computer. If a malicious program exploits these vulnerabilities, it can access data stored in the memory of other programs running on your machine, including passwords, private emails, photos and other sensitive data.

    Although security patches have been released to protect against Meltdown and Spectre exploits, this major issue has everyone paying closer attention to their device security, especially in the tech industry. We asked members of Forbes Technology Council how the news of these vulnerabilities might impact their field.
    1. Worse Performance Per Dollar

    Secure cloud resources can become more expensive after the recent news of Meltdown and Spectre. This means that we can expect a worse performance per dollar and may need to invest more to get the same performance we are accustomed to but hopefully with increased security. - Thomas Griffin, OptinMonster

    2. A Greater Need To Evaluate Software Performance

    The Meltdown and Spectre exploits are consequences of technical design that led to higher performance. The patches quickly delivered by the software companies are known to slow down systems, but in most cases, the end users won’t notice. However, if you make software dependent upon system performance, any impact to performance needs to be evaluated. - Tim Maliyil, AlertBoot

    3. Overall Slower Devices (Until The Next Generation Comes Out)

    The Spectre and Meltdown flaws have exposed a huge security hole in a large number of platforms, from mobile to laptops to desktops and data centers in the cloud. Some of the companies have come out with fixes for this flaw, but they slow down your computer. All computers are taking a performance hit and will have to wait for next-generation chips where it will be fixed in hardware. - Naresh Soni, Tsunami ARVR

    4. Future Exploitation Of Unpatched Hardware

    Major platforms were patched quickly, and the resulting performance hit will increase infrastructure costs in the short term. But the biggest problem is legacy hardware that remains unpatched. Millions of mobile devices and servers are unlikely to be patched any time soon, and criminals will likely be exploiting Spectre and Meltdown for years to come. - Vik Patel, Nexcess

    5. Increased Cloud Adoption To Shift The Infrastructure Burden

    Attackers are able to exploit these critical security gaps and access sensitive data and applications, and the fallout is severe. Today, many organizations are moving away from managing their own data centers and adopting cloud, effectively shifting the infrastructure security burden to AWS, Microsoft and others that have processes in place to quickly patch their systems. - Rich Campagna, Bitglass

    6. Less Trust In Future Technology

    Given the rise of tech in people's lives, it is important for us to make them trust tech. Especially, when we're asking people to use tech for things like self-driving cars (where their lives are at stake if tech fails) and smart homes (where a faulty piece of tech can make your private life not so private). Will people stop using all computers? No. Will they be more reluctant trying new technology? Probably. - Vikram Joshi, pulsd

    7. The Potential For More Mass Compromise In The Cloud

    This happens at a hardware/chip level every so often, and in general, it has very little direct impact on enterprises and enterprise security teams. However, now that enterprises are moving to the cloud, there could be a higher impact than we have seen before. These types of attacks might be leveraged more broadly at a hardware layer in the cloud causing mass compromise. - Tyler Shields, Signal Sciences

    8. An Increased Respect For Cybersecurity

    Hopefully, we have major chances to see the positive effect, as people who will experience such a massive issue caused by Meltdown and Spectre will finally learn to value cybersecurity and change their mind about its significance. Taking into consideration the new hacker approach -- crypto mining -- any vulnerability in the products that are in common use can have an enormous impact on business. - Alexander Polyakov, ERPScan

    9. Future Chips Designed For Hackability

    Testing for structural defects used to be done after manufacturing the processor. As chip sizes grew smaller, this was no longer feasible and "design for testability" evolved to dedicating part of the chip for testability. Similarly, what has surfaced is the need to "design for hackability." In the future, we will see part of every processor chip devoted to preventing unauthorized accesses to data. - Ketaki Rao, Jivox

    10. A Multi-Layer Security Approach

    The digital economy is built on the foundation of IT, which includes applications and infrastructure. This incident shows that security needs to be top of mind for everyone in the tech industry. It’s not a software issue only. Every component, layer or solution needs to be secure to meet the business needs of a digital enterprise. - Kelly Ahuja, Versa Networks

    11. Diversification Of Suppliers

    When a single vendor like Intel has an issue, we can’t afford for data centers across the globe to go down. The risks associated with monoculture are documented. A single disease can lead to a worldwide impact. We are already seeing a response in high tech, as data centers are now diversifying their component suppliers so a single product failure will not bring down their operations. - Radoslav Danilak, Tachyum"

    7 Spectre/Meltdown Symptoms That Might Be Under Your Radar
    The Spectre/Meltdown pair has a set of major effects on computing but there are impacts on the organization that IT leaders might not have considered in the face of the immediate problem.
    https://www.darkreading.com/risk/7-...hat-might-be-under-your-radar/d/d-id/1331299?
     
    Vasudev and Starlight5 like this.
  41. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    Meltdown & Spectre: Analyzing Performance Impacts on Intel's NUC7i7BNH
    by Ganesh T S on March 23, 2018 4:15 PM EST
    https://www.anandtech.com/show/12566/analyzing-meltdown-spectre-perf-impact-on-intel-nuc7i7bnh

    "One of the consequences of the Meltdown and Spectre vulnerabilities, besides the immediate security concerns, is what it has meant for our ongoing testing and benchmarking operations. Along with accounting for the immediate performance changes from the required patches, we've also needed to look at how we present data and how we can (or can't) compare new patched systems to older unpatched systems. From an editorial perspective we need to ensure the continuity of our data as well as providing meaningful benchmark collections.

    What we've found so far is that the impact of the Meltdown and Spectre patches varies with the workload and the type of test. Nate's GPU testing shrugs it off almost entirely, while Billy's SSD testing especially feels the pinch. In the middle of course are consumer system reviews, where workloads are more varied but also much more realistic and often more relevant as well. Of course, this is also the type of hardware that we most often have to return when we're done, making it the most challenging to correct.

    As everyone at AnandTech has been integrating the patches and updating their datasets in their own way, I wanted to offer some insight into what's going on for system testing. With several important systems set to launch in the first half of this year – particularly Intel's Hades Canyon – I've been going back and collecting updated results for use in those future reviews. In the process, I also wanted to document how performance has been impacted by these security patches and which benchmarks in particular have been affected.
    ...
    Concluding Remarks
    While the primary purpose of this exercise was just to update our datasets for future system reviews, it none the less proved to be an enlightening one, and something worth sharing. We already had an idea of what to expect going into refreshing our benchmark data for Meltdown and Spectre, and in some ways we still managed to find a surprise or two while looking at Intel's NUC7i7BNH NUC. The table below summarizes the extent of performance loss in various benchmarks.
    [Attached images: AnandTech NUC Meltdown/Spectre benchmark tables 1 and 2]
    Looking at the NUC – and really this should be on the mark for most SSD-equipped Haswell+ systems – there isn't a significant universal trend. The standard for system tests such as these is +/- 3% performance variability, which covers a good chunk of the sub-benchmarks. What's left then are more meaningful performance impacts in select workloads of the BAPCo SYSmark 2014 SE and Futuremark PCMark 10 benchmarks, particularly storage-centric benchmarks. Other than those, we see certain compute workloads (such as the 2nd stage of the Agisoft Photoscan benchmark) experience a loss in performance of more than 10%.

    On the whole, we see that the patches for Meltdown and Spectre affect real-world application benchmarks, but synthetic ones are largely unaffected. The common factor among most of these benchmarks in turn is storage and I/O; the greater the number of operations, the more likely a program will feel the impact of the patches. Conversely, a compute-intensive workload that does little in the way of I/O is more or less unfazed by the changes. Though there is a certain irony to the fact that taken to its logical conclusion, patching a CPU instead renders storage performance slower, with the most impacted systems having the fastest storage.

    As for what this means for future system reviews, the studies done as part of this article give us a way forward without completely invalidating all the benchmarks that we have processed in the last few years. While we can't reevaluate every last system – and so old data will need to stick around for a while longer still – these results mean that the data from unimpacted benchmarks is still valid and relevant even after the release of the Meltdown and Spectre patches. To be sure, we will be marking these results with an asterisk to denote this, but ultimately this will allow us to continue comparing new systems to older systems in at least a subset of our traditional benchmarks. Which combined with back-filling benchmarks for those older systems that we do have, lets us retain a good degree of review and benchmark continuity going forward.
     
    alexhawker, Vasudev and Robbo99999 like this.
  42. hmscott

    hmscott Notebook Nobel Laureate

    Vistar Shook and Vasudev like this.
  43. hmscott

    hmscott Notebook Nobel Laureate

    Microsoft's Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE
    You'll want to install the March update. Like right now – if you can avoid broken networking
    By Shaun Nichols in San Francisco 28 Mar 2018 at 00:21
    https://www.theregister.co.uk/2018/03/28/microsoft_windows_meltdown_patch_security_flaw/

    "Microsoft's January and February security fixes for Intel's Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes.

    This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple's FileVault disk encryption system.

    We're told Redmond's early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system's memory map, gain administrator-level privileges, and extract and modify any information in RAM.

    Ouch!

    The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.

    Sunk by its own hand
    According to Frisk, who backed up his claim with a detailed breakdown and a proof-of-concept exploit, the problem boils down to a single bit accidentally set by the kernel in a CPU page table entry. This bit enabled read-write user-mode access to the top-level page table itself.

    On Windows 7 and Server 2008 that PML4 table is at a fixed address, so it can always be found and modified by exploit code. With that key permission bit flipped from supervisor-only to any-user, the table allowed all processes to modify said table, and thus pull up and write to memory addresses they are not supposed to reach.

    Think of these tables as a telephone directory for the CPU, letting it know where memory is located and what can access it. Microsoft's programmers accidentally left the top-level table marked completely open for user-mode programs to alter, allowing them to rewrite the computer's directory of memory mappings.

    Further proof-of-concept code can be found here.

    Total meltdown
    "Windows 7 already did the hard work of mapping in the required memory into every running process," Frisk explained. "Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!"

    Windows 8.x and Windows 10 aren't affected. The March 13 Patch Tuesday updates contain a fix that addresses this permission bit cockup for affected versions, we're told.

    Microsoft did not respond to a request for comment on the matter.

    In short, patch your Windows 7 and Server 2008 R2 machines with the latest security updates to protect against this OS flaw, otherwise any processes or users can tamper with and steal data from physical RAM, and give themselves admin-level control. Or don't apply any of the Meltdown fixes and allow programs to read from kernel memory.

    Networking not working
    Fingers crossed your system isn't among those that will suffer networking woes caused by the March security patches. Microsoft's security updates this month broke static IP address and vNIC settings on select installations, knocking unlucky virtual machines, servers, and clients offline.

    For example, with patch set KB4088878 for Windows 7 and Server 2008 R2, Redmond admitted:

    A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused. Microsoft is working on a resolution and will provide an update in an upcoming release.

    Static IP address settings are lost after you apply this update. Microsoft is working on a resolution and will provide an update in an upcoming release.

    Prevent data theft, or have working networking. Tough choice."

     
    inm8#2 and Robbo99999 like this.
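The permission bit described in the article quoted above, as an added example (not code from the article, from Frisk, or from Microsoft): a C check that scans a PML4 for an entry pointing back at the table itself and reports whether its user/supervisor bit is set. The table contents, physical address and slot number are constructed sample values, not the real Windows 7 layout.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 paging-structure entry flag bits, as defined by the architecture. */
#define PTE_PRESENT   (1ULL << 0)  /* P:   entry is valid */
#define PTE_WRITABLE  (1ULL << 1)  /* R/W: writes allowed */
#define PTE_USER      (1ULL << 2)  /* U/S: 1 = user mode may access, 0 = supervisor only */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL  /* bits 51:12, physical frame address */
#define PML4_ENTRIES  512

/* Constructed sample values: arbitrary physical address and slot. */
#define SAMPLE_PML4_PHYS 0x0000000000187000ULL
#define SAMPLE_SLOT      300

/* A PML4 entry is a "self-map" when it points back at the PML4's own
 * physical page. The same entry is then used at every level of the walk,
 * so its U/S bit alone decides whether user mode can reach the tables. */
static int is_self_map(uint64_t entry, uint64_t pml4_phys)
{
    return (entry & PTE_PRESENT) &&
           (entry & PTE_ADDR_MASK) == (pml4_phys & PTE_ADDR_MASK);
}

/* Returns the index of the first self-map entry that user mode can reach
 * (U/S set), or -1 if every self-map entry is supervisor-only. */
int find_user_accessible_self_map(const uint64_t *pml4, uint64_t pml4_phys)
{
    for (int i = 0; i < PML4_ENTRIES; i++) {
        if (is_self_map(pml4[i], pml4_phys) && (pml4[i] & PTE_USER))
            return i;
    }
    return -1;
}

/* Build a sample table with one self-map entry carrying the given flags. */
void build_sample_pml4(uint64_t *pml4, uint64_t self_map_flags)
{
    for (int i = 0; i < PML4_ENTRIES; i++)
        pml4[i] = 0;
    /* Ordinary user-space mapping: U/S set here is expected and harmless. */
    pml4[0] = 0x0000000000200000ULL | PTE_PRESENT | PTE_WRITABLE | PTE_USER;
    pml4[SAMPLE_SLOT] = SAMPLE_PML4_PHYS | self_map_flags;
}

int main(void)
{
    static uint64_t pml4[PML4_ENTRIES];

    build_sample_pml4(pml4, PTE_PRESENT | PTE_WRITABLE);             /* intended state */
    printf("supervisor-only self-map: %d\n",
           find_user_accessible_self_map(pml4, SAMPLE_PML4_PHYS));

    build_sample_pml4(pml4, PTE_PRESENT | PTE_WRITABLE | PTE_USER);  /* the faulty bit */
    printf("user-accessible self-map: %d\n",
           find_user_accessible_self_map(pml4, SAMPLE_PML4_PHYS));
    return 0;
}
```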
  44. Robbo99999

    Robbo99999 Notebook Prophet

    DOH! What's this!? MSI have today updated a few of their Z170A boards (my board included) with a new BIOS that according to MSI "[updates] Intel microcode for security vulnerabilities", as seen in the following screenshot. (Ignore the release date listed on the website, it's wrong, it actually only appeared on the website today). Thing is, it doesn't actually update with a microcode that addresses any security vulnerabilities, instead it updates the microcode to version BA, which is only a microcode fix for the i7 hyper threading bug, nothing to do with security - it should be the latest C2 microcode included, but it's not. That's quite misleading, it's not a fix for Spectre at all, and the InSpectre tool clearly shows me that my system is not protected from Spectre. I wonder why MSI have done this?
    https://www.msi.com/Motherboard/support/Z170A-KRAIT-GAMING-3X.html
    MSI BIOS Description Misleading.jpg
    Another change with this BIOS - I had to run Package C-states at C0 rather than C6, because this BIOS would otherwise result in about 5% loss of GPU performance - weird! Idle CPU power consumption hasn't increased with that change, so that's still gravy. On a positive note this BIOS combined with the C0 Package setting resulted in a 4% increase in Graphics Score on Timespy (in comparison to previous BIOS), and a frame or two extra performance in some game benchmarks, like Dirt Rally.
     
    Last edited: Mar 28, 2018
    Vasudev likes this.
  45. hmscott

    hmscott Notebook Nobel Laureate

    Just a thought that came to me after Microsoft started offering the mitigation microcode through Windows instead of BIOS update, and Linux can / should do this too (anyone?), perhaps this is how such microcode should be distributed, instead of through BIOS revisions.

    So, it may be that vendors like MSI would "remove" the Intel microcode updates so as to not interfere with the Windows / Linux / OS microcode updates.

    Also, it's much easier and quicker to roll out a microcode change through OS updates than through a BIOS update. What with all the initial pains and regressions with the microcode updates, I would think this would be safer as well.

    So that means MSI would update the BIOS with microcode extensions that would be outside the ones rolled out through the OS.

    IDK, maybe this is a good side effect of the whole fiasco, we get OS delivered Microcode updates quickly instead of through BIOS updates.

    The question is, should we be getting most or all of the microcode updates through the OS now, and the BIOS would be relieved of updates outside those that require running from the BIOS to solve their problem fix.
     
    Last edited: Mar 28, 2018
    KY_BULLET and Riley Martin like this.
  46. Robbo99999

    Robbo99999 Notebook Prophet

    Yep, I'm aware I can get the latest microcode through Windows Update, but I wanted to test this new BIOS along with the microcode included. My point is, that MSI have stated that they have upgraded the microcode to protect against security vulnerabilities, and that is not the case - it's version BA which is for a hyperthreading bug, and that's not a security vulnerability. They have indeed included a newer version of microcode in comparison to their previous BIOS, but it's still not the latest microcode (latest is C2), and it does not fix any security vulnerabilities. So, MSI have been misleading, and this is my point. I don't know why they've done this, I'm wondering if they're just incompetent and actually believe that this BIOS actually fixes the Spectre issue!
     
  47. hmscott

    hmscott Notebook Nobel Laureate

    I gave you my view on it, more directly it would be best to ask MSI through a support ticket, and let's hear what they have to say. :)
     
    Riley Martin and Vasudev like this.
  48. hmscott

    hmscott Notebook Nobel Laureate

    Microsoft patches patch for Meltdown bug patch: Windows 7, Server 2008 rushed an emergency fix
    If at first you don't succeed, you're Redmond
    By Shaun Nichols in San Francisco 29 Mar 2018 at 23:24
    https://www.theregister.co.uk/2018/03/29/microsoft_meltdown_out_of_band_patch/

    "Microsoft today issued an emergency security update to correct a security update it issued earlier this month to correct a security update it issued in January and February.

    In January and February, Redmond emitted fixes for Windows 7 and Server 2008 R2 machines to counter the Meltdown chip-level vulnerability in modern Intel x64 processors. Unfortunately, those patches blew a gaping hole in the operating systems: normal applications and logged-in users could now access and modify any part of physical RAM, and gain complete control over a box, with the updates installed.

    Rather than stop programs and non-administrators from exploiting Meltdown to extract passwords and other secrets from protected kernel memory, the fixes on Windows 7 and Server 2008 R2 instead granted full read-write privileges to system RAM.

    Roll on March, and Microsoft pushed out fixes on Patch Tuesday to correct those January and February updates to close the security vulnerability it accidentally opened.

    Except that March update didn't fully seal the deal: the bug remained in the kernel, and was exploitable by malicious software and users.

    Total Meltdown
    Now, if you're using Windows 7 or Server 2008 R2 and have applied Microsoft's Meltdown patches, you'll want to grab and install today's out-of-band update for CVE-2018-1038.

    Swedish researcher Ulf Frisk discovered the January and February Meltdown mitigations for Win7 and Server 2008 R2 were broken, and went public with his findings once the March Patch Tuesday had kicked off. As it turns out, this month's updates did not fully fix things, and Microsoft has had to scramble to remedy what was now a zero-day vulnerability in Windows 7 and Server 2008.

    In other words, Microsoft has just had to put out a patch for a patch for a patch. Hardly inspiring stuff, but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest. On the other hand, writing kernel-level memory management code is an absolute bastard at times, so you have to afford the devs some sympathy.

    BTW some of us have written kernel-mode code that manipulates MMU page tables, and it's an absolute fiddly PITA. So gg Microsoft. You got there in the end. https://t.co/bxDbbALhqE
    — The Register (@TheRegister) March 29, 2018

    Frisk told El Reg he only learned the OS-level bug was still present yesterday. When he went live with the flaw on his blog earlier this week, it was with the blessing of Microsoft's security group on the belief the March update had addressed everything.

    Needless to say, if you own or administer either a Windows 7 or Server 2008 R2 system, you will want to test and deploy this fix as soon as possible."

     
    Last edited: Mar 30, 2018
    Vasudev likes this.
  49. Robbo99999

    Robbo99999 Notebook Prophet

    Replying to my own post, because I have follow up information after I have now contacted MSI Support. They say that the Intel Security Vulnerability that they're referring to is "INTEL-SA-00086 issue" - this is the Intel Management Engine vulnerability. I've checked with an Intel tool, and this vulnerability has indeed been fixed with this new BIOS. Additionally, MSI support told me that they will be releasing a BIOS "in the future" which has the Spectre vulnerability fixed.
     
    Vasudev and hmscott like this.
  50. hmscott

    hmscott Notebook Nobel Laureate

    As long as you have an informative contact now in MSI, would you please ask them if they think the Spectre microcode needs to be done as a BIOS update, as Microsoft has already done it via Windows and Linux also provides microcode updates through Intel updates in the OS.

    Thank you! :)
     
    Vasudev likes this.