The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

    Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.

  1. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    Ashtrix, Papusan, Vasudev and 2 others like this.
  2. Matthew Gary

    Matthew Gary Notebook Consultant

  3. Spartan@HIDevolution

    Spartan@HIDevolution Company Representative

    Didn't measure it benchmark-wise, but it feels less snappy. I know my machine very well. It's not the same. It's like you downgraded your CPU by a few clocks and everything has a bit of a lag to it compared to before.

    OR it could be the fact that I changed my RAID 0 from 128K stripe size to 16K as suggested by @ole!!! Next time I format, I'll go back to 128K and see if the snappiness goes back to normal
     
    Last edited: Jan 5, 2018
  4. TANWare

    TANWare Just This Side of Senile, I think. Super Moderator

    Unless you have a true hardware RAID controller, the CPU is used to bind the striped data. The smaller the stripe size, the higher the CPU overhead to combine the stripes.
     
    Ashtrix, Raiderman, Papusan and 3 others like this.
  5. Spartan@HIDevolution

    Spartan@HIDevolution Company Representative

    ouch, guess I'll have to go back to the MSI recommended 128K stripe size then
     
    KY_BULLET, Raiderman and ajc9988 like this.
  6. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    So are the patches supposed to be available via Windows update, or downloaded & applied manually? Windows Update offers nothing on any of the machines I have access to... \=
     
    Vasudev likes this.
  7. hmscott

    hmscott Notebook Nobel Laureate

    These kinds of mass upgrade restarts often result in instance problems anyway regardless of the patch or changes, so rather than jump to conclusions we should watch and wait for things to work out.

    Given the fixed nature of hardware you can be running at the edge of resources already and then a change pushes your performance off the edge. AWS is supposed to reduce this effect, giving you expanding resources automatically - or configurable on demand - so although there are problems upon restart, they can be mitigated automatically or manually over time.

    Besides the real problems being fixed, fixing the problems through restarts is problematic itself, and part of the whole disruption these issues bring with them.

    ME TOO: Instance does not boot any more - Amazon, please help us!
    https://forums.aws.amazon.com/thread.jspa?threadID=270652&tstart=0

    With additional changes / updates sure to follow, this will repeat each time new updates / fixes are rolled out.

    The worst part might come later when such security fixes roll out along with "regular" fixes and updates, forcing all the changes to be applied due to the nature of the rollups - and the requirement to apply security fixes.

    It's a mess, with ongoing messes along with any resource hits that are sustained ongoing, if any.
     
    Last edited: Jan 5, 2018
    ajc9988 likes this.
  8. jclausius

    jclausius Notebook Virtuoso

    Starlight5 likes this.
  9. hmscott

    hmscott Notebook Nobel Laureate

    AWS is providing feedback now, here's an AWS customer sharing the response they got from AWS Support:

    Re: Degraded performance after forced reboot due to AWS instance maintenance
    https://forums.aws.amazon.com/thread.jspa?threadID=269858&start=25&tstart=0
    Posted by: XXXX
    Posted on: Jan 5, 2018 9:02 AM in response to: XXXX

    "From last one week i.e from the day the patch got applied , we are seeing terrible performance degrade, our ETL server which is an c3.8xlarge machine which was running fine from last 2 years , all of sudden we are seeing consistent load averages between 25+ and 60+ on a 32 CPU machine which is not at all the case earlier

    This is what the response we have got from AWS on this:"

    "Thank you for reaching AWS Premium Support. My name is XXXX and I will be assisting you today. I understand that you have noticed an increase in CPU workload on your server i-xxx after the maintenance Reboot on 4th January 2018. As a part of the recent disclosure from research regarding the side-channel analysis of speculative execution on modern computer processors (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754), AWS is updating the underlying EC2 infrastructure to be fully protected against these issues. As a result of these fixes, depending on the precise workload, operating system, and hypervisor, customers may experience increased CPU usage. Depending on the precise workload, operating system, and hypervisor, customers may experience increased CPU usage after their instances receive the AWS updates and OS patches. We expect that for many customers the increase will be minimal, although certain workloads may see a meaningful change in performance. We are actively working with Intel and the broader community to identify ways to minimize this impact. Over the past several years, AWS has developed features, including Enhanced Networking, that offers better performance through hardware offload of common operations, and we recommend performance-conscious customers use these features. For more details about the recent disclosure on this, please see AWS security bulletin ( https://aws.amazon.com/security/security-bulletins/AWS-2018-013/) I hope this information is helpful for you. Please feel free to ask if you have any further questions or concerns and I will be more than happy to help you further! Have a good day!"
     
    Ashtrix, Raiderman, ajc9988 and 2 others like this.
  10. ajc9988

    ajc9988 Death by a thousand paper cuts

    Class actions still help, and attorneys can only get 20-35% of the amount, after expenses. Class actions must also be certified, etc., which take work, from identifying claimants to showing the same injury. Then you have to show diversity or fed question jurisdiction, make sure you don't kill diversity, etc., etc., etc. So, yes, attorneys do take a bit, but you can see many multiples of what you would receive otherwise due to them, depending on the case.
     
    Vasudev likes this.
  11. jclausius

    jclausius Notebook Virtuoso

    For those of you interested in the Intel stock angle - https://arstechnica.com/information...-before-security-bug-reveal-raises-questions/

    "Intel stock, as of today, is trading at roughly the same price as Krzanich sold stock at, so he did not yield any significant gain from selling before the vulnerability was announced."

    Maybe nothing will happen to their stock price in the long run (including any effect by class action suits), but I suspect the SEC will take a long, hard look at the CEO's stock transaction.
     
    ajc9988 likes this.
  12. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    Vasudev likes this.
  13. Matthew Gary

    Matthew Gary Notebook Consultant

    Regardless they are bloodsuckers for the most part. Although there are a few decent ones out there.


    Sent from my iPhone using Tapatalk
     
  14. Vasudev

    Vasudev Notebook Nobel Laureate

    Delete the software distribution folder and re-check for updates. Otherwise download the offline installer, which installs much faster than standard WU.
     
    Starlight5 likes this.
  15. jclausius

    jclausius Notebook Virtuoso

    Ran Updates on my Win 10 machines yesterday. They all report up to date, but I haven't seen any update that looks like it names Spectre or Meltdown.

    So, take that with a grain of salt as I'm not really sure what that means myself...
     
    Starlight5 likes this.
  16. ajc9988

    ajc9988 Death by a thousand paper cuts

    That isn't the only theory, although it is part. Stock drop after disclosure was a certain percent. There is an amount that the stock was above that, called inflation theory. The idea is that the stock price was inflated during the period in which he sold, which means you have to do an event study to attribute how much the stock would have been inflated at the time of sale and what portion is attributed to this omission. Now, he purposely waited for the inflation of value due to the 14-18 core chips AND them moving the release of 8700K from Q1 2018 to October, knowing that the chip had the bug (so selling it instead of eating inventory costs).

    So don't believe that simplistic analysis of cost. I can think of numerous ways I'd attack this if I was running it.

    Edit: and a note on 10b5-1 stock sale filings, you have to make sure the sale is set up BEFORE having inside information available to the filer. Here, he would have to claim that he was unaware of the security flaw in the chips from June to Oct. 31, when the 10b5-1 filing took place. Knowing that it was embargoed and that this potentially affects chips dating back to 1995, along with it raising potential lawsuit liabilities that affect quarterly filings due to cash reserves, etc., it seems unlikely that his explanation that he didn't know would withstand scrutiny. Further questions come on when the performance hit to the product line was known, etc., but this is all for court and discovery.

    Go to Microsoft's update catalog, refine search to this month, and download the stand alone security updates for your OS and build. Will update with a link when I get back to my desk.
     
    Starlight5 and jclausius like this.
  17. Robbo99999

    Robbo99999 Notebook Prophet

    Mine updated through Windows Update yesterday after occasionally clicking the "Check for Updates" button.
     
    hmscott likes this.
  18. ajc9988

    ajc9988 Death by a thousand paper cuts

    hmscott, Starlight5 and jclausius like this.
  19. TANWare

    TANWare Just This Side of Senile, I think. Super Moderator

    I went to 1709 cumulative yesterday, not sure if this includes the patch. I had to redo W10 as it again lost performance prior to the update on the CPU. Went from 26,700+ to 16,000 or so in Passmark CPU. It loses scores in both Integer and floating point tests but the others hold their scores.

    This time I installed Macrium Reflect so I can try and keep an image of a working high performance and hopefully find what is killing the scores.
     
    Ashtrix, hmscott, Papusan and 2 others like this.
  20. ole!!!

    ole!!! Notebook Prophet

    chipset raid is hardware raid, but give it a try. also remember, it is based on your usage as well, my usage is i have ram disk to take out all the garbage writes to SSD so i am strictly focusing on random read with smaller stripe size. and of course, benchmark is just benchmark, but iirc the change with OS update to patch cpu bug will hurt the performance based on your usage scenario as well.

    imho there's no point of patching it, i read somewhere they mentioned cpu in the last decade are affected by this. well i've had only intel CPU since first gen i7 and no issue, people just gotta use their computer safe and understand it i guess.
     
  21. ajc9988

    ajc9988 Death by a thousand paper cuts

    Yes, please check and see if M$ is applying the update to AMD to show if they needlessly screw them on performance.
     
    hmscott and Raiderman like this.
  22. Talon

    Talon Notebook Virtuoso



    First gen i7 6 core having absolutely no issues with the patch. He actually gained performance in most cases. I think it's safe to say for now the home user has absolutely nothing to worry about.
     
    Ashtrix, KY_BULLET, Papusan and 2 others like this.
  23. TANWare

    TANWare Just This Side of Senile, I think. Super Moderator

    I can tell you with 1709 there is no effect to CB R15 or Passmark worth noting. They seem within statistical +/- as you would expect normally. I had not tried any GPU benchmarks yet, have not had time to install them yet.
     
    hmscott, Raiderman and ajc9988 like this.
  24. ajc9988

    ajc9988 Death by a thousand paper cuts

    WORST SECURITY ADVICE EVER!!!!

    Everyone needs this patch, especially since the full implications are published on the 9th, and attacks will be modeled on these disclosed exploits in short order. Already, just from discussing without details, a Ph.D. student was able to replicate it. With full disclosure, how do you think that is going to do when hackers that steal and sell data get hold of it? PATCH YOUR SYSTEMS!

    try the spec benches, sisoft, etc.
     
  25. ole!!!

    ole!!! Notebook Prophet

    what kind of attacks would it be? if it affects my daily usage, and risks my data going out, i'll patch it, otherwise, i won't bother.
     
    Donald@Paladin44 likes this.
  26. ajc9988

    ajc9988 Death by a thousand paper cuts

    There are THREE known vulnerabilities. Spectre is two, Meltdown is one. Meltdown is the one where, due to Intel's design, you will get a slowdown. So it needs patched because your user ID and password, among other data kept in the Kernel, can be leaked and sent out. Spectre is more long term and will have MANY more vulnerabilities discovered over time.

    The patch helps with all three, but Meltdown is the most severe, meaning take the I/O hit, which isn't severe in consumer uses (but it is present) to keep your stuff safe. Read the entire thread. Read the Google papers on the issue. This isn't something you want to let go and risk it for small performance. If you are doing things GREATLY affected by this patch, then you need it even more for security.

    Basically, if you don't, you can and will be owned and due to the nature of it, they can make owning you after the fact where it leaves little if any trace (plus, it looks like an authorized remote access if they have your credential information, which is some of the information this attack gets from the kernel and can be sent back, before they go back to clean up). Seriously, this is a HUGE vulnerability!

    Sorry for the simplicity in the post here, but it has been detailed well over the past pages and repeating the same things becomes tedious.
     
  27. ole!!!

    ole!!! Notebook Prophet

    yea, i don't mind my password/file data going out as the real important stuff is in my head. imho, though i haven't read the detailed stuff about its risks, i'd personally think it's much more of a serious problem for enterprise/business people. for consumers, if they wanted to steal data, they'd be WAYYY better off hacking companies like Equifax or other credit company and steal millions in one go. i'd keep my view the same for now, no need to patch, at least not for consumers.
     
    Donald@Paladin44 likes this.
  28. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    I can't do anything than smile on the last posts in this thread :D From IMPORTANT SECURITY UPDATE! Thread

    Edit. The pict below can tell you more than words:p From https://hothardware.com/

    -----------------------------------

    Apple devices are already protected against Meltdown without any hit to performance
    "Apple stated today that while most of its devices are indeed vulnerable to the two exploits, the most recent OS updates included mitigations that guard against Meltdown. On top of that, Apple says that these mitigations come with no reduction in performance. This is significant because some security researchers have said that fixes against the exploits are possible but will likely come at the cost of performance."

     
    Last edited: Jan 5, 2018
  29. Ashtrix

    Ashtrix ψυχή υπεροχή

    Have been travelling and thanks to this thread was trying to follow (will try to catch up today) but this is the hottest thread on NBR I guess. Whoa as always media propaganda blows everything out of proportion. The 30% perf loss figure just skyrocketed, exploded lol. Humans tend to observe the numbers a lot over the theory part & Intel's position looks like they have been bludgeoned and burned in the coldest winter (good, tired to see them rip off and pulling off cheap games at us and forcing us, planning to EOL BIOS too), Embargoed article and massive media fueling & the results for the normal consumers aren't anywhere near that quoted number.

    Glad to see BGAtel burning. Anyone interested in having some extra crisp fresh chips with some nice PR hotsauce all over :p?

    Thank you fellas for the updates and info :vbthumbsup:
     
    Last edited: Jan 5, 2018
  30. Support.2@XOTIC PC

    Support.2@XOTIC PC Company Representative

    Playing with SP2 and update, I can't tell much of a difference in basic use, but it's showing its age anyway, so I'm not sure how much I'd notice slowness. Will check with the desktop over the weekend probably.
     
  31. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    I cleared the software distribution folder yet the system still reports up to date. I am using Avast antivirus which is listed as compatible with this update, the compatibility registry key is there. I definitely need to understand what the **** is going on since the situation when an important security update is not offered on Windows 10 is ****ing unacceptable.
     
    Vasudev, Donald@Paladin44 and hmscott like this.
  32. ajc9988

    ajc9988 Death by a thousand paper cuts

    They are rolling it out by region over time to not overload server capacity. Try to do it manually from the update catalog.
     
  33. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Always do it manually!! Can’t give better advice than this.
     
    Ashtrix, Vasudev, KY_BULLET and 4 others like this.
  34. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    It turned out Avast was the culprit. The updates began downloading the very moment I uninstalled it. Guess it's time for a new antivirus.
     
    hmscott likes this.
  35. Raidriar

    Raidriar ლ(ಠ益ಠლ)

    Has nobody stopped to think how incredible it is that nearly every mainstream chip in the past 7-8 years is affected by this, across Intel, AMD, and ARM? This is ****ing ridiculous, how is it in 10 years across three totally different chip architects, that NOBODY managed to discover, or if they knew about it, patch this bug? Think about it. Every iPhone ever made, every iPod touch ever made, my damn Thinkpad T61P from 2007!

    Merom > Penryn> Nehalem > Sandy Bridge > Ivy Bridge > Haswell > Broadwell > Skylake > Cannonlake > Coffee lake ALL AFFECTED.

    ....I'll go use my T43P Pentium M now..... (joking, but only half joking...)
     
    Ashtrix, ExMM, hmscott and 1 other person like this.
  36. ajc9988

    ajc9988 Death by a thousand paper cuts

    Welcome to greed. It's good to meet you....


    Really just the opening line about scammers is all that is relevant, but I do like futurama.
     
    Last edited: Jan 5, 2018
    Papusan, Raiderman and Starlight5 like this.
  37. Mr. Fox

    Mr. Fox BGA Filth-Hating Elitist

    Nah, they've probably known about it for years. I absolutely refuse to believe it was just discovered. I might have been born at night, but it wasn't last night.

    There is an ulterior motive for somebody for things to have played out in the manner they have. What's even far more ridiculous than how long it has been this way is all of the media attention and silly hype that it has received. Just... really... stupid. Like putting a sign in your front yard that says, "Owner is on vacation until 2/1/2018. Lots of cool stuff inside."
     
    Last edited: Jan 5, 2018
    Ashtrix, cfe, ExMM and 5 others like this.
  38. hmscott

    hmscott Notebook Nobel Laureate

    Ubuntu Updates for the Meltdown / Spectre Vulnerabilities
    By Dustin Kirkland on 4 January 2018
    https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/
    Unfortunately, you’ve probably already read about one of the most widespread security issues in modern computing history — colloquially known as “Meltdown” (CVE-2017-5754) and “Spectre” (CVE-2017-5753 and CVE-2017-5715) — affecting practically every computer built in the last 10 years, running any operating system. That includes Ubuntu.

    I say “unfortunately”, in part because there was a coordinated release date of January 9, 2018, agreed upon by essentially every operating system, hardware, and cloud vendor in the world. By design, operating system updates would be available at the same time as the public disclosure of the security vulnerability. While it happens rarely, this is an industry standard best practice, which has broken down in this case.

    At its heart, this vulnerability is a CPU hardware architecture design issue. But there are billions of affected hardware devices, and replacing CPUs is simply unreasonable. As a result, operating system kernels — Windows, MacOS, Linux, and many others — are being patched to mitigate the critical security vulnerability.

    Canonical engineers have been working on this since we were made aware under the embargoed disclosure (November 2017) and have worked through the Christmas and New Years holidays, testing and integrating an incredibly complex patch set into a broad set of Ubuntu kernels and CPU architectures.

    Ubuntu users of the 64-bit x86 architecture (aka, amd64) can expect updated kernels by the original January 9, 2018 coordinated release date, and sooner if possible. Updates will be available for:
    • Ubuntu 17.10 (Artful) — Linux 4.13 HWE
    • Ubuntu 16.04 LTS (Xenial) — Linux 4.4 (and 4.4 HWE)
    • Ubuntu 14.04 LTS (Trusty) — Linux 3.13
    • Ubuntu 12.04 ESM** (Precise) — Linux 3.2
      • Note that an Ubuntu Advantage license is required for the 12.04 ESM kernel update, as Ubuntu 12.04 LTS is past its end-of-life
    Ubuntu 18.04 LTS (Bionic) will release in April of 2018, and will ship a 4.15 kernel, which includes the KPTI patchset as integrated upstream.

    Ubuntu optimized kernels for the Amazon, Google, and Microsoft public clouds are also covered by these updates, as well as the rest of Canonical’s Certified Public Clouds including Oracle, OVH, Rackspace, IBM Cloud, Joyent, and Dimension Data.

    These kernel fixes will not be Livepatch-able. The source code changes required to address this problem is comprised of hundreds of independent patches, touching hundreds of files and thousands of lines of code. The sheer complexity of this patchset is not compatible with the Linux kernel Livepatch mechanism. An update and a reboot will be required to activate this update.

    Furthermore, you can expect Ubuntu security updates for a number of other related packages, including CPU microcode, GCC and QEMU in the coming days.

    We don’t have a performance analysis to share at this time, but please do stay tuned here as we’ll followup with that as soon as possible.

    Thanks,
    @DustinKirkland
    VP of Product
    Canonical / Ubuntu"

    Meltdown threat from vCPUs and non AWS linux distro - ubuntu specifically
    https://forums.aws.amazon.com/message.jspa?messageID=822843#822843
     
    Last edited: Jan 5, 2018
    Raiderman and ajc9988 like this.
  39. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

  40. ajc9988

    ajc9988 Death by a thousand paper cuts

    That is why I switched to nightlies for now. I couldn't wait for the patch to be available, needed security first (and not stressing my system with Artful where it would cause many issues).
     
    hmscott likes this.
  41. ole!!!

    ole!!! Notebook Prophet

    this just shows how little people cared, and if any serious incident took place it'd be revealed much earlier, which means this probably isn't much of an issue till people made a big story out of it.
     
    Mr. Fox and Papusan like this.
  42. hmscott

    hmscott Notebook Nobel Laureate

    Yup, saw this as part of the update instructions, here's another warning from MS about AV and updates:

    Important: Windows security updates released January 3, 2018, and antivirus software
    https://support.microsoft.com/en-us...windows-security-updates-and-antivirus-softwa

    Microsoft warns patches for Meltdown, Spectre may clash with AV

    Howard Solomon @howarditwc
    Published: January 5th, 2018
    https://www.itworldcanada.com/artic...for-meltdown-spectre-may-clash-with-av/400394

    Meltdown and Spectre: what you need to know
    Posted: January 4, 2018 by Malwarebytes Labs
    https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/
    UPDATE (as of 1/04/18): Since the Malwarebytes Database Update 1.0.3624, all Malwarebytes users are able to receive the Microsoft patch to mitigate Meltdown.
     
    Last edited: Jan 6, 2018
    ajc9988 and Papusan like this.
  43. saturnotaku

    saturnotaku Notebook Nobel Laureate

    NOD32 must be compliant because I downloaded and installed the update from the WU catalog website with no conflict.

    The only issue I've experienced thus far is one of my desktop shortcuts got corrupted to where the icon would no longer display after a system reboot. Cleaning the icon cache didn't work, so I had to uninstall and reinstall the program to get it back.
     
    Papusan and hmscott like this.
  44. Raidriar

    Raidriar ლ(ಠ益ಠლ)

    Bitdefender is also compatible with the update, I downloaded the update for Windows 7 without problem. Haven't noticed any degradation in overall system performance.
     
    ajc9988 and hmscott like this.
  45. hmscott

    hmscott Notebook Nobel Laureate

    Google recommends Enabling Site Isolation in Chrome:

    tl;dr
    The Site Isolation feature is available as an experimental flag currently. It is available for all desktop systems — Windows, Mac and Linux — as well as ChromeOS and Android.
    1. Load chrome://flags/#enable-site-per-process in Chrome’s address bar to jump straight to it.
    2. Click on the “enable” button to change its state.
    3. Restart the Chrome browser.
    It looks like this when Enabled and Chrome restarted:

    Out of process iframes Mac, Windows, Linux, Chrome OS, Android
    Highly experimental support for rendering cross-site iframes in separate processes. #enable-site-per-process
    Disable

    How to enable Strict site isolation mode in Google Chrome
    https://www.ghacks.net/2017/12/08/how-to-enable-strict-site-isolation-mode-in-google-chrome/

    Actions Required to Mitigate Speculative Side-Channel Attack Techniques
    https://www.chromium.org/Home/chromium-security/ssca

    " Actions Required to Mitigate Speculative Side-Channel Attack Techniques
    Researchers from Google's Project Zero recently disclosed a series of new attack techniques against speculative execution optimizations used by modern CPUs. This research has implications for products and services that execute externally supplied code, including Chrome and other browsers with support for JavaScript and WebAssembly. Further information about other Google products and services, including Chrome OS, is available on the Google Online Security Blog.

    Chrome allows users to enable an optional feature called Site Isolation which mitigates exploitation of these vulnerabilities. With Site Isolation enabled, the data exposed to speculative side-channel attacks are reduced as Chrome renders content for each open website in a separate process. Read more about Site Isolation, including some known issues, and how to enable it via enterprise policies or via chrome://flags.

    Chrome's JavaScript engine, V8, will include mitigations starting with Chrome 64, which will be released on or around January 23rd 2018. Future Chrome releases will include additional mitigations and hardening measures which will further reduce the impact of this class of attack. Additionally, the SharedArrayBuffer feature is being disabled by default. The mitigations may incur a performance penalty.

    Web developers should consider the following advice to best protect their sites:
    • Where possible, prevent cookies from entering the renderer process' memory by using the SameSite and HTTPOnly cookie attributes, and by avoiding reading from document.cookie.

    • Make sure your MIME types are correct and specify a nosniff header for any URLs with user-specific or sensitive content, to get the most out of cross-site document blocking for users who have Site Isolation enabled.
    In line with other browsers, Chrome will disable SharedArrayBuffer starting on Jan 5th, and modify the behavior of other APIs such as performance.now, to help reduce the efficacy of speculative side-channel attacks. This is a temporary measure until other mitigations are in place."
     
    Last edited: Jan 6, 2018
    alexhawker, aaronne and ajc9988 like this.
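The web-developer advice quoted in the post above (SameSite and HttpOnly cookies, correct MIME types, a nosniff header) can be checked mechanically against a site's responses. The following is an added example, not part of the original thread and not Chromium's code; the function names, the sample responses, and the choice to treat SameSite=None as failing are assumptions of this example.

```javascript
// Added example, not Chromium's code. Header and body samples are constructed.
// Parse one Set-Cookie value into its cookie name and lower-cased attributes.
function cookieAttributes(setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const flags = new Map(attrs.filter(Boolean).map((a) => {
    const [k, v = ''] = a.split('=');
    return [k.trim().toLowerCase(), v.trim().toLowerCase()];
  }));
  return { name: pair.split('=')[0], flags };
}

// True when the body parses as a JSON object or array.
function looksLikeJson(body) {
  try { return typeof JSON.parse(body) === 'object'; } catch { return false; }
}

// `headers` maps lower-cased header names to a string (set-cookie: string or array).
function auditResponse(url, headers, body = '') {
  const findings = [];
  const add = (msg) => findings.push(`${url}: ${msg}`);
  for (const raw of [].concat(headers['set-cookie'] || [])) {
    const { name, flags } = cookieAttributes(raw);
    if (!flags.has('httponly')) add(`cookie "${name}" lacks HttpOnly`);
    // SameSite=None still sends the cookie cross-site, so only Lax/Strict pass.
    const sameSite = flags.get('samesite');
    if (sameSite !== 'lax' && sameSite !== 'strict') add(`cookie "${name}" lacks SameSite=Lax/Strict`);
  }
  const type = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (!type) add('no Content-Type declared');
  else if (looksLikeJson(body) && !/(^|[\/+])json$/.test(type)) add(`JSON body served as ${type}`);
  const sniff = (headers['x-content-type-options'] || '').trim().toLowerCase();
  if (sniff !== 'nosniff') add('missing X-Content-Type-Options: nosniff');
  return findings;
}

// Constructed samples: the same JSON body served weakly and then hardened.
const weak = {
  headers: { 'content-type': 'text/html', 'set-cookie': ['session=abc123; Path=/; Secure'] },
  body: '{"email":"user@example.test"}',
};
const hardened = {
  headers: {
    'content-type': 'application/json',
    'x-content-type-options': 'nosniff',
    'set-cookie': ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict'],
  },
  body: weak.body,
};
for (const s of [weak, hardened]) console.log(auditResponse('/api/profile', s.headers, s.body));
```

The weak sample yields four findings and the hardened one none; feed it headers captured from your own endpoints that return user-specific content.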
  46. yrekabakery

    yrekabakery Notebook Virtuoso

    Reputations:
    1,470
    Messages:
    3,438
    Likes Received:
    3,688
    Trophy Points:
    331
    You'd have to go even further back, to the original Pentium (P5). Every Intel CPU which uses OoOE (out-of-order execution) is potentially affected by Meltdown, which means virtually all of them since 1995, except for Itanium and pre-2013 Atom.
     
    Ashtrix and ajc9988 like this.
  47. Raidriar

    Raidriar ლ(ಠ益ಠლ)

    Reputations:
    1,708
    Messages:
    5,820
    Likes Received:
    4,311
    Trophy Points:
    431
    Alrighty then, Thinkpad 380XD with Pentium MMX it is!
     
  48. KY_BULLET

    KY_BULLET Notebook Evangelist

    Reputations:
    802
    Messages:
    655
    Likes Received:
    794
    Trophy Points:
    106

    Well at least I can rest easy knowing that my old D900F running the 990X will still be good to go!
     
    jclausius, Ashtrix and Mr. Fox like this.
  49. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    Mozilla Foundation Security Advisory 2018-01
    Speculative execution side-channel attack ("Spectre")

    January 4, 2018
    Jann Horn (Google Project Zero); Microsoft Vulnerability Research
    IMPACT: HIGH
    PRODUCTS: Firefox
    FIXED IN: Firefox 57.0.4

    Jann Horn of Google Project Zero Security reported that speculative execution performed by modern CPUs could leak information through a timing side-channel attack. Microsoft Vulnerability Research extended this attack to browser JavaScript engines and demonstrated that code on a malicious web page could read data from other web sites (violating the same-origin policy) or private data from the browser itself.

    Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. The precision of performance.now() has been reduced from 5μs to 20μs, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer.

    SharedArrayBuffer is already disabled in Firefox 52 ESR.

    References
    Update [January 4, 2018]: We have released the two timing-related mitigations described above with Firefox 57.0.4, Beta and Developers Edition 58.0b14, and Nightly 59.0a1 dated “2018-01-04” and later. Firefox 52 ESR does not support SharedArrayBuffer and is less at risk; the performance.now() mitigations will be included in the regularly scheduled Firefox 52.6 ESR release on January 23, 2018.
     
    ajc9988 likes this.
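The two timing mitigations in the Mozilla advisory quoted above can be verified from script. This is an added example, not from the thread or from Mozilla: it estimates the smallest interval a clock can resolve, using a constructed clamped-clock model for the 5μs and 20μs cases, and reports whether SharedArrayBuffer is exposed in the current runtime. All function names are hypothetical.

```javascript
// Added example, not Mozilla's code. The clamped clock is a constructed model
// of a reduced-precision timer; real browsers may also add jitter.

// Model clock: advances `stepUs` microseconds per read and reports the time
// rounded down to a multiple of `resolutionUs`, as a clamped timer would.
function makeClampedClock(stepUs, resolutionUs) {
  let t = 0;
  return () => {
    t += stepUs;
    return Math.floor(t / resolutionUs) * resolutionUs;
  };
}

// Smallest non-zero step seen between consecutive reads of `nowUs`, i.e. the
// finest interval a script can resolve with that clock (Infinity if none seen).
function estimateGranularityUs(nowUs, reads = 10000) {
  let smallest = Infinity;
  let prev = nowUs();
  for (let i = 0; i < reads; i++) {
    const cur = nowUs();
    if (cur > prev) smallest = Math.min(smallest, cur - prev);
    prev = cur;
  }
  return smallest;
}

// Report what the current runtime exposes to scripts.
function timerExposureReport() {
  const hasPerf = typeof performance !== 'undefined' && typeof performance.now === 'function';
  return {
    sharedArrayBuffer: typeof SharedArrayBuffer !== 'undefined',
    performanceNowGranularityUs: hasPerf
      ? estimateGranularityUs(() => performance.now() * 1000)
      : null,
  };
}

console.log('model 5us clock :', estimateGranularityUs(makeClampedClock(3, 5)));
console.log('model 20us clock:', estimateGranularityUs(makeClampedClock(3, 20)));
console.log('this runtime    :', timerExposureReport());
```

Pasted into a browser console, `timerExposureReport()` shows whether the installed build has the coarser timer and whether SharedArrayBuffer is still reachable.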
  50. ajc9988

    ajc9988 Death by a thousand paper cuts

    Reputations:
    1,750
    Messages:
    6,121
    Likes Received:
    8,849
    Trophy Points:
    681
    To do the same as site isolation on Chrome, this is how to do it in Firefox:
    1. Load the URL about:config?filter=privacy.firstparty.isolate in the Firefox address bar.
    2. Double-click on privacy.firstparty.isolate to set the preference to true.

      https://www.ghacks.net/2017/11/22/how-to-enable-first-party-isolation-in-firefox/
     
    aaronne and hmscott like this.