Putting it off isn't fortunate, it's putting it off - and staying exposed.
What are you worried about?
There haven't been reports of large drops in FPS in games after the patches, and for most games not even small drops. Any small differences are within the range of error in measurement, variations between runs.
There are serious performance hits for other users, doing VM's, doing Database work, heavy disk IO uses, and who knows what else, but gaming and benchmarking aren't getting hit.
So there's really no reason to wait, why wait? What negative outcome do you expect that keeps you from updating?
@ajc9988 gets it.
-
"An ounce of prevention is worth a pound of cure." - proverb
...it's easier to stop something from happening in the first place than to repair the damage after it has happened. -
"Intel CPU Bug Cannot Be Fixed With Microcode Update | Cripples Performance Up To 30 Percent"
Yeah, let me hurry up and get some of that!!! LOL! Better to observe what happens to those that rush to drink the Kool-Aid before tipping one's own glass.
-
It gets people's attention and gets them to read or listen to the situation.
Maybe it's time to rename the thread to something like:
CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more.
Let's see what the mods think. -
There are bad reactions as a percentage to all preventive measures, and that's to be expected, but you can't ignore the millions of people saved from suffering from the Flu because they and everyone else around them did get a Flu shot.
The Flu shot saves lives, even those lives of the people that didn't get the Flu shot themselves.
I was also vaccinated, and haven't gotten all of those diseases, and more importantly I haven't passed them on to anyone else.
You are clearly willing to roll the dice and take the hits of suffering, but that's not cool to recommend other people do that as well, as those preventions aren't only something for the individual, they are given to everyone to prevent the spread of disease to others.
You may not suffer from the Flu when exposed, you may be able to fight it off without personal damage, but the dozens or more people you expose to the Flu may not be as lucky. -
Applying Micro$loth updates manually, when appropriate and the outcome is clearly defined, is perfectly fine and good. Allowing them to automatically download and install willy-nilly still isn't very smart, and it never will be. And, it's not good that they are bundling crap and not providing full disclosure with concise release notes describing each update. -
Same is true with this. You might be fine with the identity theft or exposure of your documents, etc. Others may not be and could have disastrous consequences if exposed. And, yes, someone could counter that almost everyone's personal info was stolen by now (Equifax alone did that for the majority of U.S. citizens, which handled our Social security numbers for the IRS and managed their records), but that is not the point. You might open up new accounts, get a new debit card, etc. The reason they want to steal passwords, usernames, etc., is to expose new information that is being traded. Hell, I even had my bank card info stolen once. Caught it due to my own monitoring, not my bank's, but they were happy when I cancelled it and got a new card, filed an official statement, etc. -
If the % of machines is small there won't be any payback worth the investment to create tools and make the effort to hack those machines.
Every machine patched is one less machine that can be used as a tool for the hacker criminals, terrorists, government and corporate spies, that exposes not just that machines owner, but every person they convinced not to patch their machines.
In this case setting a bad example by telling people not to patch their systems is helping the bad guys by providing them opportunities of attack. -
Robbo99999 Notebook Prophet
Regarding Windows Update & whether to turn off automatic updates or not - I have a vanilla Windows 10 Home install, and let it do everything it wants (although I have disabled Cortana as much as I can through the regular setting panels), and I have a well performing trouble free system*. The latest Windows patch to fix the vulnerability discussed in this very thread didn't really drop performance or snappiness for me at all:
http://forum.notebookreview.com/thr...up-to-30-percent.812424/page-18#post-10658408
I understand people like Mr Fox though that disable Windows Updates, that want to control all elements of their system, but for most people it's simpler, safer, and not really sacrificing any performance by just leaving Windows 10 in vanilla state & allowing windows updates.
*I did post somewhere here on NBR that I had a strange issue where Windows would freeze and need to be rebooted, which happened about once every 4 days since the introduction of the Fall Creators Update of Windows 10, but at the moment it looks like I fixed the problem by updating 1 week ago to the very latest Intel Rapid Storage Technology driver available on the Intel website. So, it's clear that Windows 10 is not without problems during its major updates, but I don't believe in disabling the updates, Microsoft could do better though - specifically in not rolling out constant feature updates (not talking security updates) to their operating system & by more thoroughly testing them prior to release! -
You take the opposite approach on many things, like saying that nobody should ever use liquid metal thermal paste because the risk is greater than any reward, while those that do already know beyond the shadow of any doubt that the reward can be worth the risk. Does it require caution? Yes. Should they be told to never do it under any circumstances? I don't think so.
I do not live in a glass house and don't have to worry about the neighborhood thugs throwing rocks at it. Total avoidance is one approach. Caution and calculated risk is another. There is a huge difference between being careless versus deliberate and fearless. Figuring out or worrying about who is going to be stupid or careless isn't my problem. I'm still going to tell them what the best approach is based on my own experience.
-
"Indeed, it seems that there is a compatibility issue between the latest Windows 10 updates and AMD CPUs. Intel machines don’t seem to be affected by this problem.
Microsoft has yet to issue any comments on this matter despite the significant number of user complaints.
This is not the first time when computers powered by AMD processors have been plagued by display issues. As a quick reminder, just one month ago thousands of users complained about display problems on AMD Radeon video cards.
Microsoft quickly released KB4057291 but even back then the update failed to fix the issue for all users. The nightmare is not over yet for AMD PC owners as January updates brought a new problem."
-
It's more of a permanent fix to stop all updates. -
Disabling Windows Update as a way to stick your head in the sand and ignore it all, that's what I have the problem with.
There are several posts listing the Microsoft Catalog server patch downloads, lists of KB patches for all the Windows OS's, and new posts informing progress every day.
Manual updates are better, unless you can't spend the time to get the latest updates quick enough and apply them manually.
For those of us that spend time every day administering computers, this isn't much of an added burden, outside the hype the actual work is just another patch to work into the schedule of updates.
For everyone with real lives, and don't typically pay attention to security patches at all, Automatic Windows Updates are the only way to get through this with the least amount of life interruption, as long as Microsoft is careful with the patches being rolled out. -
EDIT: It isn't that I don't believe it. MS has botched all sorts of patches and it is clear that from AV compatibility to this, there are issues. Part of that is not having until the 9th to push the update due to the leak on the issue. That put a lot of OS companies, and other companies, in a tight spot. One week can fix a lot of code and issues. -
Talking in loose generalities and vague insinuations isn't helpful.
I've been seeing lots of reports from AMD owners that have installed the patches without issue, and have posted before and after benchmarks in some of the reddit links I've already posted.
I haven't seen a single patch problem post from anyone with a Windows desktop / laptop computer yet, let alone specific to AMD owners. -
They got hit with the AV incompatibility, which is known and warned even in the original Microsoft instructions - they didn't read them or the people doing the updates weren't told to disable their AV before applying the update.
They do bring up the salient points for us desktop / laptop users doing internet browsing:
"One key risk is that hackers will develop code that can infect the personal computers of people visiting malicious websites, said Chris Wysopal, chief technology officer of cyber security firm Veracode.
He advised PC owners to install the patches to protect against such potential attacks."
Corporations with their own hardware servers will have the same performance hit that the AWS posts are showing for large servers - database - VM's - heavy IO usage, they are all requiring bumping up their Cloud Resources.
But, it's not good the corporate people are thinking like this:
"Computer servers at large enterprises are less at risk, he said, because those systems are not used to surf the web and can only be infected in a Meltdown attack if a hacker has already breached that network."
For Corporations rolling out services on their own hardware they are now going to have to increase resource allocations on VM's, move VM's to unused servers to spread the added load, and probably have to purchase more hardware servers to make up for the loss.
Most new rollouts have a % of hardware over and above that required for the rollout, for future expansion and to have on-hand in case one or more of the physical servers develop hardware problems during the build out.
If they didn't plan for expansion, infant mortality failures, and they pushed through the project with just enough hardware to apply to the current requirements, they will end up short resources by applying the patches.
In that case they would have to forgo the patches, scale back services delivered, or put up with worse response times - or failures of the service at peak usage times.
Forgoing the patch may make them legally liable to customers for data lost, if they get hacked and data is lost, or worse yet services are interrupted.
They are playing a dangerous game in the long run if they forgo the known security hole patches. -
Problems with the online game Fortnite starting at 14:40...
Meltdown & Spectre Updates Benchmarked, Big Slow Down for SSDs!
SSD tests start at 09:20, Fortnite problems at 14:40
This Video is Pointless: Windows Patch Benchmarks
-
They are not likely just leaving themselves fully exposed, but it does take awhile to assess on test client machines to look for issues with software for the corporation for deployment. This is a nightmare for many IT departments all over. The OT involved alone can blow through lots of a budget, needless to say purchasing expansions that are needed for resources. It is a god damn FUBAR.
Now, smaller departments have an advantage in that they have less hardware to evaluate for compatibility, but they often run closer to the resource limit and have smaller budgets. They can afford downtime less than other, larger players. This is why they are trying their best, including testing the spectre code, testing the ME driver and firmware compatibility, testing the OS update compatibilities, etc.
I have a small business setup at home and took the risk by applying because I didn't have separate systems to test and my systems needed secured immediately. Normally, I would have tested, etc., before deployment, but this time I took the risk because I do my own IT and couldn't risk NOT securing my network. I'm not getting sued over it for client data being exposed. -
Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown
by btarunr Thursday, January 4th 2018 21:33
https://www.techpowerup.com/240283/intel-released-coffee-lake-knowing-it-was-vulnerable-to-spectre-and-meltdown
"By the time Intel launched its 8th generation Core "Coffee Lake" desktop processor family (September 25, 2017, with October 5 availability), the company was fully aware that the product it is releasing was vulnerable to the three vulnerabilities plaguing its processors today, the two more publicized of which, are "Spectre" and "Meltdown." Google Project Zero teams published their findings on three key vulnerabilities, Spectre (CVE-2017-5753 and CVE-2017-5715); and Meltdown (CVE-2017-5754) in mid-2017, shared with hardware manufacturers under embargo; well before Intel launched "Coffee Lake." Their findings were made public on January 3, 2018.
Intel's engineers would have had sufficient time to understand the severity of the vulnerability, as "Coffee Lake" is essentially the same micro-architecture as "Kaby Lake" and "Skylake." As one security researcher puts it, this could affect Intel's liability when 8th generation Core processor customers decide on a class-action lawsuit. As if that wasn't worse, "Skylake" and later micro-architectures could require micro-code updates in addition to OS kernel patches to work around the vulnerabilities. The three micro-architectures are expected to face a performance-hit, despite Intel extracting colorful statements from its main cloud-computing customers that performance isn't affected "in the real-world." The company was also well aware of Spectre and Meltdown before its CEO dumped $22 million in company stock and options (while investors and the SEC were unaware of the vulnerabilities)."
Intel Braces for an Avalanche of Class Action Lawsuits
by btarunr Friday, January 5th 2018 08:11
https://www.techpowerup.com/240298/intel-braces-for-an-avalanche-of-class-action-lawsuits
"Following reports of Intel's gross mishandling of its CPU vulnerabilities Spectre (CVE-2017-5753 and CVE-2017-5715), and Meltdown (CVE-2017-5754); particularly its decision to not call off 8th generation Core "Coffee Lake" processor launch after learning of its vulnerability; and a general barrage of "false marketing" allegations, with a dash of "insider trading" allegations added to the mix, the company is bracing for an avalanche of class-action lawsuits in the US, and similar legal action around the world.
Owners of Intel CPU-based computers in California, Oregon, and Indiana, have filed separate complaints alleging that Intel sold vulnerable processors even after the discovery of Meltdown and Spectre; that the chips being sold were "inherently faulty," and that patches that fix them are both an "inadequate response to the problem," and "hurt performance" (false marketing about performance), by 5 to 30 percent. All three complainants are in the process of building Classes." -
I'm glad I won't be installing the update. hmscott you're going crazy over this rofl, calm down a little.
-
Tinderbox (UK) BAKED BEAN KING
Sell on HIGH and buy on LOW, INTEL stock that is.
John. -
Companies will likely diversify their chip security architecture risk by buying more AMD server chips.
Published 7:52 AM ET Fri, 5 Jan 2018 Updated 7:58 PM ET Fri, 5 Jan 2018 Tae Kim | @firstadopter
https://www.cnbc.com/2018/01/05/amd-is-big-winner-from-chip-flaw-fiasco.html
"Fred Hickey, editor of High Tech Strategist, says AMD's new server chips "already had momentum and that momentum will likely be propelled further by the recent security issue disclosures."
Investors are piling into AMD shares and selling Intel stock after major chip security vulnerabilities were revealed earlier this week, and it totally makes sense.
Enterprises will likely diversify their chip security architecture risk for mission-critical applications by buying more AMD server chips. The company's "architecture differences" have proven immune to the more problematic one of the two disclosed vulnerabilities.
British tech website The Register reported Tuesday that some Intel processors have a "fundamental design flaw" and security issue, which spurred the company to confirm the problem later in the day.
AMD shares are up 10.4 percent in the two days through Thursday following the report, while Intel's stock declined 5.2 percent in the period, wiping out $11.3 billion of shareholder value.
One of the two vulnerabilities, called Meltdown, affects Intel processors. The other, named Spectre, could affect chips from Intel, AMD and Arm.
Intel said Wednesday that performance degradation after security updates for Meltdown "should not be significant" for the average user. But on a call with investors, the company admitted a decrease in performance of up to 30 percent was possible after fixes under some "synthetic workloads."
Bank of America Merrill Lynch told clients the big Intel performance hits were "likely for enterprise and server workloads."
On the flip side, AMD said any performance hits will be "negligible" after Spectre-related security software updates and there is "near zero risk of exploitation." The company also confirmed it is not affected by Meltdown due to processor "architecture differences."
Researchers and Apple said Spectre is more difficult to exploit.
Multiple Wall Street analysts predicted AMD will take advantage of the Intel's security issues.
AMD could use it as "a marketing edge given differing architectures and no vulnerability yet," Mizuho Securities analyst Vijay Rakesh wrote in a note to clients Wednesday.
Intel's high-profit data-center business, which sells server chips to cloud computing providers and enterprises, is the chipmaker's crown jewel.
Rakesh noted that Intel had 99 percent market share of the data-center market, representing a huge opportunity for AMD.
Analysts estimate that Intel's data-center group will generate $18.5 billion in sales and $7.4 billion in operating profit in 2017, according to FactSet.
"Longer-term customers could be more motivated to find alternatives at AMD and possibly ARM (CAVM benefits) to diversify the architectural risks," Bank of America Merrill Lynch analyst Vivek Arya wrote Thursday. "AMD appears poised to be the most direct beneficiary."
An AMD gain of significant market share in the server market is not unprecedented. The company hit 25 percent share in 2006. If AMD is able to reach 10 percent or 15 percent market share of the data-center business, it could add billions in revenue to the company's financial results.
Any increase will be a boon for AMD because the Wall Street consensus for the company's 2017 estimated sales is just $5.25 billion.
One leading tech industry analyst says the chipmaker will do just that.
"The news of Intel's processor security issue and the potential performance degradation to correct it comes at an inopportune time as Intel currently faces heavy competitive pressure from its long-time nemesis, AMD," Fred Hickey, editor of High Tech Strategist, wrote in an email Thursday. "AMD's new line of chips is a significant challenger for the first time in many years (since AMD's Opteron chip days)."
AMD launched new line Epyc data-center processors to much fanfare last June with design wins at cloud computing providers Microsoft Azure and Baidu.
"For Intel, it likely means loss of market share (lower revenues) as well as loss of pricing power (lower gross margins) as the advantage shifts to the buyers and away from Intel, which has totally dominated the PC/computer server processor market in recent years," Hickey said. "AMD's new processor chips already had momentum and that momentum will likely be propelled further by the recent security issue disclosures."" -
Three Lawsuits Launched Against Intel Over ‘Defective Chips’
“Defective” Chips
The plaintiffs in all three lawsuits argued that Intel has been advertising “defective” chips to them for at least the past 10 years. The Spectre flaw in particular comes from the design Intel chose for its chips a long time ago, perhaps to the detriment of security.
-
https://twitter.com/xkcdComic/status/949346844466819072/photo/1
Linus Torvalds says Intel needs to admit it has issues with CPUs
05 January 2018 Written by Sam Varghese
https://www.itwire.com/security/813...l-needs-to-admit-it-has-issues-with-cpus.html
"Linux creator Linus Torvalds has had some harsh words for Intel in the course of a discussion about patches for two bugs that were found to affect most of the company's processors.
Two flaws — dubbed Meltdown and Spectre — were revealed this week in Intel processors made since 1995 and companies have been hustling to offer fixes and workarounds.
Meltdown removes the barrier between user applications and sensitive parts of the operating system while Spectre, which is also reportedly found in some AMD and ARM processors, can trick vulnerable applications into leaking the contents of their memory.
Torvalds was clearly unimpressed by Intel's bid to play down the crisis through its media statements, saying: "I think somebody inside of Intel needs to really take a long hard look at their CPUs, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed."
The Finn, who is known for never beating about the bush where technical issues are concerned, questioned what Intel was actually trying to say.
"Or is Intel basically saying 'we are committed to selling you **** forever and ever, and never fixing anything'?" he asked. "Because if that's the case, maybe we should start looking towards the ARM64 people more."
Meanwhile, an Australian who was part of the team that released advice about the bugs, said: "These bugs in the hardware can enable hackers using malicious programs to steal sensitive data which is currently processed on the computer. Such programs can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs."
Dr Yuval Yarom, of the University of Adelaide's School of Computer Science, and Data 61, added: "They do this because the processor leaves behind traces of the information that it's processing, and these traces could lead a hacker to discover important information."
But he said there was a positive to the findings too. "Ultimately, I think our discovery will help to change the way processors are designed, to help prevent such cyber security concerns."
The organisations involved in finding the bugs included Google's Project Zero, the University of Adelaide and CSIRO's Data61 in Australia, Graz University of Technology in Austria, Cyberus Technology GmbH in Germany, and the University of Pennsylvania, University of Maryland and Rambus in the US.
Commenting on the bugs, Ryan Kalember, vice-president of Cyber Security Strategy at security outfit Proofpoint, said: "Like most organisations, chip manufacturers have long prioritised speed over security – and that has led to a tremendous amount of sensitive data (being) placed at risk of unauthorised access via Meltdown and Spectre.
"While the vast majority of computing devices are impacted by these flaws, the sky is not falling. Both vulnerabilities require an attacker to be able to run their code on the device they are attacking. The typical consumer is still vastly more likely to be targeted by something like a phishing email than a targeted attack exploiting Meltdown or Spectre.
"However, these vulnerabilities break down some of the most fundamental barriers computers use to keep data safe, so cloud providers need to act quickly to ensure that unauthorised access, which would be very difficult to detect, does not occur."
Kalember said that if there was some good news, it was fortunate that these vulnerabilities were discovered and responsibly disclosed by respected researchers as opposed to being exploited in a large-scale, potentially-damaging global attack.
"Organisations worldwide need to immediately implement the Kaiser patch to address the Meltdown threat and we applaud the quick action by companies such as Amazon, Google, and Microsoft to do so.
While there is no immediate fix for Spectre, we would hope the chip manufacturers learn from these vulnerabilities and weigh the security implications of their new product features," he added." -
A Big Thank You to the Mods for changing the thread title from:
Intel CPU Bug Cannot Be Fixed With Microcode Update | Cripples Performance Up To 30 Percent
To:
CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more -
I am sure my older PC will not get any BIOS patches from Intel as OEM have EOL'ed the PCs.
Only option is to wait until a uCode in bin format is made available at Intel's download center so that I can patch them via VMware's tool.
Maybe nVidia will be next. -
Now, if you are talking Spectre, there is the all caps important security update thread by Prema, updating the browsers, and ME firmware, while the OSes have NOT patched for this vulnerability yet, only Meltdown. Why? Because Meltdown is insane and inexcusable. Even if you don't think it is a big deal, it is such a fundamental error that there is nothing to be said. It is one of those mistakes so large, you tell a person go question their life choices while sitting on a bridge (DISCLAIMER: Suicide is a serious matter. This is not to make light of that matter. If ever contemplating such actions, please contact someone for help to get through destructive feelings and behaviors. There are even hotlines that can be called. Please take action.).
So, I hope that helps a bit more on getting what is happening. -
http://forum.notebookreview.com/threads/important-security-update.811312/
It is a start and may be the only thing you can do with EOL hardware. -
A suggestion for everyone reading this thread...
Don't forget to check your secondary and tertiary 'devices' for firmware/os upgrades! My router, a device (not a computer) which uses an intel Duo had both a firmware and os patch available. The wifi router needed a firmware update. And while I'm uncertain if it is unaffected, my managed Cisco switch also had a firmware update, although it was from Sept.
I still have an unmanaged HP switch, but not sure what I can do about that one until I can get a chance to take a closer look. Not sure what to do about my old Belkin Print Server, but it may be so old, it is unaffected.
So, if you have a spare moment, take a look at security updates for any other devices you may own. -
I have disabled Windows update ever since the push to us Windows 7 users to install that pastel colored trash. My system is up to date, and I will wait for a simplix pack with the patch integrated to update again. Simply going online is NOT going to make you vulnerable to being hacked. It is overreacting to say such things. Magical key loggers, and hack programs do not randomly appear on your PC, it is user error, or lack of common sense that often opens your PC to such vulnerabilities by going to nefarious sites, or downloading something one really shouldn't be.
-
My firewall was the one I had a heart attack about and patched firmware and OS and VM software, and virtualized OSes, and turned off one of the VMs because it wasn't needed atm, just to reduce risks until things are more settled, etc. I still need to check a couple items, but I did get the majority of devices covered within the first 48 hours and have been tying up loose ends since, as should everyone.
CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more
Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.