Critical Flaws in Computers Leave Millions of PCs Vulnerable

My guess it just happened to be the easiest to fix, or maybe there are more Skylake systems in the wild than Kaby Lake, so damage limitation.

 

by Brandon Hill — Wednesday, February 21, 2018
Intel Issues Stable Spectre Microcode Update For Skylake, Kaby Lake And Coffee Lake Processors
https://hothardware.com/news/intel-...-skylake-kaby-lake-and-coffee-lake-processors
Intel continues to plug along with microcode updates for its vast stable of processors. Two weeks ago, the company released revised microcode updates with Spectre mitigations that were limited to mainstream Skylake mobile and desktop platforms. This week, the company has expanded the microcode updates to cover Skylake-X and Skylake-SP processors architectures including Core-X, Xeon Scalable and Xeon D.
In addition, the new microcode release covers Kaby Lake and Coffee Lake processors that were previously left out. Intel was forced to pull its original microcode updates after it was found that some systems were randomly rebooting. That is definitely not something that consumers will tolerate and can be especially troubling in mission-critical enterprise installations.

The new Skylake/Kaby Lake/Coffee Lake microcode updates have been distributed to Intel's OEM partners, who will then distribute them via BIOS updates for customers. Intel is encouraging users to update their systems as soon as BIOS updates are available to protect themselves from Spectre attacks, which are currently advancing past the proof-of-concept stage.


Companies like Dell, Hewlett-Packard and Lenovo pulled their BIOS updates once Intel identified the root cause of the rebooting issues. Expect to soon see these same manufacturers issuing new BIOS updates to customers over the coming days and weeks.

"This effort has included extensive testing by customers and industry partners to ensure the updated versions are ready for production," said Navin Shenoy, Intel's Executive VP and GM for the Data Center Group. "On behalf of all of Intel, I thank each and every one of our customers and partners for their hard work and partnership throughout this process."

As for Intel, the company is currently facing nearly three dozen lawsuits [PDF] regarding its handling of the Meltdown and Spectre processor vulnerabilities. The company is also promoting software-based mitigations for Spectre Variant 2 that were developed by Google.

"We are mindful of the fact that, in some cases, there are multiple mitigation techniques available that may provide protection against these exploits," added Shenoy. "This includes 'Retpoline,' a Google-developed mitigation technique for Variant 2."

You can see Intel's white paper on Reptoline here [PDF], and check out our initial coverage of both the Spectre and Meltdown chip vulnerabilities.

 

Sigh... it's not just Intel...

See:
https://www.theregister.co.uk/2018/02/21/amd_spectre_lawsuits/

CPU's from earthbound companies aren't magically different - I saw this (AMD) wreck coming...

 

Anyone can be sued for anything as they say. Now AMD has one variant of Spectre issues while Intel has multiple suits involving all three variants. This is not an AMD wreck but wreck involving the entire industry with Intel being at the forefront. And they may not be magically different but apparently somewhat different.

 

MASSIVE MALSPAM CAMPAIGN TARGETS UNPATCHED SYSTEMS
https://threatpost.com/massive-malspam-campaign-targets-unpatched-systems/130136

Cybercriminals are leveraging a recently patched critical Adobe Flash Player vulnerability in a massive spam campaign targeting unpatched computers.

According to the research firm Morphisec, cybercriminals are blasting spam messages that urge recipients to click a link to download a Word document. And when a victim opens the document and enables macros, malware attempts to exploit an Adobe Flash Player bug (CVE-2018-4878) patched by Adobe earlier this month. Victims who fall for the ploy could ultimately hand over control of their systems to an attacker, according to researchers.

 

Intel Admits It Won't Be Possible to Fix Spectre (V2) Flaw in Some Processors

As speculated by the researcher who disclosed Meltdown and Spectre flaws in Intel processors, some of the Intel processors will not receive patches for the Spectre (variant 2) side-channel analysis attack

In a recent microcode revision guidance ( PDF), Intel admits that it would not be possible to address the Spectre design flaw in its specific old CPUs, because it requires changes to the processor architecture to mitigate the issue fully.

The chip-maker has marked "Stopped" to the production status for a total 9 product families—Bloomfield, Clarksfield, Gulftown, Harpertown Xeon, Jasper Forest, Penryn, SoFIA 3GR, Wolfdale, and Yorkfield.


These vulnerable chip families—which are mostly old that went on sale between 2007 and 2011—will no longer receive microcode updates, leaving more than 230 Intel processor models vulnerable to hackers that powers millions of computers and mobile devices.

According to the revised guidance, "after a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons."

Intel mentions three reasons in its documentation for not addressing the flaw in some of the impacted products:

• Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
• Limited Commercially Available System Software support
• Based on customer inputs, most of these products are implemented as "closed systems" and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.

Spectre variant 2 vulnerability (CVE-2017-5715) affects systems wherein microprocessors utilize speculative execution and indirect branch prediction, allowing a malicious program to read sensitive information, such as passwords, encryption keys, or sensitive information, including that of the kernel, using a side-channel analysis attack.


However, these processors can install pre-mitigation production microcode updates to mitigate Variant 1 (Spectre) and Variant 3 (Meltdown) flaws.

Besides Intel, AMD Ryzen and EPYC processors were also found vulnerable to 13 critical vulnerabilities that could allow an unauthorized attacker to access sensitive data, install persistent malware inside the chip, and gain full access to the compromised systems.

AMD has acknowledged reported vulnerabilities and promised to roll out firmware patches for millions of affected devices in the coming weeks.

However, CTS Labs, the security firm that discovered and disclosed the vulnerabilities, claimed that AMD could take several months to release patches for most of the security issues, where some of them cannot be fixed.

 

Condusiv: Patches for CPU Security Flaws Can Affect System Performance
https://www.prweb.com/releases/cond...n_affect_system_performance/prweb15745392.htm
In the face of multiple threats to Intel chip security, experts advise organizations to apply fixes and simultaneously optimize system throughput.

GLENDALE, CALIF. (PRWEB) SEPTEMBER 11, 2018
In mid-August, Intel Corporation announced a first round of patches to counter Foreshadow/Foreshadow-NG, a weakness in chip design that could allow an attacker to access encrypted data being held in an isolated area of the chip meant to keep sensitive information out of the reach of other software, including malware. With Foreshadow, the data in a supposedly secure enclave could, in theory, be copied elsewhere and then accessed. Foreshadow-NG might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure.1 “There’s no evidence that anyone has actually exploited this design flaw,” says James D’Arezzo, CEO, Condusiv Technologies, “and Intel, Microsoft, and other vendors are rapidly developing security patches.”2 D’Arezzo, whose company is a world leader in I/O reduction and SQL database performance, adds, “However, many of these security patches can significantly degrade system speed and performance.”
Problems with microcode security patches emerged early in the year, when the computer industry began reacting to a pair of chip design weaknesses called Meltdown and Spectre. By late January, according to Spiceworks, a professional network for people in the IT industry, 70% of businesses surveyed had begun patching against the flaws. Of those, 38% reported experiencing problems with the fixes, including performance degradation and computers crashing. The study also found that of the 29% of large companies who expected to spend more than 80 hours addressing the issue, 18% expected to spend more than $50,000 to fix them.3
Then came Foreshadow, which, according to security researchers, could affect all Intel hardware released after 2015. Researchers also note that users will mostly likely not be able to detect if they have been affected by the new attack, as Foreshadow does not leave traces. Intel has already released a patch that it says will stop the issue, and says that future processors will be tweaked in order not to be affected by Foreshadow.4
Per D’Arezzo, this is simply part of doing business in today’s computer industry. Vulnerabilities and flaws are inevitable. They will keep emerging, companies like Microsoft and Intel will continue to generate patches for them, and users will continue to struggle with poor performance.
An invaluable tool for these users is input/output (I/O) reduction software, which works steadily in the background, optimizing the flow of data in and out while situations change around it. Condusiv is the world leader in this area and users of its software solutions can more than double the I/O capability of storage and servers, including SQL servers, in their current configurations.
About Condusiv® Technologies
Condusiv Technologies is the world leader in software-only storage performance solutions for virtual and physical server environments, enabling systems to process more data in less time for faster application performance. Condusiv guarantees to solve the toughest application performance challenges with faster-than-new performance via V-locity® for virtual servers and Diskeeper® or SSDkeeper® for physical servers and PCs. With over 100 million licenses sold, Condusiv solutions are used by 90% of Fortune 1000 companies and almost three-quarters of Forbes Global 100 companies to increase business productivity and reduce data center costs while extending the life of existing hardware. Condusiv CEO Jim D’Arezzo has had a long and distinguished career in the high-tech arena.
Condusiv was founded in 1981 by Craig Jensen as Executive Software. Over 37 years, he has taken the thought leadership in file system management and caching and transformed it into enterprise software. For more information, visit http://www.condusiv.com.
1. Dunn, John E., “‘Foreshadow’ flaw found in Intel CPUs—what to do,” Naked Security, August 17, 2018.
2. Allan, Darren, “Windows 10 gets Intel’s patches for worrying new Foreshadow flaw,” TechRadar, August 23, 2018.
3. Larson, Selena, “All computers are flawed—and the fix will take years,” CNN, January 26, 2018.
4. Moore, Mike, “Intel reveals more major chip security flaws,” TechRadar, August 15, 2018.

 

New Intel CPU Flaw Exploits Hyper-Threading to Steal Encrypted Data
https://thehackernews.com/2018/11/portsmash-intel-vulnerability.html

 

Oh well... Those with Intel CPUs have their confidential Intels' stolen by a bug.

 

7 New Meltdown and Spectre-type CPU Flaws Affect Intel, AMD, ARM CPUs
https://thehackernews.com/2018/11/meltdown-spectre-vulnerabilities.html

 

The thread title should be changed from "Critical Flaws in Intel Processors Leave Millions of PCs Vulnerable" to "Critical Flaws in Intel Processors Computers Leave Millions of PCs Vulnerable" as that would be the most accurate synopsis. The day will never come when vulnerabilities cease to exist. For every flaw that is fixed, another is found, and there are many that simply haven't been found yet.

 

It made sense last time because most of them (99%) use Intel CPUs. Now, its time to generalize.

 

Thanks @Mr. Fox , I will report it to rename it now.

 

Of course. Newer architecture as eg for the AMD Ryzen chips vs. the older Intel doesn’t matter. New security flaws will pop up whatever.

 

Thread renamed, thanks for the suggestion and thanks for the moderators.

 

New Systemd Privilege Escalation Flaws Affect Most Linux Distributions
https://thehackernews.com/2019/01/linux-systemd-exploit.html

 

Intel Microcode Updates for Windows 10 1809 (KB4465065), 1803 (KB4346084) and all other versions deskmodder.de | Jan 5, 2019

Microsoft has updated the Intel Microcode updates this time for all Windows 10 versions. Unlike in January is now also the Windows 10 1809 with it. These will have been revised by Microsoft. Because the KB numbers have changed since the 9th of January.

The individual updates can be downloaded and installed via the update catalog. Pay attention to the date. The size of the update varies between 1 MB and 1.4 MB.

• Windows 10 1809: KB4465065 ( Overview )
• Windows 10 1803: KB4346084 ( Overview )
• Windows 10 1709: KB4346085 ( Overview )
• Windows 10 1703 KB4346086 ( Overview )
• KB4346087 Overview

 

Nothing new for Skylake there, still C6 microcode, which is the one I have implemented through BIOS. I also checked the list of KB's installed and I don't have the KB4465065 that would be applicable for my version of Windows 10 - I was expecting to see it installed because Windows in the past has installed such microcode KB's even though I'm on the latest C6 through BIOS implementation.

 

Improvements apply to 8th gen and above since older releases don't have any issue.

 

Cool, thanks. What's the improvements to 8th gen & above re the microcodes? The 8th gen & above don't have new security flaws above & beyond the older CPUs I don't think, so I'm wondering why this is just in reference to 8th gen & above?

 

Hard to speculate what was the fixes. I usually check here to ascertain what's the fixes! https://launchpad.net/ubuntu/+source/intel-microcode

 

Flaws in Popular RDP Clients Allow Malicious Servers to Reverse Hack PCs
https://thehackernews.com/2019/02/remote-desktop-hacking.html

 

Microsoft Patch Tuesday — February 2019 Update Fixes 77 Flaws
https://thehackernews.com/2019/02/microsoft-patch-tuesday-february.html

Microsoft has issued its second Patch Tuesday for this year to address a total of 77 CVE-listed security vulnerabilities in its Windows operating systems and other products, 20 of which are rated critical, 54 important and 3 moderate in severity.

 

Snapd Flaw Lets Attackers Gain Root Access On Linux Systems
https://thehackernews.com/2019/02/snapd-linux-privilege-escalation.html

Ubuntu and some other Linux distributions suffer from a severe privilege escalation vulnerability that could allow a local attacker or a malicious program to obtain root privileges and total control over the targeted system.

 

Wow; if electrons are involved nothing is safe.

So much for supposed superiority of one's favorite system or another.

 

I installed snapd and flatpak based apps and I saw the app data was into home directory and un-hidden, felt some issues at heart uninstalled them and next day, bam they have some exploits and they're fixed now.

 

Another Critical Flaw in Drupal Discovered — Update Your Site ASAP!
https://thehackernews.com/2019/02/hacking-drupal-vulnerability.html


Developers of Drupal—a popular open-source content management system software that powers millions of websites—have released the latest version of their software to patch a critical vulnerability that could allow remote attackers to hack your site.

 

Warning: Critical WinRAR Flaw Affects All Versions Released In Last 19 Years
https://thehackernews.com/2019/02/winrar-malware-exploit.html


Beware Windows users... a new dangerous remote code execution vulnerability has been discovered in the WinRAR software, affecting hundreds of millions of users worldwide.

 

Critical Flaw Uncovered In WordPress That Remained Unpatched for 6 Years
https://thehackernews.com/2019/02/wordpress-remote-code-execution.html



Exclusive — If you have not updated your website to the latest WordPress version 5.0.3, it’s a brilliant idea to upgrade the content management software of your site now. From now, I mean immediately.

 

I've check if Linux installed RAR5 package or not? If its installed it might need updating too!!

 

GeForce 419.17 WHQL closes security holes deskmodder.de | February 22, 2019

The NVIDIA video driver contains a vulnerability (CVE-2018-6260) that provides access to the application data processed on the GPU via a side channel. Therefore, it is necessary to install the new driver to close this gap. You can find more about this in the release notes page 11.
417.91 / 417.91-win10-win8-win7-desktop-release-notes.pdf

 

After reading the release notes you have to do an extra step to enable the security mitigations - you have to go to the NVidia Control Panel and the Developer Options and then you change Performance Counters to admin access only:

Spoiler: Quoted from Release Notes

Restricting Access to GPU Performance Counters

The NVIDIA graphics driver contains a vulnerability (CVE-2018-6260) that may allow
access to application data processed on the GPU through a side channel exposed by the
GPU performance counters. GPU performance counters are needed by developers in
order to use NVIDIA developer tools such as CUPTI, Nsight Graphics, and Nsight
Compute. In order to address CVE-2018-6260 the driver needs to be updated and
additional steps listed below are needed to disable access to non-admin users. For more
information about CVE-2018-6260 visit the NVIDIA Security Bulletin 4772.

Access to GPU performance counters should be disabled for non-admin users who do
not need to use NVIDIA developer tools.

Restricting access to GPU performance counters can be accomplished through the
NVIDIA Control Panel->Developer->Manage GPU Performance Counters page (NV Control
Panel v8.1.950). Refer to the Developer->Manage GPU Performance Counters section of the
NVIDIA Control Panel Help for instructions.

Now I use an admin account on my Windows 10 PC, and I still have access to measuring GPU performance in GPUz, so don't know if I'm protected from this vulnerability even after doing these outlined steps? I'm half assuming I am protected because I'm assuming that the performance counters are now protected by UAC control and therefore only programs that have been run "as admin" would have access to it. But does that mean that if I run GPUz (by definition it's "as admin"), and use the sensor monitoring, does that mean I'm no longer protected against this "Performance Counter Vulnerability"? Or am I getting the wrong end of the stick and "performance counters" are not related to GPUz use?

(So far performance of this driver seems fine, same as previous drivers in 3DMark).

 

Where can I find the Developer Options?

 

Skipping the update for now. I'm happy with 391. Its just their way of forcing customers to install latest drivers because download hits per hour is low and their download server is rarely used.

If you use CUPTI, NSight, MS Visual Graphics Debugger, AMD Graphics Debugger tool(For testing OpenCL 2.x) etc.. you will be affected, for general usage the counters are set to disabled since they bring the GPU to ****ty speeds and FPS which makes any application to run like garbage at the expense of extremely high logs/app telemetry every 100-500 ms timer res.
I uninstalled all my development tools in Windows to Linux and still they are on 415.xx driver and I'm not seeing any beta packages under test for that vulnerability. https://launchpad.net/~graphics-dri...s_filter=published&field.series_filter=bionic

 

Right, ok, so it's just in relation to those specific packages, it's not related to GPU temperature & power monitoring tools.

 

NVidia Control Panel > Menu at top click on "Desktop"(it's next to "File" & "Edit")>Enable Developer Options (then go from there).

 

If you're using MSI AB or similar they don't enable that. Did unwinder RTSS say anything about it? Have you seen somebody asking at Guru3d?

 

Nope, not asked there.

 

Bandizip 6.21 removes ACE support because of the CVE-2018-20250 vulnerability deskmodder.de | Feb 23, 2019

Yesterday we had about the new update of 7zip to version 7 p.m. reported . Today follows Bandzip with an update to version 6.21. Here you have removed the vulnerability in the ACE format by now ending the support.

Source: Bandzip
The bug had been discovered in the WinRar. A security issue that has not been patched in ACE format for 19 years. With the WinRar 5.70 beta 1 the problem with the UNACEV2.DLL was fixed by setting the support for the ACE format. Because you have no access to the source code. The DLL has not been updated since 2005. Currently the 5.70 Beta 2 is available for download.

But back to Bandzip. If you use Bandzip, you should immediately update to the new version. The other bugs that have been fixed are:

• Fixed issue with extraction of specific NSIS.
• The shell extension does not work in individual cases.
• Some minor bugfixes

 

Severe Flaws in SHAREit Android App Let Hackers Steal Your Files
https://thehackernews.com/2019/02/shareit-android-hacking.html

Security researchers have discovered two high-severity vulnerabilities in the SHAREit Android app that could allow attackers to bypass device authentication mechanism and steal files containing sensitive from a victim's device.

 

How I hate 'apps', let me count the ways. sigh...

 

Nvidia Patches Eight Security Vulnerabilities Across Most Product Lines Tomshardware.com | March 1, 2019
Most graphics drivers are exciting because they add support for new hardware, include optimizations for the latest games, or fix issues found in their predecessors. A batch of new drivers from Nvidia offers a different incentive: protection against eight vulnerabilities that could be used to conduct various attacks...

 

Google Discloses Unpatched 'High-Severity' Flaw in Apple macOS Kernel
https://thehackernews.com/2019/03/cybersecurity-macos-hacking.html


Cybersecurity researcher at Google's Project Zero division has publicly disclosed details and proof-of-concept exploit of a high-severity security vulnerability in macOS operating system after Apple failed to release a patch within 90 days of being notified.

 

New "Thunderclap" Vulnerability Threatens to Infect Your PC Over Thunderbolt Peripherals Techpowerup.com | Mar 4, 2019

A new security vulnerability named "Thunderclap" severely compromises security of computers with USB type-C Thunderbolt ports, or machines with Thunderbolt 3 (40 Gbps) ports. This would be pretty much every MacBook released in the past two years, Macs, and PCs with certain aftermarket Thunderbolt 3 adapters. Chronicled in a paper by the Department of Computer Science and Technology at the University of Cambridge, Rice University and SRI International, is a method for Thunderbolt devices to bypass the host machine's IOMMU (I/O memory management unit), and read its main memory over DMA.

An IOMMU translates address-spaces between devices and main memory, and hence protects your memory's contents being read by just about any device. The group has detailed possible ways to mitigate this vulnerability, and forwarded these mitigations to Apple, Intel, and Microsoft. For now no public mitigation exists other than disabling the Thunderbolt controller of your machine in your motherboard's UEFI setup program.

 

Intel’s Newest Spoiler: A Spectre-Style Hardware Exploit That Leaks Private Data Hothardware.com | Mar 5, 2019
Just when we thought that the worst was over with respect to speculative execution hardware exploits like Spectre, we get hit with another whopper. Such is the case with a new Intel processor vulnerability dubbed Spoiler. Spoiler is similar in...

Given that Spoiler was just revealed to the public, there are no current software mitigation solutions available. And there’s of course no timeline as to when a potential fix can be implemented in hardware or what kind of performance impact it would have.

 

SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability
'Leakage ... is visible in all Intel generations starting from first-gen Core CPUs'

https://www.theregister.co.uk/2019/03/05/spoiler_intel_processor_flaw/


Updated Further demonstrating the computational risks of looking into the future, boffins have found another way to abuse speculative execution in Intel CPUs to steal secrets and other data from running applications.

 

More info in this thread too:
http://forum.notebookreview.com/thr...atches-and-more.812424/page-120#post-10875985

 

And yet some more -

"All Intel chips open to new Spoiler non-Spectre attack: Don't expect a quick fix"

https://www.zdnet.com/article/all-i...r-non-spectre-attack-dont-expect-a-quick-fix/

 

Microsoft Releases Patches for 64 Flaws — Two Under Active Attack
https://thehackernews.com/2019/03/microsoft-windows-security-updates.html

It's time for another batch of "Patch Tuesday" updates from Microsoft.

Microsoft today released its March 2019 software updates to address a total of 64 CVE-listed security vulnerabilities in its Windows operating systems and other products, 17 of which are rated critical, 45 important, one moderate and one low in severity.

The update addresses flaws in Windows, Internet Explorer, Edge, MS Office, and MS Office SharePoint, ChakraCore, Skype for Business, and Visual Studio NuGet.

 

Adobe Releases Patches for Critical Flaws in Photoshop CC and Digital Edition
https://thehackernews.com/2019/03/adobe-software-updates.html

Adobe users would feel lighter this month, as Adobe has released patches for just two security vulnerability in its March Security Update.

The company today released its monthly security updates to address two critical arbitrary code execution vulnerabilities—one in Adobe Photoshop CC and another in Adobe Digital Editions.