CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.

  1. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    6,092
    Messages:
    19,261
    Likes Received:
    23,962
    Trophy Points:
    931
    Level1 News March 12 2019: SPOILER ALERT
    41:10 - All Intel chips open to new Spoiler non-Spectre attack: Don't expect a quick fix

    All Intel chips open to new Spoiler non-Spectre attack: Don't expect a quick fix
    Researchers say Intel won't be able to use a software mitigation to fully address the problem Spoiler exploits.
    By Liam Tung | March 5, 2019 -- 11:33 GMT (03:33 PST)
    https://www.zdnet.com/article/all-i...r-non-spectre-attack-dont-expect-a-quick-fix/

    Splork • 7 days ago
    "Speculation abounds that Apple may be planning to ditch Intel processors. There is certainly a mountain of motivation to do so. Even AMD processors would be a welcomed change. I wonder if Intel can be sued for culpable negligence when their numerous vulnerabilities cost users and enterprises significant loss..."
     
    Last edited: Mar 13, 2019
  2. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    6,092
    Messages:
    19,261
    Likes Received:
    23,962
    Trophy Points:
    931
    Just a general heads up - pull'em out of the sand and patch your computers. This advice goes for individuals too.

    Computers online appear the same, whether for business, gaming, browsing, or general use. All computers can be vulnerable.

    Stop Contributing to the Global Cybercriminal Haul
    Written by Eric Jacksch on 07 January 2019
    POSTED IN SECURITY SHELF - ERIC JACKSCH
    http://www.canadait.com/index.php/i...contributing-to-the-global-cybercriminal-haul

    "According to a 2018 study led by Dr. Michael McGuire, Senior Lecturer in Criminology at the University of Surrey, worldwide cybercrime revenues are estimated at $1.5 trillion per year. In 2019, ...businesses of all sizes should take measures to stop contributing to the global cybercriminal haul.

    APPLY PATCHES AND UPDATES
    While exotic zero-day vulnerabilities grab headlines, in reality intruders frequently succeed by exploiting known security issues for which patches already exist. Unless patches are applied regularly, the resulting security landscape makes it far too easy for relatively unsophisticated cybercriminals to intrude into systems and steal data.
    Many organizations, both public and private, suffer from misaligned priorities. They deploy expensive security products, but neglect basics such as patching. Intrusion prevention and antimalware are important, but they do little to protect servers and PCs riddled with security holes.

    While it is possible to keep systems up-to-date through diligent system administration practices, a variety of vulnerability and patch management tools are available to help. If your organization has not made software updates a security priority in the past, make it one for 2019.

    HARDEN SERVERS

    It is difficult to find security advice written in the past few decades that doesn’t include server hardening. Yet time and time again, security professionals and hackers find network services that shouldn’t be there in the first place, nevermind exposed to the network.

    While legacy systems may present challenges, the majority of the time the real issue is that security is just not a priority. Insecure protocols such as FTP and telnet have no place on today’s systems. Unless the server is a file server, inbound connectivity to SMB ports should be blocked. While it might be more convenient for administrators to update web content via a Windows file share, it’s a poor security choice. SCP and SFTP are far more secure.

    Server hardening also includes making privilege escalation more difficult. Web servers, databases, and similar applications should not run with administrative privileges, and when colocated on the server should be protected against each other. As an example, a database process should not have write access to a web server’s directories.

    SECURITY AWARENESS TRAINING
    Phishing and fraud are on the rise. Never in history has it been easier to research and target individuals and businesses, and criminals are getting much better at it. In the past, poor grammar and comically bad writing made fraudulent emails easier to spot. More recently, fraudsters have seriously improved their game. Employees today are receiving well-written emails, addressed to them by name, and purporting to be from managers and executives within their organization.

    While technical controls can certainly help (it is amazing that in 2019 we don’t have a clear indicator of whether an email originated inside or outside our organization), the real key is security awareness training. In fact, training employees likely has a higher ROI than any other security expenditure.

    MULTI-FACTOR AUTHENTICATION
    Another opportunity to improve security this year is to adopt multi-factor authentication. Most major companies support it, and thanks to the standards charge lead by Google Authenticator, no extra hardware is required. Apps like Authy make it easy to manage multiple accounts and synchronize MFA credentials across multiple devices.

    Low cost FIDO U2F and FIDO2 devices make hardware-based MFA simple and easy. A single device can be used to authenticate to an unlimited number of Internet sites and accounts.

    Organizations should consider the services they use, and prioritize MFA starting with email and social media accounts. Those using cloud computing should, if they are not already, mandate the use of MFA for all administrator access.

    BACKUPS
    The final line of defence against a multitude of security incidents, including ransomware attacks, malicious insiders, hardware failures, and natural disasters, is recovering data from backups. Protecting data is an obvious business imperative, yet many business fail to adequately do so. This is particularly problematic for small businesses and individuals. Ironically, unprecedented Internet bandwidth and low-cost backup services make it easier than ever. At a cost of around $5 per PC for automatic, unlimited backup, there is simply no excuse."
     
    Starlight5, Riley Martin and ajc9988 like this.
  3. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    6,092
    Messages:
    19,261
    Likes Received:
    23,962
    Trophy Points:
    931
    Data-spewing Spectre chip flaws can't be killed by software alone, Google boffins conclude
    While browsers have got their act together, any other apps interpreting user-supplied code need to be aware of this
    By Thomas Claburn in San Francisco 18 Feb 2019 at 07:05
    https://www.theregister.co.uk/2019/02/18/spectre_cant_be_killed/

    "Google security researchers have analyzed the impact of the data-leaking Spectre vulnerabilities afflicting today's processor cores, and concluded software alone cannot prevent exploitation.

    The Chocolate Factory brainiacs – Ross Mcilroy, Jaroslav Sevcik, Tobias Tebbi, Ben L. Titzer, Toon Verwaest – show that they can construct what's dubbed a universal gadget to exploit the spectre gang of speculative-execution flaws present in various CPU families, allowing attacker-supplied code running in a thread to read all memory in the same address space.

    This means, for example, a malicious webpage's JavaScript code executing in a web browser thread can potentially snoop on another webpage's JavaScript running in another thread within the same process, and steal secret data from that other page.

    There are already some mitigations in place in browsers, such as Chrome's Site Isolation that keeps webpages in separate processes, limiting what any malicious JavaScript can spy on. Firefox, Internet Explorer, and Edge, at least, block the use of JS object SharedArrayBuffer, which can be exploited to perform Spectre snooping.

    However, the underlying threat is still there for any browsers and other applications interpreting attacker-supplied code. Language-based defenses and similar safeguards within a process can't stop Spectre; you have to go down to hardware-based separation using individual processes with their own individual virtual address spaces and hardware-enforced page tables.

    Since there aren't many other scenarios in which attacker-supplied code is interpreted in the same address space as other user-supplied code – web browsers spring to mind, chiefly – the Googlers' research is largely academic, and not something to immediately panic over.

    However, if you're developing software that interprets external code – such a cloud-based execution environment in which customers' threads share the same process – this is something to be very much aware of.

    "We now believe that speculative vulnerabilities on today’s hardware defeat all language-enforced confidentiality with no known comprehensive software mitigations, as we have discovered that untrusted code can construct a universal read gadget to read all memory in the same address space through side-channels," the researchers say in a paper distributed through pre-print service ArXiv.

    Shortly after The Register first reported the Spectre and Meltdown bugs in January 2018, University of Michigan assistant professor of computer science Daniel Genkin, a co-author of the original Spectre research paper who was a postdoctoral student at the time, said as much: "We are currently not aware of effective countermeasures that will eliminate the root cause of Spectre, short of hardware redesign," he told The Register last year.

    Spectre, as its name suggests, involves the exploitation of speculative execution, a feature of modern processors that involves guessing the future path of a program and making anticipated calculations while the processor is busy with other tasks.

    These calculations can be retained if the correct path was guessed, which saves time and hastens code execution. But as the Spectre flaws demonstrated, the ability to peer into the future can be abused.

    There are several Spectre variants but the basic problem is that chip designers traded security for speed. "Our models, our mental models, are wrong; we have been trading security for performance and complexity all along and didn’t know it," the researchers observe.

    Variant 4, Speculative Aliasing Confusion, has no software solution that Google's researchers could find. "Variant 4 defeats everything we could think of," the researchers say.

    Initially, software and hardware makers pushed fixes like microcode updates and techniques like Retpoline. Browser makers Google and Mozilla made timing data less accessible, to make speculative execution attacks more difficult.

    But that appears to be futile. "We argue that mitigating timing channels by manipulating timers is impossible, nonsensical, and in any case ultimately self-defeating," the researchers say.

    Google's boffins added defenses against Spectre into the V8 JavaScript virtual machine within the company's Chrome browser and found the performance penalties frustrating because they slow things down without truly fixing the problem. "None of these mitigations provide comprehensive protection against Spectre, and so the mitigation space is a frustrating performance / protection trade-off," they say.

    That's why Google shifted its browser security focus to the aforementioned site isolation. But help has to come from hardware, too, in the form of better process isolation.

    Intel announced hardware fixes for some of the Spectre vulnerabilities in March 2018, but its claim that Spectre Variant 1 "will continue to be addressed via software mitigations" now looks rather dubious."
     
    Kyle, joluke, Starlight5 and 2 others like this.
  4. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    6,092
    Messages:
    19,261
    Likes Received:
    23,962
    Trophy Points:
    931
    15 months after Spectre and Meltdown, the fixes are still flowing
    By Simon Sharwood, Apr 8 2019, 11:16AM
    https://www.crn.com.au/news/15-months-after-spectre-and-meltdown-the-fixes-are-still-flowing-523511

    "The Spectre and Meltdown CPU design flaw bugs that emerged in early January 2018 are still creating work for users.

    Cisco last week issued a Field Notice to users of its Content Delivery Engine products, hefty servers packed chock full of disks and I/O option to stream video across a LAN or the Internet, or enable services like cloud DVRs.

    The Field Notice reveals that the devices are actually built on Intel CPUs and Supermicro servers, so are vulnerable to Spectre and Meltdown.

    Or as Cisco puts it, “CDE250/460/465 systems use third party CPUs that are potentially vulnerable. However, these products are closed systems which do not allow custom code to be run on them. While these systems are not currently included in the vulnerable product list in the security advisory below, this BIOS update is available as a precautionary measure.”

    So even though the devices are hard to penetrate, they've gone without specific remediation for 15 months. And Cisco thinks they might just need it.

    Which is just a little bit terrifying as the official Meltdown and Spectre FAQ states:

    Q: Has Meltdown or Spectre been abused in the wild?

    A: We don't know.

    And just to make things even more amusing, the FAQ also includes the following couplet.

    Q: Can I detect if someone has exploited Meltdown or Spectre against me?

    A: Probably not. The exploitation does not leave any traces in traditional log files.

    Installing a new BIOS isn’t a quick job. And it’s understandable if users have stopped checking to see if server vendors, or third parties that pack servers into appliances, have issued any new fixes.

    Cisco’s Field Notice is therefore a warning to both fix up any Content Delivery Engines you own, and revisit other product to see if any other Spectre and Meltdown fixes have landed lately."

    Field Notice: FN - 70347 - VDS - CDE250/460/465 BIOS Updates for the CPU Meltdown/Spectre Issue - BIOS/Firmware Upgrade Recommended
    Updated: April 3, 2019 Document ID: FN70347
    https://www.cisco.com/c/en/us/support/docs/field-notices/703/fn70347.html

    "Problem Description
    To enhance security, new BIOS updates are available to further improve system resiliency against known security vulnerabilities identified as Meltdown and Spectre. CDE250/460/465 systems use third party CPUs that are potentially vulnerable. However, these products are closed systems which do not allow custom code to be run on them. While these systems are not currently included in the vulnerable product list in the security advisory below, this BIOS update is available as a precautionary measure.

    Background
    Please see link below for detailed information on CPU Side-Channel Information Disclosure Vulnerabilities:
    https://tools.cisco.com/security/ce...rityAdvisory/cisco-sa-20180104-cpusidechannel

    Problem Symptom
    No symptoms are visible to the end user or administrator.

    CSCvj56715 Intel Meltdown/Spectre BIOS Updates for the CDE250/460/465 systems"
     
    Last edited: Apr 8, 2019
    Riley Martin, Kyle and Starlight5 like this.
  5. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    6,092
    Messages:
    19,261
    Likes Received:
    23,962
    Trophy Points:
    931
    Intel may never make a CPU we can trust, but others might
    Jon Martindale, 04.6.19 - 1:00AM PST
    https://www.digitaltrends.com/computing/sidestepping-solution-spectre-and-meltdown/

    "Remember the Spectre and Meltdown security exploits from last year? Intel and AMD really hopes you don’t. Despite what they want you to believe, these speculative execution exploits aren’t going away, at least not with the solutions proposed so far.

    Instead of trying to fix each variant that comes along, a permanent fix will require a fundamental change to how CPUs are designed. The proposition? A “secure core” that make ensure your data stays safe from attackers, no matter what bugs they might try to exploit.

    It might not be the route these large processor companies want to take, but it might be the only one that actually works."

    See site for full article...
     
    Kyle, Riley Martin and Starlight5 like this.
  6. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    6,092
    Messages:
    19,261
    Likes Received:
    23,962
    Trophy Points:
    931
    AMD addresses Spoiler vulnerability: Ryzen users are safe from this one
    By Eric Hamilton on March 17, 2019, 10:22 PM 10 comments
    https://www.techspot.com/news/79234-amd-addresses-spoiler-vulnerability-ryzen-users-safe-one.html

    "In context: Researchers continue to find ways to abuse and exploit speculative execution on modern CPUs. The newest vulnerability has been named "Spoiler," and while it'll likely be a thorn in Intel's side for some time to come with no viable solution, AMD's processors are unaffected claims the CPU maker.

    Researchers at Worcester Polytechnic Institute in the US, and the University of Lübeck in Germany, recently discovered another speculative execution vulnerabilityimpacting Intel processors. Dubbed "Spoiler," and like Spectre before it, the flaw preys upon the CPU's speculative execution engine that presciently guesses upcoming computations to boost performance.

    As the research paper explains, Spoiler is entirely independent from Spectre, so existing mitigations for Spectre and Meltdown have no effect on the new flaw. Spoiler is a complicated problem, but the paper offers a summary of sorts.

    We have discovered a novel microarchitectural leakage which reveals critical information about physical page mappings to user space processes. The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the 1st generation of Intel Core processors, independent of the OS and also works from within virtual machines and sandboxed environments.

    The researchers also tested AMD and ARM-based processors, but found that they were not susceptible in the same way Intel's processors are. This makes Spoiler a problem unique to Intel, and it's already found itself reeling after the frenzy that wasSpectre and Meltdown. And just like those two flaws, there's no viable software-only mitigation; microarchitecure level changes could help, but it'd come at the cost of performance.

    No doubt relieved, AMD has confirmed Spoiler does not impact Ryzen processors.

    We are aware of the report of a new security exploit called SPOILER which can gain access to partial address information during load operations. We believe that our products are not susceptible to this issue because of our unique processor architecture. The SPOILER exploit can gain access to partial address information above address bit 11 during load operations. We believe that our products are not susceptible to this issue because AMD processors do not use partial address matches above address bit 11 when resolving load conflicts.

    While AMD did have to issue some mitigations for Spectre, they seem to have dodged a bullet here. The same can't be said for Intel, unfortunately, who will have to continue to analyze their CPU design at the silicon level for improved security in the future."
     
    Last edited: Apr 10, 2019
  7. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    6,092
    Messages:
    19,261
    Likes Received:
    23,962
    Trophy Points:
    931
    Intel finally issues Spoiler attack alert: Now non-Spectre exploit gets CVE but no patch
    No patch for Spoiler attack affecting all Intel chips, but a security advisory gives it an official CVE identifier CVE-2019-0162.
    By Liam Tung | April 10, 2019 -- 11:23 GMT (04:23 PDT)
    https://www.zdnet.com/article/intel...ow-non-spectre-exploit-gets-cve-but-no-patch/

    "Intel has finally posted an official security advisory in response to the recently revealed Spoiler attack, which uses a weakness in Intel CPUs to enhance already known attacks that leak secrets from memory.

    Researchers from Worcester Polytechnic Institute, Massachusetts, and the University of Lübeck in north Germany in March drew attention to a weakness in Intel's proprietary memory subsystem that affects Intel CPUs all the way back to its 1st generation Intel Core processors, regardless of the operating system.

    An attacker with low privileges can use Spoiler to learn a system's virtual address mapping to physical memory addresses, Intel said in an assessment, which stressed that Spoiler itself doesn't reveal secret data.

    Spoiler is not a speculative execution side-channel attack like Spectre v2, which could leak secrets like passwords. However, Spoiler does lower the bar for other known memory-leaking attack techniques, such as Rowhammer bit-flipping in memory chips, and classic side-channel attacks.

    Intel initially didn't say much about Spoiler's impact, except that it believed software can be shielded against Spoiler issues by employing "side-channel safe software development practices" and that DRAM modules with Rowhammer mitigations should remain protected.

    Rowhammer mitigations include ECC or Error-Correcting Code memory, used in RAM for mission-critical systems. Researchers recently showed that ECC in DDR3 and possibly DDR4 is fairly brittle in the face of a specific Rowhammer attack. If it triggered three simultaneous bit flips ECC could be completely bypassed.

    Intel has now assigned the vulnerability identifier CVE-2019-0162 to Spoiler and given it a CVSS severity score of 3.8 out of a possible 10. The 'low' severity rating is likely because an attacker would need to be authenticated and have local access to the hardware, while existing mitigations further reduce risks.

    "Memory access in virtual memory mapping for some microprocessors may allow an authenticated user to potentially enable information disclosure via local access," Intel notes in its advisory.

    The researchers who discovered Spoiler predicted the chip maker would be unable to patch its memory subsystem with microcode any time soon without "losing tremendous performance".

    Indeed, Intel doesn't have a patch but points to documents detailing 'Security Best Practices For Side Channel Resistance' and 'Guidelines for Mitigating Timing Side Channels Against Cryptographic Implementations'.

    "Intel recommends that users follow existing best practices to mitigate exploitation of this vulnerability," it notes

    In a separate document, Intel says its kernel protections, such as the kernel page-table isolation (KPTI) mitigation against the Meltdown CPU attack, does "reduce the risk of leaking data across privilege levels".

    "After careful assessment, Intel has determined that existing kernel protections, like KPTI, reduce the risk of leaking data across privilege levels," Intel notes.

    "Combined with side-channel safe software development practices, like ensuring execution time and control flows are identical regardless of secret data, these protections mitigate classic side-channel methods enabled by the Spoiler exploit. Additionally, DRAM modules that are mitigated against Rowhammer-style attacks remain protected regardless of the Spoiler exploit."
     
    Last edited: May 15, 2019
    Kyle likes this.
  8. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    6,092
    Messages:
    19,261
    Likes Received:
    23,962
    Trophy Points:
    931
    New secret-spilling flaw affects almost every Intel chip since 2011
    Zack Whittaker@zackwhittaker / 17 hours ago
    https://techcrunch.com/2019/05/14/zombieload-flaw-intel-processors/

    "Security researchers have found a new class of vulnerabilities in Intel chips which, if exploited, can be used to steal sensitive information directly from the processor.,

    The bugs are reminiscent of Meltdown and Spectre, which exploited a weakness in speculative execution, an important part of how modern processors work.

    Speculative execution helps processors predict to a certain degree what an application or operating system might need next and in the near-future, making the app run faster and more efficient. The processor will execute its predictions if they’re needed, or discard them if they’re not.

    Both Meltdown and Spectre leaked sensitive data stored briefly in the processor, including secrets — such as passwords, secret keys and account tokens, and private messages.

    Now some of the same researchers are back with an entirely new round of data-leaking bugs.

    “ZombieLoad,” as it’s called, is a side-channel attack targeting Intel chips, allowing hackers to effectively exploit design flaws rather than injecting malicious code. Intel said ZombieLoad is made up of four bugs, which the researchers reported to the chip maker just a month ago.

    Almost every computer with an Intel chips dating back to 2011 are affected by the vulnerabilities. AMD and ARM chips are not said to be vulnerable like earlier side-channel attacks.
    ZombieLoad takes its name from a “zombie load,” an amount of data that the processor can’t understand or properly process, forcing the processor to ask for help from the processor’s microcode to prevent a crash. Apps are usually only able to see their own data, but this bug allows that data to bleed across those boundary walls. ZombieLoad will leak any data currently loaded by the processor’s core, the researchers said. Intel said patches to the microcode will help clear the processor’s buffers, preventing data from being read.

    Practically, the researchers showed in a proof-of-concept video that the flaws could be exploited to see which websites a person is visiting in real-time, but could be easily repurposed to grab passwords or access tokens used to log into a victim’s online accounts.

    Like Meltdown and Spectre, it’s not just PCs and laptops affected by ZombieLoad — the cloud is also vulnerable. ZombieLoad can be triggered in virtual machines, which are meant to be isolated from other virtual systems and their host device.

    Daniel Gruss, one of the researchers who discovered the latest round of chip flaws, said it works “just like” it does on PCs and can read data off the processor. That’s potentially a major problem in cloud environments where different customers’ virtual machines run on the same server hardware.

    Although no attacks have been publicly reported, the researchers couldn’t rule them out nor would any attack necessarily leave a trace, they said.

    What does this mean for the average user? There’s no need to panic, for one.

    These are far from drive-by exploits where an attacker can take over your computer in an instant. Gruss said it was “easier than Spectre” but “more difficult than Meltdown” to exploit — and both required a specific set of skills and effort to use in an attack.

    But if exploit code was compiled in an app or delivered as malware, “we can run an attack,” he said.

    There are far easier ways to hack into a computer and steal data. But the focus of the research into speculative execution and side channel attacks remains in its infancy. As more findings come to light, the data-stealing attacks have the potential to become easier to exploit and more streamlined.

    But as with any vulnerability where patches are available, install them.

    Intel has released microcode to patch vulnerable processors, including Intel Xeon, Intel Broadwell, Sandy Bridge, Skylake and Haswell chips. Intel Kaby Lake, Coffee Lake, Whiskey Lake and Cascade Lake chips are also affected, as well as all Atom and Knights processors.

    But other tech giants, like consumer PC and device manufacturers, are also issuing patches as a first line of defense against possible attacks.

    Computer makers Apple and Microsoft and browser makers Google have released patches, with other companies expected to follow.

    In a call with TechCrunch, Intel said the microcode updates, like previous patches, would have an impact on processor performance. An Intel spokesperson told TechCrunch that most patched consumer devices could take a 3 percent performance hit at worst, and as much as 9 percent in a datacenter environment. But, the spokesperson said, it was unlikely to be noticeable in most scenarios.

    And neither Intel nor Gruss and his team have released exploit code, so there’s no direct and immediate threat to the average user.
    But with patches rolling out today, there’s no reason to pass on a chance to prevent such an attack in any eventuality.

    I haven't seen a customer facing Intel firmware patch download yet... I'll update if I see it.

    "Intel has released microcode updates to motherboard and OEM firmware vendors already, and they should be made available to users as part of OEM firmware updates in the future."
    https://www.zdnet.com/article/how-to-test-mds-zombieload-patch-status-on-windows-systems/

    Apple, Amazon, Google, Microsoft and Mozilla release patches for ZombieLoad chip flaws
    Zack Whittaker@zackwhittaker / 17 hours ago
    https://techcrunch.com/2019/05/14/intel-chip-flaws-patches-released/

    "Big tech is stepping in to patch newly disclosed security flaws affecting almost every Intel chip since 2011.
    Researchers on Tuesday released details of the vulnerability, known as ZombieLoad — or microarchitectural data sampling (MDS) as its technical name — which can leak sensitive data stored in the processor, such as passwords, secret keys and account tokens and private messages.

    You can read our coverage here. In short, don’t panic — but you should patch your systems. Here’s how.

    Apple released macOS fixes
    Apple has fixes out for every Mac and MacBook released during and after 2011.

    The tech giant said in an advisory that any system running macOS Mojave 10.14.5, released Monday, is patched. This will prevent an attack from being run through Safari and other apps. Most users won’t experience any decline in performance. But some Macs could face up to a 40% performance hit for those who opt-in to the full set of mitigations.

    The security update will also be pushed to Sierra and High Sierra versions. iPhones, iPads and Apple Watch devices aren’t affected by the bugs.

    Google patches Android, will update Chrome
    The search and browser maker also confirmed it has released patches to mitigate against ZombieLoad.

    Google said the “vast majority” of Android devices aren’t affected but Intel-only devices will need to be patched once device makers make updates available.

    Chrome OS devices, such as Chromebooks, are already protected in the latest version, and permanent mitigations will be pushed to devices in the next version.

    And, the company’s Chrome team has a technical advisory out, but said users should rely on patches for their computer. “Operating system vendors may release updates to improve isolation, so users should ensure they install any updates and follow any additional guidance from their operating system vendor,” said Google. In other words, make sure your Windows PC or your Mac is patched.

    Google also rolled out patches to its data centers, so cloud customers are already patched, but should be aware of the company’s guidance.

    Mozilla plans long-term Firefox fix
    Firefox browser maker Mozilla said it’s got a long-term fix on the way.

    “Firefox has applied the mitigation recommended by Apple on macOS,” said a Mozilla spokesperson. “The macOS mitigation will be part of our upcoming Firefox release (67) and Extended Support Release update (60.7), both scheduled for May 21.”

    “Firefox Beta and Firefox Nightly already include the change,” the spokesperson said, adding that no action was recommended for browsers on Windows and Linux.

    Microsoft rolls out Windows updates
    Microsoft has released patches for its operating system and cloud.

    Jeff Jones, a senior director at Microsoft, said the software and cloud giant has been “working closely with affected chip manufacturers to develop and test mitigations” for its customers. “We are working to deploy mitigations to cloud services and release security updates to protect Windows customers against vulnerabilities affecting supported hardware chips,” he said.

    In a TechNet article, the company said customers may need to obtain directly from their device maker microcode updates for their processor. Microsoft is pushing many of the microcode updates itself through Windows Update, but they are also available from its website.

    Software updates will be released Tuesday also through Windows Update. Microsoft also has a page with guidance for how to protect against the new attacks.

    Microsoft Azure customers are already protected, the company said.

    Amazon patches AWS
    A spokesperson for Amazon has confirmed its cloud service Amazon Web Services has been updated to prevent attacks.

    “AWS has designed and implemented its infrastructure with protections against these types of bugs, and has also deployed additional protections for MDS,” said an advisory posted on Amazon’s website. “All EC2 host infrastructure has been updated with these new protections, and no customer action is required at the infrastructure level.”

    Updated article and headline to include remarks from Amazon and Mozilla.

    Read more:

    How to test MDS (Zombieload) patch status on Windows systems
    PowerShell script tells you if you're Windows OS is safe from MDS attacks.
    By Catalin Cimpanu for Zero Day | May 15, 2019 -- 00:49 GMT (17:49 PDT)
    https://www.zdnet.com/article/how-to-test-mds-zombieload-patch-status-on-windows-systems/

    "Four MDS attacks have been revealed today, with Zombieload considered the most dangerous of them all:
    • CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS) [codenamed Fallout] 
    • CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS) [codenamed RIDL] 
    • CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS) [codenamed Zombieload, but also RIDL] 
    • CVE-2018-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM) [codenamed RIDL]
    To safeguard systems, users must install Intel CPU microcode updates, but also OS-level updates. Microsoft, along with other OS makers, have already released OS patches today.

    Intel has released microcode updates to motherboard and OEM firmware vendors already, and they should be made available to users as part of OEM firmware updates in the future.

    Last year, Microsoft released a PowerShell script to help system administrators detect if Meltdown and Spectre patches have installed and are working correctly.

    Today, Microsoft updated that same script to support the new MDS attacks, which just like the Meltdown and Spectre vulnerabilities, are also flaws in the speculative execution process, and can be detected the same way.

    Below are the steps to download and use the PowerShell script, as well as information to the way results should be interpreted.
    1) Open a PowerShell terminal with admin rights. You can do this by clicking the Start button, searching for "Windows PowerShell," right-clicking the option, and selecting "Run as Administrator."
    [​IMG]


    2) In the PowerShell terminal, enter "$SaveExecutionPolicy = Get-ExecutionPolicy".

    This will save your current PowerShell execution policy (access rights) to a variable, so you can restore it later.

    3) In the PowerShell terminal, enter "Set-ExecutionPolicy RemoteSigned -Scope Currentuser". Don't forget to enter "Y" and then press Enter. If that doesn't work, replace Currentuser with Unrestricted.

    4) In the PowerShell terminal, enter "Install-Module SpeculationControl". This command will download and install Microsoft's speculative execution status check script.

    5) In the PowerShell terminal, enter "Get-SpeculationControlSettings". This will produce a report like the following:
    [​IMG]
    Sections A and B are practically the same, with section A providing a reasonable explanation of what's currently installed on the system. But for clarity, we've pulled Microsoft's explanations for each of these three checks.

    MDSWindowsSupportPresent or "Windows OS support for MDS mitigation is present"

    "This line tells you if the Windows operating system support for the Microarchitectural Data Sampling (MDS) operating system mitigation is present. If it is True, the May 2019 update is installed on the device, and the mitigation for MDS is present. If it is False, the May 2019 update is not installed, and the mitigation for MDS is not present."

    MDSHardwareVulnerable or "Hardware is vulnerable to MDS"

    "This line tells you if the hardware is vulnerable to Microarchitectural Data Sampling (MDS) set of vulnerabilities (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12139). If it is True, the hardware is believed to be affected by these vulnerabilities. If it is False, the hardware is known to not be vulnerable."

    MDSWindowsSupportEnabled or "Windows OS support for MDS mitigation is enabled"

    "This line tells you if the Windows operating system mitigation for Microarchitectural Data Sampling (MDS) is enabled. If it is True, the hardware is believed to be affected by the MDS vulnerabilities, the windows operating support for the mitigation is present, and the mitigation has been enabled. If it is False, either the hardware is not vulnerable, Windows operating system support is not present, or the mitigation has not been enabled."

    6) In the PowerShell terminal, enter "Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser" to restore your system's original PowerShell execution policy. If you want to be safe, just use "Set-ExecutionPolicy -ExecutionPolicy Restricted".
    If patches have not been installed, the team of security researchers who uncovered the MDS attacks recommend disabling the Simultaneous Multi-Threading (SMT) feature on Intel CPUs will significantly reduce the impact of all MDS attacks."
     
    Last edited: May 15, 2019
  9. ajc9988

    ajc9988 Death by a thousand paper cuts

    Reputations:
    1,442
    Messages:
    5,460
    Likes Received:
    7,767
    Trophy Points:
    681
    Do you remember Intel's advertising specifically claiming how secure they were? At this point, it is pretty obvious they sacrificed security for performance, or, sometimes it seems, for no reason at all!
     
  10. Talon

    Talon Notebook Virtuoso

    Reputations:
    1,129
    Messages:
    3,114
    Likes Received:
    3,540
    Trophy Points:
    331
    Had the patch available for download yesterday from Windows Update and ran it.

    Edit: Also updated the ME with the firmware tool and BIOS. Lost 0 points in TimeSpy Physics test, gained 15 points in Cinebench run from my initial testing at 9900K launch though as always there is variability in that test and multiple runs, tested a few games and 0 performance loss.

    Official public statement from Intel

    https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html

    Is Intel recommending that I disable HT?
    No. Intel is not recommending that users disable Intel® Hyper threading. It’s important to understand that doing so does not alone provide protection against MDS, and may impact workload performance or resource utilization that can vary depending on the workload.

    Is this mitigated in future hardware?
    Yes. MDS vulnerabilities are addressed by hardware changes with select 8th and 9th Generation Intel® Core™ processors, as well as the 2nd Generation Intel® Xeon® Scalable Processor Family. We expect all future processors will include hardware mitigations addressing these vulnerabilities.

    More information can be found by going here.

    https://support.microsoft.com/en-gb/help/4494441/windows-10-update-kb4494441 -- Here is your Windows update if you don't get it via automatic download option in Windows.
     
    Last edited: May 15, 2019
    Riley Martin, Kyle, Vasudev and 2 others like this.
Loading...
Similar Threads - Vulnerabilities Meltdown Spectre
  1. Starlight5
    Replies:
    14
    Views:
    788

Share This Page