
CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.

  1. Tanner@XoticPC

    Tanner@XoticPC Company Representative

    To be fair, I'm leaving them on for a couple of test machines to see what happens.
     
    hmscott, Vasudev and Papusan like this.
  2. Vasudev

    Vasudev Notebook Prophet

    Was about to turn on auto updates on my sis's laptop and this move actually made me re-consider.
     
    Raiderman, hmscott and Papusan like this.
  3. Papusan

    Papusan BGABOOKS = That sucks!! STAHP! Dont buy FILTH...

    You play with the fire:D

    ----------------------------------------------

    Edit. Microcode revision guidance - February 12 2018
     
    Last edited: Feb 13, 2018
    Ashtrix, Raiderman and hmscott like this.
  4. Papusan

    Papusan BGABOOKS = That sucks!! STAHP! Dont buy FILTH...

    Microsoft Security Updates February 2018 release-Ghacks.net

    As you all know... New is always better:D Direct update downloads in the link above (to the Microsoft Update Catalog website where you can download the updates as standalone files). I wish you good luck:p I'm a Happy Camper with slow download speed. I will take my time:vbthumbsup:
     
    Raiderman, Vasudev and hmscott like this.
  5. hmscott

    hmscott Notebook Nobel Laureate

    MS-DEFCON 2 for Feb 2018: Make sure Automatic Update is turned off
    Posted on February 12th, 2018 at 08:24

    https://www.askwoody.com/2018/ms-defcon-2-for-feb-2018-make-sure-automatic-update-is-turned-off/
    "Last month’s Patch Tuesday (and Monday, Wednesday, Thursday, Friday, Saturday and Sunday) should prove, once again, that knowledgeable Windows users need to turn off Automatic Update.

    Do me a favor, wouldja? If you bump into any of the self-proclaimed security “experts” who tell everyone to turn on Automatic Update, would you post a link to their drivel? I took a lot of guff for my posts a year ago, advising folks to turn off Automatic Update. If there’s anybody in the industry who’s still spreading that kind of hooey, I want to know who and why."


    Security Vulnerability: "Meltdown" and "Spectre" side channel attacks against CPUs with speculative execution.

    https://www.suse.com/de-de/support/kb/doc/?id=7022512
    Modified Date: 12-FEB-18
    SUSE, SUSE Linux Enterprise Desktop, SUSE Linux Enterprise Server
    This document (7022512) is provided subject to the disclaimer at the end of this document.

    Environment

    Based on research from various groups and individuals a new family of side channel attacks against CPUs with speculative execution was identified that can be used by attackers to read content of otherwise inaccessible memory.

    To help mitigate these hardware-implementation-related flaws on the software layer, SUSE as an operating system vendor has released and is continuing to work on mitigations for these side channel attacks in the Linux kernel and other packages.

    For details on the vulnerability, please check : https://meltdownattack.com/

    Situation

    The following three attacks have been identified :
    CVE-2017-5753: variant 1 - bounds check bypass
    Local attackers could use speculative execution over code patterns in the Linux Kernel to leak content from otherwise not readable memory in the same address space, allowing retrieval of passwords, cryptographic keys and other secrets.

    This problem is mitigated by fencing speculative execution on affected code paths throughout the Linux kernel and needs to be addressed for all SUSE Linux Enterprise processor architectures.

    Fixes for this variant are contained in the SUSE Linux Kernel updates.

    AMD/Intel x86-64, IBM Power and IBM Z have received mitigations; only ARM Arch64 has not received them yet.

    As these mitigations need to be added to a lot of different places throughout the Linux Kernel and potentially even also other packages, future updates could be necessary.

    CVE-2017-5715: variant 2 - branch target injection
    Local attackers could use mis-predicted branches to speculatively execute code patterns that in turn could be made to leak otherwise non-readable content in the same address space, an attack similar to CVE-2017-5753.

    There are two different approaches to mitigate this issue, both complement each other :

    Approach 1 : Selectively restricting the indirect branch predictor

    This first method is done by restricting predictive branches, depending on CPU architecture either by firmware updates and/or mitigations in the user-kernel privilege boundaries.

    Terminologies used :
    - IBPB: Indirect branch prediction barrier. Previous learned branch prediction targets are forgotten at this barrier, used when switching to a different privilege context.

    - IBRS: Indirect branch restricted speculation. If set, indirect branches will not use previous speculation data from lower privilege levels.

    - STIBP: Single thread indirect branch predictors prevents indirect branch predictions from being controlled by the sibling Hyperthread.
    Further reading in this white paper from Intel: https://newsroom.intel.com/wp-conte...is-of-Speculative-Execution-Side-Channels.pdf

    Fixes needed in / by CPU architecture :
    Intel x86_64 : Linux Kernel and CPU Microcode (Microcode delivered by SUSE or vendor)
    AMD x86_64 : Linux Kernel and CPU Microcode (Microcode delivered by SUSE or vendor)
    IBM Z : Linux Kernel and CPU Microcode (Microcode delivered by IBM)
    IBM Power : CPU Microcode (Microcode delivered by IBM)
    ARM Arch64 : still in development
    This mitigation has a performance impact, and as such, this will be made configurable via the kernel command line option "nospec" in later releases. Please note that disabling it will disable the mitigation for CVE-2017-5715 and should only be done on systems with trusted users executing only trusted code (!).

    Note on Intel CPU Microcode :

    As Intel reported increased system instabilities after applying the 20180108 Intel CPU Microcode updates, we have retracted those from our update servers. We are in close contact with Intel and will be releasing new microcode updates once Intel releases them.

    A detailed technical Intel Microcode guidance document was published on :
    https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf

    The last Intel microcode update can be force installed using :
    On SLE 12 :
    zypper in -f ucode-intel-20170707-13.5.1
    On SLE 11 SP3 LTSS and SLES 11 SP4 we have released an incremental "microcode_ctl" package that again reverts to the 20170707 state of the Intel ucode, which is available from our update servers.
    Approach 2 : Rebuilding the kernel without indirect jumps by using "retpolines"

    SUSE is currently working on compiler and kernel support for the "retpolines" technology that replaces indirect jumps by return-trampolines and will be releasing kernel updates with those enabled for x86_64 in the next weeks.

    These kernel updates will mitigate the Spectre variant 2 problem without a need for microcode updates on most of the AMD and Intel x86_64 systems.

    Some new x86_64 platforms like Broadwell and Skylake will still need microcode updates even with a retpoline enabled kernel.

    CVE-2017-5754: variant 3 - rogue data cache load
    Local attackers could use code patterns in userspace to speculatively execute code that would read otherwise read-protected memory, an attack similar to CVE-2017-5753.

    This problem is mitigated by unmapping the Linux Kernel from the user address space during user code execution, following an approach described in the "KAISER" paper and called "Page Table Isolation" / "PTI".

    We have released updates that implement this mitigation on the Intel x86_64 and IBM Power architecture.
    This mitigation is also necessary for the ARM architecture and will be delivered in the second round of updates.

    This problem does not affect the AMD x86_64 and IBM Z processor architecture.

    This mitigation can be enabled / disabled by the "pti=[on|off|auto]" or "nopti" command line options. More details can be found in the "Additional information" section. Please note that disabling it will disable the mitigation for this issue (!).
    Resolution

    SUSE has released kernel updates for all maintained SUSE products to mitigate the "Meltdown" attack.
    SUSE has released kernel updates for all maintained SUSE products to mitigate the "Spectre Variant 1" attack.
    SUSE has released kernel updates for all maintained SUSE products to mitigate the "Spectre Variant 2" attack, pending on availability of CPU Microcode updates.
    SUSE has released CPU microcode updates for AMD Ryzen in the "ucode-amd" package on SLE 12 and "microcode_ctl" on SLE 11.
    SUSE has released KVM and QEMU updates to allow passing through CPU flags and MSR registers to support controlling speculative branch handling.
    SUSE has released system compiler updates including "retpoline" support.
    SUSE is in the process of releasing kernel updates for all maintained SUSE products to mitigate the "Spectre Variant 2" using the "retpoline" method on x86_64.

    Going forward :
    SUSE will be releasing kernel updates for all maintained SUSE products to mitigate the "Spectre Variant 2" using the "retpoline" method on x86_64.
    SUSE will also be releasing firmware updates for Intel x86_64 in the packages microcode_ctl on SUSE Linux Enterprise 11, ucode-intel on SUSE Linux Enterprise 12, once stable microcode updates from Intel are available.

    The XEN Hypervisor also needs mitigations for the described problems, these are currently in development.
    For further details on XEN, KVM and QEMU updates please review TID 7022514.


    Performance Impact

    The performance impact of these patches is highly dependent on the actual workload, but also on CPU vendor and family. We recommend to always validate the performance impact prior to deploying these updates to production systems.

    For more detail on the performance aspect, please read this SUSE blog here : https://www.suse.com/c/meltdown-spectre-performance/


    SUSE has released the following updates :

    SLES 12 SP3
    kernel-default-4.4.114-94.11.3 released Wednesday, 7th of February 2018
    kernel-default-4.4.103-94.6.1 (IBM Z Series ONLY) released Tuesday, 16th of January 2018
    kernel-default-4.4.103-6.38.1 released Thursday, 4th of January 2018
    ucode-amd-20170530-21.16.1 released Thursday, 4th of January 2018
    (**obsoleted**) ucode-intel-20180108-13.11.1 released Thursday,11th of January 2018
    (**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
    qemu-2.9.1-6.9.2 released Thursday, 4th of January 2018
    SLES 12 SP3 Real Time
    Original fixes were included in GA release. Future updates will be released via maintenance.
    SLES 12 SP2
    kernel-default-4.4.114-92.64.1 released Friday 9th of February 2018
    kernel-default-4.4.103-92.59.1 (IBM Z Series ONLY) released Thursday, 11th of January 2018
    kernel-default-4.4.103-92.56.1 released Thursday, 4th of January 2018
    ucode-amd-20170530-21.16.1 released Thursday, 4th of January 2018
    (**obsoleted**) ucode-intel-20180108-13.11.1 released Thursday,11th of January 2018
    (**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
    SLES 12 SP2 Real Time
    kernel-rt-4.4.104-24.1 released Thursday, 25th of January 2018
    SLES 12 SP1 - LTSS
    kernel-default-3.12.74-60.64.72.1 (IBM Z Series ONLY) released Tuesday, 16th of January 2018
    kernel-default-3.12.74-60.64.69.1 released Friday, 5th of January 2018
    (**obsoleted**) ucode-intel-20180108-13.11.1 released Thursday,11th of January 2018
    (**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
    qemu-2.3.1-33.6.1 released Tuesday, 9th of January 2018
    [*SLE-12-SP1 ppc64le customers, please see 'note 2' below.]
    SLES 12 - LTSS
    kernel-default-3.12.61-52.111.1 released Tuesday, 16th of January 2018
    ucode-amd-20140807git-5.3.1 released Tuesday, 9th of January 2018
    (**obsoleted**) ucode-intel-20180108-13.11.1 released Thursday,11th of January 2018
    (**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
    SLES 11 SP4
    kernel-default-3.0.101-108.24.1 (IBM Z Series ONLY) released Thursday, 18th of January 2018
    kernel-default-3.0.101-108.21.1 released Thursday, 4th of January 2018
    microcode_ctl-1.17-102.83.12.1 released Friday ,19th of January 2018
    (**obsoleted**) microcode_ctl-1.17-102.83.9.1 released Thursday,11th of January 2018
    (**obsoleted**) microcode_ctl-1.17-102.83.6.1 released Thursday, 4th of January 2018
    SLES 11 SP4 Real Time
    kernel-rt-3.0.101.rt130-69.14.1 released Tuesday, 23rd of January 2018
    SLES 11 SP3 - LTSS
    kernel-default-3.0.101-0.47.106.11.1 released Monday, 8th of January 2018
    microcode_ctl-1.17-102.83.12.1 released Friday ,19th of January 2018
    (**obsoleted**) microcode_ctl-1.17-102.83.9.1 released Thursday,11th of January 2018
    (**obsoleted**) microcode_ctl-1.17-102.83.6.1 released Thursday, 4th of January 2018
    SUSE CaaS Platform
    ucode-amd-20170530-21.16.1 released Thursday, 4th of January 2018
    qemu-2.9.1-6.9.2 released Thursday, 4th of January 2018

    Note 1: Observing multiple microcode-ctl and/or ucode-intel releases for the same SLE version :
    As firmware updates continue to become available for other CPU models, this will show as another new microcode-ctl and/or ucode-intel release with the date released.

    The microcode listed as (**obsoleted**) were removed from our maintenance updates and SUSE patch finder location here due to quality issues reported by customers and community.

    Note 2 : An LTSS channel for SLE-12-SP1 ppc64le does not exist.
    The patches for Spectre & Meltdown are available in the SLES-12-SP1-SAP channel. This channel is supported until May 2018 (as per the SUSE Product Life Cycle page here).

    Important note : A valid SLES for SAP subscription is required to access this repository.

    Cause

    CVE-2017-5753 (Spectre - variant 1)
    CVE-2017-5715 (Spectre - variant 2)
    CVE-2017-5754 (Meltdown - variant 3)
    Additional Information

    Products running on top of SUSE Linux Enterprise Server, such as SUSE OpenStack Cloud, SUSE Enterprise Storage, SUSE Manager are not directly vulnerable. For these SUSE products, updating the Host (running SUSE Linux Enterprise Server) with the updates detailed and listed here is sufficient.


    Public Cloud:
    SUSE has updated all (on-demand and BYOS) images that are actively maintained within the SUSE Public Cloud Image lifecycle guidelines. Image information can be retrieved with the "pint" tool.

    All updated images have a timestamp of v20180104, i.e. January 4th 2018 or later.

    For all running instances of SUSE images in production within public clouds, SUSE's advice to all customers is to apply all existing kernel updates available.

    Enabling or Disabling Mitigations for Performance reasons

    Mitigations that were applied can be selectively enabled or disabled.

    SUSE Linux Enterprise chooses the default to be secure, meaning the mitigations are enabled.

    Spectre variant 2 kernel parameters :
    For x86_64 architecture a new "spectre_v2" kernel commandline parameter has been added to control how the spectre variant 2 mitigations are enabled.
    spectre_v2=<value>
    <value> :
    on - unconditionally enable the mitigation
    off - unconditionally disable the mitigation
    auto - kernel detects whether your CPU model is vulnerable
    Selecting 'on' will, and 'auto' may, choose a mitigation method at run time according to the CPU, the available microcode, the setting of the CONFIG_RETPOLINE configuration option, and the compiler with which the kernel was built.
    Specific mitigations can also be selected manually:
    retpoline - replace indirect branches
    retpoline,generic - google's original retpoline
    retpoline,amd - AMD-specific minimal thunk
    nospectre_v2 - this is the same as spectre_v2=off

    Not specifying any option is equivalent to using : spectre_v2=auto.

    For x86_64 we also support the option:
    nospec
    This option disables the CPU microcode based Spectre variant 2 mitigations.
    The retpoline enablement is not controlled by this option.

    For s390x architecture, the parameter is called "nobp", and has following values :
    nobp=<value>
    <value> :
    on - enable mitigation
    off - disable mitigation

    PTI kernel parameter:

    The default value for x86-64 is "auto", meaning enabled for processors deemed vulnerable or unknown, and disabled on those known to be unaffected (AMD).
    For ARM the default value is "off" for the time being as the "auto" trigger has not been implemented yet.
    pti = auto
    lets kernel decide, which means it turns PTI on when it's running on Intel and turns it off when running on AMD
    pti = off
    force-disable PTI even on Intel
    pti = on
    force-enables PTI even on AMD

    Verifying if a system is protected :
    Following updating the latest kernels, it is possible to check /proc/cpuinfo for 'kaiser' or 'pti' and 'spec_ctrl' or 'ibpb' information.

    When the output includes :
    'kaiser' or 'pti' flags, then v3 (Meltdown) protection is active.
    'spec_ctrl' flag, then v2/v1 (Spectre) protection is active on Intel CPU's.
    'ibpb' flag, then v2/v1 (Spectre) protection is active on AMD CPU's.
    Additional detail :
    - The 'kaiser' flag is used on SLE versions up to SLE 12, in turn, SLE 15 will use the 'pti' flag.
    - The 'spec_ctrl' or 'ibpb' flag implies both v2 and v1 protection, but if it is not present, it means v2 is not active, but v1 still may, as it currently cannot be disabled in SLES - if the installed kernel has it, it's on.
    Disclaimer

    This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND."

    Linux Meltdown patch: 'Up to 800 percent CPU overhead', Netflix tests show the performance impact of Meltdown patches makes it essential to move systems to Linux 4.14.
    By Liam Tung | February 12, 2018 -- 12:36 GMT (04:36 PST)
    http://www.zdnet.com/article/linux-meltdown-patch-up-to-800-percent-cpu-overhead-netflix-tests-show/

    "The Linux mitigation for Meltdown known as kernel page table isolation (KPTI) can cause a massive drain on CPU performance, according to an analysis by Brendan Gregg, a senior performance architect at Netflix.

    While Intel's Spectre mitigations have attracted the most attention for causing performance and stability problems, Gregg finds that KPTI causes the "largest kernel performance regressions I've ever seen".

    KPTI prevents Meltdown leaks by using completely separate page tables for user-mode execution and kernel-mode execution.

    To test the impact of KPTI, Gregg created a microbenchmark and found that Netflix, one of the largest users of AWS, is likely to see a performance overhead of between 0.1 percent and six percent due to KPTI. However, others may see much larger overheads.

    "The KPTI patches to mitigate Meltdown can incur massive overhead, anything from one percent to over 800 percent," he writes.
    "Where you are on that spectrum depends on your syscall and page fault rates, due to the extra CPU cycle overheads, and your memory working set size, due to TLB flushing on syscalls and context switches."


    Gregg's analysis looks at five key factors that influence overhead, including system call rates, context switches, page fault rate, the working set size, and cache pattern access. Depending on the measurements for each factor, the performance overhead can balloon from two percent to 17 percent.

    The circumstance where the overhead can exceed 800 percent is when using a version of Linux that didn't support PCID or process-context ID.

    The Linux kernel added support for PCID in version 4.14, improving its handling of the Meltdown-fixing separate tables so long as the CPU supports PCID too.

    Exactly how much the system is impacted depends on the characteristics of the application. As he notes, applications with higher system call, or syscall, rates, such as proxies and databases that do lots of tiny I/O, will suffer the largest losses. The impact also rises with higher context switch and page fault rates.

    Gregg offered the following summary:

    • Syscall rate: There are overheads relative to the syscall rate, although high rates are needed for this to be noticeable. At 50,000 syscalls per second per CPU, the overhead may be two percent, and climbs as the syscall rate increases. At Netflix, high rates are unusual in the cloud, with some exceptions, such as databases.

    • Context switches: These add overheads similar to the syscall rate, and the context switch rate can simply be added to the syscall rate for the following estimations.

    • Page fault rate: Adds a little more overhead as well, for high rates.

    • Working set size, hot data: More than 10MB will cost additional overhead due to TLB flushing. This can turn a one percent overhead (syscall cycles alone) into a seven percent overhead. This overhead can be reduced by a) PCID, available in Linux 4.14, and b) huge pages.

    • Cache access pattern: The overheads are exacerbated by certain access patterns that switch from caching well to caching a little less well. Worst case, this can add an additional 10 percent overhead, taking, say, the seven percent overhead to 17 percent.

    He expects Netflix will be able to reduce the performance overhead to less than two percent by using Linux 4.14 with PCID support, huge pages, syscall reductions and other methods to fine-tune performance.

    However, Gregg notes that KPTI is only one source of performance overheads in the fixes for Meltdown and Spectre, which include cloud hypervisor changes, Intel's microcode, and compilation changes such as Google's Retpoline fix.

    Brendan Gregg has set out the cost of extra CPU cycles in the syscall path.
     
    Last edited: Feb 13, 2018
    Raiderman and Vasudev like this.
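
The flag check from the SUSE document quoted in the post above, as an added shell example that is not part of the thread or of SUSE's text. It applies the 'kaiser'/'pti', 'spec_ctrl' and 'ibpb' flags, the quoted boot options, and the PCID condition from the ZDNet article to text inputs; the function names, status words and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and status words are this example's own;
# the flags and boot options are the ones named in the quoted SUSE text.

# has_word "LIST" WORD: true when WORD is a whole space-separated item of
# LIST, so a lookup for "pti" does not match "nopti".
has_word() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# field FILE KEY: value of the first "KEY : value" line of a cpuinfo-style file.
field() {
    sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" "$1" | sed -n 1p
}

# meltdown_status VENDOR "FLAGS" "CMDLINE"
meltdown_status() {
    if has_word "$2" kaiser || has_word "$2" pti; then
        echo active               # 'kaiser' up to SLE 12, 'pti' on SLE 15
    elif [ "$1" = AuthenticAMD ]; then
        echo not-affected         # quoted text: variant 3 does not affect AMD x86_64
    elif has_word "$3" nopti || has_word "$3" pti=off; then
        echo disabled-by-cmdline
    else
        echo not-active
    fi
}

# spectre_v2_status "FLAGS" "CMDLINE"
# Follows the quoted flag list only ('spec_ctrl' on Intel, 'ibpb' on AMD).
spectre_v2_status() {
    if has_word "$1" spec_ctrl || has_word "$1" ibpb; then
        echo active
    elif has_word "$2" spectre_v2=off || has_word "$2" nospectre_v2; then
        echo disabled-by-cmdline
    elif has_word "$2" nospec; then
        echo microcode-mitigation-disabled
    else
        echo not-active
    fi
}

# pcid_status KERNEL_RELEASE "FLAGS"
# Mirrors the article's statement: PCID needs CPU support and Linux 4.14+.
pcid_status() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    if ! has_word "$2" pcid; then
        echo cpu-lacks-pcid
    elif [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "${minor:-0}" -ge 14 ]; }; then
        echo usable
    else
        echo kernel-older-than-4.14
    fi
}

# report VENDOR "FLAGS" "CMDLINE" KERNEL_RELEASE
report() {
    echo "meltdown_v3=$(meltdown_status "$1" "$2" "$3")" \
         "spectre_v2=$(spectre_v2_status "$2" "$3")" \
         "pcid=$(pcid_status "$4" "$2")"
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_INTEL_FLAGS="fpu vme pcid sse4_2 kaiser spec_ctrl"
SAMPLE_AMD_FLAGS="fpu vme sse4_2 ibpb"
SAMPLE_BARE_FLAGS="fpu vme pcid sse4_2"
SAMPLE_CMDLINE="BOOT_IMAGE=/boot/vmlinuz root=/dev/sda2 quiet"
SAMPLE_CMDLINE_OFF="BOOT_IMAGE=/boot/vmlinuz root=/dev/sda2 nopti nospec"

if [ "${1:-}" = "--live" ]; then
    # Read the running system instead of the constructed samples.
    report "$(field /proc/cpuinfo vendor_id)" "$(field /proc/cpuinfo flags)" \
           "$(cat /proc/cmdline)" "$(uname -r)"
else
    report GenuineIntel "$SAMPLE_INTEL_FLAGS" "$SAMPLE_CMDLINE" 4.4.114-94.11-default
    report AuthenticAMD "$SAMPLE_AMD_FLAGS" "$SAMPLE_CMDLINE" 4.4.114-94.11-default
    report GenuineIntel "$SAMPLE_BARE_FLAGS" "$SAMPLE_CMDLINE_OFF" 4.14.0
fi
```

Run with `--live` to read `/proc/cpuinfo`, `/proc/cmdline` and `uname -r` on the machine itself.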
  6. hmscott

    hmscott Notebook Nobel Laureate

    Microsoft delivers free Meltdown-Spectre assessment tool for IT pros
    Protecting an organization from attacks based on two widespread and potentially deadly security vulnerabilities requires monitoring software, firmware, and antivirus updates. New capabilities in Microsoft's Windows Analytics service display that status on a single dashboard.
    By Ed Bott for The Ed Bott Report | February 13, 2018 -- 17:00 GMT (09:00 PST)
    http://www.zdnet.com/article/microsoft-delivers-free-meltdown-spectre-assessment-tool-for-it-pros/
    "If you're an IT pro and you haven't been sleeping soundly since the New Year, blame Meltdown and Spectre. These serious security flaws, more formally known as "speculative execution side-channel attacks," are present in all modern CPUs and represent the sort of problem that can keep any network admin up at night.

    The biggest challenge is keeping track of all the pieces that need to be patched. To fully protect your Windows PCs from the inevitable attacks aimed at these vulnerabilities, you'll need to apply multiple software patches and update the BIOS or firmware on the underlying hardware.

    (For more details, see "Meltdown-Spectre: Four things every Windows admin needs to do now.")

    If your organization has standardized on third-party antivirus software, you'll also have to assess whether that software is compatible with those software and firmware patches. (You might also need to edit the registry on affected PCs to unblock security updates for those devices.)

    Oh, and if you installed one of the early, defective firmware patches, which were the cause of "higher than expected reboots and other unpredictable system behavior," you might have still one more item to add to your checklist: Undo the January 2018 update (KB4078130) that temporarily disabled the software mitigations.

    But don't do that until the PC maker pushes out a new firmware update to replace the defective one.

    If you're responsible for a single PC, that checkup is easy to do manually. In a small office with a half-dozen PCs, it's a tedious but manageable task.

    On a network with hundreds or thousands of Windows PCs, however, inspecting and patching every device by hand is impractical.
    To address that acute problem, Microsoft announced today that it's releasing a new set of tools to help Windows admins assess what they need to do to protect their enterprise PCs from Meltdown and Spectre.

    These capabilities are available through the free Windows Analytics service, which collects data from an organization's registered devices using the built-in Windows telemetry service and displays the aggregated protection status on a single dashboard like the one shown here.

    These capabilities are newly added to the Windows Analytics dashboard.
    Image credit: Microsoft
    The Windows Analytics capabilities are available on Pro, Enterprise, and Education editions of all supported desktop versions of Windows: Windows 7 with Service Pack 1, Windows 8.1, and Windows 10. Setting up the service requires an Azure Active Directory account, which is also free. (If your organization has a business or enterprise Office 365 subscription, you already have the Azure AD infrastructure in place.)

    As the screenshot above illustrates, the dashboard displays three crucial pieces of information, called status insights:
    • Antivirus software status: Most third-party antivirus software has been updated to be compatible with the Windows security updates for Spectre and Meltdown. This status insight should identify any devices that still require updates.
    • Windows security update status: This panel shows which security updates have been installed on a device that's being monitored and also indicates whether any of those updates have been disabled. This status insight includes information for all original January 2018 updates as well as the updates released as part of the February 2018 Patch Tuesday release. (For a complete list of software updates by edition, see "Protect your Windows devices against Spectre and Meltdown" [KB4073757].)
    • Firmware security update status: In an interview ahead of today's announcement, Klaus Diaconu, Partner Group Program Manager at Microsoft, acknowledged that this piece of the puzzle is "still evolving." Intel pulled its original microcode updates, and some of the PC makers who were burned with the initial batch of defective updates are being more cautious with the latest round of updates.
    From that dashboard, an IT pro can drill down into groups and even to specific devices to determine what actions are still required.

    Most large organizations already have update management tools in place to deliver Windows security patches and antivirus updates as needed. Firmware updates are potentially the most problematic, as they don't always allow for automated updates from a centralized server.

    This is not a problem for Microsoft's Surface devices, which deliver firmware and other system software updates through Windows Update. For other PC OEMs, the update workflow might be more challenging, and it might be weeks or months before the required updates are available.

    In the short run, this service solves a serious problem for harried IT pros. In the long run, it also represents an opportunity for Microsoft to introduce its relatively new Windows Analytics service to a generation of admins who haven't tried it yet. Because, sadly, the Meltdown-Spectre cleanup is going to be a long process, with more updates to come.

    Windows Analytics
    Windows Analytics now provides insights into device status for Meltdown and Spectre
    https://www.microsoft.com/en-us/windowsforbusiness/windows-analytics
     
  7. Tanner@XoticPC

    Tanner@XoticPC Company Representative


    If it's as little impact as last time, I might update others, but that's why I do this in the first place. I guess if you only have in-use systems to test with, better your sis's than yours. ;)
     
    Vasudev, Raiderman and Papusan like this.
  8. Papusan

    Papusan BGABOOKS = That sucks!! STAHP! Dont buy FILTH...

    What a nice brother. Use his sister as Guinea Pig:D Some better?:p
     
    Vasudev and Raiderman like this.
  9. Robbo99999

    Robbo99999 Notebook Prophet

    Updated my desktop with these latest updates, but did do a Macrium Reflect image beforehand just in case! Update went fine, and haven't discovered any issues yet. Just did a quick 3DMark and Timespy benchmark to check performance, that's the same. Couldn't really find any negative reports about this update when I looked about a couple of hours ago.
     
    Vasudev, Papusan and hmscott like this.
  10. Vasudev

    Vasudev Notebook Prophet

    She won't let me near her PC, so I have to update it offline when she goes to College. Too much hassle and she isn't bothered by slow-downs and telemetry and other ****.
    Maybe I'll turn ON auto-updates because I am finding it a hassle to do background work and optimising the PC for peak performance.
     
    Papusan, hmscott and Raiderman like this.