• A note about the “new” Spectre NG revelations

    Several of you have pinged me about the Spectre NG (variously, Specter V4, Spectre V4, Specter-NG, and enough alternatives to make Google search interesting) posts by Microsoft and Intel earlier this week.

    We talked about those bad boys on May 3, when Günter Born posted his first exploration of the problems and their fleeting solutions. Born has since updated his exploration with a further discussion of the mysteries surrounding Microsoft’s patches — which are horribly documented, as usual.

    Microsoft has posted two Security Advisories, ADV180012 (for CVE-2018-3639) and ADV180013 (for CVE-2018-3640), that deal with related problems. The first Advisory says that Microsoft doesn’t have any idea which versions of Windows (or Azure) are affected. The second Advisory says that Surface machines are affected, but there’s no fix right now.

    Intel has a good overview of the “side-channel analysis” problems, which says that Intel anticipated the problem, increased its bug bounty, and:

    We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.

    Which should send a chill down the spine of anyone who’s had to deal with the earlier Meltdown, Spectre V1, V2, and V3 fire drills.

    @Kirsty has been following the latest developments in our Code Red forum. She points to excellent articles by Catalin Cimpanu, Steven Vaughan-Nichols and Martin Brinkmann.

    Big open question: How much more performance will the new mitigations consume?

    Noel Carboni has a key observation:

    It strikes me again and again that “Spectre” and “Meltdown” are first and foremost tools to manipulate the masses, used by those trying to make money in “security”.

    Nailed it.

    I’m not saying that Microsoft, Intel, AMD, Qualcomm and others had a hand in bringing down the Meltdown/Spectre curtain. I am saying they stand to make a whole lotta money out of it, and added publicity doesn’t hurt one whit.

    Oh. And it should go without saying that we haven’t yet seen one, single, solitary Meltdown or Spectre exploit in general use.