Patch Lady – Microcode confusion


    #212608

    Patch Lady here on the Microcode updates. So here’s my take on all of this: Unless you are a nation state, have a key asset in a cloud server, or are
    [See the full post at: Patch Lady – Microcode confusion]

    Susan Bradley Patch Lady/Prudent patcher

    9 users thanked author for this post.
    • #212609

      And you’re gonna need to buy a (much) bigger screen to make the Pinocchio scale fit there for Intel: Intel Publishes Microcode Security Patches With No Benchmarks Or Profiling Allowed

      1 user thanked author for this post.
    • #212616

      Perfectly said by Susan that these side channel Spectre threats are the least of our problems when we go online.
      Yes they are theoretically possible but not really probable. They are a good marketing tool for Intel and Microsoft though.

      1 user thanked author for this post.
    • #212649

      I’m a bit confused by the use of the ‘Pinocchio’ scale. Is the article suggesting that Microsoft is lying? Isn’t the mantra to ‘never confuse as deception that which can be put down to incompetence or stupidity’?

      Did I read the article incorrectly? (Always possible… 🙂 )

    • #212653

      August 2018: More technical information from Intel regarding the ‘speculative execution side channel update’ with affected CPU’s and pdf link:
      https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
      https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf

      If debian is good enough for NASA...
      3 users thanked author for this post.
      • #212844

        Based on the description of the vulnerability, it would seem to require an attacker to be running on the local system, either as a local user, or in a VM.

        Which may be more of an issue if you are running a web server in a virtualized environment. So commercial hosting or cloud services should pay attention to this.

        But I wouldn’t think that the average home user would need to be very concerned about this risk. Just my two cents… 😉

        Windows 10 Pro 22H2

        • #212851

          I remember reading recently (at Woody’s?) that a new exploit of the speculative execution vulnerability has been either found in a white hat’s “lab”, or maybe directly out there, that does not require a preliminary infestation with enabling malware. Before this note of mine starts a stampede: Does someone else know anything about this?

          Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #212655

      You’re right, people are worrying about this way more than they should have to.

      Marketing people love it when we worry about things we can’t control or understand.

      In my case, with a machine with Xeon x5690 processors not being provided firmware updates by anyone, and continuing to want to run OMG! Positively Ancient Windows 8.1, I’m supposed to believe I’m SOL, right? Better Get Windows 10 on new hardware! Yet this “old” hardware still actually works just fine, and more than meets my needs. Yikes! What can I do?!?

      Maybe we need a new phrase… “Contrived obsolescence”.

      Worse, with all this worry, we really have no idea whatsoever what the impact of patches is going to be on OUR systems when we try to do OUR work… Brand new hardware, of course, is always faster, and will offset all the slowdowns we can imagine.

      All this just to try to reclaim a fleeting, false sense of security once again. So we can worry hard, learn and work all day to fix it, and still end up… Worried.

      Or we can just get Windows 10, let Microsoft manage our systems, and be worry-free! Mother knows best.

      It feels like being in front of a tsunami. You see and know exactly what’s happening but there isn’t all that much you can do about it.

      -Noel

      12 users thanked author for this post.
      • #212753

        Contrived obsolescence instead of “planned obsolescence”, huh Noel?

        1 user thanked author for this post.
    • #212651

      Alert! https://support.microsoft.com/en-us/kb/4100347

      The ****** from Microsoft threw it at Microsoft Update, and it’s offered even if the CPU is not listed. Keep fingers crossed that wushowhide works… And make sure NOT to touch the ‘Update’ button!

      • #212754

        KB4100347 is really superseded by KB4346084.

        The new date for KB4100347 (8/21/2018) is most likely a WU metadata change – nothing else.

    • #212657

      I would also add, for anyone running Debian, that the microcodes are delayed because of some sort of licensing hiccup. But I agree with Susan, way too many other concerns are actually happening in the wild to be concerned about what might happen with Spectre or Meltdown, which has yet to materialize. Maybe because these attacks through hardware give everyone fits? I would also add that some older hardware isn’t getting firmware updates, as some PC makers seem to be skipping their support. So the microcode option is probably best for them. Gibson’s InSpectre check has passed all my PCs, so that’s good enough for me.

    • #212666

      The Pinocchio scale arose from Susan comparing Microsoft’s stated goals with patches to the actuality. These patches fail the “Simple, Predictable, Agile and Transparent” criteria — the SPAT test — in every way.

      Thanks, Woody. I missed the original article which explained the use.

    • #212725

      For folks with Dell systems you can use the Dell Command update utility to acquire firmware updates if they are available. This is the first thing I run on a re-image to ensure all the proper drivers are installed.

      Just about any system I have re-imaged in the past few months has received a firmware update, and InSpectre reports they are fully patched after the update.

      Red Ruffnsore

    • #212760

      I’m still relatively new with Windows 10.
      Could someone please advise the steps for obtaining, downloading, and manually installing one of these recommended updates for version 1709?

      Thanks

      • #212768

        What are your update settings currently?

        Susan Bradley Patch Lady/Prudent patcher

        • #212782

          Windows 10 Pro Ver 1709
          Group update setting 2
          Semi-Annual (not targeted)
          Feature delay 365 days
          Quality Update delay (varies until Woody OK then set to 0)
          wushowhide to selectively hide and hold

          To date I have never had the need to do a manual update from the catalog. In my case it looks like two (2): KB4346085 and KB4078407 to enable.

          Gibson InSpectre (8) shows I have protection for Meltdown and Spectre (my new system came in March with the latest BIOS update from Asus that had a firmware update; nothing since).

    • #212804

      I may be wrong, but doesn’t the excerpt below from Microsoft regarding the Windows 7 August Monthly Rollup update KB4343900 say it’s installing these same microcodes?

      This security update includes improvements and fixes that were a part of update KB4338821 (released July 18, 2018) and addresses the following issues:

      • Provides protections against a new speculative execution side-channel vulnerability known as L1 Terminal Fault (L1TF) that affects Intel® Core® processors and Intel® Xeon® processors (CVE-2018-3620 and CVE-2018-3646). Make sure previous OS protections against Spectre Variant 2 and Meltdown vulnerabilities are enabled using the registry settings outlined in the Windows Client and Windows Server guidance KB articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions.)

      • Addresses an issue that causes high CPU usage that results in performance degradation on some systems with Family 15h and 16h AMD processors. This issue occurs after installing the June 2018 or July 2018 Windows updates from Microsoft and the AMD microcode updates that address Spectre Variant 2 (CVE-2017-5715 – Branch Target Injection).

      • Provides protections against an additional vulnerability involving side-channel speculative execution known as Lazy Floating Point (FP) State Restore (CVE-2018-3665) for 32-Bit (x86) versions of Windows.

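      The quoted KB text tells you to confirm the Spectre Variant 2 / Meltdown registry settings are enabled, but not how to look. The PowerShell below is an added example (not from the thread or from Microsoft): it reads the documented FeatureSettingsOverride / FeatureSettingsOverrideMask values, applies the client/server default the KB text describes when no override is present, and reports whether the updates named in this thread are installed. The 0/3 (enable) and 3/3 (disable) value pairs are Microsoft's documented ones; anything else is reported as custom rather than guessed at.

```powershell
# Added example: check the OS-side speculation-control settings the KB refers to.
# Run in an elevated PowerShell on the Windows machine being checked.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpeculationOverrideState {
    $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1

    if ($null -eq $override -and $null -eq $mask) {
        # No override present: Windows uses its built-in default, which the KB text
        # describes as enabled on Client editions and disabled on Server editions.
        if ($isServer) { return 'DEFAULT: disabled (Server edition, no override set)' }
        return 'DEFAULT: enabled (Client edition, no override set)'
    }
    if ($override -eq 0 -and $mask -eq 3) { return 'ENABLED (Override=0, Mask=3)' }
    if ($override -eq 3 -and $mask -eq 3) { return 'DISABLED (Override=3, Mask=3)' }
    # Partial or unusual combination: do not guess, point at the guidance KB instead.
    return "CUSTOM (Override=$override, Mask=$mask) - compare with the Windows Client/Server guidance KB"
}

function Get-ThreadUpdateStatus {
    # KB numbers are the ones mentioned in this thread: the 1803/1709 microcode
    # packages, the enablement update, and the Windows 7 August 2018 rollup.
    $kbs = 'KB4100347', 'KB4346084', 'KB4346085', 'KB4078407', 'KB4343900'
    foreach ($kb in $kbs) {
        $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        if ($hf) { "$kb installed on $($hf.InstalledOn)" } else { "$kb not installed" }
    }
}

Write-Output ("Spectre v2 / Meltdown OS mitigation setting: " + (Get-SpeculationOverrideState))
Get-ThreadUpdateStatus

# The registry only shows the OS side. Whether the CPU microcode actually provides the
# hardware support (and whether hyperthreading matters for L1TF) is reported by
# Microsoft's SpeculationControl module:
#   Install-Module SpeculationControl; Get-SpeculationControlSettings
```

      On Windows 7 the Win7 rollup KB appears in Get-HotFix output while the Windows 10 microcode KBs will not, and vice versa, so "not installed" for the other platform's KBs is expected.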

    • #212890

      News in from theRegister: https://www.theregister.co.uk/2018/08/23/intel_microcode_license/

      Intel has backtracked on the license for its latest microcode update that mitigates security vulnerabilities in its processors – after the previous wording outlawed public benchmarking of the chips.

      If debian is good enough for NASA...
      1 user thanked author for this post.
      • #212925

        Wow!  Intel’s gift to AMD that just keeps on giving, LOL!

        Also I noticed that the linked article mentions the need to disable hyperthreading as part of the latest mitigation.

        Not good!

        I benchmark tested my CPU recently with hyperthreading disabled in the BIOS, and got a full 30% decrease in performance.  Could be that since my older Ivy Bridge Core i3 only has two physical cores, that it really needs the hyperthreading enabled for full performance.

        Perhaps if you have a quad-core CPU, or one of the newer i5’s with six cores, you may not feel the hit as much.

        So I’ll be leaving my hyperthreading enabled until I can afford a hardware upgrade… 🙂

        Windows 10 Pro 22H2

        2 users thanked author for this post.
    • #212943

      How can you make worse publicity for yourself than by attracting attention to an issue by specifically putting a ridiculous clause that highlights the issue in bold? The first thing people will think is: why would anyone do that if they don’t have anything to hide?

      Susan, I am not sure if you talk about all side-channel vulnerabilities in your first paragraph. It is not clear to me. I would like to comment about all side-channel vulnerabilities. From what I gathered out of them, I agree with you that we are in this for years. I also think right now there is more risk in having the normal methods of malware delivery used, and I would say that a worm-exploitable vulnerability is much more problematic in practice right now than a Meltdown-type flaw for home users.

      But I would respectfully submit a few distinctions to see if it makes sense to you and others or if my understanding is wrong since security is a very complex subject.

      There is the Spectre-type flaw that is exploitable using only JavaScript in a browser and that seemed maybe a bit fixed at some point but not really for the long term. I don’t know where we stand now on this, but thinking other vulnerabilities of this type might exist is a bit scary, since we are talking about a drive-by download type of vulnerability that can read protected memory. This is not a small thing, to me. Not knowing if it is exploited in the wild or not is not that reassuring to me. The great thing about this type of flaw is precisely that you can silently spy without being detected, by temporarily injecting code in a targeted web site. Not being perceived as active in the wild is a big asset for those in this business. You can target someone, put spying code on a website this person goes to, read private memory, then just remove the code when done.

      Then, there are the vulnerabilities that need code to run on the machine. In that sense, I don’t see it as that problematic to normal users except when they have a false sense of security when they test potentially unsafe code in a VM when that code can cross VM boundaries. So yes, for people who don’t rely on these safeguards and just run their trusted apps, the risk doesn’t seem significantly different than any rogue code that needs to be put on the machine and run. But we need to remember the VM boundary has been broken at a lower level and it is not a minor thing.

      I have been saying this since this whole mess started, but I don’t think we can assume at all that it is the end of it. It is just a beginning and I predict we will see more creative use of similar flaws in the future. I think some spying agencies and hackers are probably working very hard to find other similar flaws they could exploit silently and I don’t feel we can consider that VM boundary hasn’t been broken or that cloud services are that safe. If I was a big company with IP to steal, I wouldn’t put the plans of my latest product on a shared cloud service.

      I also think that the Spectre type vulnerability has also opened up the possibility of breaking the distinction between protected and user memory without having to run compiled code and this is also quite problematic on a theoretical level.

      I don’t want to scare people and I get it that one might choose to take the small chance perceived of issues due to non patching to avoid other problems or performance issues, especially on the normal user front.

      But I think that we must not dismiss the vulnerabilities either, as I think they are groundbreaking, shattering long-held expectations, just like I realized a very long time ago that a picture or music file could contain malware when I understood what a buffer overflow was, and this idea that if it is not an executable it is safe went down the drain for good. Maybe those specific vulnerabilities won’t be easily exploited, but I think it is possible that we will discover one that is easier to exploit in the future. Hopefully that won’t be the case, but the can of worms has been opened and it can’t be closed.

      If we need to disable hyperthreading, the price of security is way too high for many, especially in relation to the risk. But this doesn’t make the flaws less problematic and it doesn’t look good for the future, and unlike some who think about a possible Intel-Microsoft conspiracy to sell newer PCs, I think it just makes me want to postpone buying a new PC for a very long time, until we have a better grasp of all this and can be more confident that there are fewer possible undiscovered similar flaws hiding in the chips.

      5 users thanked author for this post.
      • #213127

        Hi AlexEiffel,

        I am pretty much on the same page in terms of your thoughts. And like you, I do not want to jump on the paranoia bandwagon. Instead, and just like you have done, I will present some additional “food for thought” for everyone to consider…

        Think about MS’s constant telemetry gathering in terms of Meltdown and Spectre. Exploiting Meltdown is relatively easy to do. This is why all of the major web browser vendors worked really hard to patch their web browsers in order to prevent any remote Meltdown exploits via JavaScript and via JavaScript pooling. Why did they rush to do this? Because the issue is just how can any AV software actually detect such exploits since no malware techniques are required and since code is easily obfuscated. Exploiting Spectre is much harder to do, and with either the same or perhaps harder difficulties for any AV program to detect. The upshot is that no AV manufacturer presently is capable of reliably detecting actual Meltdown and Spectre exploits, aside from simple variants of Proof Of Concept (POC) code. Don’t believe me? Ask them. While you are at it, ask them how good they are at detecting zero day ransomware.

        POC code was recently published which proves that Spectre can now be exploited remotely. While this is bad, getting any results is really, really slow. Yet herein is the rub. MS’s telemetry contains EXACTLY the kind of information which hackers would WANT to gather. If I was a hacker, using Meltdown and Spectre exploits can literally “Show Me The Way” (reference to the Peter Frampton song) in terms of ALL software which loads on bootup and which gets subsequently launched by the user. This is inherently useful information for any hacker or state actor. And this is the inherent risk of allowing MS to gather deep telemetry on any Windows computer. The upshot is that MS’s telemetry gathering potentially is an inherent attack vector — not only via Meltdown and Spectre, but also via intercepting and returning malformed responses from MS’s telemetry gathering servers which are located around the world. All you Group A users are totally relying on MS’s telemetry to properly reject MS telemetry server responses, man-in-the-middle responses, or whatever, in terms of buffer underruns and buffer overruns which could gain access to privileged memory. In my opinion, this is obviously brewing into a potential perfect storm. Don’t believe me? Well, how about the Microsoft Total Meltdown vulnerability which MS themselves created earlier this year, when MS was trying to mitigate Meltdown and Spectre. Total Meltdown lasted for three full months. Note that MS never acknowledged their unbelievable blunder, obviously for fear of class action lawsuits. And note that MS has retroactively removed all mention that a certain update would install, regardless of whether or not a certain registry key was set. It is what it is.

        Best regards,

        –Michael

        3 users thanked author for this post.
    • #213199

      For those who have a Fujitsu (- Siemens) system and are interested to know, I found this overview dated August 24:

      (Spectre & Meltdown) Security Review:
      List of affected Fujitsu Products
      Reference: Security vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, SA-00088)

      which also shows whether an update is available or not, or when the update will be pushed (weeks 36, 38 and 40).

      1 user thanked author for this post.
    • #213258

      Susan:

      I’ve followed your patching advice for years with Windows Secrets and now with Askwoody’s excellent website.

      Talking about “Microcode confusion”, I’m still not clear if I should install Microsoft .NET Framework 4.7.2 KB4054530 on my Windows 7 Ultimate PC?

      I currently have 4.7.1. Is it safe or not to install? And is it really necessary on a home PC?

      Thanks for all the great advice over the years.

      BD


    • #213613

      All microcode updates are expired now (WSUS). Available only through the Microsoft Update Catalog.
