I continue to recommend that you keep your PC locked down. There’s no compelling reason to apply yesterday’s myriad Windows patches right now. You’ll
[See the full post at: Meltdown and Spectre from a Windows user’s point of view]
Meltdown and Spectre from a Windows user’s point of view
This topic has 204 replies, 33 voices, and was last updated 7 years ago.
Seff
AskWoody Plus, January 4, 2018 at 9:06 am #155990
Thanks Woody, and thanks to all those who have been researching and commenting on this sorry saga. Holding off for a short time certainly seems a commonsense approach to the myriad of patches at the moment, not least until it’s established what the situation will be so far as both next week’s Windows Updates and also AMD machines are concerned. It seems to me that the report of slower performance is only one critical issue with these patches, the other is the reputation of kernel-changing updates generally.
Noel Carboni
AskWoody_MVP, January 4, 2018 at 9:33 pm #156294
Wait, am I interpreting this correctly?
We’re about to get a patch that will lower performance of software running on virtually all modern processors because of the possibility of getting some spyware?
And is everyone convinced there is NO OTHER WAY to protect a system, such as, I don’t know, detecting the spyware on the way in and blocking it?
The prospect of losing significant performance from the high-end computer I paid dearly for would certainly be enough to make me consider stopping updating Windows. Do we know how much performance would be lost? How much longer specific activities would take?
I don’t get spyware/malware. I have protections both against malware being loaded into and running on my computer AND against unexpected communications (which are presumably what the malware would want to do with sensitive information). Nor do I subscribe to the notion that malware WILL ultimately run inside my computer, and so I have to give up performance to protect against it!
Am I missing something important here?
If not, does anyone beside me here think a patch that will ruin the performance of existing systems because of the possible threat of spyware is ridiculous?
-Noel
8 users thanked author for this post.
DrBonzo
AskWoody Plus, January 4, 2018 at 10:25 pm #156310
@Noel – Isn’t just about everything about this security hole ridiculous? There’s a lot of finger pointing between the major players, Intel, AMD, ARM, Google, etc., but the fact is they’re all to blame. They all say it’s not a flaw because the chips are operating as they were designed to operate. Well, the design is flawed, pure and simple.
On a practical level, though, I’d bet that most users who aren’t backed by an IT department would have a lot of trouble stopping traffic and malware into or out of their computers as you have done, and hence the need for patches.
2 users thanked author for this post.
Canadian Tech
AskWoody_MVP, January 4, 2018 at 10:31 pm #156311
DrBonzo, I have roughly 150 client computers that have not been patched since May, 2017. Not a single problem!!! We use Bitdefender Antivirus+ and occasional use of ADWcleaner, along with a bit of commonsense and conservatism, as Noel describes.
CT
5 users thanked author for this post.
radosuaf
AskWoody Lounger, January 5, 2018 at 2:22 am #156403
And is everyone convinced there is NO OTHER WAY to protect a system, such as, I don’t know, detecting the spyware on the way in and blocking it?
If it can be just a JavaScript on the web page that will mine the data, I guess it’s basically impossible. What is more worrying is that you need BOTH the patch and BIOS update – and how many mainboard manufacturers will provide them, when and for how old products? Somehow I don’t believe that 5-yr old ones will get the update, not mentioning any older ones…
The prospect of losing significant performance from the high-end computer I paid dearly for would certainly be enough to make me consider stopping updating Windows. Do we know how much performance would be lost?
Supposedly up to 30% when many I/O operations are involved. Many benchmarks vary:
http://www.guru3d.com/articles_pages/windows_vulnerability_cpu_meltdown_patch_benchmarked,1.html
https://www.techspot.com/article/1554-meltdown-flaw-cpu-performance-windows/
Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider
1 user thanked author for this post.
Ascaris
AskWoody MVP, January 5, 2018 at 6:46 am #156463
The Firefox devs report that the exploits rely on very precise timing, and they’re working on mitigations to keep the scripts from having that kind of precision available. And, of course, NoScript is always a good idea if you are security-minded.
If this is true, it might be possible to detect attempts to use the exploit by means of heuristic analysis, either by an antimalware/antiexploit program or within the browser itself.
My gut tells me that for now, the performance and possibly the stability impact of the bugfixes for these exploits are going be pretty obnoxious, but in time, I think they will be pared down and optimized to the point that it won’t be that big of a deal. In addition, both Linux and Windows have ways of turning off the fixes. In Windows, it’s apparently a big enough change to cause BSODs with antimalware programs that aren’t expecting the new schema, so MS is leaving the fix in the OFF state even after it is installed until a certain registry key is set by a fix-compliant antimalware program.
In the case of Linux, it looks like a parameter set in GRUB at boot time will turn it off.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
1 user thanked author for this post.
Noel Carboni
AskWoody_MVP, January 5, 2018 at 8:29 am #156501
If it can be just a JavaScript on the web page that will mine the data, I guess it’s basically impossible.
I need to see the details beyond someone online somewhere saying, vaguely, “it could be exploited with JavaScript”.
Thing is, I’m finding it hard to understand how JavaScript can suddenly do things even a compiled executable would be hard-pressed to accomplish, especially secretly.
It’s not like suddenly no one in the world understands how JavaScript works. People have been trying to exploit JavaScript for a long time.
I find it hard to believe that turning scripting off entirely is going to be the only solution, BUT… This issue really isn’t much different than disallowing ActiveX / executable code to download and run… Even blocking scripting entirely could (would?) be preferable to having a computer that’s 30% slower at doing real work just so you can visit web pages with scripts running. Think about it.
What is more worrying is that you need BOTH the patch and BIOS update – and how many mainboard manufacturers will provide them, when and for how old products?
What worries me is how everyone immediately jumps to the part where they MUST have patches to close off the vulnerability du jour, without first understanding the risks vs. benefits.
Heed Woody’s comment about being suspicious of vulnerabilities with cute icons and overdeveloped marketing campaigns, and always be aware that people can be manipulated for various reasons, not all of which are necessarily good for you and me.
-Noel
3 users thanked author for this post.
Noel Carboni
AskWoody_MVP, January 5, 2018 at 3:29 pm #156696
I would certainly test patches first in a VM – as I ALWAYS do – but with things like chip-level exploit mitigations how can you know what it will do to the performance of an actual hardware system?
What if, for example, the OS patch were to instruct the virtual processor to somehow stop doing speculative execution? Would that mean the host system’s processor would not actually be doing it?
This could be a case where testing in a VM doesn’t really validate a patch.
-Noel
anonymous
Guest, January 6, 2018 at 6:13 pm #157024
I do not know, however it would be worth checking out the Spectre & Meltdown exploits in a VM and on spare real hardware to see it for ourselves.
There is one point that needs remediation: in particular there has been banter about not trusting these exploit announcements with fancy/cute graphics. The Heartbleed bug was another real serious flaw that has a picture. Choose a previously patched exploit; it probably has an illustration.
MrBrian
AskWoody_MVP, January 4, 2018 at 9:56 am #155998
These are related topics:
Intel “Kernel Memory Vulnerability” is going to hit all of us
MS-DEFCON 2: Batten down the hatches, there’s a kernel patch headed your way
Microsoft updating Win10 today with “special fix” for the Kernel Memory Vulnerability
1 user thanked author for this post.
anonymous
Guest, January 4, 2018 at 11:06 am #156033
Thanks much for posting link to woody’s article on computerworld.
As I post this, the article is still not showing when I load his blog page at
https://www.computerworld.com/blog/woody-on-windows/
FakeNinja
AskWoody Lounger, January 4, 2018 at 10:33 am #156014
We should all wait maybe a week after the patch has been released on Tuesday before installing the update, this is a kernel patch after all. By the way, Woody, you should probably edit the MS-DEFCON page so that it no longer includes Windows Vista, it might confuse some people. Thanks!
EP
AskWoody_MVP, January 7, 2018 at 9:16 pm #157275
Well FakeNinja, Vista may have been out of support on April 2017, but most of the new Server 2008 SP2 patches (fyi, Windows Server 2008 R0 is based on the Vista SP1+ kernel) made after that date do install on Vista, as I have confirmed myself on an old Vista computer. No need for Woody to remove Vista from his MS-DEFCON page.
MrBrian
AskWoody_MVP, January 4, 2018 at 11:02 am #156031
From https://spectreattack.com/ (my bolding): “Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.“
anonymous
Guest, January 4, 2018 at 11:03 am #156029
Did I miss a memo? Isn’t it odd that the “2018-01 Cumulative Update for…” and “2018-01 Security Update for…” has appeared in our corporate WSUS on Jan 4 instead of Jan 9? Are these not releasing on 2nd Tuesday anymore or did Microsoft advance the schedule this month?
Edit to fix typo
1 user thanked author for this post.
fp
AskWoody Lounger, January 4, 2018 at 11:23 am #156041
2018-01 Cumulative Update for Windows 10 Version 1511 for x64-based Systems (KB4056888)
I don’t see any Security Only patch for Win10 1511. I assume that cumulative brings 1511 up to current version or, if not, restores all the nonsense that I have cleaned off Win10 and don’t want back (Cortana, Edge and all the rest of the useless stuff).
Am I correct?
anonymous
Guest, January 4, 2018 at 11:38 am #156045
Meltdown is the one that only affects Intel CPUs and ARM. Not AMD.
Spectre really can not be fully patched but it affects all CPUs, except for only parts of AMD.
Microsoft’s patch is for Meltdown. Unfortunately, the MS patch hits AMD processors too, which aren’t affected by the bug, just to accommodate Intel. Not fair.
The patch should have been out of band for all MS versions and should never have been included in the security bundles. W10 got it out of band, whereas the pond scum will get it bundled on patch Tuesday. Yes I am referring to W7 and W8. Thanks Microsoft.
anonymous
Guest, January 4, 2018 at 12:18 pm #156060
The following article provides technical details:
“Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign” found in “https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/”
Canadian Tech
AskWoody_MVP, January 4, 2018 at 12:25 pm #156065
Woody, the line in your story in Computerworld has got to be one of the best lines I have ever read. It is priceless and is a wonderful word picture:
“It’s possible Microsoft’s kernel team has pulled off another change-the-blades-while-the-blender-is-running feat.”
CT
5 users thanked author for this post.
fp
AskWoody Lounger, January 4, 2018 at 12:53 pm #156078
As far as I know, the security-only patches are only for Win7/8.1, not Win10
I understand that. My question is whether the cumulative patch messes up with 1511 besides applying the security patch. In your Info world article you say that, but are you sure? On what do you base that claim?
woody
Manager, January 4, 2018 at 1:05 pm #156091
My question is whether the cumulative patch messes up with 1511 besides applying the security patch.
The KB article only mentions the Meltdown patch (not by name, of course). I would be very surprised if there were any other components to the 1511 LTSC patch. Can I prove it? No. Has Microsoft clarified? Not as far as I know.
Geo
AskWoody Plus, January 4, 2018 at 1:00 pm #156084
Group A Win 7. I’ve been taking the full updates for several years. After the update I go in and do the disk cleanup with the Windows Update cleanup. I can still defrag also. Didn’t slow my computer down. I have AMD. When the update arrives I’ll let you know if the update affects the speed after I do the cleanup.
Bill C.
AskWoody Plus, January 4, 2018 at 1:00 pm #156085
This is the best article I have read to date on this. I have forwarded the ComputerWorld article link to some of my colleagues and friends to give them a better understanding of the issues that does not carry baggage, agendas, and hyperbole, or get so technologically detailed that they are lost.
When I forward an AskWoody link, I always tell them to read the comments from users and experts.
Well done!
radosuaf
AskWoody Lounger, January 4, 2018 at 1:02 pm #156087
I started the computer with the net cable taken out, but after turning off Automatic Updates and scanning, only the Defender definitions update came up.
Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider
MrBrian
AskWoody_MVP, January 4, 2018 at 2:27 pm #156130
Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs
Notice from this article that some non-Intel processors are known to be affected by Meltdown.
1 user thanked author for this post.
anonymous
Guest, January 4, 2018 at 2:27 pm #156124
Thanks for linking the list of affected processors @Woody. The only problem I have now is that I can’t tell if my processor is listed or not. My processor is an Intel Pentium dual E2180. I can’t imagine it’s not there, I just really don’t know what to look for. Thanks in advance.
1 user thanked author for this post.
mindwarp
AskWoody Plus, January 4, 2018 at 4:36 pm #156178
You’re like me – supposedly, your Conroe and my Wolfdale (my own PC has a E5300) are unaffected. This is odd, since both do utilize out of order execution. My guess is that, since Intel hasn’t supported them in ages, they didn’t test them. Your best bet is to patch your antivirus and OS (when we get the go ahead for the latter), and practice safe computing.
mindwarp
AskWoody Plus, January 4, 2018 at 6:25 pm #156226
Actually, I’m going off the list from Intel’s FAQ about Meltdown, from Woody’s post. Conroes and Wolfdales aren’t on there. Do I believe that means we aren’t affected? Nope, since both processors do out of order execution. Considering the age of both (I’ve had my computer pretty much since Win7 came out 🙂 – upgrading the graphics card allows it to run Win10 pretty well, but I’ve tweaked it heavily), I’m inclined to think Intel may not have tested either processor.
Ascaris
AskWoody MVP, January 5, 2018 at 6:53 am #156465
Woops, hit Thanks when I meant to reply. It’s not even on the same line…. not that I mind giving thanks, but it doesn’t really make sense in context.
The list was only the ones from the last five years that are affected. The subtext seems to be that older ones don’t matter, that we should not be using them anyway. It looks like the real story is that every Intel newer than the original Pentium is affected.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
Bill C.
AskWoody Plus, January 4, 2018 at 2:40 pm #156137
Bummer! My Intel Bloomfield i7-960, the old first generation with 45nm die, is affected. I dodged the ME issue, but got hit here.
Well after the dust settles and the Win7 is patched, I intend to ride this CPU into the EOL for Win7 even if it takes a performance hit. I have no bleeding edge games and Word and Excel will still be fast.
Not too sure about video transcoding. That is the only thing that really demands all cores and really gets all the fans whirring. That is sometimes nice on these recent ice cold nights.
mindwarp
AskWoody Plus, January 4, 2018 at 4:45 pm #156181
From their own FAQ that Woody linked in the site post (the one with the list of processors): “My system has a CPU that is not among those listed to receive an update. What should I do?
In some cases, the issue is addressed by an operating system update. You should check with your equipment manufacturer or operating system vendor for any available updates and apply them as soon as practical. If no updates are available, or you have not been able to install them yet, following good security practices protect against malware in general will also help to protect against possible exploitation.”
I have a feeling that’s the answer for older processors on the list. My housemate’s PC has a Sandy Bridge, so unlike my PC (where I have a feeling Intel didn’t bother testing Wolfdales), I know she’s affected. Good thing we just use our Android tablets lately at home, a lot less ARM chips are affected.
MrBrian
AskWoody_MVP, January 4, 2018 at 2:43 pm #156141
From More details about mitigations for the CPU Speculative Execution issue: “Project Zero discussed three variants of speculative execution attack. There is no single fix for all three attack variants; each requires protection independently.”
The latter part of this link should be read by everyone who wants to understand how to protect against these vulnerabilities.
5 users thanked author for this post.
des911
AskWoody Lounger, January 4, 2018 at 3:20 pm #156150
Thanks to everyone for all the bits of info. Here are a couple more fragments:
Anti-virus is also involved (not sure of the technical details but it involves a registry entry). I use Norton Internet Security and it has updated eraser64.sys to the required version with today’s date. Apparently, that is sufficient to apply the Win7 x64 patch (as soon as Woody gives the go-ahead).
Different problem:
There is an Intel tool for checking if your processor is vulnerable to the Intel Management Engine vulnerability- https://downloadcenter.intel.com/download/27150?v=t
My 9 year old Dell with Intel i7 comes up vulnerable. D**n!
anonymous
Guest, January 4, 2018 at 4:44 pm #156177
Regarding the AV connection, Symantec is updating the Eraser (Expanded Remediation and Side Effect Repair) Engine across their product line to allow the MS patch to take effect. However, in the case of their Endpoint Protection product (and others?), it has a bug for which Symantec currently has no fix –
see https://support.symantec.com/en_US/article.TECH248552.html
Edit to remove HTML
anonymous
Guest, January 4, 2018 at 7:36 pm #156253
and now from MS side of the coin regarding AV connection:
Bill C.
AskWoody Plus, January 4, 2018 at 3:51 pm #156159
I think I will dedicate one of the laptops for the sole purpose of checking my bank balances and NOTHING else – no surfing, no email, nothing.
I will also stop any actual online purchases (rare for me normally, but sometimes used). I will still shop online, but actually call the order in via the land line (my normal process).
At least until the OS patches come and more info is available as to the efficacy of the patches, I choose careful over convenience.
Not sure if it will even make a difference since you have to consider all the CPUs in all the nodes and servers along the way, but it cannot hurt to be cautious. We should have learned that from the investigation of the credit data hack that many machines will remain unpatched for a while.
PS: My paragraph 2 cautions may be worthless with paragraph 4 conditions. Inevitably, somewhere someone will put that data into a vulnerable system.
1 user thanked author for this post.
des911
AskWoody Lounger, January 4, 2018 at 3:57 pm #156163
The detection tool you reference is for the Intel Management Engine vulnerability, not for the Meltdown and Spectre vulns. There is no detection tool yet for either of the new vulnerabilities.
Ooops, Sorry.
anonymous
Guest, January 4, 2018 at 4:05 pm #156160
It makes total sense that Celeron processors are affected, as the speculative execution function gives that particular line any computing advantage it sorely needs to get an edge. Google says they have fixes for your shiny new Intel Celeron based Chromebooks, so enjoy.
Those people using or servicing a Celeron based computer with Windows 10 will have to wait, and applying updates every month takes far too much time.
OscarCP
Member, January 4, 2018 at 5:22 pm #156197
This has been posted elsewhere by MrToad28, but I think it is worth copying it here, as it might offer a measure of reassurance at this time:
MrToad28 wrote:
I found this plain English article useful…my notes below link:
https://www.cnet.com/news/Spectre-Meltdown-Intel-Arm-Amd-Processor-Cpu-Chip-Flaw-Vulnerability-FAQ/
major vulnerabilities, called Spectre and Meltdown, could let an attacker capture information they shouldn’t be able to access, like passwords and keys.
The good news is that hackers would first need to install malicious software on your computer in order to take advantage of these flaws… they need to select their targets and hack each one of them before running a sophisticated attack to steal a computer’s sensitive information. So good security practices… antivirus, avoiding phish attacks and updating should mitigate threat risks.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
2 users thanked author for this post.
anonymous
Guest, January 4, 2018 at 7:23 pm #156248
Firefox patched 57.0.4 – https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
Caveat: there is so much still unknown about these vulnerabilities that the best guidance is to assume the early patches are just the first salvo in what will likely be a long-term process
MrToad28
AskWoody Lounger, January 11, 2018 at 12:02 pm #158523
Firefox patched 57.0.4 – https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/ This link indicates Firefox ESR 52.x isn’t vulnerable.
This list https://www.techarp.com/guides/Complete-Meltdown-Spectre-Cpu-List/3/
Indicates that the 2009 Core 2 Duo E8400s that power a few of my Win7 desktops may not be vulnerable since they are not listed… or could be just not tested. Since there’s no chance of a processor microcode update on these Win7 E8400 boxes and the Win7 update will likely slow them down considerably, I’m considering just stopping updates and relying on multiple layers of anti-virus, -malware, -exploit, -ransomware & -spyware to keep me safe. The patches are a bigger threat anyway.
MrBrian
AskWoody_MVP, January 5, 2018 at 12:37 am #156364
See page 6 in the Spectre paper from https://spectreattack.com/.
anonymous
Guest, January 4, 2018 at 6:26 pm #156219
I checked the Waterfox Reddit forum and there is an open question on Meltdown and javascript.
anonymous
Guest, January 4, 2018 at 6:39 pm #156233
I find it interesting that Windows 10 users will be the true first testers to see how well the patch does for the recent vulnerabilities. Windows 7 and 8.1 users already have downloads available in the Windows Catalog so those systems can be patched as needed. Anyway, I look forward to seeing how this all plays out. I do not like the chance of up to a 30% performance hit.
Kirsty
Manager, January 4, 2018 at 8:05 pm #156265
Intel’s Security Advisory:
Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088
Intel ID: INTEL-SA-00088
Product family: Systems with Speculative Execution
Impact of vulnerability: Information Disclosure
Severity rating: Important
Original release: Jan 03, 2018
Last revised: Jan 03, 2018
A helpful FAQ/information site on both Meltdown & Spectre, written for non-techies: http://www.meltdownattack.com
Meltdown and Spectre
Bugs in modern computers leak passwords and sensitive data.
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer.
Canadian Tech
AskWoody_MVP, January 4, 2018 at 9:47 pm #156299
Noel, I could not agree more. This was built into the Intel chips in order to provide greater security and just the opposite has happened. Now, even Intel is untrustworthy. They are a bit different from Microsoft, because at least they still have the skill and intelligence to do better.
I am with you. I do NO patching whatsoever of Microsoft software.
I have closed down Windows Updates from Microsoft of all kinds. I know there is some risk in doing this.
However, my considered opinion is that the risk of Microsoft changing our systems into something we would not have considered buying, and fouling up our systems with windows update errors too numerous to count is virtually 100%.
This as opposed to some hacker breaking into one of our systems and posing a serious threat, which I consider to be a risk of well below 1%.
We are well protected with one of the best antivirus programs in the market. We are relatively conservative in the use of our systems, which in itself lowers risk. We are all protected with routers that hide our IP addresses. We are all using Windows 7 systems that have had 9 years of security updates and are now finely tuned reliable stable systems.
Backup is the critical key. I strongly encourage my clients to do backups once a month.
It is important to note that none of my clients are businesses or people who depend on their computers for a living. We are just plain common folk who use our computers primarily for email and internet browsing and we are switching away from the less-popular and less-secure Internet Explorer to the better Google Chrome browser.
We have not applied a single Microsoft update since May, 2017. We have not had a single instance of a problem.
There was a time before this when you could apply security only updates as a safe strategy. However, last June, Microsoft committed a serious error. They patched an erroneous security only patch within a “quality” all in one patch, which we have no intention to ever use. That meant that unless you followed their quality roll-ups, you would be left with an erroneous patch. That behaviour just cannot be accepted. So, that was the end of Microsoft updating.
Hacking has changed a lot in the last 10 years. It used to be the threat of some kid in the basement making a pain of him/herself. They threatened anyone that they could get at. That has morphed now into a big business enterprise — hacking. They are there to make a profit and we are not the type of profile that they would seek. They are going to go after organizations and enterprises.
CT
Cybertooth
AskWoody Plus, January 4, 2018 at 11:46 pm #156346
The approach advocated by @Canadian Tech and @Noel Carboni makes sense to me. Correct me if I’m wrong, but my understanding (so far) of these vulns is that they can be exploited assuming that suitable malware designed to use them manages to get on your system. The key, then, is to keep said malware off your system.
Instead of slowing down our PCs and incurring the risks of royally messing up our systems that are inherent to kernel changes, it seems sensible to tighten our usual defenses (run as a standard account; keep your applications up to date; use a good AV plus resident anti-malware plus anti-exploit software; install uBlock Origin on your browsers and set up an extensive hosts file; point your IP settings to a security-oriented DNS server).
2 users thanked author for this post.
MrBrian
AskWoody_MVP, January 5, 2018 at 12:07 am #156354
Visiting a website is an attack vector for Spectre.
1 user thanked author for this post.
Cybertooth
AskWoody Plus, January 5, 2018 at 1:00 am #156376
Thanks, but presumably that would not involve visiting just any random website: it would have to be either a malicious site, or a benign site that’s unwittingly serving up malicious software via (e.g.) advertisements. No?
Cybertooth
AskWoody Plus, January 5, 2018 at 8:17 am #156495
So then you disagree with Canadian Tech’s approach to Meltdown/Spectre?
AlexEiffel
AskWoody_MVP, January 5, 2018 at 12:47 pm #156610
I support this as well.
It is very possible most people won’t even perceive a difference in performance in their day to day usage or it will likely be due to bias. But we don’t really know yet exactly so it is speculative. Noel of course has specific performance requirements so his approach is always a bit more extreme in terms of no compromise on performance. I understand also why it seems crazy to him and upsets him. But that doesn’t mean you shouldn’t install patches.
Although I respect both Noel’s and Canadian Tech’s opinions, I do not share them. I very often see malware cross the boundaries of anti-virus among users. About only one out of three new viruses are detected by antivirus if I am not mistaken. I have other mitigations so I don’t have issues, really, but relying on antivirus and common sense might not be enough. Some talked about a VM but if I understood correctly, this particular problem can even cross the VM or sandbox boundaries, which is another reason why it could potentially be that bad, unlike your standard buffer overflow that anti-exploit kits, EMET or the new thing in FCU might block.
I don’t have enough understanding about this new complex problem to issue strong opinions about whether the real world threat will be important or not, especially due to some mitigating factors. For example, Firefox patched the javascript problem. But when you read about it, it seems like a good idea, but is it enough? Will it be circumvented later? I don’t know and I bet many people don’t know.
Waiting a little bit to see how this all works might not be a bad idea, but just plain saying you won’t install a patch because of possible slowdowns in specific scenarios like data intensive applications such as database don’t seem to me like the best approach.
I understand Canadian Tech position and it might work for him and his customers, but relying on never visiting a tainted website by being careful is not in theory an approach that will work all the time, although the risk might be small and having good backups might be enough for some people who care less about the data stolen than loosing the data.
Last year, for the first time in maybe 15 years, I stumbled upon a drive-by download by clicking on an apparently legitimate link on a reputable web site that was just not valid anymore and had been replaced by something else. There was no reasonable way I could have avoided that browsing normally like everyone does. Nothing bad happened because it wasn’t a sophisticated attack, but I doubt anybody here could pretend they can avoid this kind of situation. Noel’s black list might have blocked it, or not, as if you read the studies reported here by MrBrian, black lists are not THAT effective and had Noel clicked on the link, I bet there could have been a good chance the web site would not have been on the black list yet.
That doesn’t mean the approach don’t work in practice most of the time and one can decide to balance risk/benefits the way one wants and I respect that. For some the cost is higher than others. But I don’t think people should feel too confident about running unpatched computers, but then again, most people that I see think they are not infected and when I carefully look into their computer, I find out they are and they just didn’t know it. Do they get consequences they perceive out of this? Maybe not. Maybe their credit info was stolen, but then mine was stolen at Equifax without me being able to do anything that could have prevented this. But I still prefer to err on the side of security on the computers I control. Outsmarting the bad guys is very hard even for experts.
Canadian Tech, AskWoody_MVP, January 5, 2018 at 12:55 pm #156616
Alex, I and some of my clients have experienced the “drive-by” threat that I think you are referring to. Most of them recognize it now. When they see it, our process is to:
Right-click on the taskbar
Choose Task Manager
Applications tab
click once on the offending app
Click End.
Sometimes it takes a repetition of the same action, but that always clears it out.
The danger is if you click on anything in the window.
CT
AlexEiffel, AskWoody_MVP, January 5, 2018 at 1:28 pm #156636
Yes, CT. In this case, it was a minor threat and ending the process was sufficient.
However, I was highlighting the risk that any careful user may stumble upon a drive-by download, and it might not be as minor. A really good drive-by download doesn’t require user interaction. You click on an apparently legitimate link, and you end up infected through a buffer overflow or another tricky thing that exploits a vulnerability that you didn’t patch. This is the real risk. Once you click on the almost unavoidable trap to see that article a legitimate publication referred to and that has been replaced by something else, it is too late.
The very fact that your users see that kind of minor threat is an indication that normal users like yours can in theory be exposed to any drive-by download, not only the minor ones, where running unpatched could cause an issue.
Noel Carboni, AskWoody_MVP, January 5, 2018 at 3:20 pm #156694
I just wish we had harder information about what the performance impacts will actually be.
I’m not beyond choosing to patch, but without more info I’m not going to jump down a rabbit hole there’s no clear way to climb out of.
Wouldn’t it be great if we could actually say, “Gee, if I patch it’ll only take 2% longer to do the thing I do a lot, which makes it worth doing for the added peace of mind.”
How do we do that without potentially making the wrong choice and throwing away a perfectly good system?
I believe we’ll know more in time. For now I’ll be doing searches like “How much does the Meltdown / Spectre patch slow down Visual Studio builds” and similar.
-Noel
MrBrian, AskWoody_MVP, January 5, 2018 at 3:33 pm #156698
There are registry settings for enabling and disabling the protections, documented at https://support.microsoft.com/en-gb/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution. I don’t know if they work on non-Server operating systems.
anonymous, Guest, January 5, 2018 at 10:13 pm #156812
A serious gamer has tested the Windows patch and found a performance reduction of only 3%: https://overclock3d.net/reviews/software/windows_10_meltdown_spectre_patch_performance_impact_assessment/11
Noel Carboni, AskWoody_MVP, January 5, 2018 at 3:14 pm #156691
“Thanks, but presumably that would not involve visiting just any random website: it would have to be either a malicious site, or a benign site that’s unwittingly serving up malicious software via (e.g.) advertisements.”
Those are two possible ways but there may be other ways.
I’m imagining that the big, tangled shared code base out there of scripts that are loaded and run higgledy piggledy by sites could become infected with these exploits. Who tracks where their scripts are loaded from, and how they interact? Even with things like uBlock on tap there actually are a lot of scripts being run. There’s a script that runs this edit box, for example.
Scripting is kind of growing out of control, making it difficult to configure a system to be conservative about running scripts. Just use the “developer tools” network monitor in most browsers and watch the JavaScript file activity to get pretty much any web site on the screen.
What if, for example, you learn you can’t visit this site and type into an edit box without incurring a real risk of having your browser send a bunch of private data somewhere, especially knowing that what’s loaded onto your computer (given the scripting sources are all over the place) isn’t well-controlled by the site owner? Food for thought.
It seems we’re entering a time when quantifying risk vs. reward is harder than ever.
-Noel
_Reassigned Account, AskWoody Lounger, January 5, 2018 at 6:57 am #156469
My understanding is that JavaScript could be used as an attack form to gain access. Security suites have not said anything about being able to protect you. In fact the proof of concept has been able to access the information without leaving any trail of even doing so. This is what makes this so serious: you could potentially be compromised and not even know it. I personally would not count on any security suite to save you, with Spectre especially. I do however believe most of what we know is only proof-of-concept examples, and it may be days or weeks before we really find out what is developed and placed in the wild to exploit this. Let’s also remember that because it is so potentially silent in its attack, we may not know much about these exploits unless they are discovered or published. This could be unlike anything that has been dealt with before.
anonymous, Guest, January 5, 2018 at 1:21 am #156370
As long as you don’t run a server with highly confidential workloads AND install malware or browse malicious Web sites OR have a virtual machine hosted with a third party, you couldn’t care less! In fact, if you run a clean box and don’t install malware OR browse malicious Web sites without anti-malware software installed, you’re even better off not to patch anything. And yes, most of us will never get a CPU firmware update anyway just because we are out of warranty.
MrBrian, AskWoody_MVP, January 4, 2018 at 11:51 pm #156348
I researched what to do to get the required Intel microcode update if your device manufacturer doesn’t supply new BIOS updates for your device anymore and if Microsoft doesn’t publish the microcode update to Windows Update (older example). The solution: [How to] Update microcode from Windows but instead use the latest Linux Processor Microcode Data File. This solution should not be used until Intel releases a newer Linux Processor Microcode Data File that has the required Intel microcode updates.
MrBrian, AskWoody_MVP, January 5, 2018 at 12:21 am #156358
I am assuming that the latest Linux Processor Microcode Data File doesn’t have the required microcode fixes but I could be wrong.
Edit: the link above no longer has the latest Intel microcodes.
MrBrian, AskWoody_MVP, January 5, 2018 at 1:35 am #156391
We might need microcode version 20171215 according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367.
Edit: This was apparently an unofficial release, and is not the latest release.
Ascaris, AskWoody MVP, January 5, 2018 at 7:23 am #156479
If Intel releases the new microcode for a given CPU, it may be possible to create a BIOS update yourself. If you download the Intel Linux microcode file, which is a CSV text file, you can use a program called Microdecode to turn that into a binary microcode file that can be imported into your firmware by means of a tool like AMI’s MMTOOL. I’ve done this with the BIOS on the laptop I am using right now (among other things). If you do this, it’s at your own risk!
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
Kirsty, Manager, January 5, 2018 at 12:18 am #156356
Find out if your Windows PC is affected by Meltdown/Spectre vulnerabilities
by Martin Brinkmann | January 05, 2018 / Last Update: January 05, 2018
Meltdown and Spectre are designed vulnerabilities in modern processors that allow attackers to read virtual memory arbitrarily. What this means is that attackers may read the memory of computer systems to steal passwords and other sensitive data.
Read the full article here.
MrBrian, AskWoody_MVP, January 5, 2018 at 8:40 am #156508
The reason for this omission is likely because according to both More details about mitigations for the CPU Speculative Execution issue and Intel Analysis of Speculative Execution Side Channels whitepaper, CVE-2017-5753 needs to be fixed in the operating system and also in each program in which the vulnerability could be exploited. Interestingly, the Intel whitepaper mentions that developers use the LFENCE instruction to mitigate CVE-2017-5753, and the newer Intel microcodes modify the LFENCE instruction according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367 (“LFENCE terminates all previous instructions (Spectre variant 2 mitigation, conditional branches)”).
This is in contrast to Intel’s statement at https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/ that “Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems — including personal computers and servers — that render those systems immune from both exploits (referred to as “Spectre” and “Meltdown”) reported by Google Project Zero.”
ViperJohn, AskWoody Lounger, January 5, 2018 at 3:16 am #156416
Anyone know what version of PowerShell is needed to load and run the detection script Martin Brinkmann is referring to? Windows 7 v2.0 sure as heck doesn’t work. v5.1 in W10 works.
UPDATE: Installed PowerShell 5.1 in Windows 7 and the script still will not load / run in Win7. Microsoft says it should work in Win7 (and in 8.1 too) but no go here.
Viper
abbodi86, AskWoody_MVP, January 5, 2018 at 7:16 am #156477
It’s working for me on Windows 8.1 with WMF 5.1.
It requires two steps: installing NuGet and trusting the PSGallery repository.
Install-PackageProvider -Name NuGet -Force
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
Install-Module SpeculationControl
Get-SpeculationControlSettings
and you also might need to change the ExecutionPolicy
Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
anonymous, Guest, January 5, 2018 at 6:35 am #156459
Huh, I have a Pentium G3440, released in 2014 so definitely within the 5-year limit they seem to have set, yet the Pentium G-series isn’t listed in the list of affected CPUs. Is it actually unaffected, or did they slip up? Or for some reason do they not mean to patch it (though the most recent in the series were only released last year), so they just chose to ignore it?
_Reassigned Account, AskWoody Lounger, January 5, 2018 at 6:48 am #156464
My understanding is that Meltdown might be neutralized through patches, but Spectre is more troubling to fix and could possibly be a threat because there is no real fix that completely mitigates the exposure. Given the vast amount of hardware affected, I see this getting worse before it gets better. The patches worked on all three of my systems: a Haswell, Broadwell, and Kaby Lake. I think the slowdowns are overhyped for most users; maybe servers will suffer the most from this. I expect to see more exploits focused on Spectre than Meltdown simply because firmware fixes may not completely mitigate this threat.
anonymous, Guest, January 5, 2018 at 8:51 am #156512
If a car or a toy had a fault that made it unsafe, it would be recalled. The manufacturer would be obligated by law to repair/replace the faulty component at their expense. All units affected with the fault would be recalled, not just the ones that were sold in the past 5 years.
Unsafe cars and toys are treated like this to assure people do not get hurt or killed.
Likewise, a component design flaw can render a computer unsafe (insecure). A patch or series of patches may fix it, but there are situations where a replacement is the only solution. However, the component manufacturer is not obligated, by law, to do anything. An unsafe (insecure) system can continue to operate – the user assumes all the liability. When component manufacturers do not voluntarily recall faulty units or refuse to fix all of the unsafe (insecure) units, it is basically a business decision. They determine how much hurt their brand can endure and the impact to their bottom line.
Unsafe (insecure) systems do not kill people but lives can be destroyed if an attacker successfully breaches the system through a discovered vulnerability.
Considering there are billions of users of computers, that is a lot of hurt.
Cybertooth, AskWoody Plus, January 5, 2018 at 10:01 am #156535
If billions of devices are affected, how long would it take to recall them all and replace the flawed components (assuming that were even possible for, say, 15-year-old machines)?
NoLoki, AskWoody Lounger, January 5, 2018 at 2:52 pm #156678
In reference to recalls: there are over a billion cars in the world, and that statistic was reported in 2010. I cannot imagine how many toys there are in the world.
Regarding the computers: It is reasonable to assume that not all affected units would require a recall so the numbers would be less than the whole. It can be outsourced. If manufacturing processes are no longer capable of replacing a faulty component, then compensation is in order.
Cybertooth, AskWoody Plus, January 5, 2018 at 4:22 pm #156713
There’s never been a recall involving a billion cars, or even hundreds of millions. According to this article, the largest auto recall up until then involved 70 million cars.
Multiply that by a factor of 10 or 15, and we get a sense of the magnitude of a recall of PCs with affected CPUs. Replacing a CPU isn’t AFAICT something that can be automated; it must be done by hand. Some sources suggest that processors dating back more than two decades are affected; that would involve more outsourcing than Intel, big-box electronics stores, and our friendly neighborhood PC repair shop could possibly handle within a reasonable time frame. By the time our turn came around, chances are we’d have bought a newer computer by then anyway.
MrBrian, AskWoody_MVP, January 5, 2018 at 11:28 am #156578
From the Spectre paper (https://spectreattack.com/): “As a result, any software or microcode countermeasure attempts should be viewed as stop-gap measures pending further research.”
radosuaf, AskWoody Lounger, January 5, 2018 at 2:08 pm #156655
Win 8.1 – still nothing in WU.
My test Win 10 1709 install – 2018-01 Rollup installed, 3D Mark run:
Overall pre-patch: 6.872 points
Overall post-patch: 6.872 points
Physics (CPU test) pre-patch: 7.148 points
Physics (CPU test) post-patch: 7.112 points
Difference within error margin for me… And gaming is actually the only area where I need 100% performance. So these results are nice to see.
Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider
MrBrian, AskWoody_MVP, January 5, 2018 at 7:54 pm #156770
A user’s performance impact test results: https://www.reddit.com/r/pcmasterrace/comments/7obokl/performance_impact_of_windows_patch_and_bios/.
MrBrian, AskWoody_MVP, January 5, 2018 at 8:00 pm #156773
abbodi86, AskWoody_MVP, January 6, 2018 at 1:53 pm #156965
The article is updated and they added a downloadable version for “legacy” OSs:
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
https://aka.ms/SpeculationControlPS
Ascaris, AskWoody MVP, January 5, 2018 at 10:04 pm #156811
“Last year, for the first time in maybe 15 years, I stumbled upon a drive-by download by clicking on an apparently legitimate link on a reputable web site that was just not valid anymore and had been replaced by something else.”
The only malware I’ve ever had on my PC since I started using x86 PCs in 1990 was acquired in this way as well. I’ve already told the story here, so if it seems familiar, it probably is.
The web site I attempted to visit (based on a Google search) was about guitar strings, not something that is usually in that “risky” category like “warez” or porn sites. Apparently, the site was hacked/hijacked by a miscreant who installed a redirect to a site whose URL was something about drugs, and that site used a vulnerability in Java (this was years ago, during the XP era, when people having Java enabled was normal) to cause my PC to silently download and run an executable program.
It was also the norm for everyone to run their XP machines with full admin privs… and if you’ve ever tried to run an XP machine with a limited user account, it’s pretty frustrating. They don’t have UAC, so any attempt to do anything that requires admin privs just gets an “Access denied,” and that’s that. Linux is miles ahead on this; the user level/su (root) level privilege system was a part of it from the start, so it’s not tacked-on the way it was in Windows (to try to mitigate some of the threat without breaking every bit of software that assumes everyone runs as admin). While I have run Windows post-XP in UAC-disabled mode most of the time, I wouldn’t even think of running with root privs in Linux all the time. It’s just not the way one does things in Linux.
I was alerted to this drive-by malware’s presence because I was running Agnitum Outpost, a security program that had a robust HIPS module that detected the errant program trying to run, popping up a dialog asking me what to do. If you’ve read my previous posts on the matter, you know that even though my mind immediately registered this as highly suspicious, the force of habit of having clicked or selected “allow” tens of times a day for years took over, and I allowed it even as my brain was yelling at my hand to stop.
I recognized it as what it was immediately and disconnected from the net, first with the tray icon and then by physically unplugging the ethernet cable, then looked in the Outpost logs to see where the program I’d allowed now lived. I had Outpost on maximum paranoia level, so the next thing the malware tried to do (set a registry key) also popped up a dialog, and this time I answered Block & Terminate, which worked.
Turns out it was a previously unknown malware that had not been detected by the signature check (AV) portion of Outpost. No idea what it came to be called when it was added to their databases, or what it was supposed to do… I just know that I sent it to several antimalware companies, and one wrote me back to tell me it was indeed a new malware.
As far as this Meltdown/Spectre issue is concerned, I’m not against patching ever, but I am against being forced into a 30% slowdown to mitigate a threat that may not even apply to me at this time. I’m of the opinion that an elegant, efficient way of mitigating the vuln will be found… whether it’s a signature or heuristic approach in antimalware programs, a change in the .js engines in browsers to prevent the issue, a browser addon to detect and block suspicious scripts (again, heuristically), or an OS patch that won’t result in any kind of noticeable performance hit, I think it will happen. Just a gut feeling, at this point, but it’s too early to know anything about how this will end up just yet.
For now, the exploit has never been seen in the wild, and until it does, I am not too worried. Could I become the first one to end up at a compromised site and “discover” the newly-operationalized malware in the wild? It’s possible, but not terribly likely. There are thousands of white hats with this very exploit on their minds; they’re out looking for this. More likely they’ll find it than me, should it ever come to pass. If so, they will report on the attack vector, and we’ll know a little more about it.
Until then, I’m inclined to let other people take the performance hit and do the beta testing. A hypothetical threat only demands a hypothetical solution, and we already have that, so we’re golden, for the time being.
Noel Carboni, AskWoody_MVP, January 5, 2018 at 10:29 pm #156820
radosuaf, AskWoody Lounger, January 8, 2018 at 2:12 am #157306
“I’m still looking for people reporting speed differences for e.g., I/O-heavy stuff. -Noel”
Up to 40%!
https://www.techspot.com/article/1556-meltdown-and-spectre-cpu-performance-windows/page3.html
…and BIOS updates will slow down things even more:
MrBrian, AskWoody_MVP, January 6, 2018 at 8:17 pm #157042
Detailed information about what fixes need to be done for the three vulnerabilities for both Windows and Linux: https://twitter.com/aionescu/status/949442252689981440. A thing I hadn’t read before: “Warning 2: 32-bit Windows does not have Meltdown patches. Beware.”
Related information is found in the first two links from https://www.askwoody.com/forums/topic/meltdown-and-spectre-from-a-windows-users-point-of-view/#post-156508.
MrBrian, AskWoody_MVP, January 6, 2018 at 9:14 pm #157052
The statement “32-bit Windows does not have Meltdown patches” has been confirmed at ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities: Security Advisory: “The existing 32 bit update packages listed in this advisory fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections for CVE-2017-5754 at this time. Microsoft is continuing to work with affected chip manufacturers and investigate the best way to provide mitigations for x86 customers, which may be provided in a future update.”
MrBrian, AskWoody_MVP, January 6, 2018 at 10:40 pm #157057
Firefox ESR news from https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/: “Firefox 52 ESR does not support SharedArrayBuffer and is less at risk; the performance.now() mitigations will be included in the regularly scheduled Firefox 52.6 ESR release on January 23, 2018.”
MrBrian, AskWoody_MVP, January 7, 2018 at 8:04 am #157120
One of the replies links to the 2017 paper “Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript”.
Paper abstract (my bolding):
“Research showed that microarchitectural attacks like cache attacks can be performed through websites using JavaScript. These timing attacks allow an adversary to spy on users secrets such as their keystrokes, leveraging fine-grained timers. However, the W3C and browser vendors responded to this significant threat by eliminating fine-grained timers from JavaScript. This renders previous high-resolution microarchitectural attacks non-applicable.
We demonstrate the inefficacy of this mitigation by finding and evaluating a wide range of new sources of timing information. We develop measurement methods that exceed the resolution of official timing sources by 3 to 4 orders of magnitude on all major browsers, and even more on Tor browser. Our timing measurements do not only re-enable previous attacks to their full extent but also allow implementing new attacks. We demonstrate a new DRAM-based covert channel between a website and an unprivileged app in a virtual machine without network hardware. Our results emphasize that quick-fix mitigations can establish a dangerous false sense of security.”
MrBrian, AskWoody_MVP, January 7, 2018 at 8:16 am #157128
MrBrian, AskWoody_MVP, January 7, 2018 at 8:38 am #157132
From CPU security bugs caused by speculative execution: “This repo is an attempt to collect information on the class of information disclosure vulnerabilities caused by CPU speculative execution that were disclosed on January 3rd, 2018.”
anonymous, Guest, January 8, 2018 at 4:21 am #157313
I found HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat, the “all clear to patch” registry key, on a system running Windows Vista x64 and Microsoft Security Essentials. Since MrBrian posted Warning 3 that Vista will not get a Meltdown patch, I guess this just means Microsoft Security Essentials is compatible and it sets the “all clear to patch” registry key on all systems without checking the OS.
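The thread touches on three different ways to see where a Windows box actually stands: the SpeculationControl module steps abbodi86 posted, the registry overrides MrBrian mentions for enabling/disabling the kernel mitigations, and the QualityCompat “all clear” key discussed just above. The script below is an added example (not code from the thread, from Microsoft or from any poster) that reads all three in one go; the QualityCompat value name and the meaning of the FeatureSettingsOverride bits are taken from Microsoft’s guidance articles linked in this thread rather than from the posts, and the module field names are the module’s own.

```powershell
# Added example (not from the thread): read-only report of the Windows Meltdown/Spectre
# mitigation state. Needs PowerShell 5.1 (WMF 5.1 on Windows 7/8.1) for the module part.
# Registry paths, value names and bit meanings follow Microsoft's client/server guidance
# (ADV180002 and the KB articles linked in this thread); nothing here changes a setting.

$QualityCompatPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # documented AV "compatible" flag
$MemMgmtPath        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-QualityCompatState {
    # The antivirus vendor creates this REG_DWORD (value 0) to tell Windows Update that the
    # installed AV is compatible with the January 2018 kernel changes; without it the
    # rollup is withheld, which is the symptom Elly and the anonymous poster describe.
    if (-not (Test-Path $QualityCompatPath)) {
        return [pscustomobject]@{ KeyPresent = $false; ValuePresent = $false; UpdateOffered = $false }
    }
    $props   = Get-ItemProperty -Path $QualityCompatPath -ErrorAction SilentlyContinue
    $present = ($null -ne $props) -and ($props.PSObject.Properties.Name -contains $QualityCompatValue)
    [pscustomobject]@{ KeyPresent = $true; ValuePresent = $present; UpdateOffered = $present }
}

function Get-MitigationOverrideState {
    # FeatureSettingsOverride is ANDed with FeatureSettingsOverrideMask. In the result,
    #   bit 0 set -> branch target injection mitigation (CVE-2017-5715, Spectre v2) disabled
    #   bit 1 set -> kernel VA shadowing (CVE-2017-5754, Meltdown) disabled
    # If neither value exists the OS default applies: enabled on client SKUs, disabled on
    # Windows Server until an admin writes Override=0 / Mask=3.
    $props    = Get-ItemProperty -Path $MemMgmtPath -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask
    if ($null -eq $override -or $null -eq $mask) {
        return [pscustomobject]@{ OverrideSet = $false; SpectreV2Disabled = $null; MeltdownDisabled = $null }
    }
    $effective = $override -band $mask
    [pscustomobject]@{
        OverrideSet       = $true
        SpectreV2Disabled = (($effective -band 1) -ne 0)
        MeltdownDisabled  = (($effective -band 2) -ne 0)
    }
}

function Get-SpeculationControlReport {
    # The module steps from the thread, run only if the module is not already installed.
    # On 7/8.1 you may additionally need the relaxed execution policy abbodi86 mentions.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-PackageProvider -Name NuGet -Force | Out-Null
        Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    # The returned object carries booleans such as BTIHardwarePresent, BTIWindowsSupportEnabled,
    # KVAShadowRequired and KVAShadowWindowsSupportEnabled: what the running kernel reports,
    # which is the ground truth the registry values only try to influence.
    Get-SpeculationControlSettings
}

Write-Host '--- Antivirus compatibility flag (gates the January 2018 rollup) ---'
Get-QualityCompatState | Format-List
Write-Host '--- Registry overrides for the kernel mitigations ---'
Get-MitigationOverrideState | Format-List
Write-Host '--- What the kernel reports (SpeculationControl module) ---'
Get-SpeculationControlReport | Format-List
```

If the second section shows OverrideSet = True with either flag True while the third section reports the corresponding mitigation enabled, the override was written after the last reboot and has not taken effect yet.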
MrBrian, AskWoody_MVP, January 8, 2018 at 12:50 pm #157428
From NVIDIA’s response to speculative side channels CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754: “We […] are updating our GPU drivers to help mitigate the CPU security issue.”
AlexEiffel, AskWoody_MVP, January 8, 2018 at 1:18 pm #157449
What I don’t understand is this: if big companies like Microsoft were notified of the issue a long time ago, why do they suddenly have to rush patches, as if a 1-2 week delay would make a difference when they have been aware for months? They should maybe have already tested the patches and been ready for deployment sooner rather than later, when it was supposed to be announced.
Canadian Tech, AskWoody_MVP, January 8, 2018 at 2:32 pm #157462
Alex, your supposition is that there is good management at Microsoft that would recognize a problem and actually manage their resources to solve it. Unfortunately, that clearly is just not an attribute that it currently has.
CT
ViperJohn, AskWoody Lounger, January 8, 2018 at 2:28 pm #157460
IT’S NOT JUST CPUs
Just a heads up for nVidia GFX card users. NV has released the 390.65 WHQL drivers that mitigate the Spectre variant that nVidia’s GPUs are apparently exposed to.
https://www.ghacks.net/2018/01/08/nvidia-geforce-driver-390-65-whql-is-a-security-update/
https://www.geforce.com/drivers
AMD Radeon users should no doubt be watching for security driver releases for their GPUs as well.
Viper
MrBrian, AskWoody_MVP, January 8, 2018 at 9:06 pm #157577
Elly, AskWoody MVP, January 8, 2018 at 10:21 pm #157590
First off… I have not tried to install the January patches for my Win 7 Home… but I wanted to know what was going on, on my laptop…
So I checked if my antivirus (AVG free) had updated to include the new QualityCompat registry key. I updated it manually, every day, since the news about the registry key came out, but there was no change in the absence of the registry key, and Windows Update did not offer the January Quality and Security Rollup. AVG support said that it was compatible and including the key since January 3rd, but I wasn’t seeing it.
I did a partial uninstall of AVG to trigger repair, because someone else on their support site had the repair work for them. It didn’t work for me. I uninstalled AVG, then downloaded and attempted to re-install AVG from their website. It said it encountered an unexpected Error code: 0xc007271d and couldn’t update. I couldn’t find that on their support site… sigh…
So I thought about what could prevent me from installing anything. I remembered I had Windows10FirewallControl free version installed. I checked that, and it was indeed blocking AVG’s install attempts. When I attempted to give AVG permission to install through the Firewall, it said that the free version would not allow any system changes. Deep breathing practiced for several minutes…
I uninstalled Windows10Firewall… installed AVG… reinstalled the firewall… and I now have the QualityCompat registry key… and finally the January update is being offered in Windows Update. I have an old i5 Sandy Bridge processor, and I haven’t heard anyone test that compatibility yet, and I sure don’t want to volunteer as a guinea pig!
I repeat, I am not installing, just wanted to be ready when the time comes… but that was a lot to go through just to become eligible for any future updates…
And it isn’t because I wanted to look dumb, that I post this… there will be other non-techy people hitting roadblocks like this, and maybe this will encourage them to check out different things…
I really appreciate the information posted here, that let me get this far.
Non-techy Win 10 Pro and Linux Mint experimenter
MrBrian, AskWoody_MVP, January 9, 2018 at 6:20 am #157676
Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities has been modified to include the registry changes used to disable and enable the Spectre/Meltdown Windows fixes.
MrBrian, AskWoody_MVP, January 9, 2018 at 9:13 am #157741
The browser rendering engine WebKit’s developers have written the blog post What Spectre and Meltdown Mean For WebKit, parts of which are probably applicable to web browsers in general:
“Security researchers have recently uncovered security issues known as Meltdown and Spectre. These issues apply to all modern processors and allow attackers to gain read access to parts of memory that were meant to be secret. To initiate a Spectre- or Meltdown-based attack, the attacker must be able to run code on the victim’s processor. WebKit is affected because in order to render modern web sites, any web JavaScript engine must allow untrusted JavaScript code to run on the user’s processor. Spectre impacts WebKit directly. Meltdown impacts WebKit because WebKit’s security properties must first be bypassed (via Spectre) before WebKit can be used to mount a Meltdown attack.
WebKit relies on branch instructions to enforce what untrusted JavaScript and WebAssembly code can do. Spectre means that an attacker can control branches, so branches alone are no longer adequate for enforcing security properties.
Meltdown means that userland code, such as JavaScript running in a web browser, can read kernel memory. Not all CPUs are affected by Meltdown and Meltdown is being mitigated by operating system changes. Mounting a Meltdown attack via JavaScript running in WebKit requires first bypassing branch-based security checks, like in the case of a Spectre attack. Therefore, Spectre mitigations that fix the branch problem also prevent an attacker from using WebKit as the starting point for Meltdown.”
2 users thanked author for this post.
MrBrian
AskWoody_MVPJanuary 9, 2018 at 10:08 am #157761Mark Burnett has three mitigation-related flowcharts at https://github.com/m8urnett/Windows-Spectre-Meltdown-Mitigations.
2 users thanked author for this post.
MrBrian
AskWoody_MVPJanuary 9, 2018 at 12:16 pm #157797From Microsoft: Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems.
3 users thanked author for this post.
-
MrBrian
AskWoody_MVPJanuary 9, 2018 at 1:17 pm #157831“We currently support 45 editions of Windows. Patches for 41 of them are available now through Windows Update. We expect the remaining editions to be patched soon. We are maintaining a table of editions and update schedule in our Windows customer guidance article.
Silicon microcode is distributed by the silicon vendor to the system OEM, which then decides to release it to customers. Some system OEMs use Windows Update to distribute such microcode, others use their own update systems. We are maintaining a table of system microcode update information here. Surface will be updated through Windows Update starting today.”
MrBrian
AskWoody_MVPJanuary 9, 2018 at 12:28 pm #157804From Microsoft: Protect your Windows devices against Spectre and Meltdown.
1 user thanked author for this post.
-
MrBrian
AskWoody_MVPJanuary 9, 2018 at 12:46 pm #157813“We will not be issuing updates for Windows Vista or Windows XP-based systems including WES 2009 and POSReady 2009.
Although Windows Vista and Windows XP-based systems are affected products, Microsoft is not issuing an update for them because the comprehensive architectural changes required would jeopardize system stability and cause application compatibility problems. We recommend that security-conscious customers upgrade to a later operating system to keep pace with the changing security threat landscape and benefit from the more robust protections that later operating systems provide.”
1 user thanked author for this post.
Canadian Tech
AskWoody_MVPJanuary 9, 2018 at 3:42 pm #157900MS has withdrawn some patches for Win10 on AMD machines because they brick the machines:
CT
1 user thanked author for this post.
MrBrian
AskWoody_MVPJanuary 9, 2018 at 8:38 pm #157992Understanding the output of the Get-SpeculationControlSettings PowerShell script
Note that there are 2 mitigations that can be independently enabled/disabled.
3 users thanked author for this post.
MrBrian
AskWoody_MVPJanuary 10, 2018 at 8:49 am #158126ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities was revised again on January 9: “Revised the Affected Products table to include updates for supported editions of Microsoft SQL Server 2008, Microsoft SQL Server 2008, and Microsoft SQL Server 2016 because these updates provide mitigations for ADV180002.”
1 user thanked author for this post.
-
MrBrian
AskWoody_MVPJanuary 10, 2018 at 9:32 am #158135From Protecting guest virtual machines from CVE-2017-5715 (branch target injection): “This page provides additional detail about protecting virtual machines on Hyper-V hosts from CVE-2017-5715 (branch target injection).”
1 user thanked author for this post.
MrBrian
AskWoody_MVPJanuary 10, 2018 at 10:46 am #158152
1 user thanked author for this post.
MrBrian
AskWoody_MVP
-
woody
ManagerJanuary 11, 2018 at 10:58 am #158508Meltdown. It’s a “weaponized”/reliable PoC against Windows, you got it…. This is just for fun. Won’t release anything. No I don’t work anywhere with access to this in advance or anything non public.
He knows what he’s doing, too. This is disconcerting….
1 user thanked author for this post.
-
MrBrian
AskWoody_MVPJanuary 11, 2018 at 6:44 pm #158638From https://twitter.com/aionescu/status/951530541068660736: “Now with less ShakyCam. […]”
MrBrian
AskWoody_MVPJanuary 11, 2018 at 1:14 pm #158540From https://twitter.com/phillip_misner/status/951491825390428160: “At this point there is no plan for Windows Update to offer microcode updates. You will still need to get those from your OEM.”
1 user thanked author for this post.
MrBrian
AskWoody_MVPJanuary 11, 2018 at 10:35 pm #158694From Intel Offers Security Issue Update: “In early December we began distributing Intel firmware updates to our OEM partners. For Intel CPUs introduced in the past five years, we expect to issue updates for more than 90 percent of them within a week, and the remainder by the end of January. We will continue to issue updates for other products thereafter.”
2 users thanked author for this post.
MrBrian
AskWoody_MVPJanuary 13, 2018 at 4:51 am #159041
satrow
AskWoody MVPJanuary 13, 2018 at 2:28 pm #159173Dedoimedo’s view: How to deploy Meltdown patches – in Windows 7/8/10 with no AV.
Six systems from 2010 through 2015, five different generations of processors and three different hardware vendors, Windows 7/8/10, Home, Pro and Ultimate editions, Nvidia and Intel graphics, admin and limited users, no anti-virus software at all. I tested manual security and rollup updates, I tested with the registry key. I tried applications, video streaming, games. Everything was fine after these updates.
I don’t see any AMD CPUs mentioned, take it as Intel CPU tests only.
Oh, and performance tests are to follow 🙂
-
anonymous
GuestJanuary 14, 2018 at 10:39 am #159341Hello woody!
Intel has known their bugs in their processors since 1992.
Here is an old report made in 1992:
https://pdfs.semanticscholar.org/2209/42809262c17b6631c0f6536c91aaf7756857.pdf
I think this old report should be known and published everywhere!!!!
Intel should pay for this bug; I think that in a collective demand, people should use the old report.
This is very very strong!!!!!!
Bye!
anonymous
GuestJanuary 14, 2018 at 10:49 am #159352Hello Woody!
the old report is from 1995, not from 1992, sorry for that 🙁
https://pdfs.semanticscholar.org/2209/42809262c17b6631c0f6536c91aaf7756857.pdf
and the discoverer is someone whose nick is tullido, located in a Spanish forum called meneame:
Thank you very much, and I’m hoping someone can publish this info as soon as possible.
Thanks.
1 user thanked author for this post.
MrBrian
AskWoody_MVPJanuary 14, 2018 at 12:26 pm #159370Blog post by Alex Ionescu: Chip Flaws Spectre and Meltdown are Actually Three Vulnerabilities and Proving Hard to Mitigate (January 11). Contains some vendor-specific info.
-
Bill C.
AskWoody PlusJanuary 15, 2018 at 12:06 pm #159489Interesting article that is above my level of expertise, but I did notice the part about 32bit systems being vulnerable to the Variant 3, and mitigations for those systems are far more complex and will probably not be done.
I may have read it incorrectly or understood it incorrectly, but I was under the impression that these were 64bit threats, and not 32bit also.
Thanks for the link and do correct me if I am in error.
MrBrian
AskWoody_MVP
-
anonymous
GuestJanuary 15, 2018 at 9:38 am #159474
MrBrian
AskWoody_MVPJanuary 15, 2018 at 7:19 am #159466Posts https://www.askwoody.com/forums/topic/meltdown-and-spectre-from-a-windows-users-point-of-view/#post-159341, https://www.askwoody.com/forums/topic/meltdown-and-spectre-from-a-windows-users-point-of-view/#post-159352, and https://www.askwoody.com/forums/topic/meltdown-and-spectre-from-a-windows-users-point-of-view/#post-159368 were moved from another topic to this topic.
1 user thanked author for this post.
MrBrian
AskWoody_MVPJanuary 16, 2018 at 1:45 pm #159696For developers: From Spectre mitigations in MSVC:
“Software changes are required to mitigate variant 1 on all currently affected CPUs.
[…]
In order to help developers mitigate this new issue, the MSVC compiler has been updated with support for the /Qspectre switch which will automatically insert one of these speculation barriers when the compiler detects instances of variant 1.
[…]
It is important to note that there are limits to the analysis that MSVC and compilers in general can perform when attempting to identify instances of variant 1. As such, there is no guarantee that all possible instances of variant 1 will be instrumented under /Qspectre.”
1 user thanked author for this post.
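The WebKit post earlier in the thread (branches alone no longer enforce what untrusted code may read) and the MSVC /Qspectre note above are about the same gadget: a bounds check that speculative execution can run past. The following is an added example, not code from WebKit, Microsoft or any driver; every name and the data in it are illustrative. It shows the vulnerable pattern, the barrier that /Qspectre inserts automatically (placed by hand here via the same lfence), and a branchless index-masking form that removes the mispredictable branch entirely (the construction Linux uses in array_index_mask_nospec, written out here). The mask only needs unsigned arithmetic, so it is portable C.

```c
/* Added example: the Spectre variant 1 (bounds-check bypass) gadget that
 * MSVC's /Qspectre looks for, plus two hardenings. Not code from WebKit,
 * Microsoft or any driver; all names and data are illustrative.
 * Build: cc -O2 spectre_v1.c && ./a.out */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Barrier that stops speculation until the preceding compare has retired.
 * On x86 this is the lfence /Qspectre emits; the MSVC intrinsic is _mm_lfence(). */
#if defined(_MSC_VER) && (defined(_M_X64) || defined(_M_IX86))
#  include <intrin.h>
#  define SPECULATION_BARRIER() _mm_lfence()
#elif defined(__x86_64__) || defined(__i386__)
#  define SPECULATION_BARRIER() __asm__ volatile("lfence" ::: "memory")
#elif defined(__aarch64__)
#  define SPECULATION_BARRIER() __asm__ volatile("dsb sy\n\tisb" ::: "memory")
#else
#  define SPECULATION_BARRIER() do { } while (0) /* assumption: no barrier known for this target */
#endif

#define PUBLIC_SIZE 16

/* One struct so the layout is fixed: the secret sits directly after the
 * table, so indices 16..23 address it. Stand-in for memory the caller must
 * never read (e.g. another site's data inside a renderer). Constructed data. */
static const struct {
    uint8_t table[PUBLIC_SIZE];
    char    secret[8];
} mem = { {10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 110, 120, 130, 140, 150, 160},
          "hunter2" };

static uint8_t probe[256 * 64];   /* side channel: one cache line per byte value */
static volatile uint8_t sink;     /* keeps the probe access from being optimized away */

/* The gadget. Architecturally safe (returns 0 for idx >= PUBLIC_SIZE), but
 * while the compare is unresolved a mis-trained predictor lets the CPU run
 * the body speculatively: it loads mem.table[idx] (a byte of secret) and
 * touches probe[] at an offset derived from it. The speculation is squashed,
 * the cache footprint is not, and an attacker can time it. */
uint8_t lookup_unprotected(size_t idx)
{
    if (idx < PUBLIC_SIZE) {
        uint8_t v = mem.table[idx];
        sink ^= probe[(size_t)v * 64];   /* the dependent access is the leak */
        return v;
    }
    return 0;
}

/* Hardening 1: serialize after the check. This is what /Qspectre inserts when
 * it recognizes the pattern; the barrier must sit on the path the check guards. */
uint8_t lookup_lfence(size_t idx)
{
    if (idx < PUBLIC_SIZE) {
        SPECULATION_BARRIER();
        uint8_t v = mem.table[idx];
        sink ^= probe[(size_t)v * 64];
        return v;
    }
    return 0;
}

/* Hardening 2: no branch to mispredict. Returns all ones when idx < size and
 * zero otherwise, using only unsigned arithmetic. Requires idx and size
 * below 2^(bits-1), which holds for any real array. */
size_t index_mask_nospec(size_t idx, size_t size)
{
    size_t oob = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1); /* 1 iff out of bounds */
    return oob - 1;   /* 0 - 1 wraps to SIZE_MAX when in bounds */
}

uint8_t lookup_masked(size_t idx)
{
    size_t mask = index_mask_nospec(idx, PUBLIC_SIZE);
    idx &= mask;                                   /* out of range -> index 0 */
    uint8_t v = mem.table[idx] & (uint8_t)mask;    /* and the value -> 0 */
    sink ^= probe[(size_t)v * 64];                 /* only ever table-derived, even speculatively */
    return v;
}

int main(void)
{
    printf("idx 3  : %u %u %u\n", lookup_unprotected(3), lookup_lfence(3), lookup_masked(3));
    printf("idx 40 : %u %u %u\n", lookup_unprotected(40), lookup_lfence(40), lookup_masked(40));
    printf("all three agree architecturally; only the last two are safe under speculation\n");
    printf("(secret stored right after the table: %s)\n", mem.secret);
    return 0;
}
```

All three functions return the same values, which is why nothing in ordinary testing catches the first one. The lfence form is what recompiling a driver with /Qspectre gives you, but, as the MSVC post says, only where the compiler recognizes the pattern; for code that takes an untrusted index on a hot path (JIT output, parsers, kernel-mode code handling user buffers) the masked form is both complete and cheaper than a serializing instruction.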
MrBrian
AskWoody_MVPJanuary 16, 2018 at 4:28 pm #159743From Unbootable state for AMD devices in Windows 10 version 1709:
“An update is available to fix the following issue that occurs after you install January 3, 2018—KB4056892 (OS Build 16299.192):
AMD devices fall into an unbootable state.”
MrBrian
AskWoody_MVPJanuary 17, 2018 at 1:45 pm #159948
1 user thanked author for this post.
MrBrian
AskWoody_MVPJanuary 19, 2018 at 7:27 pm #160547From ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities: ’01/19/2018 1 – Updated FAQ #10 to announce that Microsoft has resumed updating all AMD devices with the Windows operating system security update to help protect against the chipset vulnerabilities known as Spectre and Meltdown. See the FAQ for links to information on how to download the update for your operating system. Customers with AMD-based devices should install the updates to be protected from the vulnerabilities discussed in this advisory. 2 – Added an update to FAQ #7 that security update 4073291 is available to provide additional protections for the 32-bit (x86) version of Windows 10 Version 1709 related to CVE 2017-5754 (“Meltdown”).’
MrBrian
AskWoody_MVPJanuary 24, 2018 at 1:17 pm #161867From Meltdown and Spectre: What about drivers? (for driver developers):
“To summarize our guidance:
The Windows patches designed to mitigate the Meltdown and Spectre (types 2 and 3) vulnerabilities should handle these issues without any code or logic changes in drivers, file systems, or file system filters.
The Windows Meltdown and Spectre mitigation patches should not have any adverse effect on drivers, file systems, or file system filters.
All Windows kernel-mode code should be recompiled with the /Qspectre switch at your earliest convenience. This switch is available starting in VS 2017 Update 5. This doesn’t require an emergency fix. Rather, it’s we recommend you use this switch when you build the next update of your product.”
This is consistent with previous advice that driver updates are needed to protect against Spectre variant 1.
MrBrian
AskWoody_MVPJanuary 25, 2018 at 6:00 am #162043New post at AMD Processor Security: Software Techniques for Managing Speculation on AMD Processors Whitepaper (January 24, 2018).
-
MrBrian
AskWoody_MVPJanuary 25, 2018 at 6:13 am #162048Quotes from the paper:
“For variant 1 mitigation, AMD is recommending software only solutions which need to be evaluated in a wide range of software including kernel software, JITs, browsers, and other user applications.”
“For variant 2, there are both software and software plus hardware mitigations.”
“This is referred to as a variant 3 (Google Project Zero and Meltdown). No AMD processor has been designed with this behavior and so we are not discussing mitigation steps in the rest of the document for this variant but we are including it here for completeness.”
MrBrian
AskWoody_MVPJanuary 25, 2018 at 11:27 am #162108For those in Group B that wish to avoid the Meltdown updates altogether, you will probably want to avoid any present and future Windows security-only update that contains file ntoskrnl.exe from December 2017 or later. I don’t recommend doing this though. Reference: Here’s how the new Meltdown patch for Windows is enforced for AMD systems.
MrBrian
AskWoody_MVPJanuary 25, 2018 at 1:12 pm #162165From Meltdown-Spectre: Why were flaws kept secret from industry, demand lawmakers: “US lawmakers want to know why only a select few companies knew about Meltdown and Spectre, and whether these insiders considered the impact of their secrecy on others.”
MrBrian
AskWoody_MVPJanuary 28, 2018 at 3:00 am #162756From What can I do to protect my PC from the Meltdown and Spectre flaws? (January 25, 2018):
‘You’re most likely to be attacked via your web browser, and browser suppliers are already updating their software. It’s now particularly important to keep your browsers up to date.
You can reduce the risk by using “site isolation” in the Chrome browser. As Google explains: “Site Isolation offers a second line of defense to make such attacks less likely to succeed. It ensures that pages from different websites are always put into different processes, each running in a sandbox that limits what the process is allowed to do.”’
1 user thanked author for this post.
MrBrian
AskWoody_MVPFebruary 13, 2018 at 1:01 pm #167134ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities was updated on February 13, 2018: “02/13/2018 Microsoft has released security updates to provide additional protections for the 32-bit (x86) versions of Windows 10 as follows: 4074596 for Windows 10, 4074591 for Windows 10 Version 1511, 4074590 for Windows 10 Version 1607, and 4074592 for Windows 10 Version 1703. Microsoft recommends that customers running 32-bit systems install the applicable update as soon as possible. Microsoft continues to work to provide 32-bit (x86) protections for other supported Windows versions but does not have a release schedule at this time. These update will be included in subsequent updates, and do not apply to x64 (64-bit) systems. Added a section under Advisory Details to announce that Microsoft has released mitigations for Windows Holographic to Microsoft HoloLens customers that are provided automatically as part of the February 2018 Windows Security Update to Windows 10 Version 1607 for HoloLens. HoloLens customers do not need to take any additional action to update their device firmware. Added FAQ#12 and FAQ#13 to provide further information for installing the February 2018 security updates.”
MrBrian
AskWoody_MVPFebruary 15, 2018 at 9:50 am #167658From Hate to ruin your day, but… Boffins cook up fresh Meltdown, Spectre CPU design flaw exploits (Feb. 14, 2018): ‘In a research paper – “MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols” – out this month, bit boffins from Princeton University and chip designer Nvidia describe variants of Meltdown and Spectre exploit code that can be used to conduct side-channel timing attacks.’
Hat tip: user GoneToPlaid.
1 user thanked author for this post.
-
MrBrian
AskWoody_MVPFebruary 15, 2018 at 10:08 am #167670From New MeltdownPrime and SpectrePrime exploits surface: “The team concludes that mitigation techniques can be largely the same as for the original exploits can be used, but generic hardware level protection can be difficult, maybe impossible, to implement. As working proof the team created an exploit written in the C language that worked 99,95% times out of 100 test runs. An Apple Macbook Pro using macOS Sierra was used for the test.”
1 user thanked author for this post.
Noel Carboni
AskWoody_MVPFebruary 15, 2018 at 10:53 am #167680From a conceptual perspective – and my opinion is based on a lifetime of computer geekdom – it’s nigh impossible to protect a computer system from attacks from within. As these latest revelations show us there has always BEEN some risk, there is some risk still, and there always will be.
Thinking something is “completely secure” is both an oversimplification and, well, is a false sense. And a quick look at history confirms it… Are there zero computer viruses today? Can you say with certainty that your data isn’t already being taken without your knowledge?
We simply cannot assume our computers are completely secure against software running in them or ever will be. Not with or without the Spectre/Meltdown/Whatever comes tomorrow patches. Much as we want to think, “I want to make my computer secure”, there is no such thing. Only making it more secure.
A key thing to consider is this:
We must balance risk against the fact that downloading things to run from the cloud brings value. How much would we be getting from our computing hardware if we didn’t rely on software developed by other people?
Now, the rubber meets the road:
- Do we want to ALWAYS trust Microsoft – or any vendor – to only ever deliver risk-free software via their cloud? Whom do we partner with? Whom do we trust?
- Or do we want to NEVER trust anyone, turn everything off, and just go into the wilderness and learn to grow our own food? You have to admit, that kind of self sufficiency sounds attractive…
Surely there must be a balance somewhere in between.
Consider that it’s impossible for any individual to judge all of what’s in software nowadays. Even most software developers can’t be sure (we almost always rely on libraries and operating system code from others). On the other hand, people really DO get some value from computer software written by others. You’re here reading this; it must not be all bad.
History has shown us that we can reduce our risk by running only software that’s well-tested, from a vendor that’s proven to be reliable, disallow our computer systems from visiting every site on the wild Internet, and get to know how our systems behave over time… But just think how that’s becoming less and less manageable in light of such things as rapid releases, software (e.g., web page software) that draws from multiple sources online in real time, and packages that are literally gigabytes in size (Adobe anyone? Windows Updates?) delivered over our hyper-fast Internet connections. No human I know can even imagine a collection of a billion things in their heads. Yet we can transfer a gigabyte of data now in a few moments.
I suggest that we’re crossing a threshold where trust is becoming paramount – right at a time when companies care less about earning our trust than ever.
We are also in an era where people are being manipulated by others through slick marketing. Meltdown and Spectre are potential security problems that don’t (or at least didn’t) even have real exploits in the wild, yet here we are finding ourselves told we must be willing to give up on up to a third of our computer performance just to mitigate them?!?
Let’s try to resist giving up on common sense. The little voices in our heads telling us “Whoa, slow down, take a deep breath, does this make sense?” might not be wrong.
-Noel
12 users thanked author for this post.
-
Canadian Tech
AskWoody_MVPFebruary 15, 2018 at 11:04 am #167686Noel, very well put. Obviously from a wise and experienced professional. Thanks.
Not so long ago, I and many, if not most people would have put Microsoft on the top of the Most Trusted list. Through disgustingly bad management, Microsoft has managed to slide off the list altogether.
Consequently, I do not use ANY Microsoft update. Microsoft updates are far more risky than the risk of a hacker or virus attack.
CT
4 users thanked author for this post.
-
geekdom
AskWoody_MVPFebruary 15, 2018 at 1:14 pm #167722Backups are for the contingency that nothing has gone well, trust notwithstanding.
On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
2 users thanked author for this post.
MrBrian
AskWoody_MVPFebruary 25, 2018 at 8:33 pm #170398From Intel didn’t tell CERTS, govs, about Meltdown and Spectre because they couldn’t help fix it (Feb. 23, 2018): “Letters sent to the United States Congress by Intel and the other six companies in the Meltdown/Spectre disclosure cabal have revealed how and why they didn’t inform the wider world about the dangerous chip design flaws.”
MrBrian
AskWoody_MVPMarch 1, 2018 at 9:22 pm #171567ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities was updated on March 1, 2018: “Added FAQ#14 to announce that a stand-alone update for Windows 10 Version 1709 is available via the Microsoft Update Catalog. This update includes microcode updates from Intel. See Microsoft Knowledge Base Article 4090007 (https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates) for more information.”
From FAQ #14: “Microsoft will make available Intel microcode updates for Windows operating systems as they become available.”
1 user thanked author for this post.
MrBrian
AskWoody_MVPMarch 2, 2018 at 7:36 am #171671From https://www.theregister.co.uk/2018/03/01/us_researchers_apply_spectrestyle_tricks_to_break_intels_sgx/ (March 1, 2018):
“The Spectre design flaws in modern CPUs can be exploited to punch holes through the walls of Intel’s SGX secure environments, researchers claim.
SGX – short for Software Guard eXtensions – is a mechanism that normal applications can use to ring-fence sections of memory that not even the operating system nor a hypervisor can access, let alone other programs.”
-
geekdom
AskWoody_MVPMarch 2, 2018 at 12:59 pm #171729Universal backdoor.
MrBrian
geekdom
AskWoody_MVPMarch 27, 2018 at 8:40 pm #178578Another flavor described here:
https://www.bleepingcomputer.com/news/security/academics-discover-new-cpu-side-channel-attack-named-branchscope/
1 user thanked author for this post.
gborn
AskWoody_MVPMarch 28, 2018 at 3:17 am #178634It seems something went terribly wrong: the January/February 2018 Meltdown patches from Microsoft open an even bigger hole. No exploit is necessary any more to access the memory from user processes (and even write to it).
See Windows 7 Jan./Feb. 2018 patches opens Total Meltdown vulnerability
Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author
https://www.borncity.com/win/
-
geekdom
AskWoody_MVPMarch 28, 2018 at 8:03 am #178673Soon, someone will find these holes. I expect rather spectacular security breaches once vulnerabilities go into the wild.
MrBrian
AskWoody_MVPApril 12, 2018 at 9:43 am #184121ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities was updated on April 10, 2018. From that link: “By default, user-to-kernel protection for CVE-2017-5715 is disabled for AMD CPUs. Customers must enable the mitigation to receive additional protections for CVE-2017-5715. Enabling this mitigation may affect performance.”
Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.