sure glad I use AMD processors exclusively
"If you are running an AMD processor, you're fine. AMD confirmed its processors are not vulnerable.
Linux kernel patches are already available, with Microsoft expected to roll out the Windows patch for the next Patch Tuesday happening next week."
We have a message for AMD users too.
Anyhow, Intel, AMD and ARM chips, which account for most computers today. Ouch.
"Back on 26 December is when Tom Lendacky of AMD posted a patch to confirm this PTI problem shouldn't affect the company's processors -- at least with what information is currently known. Lendacky wrote, "AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault."
What about without the patch?
I'm sure you know of Linux servers that just run and run but the owners are loathe to patch.
So is the patch needed to block this?
Maybe this answers the question
The fixes are different between the Intel processors. Some need one fix, others need two fixes applied.
2 pages there.
" Intel and AMD CPUs, and selected Arm cores, are vulnerable to Spectre Variant 1 attacks. Intel and said Arm cores are vulnerable to Spectre Variant 2. Only Intel CPUs and one Arm core – the yet-to-ship Cortex-A75 – are vulnerable to Meltdown. Oh, and Apple's Arm-compatible CPUs are affected by Meltdown and Spectre, too,
to protect yourself from Spectre Variant 1 attacks, you need to rebuild your applications with countermeasures. These defense mechanisms are not generally available yet. To protect yourself from Spectre Variant 2 attacks, you have to use a kernel with countermeasures, and if you're on a Skylake or newer core, a microcode update, too. That microcode is yet to ship. "
Basically, a crapshoot with various sources putting out "fixes" for kernels, processor microcodes, browser adjustments, and little is definite yet.
"The other vulnerability, Spectre, meanwhile, has been demonstrated on Intel Ivy Bridge, Haswell and Skylake processors, AMD Ryzen CPUs, and several ARM-based Samsung and Qualcomm system-on-chips used for mobile phones."
My guess is this:
More servers will switch to motherboards that run with AMD processors, since they are at risk mostly if someone is running in root or superuser mode, but the Intel chips are at risk of limited user accounts being able to allow access to protected user space. Most Linux users always run in a limited user mode, which means those on AMD currently are safer than those on Intel, until adequate fixes are out and applied. AMD processors, it seems, have a strong wall between limited user accounts and what runs in root or protected mode, for both Windows and Linux. The problem for Windows is that many if not most of its users tend to run in Admin mode all the time.
I hope I'm wrong, but I get the feeling it could become like Adobe Flash, where constant new fixes must be applied as new threats emerge.
AMD vs Intel
There's a simple option, "nopti", that can be added to the GRUB boot line on AMD machines that will keep the processor from being slowed down by a newer "patched" Linux kernel aimed at Intel CPUs.
Other pertinent links in that post. This is going to hit the gamers the hardest.
"There is evidence of a massive Intel CPU hardware bug (currently under embargo) that directly affects big cloud providers like Amazon and Google. The fix will introduce notable performance penalties on Intel machines (30-35%).
People have noticed a recent development in the Linux kernel: a rather massive, important redesign (page table isolation) is being introduced very fast for kernel standards... and being backported! The "official" reason is to incorporate a mitigation called KASLR... which most security experts consider almost useless. There's also some unusual, suspicious stuff going on: the documentation is missing, some of the comments are redacted (https://twitter.com/grsecurity/status/947147105684123649) and people with Intel, Amazon and Google emails are CC'd.
According to one of the people working on it, PTI is only needed for Intel CPUs, AMD is not affected by whatever it protects against (https://lkml.org/lkml/2017/12/27/2). PTI affects a core low-level feature (virtual memory) and has severe performance penalties: 29% for an i7-6700 and 34% for an i7-3770S, according to Brad Spengler from grsecurity. PTI is simply not active for AMD CPUs. The kernel flag is named X86_BUG_CPU_INSECURE and its description is "CPU is insecure and needs kernel page table isolation"."
What they are: Spectre and Meltdown
Some in depth links there for anyone interested in getting into the deeper part of this.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.
I couldn't resist having fun with their LOGO.
Linux to the Rescue. First as always.
The x86 PTI patches are mainline for this past weekend's release of Linux 4.15-rc6... Newer Intel CPUs with PCID should also help in ensuring less of a performance impact... These x86 PTI patches are being back-ported to all supported Linux kernel series right now... I ran tests on a Core i7 8700K "Coffee Lake" system as well as an older Core i7 6800K "Broadwell E" system, the newer system on Ubuntu 16.04.3 LTS and the older on Ubuntu 17.10... More extensive benchmarks are coming up soon.
Re: first as always
Microsoft is pushing a (required) Windows update very hard, so I expect it to be active world-wide soon.
For Linux it not only depends on how active and fast the maintenance team of a certain distro is, but - if I understood your recent posts correctly - also on the individual user periodically reviewing all available updates manually and deciding if they have to be done or not, one by one. My guess: it takes half a year before half of the Linux desktop users are updated. Late as always.
Post was last edited on January 5, 2018 5:53 AM PST
LOL, ever the critic. Also Firefox users must update to 57.
Love it. Yes, but many like me checked for updates yesterday. Today I learned that since kernel updates are usually not done so often and the fix is there, you probably are correct that many Linux users may not do the update in a timely fashion. But it's available, first, if they want it.
forgot to post the link.
That update is aimed at Intel processors
Unfortunately, it's breaking systems running AMD processors, so it should be avoided by Windows users on AMD. The AMD processors are only susceptible to one variant of Spectre, and not Meltdown at all. I'm not sure if that applies to the AMD Ryzen. Remember, Microsoft and Intel are often referred to as "Wintel", so of course Microsoft's efforts are aimed most strongly at the Intel chips' vulnerability.
Some talk around forums that the Microsoft patch is deliberately crippling AMD computers, so more will go buy new w10 computers. That makes little sense to me, since many of the new computers would also have AMD chips in them, so sounds like foolish conspiracy stuff.
Another article from our former sister site, ZDNET
whistling past the graveyard?
" Microsoft released patches for Windows, outside its usual Patch Tuesday update schedule -- Windows Insiders on the fast-ring already received the patches in November. Apple reportedly patched the flaw in macOS 10.13.2. A spokesperson did not respond to a request for comment. And, patches for Linux systems are also available.
Many cloud services running Intel-powered servers are also affected, prompting Amazon, Microsoft, and Google to patch their cloud services and schedule downtime to prevent would-be attackers from reading other processes on the same shared cloud server.
Microsoft and Amazon have announced scheduled downtime of their cloud services in the coming days.
Google, whose Project Zero team was credited with finding the vulnerability, said in a blog post that, "as we learned of this new class of attack, our security and product development teams mobilized to defend Google's systems and our users' data." " (more in article)
Here come the class action lawsuits against Intel
Last modified on Fri 5 Jan ‘18 17.00 EST
"Intel has been hit with at least three class-action lawsuits over the major processor vulnerabilities revealed this week.
The flaws, called Meltdown and Spectre, exist within virtually all modern processors and could allow hackers to steal sensitive data although no data breaches have been reported yet. While Spectre affects processors made by a variety of firms, Meltdown appears to primarily affect Intel processors made since 1995.
Three separate class-action lawsuits have been filed by plaintiffs in California, Oregon and Indiana seeking compensation, with more expected. All three cite the security vulnerability and Intel’s delay in public disclosure from when it was first notified by researchers of the flaws in June. Intel said in a statement it “can confirm it is aware of the class actions but as these proceedings are ongoing, it would be inappropriate to comment”.
List of Intel Chips Affected
WARNING: Microsoft's current patch is breaking systems
If you have an AMD processor, avoid the patch!
"Microsoft rolled out Windows 10 cumulative update KB4056892 yesterday as an emergency patch for systems running the Fall Creators Update in an attempt to fix the Meltdown and Spectre bugs affecting Intel, AMD, and ARM processors manufactured in the last two decades.
But as it turns out, instead of fixing the two security vulnerabilities on some computers, the cumulative update actually breaks them down, with several users complaining that their systems were rendered useless after attempting to install KB4056892.
Our readers pointed me to three different Microsoft Community threads (1, 2, 3) where users reported cumulative update KB4056892 issues, and in every case the problem appears to be exactly the same: AMD systems end up with a boot error before trying a rollback and failing with error 0x800f0845."
more in article
Here's a performance benchmark on an i7 Intel processor with the current patch applied. The hit can be 20% on Windows 10, and for most general use it seems to be about a 9-12% speed reduction. A nice graphic chart makes it easy.
Notice "Prefetch" which is built into windows
It's this "prefetch" in Windows, I believe, that is used by the processors to "prefetch" the most often and most recently used data into internal processor memory storage.
"The meltdown exploit demonstrated that having the kernel mapping available in userspace can be risky. Modern processors prefetch data from all mappings to run as fast as possible. What data gets prefetched depends on the CPU implementation. When a running userspace program accesses a kernel mapping, it will take a fault and typically crash the program. The CPU however, may prefetch kernel data without causing any change to the running program. Prefetching is not usually a security risk because there are still permission checks on the addresses so userspace programs cannot access kernel data. What the meltdown researchers discovered was it was possible to measure how long data accesses took on prefetched data to gain information about the system. This is what's referred to as a side-channel attack. The KPTI patches reworked how page tables are set up so that the kernel is no longer mapped in userspace. This means that userspace cannot prefetch any kernel data and thus the exploit is mitigated."
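As an added example (not code from the thread), here is a POSIX shell check that reports what a Linux kernel says about the Meltdown/Spectre mitigations discussed above: the KPTI status, the "pti" CPU flag, and whether the "nopti" boot option from the GRUB post earlier is in effect. It assumes the /sys/devices/system/cpu/vulnerabilities files that shipped with the PTI patches (4.15 and backports); on older kernels they are reported as missing, and the file paths are parameters so the checks can also run against copied-out files.

```shell
#!/bin/sh
# Summarise kernel-reported Meltdown/Spectre mitigation status.
# Assumed sysfs interface (kernel 4.15+ and backports):
#   /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2}
# Each file holds one line such as "Not affected", "Vulnerable" or "Mitigation: PTI".
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# cpu_vendor CPUINFO_FILE -> prints vendor_id (GenuineIntel, AuthenticAMD, ...)
cpu_vendor() {
    awk -F': ' '/^vendor_id/ { print $2; exit }' "$1"
}

# has_flag CPUINFO_FILE FLAG -> exit 0 when FLAG appears on the cpuinfo flags line
# (newer kernels report "pti"; early backports used "kaiser" instead)
has_flag() {
    awk -v f="$2" '/^flags/ { for (i = 1; i <= NF; i++) if ($i == f) found = 1 }
                   END { exit !found }' "$1"
}

# nopti_set CMDLINE_FILE -> exit 0 when the kernel was booted with "nopti"
nopti_set() {
    tr ' ' '\n' < "$1" | grep -qx nopti
}

# vuln_status VULN_DIR NAME -> prints the kernel's status line, or a marker if absent
vuln_status() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo "unknown (file missing)"; fi
}

# mitigation_report [VULN_DIR] [CPUINFO_FILE] [CMDLINE_FILE] -> report, one item per line
mitigation_report() {
    dir=${1:-$VULN_DIR_DEFAULT}; cpuinfo=${2:-/proc/cpuinfo}; cmdline=${3:-/proc/cmdline}
    vendor=$(cpu_vendor "$cpuinfo")
    if has_flag "$cpuinfo" pti; then pti=yes; else pti=no; fi
    if nopti_set "$cmdline"; then nopti=yes; else nopti=no; fi
    printf 'vendor=%s pti_flag=%s nopti=%s\n' "$vendor" "$pti" "$nopti"
    for v in meltdown spectre_v1 spectre_v2; do
        printf '%s: %s\n' "$v" "$(vuln_status "$dir" "$v")"
    done
    # The combination to watch for: PTI is the Meltdown mitigation on Intel,
    # so "nopti" is only a safe performance tweak on CPUs not affected by Meltdown.
    if [ "$vendor" = GenuineIntel ] && [ "$nopti" = yes ]; then
        echo "WARNING: nopti on an Intel CPU leaves Meltdown unmitigated"
    fi
}

# Run against the live system with:  sh mitigation_report.sh live
case "${1:-}" in live) mitigation_report ;; esac
```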
Bleeping Computer, a MUST read page
Goes over EVERYTHING! Great page to get a handle on all this and what it means.
For those on Linux using an Intel CPU, the fix is any new kernel with these patches in it.
CVE-2017-5753, and CVE-2017-5754
For Android there are three of them.
CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754
For Windows, ONLY use on Intel CPU based computers, because AMD computers which get this "update" may see problems caused by it.
"On January 3rd 2018, Microsoft released emergency out-of-band updates for Windows 7 SP1, Windows 8.1, Windows 10, and various Windows Server versions. Though these updates help to mitigate the Spectre and Meltdown speculative execution side-channel vulnerabilities, to be fully protected you will also need to install the latest firmware & BIOS updates for your computer."
Regarding a clash between Windows update and some antivirus programs, see this article.
'Q1: Why are some anti-virus solutions incompatible with the January 3, 2018, security updates?
A1: During testing, we discovered that some third-party applications have been making unsupported calls into Windows kernel memory that cause stop errors (also known as bluescreen errors) to occur.
Microsoft has assembled the following resources to help potentially impacted customers:' (see article for more)
Remember, AMD users, you have very little at this time to worry about, other than taking on fixes aimed at Intel CPUs and having them create a problem for you. So, avoid the fixes being given for Intel CPUs.
For those on Linux, AMD users should be safe when updating to newest kernel with fixes, coming about Jan 9 for Ubuntu based distros.
SSDs face 40% slowdown due to Meltdown fix for Intel CPUs
That could drive many SSDs back close to HDD speed values.
"Sunday January 07, 2018
Benchmarks of Meltdown and Spectre Updates Suggest Big Slow Down for SSDs
TechSpot has published four pages of insight on how the OS and motherboard patches for Meltdown and Spectre could affect your desktop system. While the primary concern for many is CPU performance, the hits to SSDs are also noteworthy: results show up to 40% degradation for processes such as sequential read and write."
From what I've been reading, avoid BIOS updates for now
The ASUS BIOS update seems to give the most significant slowdown in performance. The Microsoft updates available as of today do not seem to slow computers down that much, and in some odd cases even seem to give a very small boost in speed.
The biggest impact is to SSD speed, and even that may be due to the BIOS update rather than the Windows update.
Remember, those most at risk are using Intel CPUs, and AMD CPUs seem only affected by a single variant of Spectre, which the Windows update should protect against sufficiently, other than the newer Ryzen AMD processors, which may be affected by both Spectre variants known today.
Linux systems have newer kernels, some not available till tomorrow, which use a KPTI (Kernel Page Table Isolation) fix, and of course continuing development for improvement on it. Also, KPTI will be backported to other LTS (long term service) Linux distro kernel versions.
Just installed the patch from msft.
Ran a benchmark.
Nothing jumps at me as being different.
What type of benchmark?
A hard disk benchmark? I don't expect that to change. Benchmarks based on various programs ARE showing slowdowns, some about 3% and some on SSDs as high as 40%. There are differing benchmarks, and the ones that are of concern are those that test program performance.
Videos of Meltdown in Action on Intel CPU's