# “Meltdown” and “Spectre”



## Johnny b (Nov 7, 2016)

* "Meltdown" and "Spectre": Every modern processor has unfixable security flaws *

https://arstechnica.com/gadgets/201...odern-processor-has-unfixable-security-flaws/


----------



## SpywareDr (Mar 31, 2014)

Microsoft issues emergency Windows update for processor security bugs


> Jan 3, 2018, 4:41pm EST
> 
> Microsoft is issuing a rare out-of-band security update to supported versions of Windows today. The software update is part of a number of fixes that will protect against a newly-discovered processor bug in Intel, AMD, and ARM chipsets. Sources familiar with Microsoft's plans tell The Verge that the company will issue a Windows update that will be automatically applied to Windows 10 machines at 5PM ET / 2PM PT today.
> 
> ...


----------



## Coco767 (Jul 31, 2015)

Hello, sorry if this is in the wrong forum. I have a question. Is the Intel Core Duo 2 T2300E 1.66 GHz processor in a WinXP Dell Latitude D500 affected by the recent flaws discovered in processors? Also, what processor does an Lenovo Thinkpad W500 have? Is it affected by the recent processor flaws discovered? What other processors are affected, please, can I have a list or URL saying them?


----------



## texasbullet (Jun 11, 2014)

You may want to check this thread for details.


----------



## Johnny b (Nov 7, 2016)

MS update info concerning anti virus:

https://www.theregister.co.uk/2018/01/04/microsoft_windows_patch_meltdown/



> Microsoft has released updates for Windows to block attempts by hackers and malware to exploit the Meltdown vulnerability in Intel x86-64 processors - but you will want to check your antivirus software before applying the fixes.


----------



## Johnny b (Nov 7, 2016)

Retpoline: a software construct for preventing branch-target-injection

https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html

https://www.theverge.com/2018/1/4/16851132/meltdown-spectre-google-cpu-patch-performance-slowdown

https://support.google.com/faqs/answer/7625886


----------



## SpywareDr (Mar 31, 2014)

How Will the Meltdown and Spectre Flaws Affect My PC?


----------



## SpywareDr (Mar 31, 2014)

MeltDownAttack.com has a full list of vendor advisories.


----------



## texasbullet (Jun 11, 2014)

More details here.


----------



## Johnny b (Nov 7, 2016)

* Meltdown and Spectre: Here's what Intel, Apple, Microsoft, others are doing about it *

https://arstechnica.com/gadgets/201...el-apple-microsoft-others-are-doing-about-it/


----------



## 2twenty2 (Jul 17, 2003)

https://www.theguardian.com/technol...ction-lawsuits-meltdown-spectre-bugs-computer



> *Intel has been hit with at least three class-action lawsuits* over the major processor vulnerabilities revealed this week.
> 
> The flaws, called Meltdown and Spectre, exist within virtually all modern processors and could allow hackers to steal sensitive data although no data breaches have been reported yet. While Spectre affects processors made by a variety of firms, Meltdown appears to primarily affect Intel processors made since 1995.


----------



## SpywareDr (Mar 31, 2014)

Microsoft has released KB4056894 for Windows 7. It's the 2018-01 Security Monthly Quality Rollup.


----------



## Johnny b (Nov 7, 2016)

https://www.theregister.co.uk/2018/01/08/microsofts_spectre_fixer_bricks_some_amd_powered_pcs/



> Users report Athlon-powered machines in perfect working order before the patch just don't work after it. The patch doesn't create a recovery point, so rollback is little use and the machines emerge from a patch in a state from which rollback is sometimes not accessible. Some say that even re-installing Windows 10 doesn't help matters. Others have been able to do so, only to have their machines quickly download and install the problematic patch all over again …
> 
> Those who have suffered from the putrid patch will therefore need to disable Windows Update as just about the first thing they do. Keeping the machine off networks seems a helpful precaution.


----------



## 2twenty2 (Jul 17, 2003)

https://www.engadget.com/2018/01/08/apple-updates-macos-and-ios-to-address-spectre-vulnerability/



> Just a few days after Apple disclosed how it would be dealing with the Meltdown bug that affects modern computers, it's pushed out fixes for the Spectre exploit as well. iOS 11.2.2 includes "Security improvements to Safari and WebKit to mitigate the effects of Spectre," the company writes on its support page, while the macOS High Sierra 10.13.2 Supplemental Update does the same for your Mac laptop or desktop. Installing this update on your Mac will also update Safari to version 11.0.2.


----------



## Johnny b (Nov 7, 2016)

https://www.theregister.co.uk/2018/01/08/meltdown_fix_security_problems/



> Patching against CVE-2017-5753 and CVE-2017-5715 (Spectre) and CVE-2017-5754 (Meltdown) borks both the PulseSecure VPN client and Sandboxie, the sandbox-based isolation program developed by Sophos.


----------



## Johnny b (Nov 7, 2016)

https://www.theregister.co.uk/2018/01/09/ibm_melts_down/

* IBM melts down fixing Meltdown as processes and patches stutter *


----------



## SpywareDr (Mar 31, 2014)

How to Check if Your PC Is Protected Against Meltdown and Spectre


----------



## SpywareDr (Mar 31, 2014)

Microsoft.com > *
Windows operating system security update block for some AMD based devices*


----------



## Johnny b (Nov 7, 2016)

* Intel is having reboot issues with its Spectre-Meltdown patches *

https://techcrunch.com/2018/01/12/intel-is-having-reboot-issues-with-its-spectre-meltdown-patches/

link:
https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/
Intel Security Issue Update: Addressing Reboot Issues



> We have received reports from a few customers of higher system reboots after applying firmware updates. Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center. We are working quickly with these customers to understand, diagnose and address this reboot issue. If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue.
> 
> End-users should continue to apply updates recommended by their system and operating system providers.


----------



## Johnny b (Nov 7, 2016)

https://arstechnica.com/gadgets/201...sing-trouble-as-realistic-attacks-get-closer/



> ......patching is proving problematic. The Meltdown protection is revealing bugs or otherwise undesirable behavior in various drivers, and Intel is currently recommending that people cease installing a microcode update it issued to help tackle the Spectre problem. .......
> 
> .................
> The Spectre updates are also proving problematic. Microsoft withdrew the patch for AMD systems last week after some machines were left unable to boot. The company has resumed distribution of the patch to most AMD systems, but some older machines are still being excluded.
> ...


----------



## Johnny b (Nov 7, 2016)

https://arstechnica.com/gadgets/201...in-quest-to-get-meltdown-and-spectre-patched/

The good:


> The good news: Microsoft suspended shipping its Spectre and Meltdown Windows patches to owners of AMD systems after some users found that they left their systems unbootable. Microsoft partially lifted the restriction last week, sending the update to newer AMD systems but still leaving the oldest machines unpatched.


The bad:


> The bad news: Intel has previously warned that the microcode update it issued to provide some processor-based mitigation for some kinds of Spectre attack was causing machines with Haswell and Broadwell processors to reboot. It turns out that the problems are more widespread than previously reported: the chip company is now saying that Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake systems are affected, too.


----------



## Johnny b (Nov 7, 2016)

https://linux.slashdot.org/story/18...alls-intel-patches-complete-and-utter-garbage



> Later Linus says forcefully that these "complete and utter garbage" patches are being pushed by someone "for unclear reasons" -- and adds another criticism.


----------



## Johnny b (Nov 7, 2016)

https://www.slashgear.com/intel-spectre-and-meltdown-proof-cpus-coming-this-year-25517122/



> Intel plans to have versions of its processors directly addressing the Spectre and Meltdown security flaws on the market later this year


----------



## Coco767 (Jul 31, 2015)

Johnny-be-Good said:


> https://www.slashgear.com/intel-spectre-and-meltdown-proof-cpus-coming-this-year-25517122/


That is good to know.


----------



## Johnny b (Nov 7, 2016)

https://www.bleepingcomputer.com/ne...and-update-that-disables-spectre-mitigations/



> Microsoft has issued on Saturday an emergency out-of-band Windows update that *disables patches* for the Spectre Variant 2 bug (CVE-2017-5715).
> 
> The update -KB4078130- targets Windows 7 (SP1), Windows 8.1, all versions of Windows 10, and all supported Windows Server distributions.
> 
> Microsoft shipped mitigations for the Meltdown and Spectre bugs on January 3.


----------



## Johnny b (Nov 7, 2016)

A bit more explanation of what bothers Torvaids:

https://www.theregister.co.uk/2018/01/22/intel_spectre_fix_linux/



> Rather than preventing abuse of processor branch prediction by disabling the capability and incurring a performance hit, Chipzilla's future chips - at least for a few years until microarchitecture changes can be implemented - will ship vulnerable by default but will include a protection flag that can be set by software.
> ......
> Instead of treating Spectre as a bug, the chip maker is offering Spectre protection as a feature.


----------



## Johnny b (Nov 7, 2016)

https://news.hitb.org/content/intel-warned-chinese-companies-chip-flaw-us-government



> In initial disclosures about critical security flaws discovered in its processors, Intel Corp. notified a small group of customers, including Chinese technology companies, but left out the U.S. government, according to people familiar with the matter and some of the companies involved.


----------



## dvk01 (Dec 14, 2002)

So what! and Why should anybody inform the US or any other Government?
What could US gov't do?
It is more sensible that they inform their direct customers than anybody else initially

China makes over 90% of computers worldwide and are the biggest purchasers of Intel Chips

Another wonderful example of trying to sensationalize nothing


----------



## dvk01 (Dec 14, 2002)

I have merged all the numerous threads about meltdown /spectre /intel into this one topic
please add new posts or articles to this thread and not keep creating new ones. It is much easier to follow 1 topic than 50


----------



## Johnny b (Nov 7, 2016)

dvk01 said:


> So what! and Why should anybody inform the US or any other Government?
> What could US gov't do?
> It is more sensible that they inform their direct customers than anybody else initially
> 
> ...


National Security could be a big reason.
The US Govt. is a big consumer of Intel chips.


----------



## Johnny b (Nov 7, 2016)

Interesting discussion about Spectre here:

https://www.theregister.co.uk/2018/...spectre_pressing_its_nose_against_your_glass/


----------



## Johnny b (Nov 7, 2016)

Wall Street Journal article addressing early Intel notifications and potential National Security issues that could have been possible in respect to Spectre:

https://www.wsj.com/articles/intel-...f-chip-flaws-before-u-s-government-1517157430



> Because the flaws can be leveraged to sneak sensitive data out of the cloud, information about them would be of great interest to any intelligence-gathering agency, said Jake Williams, president of the security company Rendition Infosec LLC and a former National Security Agency employee. In the past, Chinese state-linked hackers have exploited software vulnerabilities to get leverage on their targets or expand surveillance.
> 
> It is a "near certainty" Beijing was aware of the conversations between Intel and its Chinese tech partners, because authorities there routinely monitor all such communications, Mr. Williams said.


----------



## Johnny b (Nov 7, 2016)

Malware Leveraging the Meltdown and Spectre Vulnerabilities?
Just a matter of time.

https://www.bleepingcomputer.com/ne...ing-the-meltdown-and-spectre-vulnerabilities/



> Malware samples detected after release of PoC code


----------

