SPECTRE, Meltdown and BIOS/firmware disaster


  • Moderator

    These large security holes (called SPECTRE and Meltdown) almost always need BIOS and firmware updates for mainboards and CPUs.

    Unfortunately not all mainboards will get a BIOS update, and e.g. Microsoft does not update the microcode firmware of CPUs (even though they could, and did in the past!). I hate this MS behavior.
    Linux can patch the microcode and did it.

    In the past we were using Intel CPUs because of better compatibility with Linux PCs for our office work.

    My problems:

    • A 5-year-old Gigabyte board GA-B75N (Intel i5-3470) – no updates for BIOS (last was 2015!) can be found. :(
      But it has Linux, so it may be safe after microcode patches?

    • The other PC is brand-new (bought mid-2017!) and has an Intel i5-7400 (B250 chipset) on a GA-B250-HD3P with Windows 10 Pro – BIOS/firmware updates: nothing on the Gigabyte page :(

    And the bad thing is that Intel has known about such problems for half a year.
    It makes me angry to be forced to use expensive, unsafe hardware.

    How do you feel, and how do you cover the problems with your (maybe unsafe) systems?



  • @gwen-dragon said in SPECTRE, Meltdown and BIOS/firmware disaster:

    And the bad thing is that Intel has known about such problems for half a year.

    The money...

    This would help to check about Spectre.


  • Moderator

    @zalex108 This check does not catch all issues with the security holes from Intel.
    It is only a short check.


  • Moderator

    Effrontery by Intel (press/fake news division?): They tell us the CPU works as designed and has no bug. That is no defect, they say.
    Nice. We do not know if an Intel CPU has the holes, but we have to buy it.



  • @gwen-dragon

    Politics behind the scene...
    Corruption, Lies... Control.

    That kind of society always does the same.

    It seems that CPUs since 1995...

    If they fix the problem, it would be in a hidden update and forced by money pressures, not because of people's safety but for government secrets/control safety and because AMD will gain market...



  • Furthermore, up to now Intel has not shown data on or released information about updates for pre-Skylake processors (Haswell, Broadwell), which are vulnerable also.

    Their latest press information about speed losses only goes back to 6th generation Core-i (Skylake).

    If somewhere Intel released patches for earlier processors, I'd be glad to see them... otherwise on those systems patched applications will be essential to mitigate Meltdown and Spectre as far as possible...


  • Moderator

    Tell me, how did you all secure your PCs against these AMD/Intel/ARM sec holes?



  • Not different from anything before. So, generally being paranoid enough :)

    As I have a Haswell processor, I don't get an Intel firmware update (yet).

    • install all OS updates (Mac)
    • install all app updates, as far as available
    • don't open unknown code
    • generally disable JS
    • only allow JS on whitelisted domains
    • use strict adblocker (UO, disable all 3rd party elements per default, disable all scripts per default)
    • don't go to websites I think I ought not to go to...

    Oh, and:

    • have regular, good, complete and two independent backups!


  • Unfortunately, as frustrating as it is, I think this is something we must come to simply accept.

    We have all become beta testers for everything from our technology to our automobiles. Companies are releasing products with the expectation that consumers will report any flaws with the item. They keep a slush fund to pay off any affected buyers/users.
    Do they then fix the flaws?... Sometimes. Until I sold off my car I was getting recall notices regularly for some minor issue or other. Here I was thinking I bought a properly built (NEW) car. One fix to the airbag made the horn unworkable!!
    With tech it is even more difficult (and with tablets/phones it is even worse). Why is MS the one to fix a processor manufacturer's fault? (Oh, there's something about a registry key having to be set first...).
    Should not the processor manufacturer be providing firmware updates for their own product directly?

    What do I do?

    • Update regularly (OS, programmes, Extensions/Add-Ons)
    • Backup regularly
    • Have an updated backup Linux box I can use just in case this one gets bricked by some update/fix.

    At least I can keep moving forward. Perhaps I should go to Linux on this laptop also.
    Also I make regular sacrifices to the gods of technology to ensure nothing goes wrong. </sarcasm>



  • @zalex108 said in SPECTRE, Meltdown and BIOS/firmware disaster:

    If they fix the problem, it would be in a hidden update and forced by money pressures, not because of people's safety but for government secrets/control safety and because AMD will gain market...

    Ok,
    Now I've read that AMD suffers the same problem too.


    Maybe it would be necessary to use a computer with a non-affected CPU to change online banking passwords, as well as for shopping sites with the credit card/PayPal credentials, and use that machine for that kind of thing.

    Meanwhile, wipe the current OS on affected systems.

    :thinking:
    ...but if those PC companies are affected... the problem still happens... ¬¬

    Despite nothing being said about server CPUs - if I'm not wrong -... should we trust?



  • Keep in mind, Spectre and Meltdown are both bugs that allow you to read memory you should not have access to; neither bug actually allows a hacker to modify something. Not that you really want someone reading your browser passwords, but it is a completely different matter from privilege escalation or being able to run arbitrary code. As long as you avoid suspect sites you should be okay.



    Since these security holes in the chipsets of the computer equipment were known long ago, if there were great efforts to remedy them, it makes me think of the intentionality of having a back door available to the secret services of certain governments.



    Why aren't computer journalists, magazine types, investigating what really took place at Intel to even cause this problem? Why do we just get general responses from Fake News media and CEOs? What about people who actually design chips and know what happened?



  • @stpvid1 I don't design chips, so I can't say for sure. To me it simply looks like a use case that no-one thought of beforehand which some researchers then discovered could be exploited to impact security.

    I don't think there was anything at Intel (or indeed other manufacturers) that directly caused this problem.



    @lonm Just checked the Acer website; my PC model isn't on the list, so that's good to know. Intel does have updated info about Spectre/Meltdown on their website. HTH



  • @gwen-dragon said in SPECTRE, Meltdown and BIOS/firmware disaster:

    tell me, how did you all secure your PCs against these AMD/Intel/ARM sec holes?

    Hi Lilo. The Manjaro devs have been really proactive on this. We've received a flurry of updates targeting this, & there's more coming. FYI, here's my current status, as far as I can understand it.

    My 2015 i7 Tower:

    1. Kernel 4.14.x is patched for Meltdown
    2. Intel microcode update installed. My earlier assumption was that this was supposed to have patched me against Spectre, but despite this, sadly I'm still vulnerable to Spectre [see codeboxes below]

    My 2011 i5 Lappy:

    1. Kernel 4.14.x is patched for Meltdown
    2. No Intel microcode update available yet, so still vulnerable to Spectre.
    [[email protected] ~]$ dmesg | grep microcode
    [    0.000000] microcode: microcode updated early to revision 0x23, date = 2017-11-20
    [    0.510236] microcode: sig=0x306c3, pf=0x2, revision=0x23
    [    0.510621] microcode: Microcode Update Driver: v2.2.
    [[email protected] ~]$
    
    [[email protected] ~]$ sudo spectre-meltdown-checker
    [sudo] password for steffie: 
    Spectre and Meltdown mitigation detection tool v0.28
    
    Checking for vulnerabilities against running kernel Linux 4.14.13-1-MANJARO #1 SMP PREEMPT Wed Jan 10 21:11:43 UTC 2018 x86_64
    CPU is Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  NO 
    > STATUS:  VULNERABLE  (only 21 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation:  YES 
    *   Kernel support for IBRS:  NO 
    *   IBRS enabled for Kernel space:  NO 
    *   IBRS enabled for User space:  NO 
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO 
    *   Kernel compiled with a retpoline-aware compiler:  NO 
    > STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Kernel supports Page Table Isolation (PTI):  YES 
    * PTI enabled and active:  YES 
    > STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
    
    A false sense of security is worse than no security at all, see --disclaimer
    
    

    PS - Per my earlier thread, I'm also running V with the Strict site isolation flag enabled.
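    The checker script above has to guess Spectre status from opcode counts, but kernels from 4.15 on publish each issue's mitigation state directly in /sys/devices/system/cpu/vulnerabilities/ (one file per issue, contents like "Mitigation: PTI" or "Vulnerable"). The script below is an added example, not code from this post or from the spectre-meltdown-checker project: it classifies that sysfs format, extracts the loaded microcode revision from dmesg lines, and reports what still needs attention. The sysfs contents are constructed to mirror the status shown above (Meltdown mitigated, Spectre v1/v2 not); the dmesg sample is copied from the post; the file-name set and the "Unknown: ..." form are assumptions about what the kernel may report.

```python
"""Summarise speculative-execution mitigation status on Linux.

Added example (not code from the post or from spectre-meltdown-checker).
Assumes a 4.15+ kernel exposing /sys/devices/system/cpu/vulnerabilities/;
all sample inputs below are constructed.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# dmesg lines copied from the post above, used as constructed sample input
SAMPLE_DMESG = [
    "[    0.000000] microcode: microcode updated early to revision 0x23, date = 2017-11-20",
    "[    0.510236] microcode: sig=0x306c3, pf=0x2, revision=0x23",
    "[    0.510621] microcode: Microcode Update Driver: v2.2.",
]

# Constructed sysfs contents: Meltdown mitigated by PTI, Spectre v1/v2 still open
SAMPLE_SNAPSHOT = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable\n",
}


@dataclass
class VulnStatus:
    name: str    # sysfs file name, e.g. "spectre_v2"
    state: str   # "not_affected", "mitigated", "vulnerable" or "unknown"
    detail: str  # text after the colon, e.g. "PTI"; empty if none


def parse_status_line(name: str, text: str) -> VulnStatus:
    """Classify one vulnerability file. Kernel formats: "Not affected",
    "Vulnerable", "Vulnerable: <why>", "Mitigation: <what>". Anything else
    (assumed form "Unknown: ...") is reported as unknown, never as safe."""
    text = text.strip()
    head, _, detail = text.partition(":")
    head = head.strip().lower()
    detail = detail.strip()
    if head == "not affected":
        return VulnStatus(name, "not_affected", detail)
    if head == "mitigation":
        return VulnStatus(name, "mitigated", detail)
    if head == "vulnerable":
        return VulnStatus(name, "vulnerable", detail)
    return VulnStatus(name, "unknown", text)


def parse_sysfs_snapshot(files: Dict[str, str]) -> Dict[str, VulnStatus]:
    return {name: parse_status_line(name, body) for name, body in files.items()}


def read_live_sysfs(path: str = SYSFS_VULN_DIR) -> Optional[Dict[str, str]]:
    """Return {file: contents} from the real sysfs directory, or None when it
    does not exist (older kernel, or not Linux)."""
    if not os.path.isdir(path):
        return None
    snapshot = {}
    for fn in sorted(os.listdir(path)):
        with open(os.path.join(path, fn)) as fh:
            snapshot[fn] = fh.read()
    return snapshot


def unmitigated(statuses: Dict[str, VulnStatus]) -> List[str]:
    """Issues that still need attention; 'unknown' counts as unmitigated."""
    return sorted(n for n, s in statuses.items() if s.state in ("vulnerable", "unknown"))


_EARLY_RE = re.compile(r"microcode updated early to revision (0x[0-9a-fA-F]+), date = (\d{4}-\d{2}-\d{2})")
_SIG_RE = re.compile(r"microcode: sig=(0x[0-9a-fA-F]+), pf=(0x[0-9a-fA-F]+), revision=(0x[0-9a-fA-F]+)")


def parse_microcode_dmesg(lines: List[str]) -> Dict[str, object]:
    """Extract loaded microcode revision/date and CPU signature from dmesg.
    No 'updated early' line means the kernel loaded no microcode update."""
    info: Dict[str, object] = {"loaded": False}
    for line in lines:
        m = _EARLY_RE.search(line)
        if m:
            info.update(loaded=True, revision=int(m.group(1), 16), date=m.group(2))
        m = _SIG_RE.search(line)
        if m:
            info.update(sig=int(m.group(1), 16), pf=int(m.group(2), 16), revision=int(m.group(3), 16))
    return info


def report(statuses: Dict[str, VulnStatus], microcode: Dict[str, object]) -> List[str]:
    lines = []
    if microcode.get("loaded"):
        lines.append(f"microcode: revision {microcode['revision']:#x} ({microcode.get('date', '?')})")
    else:
        lines.append("microcode: no kernel-loaded update found")
    for name, st in sorted(statuses.items()):
        lines.append(f"{name:12} {st.state:13} {st.detail}".rstrip())
    missing = unmitigated(statuses)
    lines.append("ACTION NEEDED: " + ", ".join(missing) if missing else "all listed issues mitigated or not applicable")
    return lines


if __name__ == "__main__":
    live = read_live_sysfs()
    snapshot = live if live is not None else SAMPLE_SNAPSHOT
    dmesg_lines = SAMPLE_DMESG  # replace with the output of: dmesg | grep microcode
    print("\n".join(report(parse_sysfs_snapshot(snapshot), parse_microcode_dmesg(dmesg_lines))))
```

    Run on a machine with the sysfs directory, it reads the live files; elsewhere it falls back to the constructed sample. Treating an unrecognised status string as "unknown" rather than "mitigated" is deliberate: a parser that defaults to safe would hide exactly the case (new kernel, new wording) where a human should look.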


  • Moderator

    Microcode patches as in Linux are a nice workaround, but it would be safer to have the safety in place before the Linux bootloader.

    I hope we get some fixed firmware/BIOS by mid-January.


  • Moderator

    Now Gigabyte GA-B250-HD3P (Intel i5-7400) got Firmware F10b for updated Intel microcode.

    A check in Windows PowerShell with Get-SpeculationControlSettings shows all green \o/ :v:

    Happy about the fix. :white_check_mark:



    Damn, I'm really unlucky... I have an i5-4690k and I'm on Windows 7, which is allegedly going to get a bigger performance hit than Windows 10. I also just noticed that I didn't even receive the Windows update/patch for Spectre and Meltdown; some previous update messed up Windows Update, so I had to download the update manually. Now I have the OS patch at least, but I don't think I'm getting a BIOS update for my ~4-year-old Gigabyte motherboard :/


  • Moderator

    @longlife said in SPECTRE, Meltdown and BIOS/firmware disaster:

    ... I don't think I'm getting a BIOS update for my ~4-year-old Gigabyte motherboard

    Perhaps the patches for some older boards come after the newer boards get all fixes.
    I hope so, as I have a mini-PC with a GA-B75N and an Intel i5-3470 on my office desk that is important for my daily use.

