Major Flaw in Millions of Intel Chips

Corrine

Administrator,
Microsoft MVP,
Security Analyst
Staff member
Joined
Feb 22, 2012
Posts
12,338
Location
Upstate, NY
From Major flaw in millions of Intel chips revealed - BBC News:
A serious flaw in the design of Intel's chips will require Microsoft, Linux and Apple to update operating systems for computers around the world.

Intel has not yet released the details of the vulnerability, but it is believed to affect chips in millions of computers from the last decade.

The UK's National Cyber Security Centre (NCSC) said it was aware of the issue and that patches were being produced.

Some experts said a software fix could slow down computers.

Note: Windows Insiders running Build 17035 already have the fix.

Response from Intel at Intel Responds to Security Research Findings:

Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
 
Microsoft issues emergency Windows update for processor security bugs - The Verge
Microsoft is issuing a rare out-of-band security update to supported versions of Windows today. The software update is part of a number of fixes that will protect against a newly-discovered processor bug in Intel, AMD, and ARM chipsets. Sources familiar with Microsoft’s plans tell The Verge that the company will issue a Windows update that will be automatically applied to Windows 10 machines at 4PM ET / 1PM PT today.

The update will also be available for older and supported versions of Windows today, but systems running operating systems like Windows 7 or Windows 8 won’t automatically be updated through Windows Update until next Tuesday. Windows 10 will be automatically updated today.

Just checked and no updates here, Windows 10, 64bit, Version 1709.
 
So do I. :eek:
No updates from windows updates, nor from my motherboard support website.
DUMO free shows nothing new.
By the way, not only Intel (and its customers) are in trouble:
Intel and other technology companies...
...many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
...Intel has begun providing software and firmware updates to mitigate these exploits.
...Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available.
 
The update will come from Microsoft (for Windows users), but only if your Anti-Virus is compatible and has signified this by setting a registry key as per this article here: https://support.microsoft.com/en-us...garding-the-windows-security-updates-released

Microsoft has identified a compatibility issue with a small number of anti-virus software products.
The compatibility issue is caused when anti-virus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update.

If you have not been offered the security update, you may be running incompatible anti-virus software and you should follow up with your software vendor.

Microsoft has been working closely with anti-virus software partners to ensure all customers receive the January Windows security updates as soon as possible

Note: Customers will not receive these security updates and will not be protected from security vulnerabilities unless their anti-virus software vendor sets the following registry key:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”

The bug affects all Intel Processors newer than the Pentium II (excluding pre-2013 Atoms and some Itanium chips). There are two main bugs - Meltdown (which affects Intel) and Spectre (harder to exploit in the real world, but affects ALL CPUs (AMD/Intel) and has no patch)

For those after a more technical explanation of the issue...

The official bug website for Meltdown/Spectre: Meltdown and Spectre

TheRegister has a good breakdown: Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign • The Register and here Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs • The Register
The Google Project Zero blog: Google Online Security Blog: Today's CPU vulnerability: what you need to know

Note the patch will have significant performance impacts on certain workloads, specifically server loads such as databases - up to 20% reduction in some scenarios.

Mozilla have posted that it seems to be possible to exploit this attack through a web browser: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
 
Update applied to all systems here. No degradation in performance noticed.

You'd be unlikely to have performance issues unless you're doing a lot of CPU intensive workloads.

Initial Benchmarks Of The Performance Impact Resulting From Linux's x86 Security Changes - Phoronix
The Register on Twitter: "PostgreSQL SELECT 1 with the KPTI workaround for Intel CPU vulnerability https://t.co/N9gSvML2Fo

Best case: 17% slowdown
Worst case: 23%"


This bug is being blown up slightly out of proportions tbh. Meltdown isn't code execution, it's information disclosure. It's unlikely there will be many real world uses of this attack.

This article is a really nice, easy to read summary of what's being going on: Virus Bulletin :: Meltdown and Spectre attacks mitigated by operating system updates
 
You'd be unlikely to have performance issues unless you're doing a lot of CPU intensive workloads.
I know.
This bug is being blown up slightly out of proportions tbh.
Slightly??? NO!

I am seeing in many IT articles and press reports all sorts of highly exaggerated, blown way out of proportion claims (or implications) those huge performance hits will likely affect most users. :(

And sadly, I am seeing on many of the forums I visit daily, regulars totally believing and often parroting those exaggerated reports - (to include AMD fans piling on to say how great AMD is).

In other words, I was just trying to counter poor and unethical reporting by some bloggers and tech sites, and to set straight forum posters who believed those reports, and to put in check those who automatically parrot those reports without doing their homework.

IMO, the best and most common case for normal users is 0% (okay, ~0%) slowdown.

***

As for that Virus bulletin pointing out Microsoft has not stated which anti-virus programs are incompatible, see this.
 
This bug is being blown up slightly out of proportions tbh.
Slightly??? NO!

I am seeing in many IT articles and press reports all sorts of highly exaggerated, blown way out of proportion claims (or implications) those huge performance hits will likely affect most users. :(

And sadly, I am seeing on many of the forums I visit daily, regulars totally believing and often parroting those exaggerated reports - (to include AMD fans piling on to say how great AMD is).

In other words, I was just trying to counter poor and unethical reporting by some bloggers and tech sites, and to set straight forum posters who believed those reports, and to put in check those who automatically parrot those reports without doing their homework.

IMO, the best and most common case for normal users is 0% (okay, ~0%) slowdown.

***

As for that Virus bulletin pointing out Microsoft has not stated which anti-virus programs are incompatible, see this.

Yeah, I agree. I'm tending to look at this from a server/enterprise standpoint since that's where my interests lie - but for the average consumer they really don't need to worry. Yes, install the patch - but that's all they need to do. This is an information disclosure vulnerability. It cannot be used to execute code or load malware.

AMD fans often haven't realised that AMD processors are just as susceptible to Spectre as Intel is. It's only Meltdown that AMD isn't affected by.

That's why the sites I'm linking to are all researchers or sources that have done a deep dive into the issue. :)
 
I even heard on Headline News this morning that all these affected processors will have to be replaced! :eek: :doh:
 
Quick, switch back to a Pentium I, they're not vulnerable to any of the attacks :p
 
From Meltdown Mitigation - Malwarebytes Endpoint Protection - Malwarebytes Forums:
For now, users with MB3 based software installed and registered with Windows Action Center will not be able to receive any MS updates automatically, starting with the Jan. 2018 update. You can either apply the update manually or set the Malwarebytes action center setting to "Never register Malwarebytes in Windows Action Center" so that the MS update can apply automatically. Only Windows 10 and Server 2016 have patches.
 
Wow! That sure is not good. Glad I had mine set to "Never register" so I can run Windows Defender at the same time.
 
Same here, although my pre-1995 Intel CPU has not been offered/received the update on Windows 10, 1709.
 
I did finally get the update yesterday evening.

BTW, Pale Moon isn't vulnerable to Meltdown/Spectre. From "Meltdown"/"Spectre" and Pale Moon/Basilisk:
Pale Moon already set the granularity for the performance timers sufficiently coarse in Oct 2016 when it became clear that this could be used to perform hardware-timing based attacks and fingerprinting.
Pale Moon also, by design, doesn't allow buffer memory to be shared between threads in JavaScript, so the "SharedArrayBuffer" attack is not possible.

Even so, we will be adding some additional defense-in-depth changes to the upcoming version 27.7 to be absolutely sure there is no further room for any of these sorts of hardware-timing based attacks in the future.
 
After the patch I noticed a heavy degree of performance decrease, I couldn't access most Windows programs normally (explorer, start menu, control panel, taskbar and everything you can access through these programs). I could only restart the system using msconfig.

I restored a backup and removed the registry key to prevent this update being installed, for now it won't be installed on my system until there are changes from Intel, Microsoft and/or Gigabyte (my mobo vendor)
 
Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems – Microsoft Secure

One of the questions for all these fixes is the impact they could have on the performance of both PCs and servers. It is important to note that many of the benchmarks published so far do not include both OS and silicon updates. We’re performing our own sets of benchmarks and will publish them when complete, but I also want to note that we are simultaneously working on further refining our work to tune performance. In general, our experience is that Variant 1 and Variant 3 mitigations have minimal performance impact, while Variant 2 remediation, including OS and microcode, has a performance impact.

Here is the summary of what we have found so far:
  • With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
  • With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
  • With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
  • Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.
For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel. We will publish data on benchmark performance in the weeks ahead.
 
Last edited:
Back
Top