
Intel bug incoming? Meltdown and Spectre exploits

You need to check that. That is how it works, but a lot of those won't let you load settings in from a different version of the BIOS, i.e. it's fine for saving/loading different settings on the same BIOS, but won't help you if you update the BIOS and expect to load the old settings into the new BIOS.

Ah, damn. That sucks. I'll see what I need to do. Failing that it might be time to take a photo of every BIOS screen and then just copy the settings by hand.
 
No comment from ASUS yet .. I usually avoid BIOS updates like the plague but it looks like I'm going to have to do it this time.
 
For people that want to catch up on this quickly, I'd recommend looking at the slides below:

https://www.renditioninfosec.com/files/Rendition_Infosec_Meltdown_and_Spectre.pdf

and the recorded webinar can be found here:


Thanks this was very detailed, however it didn't confirm whether the pending Windows patch would be enough if you haven't also updated your BIOS which I assume is to rebake in the Intel Management Engine firmware with the latest fixed version.
 
OK so apparently my motherboard has an Overclocking profile thing in the BIOS where you can save your BIOS settings to a file on a USB drive. Am I right in thinking that to update the BIOS all I need to do is save the settings to USB, update the BIOS and then load the settings back again? I really hope the update process is easy.

If your BIOS allows you to take screenshots, I would do that for each page of your BIOS settings, as not all updated BIOSes allow you to use the settings from a previous BIOS version.
 
Thanks this was very detailed, however it didn't confirm whether the pending Windows patch would be enough if you haven't also updated your BIOS which I assume is to rebake in the Intel Management Engine firmware with the latest fixed version.

The answer to that is no (and this doesn't relate to the ME vulnerabilities discovered last year), the MS patch isn't enough to fully mitigate the issues.

More information can be found here for servers - https://support.microsoft.com/en-us...-to-protect-against-the-speculative-execution

and here for the desktop OS - https://support.microsoft.com/en-us...ive-execution-side-channel-vulnerabilities-in

Warning

Customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode, or firmware, update is required. This should be available through your device manufacturer.


Note Surface customers will receive a microcode update via Windows update.

Main things to note, you need an AV that is adding the reg-key for the patch to be installed. If you're on a Windows server OS then you will also need to add reg-keys AFTER the patch install to enable the fix.

There is also a PowerShell module that you can install to verify the status of the machine.
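A read-only status check for the items in the post above, as an added example that is not part of the original post. The registry paths and value names and the SpeculationControl module are taken from Microsoft's January 2018 guidance, not from this thread; the KB numbers are the ones listed later in the thread.

```powershell
# Added example: reports status only, changes nothing. Run from an elevated prompt.
# Registry names below are from Microsoft's January 2018 guidance (not from this thread).
$compatPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # set by a compatible AV product
$mmPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$isServer = $os.ProductType -ne 1    # 1 = workstation, 2 = domain controller, 3 = server

# January 2018 KBs named in this thread; later cumulative updates supersede them,
# so an empty result on a machine patched after January is expected.
$kbs       = 'KB4056892', 'KB4056891', 'KB4056890', 'KB4056888'
$installed = @(Get-HotFix -Id $kbs -ErrorAction SilentlyContinue)

$compat   = Get-RegValue $compatPath $compatName
$override = Get-RegValue $mmPath 'FeatureSettingsOverride'
$mask     = Get-RegValue $mmPath 'FeatureSettingsOverrideMask'

[pscustomobject]@{
    OS                  = $os.Caption
    JanuaryKbInstalled  = ($installed | ForEach-Object HotFixID) -join ', '
    AvCompatKeyPresent  = ($null -ne $compat -and $compat -eq 0)
    # Server SKUs install the patch with the mitigations off until both values are set.
    ServerKeysEnableFix = if ($isServer) { ($override -eq 0) -and ($mask -eq 3) }
                          else { 'n/a (client OS)' }
} | Format-List

# Microsoft's verification module; reports OS support and whether microcode support is present.
if (Get-Module -ListAvailable -Name SpeculationControl) {
    Import-Module SpeculationControl
    Get-SpeculationControlSettings
} else {
    Write-Host 'SpeculationControl not installed: Install-Module SpeculationControl'
}
```

If `AvCompatKeyPresent` is False, Windows Update will not offer the January patch until the installed AV product sets the value.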
 
Are you running the latest version?

Here are the KBs for different versions:

1709 - https://support.microsoft.com/kb/4056892

1703 - https://support.microsoft.com/kb/4056891

1607 - https://support.microsoft.com/kb/4056890

1511 - https://support.microsoft.com/kb/4056888


Are you running any of these AV applications:


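| Vendor | Product | Sets registry key | Supported |
|---|---|---|---|
| Sophos | Anti-Virus and Central | N | N |
| Symantec | Endpoint Protection | N | N |
| Trend Micro | | N | N |
| Webroot | | N | Y |
| Cyren | F-PROT | N | ? |
| EMSI | Anti-Malware | N | N |
| Intel | McAfee | ? | ? |
| Carbon Black | | N | N |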

edit: Sorry, formatting lost in paste.

Yeah, latest Windows 10, only recently fresh installed from the Creators Update. The antivirus software I'm using is Avast.
 
Can anyone confirm that disabling the Windows Update service stops the patches?

We have a bunch of VMs, including database servers, in test environments where security is no issue but performance is.
 
Can anyone confirm that disabling the Windows Update service stops the patches?

We have a bunch of VMs, including database servers, in test environments where security is no issue but performance is.

Do not do this, if it's a Windows Server OS then the patch will apply BUT it will not be enabled. Please read the MS articles.

You have to manually enable the patch (you have to add 2 reg-keys), which will then potentially cause/give a performance impact.

EDIT: I would seriously recommend you also read this article - https://support.microsoft.com/en-us/help/4073225/guidance-for-sql-server
 
Sorry. Why are people updating BIOS now?

Because you need a BIOS update / CPU microcode patch to fix the security issues. If your motherboard maker hasn't released an update in the last 24 hours then wait until they do and update as soon as possible. These security issues can't just be fixed by an operating system patch, you need a BIOS update / CPU microcode fix.
 
VMware 5.5 or 6? I'm not seeing any patch for 5.5 as of yet.
Those and some 5.1, which doesn't look to be supported. It seems that firmware upgrades are not needed to cover off Meltdown but are for the other exploits, so it isn't quite as urgent to do those over the software updates.
 
Because you need a BIOS update / CPU microcode patch to fix the security issues. If your motherboard maker hasn't released an update in the last 24 hours then wait until they do and update as soon as possible. These security issues can't just be fixed by an operating system patch, you need a BIOS update / CPU microcode fix.
TBH I can't see the majority of PCs getting a BIOS fix unless you're on a reasonably recent chipset.
 