Intel bug incoming? Meltdown and Spectre exploits

We have a bunch of vms including database servers in test environments where security is no issue but performance is.

Unless the testing is purely functional, it should really be run in an environment that's representative of production - i.e. with the patch enabled. It'll be no good proving performance in test only for it to be slower when released to live.

I realise I've made a lot of assumptions above :)
 
Unless the testing is purely functional, it should really be run in an environment that's representative of production - i.e. with the patch enabled. It'll be no good proving performance in test only for it to be slower when released to live.

I realise I've made a lot of assumptions above :)

Plus if you use production data in the test environment then security is just as important as in production. I imagine in testing you'd want to try and emulate production as closely as possible to minimise any surprises that might happen when moving from testing to production.

No point running tests on a test database with 100MB of data if your production database is several GBs.
 
The answer to that is no (and this doesn't relate to the ME vulnerabilities discovered last year); the MS patch isn't enough to fully mitigate the issues.

More information can be found here for servers - https://support.microsoft.com/en-us...-to-protect-against-the-speculative-execution

and here for the desktop OS - https://support.microsoft.com/en-us...ive-execution-side-channel-vulnerabilities-in



Main things to note, you need an AV that is adding the reg-key for the patch to be installed. If you're on a Windows server OS then you will also need to add reg-keys AFTER the patch install to enable the fix.

There is also a PowerShell module that you can install to verify the status of the machine.
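As an added example (not posted by anyone in this thread), the script below does the three checks the post above describes on a Windows box: looks for the antivirus compatibility flag that gates the January 2018 update, sets the server-side registry values that switch the mitigation on after patching, and then reads the machine's state with Microsoft's SpeculationControl module. It assumes the QualityCompat flag, the FeatureSettingsOverride/FeatureSettingsOverrideMask values and the Get-SpeculationControlSettings cmdlet as documented in the Microsoft guidance linked above, and that it is run from an elevated prompt.

```powershell
# Added example, not from the thread. Assumes Microsoft's documented registry
# values and the SpeculationControl module from the PowerShell Gallery.
#Requires -RunAsAdministrator

$mm     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$compat = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'

# 1. Antivirus compatibility flag: without it Windows Update does not offer the patch.
$avFlag = Get-ItemProperty -Path $compat -Name 'cadca5fe-87d3-4b96-b7fb-a231484277cc' `
                           -ErrorAction SilentlyContinue
if ($null -eq $avFlag) {
    Write-Warning 'QualityCompat flag missing: the update will not be offered until the AV vendor sets it.'
}

# 2. On Windows Server the mitigation is off by default after patching; these two
#    DWORDs (0 and 3, per Microsoft's server guidance) enable it. ProductType 1 = workstation.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -ne 1) {
    New-ItemProperty -Path $mm -Name 'FeatureSettingsOverride'     -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $mm -Name 'FeatureSettingsOverrideMask' -PropertyType DWord -Value 3 -Force | Out-Null
    Write-Host 'Server mitigation values set; a reboot is needed before they take effect.'
}

# 3. Read the effective state with Microsoft's module (installed once from the Gallery).
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl
$s = Get-SpeculationControlSettings

# Hardware support comes from the CPU microcode (BIOS update); OS support comes from
# the patch plus, on servers, the registry values above. KVAShadowRequired is false
# on CPUs that are not vulnerable to Meltdown, so it is only flagged when required.
[pscustomobject]@{
    'Spectre v2 microcode present'   = $s.BTIHardwarePresent
    'Spectre v2 OS mitigation on'    = $s.BTIWindowsSupportEnabled
    'Meltdown mitigation required'   = $s.KVAShadowRequired
    'Meltdown (KVA shadow) on'       = $s.KVAShadowWindowsSupportEnabled
    'Action still needed'            = (-not $s.BTIHardwarePresent) -or
                                       (-not $s.BTIWindowsSupportEnabled) -or
                                       ($s.KVAShadowRequired -and -not $s.KVAShadowWindowsSupportEnabled)
}
```

If "Spectre v2 microcode present" comes back False after the OS patch is installed, the missing piece is the BIOS/microcode update from the board vendor, which is the situation several later posts in this thread describe.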

Thanks for the detailed response.

It's not looking good for folks like me on older hardware. My MSI mobo, bought in April 2012, stopped receiving BIOS updates in November of the following year, so I also don't have the Intel ME fix either.

Kaspersky is apparently good to go for the MS patch but without the firmware updates this is rather a problem.

What I've done so far is enable ad blocking as I see the browser as the biggest attack vector along with obvious precautions on other software being installed such as dev reputation and source of files.

Also, this is the link for the Chrome suggestion to isolate sites into their own processes as touched on in that video.

https://support.google.com/chrome/answer/7623121?hl=en-GB

Any idea if the fixed CPU microcode can be sourced directly from Intel without it needing to be baked into the mobo BIOS and it being applied like a driver update?
 
Because you need a BIOS update / CPU microcode patch to fix the security issues. If your motherboard maker hasn't released an update in the last 24 hours then wait until they do and update as soon as possible. These security issues can't just be fixed by an operating system patch, you need a BIOS update / CPU microcode fix.

So is this fixed at the OS level, i.e. a Windows Update? My laptop manufacturer just pointed me towards https://meltdownattack.com


There are 2 separate vulnerabilities (Meltdown and Spectre), however there are 2 different exploits discovered against Spectre so far.

Meltdown: affects Intel CPUs and one Arm core (the yet-to-ship Cortex-A75). This can be mitigated via OS updates (MS have released updates, and Linux updates are available).
Spectre variant 2: affects Intel and Arm cores. OS kernels and hypervisors (i.e. VMs) need patching. Skylake (and later) CPUs need a microcode update (so potentially a BIOS update) to help mitigate this.
Spectre variant 1: affects both Intel and AMD CPUs, and certain ARM cores. It is difficult to exploit as it relies on timing-based attacks, but some measures are being taken by software developers (e.g. browsers already have a patch to make timers less accurate).


Paraphrased somewhat from:
http://www.theregister.co.uk/2018/01/05/spectre_flaws_explained/


Edit:
Misread Skylake microcode clause
 
For most home users, why the panic? This is just a threat, not a certain attack.
How do you know there's no attack?
The point is there's no record of the attacks if/when they happen - so nobody can know.
Now everyone knows about the attacks they're very likely, so quick fixes are important.
I still think there will have been lots of attacks historically, but obvs can't prove it.
 
There are 2 separate vulnerabilities (Meltdown and Spectre), however there are 2 different exploits discovered against Spectre so far.

Meltdown: affects Intel CPUs and one Arm core (the yet-to-ship Cortex-A75). This can be mitigated via OS updates (MS have released updates, and Linux updates are available).
Spectre variant 2: affects Intel and Arm cores. Pre-Skylake CPUs need a microcode update (so potentially a BIOS update) to help mitigate this. OS kernels and hypervisors (i.e. VMs) also need patching.
Spectre variant 1: affects both Intel and AMD CPUs, and certain ARM cores. It is difficult to exploit as it relies on timing-based attacks, but some measures are being taken by software developers (e.g. browsers already have a patch to make timers less accurate).


Paraphrased somewhat from:
http://www.theregister.co.uk/2018/01/05/spectre_flaws_explained/

Thanks.
So my i5-7200U, what will that require?
 
Well, my board still gets BIOS updates (Asus X99-A); the last one was 4th December, and I've only updated the BIOS once, when I got it, with the 1004 BIOS for the Xonar compatibility. Not looking forward to having to do another.

Can see many a machine being bricked here.
 
No BIOS update for my Gigabyte Z370 yet. Glad I am not overclocking things anymore or this would no doubt be more of a pain in the bum.
 
So, how exactly is this exploited? For example; If you're running a server and not installing any new software or browsing any websites, how can an attacker possibly exploit the meltdown/spectre vulns?
 
So, how exactly is this exploited? For example; If you're running a server and not installing any new software or browsing any websites, how can an attacker possibly exploit the meltdown/spectre vulns?

On a standalone server with no virtualisation, the risk is low - you would need some other exploit or user intervention to get into a situation where this would be exploitable.

However, on VMs and similar this potentially allows data to "leak" between VMs - hence why cloud providers are understandably worried.

For home users, the risk is that information can potentially be "leaked" between sandboxed apps (e.g. browser tabs), e.g. a maliciously coded advert etc in one tab, could potentially read information from a 2nd tab.


Although exploits are difficult to produce and not necessarily in the wild - now the vulnerability is public knowledge, it's likely that more evolved exploits will come.
 
I think you're basically safe in that scenario.
On a standalone server with no virtualisation, the risk is low - you would need some other exploit or user intervention to get into a situation where this would be exploitable.

However, on VMs and similar this potentially allows data to "leak" between VMs - hence why cloud providers are understandably worried.

For home users, the risk is that information can potentially be "leaked" between sandboxed apps (e.g. browser tabs), e.g. a maliciously coded advert etc in one tab, could potentially read information from a 2nd tab.


Although exploits are difficult to produce and not necessarily in the wild - now the vulnerability is public knowledge, it's likely that more evolved exploits will come.

Yeah, my thoughts exactly, thanks for confirming. I've not had a chance to really read up for myself.
 