Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

How to protect your PC against the major ‘Meltdown’ CPU security flaw
www.theverge.com ^ | Jan 4, 2018, 8:12am EST | By Tom Warren

Posted on 01/04/2018 6:45:29 AM PST by Red Badger

Only Intel machines are affected by Meltdown

Details have emerged on two major processor security flaws this week, and the industry is scrambling to issue fixes and secure machines for customers. Dubbed “Meltdown” and “Spectre,” the flaws affect nearly every device made in the past 20 years. The Meltdown flaw only affects Intel processors, and researchers have already released proof of concept code that could lead to attacks using Meltdown.

The vulnerabilities allow an attacker to compromise the privileged memory of a processor by exploiting the way processes run in parallel. They also allow an attacker to use JavaScript code running in a browser to access memory in the attacker’s process. That memory content could contain key strokes, passwords, and other valuable information. Researchers are already showing how easy this attack works on Linux machines, but Microsoft says it has “not received any information to indicate that these vulnerabilities have been used to attack customers at this time.” "Protecting a Windows PC is complicated"

Protecting a Windows PC is complicated right now, and there’s still a lot of unknowns. Microsoft, Google, and Mozilla are all issuing patches for their browsers as a first line of defence. Firefox 57 (the latest) includes a fix, as do the latest versions of Internet Explorer and Edge for Windows 10. Google says it will roll out a fix with Chrome 64 which is due to be released on January 23rd. Apple has not commented on how it plans to fix its Safari browser or even macOS. Chrome, Edge, and Firefox users on Windows won’t really need to do much apart from accept the automatic updates to ensure they’re protected at the basic browser level.

For Windows itself, this is where things get messy. Microsoft has issued an emergency security patch through Windows Update, but if you’re running third-party anti-virus software then it’s possible you won’t see that patch yet. Security researchers are attempting to compile a list of anti-virus software that’s supported, but it’s a bit of mess to say the least.

A firmware update from Intel is also required for additional hardware protection, and those will be distributed separately by OEMs. It’s up to OEMs to release the relevant Intel firmware updates, and support information for those can be found at each OEM support website. If you built your own PC you’ll need to check with your OEM part suppliers for potential fixes.

If you own a Windows-powered PC or laptop, the best thing to do right now is ensure you have the latest Windows 10 updates and BIOS updates from Dell, HP, Lenovo, or one of the many other PC makers. We’re hoping Microsoft or Intel creates a simple tool (they have a PowerShell script right now) to check protection for both the firmware and Windows updates, but until such a tool is available you’ll need to manually check or get familiar with PowerShell. Here’s a quick step-by-step checklist to follow for now:

Update to the latest version of Chrome (on January 23rd) or Firefox 57 if you use either browser Check Windows Update and ensure KB4056892 is installed for Windows 10 Check your PC OEM website for support information and firmware updates and apply any immediately

These steps only currently provide protection against Meltdown, the more immediate threat of the CPU flaws. Spectre is still largely an unknown, and security researchers are advising that it’s more difficult to exploit than Meltdown. The New York Times reports that Spectre fixes will be a lot more complicated as they require a redesign or the processor and hardware changes, so we could be living with the threat of a Spectre attack for years to come.

Update, 9:15AM ET: Removed links to Intel’s detection tool that a now deleted Microsoft security blog may have incorrectly referenced.


TOPICS: Business/Economy; Computers/Internet; Society
KEYWORDS: 10; 7; amd; android; apple; arm; chrome; computer; cpu; firefox; flaw; google; hack; hardware; hardwarebug; intel; intelchip; intelprocessor; kernelpanic; macos; meltdown; microsoft; mozilla; pc; smartphone; software; spectre; tablet; windows; windowspinglist; windowsupdate; xp
Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-65 next last
To: Zathras

What about puppies?

Can we have puppies?......................


41 posted on 01/04/2018 2:31:05 PM PST by Red Badger (Road Rage lasts 5 minutes. Road Rash lasts 5 months!.....................)
[ Post Reply | Private Reply | To 20 | View Replies]

To: palmer

42 posted on 01/04/2018 2:32:28 PM PST by Red Badger (Road Rage lasts 5 minutes. Road Rash lasts 5 months!.....................)
[ Post Reply | Private Reply | To 39 | View Replies]

To: ShadowAce; Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; amigatec; AppyPappy; arnoldc1; ...
Meltdown ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

Thanks to ShadowAce for the ping!!

43 posted on 01/04/2018 2:43:22 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
[ Post Reply | Private Reply | To 13 | View Replies]

To: palmer; Red Badger
But you don't need AV to preclude running malicious EXEs. Nor do you need any patch as long as you practice safe computing.

Sorry to rain on your parade, but people who practice safe computing can still be compromised by malware, ransomware, etc. Ads that pop-in from even Google's ad rotations have been known to carry malicious content added after they've been vetted by Google. This is one of the known ways RansomWare has been pushed onto supposedly locked down computer networks.

Another way with Meltdown could be exploited is to hide malicious code in a steganographic image that could be called by a process loaded in another "look ahead" loaded into another. Javascript was just one modality of attack presumed as a means of using this vulnerability. The real problem associated with Meltdown and the look-ahead processing is that it can be exploited by so many other means until a way is found to vet the looking ahead processing that now is independent of any such vetting. ANYTHING can be stuck in there. If it IS useful to what is needed, it's used. If not, it's discarded. That look-ahead has access to the bus. . . and any data on it.

All a bad actor has to do is figure out how to insert his code in there—and no, it does not have to be a .exe file, just machine code—and it WILL be processed.

44 posted on 01/04/2018 2:46:38 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
[ Post Reply | Private Reply | To 39 | View Replies]

To: Swordmaker

PLUS.....if a malware, virus or bad code is ‘new’ and never seen before, the ANTI-virus programs won’t know it and won’t do anything, just like your body’s immune system..........


45 posted on 01/04/2018 2:50:17 PM PST by Red Badger (Road Rage lasts 5 minutes. Road Rash lasts 5 months!.....................)
[ Post Reply | Private Reply | To 44 | View Replies]

To: little jeremiah
Thank you very much!

My laptop says “Intel Inside” Core 17.

Hey, Jeremiah, that is an Intel Core Letter "I" 7, not ONE SEVEN . . spoken: "EYE SEVEN."

You are not alone in this. A lot of people in the Apple world erroneously talked about the Mac OS EX. . . when it was actually a Roman Numeral for TEN, Mac OS TEN, with a pun for the underlying UNIX operating system. . . now they are referring to the new iPhone EX. . . when it is actually the iPhone TEN, also a Roman Numeral with the pun being it's the tenth anniversary iPhone.

46 posted on 01/04/2018 2:54:40 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)
[ Post Reply | Private Reply | To 33 | View Replies]

To: Vinnie

“...Aw, I’m running 10.10.5 Yosemite and have been reluctant to upgrade. Heard Hi Sierra can really slow down an older machine....”

I’m running 10.13.2 High Sierra on a mid-2010 iMac w/32gb of ram, and it hasn’t slowed this old beast down a bit. Of course, I’m not compiling mountains of raw computer code...just email, web browsing and real-time streaming market data.


47 posted on 01/04/2018 3:03:50 PM PST by lgjhn23 (It's easy to be liberal when you're dumber than a box of rocks.)
[ Post Reply | Private Reply | To 19 | View Replies]

To: Swordmaker
The required instructions won't be in a JS machine, so there is no JS code to run those instructions. In the case of rowhammer it needed CLFLUSH. Then they figured out they could do it without CLFLUSH: http://www.seclab.cs.stonybrook.edu/seclab/pubs/host16.pdf

But I think the fact that the current types of attacks have been talked about: https://pdfs.semanticscholar.org/e544/00824814fed2ef52bb84151b2fc04c863e99.pdf but not exploited from vectors like Javascript should be reason enough to not be too concerned.

Another way with Meltdown could be exploited is to hide malicious code in a steganographic image that could be called by a process loaded in another "look ahead" loaded into another.

As I have been pointing out, in every comment I have made, that requires running malicious code. It doesn't matter if that malicious code triggers other malicious code stegged into an image. It requires malicious user-mode code to start with.

All a bad actor has to do is figure out how to insert his code in there—and no, it does not have to be a .exe file, just machine code;and it WILL be processed.

Sure machine code will be processed. But arbitrary machine code cannot be processed from Javascript unless there is a bug in the JS machine that allows that. There have been such bugs, but this CPU flaw does not make them more likely. Also protections built into JS machines after rowhammer (which never really worked) also preclude the use of this CPU flaw.

Bottom line: malicious code has to run. There are not so many means to do that. Javascript is not one, nor is Flash, nor Java. I would not be too concerned. But given my second PDF link above, I would not be complacent either. I would practice safe computing even more vigorously given the new situation with Intel.

48 posted on 01/04/2018 3:16:37 PM PST by palmer (...if we do not have strong families and strong values, then we will be weak and we will not survive)
[ Post Reply | Private Reply | To 44 | View Replies]

To: Red Badger
PLUS.....if a malware, virus or bad code is `new' and never seen before, the ANTI-virus programs won't know it and won't do anything, just like your body's immune system..........

That's why I don't use or recommend AV except for the built-in Windows Defender since I have no good reason to turn it off. My point is to practice safe computing to avoid running malicious code. You don't need AV to do that.

49 posted on 01/04/2018 3:18:39 PM PST by palmer (...if we do not have strong families and strong values, then we will be weak and we will not survive)
[ Post Reply | Private Reply | To 45 | View Replies]

To: AppyPappy

why not? I thought linux was more secure on internet? Do these exploits affect linux more than windows?


50 posted on 01/04/2018 5:23:03 PM PST by Bob434
[ Post Reply | Private Reply | To 2 | View Replies]

To: palmer

[[If you don’t run malicious executables then the intel flaw can’t be exploited.]]

If this is true, then linux users should be very well protected against the intel flaw because it can’t run windows based malicious executables, right?


51 posted on 01/04/2018 5:29:25 PM PST by Bob434
[ Post Reply | Private Reply | To 39 | View Replies]

To: Red Badger

That’s an old pic which just increases its worth. Funny as hell. Thx.


52 posted on 01/04/2018 5:34:55 PM PST by upchuck (President Trump is great because he actually runs something other than his mouth!)
[ Post Reply | Private Reply | To 42 | View Replies]

To: Bob434
I don't think Linux users will be any better off since they can run a malicious executable too. I didn't mean to imply only windows by insisting on EXE. That was shorthand for any executable like an ELF on Linux.

I was trying to distinguish those from javascript, java, python, flash, ruby, or other scripted or interpreted languages that cannot run arbitrary (and very rarely used) instructions. Those instructions are generally needed (but not 100% of the time) to run these types of sides channel attacks. Also the timing of the instructions can be important and the scripted languages don't give a lot of control over timing.

53 posted on 01/04/2018 6:13:14 PM PST by palmer (...if we do not have strong families and strong values, then we will be weak and we will not survive)
[ Post Reply | Private Reply | To 51 | View Replies]

To: little jeremiah

No, it will not be sufficient. Anti-virus will also not be sufficient.

But at the same time, it’s hard to say yet exactly how easy this problem is to actually exploit against you - assuming you aren’t somehow tricked into downloading malicious software.


54 posted on 01/04/2018 6:42:00 PM PST by mbj
[ Post Reply | Private Reply | To 26 | View Replies]

To: mbj

Thank you. I take care never to download any malicious software since I know my limits. Limits are basically typing and copy/pasting...


55 posted on 01/04/2018 8:26:03 PM PST by little jeremiah (Half the truth is often a great lie. B. Franklin)
[ Post Reply | Private Reply | To 54 | View Replies]

To: lgjhn23

Mine’s about a yr newer than yours. Might try it. Just wish there was a way to revert if needed.


56 posted on 01/04/2018 8:30:39 PM PST by Vinnie
[ Post Reply | Private Reply | To 47 | View Replies]

To: palmer

Thanks for clearing that up- do you think there would be many ELF executables written whereas linux isn’t as popular an os? I can patch my windows system, but not sure if linux will have a patch as well? Or is it just dependent on patchign the intel stuff and linux will then be protected somewhat too?


57 posted on 01/05/2018 12:50:04 AM PST by Bob434
[ Post Reply | Private Reply | To 53 | View Replies]

To: Bob434
Linux is not as popular a target as Windows so there will be fewer malicious ELFs available for downloading. Linux users tend to be more aware of what they are doing.

Patching is a somewhat different issue. I don't know how things will be patched but I do know that it won't require patching every EXE and ELF. That's because non-malicious EXEs and ELFs are not a problem. I think the patching will be in the kernel, but I'm not sure how you stop the potentially malicious behavior. One possibility may be to not patch anything but to add another layer of behavior-based defense. That would be a relatively simple monitoring program (probably added to the kernel) that would monitor for particular bad behavior by user mode EXEs or ELFs. The reason why behavior-based defense may be possible is that side channel attacks exhibit very distinct repetitive behavior they must repeat millions of times to execute an attack.

Then the first job of an attacking program would be to try to kill the monitor. But that's an arms race that is familiar to antivirus people. Perhaps antivirus vendors will add the capability, or perhaps the OS vendors or open source Linux kernel people will have to do it. Ultimately the chip vendors will have to fix it.

58 posted on 01/05/2018 3:25:55 AM PST by palmer (...if we do not have strong families and strong values, then we will be weak and we will not survive)
[ Post Reply | Private Reply | To 57 | View Replies]

To: Red Badger

The updates exist and are out there, but if your antivirus software vendor hasn’t updated their code if they didn’t already support not making these calls to your hardware incorrectly, then you won’t see the update appear in windows update (there has to be a specific registry key present).

Look upthread just a bit at my last post and you’ll see a link there. I believe that is a much better explanation of what is going on and how to manage/fix the issue.


59 posted on 01/05/2018 4:36:17 AM PST by jurroppi1 (The Left doesnÂ’t have ideas, it has cliches. H/T Flick Lives)
[ Post Reply | Private Reply | To 28 | View Replies]

To: Vinnie

“...Mine’s about a yr newer than yours. Might try it. Just wish there was a way to revert if needed....”

I run a backup with Carbon Copy Cloner before I do any update and save it to an external drive. IF, for any reason, I needed to revert back, I can restore to my previous backup. I’ve never actually had to do it...at least not so far, but I believe it would work if I needed to.
FWIW, my machine is a 27” iMac 2.93 Ghz I7 w/32gb of ram and an updated 2TB hard drive. I’ve had no issues with High Sierra 10.13.2 on this older machine, but like I said, I’m not compiling mountains of hard core raw computer data either...just email, web browsing and real-time streaming of stock data. However, on any given weekday while monitoring the stock markets, I’ll have as many as 7 desktops open at any one given time. I have an another external Asus 27” monitor in vertical mode tied on as well. To date, I’ve not had any stability issues with the OSX.


60 posted on 01/05/2018 5:30:23 AM PST by lgjhn23 (It's easy to be liberal when you're dumber than a box of rocks.)
[ Post Reply | Private Reply | To 56 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-65 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson