Microsoft Issues Rare Out-of-Band Emergency Windows Update For Processor Security Bugs (theverge.com)
An anonymous reader shares a report: Microsoft is issuing a rare out-of-band security update to supported versions of Windows today (Wednesday). The software update is part of a number of fixes that will protect against a newly-discovered processor bug in Intel, AMD, and ARM chipsets. Sources familiar with Microsoft's plans tell The Verge that the company will issue a Windows update that will be automatically applied to Windows 10 machines at 5PM ET / 2PM PT today. The update will also be available for older and supported versions of Windows today, but systems running operating systems like Windows 7 or Windows 8 won't automatically be updated through Windows Update until next Tuesday. Windows 10 will be automatically updated today.
Is everybody ready for the slowdown? Thanks, Intel!
Due to the performance impact of this workaround it should have an option to disable it like Linux is providing. An alternate, more refined approach would be to selectively enable the kernel page-table isolation on a per-process basis, based on either user configuration or an automatic trust determination such as whether the app is signed by a trusted certificate source (ie, downloaded, unsigned apps would run with page isolation enabled).
to Meltdown. . . which is the only thing PTI will help with. Seems like an unnecessary performance penalty to push on AMD users. Most likely done for simplicity/consistency on Microsoft's side for kernel code management.
"Lifetime" licensing.
So is The US Navy going to get a fix while the rest of us get the finger again? You better believe it!
Apple already deployed a fix in Mac OS X 10.12.3
What about Spectre?
Don't look here then https://twitter.com/aionescu/status/948609809540046849
PTI doesn't fix Spectre
There are two kinds of vulnerabilities: One which allows reads across privilege boundaries. Page table isolation prevents reads of kernel memory from user mode and is needed to mitigate this vulnerability, which has only been shown on Intel processors. The other vulnerability does not cross privilege boundaries and is thus not mitigated by PTI. The performance penalty resulting from PTI is unnecessary on AMD processors.
The date of TFA was January 3rd. The verbiage in the article saying "today" was referring to January 3rd. The patches for Windows 10 rolled out already. I installed mine last night.
Oh, sure. Leave all of us PowerPC Mac users in the dust...
#DeleteFacebook
Isn't that James Bond's problem?
#DeleteFacebook
Read more than the headlines.
There are two bugs. Some articles have reported that one of the bugs is Intel-specific, and one of them is not (Intel, AMD, and ARM). Whether the necessary patches will carry the same performance hit for each is not yet clear from what I've been reading, but it looks like the latter one might be less serious.
I was planning on playing games at exactly 17:00 EST today! My gaming session is totally ruuinned! /Stewie
#DeleteFacebook
That's what comes from just barely reading the headlines. There are 2 classes of bugs (Spectre, Meltdown) and 3 exploits (Spectre-1, Spectre-2, and Meltdown-1). AMD and ARM are resistant only to Meltdown. They are susceptible to Spectre.
Meltdown goes back to Core2, Spectre goes back down to Pentium Pro. Many other processors are likely vulnerable to Spectre, any CPU that does speculative execution may be vulnerable. Mainframes have been doing this since the 60's IIRC.
You've been mired there for quite awhile.
10.13.2.
10.12.3 is still quite vulnerable, as is every Mac unable to run Sierra (any hardware prior to 2009).
While Microsoft can manage to patch an OS circa 2009, Apple couldn't be bothered to patch anything older than Sept 2017.
Anybody reading a bit beyond the bare headlines will know that everybody except AMD claims that AMD CPUs are affected by this bug.
This includes the security researchers who actually found the bug.
OMG this affects PowerPC too! It's bigger than I thought!
Just junk food for thought...
But people reading deeper will discover that there is a lot that is still confusing or unknown.
Anyone care to comment on the performance hit after the patch? Is it obvious, measurable?
https://support.microsoft.com/...
https://support.microsoft.com/...
https://support.microsoft.com/...
https://portal.msrc.microsoft....
https://docs.microsoft.com/en-...
https://www.powershellgallery....
Firmware Updates required for...what devices?? P.O.S. article.
Maybe someone can mock them on Twitter until they finally decide to fix the bug.
I mean, hey, it worked for the "root with no password" bug.
All Windows updates have failed on my machine since 2015 or so, and I have tried every assistant, hot fix and third party assistant on earth trying to fix this issue.
Yes 10.13.2, I stand corrected.
I have run Windows Update several times today, but five minutes ago it was still telling me that there are no updates for my computer. (Windows 7 SP1, i7-940).
And I am running MSE, not any "third party" anti-virus.
This is normal behaviour. For many years Windows updates have not appeared here in the UK until at least 24 hours after the USA.
I am sure that there are many other solipsists out there.
Seriously, this is an escalation flaw on Windows and it's a "priority patch"?!!!
I don't really care how many processors the "same bug" might affect, how can any version of Windows come close to saying that the most humble executable can't own the whole system if written correctly?
Linux can't say this, Apple can't say this, OpenBSD won't even try to say this and yet suddenly plugging one such hole in Windows requires an out of band patch that also trashes performance? What, did someone's digital restrictions management break?
Java got ousted from the browser when people suddenly started looking at their sandbox again after 10 years of applets. If Microsoft "userland" was so safe, then we wouldn't even need the Java sandbox, we'd just run browser plugins in a separate process.
So, I don't trust Microsoft upgrades for shit - they tend to add telemetry, and they tend to break older OS versions to force upgrades. That said - just how bad are these exploits this time around? Will my firewall protect me if I don't browse porn sites or is opening any page in a browser guaranteed to result in infection?
Is it a coincidence that this flaw in CPUs since '96 has only been recently discovered and the article from a few days ago that top tech snoops are leaving the NSA?
But is it applied? Meaning, the code fix is in the kernel, but will it only enable it if the CPUID reports back as an Intel, and disabling if AMD?
Life is not for the lazy.
lol
There is no fix for either of the bugs. Page Table Isolation (PTI) mitigates the bug that allows kernel memory to be read from user mode, which has only been shown on Intel CPUs. That's the one with the reported slowdowns up to 30% depending on the type of workload (basically how much it uses syscalls).
The other bug is present in all modern CPUs and the only way around it is to prevent certain code patterns from being run. This will require modifications to JIT compilers, mostly, because that's how untrusted code is run these days. The guarantees that interpreted languages provide were meant to be maintained through careful translation into machine code, but JIT compiler authors trusted the CPUs too much. Speculative execution happens even when the code is guarded by explicit bounds-checking that fails, because the CPU doesn't wait for the check to complete. The result of the speculatively executed instructions is then thrown out, as it should, but the execution has already left a trace by loading data into the CPU cache. The JIT authors will have to generate code more carefully with these vulnerabilities in mind. This is probably not going to result in significant slowdowns, as it can be done at "compile time".
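The bounds-check point in the comment above, as an added example that is not part of the original thread: one way generated code can be hardened is branchless index masking, the approach behind the Linux kernel's `array_index_nospec()`. The function names and the sample table here are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* All-ones when index < size, zero otherwise, computed without a branch
 * so there is nothing for the branch predictor to guess wrong.
 * Valid for size <= INT64_MAX. */
static uint64_t index_mask_nospec(uint64_t index, uint64_t size)
{
    /* Top bit of (index | (size - 1 - index)) is set iff index >= size. */
    uint64_t oob = (index | (size - 1u - index)) >> 63; /* 1 = out of bounds */
    return oob - 1u;                                    /* 0 -> ~0, 1 -> 0   */
}

/* In-bounds indexes pass through unchanged; anything else becomes 0. */
static uint64_t clamp_index_nospec(uint64_t index, uint64_t size)
{
    return index & index_mask_nospec(index, size);
}

/* Guarded load in the shape hardened JIT output takes. */
static int load_checked(const uint8_t *array, uint64_t size, uint64_t index)
{
    if (index >= size)
        return -1;
    /* Architecturally a no-op on this path. If the CPU speculates past the
     * check with a bad index, the load below still depends on the mask and
     * can only touch array[0], never memory outside the array. */
    index = clamp_index_nospec(index, size);
    return array[index];
}

/* Constructed sample data. */
static const uint8_t sample_table[4] = { 10, 20, 30, 40 };

int main(void)
{
    /* A JIT emits the mask sequence directly; an optimizing C compiler may
     * simplify it, which is why kernels add a compiler barrier. */
    printf("in bounds:     %d\n", load_checked(sample_table, 4, 2));
    printf("out of bounds: %d\n", load_checked(sample_table, 4, 4));
    printf("clamped index: %llu\n",
           (unsigned long long)clamp_index_nospec(1000, 4));
    return 0;
}
```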
curious what the damage is.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
There seem to be Intel sockpuppets flooding technical forums, making the false equivalence between Meltdown (affects only Intel) and Spectre (affects all CPUs), whereas Meltdown is clearly exploitable and in fact the exploit was demonstrated in a fucking browser running a Javascript. There is no known way to exploit Spectre. Spectre does not cross userspace-kernelspace.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
Read more than the headlines.
There are two bugs. Some articles have reported that one of the bugs is Intel-specific, and one of them is not (Intel, AMD, and ARM). Whether the necessary patches will carry the same performance hit for each is not yet clear from what I've been reading, but it looks like the latter one might be less serious.
Spectre cannot be patched, but it cannot be exploited, either (as far as we know).
Meltdown, meanwhile, is seriously dangerous because it is very easy to use, even with just a malicious webpage!
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
I'll not hold my breath waiting for Apple. They're getting worse and worse lately.
Don't let the fact that they've already addressed the issue interfere with your anti Apple bias.
I was waiting for this.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
I'd mod you up if I had mod points. I've noticed plenty of unusually worded Intel-AMD equivocation comments across a variety of tech forums since this broke and it doesn't smell right for "Intel fanboys," it just smells like shilling.
Seems like an unnecessary performance penalty to push on AMD users. Most likely done for simplicity/consistency on Microsoft's side for kernel code management.
Doesn't seem to have any impact at all on my AMD machine, though I'm seeing around a 5-13% drop in performance with my Intel machine. Both are running the current version of Win10, I'm sure there's going to be a lot of screeching on gaming forums later today when people suddenly start having serious performance issues, especially since Intel holds around 80-90% of the gaming marketshare according to steam. My development machine that's in slow ring right now hasn't seen a patch pushed out yet, probably won't for a few days as a guess. Though there's a lot of talk on the MS boards about it and "when" they're going to push one out.
Om, nomnomnom...
Yeah and ignore that impact bit. Since it appears that it was a force nvidia driver update, that decided to install itself despite telling it never to update the driver. What a fucking shitshow on that one.
Om, nomnomnom...
You should be more careful with "cannot be exploited" comments. All three bugs have been exploited on actual hardware. You might think that a process reading some of its own memory through a convoluted exploit of a CPU behavior isn't a problem. But we run untrusted code all the time. We allow it, because we assume that it cannot read all in-process memory. That's what Javascript in a web browser is. Your browser holds secrets in memory that must be kept hidden from scripts. If a script is translated into machine code that can exploit this vulnerability, then any script on a web page can access all unprivileged process memory. In the words of our great leader: Sad!
Apparently you didn't get the Ryzen memo.
Also, it's not a Windows flaw. It's a flaw with the CPUs.
Apparently, the slow down is substantial for 5th gen Intel CPUs and older. 6th - 8th gen CPUs performance hit should be negligible. That said, Microsoft is saying that BIOS/Firmware updates should be applied from your vendor so as to obtain new microcode. Exactly how all this ties together is known to me at this point, but I'm guessing the microcode update is for further optimization of the 6th-8th gen units post security patch installation.
Life is not for the lazy.
Since the most likely result of the vulnerability to desktop users is being able to defeat kernel-enforced DRM and Windows licensing, it's no surprise Microsoft would push this out as a mandatory update of the highest priority.
Why AMD, and will this mess up Xbox as well?
Does anyone have the KB number or number(s) for this patch?
Spectre can be exploited. It's the same path as the JavaScript implementation of meltdown targeting the browser process memory rather than kernel memory.
Seriously, this is an escalation flaw on Windows...
How does it feel to be one of those people who comments on a topic they don't understand? I mean, your post demonstrates that you didn't even have a basic understanding of the headline, much less the summary or the actual article, so you just sound so profoundly ignorant right now. I want to know... what's that like?
Correct.
But as GP noted, this is likely for ease of code mgt on MS's part.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
I agree with you about Intel shills, but Spectre can be used to attack any address space you have a code image of.
The most severe form (indirect branch pollution) can be prevented with special code sequences ("retpolines") for indirect branches, which are being added to GCC and the Linux kernel right now. But without such mitigation, the kernel is attackable.
I don't think you get it.
Every OS has holes in this area, many of them known and unpatched for years. Why is this layer that won't be secure after the patch anyway suddenly important?
I don't know why I'm bothering to respond to anonymous cowards but...
This is a patch for a privilege escalation attack on Microsoft Windows.
From the article:
There appears to be a flaw in modern processors that let attackers bypass kernel access protections so that regular apps can read the contents of kernel memory.
So, yes it's a processor flaw, but the only problem is that some application processes may get to read some kernel memory that they aren't supposed to read. That's the very definition of privilege escalation, and not even total privilege escalation, just being able to take one more privilege than normal temporarily.
This is a Microsoft Windows patch. Who in their right mind thinks that breaking the user / kernel boundary will be impossible after this patch? Why would it be important to rush to plug a tiny hole in a dam that's been dry and broken for years?
If this were, say, Android OS I could see why cross-process exploits would be important because that is an important strong and relied on feature on Android but this is Microsoft Windows. When have they EVER had a strong track record with privilege escalation attacks? Ok, maybe they've been better with the user / kernel boundary than they have been in other areas but that doesn't mean the track record in that area is actually good.
DRM seems clearly the most likely application of this flaw especially since it doesn't need a perfect boundary to get some use from it. You could argue this also might affect the security of using your banking website but if you've got one bad executable, a key logger is pretty trivial with or without this flaw.
Maybe you think I'm wrong about applications of this exploit, but if you can't understand why this might be related to privilege escalation, maybe you should re-read the article.
So Microsoft has out-of-band access to the CPUs of Windows users' computers so that they can make updates to it? What in the world? Glad I don't use that operating system.
I believe that's true of the Linux patch. Do you have any reason to believe it's true of the MSWind patch?
I think we've pushed this "anyone can grow up to be president" thing too far.
To my knowledge, the HAL is universal between AMD and Intel. But, depending on the CPU, features are available or not based on capability.
I still have some 680x0 Macs.
We would really like not to be forcibly spied on and have our data stolen. Please.