Slashdot Mirror


Microsoft Resumes Meltdown and Spectre Updates for AMD Devices (bleepingcomputer.com)

Microsoft has resumed the rollout of security updates for AMD devices. The updates patch the Meltdown and Spectre vulnerabilities. From a report: Microsoft released these patches on January 3, but the company stopped the rollout for AMD-based computers on January 9 after users reported crashes that plunged PCs into unbootable states. After working on smoothing out the problems with AMD, Microsoft announced today it would resume the rollout of five (out of nine) security updates.

49 comments

  1. but why by Anonymous Coward · · Score: 0

    amd isn't affected...

    1. Re:but why by sqorbit · · Score: 1

      AMD did make statements that it is not affected by Meltdown, which was also stated by some other sources. Spectre however was verified on AMD according to the research release.

      --
      Sent from my TARDIS
    2. Re:but why by DontBeAMoran · · Score: 3, Insightful

      So is the title flamebait, as is usual for our new Slashdot overlords?

      --
      #DeleteFacebook
    3. Re:but why by Anonymous Coward · · Score: 0

      Well, yeah? Rhetorical question or joke I assume.

    4. Re:but why by Anonymous Coward · · Score: 0

      No, it's mstrash showing yet again why (s)he has no business being an "editor" on a technical website.

    5. Re:but why by phorm · · Score: 2

      Spectre is pretty much anything with a modern chip, including Intel, AMD, and ARM. Some of the few exemptions were processors that don't do speculative/out-of-order execution. The only more recent hardware I've seen that's immune are the Raspberry Pi (in-order-execution) and some ARM hardware such as various Snapdragon or Cortex-A53/55. Some of the older Atom stuff is also safe because it doesn't do OOE, but Spectre will hit the majority of the rest.

      Meltdown was quite certainly an Intel thing according to all legit sources. It seems part of Intel's PR machine that somehow managed to group the two together even though they're quite separate vulnerabilities with quite different risk and effect factors.

    6. Re:but why by gravewax · · Score: 1

      The changes are deep in the OS kernel, hence whether AMD has the bug or not it IS AFFECTED. Regardless, while they aren't affected by Meltdown they are vulnerable to Spectre, which is also fixed in the patch.

    7. Re:but why by Anonymous Coward · · Score: 0

      Meltdown is only an issue on Intel chips and certain ARM chips.

      Spectre is more general and an issue on any chip that [a] has a cache, [b] has speculative execution, [c] does speculative memory loads based on speculative execution and [d] you have security boundaries within a memory context.

      Raspberry Pi, for example, is immune to Spectre because its processor does not do any speculative execution. It speculatively loads instructions, but the only information you can glean from that is about your own code.

      It's a non-issue if you trust all the code you run on the processor (so normal c programs are unaffected - Spectre doesn't grant them access to anything they can't already directly read).

      The major issue is untrusted code that's JIT'd (e.g., web browser JIT compiling JavaScript) where the JS code can read from the web browser's memory that it shouldn't be able to. But untrusted .Net assemblies, loading user-provided BPF bytecode etc. are all an issue. (That's particularly worrisome because such bytecode runs in kernel space.)

      I think the Microcode updates introduce new opcodes for a 'barrier' that the JIT compilers can inject. This barrier simply halts speculative execution beyond the barrier, completely defeating Spectre. (Obviously, this requires both new microcode AND new JIT compilers; and will have a performance impact as speculative execution is a good thing for performance.)
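Added example, not part of the comment above and not code from any vendor's patch: the bounds-checked load that Spectre variant 1 concerns, next to two hardened forms a compiler or JIT can emit, the speculation barrier the comment describes and a branchless index mask (a different technique, the idea behind the Linux kernel's `array_index_nospec`). The names `table`, `read_unhardened`, `read_fenced`, `read_masked` and `index_mask` are hypothetical, and the table contents are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a table that untrusted input is allowed to index. */
#define TABLE_LEN 8
static const uint8_t table[TABLE_LEN] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Barrier variant. LFENCE is the x86-64 instruction commonly used for this;
 * on other targets this sketch only stops compiler reordering (assumption:
 * a real port would use that architecture's own speculation barrier). */
static inline void speculation_barrier(void)
{
#if defined(__GNUC__) && defined(__x86_64__)
    __asm__ volatile("lfence" ::: "memory");
#elif defined(__GNUC__)
    __asm__ volatile("" ::: "memory");
#endif
}

/* All-ones when idx < len, zero otherwise, computed without a branch so
 * there is nothing to mispredict. Requires len <= SIZE_MAX / 2 and an
 * arithmetic right shift of negative values (true for GCC and Clang). */
static inline size_t index_mask(size_t idx, size_t len)
{
#if defined(__GNUC__)
    /* Hide idx from the optimizer so it cannot prove idx < len and drop the mask. */
    __asm__ volatile("" : "+r"(idx));
#endif
    return (size_t)(~(intptr_t)(idx | (len - 1 - idx)) >> (sizeof(intptr_t) * 8 - 1));
}

/* Architecturally correct, but the load may execute speculatively
 * before the bounds check has resolved. */
int read_unhardened(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return -1;
}

/* Hardened with a barrier: the load cannot start until the check retires. */
int read_fenced(size_t idx)
{
    if (idx < TABLE_LEN) {
        speculation_barrier();
        return table[idx];
    }
    return -1;
}

/* Hardened with a mask: even on a mispredicted path the index is forced to 0. */
int read_masked(size_t idx)
{
    if (idx < TABLE_LEN) {
        idx &= index_mask(idx, TABLE_LEN);
        return table[idx];
    }
    return -1;
}

int main(void)
{
    printf("in range:     %d %d %d\n", read_unhardened(3), read_fenced(3), read_masked(3));
    printf("out of range: %d %d %d\n", read_unhardened(100), read_fenced(100), read_masked(100));
    return 0;
}
```

All three functions return the same architectural results; the hardened forms differ only in what the processor is allowed to do on the mispredicted path, which is why the barrier costs performance and the mask costs a few ALU instructions.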

    8. Re:but why by Anonymous Coward · · Score: 1

      the company stopped the rollout for AMD-based computers on January 9 after users reported crashes that plunged PCs into unbootable states.

      One (of many) reasons why forced updates are a bad idea. Time to go back to Windows 7, which doesn't have forced updates, until Microsoft/AMD get their shit together and can issue patches that don't fuck up your computer.

    9. Re:but why by tsqr · · Score: 1

      So is the title flamebait, as is usual for our new Slashdot overlords?

      Not just Slashdot. From TFA, on Bleeping Computer: Microsoft has resumed the rollout of security updates for AMD devices. The updates patch the Meltdown and Spectre vulnerabilities.

      Then, later in TFA: The Meltdown flaw does not affect AMD devices, but these updates include an OS-level patch for the Spectre flaw.

      Proofreading is apparently becoming, or already has become, a lost art.

    10. Re:but why by Anonymous Coward · · Score: 0

      "Spectre is pretty much anything with a modern chip"

      Ugh. If you're going to talk rightly about Intel smearing other chip makers, don't make a halfway effort yourself. And separate ARM the company from ARM the chip versus ARM the foundry. Snapdragon is Qualcomm. Otherwise Raspberry Pi is ARM.

      And there's a whole slate of devices that were excluded (Intel's Puma Broadcom). As well as other mobiles that seem unmentioned, like Apple's A lineup and Samsung's dies.

    11. Re:but why by Anonymous Coward · · Score: 0

      Nvidia GPUs apparently use in-order execution as well.

    12. Re:but why by Opportunist · · Score: 1

      But how are they going to test their patches for their paying customers without the guinea pigs that don't have the money to sue?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    13. Re:but why by Anonymous Coward · · Score: 0

      It's more likely a pre-emptive patch for a similar or related vulnerability that isn't quite affected, but could be in coming months. It's best to hit this preemptively now, even if there is some minor performance hit. 4% isn't noticeable for most things. Major vulnerabilities that can potentially get keys to kingdoms, that is.

    14. Re:but why by Anonymous Coward · · Score: 0

      Not necessarily. So it does patch the software at the OS level, and they are applied to all computers including AMD devices. BUT it is not necessary for AMD CPUs. Just like Linux kernel patched for it even if you are using AMD cpus. What's likely is that the code that does a "hey, is this a CPU that is affected? ok, go with the slow/extra safe code paths" or something else in the update is causing problems.

    15. Re:but why by MoarSauce123 · · Score: 1

      It didn't help that the same people reported both vulnerabilities at the same time in regards to clarity. Let's call it unfortunate that both vulnerabilities are always lumped together. Meltdown is caused by a massive design flaw of Intel processors. I think Intel should replace all affected processors at no charge and cover the expenses to make hardware replacements. Instead they hand out patches that to a varying degree cripple performance. Nice going after folks already overpaid. Intel used to be only expensive, now it is expensive and crappy...just like Apple.

    16. Re:but why by Megol · · Score: 1

      Most of us define a modern chip as one with a modern processor (processors) and modern is generally one with out of order execution.

      The main advantage of OoO execution is enabling speculation where instructions that can't be guaranteed to be executed in the future _but_ are likely to be are allowed to begin execution.

      This means things that would stall (=halt execution) a processor with no speculation can be bypassed which greatly increases the performance of the design, if the instruction is later detected to be wrongly executed the processor erases anything dependent on it and restarts on the right path.

      Spectre and Meltdown both take advantage of the fact that architectural state (what the programmer should see) isn't the same as the micro-architectural state including what is stored in caches (not architectural in the majority of designs). Thus the result of speculative execution can sometimes be read in the micro-architectural state via e.g. timing of cache misses/hits.

      But note that modern processor cores that don't support OoO execution still generally have limited speculative execution and can in theory be susceptible to Spectre - I don't know of any example.

      TL;DR Spectre does indeed attack pretty much anything modern as in having used modern designs.

    17. Re:but why by Anonymous Coward · · Score: 0

      GPUs are not affected.

  2. creimer is fat and a gay by Anonymous Coward · · Score: 0

    Q: What did the toilet paper roll say to creimer last night?

    A: Is it in yet?

  3. Thank God automatic updates can be turned off by reboot246 · · Score: 2

    I have all of my computers (all with AMD and all with Windows 7) set up to tell me about updates but let me decide which ones and when to install them.

    If they had been set up to automatically update, at least one, or all of them, would have been stuck by now. I can't imagine the fear of living with Windows 10, never knowing when the next automatic update will brick your computer. Or being right in the middle of something important, like work, and having the computer decide that this would be a nice time to update. No, thank you, Microsoft.

    So far I haven't seen the new update listed. I think I'll still let other users go first before I risk it.

    1. Re:Thank God automatic updates can be turned off by KingMotley · · Score: 1

      So you are perfectly content with fearing when the next manual update will brick your computer. Perfectly reasonable.

      As for updates just happening forcefully while working, that hasn't been true for a very long time, unless you keep delaying the update for weeks AND you are working outside of your normal work hours (or you haven't set windows update to not update during those hours).

    2. Re:Thank God automatic updates can be turned off by Anonymous Coward · · Score: 1

      >So you are perfectly content with fearing when the next manual update will brick your computer. Perfectly reasonable.

      Yes. I have backups and saved all my work. With automatic updates, not so much.

    3. Re:Thank God automatic updates can be turned off by Anonymous Coward · · Score: 0

      I can't imagine the fear of living with Windows 10, never knowing when the next automatic update will brick your computer. Or being right in the middle of something important, like work, and having the computer decide that this would be a nice time to update.

      I have one workstation (i.e. it is used for work) with Windows 10 Pro which has currently an uptime of 116 days. I don't know what you are talking about.

    4. Re:Thank God automatic updates can be turned off by Duhavid · · Score: 1

      Having an update screw your machine is always concerning.

      Doing it manually means that you get to choose when.
      Normal working hours....
      While working...
      I left my machine running an application that I knew would run a long time, and whose result I really needed the next day.
      I foolishly had not yet turned off automatic updates. I am sure you see where this is going, the machine updated and rebooted and killed my app.
      For me, normal working hours is not a concept.
      If it works for you, awesome, but it does not work for me.
      I can just see telling my boss: "sorry, I can't tend to this emergency issue, my machine is updating".
      I need to be able to pick, and having to pay thru the nose for this "privilege" is galling.

      --
      emt 377 emt 4
    5. Re:Thank God automatic updates can be turned off by KingMotley · · Score: 1

      So... If you manually update then you won't get any emergency calls that you have to fix right now. That's interesting.

      Nothing wrong really with wanting to control when the updates apply, but saying it's because you are afraid that you might get a call while the update is happening isn't a valid reason.

      Also, Windows Pro has all the options to delay, postpone, not install during specific hours, and not while you are using the computer. Or are you saying that you are using Windows Home and you'd need to pay to upgrade to Pro and that is too expensive for a computer that you use for work and use 24/7?

    6. Re:Thank God automatic updates can be turned off by Anonymous Coward · · Score: 0

      You're assuming that a task can only be done with one computer. There are times when I'm perfectly ok updating a system, even if I get hit with an emergency request as in those times I have another device available to me. One may argue that all professionals should have 2 or 3 computers around them at all times, but that's probably a bit extreme (and we could say that increasing the attack surface might hurt security more than postponing updates to reasonable times).

    7. Re:Thank God automatic updates can be turned off by rtb61 · · Score: 1

      Dude entirely too complex. How to explain it to the anal idiots at M$. Manual update, I do one machine if it works, I do the next machine and if it doesn't well that fucking sucks and M$ are a pack of arsehole fuck knuckle cunts and various other bits of swearing as I try to fix the machine, yes the swearing really does happen. Automatic updates, all my machines are broken, fuck you to hell M$, no more fucking windows and hello Linux. I had M$ as a server once, it was fucking shit, I switched to a Linux server and something like six months later, when I thought I only had the Linux server in for few weeks, I realised it had been there for six months.

      Fucking hell M$ the arse holes demand the right to install any software they want to on your computer at any time and fuck you if you don't like it, nah mate, fuck them. Ain't no way I am doing windows 10 shit, unless it is the corporate licence version M$ can go right royally fuck themselves, seriously.

      --
      Chaos - everything, everywhere, everywhen
    8. Re:Thank God automatic updates can be turned off by Anonymous Coward · · Score: 0

      You're either lucky or didn't connect it to internet.

    9. Re:Thank God automatic updates can be turned off by Duhavid · · Score: 1

      Yes, I might get a call right after my update gets to the uninterruptible part, after I chose to start it.

      An aside, the mocking, irritating way of trying to make a point won't win you points. It is the opposite of persuasive.

      Back to the point.
      It is a valid reason, I got to choose the time based on my assessment of the availability of other machines, my staff members, the probability of a call, and other factors as they relate. Also, I am unlikely to decide to interrupt a long running, important running task with an after update reboot.

      My understanding is that one has to get Windows 10 Enterprise before one can choose when updates are applied. Am I misinformed?

      The only "features" I see in updating from Windows 7 Pro ( my home and work machines ) to even Windows 10 Pro are telemetry ( which I don't want ), access to their app store ( which I don't want ), Cortana ( which I don't want ) and forced updates ( which I don't want )
      If I am incorrect about Windows 10 Pro allowing deferment, there are three misfeatures in there.

      --
      emt 377 emt 4
    10. Re:Thank God automatic updates can be turned off by Duhavid · · Score: 1

      Another point I had meant to make on the manual updates.

      If you allow Microsoft to schedule it, you could have your whole department/office/ set of machines bricked in one swell foop.

      If you do them manually, you can
          A, wait a few days, see if any of the bright eye'd and bushy tailed "gonna do it, gotta have it" group have blazed that trail and reported ( or not ) problems
                  ( kinda like with this update set ). ( and yes, you need to assess the risk, if needed you can elect to update immediately )
          B, perform the update set on a subset of your machines, take a backup before you apply, otherwise mitigate your risk.

      --
      emt 377 emt 4
    11. Re:Thank God automatic updates can be turned off by Anonymous Coward · · Score: 0

      I've used most conservative settings everywhere, but no hacks like disabling/uninstalling system services.

      Of course it has Internet and it regularly tells me what shiny new updates are available. I just close the Windows Update window when it pops up.
      Never had a forced restart.

    12. Re: Thank God automatic updates can be turned off by Brockmire · · Score: 1

      Probably not God, probably just a developer added that capability.

    13. Re:Thank God automatic updates can be turned off by KingMotley · · Score: 1

      Yes. Windows 10 Pro has the following options for managing updates:
      Change active hours -> You can select 18 hours per day in which updates will not happen.
      Restart Options (different from applying the update, this affects when it will restart the machine to finish applying the update if it needs to) -> Schedule time pick any time in the next x days (set in advanced options) in which the PC will restart to apply the update if you don't manually restart before then.
      Restart Options -> Show more notifications (on/off) -> if you want to see more or less notifications about restarting.
      Advanced -> Pick how many days you can delay the update for feature updates from 0 to 365 days.
      Advanced -> Pick how many days you can delay the update if it contains security updates from 0 to 30 days.
      Advanced -> Pause all updates for up to 35 days (on/off)
      Advanced -> Auto download updates on metered connections (on/off)
      Advanced -> Delivery Optimization (many options in here)
      Advanced -> Privacy settings (Here you can turn off the telemetry stuff)

      That's pretty comprehensive.

    14. Re:Thank God automatic updates can be turned off by Duhavid · · Score: 1

      That is pretty comprehensive.

      It sounds like they are all "pre" settings, where I would have to choose beforehand to delay updates a set amount.

      I am partial to the Windows 7 method, it tells me there are updates available and downloaded.
      If the coast is clear, I start the update. If not, it reminds me, and I take care of them when convenient to me.
      It requires diligence on my part, I have to make sure to set the time aside, and not let them sit too long.

      Thank you,

      --
      emt 377 emt 4
  4. What about the children? by scdeimos · · Score: 1

    Well, not really. But what's Microsoft going to do about all of the AMD systems it already bricked with its flawed patches?

    1. Re:What about the children? by Opportunist · · Score: 2

      What should they do? These machines are already in a stable state.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:What about the children? by Anonymous Coward · · Score: 0

      Funniest post in the thread. Stable state but unusable unfortunately.

    3. Re:What about the children? by Opportunist · · Score: 1

      But fulfilling two of the three qualities of the CIA triad. If this was politics, I'd win!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Since Spectre doesn't actually needs to be patched by blind+biker · · Score: 1

    all you who have an AMD CPU can just relax.

    Let me repeat: spectre doesn't need patching - it cannot be practically used for exploits.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
  6. Re:Since Spectre doesn't actually needs to be patc by Opportunist · · Score: 1

    Would you bet your money on that claim? It would not be the first "oh that cannot possibly be exploited in a real life scenario" bug that turned into a nightmare when someone with lots of creativity and criminal energy went to work.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Re:Since Spectre doesn't actually needs to be patc by Anonymous Coward · · Score: 0

    The only case in which an intel exclusive flaw can be exploited on an AMD product is if you don't know that you have an AMD product.

  8. Re:Since Spectre doesn't actually needs to be patc by Woldscum · · Score: 5, Insightful

    The 2 Spectre variants are just theoretical. It is just Intel FUD. To distract the public from what a nightmare Meltdown truly is to Intel.

  9. Re:Since Spectre doesn't actually needs to be patc by blind+biker · · Score: 1

    I am in fact doing that. You know why? Because I can read, and I use that ability to collect information. For instance, I collected information about Spectre.

    Try it sometimes.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
  10. Re:Since Spectre doesn't actually needs to be patc by Anonymous Coward · · Score: 0

    Read the article about Spectre at https://spectreattack.com/. There is a proof of concept code in the article even in JavaScript.

  11. Re:Since Spectre doesn't actually needs to be patc by AvitarX · · Score: 2

    My understanding is that AMD is theoretically vulnerable to hard to mitigate spectre (version 2?), but the proof of concept didn't work on it and AMD says it's super improbable. Certainly that warrants mitigation though.

    Other Spectre easy to fix is easy to fix (version 1?).

    And AMD is immune to meltdown.

    Please correct me where I'm wrong, there's a lot of FUD and also a lot of super "AMD is immune" nonsense.

    As it is, there is no proof of concept for hard to fix spectre on AMD.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  12. Re:Since Spectre doesn't actually needs to be patc by bloodhawk · · Score: 1

    Many of the worst malware in the last two decades started with vulnerabilities that were announced as theoretical!

  13. Re:Since Spectre doesn't actually needs to be patc by thegarbz · · Score: 1

    There's nothing theoretical about it. All three bugs had working proof of concepts published on the day of release.

  14. Re:Since Spectre doesn't actually needs to be patc by Anonymous Coward · · Score: 0

    How functional are these proof of concepts? I remember someone pointing me at a section in the Meltdown paper to show how AMD was also vulnerable. The section only had a test for out of order execution, with the researchers guessing that their actual exploit code just wasn't optimized enough. We now know that Meltdown never worked on AMD CPUs.

  15. Re: Since Spectre doesn't actually needs to be pat by Brockmire · · Score: 1

    That makes no sense. Your computer privileges have been revoked for being an idiot.