Meltdown and Spectre, vulnerabilities affecting all computing

caff!!! · Jan 3, 2018

Attempted to do some (very unscientific) disk tests with crystaldiskmark on my 256 GB Intel 600p NVMe drive, and see no huge performance loss on the update. At worst, <5% speed loss

Rayne said:
Oh this requires you to be on 1709?

Ehhhhhh.

~~yeah, no 1703 branch update yet so I just jumped to the new branch~~

never mind, it's out now

Popstar · Jan 3, 2018

gagewood · Jan 3, 2018

In the last year we had the Cloudflare Cloudbleed, WannaCry ransomware, Equifax data breach, CCleaner backdoor, HP keylogger, KRACK wi-fi flaw, and now Meltdown/Spectre.

Starting to think Ron Swanson had the right idea...

BLLYjoe25 · Jan 3, 2018

chromatic9 said:
Is everyone on 1709?

I ran the updates and it started the latest creators update, it's now finished and I've lost about 16gb of space on my SSD. I cannot see one feature I will use in this.

Seems as though the fix requires 1709 but I'm livid at losing 16gb for fucking nothing.

If you've just updated to the Creator's Update then Windows will have saved a back up of your old system incase you want to rollback. You can check this by going into your SSD and looking for a folder called Windows.old. to delete it run Disk Cleanup and select "Previous Windows Installation(s)"

psyer · Jan 3, 2018

Rayne said:
Oh this requires you to be on 1709?

Ehhhhhh.

This does not require 1709. You can manually download the update based on what version it is.

Here is the kb for build 1703 for this particular update.

https://support.microsoft.com/en-us/help/4056891

caff!!! · Jan 3, 2018

wonder when the long term support XP branches (POSReady, etc) are going to get a update now, heh

Cow Mengde · Jan 3, 2018

So with all of this information going on and all the confusion, can someone sum up what is going on? I have an Intel CPU and I already patched it. Obviously I'll continue to patch, but does applying this patch reduce my performance or what? Because I'm reading that the patch causes performance lost in Intel chips.

killerrin · Jan 3, 2018

Man, this is utterly fucked. Intel really screwed the pooch here

Zafir · Jan 3, 2018

chromatic9 said:
Is everyone on 1709?

I ran the updates and it started the latest creators update, it's now finished and I've lost about 16gb of space on my SSD. I cannot see one feature I will use in this.

Seems as though the fix requires 1709 but I'm livid at losing 16gb for fucking nothing.

Rayne said:
Oh this requires you to be on 1709?

Ehhhhhh.

I don't believe so. If you look at the patches for 1703 for example, there was also a patch released on the 3rd of Jan which also mentions security fixes, including the kernel.

https://support.microsoft.com/en-us/help/4056891

chromatic9 · Jan 3, 2018

dark494 said:
Try googling.
https://www.windowscentral.com/how-...er-installing-windows-10-fall-creators-update

Thanks.

I did google 1709 size while it was downloading. which was said to be about 5gb and leaves the OS 2.5 gb larger. I expected this to be another typical creators update, not a dumping of the OS.

Rayne · Jan 3, 2018

caff!!! said:
Attempted to do some (very unscientific) disk tests with crystaldiskmark on my 256 GB Intel 600p NVMe drive, and see no huge performance loss on the update. At worst, <5% speed loss

~~yeah, no 1703 branch update yet so I just jumped to the new branch~~

never mind, it's out now

Zafir said:
I don't believe so. If you look at the patches for 1703 for example, there was also a patch released on the 3rd of Jan which also mentions security fixes, including the kernel.

https://support.microsoft.com/en-us/help/4056891

psyer said:
This does not require 1709. You can manually download the update based on what version it is.

Here is the kb for build 1703 for this particular update.

https://support.microsoft.com/en-us/help/4056891

Oh sweet thanks :D

eyeball_kid · Jan 3, 2018

killerrin said:
Man, this is utterly fucked. Intel really screwed the pooch here

Not just Intel, but potentially any system the last 20 years using speculative execution techniques.

ARM has come out with a statement that their chips are affected; who knows how many Android devices will basically go unpatched forever.

Coreda · Jan 3, 2018

Popstar said:
Microsoft has fixes for other versions of Windows, not just Windows 10 1709.

From technet:

From what I read they have patches for W7/8 which users can download manually but won't be sending them out via Windows Update until the upcoming Patch Tuesday, unlike W10 which received them automatically.

Astronut325 · Jan 3, 2018

gagewood said:
In the last year we had the Cloudflare Cloudbleed, WannaCry ransomware, Equifax data breach, CCleaner backdoor, HP keylogger, KRACK wi-fi flaw, and now Meltdown/Spectre.

Starting to think Ron Swanson had the right idea...

Computer technology was a mistake. It's nothing but trash.

Dobby · Jan 4, 2018

Hard to believe this hasn't been exploited in the wild yet.

Seems like potentially the most profitable exploit ever discovered in the history of modern computing.

Grateful the security researcher who found it was on the right team.. But you have to think their resources are a fraction of Black Hat hackers.

Alvis · Jan 4, 2018

So uh Windows 10 keeps telling me there are no updates available

Popstar · Jan 4, 2018

Astronut325 · Jan 4, 2018

Dobby said:
Hard to believe this hasn't been exploited in the wild yet.

Seems like potentially the most profitable exploit ever discovered in the history of modern computing.

Grateful the security researcher who found it was on the right team.. But you have to think their resources are a fraction of Black Hat hackers.

Let's not assume it hasn't been exploited. I would not be surprised if various governments or large corporations aren't utilizing these to get information on people.

Coreda · Jan 4, 2018

Popstar said:
My post was more in response to the people who thought they needed to upgrade to 1709 to get the patch.

Although there are also links for Windows 7 and 8.1 in the technet post I quoted for people who don't want to wait.

Defo appreciated :)

FrankJaeger · Jan 4, 2018

No update for me, do not want slow down in performance.

Primus · Jan 4, 2018

Patched my i7-7700k system, seeing about a 4% drop in CPU-Z benchmarks, but otherwise no performance decreases to the naked eye. Ran some Destiny 2 and my FPS was exactly the same as pre-patch.

chromatic9 · Jan 4, 2018

The link in the OP only gives 1709 updates. Glad to hear you don't need it but it's too late for me. Had no idea 1709 was effectively a new install.

I might have to roll back as I use IE11 sometimes and the tabs no longer show the site web icons, each tab now has the plain explorer icon.

Others having the same issue
https://answers.microsoft.com/en-us...709-ie11/96269456-4a80-4c93-a580-7b8cf3297fcb

Might be easier to roll back. These creator updates are just awful.

Previous creator updates have removed reopen a closed tab and made your top sites boxes rely on cookies so when you clean them all your sites you've added disappear and MS populate with their own suggestions including the Daily Mail, facebook and other rubbish. You have to manually type your favs in each time you clear. Also they introduced news feed by default if you launch a new tab and disabling this this relies on cookies. I just like using IE11 on my gaming PC for mainstream browsing and using quick zoom view option but I might have to give up.

Rayne · Jan 4, 2018

Yeah if it had required the creator's update I'd skipped it. Not worth that hassle.

So far I'm just noticing mod organizer feels like it's dragging when it boots Skyrim. Otherwise no fps drops. But my god the drag in it booting is ridiculous. Feels like it's almost twice as long. /

Deleted member 14649 · Jan 4, 2018

FrankJaeger said:
No update for me, do not want slow down in performance.

Is there even an easy way to stop updates now? I'm in the same boat.

Mr.Mike · Jan 4, 2018

I've changed the link in OP to be one that has all the different versions of the update. Sorry for any inconvenience.

SRG01 · Jan 4, 2018

eyeball_kid said:
Not just Intel, but potentially any system the last 20 years using speculative execution techniques.

ARM has come out with a statement that their chips are affected; who knows how many Android devices will basically go unpatched forever.

Like I mentioned earlier, Meltdown is the more catastrophic one but is relatively easy to patch. Spectre relies on branch prediction so there's a lot of variables that limit its effectiveness -- processor specific is one. However, it is the more difficult one to patch, as noted by the quote from Dark494 earlier:

dark494 said:
Spectre is a can of worms. The way the netsec guys explained it to me was this:

Software patches can attempt to patch known avenues that exploit Spectre as they become known, but the underlying problem in the hardware that makes Spectre a vulnerability is an inherent flaw in the hardware and there's no fix for it without rearchitecting the hardware in the future, or just straight up turning off speculative execution which would lead to worse performance hits than the current patches going around to address Meltdown (this is the KPTI patch that impacts syscalls). They're not resorting to that or it would impact everyone and everything much more than this patch will, so over time expect incremental patches to more or less patch up holes Spectre makes when people discover them.

https://www.reddit.com/r/netsec/comments/7nya2h/meltdown_and_spectre_cpu_bugs/

eyeball_kid · Jan 4, 2018

SRG01 said:
Like I mentioned earlier, Meltdown is the more catastrophic one but is relatively easy to patch. Spectre relies on branch prediction so there's a lot of variables that limit its effectiveness -- processor specific is one. However, it is the more difficult one to patch, as noted by the quote from Dark494 earlier:

Yup.

One thing that hasn't really been mentioned–and I almost feel it needs its own thread on the Gaming side–is vulnerability of game consoles. I imagine all of the current gen and last gen consoles are vulnerable to attack. The most likely attack vector would be the included web browsers, as the Javascript exploit code I've seen is trivial.

SRG01 · Jan 4, 2018

eyeball_kid said:
Yup.

One thing that hasn't really been mentioned–and I almost feel it needs its own thread on the Gaming side–is vulnerability of game consoles. I imagine all of the current gen and last gen consoles are vulnerable to attack. The most likely attack vector would be the included web browsers, as the Javascript exploit code I've seen is trivial.

That's a good point. They're known processors -- literally identical CPUs in each console -- so they'll be highly vulnerable to Spectre.

edit: I'm editing my post earlier to include the assessment matrix now officially published by AMD: https://www.amd.com/en/corporate/speculative-execution

mugurumakensei · Jan 4, 2018

eyeball_kid said:
Yup.

One thing that hasn't really been mentioned–and I almost feel it needs its own thread on the Gaming side–is vulnerability of game consoles. I imagine all of the current gen and last gen consoles are vulnerable to attack. The most likely attack vector would be the included web browsers, as the Javascript exploit code I've seen is trivial.

And console makers are so slow to update said browser since it's not a major focus of the consoles.

Vulcano's Assistant · Jan 4, 2018

Popstar said:
Microsoft has fixes for other versions of Windows, not just Windows 10 1709.

From technet:

oh man, wish I had I known. I just spent like 45 minutes getting to 1709

SRG01 · Jan 4, 2018

And final post for the night since it's getting late: since they were one of the first to report it, The Register has a (snarky) analysis of what just transpired tonight: https://www.theregister.co.uk/2018/01/04/intels_spin_the_registers_annotations/

Some tidbits:

Meltdown – on Intel CPUs and the Arm Cortex-A75 – allows normal applications to read protected kernel memory, allowing them to steal passwords and other secrets. It is easy to exploit, but easy to patch – and workarounds to kill the vulnerability are available for Windows and Linux, and are already in macOS High Sierra, for Intel parts. There are Linux kernel patches available for the Cortex-A75.

There's also another security flaw named Spectre that affects, to varying degrees, Intel, AMD, and Arm. Depending on your CPU, Spectre allows normal apps to potentially steal information from other apps, the kernel, or the underlying hypervisor. Spectre is difficult to exploit, but also difficult to fully patch – and is going to be the real stinger from all of this.

If you hammer the disk, the network, or use software that makes lots of system calls in and out of the kernel, and you're lacking working PCID support, you will see a performance hit. And it's a good idea to warn you, right?

It's a given for this particular issue that any slowdown is dependent upon the kind of work the affected system is being asked to do. Gamers will maintain their frame rates, but that's not what this is about. It's about enterprise workloads and data centers. With reports of SQL database slowdowns of up to 20 or so per cent, it seems premature to say the impact should not be significant. If a company's AWS, Microsoft Azure, or Google Cloud bill ends up being, say, three, five or eight per cent higher as a consequence of prolonged compute times, that's significant.

They also link to Linus Torvalds' response to Intel, but I think that has already been posted here.

IrishNinja · Jan 4, 2018

Popstar said:
Microsoft has fixes for other versions of Windows, not just Windows 10 1709.

From technet:

...any word on windows 7 yet? i can't imagine it's a priority for them, but still

Vulcano's Assistant · Jan 4, 2018

IrishNinja said:
...any word on windows 7 yet? i can't imagine it's a priority for them, but still

bottom of the list

IrishNinja · Jan 4, 2018

Vulcano's Assistant said:
bottom of the list

ah, cheers!

Wolf · Jan 4, 2018

So the tldr is that Microsoft is patching one of the issues, but that patch isn't up for the newest version of Windows yet?

Is there more data on how much this truly slows things down?

Are there any plans for a class action against Intel? Are customers just expected to accept a performance hit?

Have we seen any malware using this method as an attack vector yet?

How worried should I really be about this?

mugurumakensei · Jan 4, 2018

Wolf said:
So the tldr is that Microsoft is patching one of the issues, but that patch isn't up for the newest version of Windows yet?

Is there more data on how much this truly slows things down?

Are there any plans for a class action against Intel? Are customers just expected to accept a performance hit?

Have we seen any malware using this method as an attack vector yet?

How worried should in really be about this?

1) I'm pretty sure windows 10 patch has been downloaded by some already.
2) no noticeable performance impact for the average computer workload. In this very thread, people have already tested games or 3D mark showing no hit outside of the margin of error. For heavy IO and network traffic, you're more likely to hit the 30% performance hit. Microsoft, Digital Ocean, Amazon, etc are the big losers rather than desktop pc users.
3) likely not as 2 out of the 3 attack variants occur on all processors and one variant also affects the cortex a75 arm processor.
4) no known malware uses this attack vector.
5) just make sure you update.

Edit:

Addendum: long term Spectre which impacts everyone will be a bigger issue as it does allow reading other processes memory and has no known fix at this point in time.

Wolf · Jan 4, 2018

mugurumakensei said:
1) I'm pretty sure windows 10 patch has been downloaded by some already.
2) no noticeable performance impact for the average computer workload. In this very thread, people have already tested games or 3D mark showing no hit outside of the margin of error. For heavy IO and network traffic, you're more likely to hit the 30% performance hit. Microsoft, Digital Ocean, Amazon, etc are the big losers rather than desktop pc users.
3) likely not as 2 out of the 3 attack variants occur on all processors and one variant also affects the cortex a75 arm processor.
4) no known malware uses this attack vector.
5) just make sure you update.

Edit:

Addendum: long term Spectre which impacts everyone will be a bigger issue as it does allow reading other processes memory and has no known fix at this point in time.

best post in this thread, thank you! :)

kitress · Jan 4, 2018

This does seem more serious than what was said in Intel's initial press release. What is the likelihood of Intel getting sued for this?

xenocide · Jan 4, 2018

Astronut325 said:
Let's not assume it hasn't been exploited. I would not be surprised if various governments or large corporations aren't utilizing these to get information on people.

Bingo. If you think something hasn't be exploited, it likely means it hasn't been exploited that we know of. If you have doubts, read an indepth analysis of Stuxnet, the malware designed to target the Iranian Nuclear Program, that was believed to have been developed by Israel and the US working together.

KarmaCow · Jan 4, 2018

I just realised my phone no longer gets security updates. Are there any ways to protect myself, like a noscript for Android browsers?

Skux · Jan 4, 2018

Damn son

mugurumakensei · Jan 4, 2018

KarmaCow said:
I just realised my phone no longer gets security updates. Are there any ways to protect myself, like a noscript for Android browsers?

Eh, you can turn off JavaScript in your mobile devices. That said, Spectre vulnerability allows programs to read other process memory so you'll also have to scrutinize any apps you download.

Cyanity · Jan 4, 2018

Has anyone done a before and after of The Witcher 3 for this patch? That game is supposedly very CPU intensive.

mugurumakensei · Jan 4, 2018

Cyanity said:
Has anyone done a before and after of The Witcher 3 for this patch? That game is supposedly very CPU intensive.

Again CPU intensive activities are not harmed by the patches. Things which require transfer of control from the program to the kernel like network calls and reading/writing from/to external storage are what's impacted most.

sprsk · Jan 4, 2018

Cyanity said:
Has anyone done a before and after of The Witcher 3 for this patch? That game is supposedly very CPU intensive.

I started playing yesterday for the first time, installed the patch this morning, didn't notice a difference afterwards. That said I didn't futz with the video settings at any point. It started at 60fps and remained 60fps after the patch.

KarmaCow · Jan 4, 2018

mugurumakensei said:
Eh, you can turn off JavaScript in your mobile devices. That said, Spectre vulnerability allows programs to read other process memory so you'll also have to scrutinize any apps you download.

I'm probably unreasonably wary of any apps I download but I'm looking for something that can whitelist certain sites or scripts rather than globally block all JavaScript and break most websites I visit.

Edit: meaning something that is actually designed for mobile in terms of UI hopefully.

mugurumakensei · Jan 4, 2018

sprsk said:
I started playing yesterday for the first time, installed the patch this morning, didn't notice a difference afterwards. That said I didn't futz with the video settings at any point. It started at 60fps and remained 60fps after the patch.

Eh, the thing that would be impacted would be load times. Witcher 3 is single player so there's no network traffic. The only impact it could have would be during loading as that should be the only time there's a large number of system calls which is what was slowed down by these patches.

Vipu · Jan 4, 2018

So this update have to be downloaded manually at the moment?
Is any creators updated required to download it?
No negative effect from patch so far for normal users?

Bold One · Jan 4, 2018

on a scale of 1-10

How horrified should I be?

eyeball_kid · Jan 4, 2018

KarmaCow said:
I'm probably unreasonably wary of any apps I download but I'm looking for something that can whitelist certain sites or scripts rather than globally block all JavaScript and break most websites I visit.

Edit: meaning something that is actually designed for mobile in terms of UI hopefully.

The chances are still decently high that one rogue third-party JS could get through the gauntlet and get loaded on a site you trust. Your security would be compromised at that point and you wouldn't even know it. I hate to say it, but if you know your phone will never get security updates, you should think strongly about a phone that will.

Meltdown and Spectre, vulnerabilities affecting all computing

SVG Wizard

Saw the truth behind the copied door

SVG Wizard

User requested account closure

Elizabeth, I’m coming to join you!

Elizabeth, I’m coming to join you!

Elizabeth, I’m coming to join you!

Elizabeth, I’m coming to join you!

Resettlement Advisor

Elizabeth, I’m coming to join you!