'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign

Its official:

https://www.bleepingcomputer.com/ne...curity-updates-unless-avs-set-a-registry-key/

The question is what does "updating their product" mean? Might be what has been previously inferred to by registering in Win Security Center. Or far more reaching, they no longer bypass KPP? Oh, my ................

 

This.

 

I think I know what this means. Eset for example, not only updated the noted registry key but also select AV modules. So it appears to me that there is indeed a Microsoft certification requirement involved and an AV vendor registry key update alone is not sufficient.

Bye-bye to the non-major AV vendors. I also suspect that Microsoft will next be going after non-AV security vendors if already not underway. Bye-bye to all those security products Wilders folks seem to enjoy so much?

 

All I know is I am glad I migrated my users at my job to ESET last fall. That is all.

 

Yes, I agree. If they start to mess with kernel each patch Tuesday, small vendors could have problems making their software compatible.

 

The update worked fine for me with zemana antilogger. If you have no AV you might consider enabling windows defender just to get the update offered. Or you can just add the registry key manually,

Because zemana is a complimentary anti malware program, they cannot set the registry key because they don’t know what AV you are running it with (if any).

 

@noway - I've always done this using a persistent Live Linux (mainly Puppy) from a regular USB stick. ONLY used for that purpose, and never for any general browsing.

One little trick you can use with the persistence is to take the stick out once the system is loaded into RAM. You can transact with the bank, then when it comes down to leave, you just shutdown and forget the write errors. This way, there is no way your passwords etc can be saved to disk.

On the other hand, if you want to update the system, you can do so without browsing or entering any sensitive data, and persist as normal.

It's kind-of similar to revert-to-snapshot and take-a-snapshot with a virtual machine.

 

https://labsblog.f-secure.com/2018/01/09/some-notes-on-meltdown-and-spectre/

 

Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems

 

Not sure if this has been posted yet, but here is a clear BIOS release schedule for Dell systems:
Link: http://www.dell.com/support/article...e-2017-5754---impact-on-dell-products?lang=en

Looks like the BIOS/microcode for my system is released tomorrow. Hopefully all OEMs are pushing this out efficiently.

 

In this MS link below, there is a list of all the OEMs with a link to each of their websites you need to visit for a BIOS/MC fix.
I checked out the Lenovo site and there is an extensive list of all their products with a date for the fix and a link to get it if it is already available...

https://support.microsoft.com/en-us...your-windows-devices-against-spectre-meltdown

 

@emmjay Excellent, thank you. That is a fantastic resource site for sure and I was not yet aware if it.
It has been such a fast paced past week in the security world.

 

A new microcode.dat file to address these issues for intel CPUs is now available on the intel download site.

https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?v=t

This can be used with the VMware CPU Microcode Driver to patch your CPU microcode.

You need the file called microcode-20180108.tgz"

You can unpack this using 7-Zip for example. Then follow the instructions on the VMware site.

https://labs.vmware.com/flings/vmware-cpu-microcode-update-driver

After applying this I get these results:

There's more stuff in green now but still some red.

 

Hi
This warning scares:

Have you updated only one pc with Windows 10 x64?
TH.

 

I have only done one, Windows 10 Home x64 with a Haswell chip. I have another laptop with a later chip and will do that tomorrow.

I have to read the other posts and find out how to enable some of the OS protections. The Microsoft site was less than helpful. This will have to wait though as I am getting tired tonight.

 

Appears to me that OS mitigation for branch target injection is not enabled for some reason. With OS and hardware support for same showing "true," it should also be showing "true." Appears to me all the microcode update did was mitigate the Meltdown vulnerability.

 

The Microsoft link referted to above in "Suggested actions" in the PS tool output gives reg keys to enable it. But the wording isn't very clear and I haven't tried that yet.

 

Supposedly those are only required for Win Server OSes, but I have not 100% bought into that.

 

It is not clear. There is a lot of confusion about this for sure.

 

I will state in regards to AMD processors, the MS related updates are indeed a mystery. I was just reading on the AMD forum that someone with a Phonem 4 core processor got a blue screen on boot after installing the updates. I am running a Phonem 6 core processor with zip issues after the update. In fact my performance in regards to apps starting and running is better than that prior to the update. All this leads me to believe that other factors are involved than the MS updates in themselves.

-EDIT- User with 4 core processor was high-end performance one. Mine is the exact opposite; low-end performance one. Wonder if the OS update timing changes made have a larger impact on high-end CPUs both in performance and stability in a given class vs. low-end CPUs?

 

Please excuse my ignorance, but will any of these help my HP machine with this Meltdown and / or Spectre issue?

 

These are regular hardware drivers, and the likelihood for Intel to implement a cure for Meltdown/Spectre into these drivers is close to zero.

 

SpecuCheck 1.0.5
Link: https://github.com/ionescu007/SpecuCheck/releases/tag/1.0.5

 

Oh. Thanks.

I'm surprised HP have been pushing so many updates in the last week or two considering the machine ran out of warranty on the 27th of December.

 

See my post #322 edit.