I'm increasingly skeptical of security holes that come with their own logos and PR campaigns. Yesterday's sudden snowballing of disclosures about two kinds of vulnerabilities, now known as Meltdown and Spectre, has led to an enormous number of reports of varying quality, and widespread panic in the streets. In the case of Intel's stock price, that's more like blood in the streets.
While it's true that both vulnerabilities affect every single computer produced in the past 19 years, it's also true that the threat - for plain-vanilla Windows users - isn't imminent. Be aware of the situation, but avoid the stampede. The sky isn't falling.
How the Meltdown and Spectre flaws were found
Here's how it all unwound. In June 2017, a security researcher named Jann Horn, working with Google's Project Zero team, discovered a way for a sneaky program to steal information from regions of a computer that are supposed to be off limits. Horn and Project Zero notified the vendors - Google, of course, as well as Intel, Microsoft, Apple, AMD, Mozilla, the Linux folks, Amazon and others - and a quiet effort began to plug the security holes without alerting "the bad guys."
Although the Linux community leaked details in the KAISER series of patches posted in October, few realized the enormity of the problem. In general, people in the know agreed to keep it all quiet until Jan. 9 - this month's Patch Tuesday.
On Monday, Jan. 1, the beans started spilling. An anonymous poster calling him/herself Python Sweetness put it out in the open:
There is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads.
John Leyden and Chris Williams at The Register turned the leak into a gush on Tuesday, with details of the effort to plug the Meltdown security hole:
A fundamental design flaw in Intel's processor chips has forced a large redesign of the Linux and Windows kernels to defang the chip-level security bug.
Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the desired changes for the Windows operating system on an upcoming Patch Tuesday: These changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.
By Wednesday, the Patch Tuesday gag was thrown to the wind, accompanied by a definitive statement by Google's Project Zero, festooned with official logos ("free to use, rights waived, via CC0"), and a metric ton of ink followed. There are thousands of explainer articles circulating right now.
If you need an overview, look at Catalin Cimpanu's essay in BleepingComputer or the New York Times piece from Cade Metz and Nicole Perlroth. The Times says:
The Meltdown flaw is specific to Intel, but Spectre is mostly a flaw in design that has been used by many processor manufacturers for several years. It affects microprocessors that you can buy, including chips made by AMD that share Intel's design and the many chips based on designs from ARM in the United Kingdom.
Those of you hating on Intel should remember there's plenty of blame to go around. That said, I still cast a jaundiced eye at CEO Brian Krzanich selling $24 million in INTC stock on Nov. 29.
Microsoft releases Windows patches
Last night, Microsoft released Windows patches - Security-only Updates, Cumulative Updates, and Delta Updates - for a wide array of Windows versions, from Win7 onward. See the Update Catalog for details. (Thx, @Crysta.) Be aware that the patches are listed with a "Last Updated" date of Jan. 4, not Jan. 3, the nominal release date. The Win7 and 8.1 patches are Security Only (the kind you have to install manually). I've been assured that Win7 and 8.1 Monthly Rollups will come out on Patch Tuesday.
The Win10 patch for Fall Creators Update, version 1709, contains other security fixes besides those related to Meltdown. The other Win10 patches are considered Meltdown-only. Those of you running the beta version of Win10 1803, in the Insider Program, have already received the patches.
BUT - you won't have any patches installed unless and until your antivirus software sets a specific registry key. (It's now entirely possible that the value of the key doesn't matter; simply the presence of the registry entry switches on Meltdown protection. Thx, @abbodi86, @MrBrian.) If you're running third-party antivirus, it needs to be updated before the Meltdown patch installer will run. It seems there are known problems with bluescreens for some antivirus products.
Also, there are cumulative updates for Internet Explorer 11 in versions of Win7 and 8.1 listed in the Update Catalog. The fixes for Win10, and for Edge, are in the respective Win10 cumulative updates. Microsoft also released fixes for SQL Server 2016 and 2017.
Note that the Windows Server patches are not enabled automatically. Those of you who would like to turn on Meltdown protection will have to change the registry. (Thx, @GossiTheDog.)
Windows 7 and Server 2003 don't yet have patches. It's not clear whether Microsoft will release those eventually.
Kevin Beaumont, @GossiTheDog, is maintaining a list of antivirus products and their Meltdown-related problems. In an online doc, naturally.
Meltdown and Spectre facts
With all the news swirling, you may feel inclined to get patched up right now. I say wait. There are a few facts that stand in the way of a good scare story:
There are no active exploits for either Meltdown or Spectre, though there are some demos running in labs.
Updating Windows (or any operating system, including macOS and ChromeOS) isn't sufficient. You have to install firmware updates, too, and none of the major PC manufacturers have firmware updates. Not even Microsoft.
It's unclear at the moment which antivirus products set the magic registry key, although Windows Defender is apparently one of the compliant products.
If the whole planet were ending, Microsoft would've released Monthly Rollups for Win7 and 8.1, yes?
In addition, we have no clue how these rushed-to-market patches will clobber the billion or so extant Windows machines. I'm already seeing a report of conflicts with Sandboxie on AskWoody, and Yammer going offline isn't reassuring.
It's possible Microsoft's kernel team has pulled off another change-the-blades-while-the-blender-is-running feat. But it's also quite probable that we'll hear loud screams of pain from many corners today or tomorrow. The anticipated performance penalty may or may not pan out.
There's an enormous number of official Microsoft documents:
Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities (including the warning about firmware updates)
Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities (along with a PowerShell script to find out if your machine is safe)
Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer
Important information regarding the Windows security updates released on January 3, 2018 and antivirus software
Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities
SQL Server Guidance to protect against speculative execution side-channel vulnerabilities
By now, every hardware or software manufacturer you can name has some warnings/explanations posted. I found AMD's response (basically, Meltdown poses "near zero risk" on AMD chips) particularly enlightening. Reddit has a megathread devoted specifically to the topic.