ATTN!...Intel CPU owners (Spectre,Meltdown,Foreshadow, flaws)

[michael louwe]

http://news.softpedia.com/news/intel-s- ... 0489.shtml
(Intel's Microcode Update for Spectre Makes a Comeback in Ubuntu's Repositories
Available on Ubuntu 17.10, 16.04 LTS, and 14.04 LTS
Apr 1, 2018 04:59 GMT )

[Terryphi]

Old news. See this thread for user experience : viewtopic.php?f=90&t=266766

[DAMIEN1307]

intel has announced today that it will make no further attempt to patch spectre variant 2 in the following chipsets mentioned in these 2 articles...DAMIEN

http://www.zdnet.com/article/intel-we-n ... ese-chips/

https://www.theregister.co.uk/2018/04/0 ... _be_fixed/

[xenopeek]

Good info DAMIEN1307.

The direct link from the articles to the updated list from Intel (PDF): https://newsroom.intel.com/wp-content/u ... idance.pdf
Those marked in red won't get patches.

[G-Mo]

Anyone using Mint 18.3 spot the newer micro-code roll into the Update Manager? Seems the earlier version came up in the U-manager over a month ago but I never installed it as not for my I5 model.

Is everyone doing a manual install or waiting for the manager to populate it? The manual method mentions overwriting an existing directory containing the files, not a clean install. I don't have the first directory created to copy over.

[smurphos]

Anyone using Mint 18.3 spot the newer micro-code roll into the Update Manager?

Yep - viewtopic.php?f=90&t=266766&hilit=microcode & viewtopic.php?f=90&t=266811&hilit=microcode

[thx-1138]

...just stumbled upon this, for those that can grasp the more technical know-how.

...as for mere mortals likes the rest of us, slide 60 mentions setting IUCODE_TOOL_INITRAMFS=no in /etc/default/intel-microcode,
as another way of disabling it from loading: ie. an alternative method than setting dis_ucode_ldr in Grub,
which is more widely known & mentioned in kernel-parameters.txt...might come handy as a future reference.

[JohnFrumm]

Good info DAMIEN1307.

The direct link from the articles to the updated list from Intel (PDF): https://newsroom.intel.com/wp-content/u ... idance.pdf
Those marked in red won't get patches.

I hate to help resurrect this thread (the subject is long in the tooth and I stopped following it months ago), but an older computer I occasionally use has a red-flagged cpu on that list.

So my question is, does MInt expose the cpu model to the world? Can that value be obtained remotely in a browser (via firefox media queries, for example)?

[DAMIEN1307]

hi JohnFrumm...yep, i was of the "long in the tooth" opinion as well and i did ask mods if i should mark this as solved...their opinions were to not do so as the total resolution of spectre and meldown is still far from total resolution as of this time with new outcroppings still showing up...i can tell you that it is not LM exposing the "red flagged" CPUs that wont be receiving any more updates for this flaw but rather, it is Intel telling the world that Intel is not going to support them any longer...DAMIEN

[JohnFrumm]

i can tell you that it is not LM exposing the "red flagged" CPUs that wont be receiving any more updates for this flaw but rather, it is Intel telling the world that Intel is not going to support them any longer...DAMIEN

Hi Damien,
actually I meant dynamically exposing the cpu model in the browser, as with browser responsive design, viz. fingerprinting. I am new to responsive design and don't know all of the parameters that are/can be exposed. The OS, screen size, window size, cpu cores available, browser version, I know can be obtained by servers (and gobbled up by trackers - like google). What about the cpu model?

https://panopticlick.eff.org/

[DAMIEN1307]

hi JohnFrumm...i use this site to see what my browser is spewing out with and without my VPN running...cannot see any CPU info mentioned...maybe someone else here might know something more of this than i do...DAMIEN

http://www.whatsmyip.org/more-info-about-you/

[rene]

The OS, screen size, window size, cpu cores available, browser version, I know can be obtained by servers (and gobbled up by trackers - like google). What about the cpu model?

As a matter of design, no: JavaScript and certainly browsers' implementation thereof is severely limited as to what it can in fact do/see, and directly probing CPU information nor for example reading a client's /proc/cpuinfo are among it (HTML5 provides for a general File I/O API but with it the user would need to explicitly pick /proc/cpuinfo to share/upload). There is of course always the possibility of the JavaScript "sandbox" being compromised through a security bug but by design: no.

A useful site as to an overview of what information can be obtained from JavaScript: http://clientjs.org/ (although one should note that for many of those the user can elect to lie by f.e. providing a custom user agent string).

[JohnFrumm]

The OS, screen size, window size, cpu cores available, browser version, I know can be obtained by servers (and gobbled up by trackers - like google). What about the cpu model?

As a matter of design, no: JavaScript and certainly browsers' implementation thereof is severely limited as to what it can in fact do/see, and directly probing CPU information nor for example reading a client's /proc/cpuinfo are among it (HTML5 provides for a general File I/O API but with it the user would need to explicitly pick /proc/cpuinfo to share/upload). There is of course always the possibility of the JavaScript "sandbox" being compromised through a security bug but by design: no.

A useful site as to an overview of what information can be obtained from JavaScript: http://clientjs.org/ (although one should note that for many of those the user can elect to lie by f.e. providing a custom user agent string).

Thank you for that link (I just noticed your post). I bookmarked that site and will look through it more tomorrow (beer o'clock right now). Pursuing through it there really are some DISTURBING methods available (w.r.t. privacy).
Aside from privacy and security, such information does have one useful application: responsive design.

[Portreve]

So, for a moment, let's kind of take this back to the basics.

It's my guess that back in the day a decision was made that host (i.e. the computer running the browser client) data should be exposed to the outside world. It was probably considered harmless enough at the time, since even though there were such things as computer viruses even back in the 1980s, that was geared towards a whole different mindset and purpose. That someone would try and do (potentially horrific) things through exploiting host data probably really hadn't crossed anyone's mind.

So, my question is: why not just eliminate that entire range of the feature set from the design of web browsers? I'm not saying that alone would deal with all possible exploit vectors, but wouldn't that eliminate a whole bunch of them?

[rene]

People expect "dynamic content" and sometimes, rightly so. Let's take one of the more detailed bits of retrievable information from that site as an example, getCurrentResolution(): this enables a site to dynamically adjust its content/layout to the viewport-size and can be quite welcome.

Frankly I'm not too impressed by ClientJS' possibilities...

[BG405]

as an example, getCurrentResolution(): this enables a site to dynamically adjust its content/layout to the viewport-size and can be quite welcome.

It would be welcome if it were used a bit moe often. Too many sites are a couple of dozen pixels too wide, or have a generally objectionable layout on a PC screen. Maybe it could be used to detect that you are using a PC or laptop, NOT a phablet. Especially sites aimed primarily at PC & Laptop users.

[michael louwe]

https://www.phoronix.com/scan.php?page= ... 6-32-Lands (Meltdown Protection For x86 32-bit Aligned For The Linux 4.19 Kernel;
Written by Michael Larabel in Linux Kernel on 20 July 2018)

[michael louwe]

https://www.zdnet.com/article/spectrers ... omponents/ (SpectreRSB: New attack targets CPU return stack buffers; Updated: The "Spectre class" attack can be used to recover and pull sensitive data from victim machines. - 24 July 2018)

[neversaynever]

https://www.phoronix.com/scan.php?page= ... 6-32-Lands (Meltdown Protection For x86 32-bit Aligned For The Linux 4.19 Kernel;
Written by Michael Larabel in Linux Kernel on 20 July 2018)

Hi Michael and thank-you for the news.
I have Linux Mint 18.0 32-bit with kernel 4.4.0-116.140 and the last version of microcode Intel.
Up to now I couldn't mitigate Meltdown.
Do you think that i can try to update to kernel 4.19 without problems?
If yes, do you think it is worthwhile?

[michael louwe]

.

.
Right now, there is only mainline/upstream Linux kernel 4.17 Stable available for manual install ... https://www.kernel.org/ . So, you will have to wait awhile for kernel 4.19 Stable.

Hopefully, Ubuntu/LM will also provide downstream Linux kernel 4.19 in the Update Manager of 32 bit LM 18.x and 17.x.