ATTN!...Intel CPU owners (Spectre,Meltdown,Foreshadow, flaws)

Chat about just about anything else
Post Reply
User avatar
Spearmint2
Level 16
Level 16
Posts: 6316
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: ATTN!...Intel CPU owners

Post by Spearmint2 » Fri Jan 05, 2018 8:02 am

DAMIEN1307 wrote:i do notice that the toms hardware article in the above post is based on INTELs response to the uproar and do i trust INTELs response? oh yea...just like i trust a Microsoft response...what i DO expect is that these folks, in order to protect their own self interests as well as their own piggy bank, is that they will continue to apply lipstick to their pig along with a little maybeline makeup and then pronounce the pig as being "pretty"...my personal opinion? its still a pig no matter how much you try to pretty it up...DAMIEN
You sound like you don't appreciate all the wonderful things they've done lately for us Linux users like GPT, UEFI, Secure Boot, Lenovo's single drive proprietary RAID, et al. :roll:
Last edited by Spearmint2 on Fri Jan 05, 2018 8:26 am, edited 1 time in total.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

User avatar
Spearmint2
Level 16
Level 16
Posts: 6316
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: ATTN!...Intel CPU owners

Post by Spearmint2 » Fri Jan 05, 2018 8:05 am

pizzadude wrote:Everyone with an Intel CPU should upgrade their kernel ASAP. It pains me that people in this thread are saying they won't update. Most tasks won't be affected by the performance penalties. Do you honestly care about performance more than security? You could literally visit a website and have your computer compromised rootkit level. :evil: I'm running the kernel with the security fix already (4.14.11) from mainline ppa installed using UKUU.
The ones hit the most by this degrade in performance will be all those heavy Intel chip gamers and their i7 processors. That's when the screaming starts.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

User avatar
Spearmint2
Level 16
Level 16
Posts: 6316
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: ATTN!...Intel CPU owners

Post by Spearmint2 » Fri Jan 05, 2018 8:14 am

michael louwe wrote:Bear in mind that a successful Spectre attack through the Internet allows the hackers to read secret data that are stored in the kernel memory address space of RAM, afaik. This means the hackers can capture usernames, passwords, encryption keys, etc that had been used by the computer users. The hackers may then be able to read the users' emails, credit card data, bank account data, website log-in credentials, etc = do further phishing, financial fraud, etc.

IOW, the Spectre bug may expose the users' private data to hackers, which can then be further exploited. In comparison, the EternalBlue SMB1 bug only allows the hackers to plant ransomware on users' computers, eg WannaCry and Petya.
They still have to get past NAT on router, the router's firewall, and Linux GUFW, so I don't think this is much for average home linux user to worry overmuch about.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

User avatar
Spearmint2
Level 16
Level 16
Posts: 6316
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: ATTN!...Intel CPU owners

Post by Spearmint2 » Fri Jan 05, 2018 8:19 am

xenopeek wrote: As for Linux Mint 17.3, yes you manually install kernel updates there through the View > Linux kernels menu of Update Manager.. You must use either kernel 3.13.x or 4.4.x series on Linux Mint 17,x. All other kernel releases are no longer maintained by Ubuntu kernel team. Easiest is to just scroll to the very end of the kernel list and install the newest 4.4.x version.
The risks with these vulnerabilities for home users is first in their web browser (as that runs untrusted software, JavaScript from websites for example) and web browser developers are mitigating these risks in the web browsers themselves so that they are also safe on unpatched kernels.
That answers my question on why I didn't find an update yesterday when I checked. I'm running Kernel~3.13.0-100-generic i686l, so will update that today.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

rene
Level 11
Level 11
Posts: 3725
Joined: Sun Mar 27, 2016 6:58 pm

Re: ATTN!...Intel CPU owners

Post by rene » Fri Jan 05, 2018 9:55 am

Spearmint2 wrote:
rene wrote:I'd hate to have the fact that this problem is likely exceedingly hard to exploit in a useful manner in the first place drop from the thread so please consider that remarked upon again also...
Yes. I find this more as something interesting, but not distressing for the average home user. For mainline servers, then of course.
Now that details are known, let me make this a bit more precise.

The matter has been partitioned into two parts dubbed Meltdown and Spectre both with speculative execution of pipelined CPU's and most specifically Intel's at the heart of it; meltdown is the one that the in this thread primarily discussed KPTI patches defend against. What the issue boils down to is a possibility of unprivileged code to infer contents of memory regions which it does not have normal read access to. Note, "infer" and not "read" as such: it's a timing-based inferral; slow and involved. In the case of Meltdown it is scriptable though: the technical details that have surfaced are even at this point enough to have a fair number of people knowledgeable wrt. machine-level programming reconstruct the exploit, and certainly fair enough to have this group contain more than one person pubescent or American enough to confuse the right to publish what you want with the obligation to publish that which others do not. It does as such make sense to not skip the KPTI patches once available; that first group will undoubtedly feed a much larger group of script-kiddies world over.

But, yes, this (first stage of) exploitation still requires the exploit to execute on your machine; full-blown malware is at least on Linux anything from rare to non-existent as an actual threat-model; browser-based code such as JavaScript could in our cases be expected to be the only somewhat practical delivery method but is given the slow and especially timing-dependent nature of the exploit both error prone and easily defended against. We'll for example see an update to Firefox coming down our update-pipelines shortly which denies access to high-precision timer sources, mitigating or even flat-out solving our only worry: https://blog.mozilla.org/security/2018/ ... ng-attack/. This is by the way in addition to me in some 20 odd years of using Linux never having found myself on a website that executed malicious code in the first place -- but I shall admit I don't do Facebook...

Spectre has the same underlying principle as Meltdown but is (even) harder to exploit in any useful manner not being similarly scriptable, so, yes, I would say that chances of an actual exploit based on this issue not affecting any actual system out there is in fact very big. Conceptual versus actual seems in issues such as this a hard distinction to make for many people but -- even though I would as mentioned not skip the KPTI kernel patches -- there is really no need for great concern. What's special about this issue is that it's hardware based; that the issue lurks inside of most of our systems and is although able to be solved through software updates in some sense, mitigated in others, really only definitively solvable by hardware replacements.

Laurent85
Level 16
Level 16
Posts: 6075
Joined: Tue May 26, 2015 10:11 am

Re: ATTN!...Intel CPU owners

Post by Laurent85 » Fri Jan 05, 2018 10:06 am

AMD cpus are also vulnerable to variants #1 & #2 Spectre exploits. By design AMD cpus are not affected by variant #3 Meltdown only.

Variants #1 & #3 requires kernel patch, variant #2 requires both kernel patch AND cpu microcode update.
Image

User avatar
thx-1138
Level 7
Level 7
Posts: 1846
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: ATTN!...Intel CPU owners

Post by thx-1138 » Fri Jan 05, 2018 10:48 am

https://fedoramagazine.org/kpti-new-ker ... -meltdown/

...from the last paragraph:
Actually writing an attack to collect useful data from this exploit can take weeks or months to develop for a single system. Still, in the interests of security the KPTI patches were merged to close this hole.
So...while it's certainly serious...it is by no means Doom's Day...the Skynet didn't took over yet, and there's no need for Arnold / T-1000 to come from the future to help John Connor... ;-)
=========================================

https://www.chromium.org/Home/chromium-security/ssca
Chrome's JavaScript engine, V8, will include mitigations starting with Chrome 64, which will be released on or around January 23rd 2018.
Considering that Google itself (& affiliates) were the ones who 'discovered' the flaws in the first place...

=========================================
...from another thread, thanks to aes2011 - as this i assume is what the vast majority of people wanted to know...
Ubuntu users of the 64-bit x86 architecture (aka, amd64) can expect updated kernels by the original January 9, 2018 coordinated release date, and sooner if possible. Updates will be available for:

Ubuntu 17.10 (Artful) — Linux 4.13 HWE
Ubuntu 16.04 LTS (Xenial) — Linux 4.4 (and 4.4 HWE)
Ubuntu 14.04 LTS (Trusty) — Linux 3.13
Ubuntu 12.04 ESM (Precise) — Linux 3.2
......................
Furthermore, you can expect Ubuntu security updates for a number of other related packages, including CPU microcode, GCC and QEMU in the coming days.
Last edited by thx-1138 on Fri Jan 05, 2018 11:25 am, edited 1 time in total.

User avatar
Minterator
Level 5
Level 5
Posts: 596
Joined: Thu Jan 10, 2013 8:29 am

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Minterator » Fri Jan 05, 2018 12:51 pm

This is the topic of the decade, it really belongs in "Releases & Announcements"
Mint 17.3 MATE, kernel 4.11.12

User avatar
michael louwe
Level 10
Level 10
Posts: 3297
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Fri Jan 05, 2018 12:55 pm

https://arstechnica.com/gadgets/2018/01 ... -about-it/
(Latest news on Meltdown & Spectre)

Seems, the Intel microcode or firmware update to fix the Spectre bug requires corresponding updates to programs/apps/software and OS. Otherwise, they may break or become non-functional. IOW, installing the Intel microcode or firmware update may brick your OS and programs/apps if they have not been correspondingly patched.

In comparison, the KPTI patch to fix the Meltdown bug will likely not break your OS and programs/apps, except for incompatibility with some AV programs for Windows.

So, better to wait awhile before applying the Meltdown & Spectre patches. Like they say, "Do not fix what ain't broken".
Last edited by michael louwe on Sat Jan 06, 2018 1:59 pm, edited 1 time in total.

User avatar
chrisuk
Level 5
Level 5
Posts: 593
Joined: Thu Jun 12, 2008 6:16 am

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by chrisuk » Fri Jan 05, 2018 1:18 pm

Just to give some idea of progress elsewhere:

Patched Kernels reached Manjaro (Arch) this morning - so typing dmesg -T | grep isolation gets me

Code: Select all

[Fri Jan  5 16:57:53 2018] Kernel/User page tables isolation: enabled
However, the patched Firefox (57.0.4) has been released by Mozilla, but not in Manjaro repos yet. All this doesn't mitigate "Spectre" though... nothing does/will AFAIK (although I'm guessing firejail helps).
Chris

Manjaro MATE - MX Linux - LMDE MATE

rene
Level 11
Level 11
Posts: 3725
Joined: Sun Mar 27, 2016 6:58 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by rene » Fri Jan 05, 2018 3:26 pm

chrisuk wrote:However, the patched Firefox (57.0.4) has been released by Mozilla, but not in Manjaro repos yet. All this doesn't mitigate "Spectre" though... nothing does/will AFAIK (although I'm guessing firejail helps).
Certainly Firefox 57.0.4 does mitigate: its elimination of high-resolution timer sources boils down to not being usable by malicious web-content to detect cache hits vs. misses, the basis of both Meltdown and Spectre; to eliminating itself as a possible platform for exploits of either of these issues.

What does not help is firejail...

DAMIEN1307
Level 7
Level 7
Posts: 1966
Joined: Tue Feb 21, 2017 8:13 pm
Location: Alamogordo, New Mexico, USA

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by DAMIEN1307 » Fri Jan 05, 2018 4:07 pm

This is cumulative of what i have found thus far

Number 1 - it may be of interest to note that INTEL has released a new microcode today...the link provided here is from the oregon state university repository...i have applied it to my back up system, a dell laptop, which is an INTEL core i5 chip from which im typing on right now... http://ftp.us.debian.org/debian/pool/no ... microcode/ ...

Number 2 - the reason i found for updating the microcode though it is only a partial help requireing also the kernel fix that is forthcoming is found in this article... https://www.theregister.co.uk/2018/01/0 ... explained/ ...

a few key paragraphs keyed in on this part of the issue

"On pre-Skylake CPUs, kernel countermeasures – and on Skylake and later, a combination of a microcode updates and kernel countermeasures known as Indirect Branch Restricted Speculation, aka IBRS – to kill Spectre Variant 2 attacks that steal data from kernels and hypervisors."

and

"Fixing the bounds bypass check attack requires analysis and recompilation of vulnerable code; addressing the branch target injection attack can be dealt with via a CPU microcode update, such as Intel's IBRS microcode, or through a software patch like "retpoline" to the operating system kernel, the hypervisor, and applications."

and

"In other words: to protect yourself from Spectre Variant 1 attacks, you need to rebuild your applications with countermeasures. These defense mechanisms are not generally available yet. To protect yourself from Spectre Variant 2 attacks, you have to use a kernel with countermeasures, and if you're on a Skylake or newer core, a microcode update, too. That microcode is yet to ship. It's not particularly clear, through all the noise and spin this week, which kernels have been built and released with countermeasures, if any. A disassembly of latest Windows releases suggests Microsoft is, for one, on the case."

and

"Wagner observed that software fixes aren't enough. "Ultimately, this is a problem with the processor and addressing it in the browser requires removing useful functionality and degrading performance," he said. "We hope the future microprocessor improvements would allow less drastic measures in the browser while still maintaining safety."

it is a 2 page article but appears to me (i could be wrong) that this is only a part of a total fix down the road...just waiting now for the kernel security update to follow...

Number 3 - this article has some work arounds for chrome/chromium based browsers and to a lesser extent firefox browsers to harden up their isolation capabilities that should help until the kernel/ microcode fixes become finalised...DAMIEN

http://www.linuxandubuntu.com/home/how- ... h-solution

To enable Site Isolation in Chrome/Chromium, copy the following URL in URL bar -

chrome://flags/#enable-site-per-process


To enable First-Party Isolation in Firefox

type about:config in the url bar. Search for site isolation and you'll get the following options -
enable first-party isolation in firefox
As you can see the value of privacy.firstparty.isolate is set to false. Double click to set it to true.

restart the browsers for isolation to take effect...

i have applied these workarounds until the real security update fixes become available on all four of my home systems and all is working fine here and am really hoping these workarounds along with their explainations as described in the articles will be of some real value and use to the community...DAMIEN
Last edited by DAMIEN1307 on Sat Jan 06, 2018 4:14 am, edited 5 times in total.
ORDO AB CHAO

User avatar
michael louwe
Level 10
Level 10
Posts: 3297
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Fri Jan 05, 2018 4:59 pm

https://www.theguardian.com/technology/ ... s-computer
(Pending Class-action lawsuits against Intel)

SuperSapien
Level 4
Level 4
Posts: 234
Joined: Tue Sep 29, 2015 5:36 pm
Location: United States

Intel’s Response to Meltdown & Spectre Vulnerabilities

Post by SuperSapien » Fri Jan 05, 2018 10:52 pm

If you heard anything about Intels vulnerabilities you might want to watch this video.: https://www.youtube.com/watch?v=8ZzuR0v3UKw

User avatar
Sir Charles
Level 7
Level 7
Posts: 1897
Joined: Thu Jan 04, 2018 1:00 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Sir Charles » Sat Jan 06, 2018 12:52 am

Linux KPTI Tests Using Linux 4.14 vs. 4.9 vs. 4.4

Here is the result of som tests that Phoronix has run to show the impact of the KPTI on performance:
https://www.phoronix.com/scan.php?page= ... pcid&num=1

It seems that the negative impact of the security measures are not as bad as what was believed at the beginning of this cpu scandal.
Last edited by Sir Charles on Sat Jan 06, 2018 2:07 am, edited 1 time in total.
I suppose that's one of the ironies of life, doing the wrong thing at the right moment -C.C.

DAMIEN1307
Level 7
Level 7
Posts: 1966
Joined: Tue Feb 21, 2017 8:13 pm
Location: Alamogordo, New Mexico, USA

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by DAMIEN1307 » Sat Jan 06, 2018 1:24 am

i have taken note that the 4.10 kernel series does not appear to be in the offering of the forthcoming kernel security update being put out by ubuntu on the 9th of january...my guess is either regress to 4.4 or go for the 4.13 series...DAMIEN

https://insights.ubuntu.com/2018/01/04/ ... rabilities
ORDO AB CHAO

User avatar
Sir Charles
Level 7
Level 7
Posts: 1897
Joined: Thu Jan 04, 2018 1:00 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Sir Charles » Sat Jan 06, 2018 1:51 am

DAMIEN1307 wrote:i have taken note that the 4.10 kernel series does not appear to be in the offering of the forthcoming kernel security update being put out by ubuntu on the 9th of january...my guess is either regress to 4.4 or go for the 4.13 series...DAMIEN
For the time being, I have chosen to run 4.14 which is patched until the updates will be available for the officially supported kernels.
I suppose that's one of the ironies of life, doing the wrong thing at the right moment -C.C.

User avatar
smurphos
Level 12
Level 12
Posts: 4116
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by smurphos » Sat Jan 06, 2018 1:56 am

DAMIEN1307 wrote:i have taken note that the 4.10 kernel series does not appear to be in the offering of the forthcoming kernel security update being put out by ubuntu on the 9th of january...my guess is either regress to 4.4 or go for the 4.13 series...DAMIEN

https://insights.ubuntu.com/2018/01/04/ ... rabilities
I'll stick my neck out and say
Ubuntu 16.04 LTS (Xenial) — Linux 4.4 (and 4.4 HWE)
is possibly a typo - 4.4 HWE does not exist for xenial (it does for trusty) - 4.10 HWE does however and is supposed to be in support until February and is listed here (package - linux-hwe) as pending an update for the relevant CVE - https://people.canonical.com/~ubuntu-se ... -5754.html

Edit: Maybe not....possibly as Zesty 17.04 is imminently EOL they are not bothering to patch the 4.10 kernel. If so I'd expect Update Manager to offer the 4.13 patched version to folks on 4.10
Last edited by smurphos on Sat Jan 06, 2018 9:33 am, edited 1 time in total.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

User avatar
michael louwe
Level 10
Level 10
Posts: 3297
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Sat Jan 06, 2018 2:17 am

http://news.softpedia.com/news/windows- ... 9238.shtml
[Windows 10 Cumulative Update KB4056892 (Meltdown & Spectre Fix) Fails to Install on mostly AMD-based computers; Users complaining of boot issues after installing the patch]
.
This is also affecting Win 7 AMD computers.
... Seems intentional on M$'s part, ie using the Meltdown patch in Windows Update to push AMD users onto new Win 10 Intel computers since Wintel is an oligopoly.
Last edited by michael louwe on Sat Jan 06, 2018 5:21 am, edited 1 time in total.

User avatar
michael louwe
Level 10
Level 10
Posts: 3297
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Sat Jan 06, 2018 4:10 am

https://www.reddit.com/r/pcmasterrace/c ... _and_bios/
[A user’s performance impact test results for the Windows patch and/or Intel microcode/firmware patch.]

Post Reply

Return to “Open chat”