Page 3 of 3

Re: Spectre and Meltdown: Next Generation

Posted: Tue May 22, 2018 6:51 pm
by absque fenestris
DAMIEN1307 wrote:
Tue May 22, 2018 10:54 am
It is now officially known as Spectre variant 3a and Spectre variant 4...following article discusses just which CPUs are vulnerable and once again telling us about staying up to date on microcode updates as well as any update patches to come...note also that atom processors are now also included...thus far only Intel processors seem to be affected but we all know by now that the experts will probably find out that the other manufacturers products may soon join the list...more fun to come...lol...DAMIEN
I'm so glad about the N Series... :mrgreen:

Intel® Atom™ Processor C Series (C3308 - C3958)
Intel® Atom™ Processor E Series
Intel® Atom™ Processor A Series
Intel® Atom™ Processor X Series (x5-E3930, x5-E3940, x7-E3950)
Intel® Atom™ Processor T Series (T5500, T5700)
Intel® Atom™ Processor Z Series

Re: Spectre and Meltdown: Next Generation

Posted: Tue May 22, 2018 7:03 pm
by stephanieswitzer
DAMIEN1307 wrote:
Tue May 22, 2018 3:58 pm
Hi stephanie...that microcode in your driver manager is the latest one released thru the mint updater and recommended for your system...i always install the most up to date microcode recommended and have never had a failure...yes your system is "chirping" right along with the existing microcode, however this newest one has new "mitigation" code re-written within it to mitigate vulnerabilities found in your Intel CPU chipset...this should be installed as well as any updates that will be forthcoming from the linux mint update manager...DAMIEN

run this code to check your microcode version, dont panic if nothing shows up, it just means that you have what came installed and have probably never updated it...after installing and REBOOTING your computer, run the code again and it should show up.

dpkg -l | grep microcode


after you have done the above, run this code, the last word in the terminal after running this should say "patched"

grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched" || echo "unpatched"


and lastly, run this code in your terminal and it will show that mitigations have been applied

grep . /sys/devices/system/cpu/vulnerabilities/*
Thank you so much Damien. I’ll give it a whirl 😊

Re: Spectre and Meltdown: Next Generation

Posted: Wed May 23, 2018 5:24 am
by DAMIEN1307
hi stephanie...let us know how you make out with this...DAMIEN

ps-is The Governor Massey Inn in downtown Toronto still in business?

Re: Spectre and Meltdown: Next Generation

Posted: Wed May 23, 2018 5:26 am
by DAMIEN1307
hi absque...my experimental netbook is an "N" series too...lol...DAMIEN

Re: Spectre and Meltdown: Next Generation

Posted: Wed May 23, 2018 12:19 pm
by KBD47
By the time these variants and additional patches are all through, will these cpu's even work at all :( Am I right in understanding that javascript is primarily how these problems will affect user's computers?

Re: Spectre and Meltdown: Next Generation

Posted: Wed May 23, 2018 1:29 pm
by rene
KBD47 wrote:
Wed May 23, 2018 12:19 pm
Am I right in understanding that javascript is primarily how these problems will affect user's computers?
No. This family of vulnerabilities require fairly involved code executing on your computer to exploit. As part of a piece of malware already on your system or, as the only way in which Javascript entered into this at all, as part of for example Javascript code executing on your system by your browser when visiting a malicious site.

Seeing as how you can to a large degree defend against locally installed malware yourself simply by not installing it, the web-based attack vector got the most attention but with the mitigations implemented by browsers (denying code easy access to high resolution timers, needed for the exploit) that threat is in fact at this point probably least likely.

And that's saying something especially on Linux: with the lack of serious malware for Linux out there you'd need to go out and try really hard to get exploited by any of this...

Re: Spectre and Meltdown: Next Generation

Posted: Wed May 23, 2018 2:03 pm
by stephanieswitzer
DAMIEN1307 wrote:
Wed May 23, 2018 5:24 am
hi stephanie...let us know how you make out with this...DAMIEN

ps-is The Governor Massey Inn in downtown Toronto still in business?
I did the Microcode update and here is the resulting outputs:

Code: Select all

sps@spsMini ~ $ dpkg -l | grep microcode
ii  intel-microcode    3.20180425.1~ubuntu0.16.04.1   amd64   Processor microcode firmware for Intel CPUs
ii  iucode-tool          1.5.1-1ubuntu0.1                        amd64   Intel processor microcode tool

Code: Select all

sps@spsMini ~ $ grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched" || echo "unpatched"
CONFIG_PAGE_TABLE_ISOLATION=y
patched
And

Code: Select all

sps@spsMini ~ $ grep . /sys/devices/system/cpu/vulnerabilities/* 
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: OSB (observable speculation barrier, Intel v6)
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB (Intel v4)
Not sure what all this means, but my system still works fine :)

P.S. Not sure about the The Governor Massey Inn in downtown Toronto, as I haven't been to Toronto for quite a while.

Re: Spectre and Meltdown: Next Generation

Posted: Wed May 23, 2018 2:18 pm
by KBD47
rene wrote:
Wed May 23, 2018 1:29 pm
No. This family of vulnerabilities require fairly involved code executing on your computer to exploit. As part of a piece of malware already on your system or, as the only way in which Javascript entered into this at all, as part of for example Javascript code executing on your system by your browser when visiting a malicious site.

Seeing as how you can to a large degree defend against locally installed malware yourself simply by not installing it, the web-based attack vector got the most attention but with the mitigations implemented by browsers (denying code easy access to high resolution timers, needed for the exploit) that threat is in fact at this point probably least likely.

And that's saying something especially on Linux: with the lack of serious malware for Linux out there you'd need to go out and try really hard to get exploited by any of this...
That's the bottom line--how likely is it that Linux users will be affected by this? Sometimes the cure is worse than the illness. Dual-core machines already lack speed, and some machines are never going to get patches anyway. I just wonder if users keep their browsers updated, stick to software in the repositories, and don't download sketchy programs, how big a threat is it?

Re: Spectre and Meltdown: Next Generation

Posted: Wed May 23, 2018 2:19 pm
by DAMIEN1307
hi stephanie...sounds like you did it all just fine...stay tuned to this thread for when the next microcode becomes available for your Intel CPU...your speculative storage bypass is still vulnerable only because Intel hasnt put out an updated new microcode to mitigate it as of yet but dont really worry about that...problems with that just yet are really remote and the "Press" really overhypes the problem as something earth shattering...lol...with linux you would have to really, really work very hard to get anything malicious into your system...(the article link below will tell you all about the SSB vulnerability that still needs to be mitigated)...On another note, The Governer Massey Inn was a favourite watering hole of mine when i used to live in New Hampshire near the Canadian border and used to spend my vacations in Ontario Provence...now i live only an hour away from the Mexican border here in New Mexico...lol...DAMIEN


https://arstechnica.com/gadgets/2018/05 ... and-intel/

Re: Spectre and Meltdown: Next Generation

Posted: Wed May 23, 2018 4:39 pm
by rene
KBD47 wrote:
Wed May 23, 2018 2:18 pm
I just wonder if users keep their browsers updated, stick to software in the repositories, and don't download sketchy programs, how big a threat is it?
Extremely minimal. Both on this Core 2 Duo that's never going to see microcode updates as well as on my other systems, some of which I've even disabled the kernel-side mitigations on due to having no desire for even small real slowdowns so as to defend against virtual-only threats. The interesting aspect of this family of exploits is the location of the vulnerability: not in any one of the thousands of pieces of software we've got installed but in hardware, in the most core bit of hardware at that, and THEN not just as a braino-type of thing but fairly intrinsically tied to a core technique used by any and all non-archaic CPU designs.

As in "ouch". But not as in "tremble".

Re: Spectre and Meltdown: Next Generation

Posted: Tue Jul 10, 2018 7:43 pm
by DAMIEN1307
The "gift" that just keeps on giving, seems like engineers knew to at least to an extent, that they were sacrificing chip security for the sake of faster speeds and thus profit, as well as form of planned obsolesence...Intel is now going to issue a slew of microcode updates for flawed chips, (the ones they will support until they decide not to), on an order of every three months, much like a M$ "patch tuesday"...enjoy the link article...DAMIEN

https://www.theregister.co.uk/2018/07/1 ... dvisories/