Can Spectre, Meltdown etc mitigations be bypassed?
-
I noticed Chrome have updated their browser with a 'new security feature' that will keep users safe from Spectre etc., however it will use 10-13% more RAM because of the increased number of processes running in real time. With this in mind, I know Microsoft has said that patches were being worked on to similarly mitigate these potential threats, and I'm guessing that new security updates would contain these protective patches. I also remember it being said that in a lot of cases performance would take a hit due to more processes being needed to run the code etc. I'm admittedly not overly technical-minded, but was wondering: if a person is not affected by these bugs (as I found out I wasn't by reading my PC manufacturer's list of affected PCs, motherboards etc. [https://sp.ts.fujitsu.com/dmsp/Publi...-products.pdf]), then are these mitigations being put in place unnecessarily, or can the patches/protective code determine whether they're needed or not and thereby negate the performance problems the patches cause? If anyone knows what I'm talking about or has any insight into these questions I'd be grateful. Thanks in advance.
-
Run the InSpectre tool.
If you use W10, the 1709 and 1803 versions have a standalone MCU patch for anything >= Sandy Bridge.
The standalone is not required if the manufacturer has updated the UEFI/BIOS MCU and you run that firmware update. This may extend protection to the full Intel advisory level which includes slightly older Core processors (and variants).
Some Spectre variants cannot be mitigated as yet. Some are mitigated with the OS updates and the MCUs.
It's confusing, but surely Chrome SI mitigation is helpful, even if your processor is unpatched. I would not be concerned with the extra RAM requirement, as that can be handled inexpensively by adding RAM. It would not concern me if I used 8GB RAM; maybe if I had 4GB, depending on workload, but I would have upgraded to 8GB or more already if I had a workload that required it.
Thing is Spectre doesn't have to operate just in a browser, it could be any process that snoops into others in cache.
Upshot is, do both. Do the OS & CPU patching AND use Chrome.
-
OK thanks, so let me get this straight: although my PC manufacturer's list of affected machines doesn't include my current PC model or mainboard, therefore telling me I'm not affected... the fact that my main CPU is an Ivy Bridge processor means that my computer IS vulnerable?!
I downloaded InSpectre and it tells me I'm Meltdown-protected, but not Spectre-protected, and that a Microcode Update is available... I have 16GB RAM so I take it, from your reply, that I shouldn't notice a difference.
-
Yep, the Ivy Bridge CPUs are affected (as are most Intel CPUs since the late 90s, but most more than 8 years old can't be patched). If there is no manufacturer BIOS update then basically the Microsoft patches will provide a soft patch.
It differs for different versions of Windows 10. Once one patch is installed, the upgrade should install the standalone in the next version.
https://support.microsoft.com/en-us/...rocode-updates
I can't promise there won't be performance penalties, but most are task specific and in my own instance, the patches haven't slowed down anything I've noticed, but YMMV.
-
I use the MS Edge browser myself, and applied the system BIOS update and Windows 10 microcode standalone patch for my Kaby Lake processor; same for the laptop, where Chrome is not even installed.
I think I'm pretty safe. I also keep Avast Free up to date, but if need be I can make some changes.
-
The weird thing is the patch will install, even if the microcode has been updated in BIOS. (It's not needed but I don't think there's any real benefit from applying the patch update; unless it's newer than the MCU in BIOS. There is now a discrepancy between the Intel MCUs and the Microsoft versions.)
Avast can't help, unless the executables that are known to exploit Spectre are somehow detectable, which to my knowledge they're not, because they're not known.
-
-
I downloaded the Microsoft microcode update as suggested by winactive, when I ran InSpectre before I installed the update it told me I was protected against Meltdown but not against Spectre. Now after installing it, it says I AM protected against Spectre but NOT against Meltdown.
And when I click on the "Enable Meltdown Protection" button (via Administrator) and run it again it still says the same thing.
My CPU is an i5-3470, which is 3rd gen Ivy Bridge I believe... is this some anomaly?
-
If you click the 'Enable Meltdown Protection' button (which is a 'Disable Meltdown Protection' button when it's enabled) you must be running InSpectre with Admin privileges and reboot to switch it on or off.
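For anyone who wants to see what the "Enable/Disable Meltdown Protection" button in InSpectre is actually switching, and why it only takes effect after an elevated run plus a reboot, here is a read-only PowerShell check. This is an added example, not code from the thread, from InSpectre or from Microsoft. It reads the two registry values Microsoft documents for turning the kernel-side Meltdown (kernel VA shadow) and Spectre v2 (branch target injection) mitigations on or off, and optionally cross-checks with Microsoft's SpeculationControl module. It assumes that InSpectre flips those same values (which is why a reboot is needed before InSpectre reports the change) and that the bit meanings below match the ones in Microsoft's KB article for your Windows build.

```powershell
# Added example (not from the thread): read-only report of the Windows
# Meltdown / Spectre v2 mitigation override switches. Run from an elevated
# PowerShell prompt. Changing these values (as InSpectre does) needs admin
# rights and a reboot before the kernel picks them up.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MitigationOverride {
    # Returns an object describing whether an override is present and what it does.
    $props    = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask

    if ($null -eq $override -or $null -eq $mask) {
        # No override values at all: the OS uses its defaults, i.e. mitigations
        # are enabled wherever the CPU/microcode makes them applicable.
        return [pscustomobject]@{
            OverrideSet        = $false
            Meltdown_KvaShadow = 'OS default (enabled on affected CPUs)'
            SpectreV2_BTI      = 'OS default (enabled when microcode supports it)'
        }
    }

    # Bit meanings as documented by Microsoft for FeatureSettingsOverride
    # (assumption: unchanged for your build; verify against the KB article):
    #   bit 0 set = disable the Spectre v2 (branch target injection) mitigation
    #   bit 1 set = disable the Meltdown (kernel VA shadow) mitigation
    # A bit in the override only counts if the same bit is set in the mask.
    $effective = $override -band $mask
    [pscustomobject]@{
        OverrideSet        = $true
        Meltdown_KvaShadow = if ($effective -band 2) { 'DISABLED by override' } else { 'enabled' }
        SpectreV2_BTI      = if ($effective -band 1) { 'DISABLED by override' } else { 'enabled' }
    }
}

function Get-KernelMitigationStatus {
    # Cross-check using Microsoft's SpeculationControl module, if installed
    # (Install-Module SpeculationControl from the PowerShell Gallery).
    # This reports what the running kernel actually has enabled, which is
    # what changes only after the reboot mentioned above.
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        $s = Get-SpeculationControlSettings -Quiet   # -Quiet suppresses the console explanation
        [pscustomobject]@{
            MicrocodeSupportsSpectreV2 = $s.BTIHardwarePresent
            SpectreV2_OSEnabled        = $s.BTIWindowsSupportEnabled
            MeltdownAffected           = $s.KVAShadowRequired
            Meltdown_OSEnabled         = $s.KVAShadowWindowsSupportEnabled
        }
    } else {
        Write-Warning 'SpeculationControl module not installed; skipping kernel status check.'
    }
}

Get-MitigationOverride
Get-KernelMitigationStatus
```

If the first function reports an override that disables a mitigation while the second still shows it enabled (or the other way round), the machine has not been rebooted since the registry change, which is exactly the situation described in the post above. On a machine where the manufacturer's BIOS already carries the newer microcode, the SpeculationControl output is also the quickest way to confirm that the hardware-side Spectre v2 support is present regardless of whether the Windows standalone microcode package was installed on top.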
-
OK thanks, I shall try that when I've finished what I'm doing; it seems weird that it took away the Meltdown protection which was already in place, though.