Windows 10: Windows Client Guidance against speculative execution vulnerabilities

Page 34 of 48 FirstFirst ... 24323334353644 ... LastLast
  1.    3 Weeks Ago #331

    Hi,

    dencal said: View Post
    Could this all be "False News".....scaremongering in a bid to increase the sale or upgrading of computers???

    Not one recorded infiltration.....it makes you think huh!!!....food for thought.
    Even the latest processors are vulnerable so upgrading to that won't help either.
    In the mean time Intel is revising its cpus but they're not avaible as yet.

    Personally I do not worry too much about this particular vulnerability as I see no reason for panic.

    Cheers,
      My ComputersSystem Spec


  2. Posts : 404
    Win10 x64 Pro -2 desktops, 1 laptop
       3 Weeks Ago #332

    dencal said: View Post
    Could this all be "False News".....scaremongering in a bid to increase the sale or upgrading of computers???

    Not one recorded infiltration.....it makes you think huh!!!....food for thought.
    I don't think the vendors need to do any scaremongering. There is enough news flying around - false and true - that users are asking the vendors for help. The vendors don't need any help.

    But the reports of the vulnerabilities - the reports that seem to be from authentic sources - all say that these vulnerabilities (especially Spectre) are difficult to exploit. It's not surprising that there have been no reports of exploitation ... yet.

    These are scary vulnerabilities because they are hardware based. They effect a huge number of computers. Spectre doesn't appear to have a software-based solution and a huge number of computers have old motherboards that aren't going to get BIOS upgrades. Those computers (which include two of mine) are going to remain vulnerable. But that doesn't mean that our computers are likely to become infected. First, the malware has to be developed (and it probably will be). Then we have to let our computers become infected. Good web hygiene is still our best protection.
      My ComputerSystem Spec


  3. Posts : 1,265
    WinX Pro x64 IP current
       3 Weeks Ago #333

    roy111 said: View Post
    I ran some tests as suggested in this pages and it seems i'n not protected from bugs:

    Suggested actions:

    * Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.


    Attachment 174256


    my pc is a bit old (i think 2011/2012) and there is no firmware update in asus support, am i out of option? shoud i buy a new one?

    thanks!
    See fdegrove's reply below - sums it up perfectly.

    dencal said: View Post
    Could this all be "False News".....scaremongering in a bid to increase the sale or upgrading of computers???

    Not one recorded infiltration.....it makes you think huh!!!....food for thought.
    Interesting idea - but cryptocurrency mining has already caused a massive spike in higgh end graphics arrays and power supplies, so I don't see the need to do this any further.

    Also, this was discovered by several sets of researchers, working together as groups but also independently researching the idea, and they've published the findings in various journals - the PoC is also active, I believe at GitHub (I think).

    The media hype is just that - hype - something to get a sensational byline in and add to the FUD - but the vulnerabilities are real, if not easily usable like a Trojan horse or Ransomeware by criminal elements (yet).

    fdegrove said: View Post
    Hi,



    Even the latest processors are vulnerable so upgrading to that won't help either.
    In the mean time Intel is revising its cpus but they're not avaible as yet.

    Personally I do not worry too much about this particular vulnerability as I see no reason for panic.

    Cheers,
    Bingo - there is no reason to panic - but there is definitely good reason to keep your systems monitored, to try to get a definitive answer from your OEM about whether your legacy machine has a fix in the works or not, and to keep your OS and AV software as up to date a s possible.

    1 sure fix for these vulnerabilities - take your machine offline permanently - and that means no more USB sticks attached to it, no network cables, no Wi-Fi, nothing - then you're sure you won't be attacked by anything. But that is the same as with all malware, so....

    pokeefe0001 said: View Post
    I don't think the vendors need to do any scaremongering. There is enough news flying around - false and true - that users are asking the vendors for help. The vendors don't need any help.

    But the reports of the vulnerabilities - the reports that seem to be from authentic sources - all say that these vulnerabilities (especially Spectre) are difficult to exploit. It's not surprising that there have been no reports of exploitation ... yet.

    These are scary vulnerabilities because they are hardware based. They effect a huge number of computers. Spectre doesn't appear to have a software-based solution and a huge number of computers have old motherboards that aren't going to get BIOS upgrades. Those computers (which include two of mine) are going to remain vulnerable. But that doesn't mean that our computers are likely to become infected. First, the malware has to be developed (and it probably will be). Then we have to let our computers become infected. Good web hygiene is still our best protection.
    ^^^^ this.
      My ComputersSystem Spec


  4. Posts : 2,638
    W10 Pro + W10 Preview
       3 Weeks Ago #334

    So if its not Fake News.....the only conclusion must be...... it was stupid and nave for those responsible to expose these weaknesses to the whole wide world rather than reveal and sell them directly to the makers of the hardware concerned.....thus at least giving them time to try and find a fix.

    Its a bit like telling a burglar "you may not have a key, but if you know when they are away on holiday"....easy pickings.
      My ComputersSystem Spec

  5.    3 Weeks Ago #335

    Hi,

    1 sure fix for these vulnerabilities - take your machine offline permanently - and that means no more USB sticks attached to it, no network cables, no Wi-Fi, nothing - then you're sure you won't be attacked by anything. But that is the same as with all malware, so....
    Precisely. Anything connected to the net is vulnerable to hacking. Hacking most wi-fi gear is surprisingly easy. From thermostats to fridges, whatever. Endusers aren't even aware of how exposed they are.
    A malicious person can even shutdown powergrids remotely etc.
    It's high time users of domotica gear are made aware of this because it seems no one reads the bl**dy manuals any more and changes the factory wi-fi passwords or so it seems.

    So if its not Fake News.....the only conclusion must be...... it was stupid and nave for those responsible to expose these weaknesses to the whole wide world rather than reveal and sell them directly to the makers of the hardware concerned.....thus at least giving them time to try and find a fix.
    I respectfiully disagree. I'm glad the vulnerability was leaked. CPU manufacturers have been made aware of it since about mid last year.
    Now that it's public knowledge they're forced to take action.
    Intel has listed all the cpu's they're going to work on and that includes cpus from decades ago. So even if OEMs don't provide bios updates for older machines you could still load corrective microcode onto the cpu that machine runs on.

    Cheers,
      My ComputersSystem Spec


  6. Posts : 404
    Win10 x64 Pro -2 desktops, 1 laptop
       3 Weeks Ago #336

    fdegrove said: View Post
    So even if OEMs don't provide bios updates for older machines you could still load corrective microcode onto the cpu that machine runs on.
    I would guess that is beyond most users. It's certainly beyond me. A motherboard contains a lot more than just the cpu so I assume the BIOS contains a lot more than just the cpu microcode. I can picture many ways I could brick a computer trying to upgrade the cpu microcode - a lot more ways to brick it than to get it right.
      My ComputerSystem Spec


  7. Posts : 2,638
    W10 Pro + W10 Preview
       3 Weeks Ago #337

    fdegrove said: View Post
    I respectfiully disagree. I'm glad the vulnerability was leaked. CPU manufacturers have been made aware of it since about mid last year.
    Now that it's public knowledge they're [I]forced to take action.
    Cheers,
    Your above opinion is dependant on the hope that billions of computers will not be affected, or that Countries vital infrastructure are not held to ransom.
      My ComputersSystem Spec


  8. Posts : 1,265
    WinX Pro x64 IP current
       3 Weeks Ago #338

    dencal said: View Post
    So if its not Fake News.....the only conclusion must be...... it was stupid and nave for those responsible to expose these weaknesses to the whole wide world rather than reveal and sell them directly to the makers of the hardware concerned.....thus at least giving them time to try and find a fix.

    Its a bit like telling a burglar "you may not have a key, but if you know when they are away on holiday"....easy pickings.
    Completely inaccurate analogy. If you read through the thread, and particularly my posts early on, you'll see the timeline for how the vulnerability was discovered - from speculation to research to the reveal to Intel to the public reveal.

    Most vulnerabilities have a 90 day time period in which the researchers are asked (and usually comply with) to give the OEM software developers and / or hardware developers time to issue a fix. In this case, I don't actually know if more time was requested, but the reveal came 6 months after initial disclosure to Intel.

    And the Linux kernel had to be patched - this is not just a Windows and Intel issue. Similarly, Apple had to patch MacOS (or whatever it is called now) for Intel machines as well.

    I urge you to read this thread in its entirety again - a lot of your recent comments are either incorrect speculation or pure outright FUD, and if you ignore the media hype and focus on the pure information in this thread (and the non-media links that I and others have provided) you'll get a much better understanding of what the vulnerability is, how it was discovered, and the complete timeline from beginning to disclosure last month.

    In addition, fdegrove's comment below are spot on.

    fdegrove said: View Post

    I respectfiully disagree. I'm glad the vulnerability was leaked. CPU manufacturers have been made aware of it since about mid last year.
    Now that it's public knowledge they're forced to take action.
    Intel has listed all the cpu's they're going to work on and that includes cpus from decades ago. So even if OEMs don't provide bios updates for older machines you could still load corrective microcode onto the cpu that machine runs on.

    Cheers,
    Exactly. In my case, my eVGA motherboard is waiting on a BIOS that may never make it out - because, although Intel has given a timeline (and already, I believe) provided updated microcode for those CPUs, they haven't done [B]squat/B] to provide OEM board manufacturers with BIOS source code for legacy board - my board, for example, is based upon the combination of the 58 chipset and the ICH10R chipset - both Intel chipsets. But eVGA has stated very clearly that unless they can get the source code for this (and other 'legacy') series of boards, they cannot issue a new BIOS for these boards.

    So, the ball is still in Intel's court on these legacy machines.

    fdegrove said: View Post
    Hi,



    Precisely. Anything connected to the net is vulnerable to hacking. Hacking most wi-fi gear is surprisingly easy. From thermostats to fridges, whatever. Endusers aren't even aware of how exposed they are.
    A malicious person can even shutdown powergrids remotely etc.
    It's high time users of domotica gear are made aware of this because it seems no one reads the bl**dy manuals any more and changes the factory wi-fi passwords or so it seems.
    LMFAO. My mom called me up a few days ago to inform me that she saw a video where a car pulled into a neighborhood and then put up some device and it was able to download all the information from that household - in a matter of (seconds / minutes). I had to explain to her very patiently that that is why I maintain her network - because nothing is left as default. I use my own IP schema, my own LAN IPs and set up MAC address enforced static IPs, both wired and wireless. In addition, I MAC address force remote access, and have a whole slew of other things that I do to monitor her network.

    And don't get me started on my own network!

    But a bigger part of the problem here is that a lot of people purchase / lease equipment directly from their provider - which, at least in the past that I have seen, was the router password was the owner's phone number, particularly on DSL lines....that just ... confounded me. But even worse are the ones that allow 0 user intervention, completely controlling everything from their end....

    pokeefe0001 said: View Post
    I would guess that is beyond most users. It's certainly beyond me. A motherboard contains a lot more than just the cpu so I assume the BIOS contains a lot more than just the cpu microcode. I can picture many ways I could brick a computer trying to upgrade the cpu microcode - a lot more ways to brick it than to get it right.
    You're right on track.

    There was a user who somehow managed to hack the BIOS for my motherboard series (from eVGA, specifically, but I believe he also did other manufacturers) in order to replace the Intel RAID ROM that was a part of the BIOS because the last release BIOS was so old that the RAID ROM was woefully inadequate for use on modern setups, particularly with SSDs, IIRC. I thought that, based upon that, it should be a relatively easy fix to simply replace the microcode in the BIOS and push it out - but according to an eVGA engineer, no, they need the full source code to be able to push out new BIOSs. And I have my suspicions as to why that actually is....
      My ComputersSystem Spec

  9.    3 Weeks Ago #339

    pokeefe0001 said: View Post
    I would guess that is beyond most users. It's certainly beyond me. A motherboard contains a lot more than just the cpu so I assume the BIOS contains a lot more than just the cpu microcode. I can picture many ways I could brick a computer trying to upgrade the cpu microcode - a lot more ways to brick it than to get it right.
    Microsoft might eventually offer the CPU microcode update through Windows Update. They've used Windows Update in the past to push out microcode updates for Intel processors.

    https://support.microsoft.com/en-us/...te-for-windows
      My ComputerSystem Spec


  10. Posts : 31,086
    Triple boot - Win 10 Pro, Win 10 Pro Insider (2) - (and a sprinkling of VMs)
       3 Weeks Ago #340

    Ground Sloth said: View Post
    Microsoft might eventually offer the CPU microcode update through Windows Update. They've used Windows Update to push out microcode updates for Intel processors in the past.

    https://support.microsoft.com/en-us/...te-for-windows
    On my Surface Pro 3 (MS lappy), it always has come thru WU.
      My ComputersSystem Spec


 
Page 34 of 48 FirstFirst ... 24323334353644 ... LastLast

Related Threads
The PowerShell script execution policies enables you to determine which Windows PowerShell scripts (if any) will be allowed to run on your computer. Windows PowerShell has four different execution policies: Execution Policy Description ...
Source: Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer - Microsoft Edge Dev Blog See also update: Cumulative Update KB4056892 Windows 10 v1709 Build 16299.192 - Windows 10 Forums
Source: Google Online Security Blog: Disclosing vulnerabilities to protect users
Windows 10 - Need some guidance on recovery in Installation and Upgrade
One of my spare Windows 10 machines is on life support. I must have clobbered it somehow when I was tweaking the multiple display settings ( to incorporate a HDMI projector). It actually worked fine all week, but today, when I tired to set it...
Read more: http://www.zdnet.com/article/microsoft-offers-it-guidance-to-prepare-for-windows-as-a-service/
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 14:44.
Find Us