Windows Client Guidance against speculative execution vulnerabilities

roy111 said:

I ran some tests as suggested in this pages and it seems i'n not protected from bugs:

Suggested actions:

* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.


Attachment 174256


my pc is a bit old (i think 2011/2012) and there is no firmware update in asus support, am i out of option? shoud i buy a new one?

thanks!

See fdegrove's reply below - sums it up perfectly.

dencal said:

Could this all be "False News".....scaremongering in a bid to increase the sale or upgrading of computers???

Not one recorded infiltration.....it makes you think huh!!!....food for thought.

Interesting idea - but cryptocurrency mining has already caused a massive spike in higgh end graphics arrays and power supplies, so I don't see the need to do this any further.

Also, this was discovered by several sets of researchers, working together as groups but also independently researching the idea, and they've published the findings in various journals - the PoC is also active, I believe at GitHub (I think).

The media hype is just that - hype - something to get a sensational byline in and add to the FUD - but the vulnerabilities are real, if not easily usable like a Trojan horse or Ransomeware by criminal elements (yet).

fdegrove said:

Hi,



Even the latest processors are vulnerable so upgrading to that won't help either.
In the mean time Intel is revising its cpus but they're not avaible as yet.

Personally I do not worry too much about this particular vulnerability as I see no reason for panic.

Cheers,

Bingo - there is no reason to panic - but there is definitely good reason to keep your systems monitored, to try to get a definitive answer from your OEM about whether your legacy machine has a fix in the works or not, and to keep your OS and AV software as up to date a s possible.

1 sure fix for these vulnerabilities - take your machine offline permanently - and that means no more USB sticks attached to it, no network cables, no Wi-Fi, nothing - then you're sure you won't be attacked by anything. But that is the same as with all malware, so....

pokeefe0001 said:

I don't think the vendors need to do any scaremongering. There is enough news flying around - false and true - that users are asking the vendors for help. The vendors don't need any help.

But the reports of the vulnerabilities - the reports that seem to be from authentic sources - all say that these vulnerabilities (especially Spectre) are difficult to exploit. It's not surprising that there have been no reports of exploitation ... yet.

These are scary vulnerabilities because they are hardware based. They effect a huge number of computers. Spectre doesn't appear to have a software-based solution and a huge number of computers have old motherboards that aren't going to get BIOS upgrades. Those computers (which include two of mine) are going to remain vulnerable. But that doesn't mean that our computers are likely to become infected. First, the malware has to be developed (and it probably will be). Then we have to let our computers become infected. Good web hygiene is still our best protection.

^^^^ this.

So if its not Fake News.....the only conclusion must be...... it was stupid and naïve for those responsible to expose these weaknesses to the whole wide world rather than reveal and sell them directly to the makers of the hardware concerned.....thus at least giving them time to try and find a fix.

Its a bit like telling a burglar "you may not have a key, but if you know when they are away on holiday"....easy pickings.

fdegrove said:

I respectfiully disagree. I'm glad the vulnerability was leaked. CPU manufacturers have been made aware of it since about mid last year.
Now that it's public knowledge they're [I]forced to take action.
Cheers,

Your above opinion is dependant on the hope that billions of computers will not be affected, or that Countries vital infrastructure are not held to ransom.

dencal said:

So if its not Fake News.....the only conclusion must be...... it was stupid and naïve for those responsible to expose these weaknesses to the whole wide world rather than reveal and sell them directly to the makers of the hardware concerned.....thus at least giving them time to try and find a fix.

Its a bit like telling a burglar "you may not have a key, but if you know when they are away on holiday"....easy pickings.

Completely inaccurate analogy. If you read through the thread, and particularly my posts early on, you'll see the timeline for how the vulnerability was discovered - from speculation to research to the reveal to Intel to the public reveal.

Most vulnerabilities have a 90 day time period in which the researchers are asked (and usually comply with) to give the OEM software developers and / or hardware developers time to issue a fix. In this case, I don't actually know if more time was requested, but the reveal came 6 months after initial disclosure to Intel.

And the Linux kernel had to be patched - this is not just a Windows and Intel issue. Similarly, Apple had to patch MacOS (or whatever it is called now) for Intel machines as well.

I urge you to read this thread in its entirety again - a lot of your recent comments are either incorrect speculation or pure outright FUD, and if you ignore the media hype and focus on the pure information in this thread (and the non-media links that I and others have provided) you'll get a much better understanding of what the vulnerability is, how it was discovered, and the complete timeline from beginning to disclosure last month.

In addition, fdegrove's comment below are spot on.

fdegrove said:

I respectfiully disagree. I'm glad the vulnerability was leaked. CPU manufacturers have been made aware of it since about mid last year.
Now that it's public knowledge they're forced to take action.
Intel has listed all the cpu's they're going to work on and that includes cpus from decades ago. So even if OEMs don't provide bios updates for older machines you could still load corrective microcode onto the cpu that machine runs on.

Cheers,

Exactly. In my case, my eVGA motherboard is waiting on a BIOS that may never make it out - because, although Intel has given a timeline (and already, I believe) provided updated microcode for those CPUs, they haven't done [B]squat/B] to provide OEM board manufacturers with BIOS source code for legacy board - my board, for example, is based upon the combination of the 58 chipset and the ICH10R chipset - both Intel chipsets. But eVGA has stated very clearly that unless they can get the source code for this (and other 'legacy') series of boards, they cannot issue a new BIOS for these boards.

So, the ball is still in Intel's court on these legacy machines.

fdegrove said:

Hi,



Precisely. Anything connected to the net is vulnerable to hacking. Hacking most wi-fi gear is surprisingly easy. From thermostats to fridges, whatever. Endusers aren't even aware of how exposed they are.
A malicious person can even shutdown powergrids remotely etc.
It's high time users of domotica gear are made aware of this because it seems no one reads the bl**dy manuals any more and changes the factory wi-fi passwords or so it seems.

LMFAO. My mom called me up a few days ago to inform me that she saw a video where a car pulled into a neighborhood and then put up some device and it was able to download all the information from that household - in a matter of (seconds / minutes). I had to explain to her very patiently that that is why I maintain her network - because nothing is left as default. I use my own IP schema, my own LAN IPs and set up MAC address enforced static IPs, both wired and wireless. In addition, I MAC address force remote access, and have a whole slew of other things that I do to monitor her network.

And don't get me started on my own network!

But a bigger part of the problem here is that a lot of people purchase / lease equipment directly from their provider - which, at least in the past that I have seen, was the router password was the owner's phone number, particularly on DSL lines....that just ... confounded me. But even worse are the ones that allow 0 user intervention, completely controlling everything from their end....

pokeefe0001 said:

I would guess that is beyond most users. It's certainly beyond me. A motherboard contains a lot more than just the cpu so I assume the BIOS contains a lot more than just the cpu microcode. I can picture many ways I could brick a computer trying to upgrade the cpu microcode - a lot more ways to brick it than to get it right.

You're right on track.

There was a user who somehow managed to hack the BIOS for my motherboard series (from eVGA, specifically, but I believe he also did other manufacturers) in order to replace the Intel RAID ROM that was a part of the BIOS because the last release BIOS was so old that the RAID ROM was woefully inadequate for use on modern setups, particularly with SSDs, IIRC. I thought that, based upon that, it should be a relatively easy fix to simply replace the microcode in the BIOS and push it out - but according to an eVGA engineer, no, they need the full source code to be able to push out new BIOSs. And I have my suspicions as to why that actually is....

Ground Sloth said:

Microsoft might eventually offer the CPU microcode update through Windows Update. They've used Windows Update to push out microcode updates for Intel processors in the past.

https://support.microsoft.com/en-us/...te-for-windows

On my Surface Pro 3 (MS lappy), it always has come thru WU.