'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign

I couldn't get the scripts to run despite running as admin and importing stuff as suggested by the Microsoft output. Probably wouldn't have told me anything useful anyway.

My MoBo is a few years old and I haven't bothered checking for BIOS updates for a while. i.e. if it ain't broke, don't fix it. But I'll be looking out for changes from now.
 


Need to change the execution policy from Restricted to RemoteSigned as below, then change it back to Restricted when finished running the script.

Code:
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\WINDOWS\system32> get-executionpolicy
Restricted
PS C:\WINDOWS\system32> get-executionpolicy -list

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine      Restricted


PS C:\WINDOWS\system32> set-executionpolicy remotesigned

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): y
PS C:\WINDOWS\system32> get-executionpolicy
RemoteSigned
PS C:\WINDOWS\system32>
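
A variant of the steps above that leaves the LocalMachine policy at Restricted, so there is nothing to change back afterwards (added example, not part of the original post). It assumes the script being run is Microsoft's SpeculationControl module, which the thread does not name, and that the module is already installed:

```powershell
# Added example. Assumption: the check is Microsoft's SpeculationControl
# module (Get-SpeculationControlSettings); the thread does not name it.

# Record every scope's policy first so the result can be compared afterwards.
$before = Get-ExecutionPolicy -List

# Process scope applies only to this PowerShell session and is discarded
# when the window is closed. It does not touch the LocalMachine setting.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

try {
    Import-Module SpeculationControl -ErrorAction Stop
    Get-SpeculationControlSettings
}
catch {
    Write-Warning "Check did not run: $($_.Exception.Message)"
}

# Verify that no persistent scope changed. The Process scope is expected to
# differ, so it is filtered out; an empty result means nothing else moved.
$after = Get-ExecutionPolicy -List
Compare-Object $before $after -Property Scope, ExecutionPolicy |
    Where-Object { $_.Scope -ne 'Process' }
```

If a MachinePolicy or UserPolicy value is set by Group Policy it overrides the Process scope, and `Get-ExecutionPolicy -List` will show that.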
 
The questions I have now are:

1. Is it the O/S that has to manage this?
2. Can it be fixed within the processor logic?
3. Do we have to wait for new processors before buying a new PC?

From https://www.theregister.co.uk/2018/01/05/spectre_flaws_explained/

1 & 2 & 3
CERT in its January 3 vulnerability note for one of the two Spectre CVEs said the solution is to replace CPU hardware, noting, "Underlying vulnerability is caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware."

There are no "fixed" CPUs to drop in place of the vulnerable ones.

1
There are partial software solutions. The OS one is to handle the Meltdown issue and has been issued. Spectre is still to be fixed and some steps are being taken, but nobody has a full answer to it.

In other words: to protect yourself from Spectre Variant 1 attacks, you need to rebuild your applications with countermeasures. These defense mechanisms are not generally available yet. To protect yourself from Spectre Variant 2 attacks, you have to use a kernel with countermeasures, and if you're on a Skylake or newer core, a microcode update, too. That microcode is yet to ship. It's not particularly clear, through all the noise and spin this week, which kernels have been built and released with countermeasures, if any.
 
The most important part of the FAQ at the bottom of the article is this:

What should I do to protect my systems and information?

End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any available updates as soon as practical. Following good security practices that protect against malware in general will also help to protect against possible exploitation of these analysis methods. Some of these include:


  • Maintain control of your computing environment
  • Regularly check for and apply available firmware/driver updates
  • Use hardware and software firewalls
  • Turn off unused services
  • Maintain appropriate user privileges
  • Keep security software up to date
  • Avoid clicking on unknown links
  • Avoid re-using passwords across sites

My take is this is a non-issue for home users. If we do what we're supposed to do all along by using proper antivirus/malware protection, keep the drivers and patches up-to-date, then what's the problem?

The ones to be concerned are big system vendors and datacenters such as Amazon, Google, Microsoft, etc.

The whole shebang reminds me of some of the many other very obtuse security flaws such as those found in the now obsolete Autodesk .flc files. If the user had an animation setup with a totally black screen and clicked in the upper left corner near their screen bezel, he may trigger a vulnerability which would allow access to the file. Ok.

As was said previously if some dweeb security expert was so concerned about the security, why in bloody heck did he blab it to the world? He should have worked quietly with the vendors who could then release patches instead of exposing the flaw so the hackers now have the keys to the backdoor in their hands.




 
Apparently they didn't. It appears one of the Linux kernel developers commented the fix and what it was for in the kernel code; being open source, any one of a lot of distro devs had that code and naturally would look at it before compiling it for their distro, and it was bound to be discussed, which is probably how it got leaked.

Lot of confusion going on as well, with people thinking the Intel Management Engine fix from a couple of months ago is the one for Spectre and Meltdown and wondering why the PowerShell script is saying they are still at risk! Arghh! And people trying to get it for AMD processors when it's got nothing to do with AMD. What a mess.

For anyone who has not installed the Windows update patch please go and read the known issues first here https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892 to avoid screwing up your system or getting failed installs.

Copied below:
Symptom: Update installation may stop at 99% and may show elevated CPU or disk utilization if a device was reset using the Reset this PC functionality after installing KB4054022.

Workaround: Note: This workaround uses c:\temp and the x64 architecture as examples. Update these examples as appropriate for your environment.

  1. Download the appropriate version of KB4054022 for your device architecture from the Microsoft Update Catalog to c:\temp. Then run the commands in the steps below from the administrative command prompt.
  2. Expand the .msu file that you downloaded in step 1.

    mkdir c:\temp
    expand -f:* windows10.0-kb4054022-x64.msu c:\temp
  3. End the existing TrustedInstaller processes and install KB4054022 using the Deployment Image Servicing and Management tool.

    taskkill /f /im tiworker.exe
    taskkill /f /im trustedinstaller.exe
    dism /online /add-package /packagepath:c:\temp\Windows10.0-KB4054022-x64.cab
  4. (Optional) Delete the CBS logs from the Windows Logs directory.

    del /f %windir%\logs\cbs\*.log

Microsoft is working on a resolution and will provide an update in an upcoming release.

Symptom: Windows Update History reports that KB4054517 failed to install because of Error 0x80070643.

Workaround: Even though the update was successfully installed, Windows Update incorrectly reports that the update failed to install. To verify the installation, select Check for Updates to confirm that there are no additional updates available.

You can also type About your PC in the Search box on your taskbar to confirm that your device is using OS Build 16299.125.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Symptom: When calling CoInitializeSecurity, the call will fail if passing RPC_C_IMP_LEVEL_NONE under certain conditions.

Workaround: Microsoft is working on a resolution and will provide an update in an upcoming release.

Symptom: Due to an issue with some versions of Anti-Virus software, this fix is only being made applicable to the machines where the Anti virus ISV has updated the ALLOW REGKEY.

Workaround: Contact your Anti-Virus AV to confirm that their software is compatible and have set the following REGKEY on the machine

Key="HKEY_LOCAL_MACHINE"
Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"

How to get this update

This update will be downloaded and installed automatically from Windows Update. To get the standalone package for this update, go to the Microsoft Update Catalog website.
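
A read-only check of the anti-virus compatibility value and patch state described in the known issues above (added example, not Microsoft's code). The key path, value name and KB number are the ones quoted in the post; the function name `Test-AvCompatKey` is hypothetical:

```powershell
# Added example. Reads state only; it does not create or change the key.
$QualityCompat = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName     = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-AvCompatKey {
    param([string]$Path, [string]$Name)
    # True only when the value exists, is a REG_DWORD, and its data is 0,
    # matching Type="REG_DWORD" / Data="0x00000000" in the table above.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $Name) { return $false }
    $isDword = $key.GetValueKind($Name) -eq [Microsoft.Win32.RegistryValueKind]::DWord
    return ($isDword -and ($key.GetValue($Name) -eq 0))
}

# OS build as shown under "About your PC" (build number plus revision).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Get-HotFix writes an error when the KB is absent, so suppress it and
# treat "nothing returned" as not installed.
$kb = Get-HotFix -Id 'KB4056892' -ErrorAction SilentlyContinue

[pscustomobject]@{
    AvCompatKeySet     = Test-AvCompatKey -Path $QualityCompat -Name $ValueName
    OsBuild            = "$($cv.CurrentBuild).$($cv.UBR)"
    KB4056892Installed = [bool]$kb
}
```

If `AvCompatKeySet` is False, the known-issues text above says to contact the anti-virus vendor; the update is only offered once their software has set the value.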
 
The Meltdown issue was disclosed to Intel etc in June 2017 hence why Microsoft were testing the fix as part of the Windows 10 Insider program (public beta testing) in October 2017 and Apple in November.
Every company involved had ample time to get the fixes ready and tested before it became public knowledge. Indeed given how many companies knew, it is surprising that the public only became aware 6 days before the planned marketing departments coordinated news releases.
 
Interesting source of the leak, and not the usual suspected path!

I've had no problems installing the KB4054517 update, which came down in December - 12 December to be exact along with updates for MS Office as well.

I can see the confusion, though it does affect the latest Ryzen processors from AMD as well as others. I think the whole industry is confused including the vendors as they scramble to come up with fixes. It's like someone pulled the rock off an ant nest and the bugs are scrambling to safety.

I think that once the dust settles, we'll find very little has changed if anything at all. After applying the latest patches, my system has performed the same as it has all along at least as far I can tell.
 
I believe that the major concern in all this is the Android OS system. Android is nearly 90% of the mobile phone market by way of sales. In that, millions do their banking and exchange other personal information daily on their phone. However, there seems to be a lack of information in regard to what versions of the operating system will get the update securing the phones.

It is being reported that only devices running Android 4.3 and above will be updated, but there seems to be much confusion between Google and the manufacturers as various companies give different information.

Best advice at the moment would seem to be that if you are running a phone with an Android version below 5.0, check to see if it has received the update. If not, restrict what you carry out on the device.
Bill
 
Of more concern to me is the newly discovered leak from under our kitchen sink!

Rob.
 
....I think the whole industry is confused including the vendors as they scramble to come up with fixes. It's like someone pulled the rock off an ant nest and the bugs are scrambling to safety.

I think you nailed it with that one John. If nothing else, it's given the on-line computer experts something to talk about during the silly season.

...
I think that once the dust settles, we'll find very little has changed if anything at all. After applying the latest patches, my system has performed the same as it has all along at least as far I can tell.

As mentioned elsewhere, I managed to mess up my Win10 installation recently. I eventually reinstalled Windows and the boot up time increased dramatically but as I reloaded all my software it got slower and slower because of all the crap that thinks it needs to phone home, monitor my activities, or constantly check for updates that maybe come out once per year. The alleged 30% reduction is nothing compared to that.
 
Didn't think that vulnerabilities to Spectre and Meltdown would apply to GPUs, but today I updated my NVidia card with the latest WHQL drivers (390.65) which includes mitigations for a variant of Spectre.
Details here: https://www.anandtech.com/show/1227...ql-driver-includes-spectre-mitigation-updates

Didn't notice any difference in speed whilst running T:ANE - Still getting a steady 60FPS on moderately scenic routes with large numbers of AI consists going about their business with all of the Performance settings turned right up/ VS set to 'Full'.
My main concern will be when there are patches available for my Haswell-based Intel i7 4790K. These older generation CPUs are apparently impacted more than recent 6th and 7th generation ones.
 
Interesting, I'll follow that up.

This morning I got an e-mail from Ashampoo, which is a company that sells utilities, and I have a few of their products. Their marketing can be a bit annoying but I put up with it.

They are offering a free utility to check if you are vulnerable to the Spectre or Meltdown problem and I tried it out. It seems I am vulnerable to Spectre but not Meltdown. Maybe I should call in James Bond. :D

The link to the test is https://www.ashampoo.com/uk/gbp/lpa/spectre-meltdown-cpu-checker and I think it is safe, and worked for me but, as always, run at your own risk. There is a link to a page suggesting what you can do about any vulnerabilities. Updating drivers, bios, browsers and having a decent virus checker are the usual safeguards.

Later I'll check my video drivers and run the test again if later drivers are available. What I'm really looking for is a BIOS update.
 
Yup, I've tolerated the spam from Ashampoo for many years now too 'cos, occasionally, they offer something worthwhile...
Agree that the main fix for a hardware-based kernel vulnerability is most likely going to be an OS and/or BIOS level revision/ update, though any susceptible application software still needs to be addressed via patches.

Edit Update: Just learned that, since the Meltdown error is baked into the architectural design of 64-bit Intel chips (dating back as far as the Penryn, Merom processors of 2006!) an OS fix - and not a BIOS fix - is the only effective way to resolve this issue.
Hopefully, new chip designs will not have this structural, speculative execution flaw affecting virtualisation, kernel and virtual memory.
 
Looks like the Asus motherboard bios updates are starting to come through. I just updated my Maximus viii Hero Alpha to v 3703 without any issue ....so far:confused:.
 
Asus Z370 and Z270 boards appear to have been done, Z170 boards have half been done, waiting on a Z170-P Bios here and a couple of others that probably won't get done for ages if they even do.
 