Live Updates: Intel Chip Flaw

19th January, 2018

(Update: January 19, 2018, 3:00 AM ET)

Datacentres, brace yourselves!
Modern datacenter switch architectures use various server processors and are at risk from the Meltdown and Spectre flaws. The same applies to storage arrays and clustered storage servers.
Industry experts are speculating that the flaws will drive datacentres towards cloud and enterprise solutions built on non-Intel servers. IT migration to cloud-based platform-as-a-service (PaaS) and software-as-a-service (SaaS) applications is also expected to take place soon.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 18, 2018, 9:00 AM ET)

Microsoft releases patches again
Microsoft has released new updates for Windows 10 after resolving the problem in the Intel chip flaw mitigation that caused some AMD systems to become unbootable. Users of AMD PCs can also install these updates. A cumulative update for Windows 10 version 1709, aka Fall Creators Update, with the label KB4073290 brings the build number up to 16299.194.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 18, 2018, 5:00 AM ET)

Intel says patches might cause troubles
Intel VP Navin Shenoy said in a blog post that the recent patches released to mitigate the chip flaws might cause computers with newer chips to reboot more frequently. He also said firmware-updated PCs with Ivy Bridge, Sandy Bridge, Skylake, and even Intel’s most recent Kaby Lake processors are all affected.

Industrial systems, struggling to patch
Vendors of industrial systems have started responding to the Meltdown and Spectre flaws. Reportedly, at least 12 vendors have told ICS-CERT they use vulnerable processors. However, it is expected that this number will increase further.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 17, 2018, 6:00 AM ET)

Oracle issues patches
Oracle issued security patches that would protect devices from the Meltdown and Spectre flaws. The critical patch contains 237 new security fixes across several Oracle products.

VMware rolls back patches
VMware rolled back a recently-issued Intel microcode security upgrade, as updated systems were experiencing unexpected reboots when running the Intel firmware upgrade.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 16, 2018, 3:00 AM ET)

Apple sued over Intel chip flaws
A class action complaint has been filed against Apple in a U.S. district court in San Jose on behalf of anyone who purchased a device with an ARM-based processor designed by Apple--this includes Bionic chips ranging from A4 to A11 used in iPhone, iPad, iPod touch, and Apple TV models.
As per the complaint, Apple had known about the design defects since at least June 2017 but did not disclose them to the public, putting users' security in danger.

Federal response on the bugs
Federal officials are playing a pivotal role in supporting private companies and ensuring information sharing between government and private sector. This move by the Fed has been highly applauded by lawmakers and industry sources.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 15, 2018, 5:00 PM ET)

Phishing sites sending malware disguised as patches
Scammers are taking advantage of the fear around the Meltdown and Spectre security vulnerabilities to launch phishing campaigns. An SSL-enabled website has been discovered sending malware disguised as security updates for these flaws. Though the site is not affiliated with any legitimate or official government entity, it appears to be coming from the German Federal Office for Information Security (BSI).

There might be more flaws like Spectre!
The CEO of Arm Holdings, Simon Segars, said that there might be more flaws like Spectre which haven't been discovered yet. It is possible that threat actors might find other ways to exploit systems which had otherwise been considered completely safe.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 14, 2018, 5:00 PM ET)

Where are Oracle patches?
Oracle is yet to comment on whether or not the Meltdown and Spectre flaws affect its SPARC hardware and x86 cloud. However, the company’s list of patches to be released on its quarterly patch dump due on Tuesday, January 16th lists around 97 products including Oracle X86 Servers, versions SW 1.x and SW 2.x.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 12, 2018, 5:00 AM ET)

Intel patches have bugs
Intel issued patches for the latest security vulnerabilities. However, bugs present in these updates can cause older Broadwell and Haswell processors to reboot more often than normal.
Intel stated that they have received reports of the bugs and are working towards mitigation. The company also requested its cloud computing customers to hold off installing patches until the bugs have been fixed.

No performance impact on Cloud
Google released a statement saying that mitigation released for Meltdown and Spectre flaws has shown no perceptible impact on cloud. No customer downtime or performance degradation was reported due to Google Cloud Platform’s Live Migration technology.

Sony Xperia released patches
Sony Xperia XA1 and the Xperia XA1 Plus received the January security patches in build numbers 40.0.A.6.189 and 48.0.A.1.131 respectively.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 11, 2018, 2:00 PM ET)

Microsoft releasing new round of firmware updates
Microsoft is releasing a set of Surface firmware updates to the Surface Book 2, Surface Laptop, Surface Studio, Surface Book, and Surface Pro 4. These updates include mitigation to security vulnerabilities and Microsoft security advisory 180002.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 11, 2018, 9:00 AM ET)

Vulnerable Chromebooks
Google has published a list of Chromebooks that are vulnerable to the two flaws.

AdwCleaner faces issues after applying patches
After installing the new Linux kernel with the KPTI backport, a 10% to 15% increase in CPU usage has been observed. As these servers do not take advantage of PCID, the variation in performance might not be as apparent.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 10, 2018, 10:00 AM ET)

Nvidia releases patches
Nvidia earlier claimed that it is unaffected by the Meltdown vulnerability, but the company's GPUs were affected by the Spectre flaw. Nvidia has, however, released security patches for the vulnerabilities in its latest set of graphics drivers.

Patches are available for GeForce graphics cards, and Quadro and NVS GPUs, running on Windows and Linux. Tesla and Grid driver updates are to be delivered later in January.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 10, 2018, 3:00 AM ET)

Servers are slowing down!
Even though Intel claimed only a 6% hit on performance in their CPUs, SYSmark tests assessing post-patch slowdown showed a range from 2% to 14%. Most of the consumer and business computing relies on cloud-based servers--which showed a slowdown in response time and increase in CPU utilization.

Are you a Windows admin? You NEED to read this!
Manufacturers have already released security patches for the Meltdown and Spectre flaws. Though these patches can mitigate threats from these vulnerabilities, long-term solutions involve fundamental changes to CPU design. However, to ensure the PCs in your business are safe, it is important to have a response plan.

Here are the four things that require your concern:
1) You might have to install firmware updates
Most security flaws can be patched through UEFI firmware and BIOS updates. Hence, keep a look-out for firmware updates to be installed. In case you are using third-party hardware, you will have to check beforehand whether your devices are eligible for a firmware update.
Follow the PC maker's support site for information about available updates.

2) Find and replace outdated hardware
Have a strategy in place to detect older devices (even if they are only 4 years old), retire and replace them with newer, faster versions.

3) Always have a patching strategy
Test updates before installing them--this will help you check if the updates are causing any issues.

4) Examine your security infrastructure
Keep track of how your security software vendors are handling the updates. If you aren't satisfied with their actions and security policies, don't hesitate to report to senior executives. Also re-examine your security infrastructure, which allows you to monitor for potential breaches and intrusions, to confirm that it is functioning properly.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 9, 2018, 4:00 PM ET)

Only a 6% hit!
Intel stated that security patches installed on its CPUs (8th Generation Core platforms with solid state storage) have only slowed them down by 6% or less. Intel released this report based on its most recent PC benchmarking and noted that the performance impact shouldn't be significant for average computer users. Also, since any hindrance to performance will only take place when a device takes on specific tasks, common tasks such as accessing emails, writing in docs, or opening files shouldn't be affected.

Monero mining isn't affected
A spokesperson from Coinhive stated that patches issued for Meltdown vulnerabilities haven't affected Monero mining in the least. He also said that in his understanding, these security patches don't affect mining speed at all.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 9, 2018, 3:00 AM ET)

Microsoft pauses security patches
Microsoft has paused the release of Meltdown and Spectre patches for AMD PCs after users reported issues during PC boot up. The company is blaming AMD’s documentation for the unexpected problems.
Microsoft is working with AMD to fix the problems and will resume releasing updates soon.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 8, 2018, 10:00 PM ET)

Intel creates a new group
Amid the bug crisis that's going on, Intel announced that the company is creating a new group--called Intel Product Assurance and Security--to focus on hardware security. Prominent executives have been reassigned to the group. A memo has been sent by CEO Brian Krzanich to all employees regarding the change.

Intel's CEO speaks about the issue
Speaking at Intel’s big CES keynote, CEO Brian Krzanich noted that the company expects to release security patches for more than 90% of the processors and products introduced in the past five years, within a week. He also expected the remaining updates to be released by the end of January.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 8, 2018, 5:00 AM ET)

Windows KB4056892 patch bricks AMD Athlon-powered machines
Users claim that the Windows security update KB4056892 released by Microsoft bricks some AMD-powered PCs. These PCs don't boot and just display the Windows startup logo. After several failed boots, the PCs do a roll-back and display error 0x800f0845. Users also reported that re-installing Windows 10 doesn't solve the problem. Also, since the fix doesn’t create a recovery point, roll-back in some cases is not accessible.
For now, users can only disable the Windows update and wait for a solution to be released by Microsoft.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 8, 2018, 1:00 AM ET)

WISeKey's Semiconductor products are immune!
WISeKey announced that their products are totally immune to the Meltdown and Spectre flaws. Chief Executive Officer and founder of the company, Carlos Moreira, commented that their security solutions have been specifically designed to render such attacks ineffective.

Fortnite servers face downtime
Fortnite is facing issues with the latest CPU patches installed to fix the affected Intel CPUs. As the servers are heavily reliant on cloud services, the company is expecting further service issues. A developer from Fortnite added that they are working with their Cloud service providers to prevent further downtime.

HP going to release BIOS fixes
HP has not yet pushed BIOS fixes to tackle the two security bugs; however, users are reporting that the company has updated the BIOS for some of its laptops on its website, and that a PowerShell verification script confirms these updates include a fix. Customers are advised to keep checking HP’s support website for updates to their BIOS.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 7, 2018, 9:00 AM ET)

Singapore Telcos moving fast
Telcos in Singapore, including Singtel, StarHub and M1, said that they are working furiously towards applying security patches for the recently discovered bugs. Major banks such as DBS Bank, OCBC Bank and UOB also remarked that they are installing all the software updates as part of their routine risk management process.
The companies urged all their users to update their systems as soon as possible.

Raspberry Pi, not vulnerable!
Good news for consumers: Raspberry Pi is not vulnerable to the Meltdown and Spectre flaws. Both vulnerabilities exploit performance features, such as caching and speculative execution, to leak data via side-channel attacks. Because Raspberry Pi uses particular ARM cores, it remains unaffected.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 6, 2018, 2:00 AM ET)

How's Red Hat dealing with this?
The Chief ARM Architect at Red Hat, Jon Masters assured that their updates follow Red Hat policy of security by default, and will be installed in systems after a thorough risk analysis. Reduction in performance will depend primarily on the workload of the machine.
He also noted that the Meltdown and Spectre flaws are not as big a deal in the longer term as they are being made out to be. He said the two vulnerabilities are architecture agnostic and Intel got a lot of unfair attention.

Qualcomm
Qualcomm confirmed that its processors--including Arm-compatible Snapdragon system-on-chips and newly released Centriq server-grade processors--can be affected by the Meltdown and Spectre vulnerabilities. A spokesperson from the company reported that they are working towards releasing mitigations and requested users to update their systems regularly to install the security patches.

IBM
IBM noted that firmware updates will be released next week for its POWER CPUs.

-------------------------------------------------------------------------------------------------------------------------------------

(Update: January 5, 2018, 6:00 PM ET)

Cisco releases patches
In a statement, Cisco noted that attackers will have to run crafted code on an affected device in order to exploit these flaws. Since the majority of Cisco products are closed systems, they don't allow custom code. However, a few OS and CPU combinations used in some products might leave them vulnerable.
Users must note that Cisco products deployed as a virtual machine could be targeted by such attacks if the hosting environment is vulnerable. The company also recommended all its customers secure their virtual environment and ensure security patches are updated.

Ubuntu
Ubuntu, the most popular Linux distribution, assured users that it will release patches for these vulnerabilities by January 9th. The company was informed about the vulnerability in November 2017 and has been working on a fix ever since.

Users of the 64-bit x86 architecture (aka amd64) can expect patched kernels; it’s unclear what will happen with 32-bit installs, though. The updates will be available for the Linux 4.13 HWE kernel on Ubuntu 17.10, for Linux 4.4 (and 4.4 HWE) on Ubuntu 16.04 LTS, for Linux 3.13 on Ubuntu 14.04 LTS, and for Linux 3.2 on Ubuntu 12.04 ESM; keep in mind that an Ubuntu Advantage license is required for Ubuntu 12.04 ESM because the release is past its end-of-life.


---------------------------------------------------------------------------------------------------------------------------------------

(Update: January 5, 2018, 12:00 PM ET)

Intel is facing class action suits
At least three class action lawsuits were filed against Intel over Meltdown and Spectre by owners of Intel CPU-based computers. The suits allege that Intel learned about the vulnerabilities several months ago and that the security patches released by Intel will affect computer performance.

Google published new coding technique
Called Retpoline, this is a new coding technique that can be deployed to prevent Spectre attacks. Google says that it has negligible impact on performance when compared to other patches rolled out. The technique is described as a binary modification technique. Google has already deployed Retpoline for the Linux-based servers in its private data centers.

How does it work: As per researchers, Retpoline creates a loop that doesn't get called in the actual code but keeps the CPU from entering speculative execution--a code optimization technique in all modern CPUs--the root cause of the Meltdown and Spectre attacks.

---------------------------------------------------------------------------------------------------------------------------------------

(Update: January 5, 2018, 10:00 AM ET)

Vivaldi
The company tweeted earlier today anticipating that Chromium will mitigate any potential exploit on the browser side. Meanwhile, users can also enable "Strict site isolation" by navigating to vivaldi://flags.
Strict site isolation is a security feature that separates sites into different processes, thereby making it more difficult to exploit hardware problems.

Opera
Opera hoped to release browser updates with workarounds by the end of January. The company also urged its users to enable Strict site isolation until then.

---------------------------------------------------------------------------------------------------------------------------------------

(All that has been reported till January 5, 2018, 9 AM ET)

Vulnerabilities affecting almost all CPUs released since 1995!
Two vulnerabilities--dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715)--were found affecting every processor released since 1995. As per Google, these issues allow an unauthorized attacker to steal data which is currently processed on the computer, including passwords stored in a password manager or browser, personal files, emails, messages and confidential documents.
According to Google Project Zero researchers, vectors known for exploiting the flaws are identified as Bounds Check Bypass (CVE-2017-5753), Branch Target Injection (CVE-2017-5715) and Rogue Data Cache Load (CVE-2017-5754).

What systems are affected?
Affected systems include all major chipset vendors (Intel, AMD, ARM), all major operating systems (Windows, Linux, macOS, Android, ChromeOS), cloud providers (Amazon, Google, Microsoft), and application makers.

What's the difference between Meltdown and Spectre?
  • Meltdown is Intel-only and takes advantage of a privilege escalation flaw allowing kernel memory access from user space, meaning any secret a computer is protecting (even in the kernel) is available to any user able to execute code on the system.
  • Spectre applies to Intel, ARM, and AMD processors and works by tricking processors into executing instructions they should not have been able to, granting access to sensitive information in other applications’ memory space.


When were the bugs discovered?
Jann Horn, a Project Zero researcher at Google, first discovered the flaws, Meltdown and Spectre, based on previous academic research published by researchers from the Graz University of Technology, Cyberus Technology, and others. These bugs were reported to CPU vendors in June 2017.
Horn describes these issues as hardware bugs that will need both firmware patches from CPU vendors and software fixes from both OS and application vendors.

How were the bugs discovered?
Horn discovered that the actual flaws reside in a technique called speculative execution--a basic optimization technique that processors employ to carry out computations for data they speculate may be useful in the future. The purpose of speculative execution is to prepare computational results and have them ready if they're ever needed. If an application does not need the speculated data, the CPU just disregards it. This method is employed by all modern CPUs.
Horn discovered a way to use speculative execution to read data from the CPU's memory that should not have been available to user-level apps. Three flaws were discovered in the process and combined in two attacks, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715).



First public disclosure
Details of the flaw were planned to be released on 9th January, by both Intel and Google, after more security patches for these issues were developed. However, owing to the difficulty in detecting these intrusions, as it would not leave any traces in log files, researchers were forced to release early reports of the vulnerabilities on January 3rd.
Google had already informed companies about the Spectre flaw on 1 June 2017 and the Meltdown flaw before 28 July 2017.

Mozilla, first to react
Researchers at Mozilla confirmed that Meltdown and Spectre CPU flaws can be exploited by embedding attack code via web content (for instance, through JavaScript files), and extract private information from users visiting a particular web page.

Details of the two vulnerabilities had already been shared with Mozilla in 2017, and by mid-November, Firefox 57 was released including workarounds. By reducing the precision of Firefox's internal timer functions, the attack’s efficiency can be reduced.

Statement released by Mozilla:
Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. This includes both explicit sources, like performance.now(), and implicit sources that allow building high-resolution timers, viz., SharedArrayBuffer.

Specifically, in all release channels, starting with 57:
 - The resolution of performance.now() will be reduced to 20µs.
 - The SharedArrayBuffer feature is being disabled by default.



Microsoft issued patches
Even though Microsoft was holding back the patches until 9th January (on Patch Tuesday), early release of the report forced the company to roll out Windows security updates.
Systems using Windows 10 will automatically get updates with security patches, while Windows 7 and 8 users need to wait until patches are released.
These mitigations might impact performance, depending on various factors--such as the specific chipset in the physical host and the workloads that are running.
The following server categories are at increased risk:
  • Hyper-V hosts
  • Remote Desktop Services Hosts (RDSH)
  • Physical hosts or virtual machines that are running untrusted code

Problem with antivirus:
A few third-party antivirus applications proved incompatible with the released patches because they make unsupported calls into Windows kernel memory, causing bluescreen errors. Hence, Microsoft released patches only to devices running antivirus software from partners who have confirmed their software is compatible. Individuals using other antivirus products need to check if the product has been updated.

If you aren’t willing to search the antivirus product’s website, look for the following registry key on your system:
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"
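
The registry check described above, as an added example that is not part of the original page or Microsoft's own tooling: a PowerShell function that reports whether the QualityCompat key exists, whether the listed value is present, and whether it has the REG_DWORD type. The function name Get-QualityCompatStatus and the output property names are hypothetical; the key path and value name are the ones listed above.

```powershell
# Added example: look for the antivirus-compatibility registry value named on this page.
# Key path and value name are taken from the page; everything else is illustrative.
$QualityCompatPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-QualityCompatStatus {
    [CmdletBinding()]
    param(
        [string]$Path = $QualityCompatPath,
        [string]$Name = $QualityCompatName
    )

    # Start from "nothing found" so every failure path returns a complete record.
    $status = [ordered]@{
        Computer     = $env:COMPUTERNAME
        KeyPresent   = $false
        ValuePresent = $false
        ValueKind    = $null
        IsDword      = $false
    }

    # Get-Item on the registry provider returns a Microsoft.Win32.RegistryKey.
    # A missing key is an expected outcome here, not an error.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -ne $key) {
        $status.KeyPresent = $true

        # The value name must match exactly; -contains compares case-insensitively.
        if ($key.GetValueNames() -contains $Name) {
            $status.ValuePresent = $true

            # The page lists the type as REG_DWORD, so a value of any other
            # kind (for example a string) is reported as not matching.
            $kind = $key.GetValueKind($Name)
            $status.ValueKind = $kind.ToString()
            $status.IsDword   = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    }

    [pscustomobject]$status
}

$result = Get-QualityCompatStatus
$result | Format-List

if ($result.IsDword) {
    'QualityCompat value found with type REG_DWORD.'
}
elseif ($result.ValuePresent) {
    "QualityCompat value found, but its type is $($result.ValueKind), not REG_DWORD."
}
else {
    'QualityCompat value not found: check whether the antivirus product has been updated.'
}
```

Because the function returns an object rather than text, the same call can be collected from many machines and filtered on IsDword to list hosts where the value is missing.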

Intel
The company announced that security patches and firmware updates, for all types of Intel-based computer systems, have been released to secure against two major CPU bugs. However, Intel’s Itanium server chips and Atom processors remain unaffected. Users are encouraged to enable automatic updates of their operating systems.

ARM
ARM said that only its Cortex-A75 processors are affected by Meltdown and Spectre. Other products and future processors are not affected.
The company provided kernel patches for Linux users. Customers using other operating systems need to check with respective OS vendors.

AMD
The company claims that they are only affected by Spectre vulnerabilities (CVE-2017-5753 and CVE-2017-5715), and the issue will be addressed via OS updates made by system vendors.

Google
Mitigations for the issues have been released in various Google products. In a few instances, users will have to take additional steps, such as patching or updating the environment.


Apple
Apple released mitigation in iOS 11.2, macOS 10.13.2, and tvOS 11.2. Safari is still susceptible to Spectre, and mitigations will be released in the coming days.


What is KAISER?
Researchers at the Graz University of Technology in Austria, who specialize in side-channel attacks (attacks that use data gleaned from the physical implementation of a system rather than a software flaw), came up with a scheme to mitigate such exploitation. This scheme, called KAISER, prevents user applications from accessing kernel memory spaces by separating kernel memory spaces in the processor cache.
Nevertheless, KAISER cannot be used as a general mitigation step against Spectre.

How do I ensure I am safe?
Users are advised to make sure their software and firmware are up-to-date, now that manufacturers are releasing security patches for these issues. Additionally, make sure you follow cybersecurity practices, such as using a strong password and enabling two-factor authentication on all accounts.

Don’t open multiple tabs!
Cert NZ director Rob Pope confirmed it was "theoretically possible" that if someone was using multiple tabs in a browser, an attacker might be able to use the Spectre vulnerability identified by Google via one of the tabs "to access information on other open tabs in the browser, for example internet banking information".