Live Updates: Intel Chip Flaw

(Update: May 24, 2018, 5:00 AM ET)

Intel's patches might slow down your system
Intel released mitigation for the recently disclosed CPU flaws, Variant 3a and Variant 4. The patch has already been made available for original equipment manufacturers (OEMs) and system software vendors. It is upto them whether or not to apply these patches. Intel also warned all users that these patches might result in slowing down of systems.

----------------------------------------------------------------------------------------------------------------------------

(Update: May 23, 2018, 4:30 AM ET)

Intel releasing patches
Intel is all set to release security patches for the two bugs disclosed recently. The two vulnerabilities—CVE-2018-3640, identified as Rogue System Register Read, and CVE-2018-3639, identified as Speculative Store Bypass—could potentially enable an attacker to read arbitrary system memory on a vulnerable system.

Source: http://www.eweek.com/security/intel-set-to-patch-two-new-meltdown-spectre-vulnerabilities

----------------------------------------------------------------------------------------------------------------------------

(Update: May 22, 2018, 4:30 AM ET)

Another Intel security flaw!
Yet another chip flaw has been discovered by security researchers at Microsoft and Alphabet’s Google. The newest chip problem, known as Speculative Store Bypass aka Variant 4, affects many chips from Intel, AMD and ARM holdings. The vulnerability isn't considered critical as web browser patches have already been issued to address the flaw.

Exploiting this vulnerability will give hackers access to sensitive information stored in system memory. Intel announced that it intends to issue a fix for Variant 4 in the coming weeks. ARM and AMD are also issuing patches for their respective chips.

----------------------------------------------------------------------------------------------------------------------------

(Update: May 17, 2018, 4:00 AM ET)

More Microsoft updates
The company rolled out Intel firmware updates with Windows 10 April 2018 Update (version 1803). The update, Windows 10 KB4100347 is only available for PCs with Intel processors and includes more mitigations for the Spectre Variant 2 vulnerability. The update gets automatically downloaded in PCs that have automatic updating in Settings. You can also download it from the Microsoft Update Catalog.

----------------------------------------------------------------------------------------------------------------------------

(Update: May 11, 2018, 4:00 AM ET)

AMD releases firmware patches
AMD has released motherboard updates to fix the Spectre exploits. Users don't have to download the updates, they are automatically released as a new BIOS that improves on the previous one.

Misinterpreted Intel documentation
Microsoft, Apple, Linux and some of the major operating system vendors apparently misinterpreted a Linux documentation about a hardware debugging feature. This led to users being left exposed to a critical flaw. Identified as CVE-2018-8897, the flaw was publicly reported on May 8, though impacted vendors were notified on April 30 and have already released patches.

----------------------------------------------------------------------------------------------------------------------------

(Update: May 7, 2018, 4:00 AM ET)

Asus patches vulnerabilities
Asus has released new firmware updates for several boards based on Intel's 9-series chipsets. Among those are socket LGA1150 motherboards for Intel's 4th generation Haswell and 5th generation Broadwell processors, such as the Z97-A/USB 3.1. Asus also has updated BIOSes available for its enthusiast X99 (socket LGA2011) motherboards like the ROG Strix X99 Gaming and ROG Rampage V Edition 10.

Source: https://www.pcgamer.com/asus-patches-older-intel-motherboards-to-protect-against-spectre-and-meltdown/

----------------------------------------------------------------------------------------------------------------------------

(Update: May 4, 2018, 4:00 AM ET)

Intel gears up to patch Spectre-ng
The eight new Spectre-like vulnerabilities as reported by C'T magazine will be disclosed by Intel in the near future. Intel classified four of these vulnerabilities as high risk. Even though the company hasn't directly addressed the vulnerabilities, it has confirmed the reservation of Common Vulnerabilities and Exposures (CVE) numbers. The Spectre Next Generation patches will supposedly be provided in two waves: The first in May and the second in August.

----------------------------------------------------------------------------------------------------------------------------

(Update: May 3, 2018, 5:30 AM ET)

Spectre-ng vulnerabilities
Security researchers have discovered eight new vulnerabilities that resemble Spectre. These new vulnerabilities are identified in Intel processors and are named Spectre-ng. While technical details are missing, the attack scenarios resemble close to what the Spectre vulnerabilities are. 

Did AMD ship vulnerability patches?
In March, CTS Labs released information on AMD's chip vulnerabilities, dubbed Ryzenfall, that are said to be present in the most basic aspects of the Ryzen and EPYC processors. Recently, CTS Labs expressed concerns about the lack of updates from AMD regarding these vulnerabilities.
Regarding the issue, AMD released a statement:
Within approximately 30 days of being notified by CTS Labs, AMD released patches to our ecosystem partners mitigating all of the CTS identified vulnerabilities on our EPYC™ platform as well as patches mitigating Chimera across all AMD platforms. These patches are in final testing with our ecosystem partners in advance of being released publicly. We remain on track to begin releasing patches to our ecosystem partners for the other products identified in the report this month. We expect these patches to be released publicly as our ecosystem partners complete their validation work.

Source: https://www.tomshardware.com/news/amd-vulnerability-patches-ecosystem-partners,36993.html

----------------------------------------------------------------------------------------------------------------------------

(Update: April 30, 2018, 5:30 AM ET)

Did Meltdown and Spectre really hurt Intel?
Intel reported its record first quarter revenue of 2018 of $16.1 billion, despite major setbacks due to the Meltdown and Spectre flaws. This is a 13% increase from the same quarter last year despite having one of the most massive security flaws in history. The company is raising its full-year revenue projections by $2.5 billion to $67.5 billion.

Chrome OS version 66
A new Chrome OS version was released completely mitigating the Meltdown flaw. Chrome OS 66 also gets the same ability to block automatically playing media. 

----------------------------------------------------------------------------------------------------------------------------

(Update: April 26, 2018, 4:00 AM ET)

Microsoft releases patches for Spectre v2
Two new Windows updates, meant to mitigate the Spectre v2 (CVE-2017-5715) vulnerability have been released by Microsoft. The first, KB4078407 is a Windows Update package that is available via the Microsoft Update Catalog; and the other, KB4091666 is for Intel users only and can be manually downloaded from the Microsoft Update Catalog portal.

Patch against Total Meltdown now
Security researchers have identified that the source code for the Total Meltdown vulnerability is now on GitHub, putting 64-bit versions of Win7 and Server 2008 R2 at risk. This flaw can be exploited in the wild, at any time. Users are advised to install all the 2018 updates, including KB 4100480, 4093108 or 4093118 patches to stay safe.

----------------------------------------------------------------------------------------------------------------------------

(Update: April 25, 2018, 5:00 AM ET)

Total Meltdown exploit code is on GitHub
The security vulnerability, Total Meltdown, introduced by Microsoft for 64-bit Win7 and Server 2008 R2 now has working proof-of-concept code and can be easily downloaded from GitHub. Even though no exploits have been registered in the wild, security researchers are speculating that it is only a matter of time before someone abuses the code.

----------------------------------------------------------------------------------------------------------------------------

(Update: April 20, 2018, 5:00 AM ET)

CrowdStrike declared itself a winner for unveiling MeltiKatz
For unveiling a new Meltdown exploit, dubbed MeltiKatz, CrowdStrike awarded itself the winner of the company’s 2018 Hacking Exposed Oscars. Even though the company didn't release technical specifications for MeltiKatz, the demo showcased various capabilities of the flaw.

Oracle fixes Spectre-like flaws
In its April security update, Oracle released security patches for lingering Spectre-like vulnerabilities in Solaris systems – specifically, CVE-2017-5753, also known as Spectre variant 1. Oracle's MySQL, the update will have patches for 33 flaws, of which, two are remotely exploitable (CVE-2018-2761 and CVE-2017-3737).

----------------------------------------------------------------------------------------------------------------------------

(Update: April 19, 2018, 3:00 AM ET)

Spectre conference at RSA
In the recent RSA conference, Kocher, an independent security researcher and consultant--who is one among the two people who discovered the Spectre flaws in 2017--shared his thoughts on the mitigation efforts and the vulnerability disclosure process. According to Kocher, the flaw is so deeply ingrained in modern processor design that it's virtually impossible to remove. "If you build a processor the way textbooks tell you to do it to make it fast, you're going to build an insecure processor as a consequence," he said.

Source:
https://searchsecurity.techtarget.com/news/252439395/Paul-Kocher-weighs-in-on-Spectre-flaws-vulnerability-disclosure

Chrome 66 has inbuilt mitigation for Meltdown and Spectre flaws
The new version 66 of Chrome, launched with Site Isolation, has inbuilt patches for a number of security vulnerabilities including the Meltdown and Spectre flaws. The new version also stopped trusting website certificates issued by Symantec before June 1, 2016.

----------------------------------------------------------------------------------------------------------------------------

(Update: April 18, 2018, 4:00 AM ET)

Graphics Power to detect malware
Following the catastrophe caused by Meltdown and Spectre flaws, Intel and Microsoft have implemented new techniques to use Graphic Power in order to detect malware in memory. One such feature is Accelerated Memory Scanning which taps into the processing power of the integrated GPUs found on many Intel chips. Microsoft will make use of Accelerated Memory Scanning by integrating it into the Windows Defender Advanced Threat Protection antivirus tool.

Source:
https://www.theinquirer.net/inquirer/news/3030315/intel-and-microsoft-will-use-graphics-power-to-detect-cyber-threats-in-memory

----------------------------------------------------------------------------------------------------------------------------

(Update: April 17, 2018, 5:00 AM ET)

Intel at RSA
Intel unveiled new features, at the ongoing RSA conference, designed to improve the efficiency of computers with security programs designed to detect and block hackers. The first feature--called advanced memory scanning--will be used in Advanced Threat Protection, a part of Microsoft's Windows Defender that seeks out hard-to-detect attacks as they happen on a computer system. The second Intel tool, called advanced platform telemetry, speeds up security programs that run on networking technology and will be used in a product called the Cisco Tetration Platform.

Source:
https://www.cnet.com/news/intel-our-chips-can-make-you-safer-no-really-spectre-meltdown-microsoft/

Broader silicon-level security improvements
Intel is also planning on revealing two threat detection enhancements and a cybersecurity education initiative as part of adding broader silicon-level security improvements to its processors.

----------------------------------------------------------------------------------------------------------------------------

(Update: April 12, 2018, 6:30 AM ET)

AMD's Spectre fixes
AMD notified that CPU firmware and Windows 10 patches are available to secure systems against Spectre security flaw. Users can now download these patches and BIOS updates, which coincided with Microsoft's April Patch Tuesday fixes. AMD said that its Spectre microcode updates date back to the first “Bulldozer” core products introduced in 2011.

----------------------------------------------------------------------------------------------------------------------------

(Update: April 5, 2018, 6:30 AM ET)

DARPA is trying to avoid flaws
The Defense Advanced Research Projects Agency is trying to develop new hardware security tools to catch and avoid flaws like Meltdown and Spectre before they are deployed. A contract has been drawn with the Tortuga Logic, as part of a DARPA hardware and firmware program that strives to make chips more secure at the “microarchitecture level.” 

Intel Microcode revision guidance
Intel has released a report on availability of microcode updates planned by the company. You can find the list of updates at:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf

----------------------------------------------------------------------------------------------------------------------------

(Update: April 4, 2018, 3:30 AM ET)

Intel to not address few flaws
A new microcode revision guidance has been released by Intel that reveals the company will not be able to address the chip flaws in all of its affected processors, as it is too tricky to remove v2 class of Spectre vulnerabilities. The guidance states, “..after a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons.”

For more information, visit:
https://www.theregister.co.uk/2018/04/04/intel_says_some_cpus_with_spectre_v2_cant_be_fixed/

Core i9 laptop processor
Intel announced a new series of 8th generation desktop and laptop chips, including the flagship six-core i9-8950HK mobile CPU. As per the company, these laptops have a 29 percent improvement over the 7th generation Core i7, with a 41 percent FPS boost for games and 32 percent faster gameplay streaming and recording.
Source: https://www.techspot.com/news/73986-intel-announces-core-i9-laptop-processor-new-8th.html

----------------------------------------------------------------------------------------------------------------------------

(Update: April 3, 2018, 5:00 AM ET)

Total Meltdown vulnerability
Users who have installed the patches released by Microsoft for Meltdown mitigation on Intel 64-bit Windows 7/Server 2008 R2 computer are at the risk of a new vulnerability, called Total Meltdown (CVE-2018-1038). Microsoft has already patched the issue. However, users are requested to cross-refer the following patches:
  • KB 4056894 Win7/Server 2008 R2 January Monthly Rollup.
  • KB 4056897 Win7/Server 2008 R2 January Security-only patch.
  • KB 4073578 Hotfix for “Unbootable state for AMD devices in Windows 7 SP1. and Windows Server 2008 R2 SP1” bug installed in the January Monthly Rollup and Security-only patches.
  • KB 4057400 Win7/Server 2008 R2 Preview of the February Monthly Rollup.
  • KB 4074598 Win7/Server 2008 R2 February Monthly Rollup.
  • KB 4074587 Win7/Server 2008 R2 February Security-only patch.
  • KB 4075211 Win7/Server 2008 R2 Preview of the March Monthly Rollup.
  • KB 4091290 Hotfix for “smart card based operations fail with error with SCARD_E_NO_SERVICE” bug installed in the February Monthly Rollup.
  • KB 4088875 Win7/Server 2008 R2 March Monthly Rollup.
  • KB 4088878 Win7/Server 2008 R2 March Security-only patch.
  • KB 4088881 Win7/Server 2008 R2 Preview of April Monthly Rollup.

Apple going to dump Intel chips?
As per reports, Apple is panning to use processors designed by Apple and based on ARM technology. The report caused Intel shares to fall by over 9 percent.

Linux 4.16 released with security features
The Linux 4.16 kernel was released, marking the debut of the usercopy whitelisting patches to the mailine kernel. Usercopy whitelisting is designed to reduce the potential memory attack surface in Linux. Additionally, the OverlayFS filesystem is being extended in Linux 4.16 enabling it to be exported to a standard NFS (Network File System).

----------------------------------------------------------------------------------------------------------------------------

(Update: March 29, 2018, 6:00 AM ET)

Vulnerability in Microsoft patches
Microsoft had released mitigation updates for the Meltdown flaw a couple of months ago. Recently, security researchers have found a vulnerability in these patches that allowed any unprivileged application to read kernel memory. The vulnerability affects Windows 7 x64 and Windows 2008R2 with the January or February patches. Microsoft has already released patches to this flaw.

----------------------------------------------------------------------------------------------------------------------------

(Update: March 28, 2018, 6:00 AM ET)

BranchScope vulnerability
A new side-channel attack, dubbed BranchScope, aimed at extracting information through the branch predictor has been discovered. The BranchScope vulnerability leverages the speculative execution capabilities foundmodern processor to circumvent memory protections implemented in the hardware and operating system level. This vulnerability is being considered in the same category as the Spectre vulnerability.

More information about the vulnerability (PDF link): http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf

What is Intel saying about BranchScope?
After Meltdown and Spectre, Intel chips are now being targeted by a new vulnerability, dubbed BranchScope. Intel hosed down the paper describing the vulnerability and how it can be exploited. An Intel spokesperson remarked, "This presentation describes a previously known method to recover an RSA key from an enclave containing RSA crypto code that is vulnerable to a side channel exploit. This can be prevented by SGX application developers through utilization of an appropriate side channel attack-resistant crypto implementation inside the enclave."
Source:
https://www.theregister.co.uk/2018/03/28/intel_shrugs_off_new_sidechannel_attacks_on_branch_prediction_units_and_sgx/

----------------------------------------------------------------------------------------------------------------------------

(Update: March 27, 2018, 5:00 AM ET)

A jump in Intel stock
Intel's stock slumped in January this year, after the public disclosure of the Meltdown and Spectre flaws. However, shares have more than fully rebounded since. Intel's stock was up 6% yesterday, after the chip giant received an analyst upgrade.

----------------------------------------------------------------------------------------------------------------------------

(Update: March 23, 2018, 5:00 AM ET)

Much less scary than Meltdown and Spectre
The new vulnerabilities found in AMD processors are, as per researchers, much less impactful when compared to Meltdown and Spectre flaws. Four separate vulnerabilities have been identified, and they are named Ryzenfall, Masterkey, Fallout, and Chimera--affecting processors based on AMD’s Zen microarchitecture.

----------------------------------------------------------------------------------------------------------------------------

(Update: March 22, 2018, 4:00 AM ET)

AMD acknowledges patches
Spectre-like vulnerabilities were found in AMD's Ryzen and Epyc processors. AMD's chief technology officer, Mark Papermaster, in a statement said, "Security and protecting users' data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. These issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors."
Source:
https://community.amd.com/community/amd-corporate/blog/2018/03/21/initial-amd-technical-assessment-of-cts-labs-research

The company also revealed its plans of releasing fixes for these bugs.

Potential effects of Meltdown and Spectre on the Tech industry
  1. More expensive secure Cloud resources;
  2. Increase in need for evaluating software performance;
  3. Slower devices;
  4. Exploitation of unpatched hardware;
  5. Increase in Cloud adoption;
  6. Lack of trust in technology;
  7. Potential for mass exploitation of Cloud services.

For more information, visit:
https://www.forbes.com/sites/forbestechcouncil/2018/03/21/11-potential-effects-of-meltdown-and-spectre-on-the-tech-industry/#10b8dc57e44c

----------------------------------------------------------------------------------------------------------------------------

(Update: March 21, 2018, 3:30 AM ET)

Firmware updates for Surface Pro
Microsoft released firmware updates that address the Intel chip vulnerabilities for the newest Surface Pro models. The Wi-Fi-only Surface Pro (model 1796) and the Surface Pro LTE Advanced (model 1807) will receive two updates--one which is designed to mitigate the vulnerabilities and the other designed to improve battery life.

7 Spectre/Meltdown Symptoms
The chip flaws have set a major effect on computing. However, there are few impacts on organizations that security experts might not have considered as a major problem:
1) Delay in deployment of features;
2) Cloud computing will become more expensive;
3) Lack of trust on manufacturers;
4) Heightened scrutiny of security;
5) Refresh cycle crashes;
6) Companies delaying purchases will give rise to component shortage;
7) Budget crisis.

Source:
https://www.darkreading.com/risk/7-spectre-meltdown-symptoms-that-might-be-under-your-radar/d/d-id/1331299

----------------------------------------------------------------------------------------------------------------------------

(Update: March 20, 2018, 6:30 AM ET)

Chrome OS 65
Chrome OS 63 was released mid-December to patch Meltdown on newer Intel Chromebooks with kernels 3.18 and 4.4. This Kernel Page Table Isolation mitigation is now available on kernel 3.14 devices with version 65. Chrome OS 65 will be available on all devices over the next several days.

----------------------------------------------------------------------------------------------------------------------------

(Update: March 19, 2018, 5:00 AM ET)

New chips
Intel reported that it designed chips that address the Meltdown and Spectre vulnerabilities. These chips will be shipped in the second half of 2018. Chief executive Brian Krzanich said in a statement, "As we bring these new products to market, ensuring that they deliver the performance improvements people expect from us is critical. Our goal is to offer not only the best performance, but also the best secure performance."

----------------------------------------------------------------------------------------------------------------------------

(Update: March 16, 2018, 5:00 AM ET)

New bug bounty
Microsoft is conducting a new bug bounty program offering up to $250,000 for bugs that are similar to the Meltdown and Spectre CPU flaws. Microsoft’s bounty will run until the end of the year, and it’s clearly designed to discover additional flaws in processor designs.

Intel CEO reveals hardware plans
Intel CEO Brian Krzanich revealed that the company’s next-generation “Cascade Lake” Xeon Scalable chips will have hardware changes that address the Meltdown and Spectre vulnerabilities.
“We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3,” Krzanich said. “Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors.” 
Source: https://www.digitaltrends.com/computing/intel-krzanich-hardware-plans-meltdown-spectre/

----------------------------------------------------------------------------------------------------------------------------

(Update: March 15, 2018, 5:00 AM ET)

Companies delay future patch rollouts
Barkly company released a new survey stating that 72% of organizations planned to slow future rollouts. This is the result of the long and frustrating Meltdown and Spectre patches. Majority of the respondents who participated in the survey revealed that they have purposefully held off on applying Meltdown and Spectre-related updates, and plan to do so only after testing for compatibility and performance issues.

----------------------------------------------------------------------------------------------------------------------------

(Update: March 14, 2018, 5:00 AM ET)

New vulnerabilities in AMD
Security researchers claimed to have found several vulnerabilities in AMD's processors. According to CTS-Labs, AMD's Ryzen Workstation, Ryzen Pro, Ryzen Mobile, and EPYC processors are impacted by a total of 13 flaws. Of the 13 vulnerabilities, two of them have been dubbed Ryzenfall and Fallout, and allow hackers to install on-chip malware. These Spectre-like flaws are difficult to be detected using antivirus software.

More details on the vulnerabilities can be found at https://amdflaws.com/

Patch Tuesday
As part of it's Patch Tuesday, Microsoft released protections for the Meltdown vulnerability to x86 editions of Windows 7 and 8.1. In a blog post, the company also noted that it will continue providing updates for additional supported versions of Windows.
Microsoft also reverted its policy that the company will released patches for the Meltdown and Spectre vulnerabilities only to systems that had antivirus software installed.

----------------------------------------------------------------------------------------------------------------------------

(Update: March 13, 2018, 5:00 AM ET)

Patches, rolling out
Intel has been updating microcode document with more patches aiming at mitigating the Meltdown and Spectre flaws. The chips that still need to be patched are all older than Sandy Bridge, including Intel’s 32nm Westmere parts (the first six-core CPUs based on Nehalem), the quad-core Nehalem architecture (Bloomfield, Lynnfield), and several mobile 32nm chips like Arrandale and Clarkdale.
Intel is also focusing on releasing patches for older processes, including Core 2 Quad and Core 2 Duo processors.

----------------------------------------------------------------------------------------------------------------------------

(Update: March 12, 2018, 11:00 AM ET)

Spectre fixes
Intel has recently updated microcode revision guidance that indicates that most of its platforms are now protected against the Spectre attack. The company has moved beta updates for Sandy Bridge and Ivy Bridge processors to production. These include Xeon and Core processors for the two families. It also released revised production updates for Haswell Server EX Xeon, Haswell ULT, and Broadwell Server EX Xeon CPUs.

Today's the deadline
Today is the deadline for filing lead plaintiff motion in the class action filed on behalf of investors that purchased Intel Corporation securities. Law offices have reminded investors who have purchased securities between July 27, 2017 and January 4, 2018.

----------------------------------------------------------------------------------------------------------------------------

(Update: March 9, 2018, 8:00 AM ET)

More details on Microsoft's driver security guidance
Microsoft released its new Driver Security Guidance for Windows--designed to help developers avoid issues associated with a driver being attacked--at the end of February. The guide aims at ensuring system architects, developers, and the test team work in cooperation towards creating more secure drivers.
The guide includes:
  • A driver security overview;
  • A driver security checklist;
  • Information on threat modeling for drivers;
  • The Windows security model for driver developers; and
  • How to use Microsoft’s Device Guard Readiness Tool to evaluate Hypervisor-protected Code Integrity (HVCI) driver compatibility.

Cisco's updates
The company has updated the Vulnerable Products table with estimated availability dates for the delivery of security patches in order to mitigate the Meltdown and Spectre flaws.

----------------------------------------------------------------------------------------------------------------------------

(Update: March 6, 2018, 8:00 AM ET)

More about SgxPectre
This vulnerability is found to be exposing the contents of secure enclaves used in 6th generation and newer Intel processors. Initially, the original Spectre vulnerability relied on branch prediction and speculation to read kernel-level memory. This kept contents of SGX-protected secure enclaves safe. However, the new attack method combines the branch prediction and speculation attributes of Spectre with vulnerable code patterns in the existing SGX runtime libraries (Intel SGX SDK, Rust-SGX, and Graphene-SGX were named specifically by the researchers) to gain complete access to the contents of the secure enclave.

Source: https://www.techrepublic.com/article/spectre-like-attack-exposes-entire-contents-of-intels-sgx-secure-enclave/

----------------------------------------------------------------------------------------------------------------------------

(Update: March 5, 2018, 8:00 AM ET)

What should Entrepreneurs do?
The Meltdown and Spectre vulnerabilities can lurk anywhere, and have the potential to affect many systems. Hence, business owners must understand how to mitigate these vulnerabilities.
1) Keep devices updated: Make sure all the personal and professional devices--that are used to run your business--are updated with the latest OS.
2) Keep an eye out for suspicious activities and check thoroughly if your important accounts have been breached.
3) Change your account passwords regularly.
4) Keep an eye out for updates and work accordingly.

----------------------------------------------------------------------------------------------------------------------------

(Update: March 2, 2018, 8:00 AM ET)

Microsoft starts re-issuing patches
Microsoft resumed releasing security mitigation for Meltdown and Spectre vulnerabilities for PCs, after its hardware partners have had time to evaluate the best ways fix the issue. Microsoft is taking a more cautious approach to issuing Windows patches that touch both the operating system and any Intel-based hardware. The company also announced that they have completed their validations and started to release microcode for newer CPU platforms.

New variant of Spectre attack
A new variant, called SgxPectre side-channel attack, can be used to access Intel's secure enclaves and view their memory. The attack affects programs with sensitive components protected by Intel's SGX or Software Guard Extensions enclaves.
SGX is available in newer Intel Core chips and allows developers to selectively isolate sensitive application code and data to run in their own execution environment.
You can find more info at: http://www.zdnet.com/article/new-spectre-attack-variant-can-pry-secrets-from-intels-sgx-protected-enclaves/

New patch for Spectre Type-2
Microsoft released a security patch for one of the Spectre vulnerabilities (CVE 2017-5715) via the Microsoft Update Catalog for those running Windows 10 Fall Creators Update and Windows Server Core with Skylake processor chips. Though the patch is based on Intel’s microcode patch (released on 21st February), it is customized exclusively for Windows.

----------------------------------------------------------------------------------------------------------------------------

(Update: March 1, 2018, 8:00 AM ET)

Intel's microcode update guidance
Intel recently released its microcode update guidance:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/02/microcode-update-guidance.pdf

Microsoft to host patches on its own site
Windows users no longer need to worry about receiving Spectre and Meltdown BIOS patches. Microsoft has begun providing updates via an archive on its site.
Generally, Intel doesn't directly ship security patches to end users. Instead, it uses its network of PC makers and motherboard vendors to distribute them. Until now, Microsoft has been responsible for patching Windows for the Intel CPU vulnerabilities. Now Microsoft will archive both its own patches and Intel's.

----------------------------------------------------------------------------------------------------------------------------

(Update: February 28, 2018, 7:00 AM ET)

Intel releases mitigation for Broadwells and Haswells 
Intel released an update, as a mitigation for the chip vulnerabilities, for Haswell and Broadwell Xeons. Broadwell processors with CPUIDs 50662, 50663, 50664, 40671, 406F1, 306D4 and 40671, and Haswells numbered 306C3, 4066, 306F2, 40651 and 306C3 are to be updated with the patches.

How are these vulnerabilities going to affect future processors?
Researchers have speculated that future designs will need alternative implementations with security front-of-mind. Computational performance may have to take a back seat.
According to Cepulis, in the case of Spectre, it’s important to understand that it’s not just a hardware issue and [it] will require an ongoing discipline in the design of secure systems which needs to be addressed through both software and hardware.

Ref: https://insidehpc.com/2018/02/spectre-meltdown-affect-future-processors/

----------------------------------------------------------------------------------------------------------------------------

(Update: February 27, 2018, 3:00 AM ET)

Intel says it followed industry standards
Intel had been blamed for not reporting about the Meltdown and Spectre vulnerabilities to US authorities in prior. Intel, however, is stating that the reason behind not informing industry organisations and the US federal government of the flaws in its processors is because it was following the set industry reporting standards. These standards have been designed to protect systems until a patch to the flaws is released.

----------------------------------------------------------------------------------------------------------------------------

(Update: February 23, 2018, 3:00 AM ET)

Intel didn't inform security officials
Current and former U.S. government cyber security officials have raised concerns that Intel didn't inform them regarding the Meltdown and Spectre flaws before they became public because the flaws potentially held national security implications. Intel retorted to these statements saying that the company think the flaws needed to be shared with U.S. authorities as hackers had not exploited the vulnerabilities.

OpenBSD releases patch
OpenBSD released a patch for the Meltdown flaw, in the form of a Version 11 code update that separates user memory pages from the kernel's.

----------------------------------------------------------------------------------------------------------------------------

(Update: February 21, 2018, 8:00 AM ET)

Intel's new Spectre fixes
Intel announced that it has released a new set of microcode updates as a mitigation against the Spectre vulnerability, for its 6th, 7th, and 8th generation Intel Core chips. Updates have been released for OEM customers and partners for Kaby Lake, Coffee Lake, and Skylake-based platforms.

Surface Pro 3 receives a firmware update
A new firmware update has been released by Microsoft for Surface Pro 3 devices. Users are advised to download the latest Firmware version v3.11.2350.0 to fix the Meltdown and Spectre issues.

----------------------------------------------------------------------------------------------------------------------------

(Update: February 19, 2018, 3:00 AM ET)

Intel now facing 35 lawsuits
Intel Corp., is now facing a total of 35 lawsuits that are directly or indirectly related to the Meltdown and Spectre flaws. 30 of these lawsuits were filed by customers that generally represent users who claim to have been harmed by Intel’s actions or omissions in connection to the two vulnerabilities. Two lawsuits, seeking class-action status, represent shareholders alleging that the disclosure of the vulnerabilities in statements made by Intel were false or misleading. Three other lawsuits have been filed on behalf of shareholders in a California state court. As per these lawsuits, Intel executives or directors failed in their duties to shareholders by delaying disclosure of the breach.
One of the Class Actions was filed by the city of Providence who is demanding $5 billion.

Hardware changes won’t be enough
New attack paths discovered by researchers that take advantage of the Meltdown and Spectre flaws, show that hardware changes won't be able to stop these attacks.
More details at: https://arxiv.org/pdf/1802.03802.pdf

----------------------------------------------------------------------------------------------------------------------------

(Update: February 17, 2018, 9:00 AM ET)

Intel hit with 32 separate lawsuits
Intel disclosed in its annual report that the company is facing 30 lawsuits filed by customers and additional two lawsuits filed by shareholders, regarding the Meltdown and Spectre vulnerabilities. The suits have been filed both within the United States and abroad. Potential losses as a result of the litigation haven't been estimated yet.

----------------------------------------------------------------------------------------------------------------------------

(Update: February 16, 2018, 3:00 AM ET)

MeltdownPrime and SpectrePrime
A new method to exploit the Meltdown and Spectre flaws to extract sensitive data has been discovered by security researchers. Three researchers who work at at Princeton University and Nvidia dubbed the new exploits as MeltdownPrime and SpectrePrime. These exploits rely on an attack called Prime+Probe that takes advantage of processor cache invalidations--a method of replacing or removing entries in the CPU’s cache.

More information on these exploits can be found at: https://www.digitaltrends.com/computing/princeton-nvidia-prime-meltdown-spectre/

----------------------------------------------------------------------------------------------------------------------------

(Update: February 15, 2018, 3:00 AM ET)

Intel bug-bounty
Intel is inviting security researchers to discover vulnerabilities like Meltdown and Spectre. The expanded bug bounty program offers up to US $250,000 for side-channel flaws until December 31st, this year. The bug-bounty program also has permanent bounties of up to US$10,000, US$30,000 and US$100,000 for critical flaws found in Intel software, firmware and hardware respectively.

New ways to exploit the flaws
Researchers found new ways of exploiting the chip flaws that go beyond the proof-of-concept stage. Hackers can launch attacks by write requests being sent out speculatively in a system that uses an invalidation-based coherence protocol, thereby compromising sensitive information like passwords.

----------------------------------------------------------------------------------------------------------------------------

(Update: February 14, 2018, 3:00 AM ET)

Free tool for Meltdown and Spectre assessment
Microsoft has released a free tool--in the form of new capabilities in Windows Analytics--that would enable users to check if their PCs have been infected by the Meltdown and Spectre vulnerabilities. The new features include:
1) Anti-virus compatibility status
2) Windows OS security update status
3) Firmware status to check if the PC has been patched against the chip vulnerabilities.

The update is available to all the Windows 7, 8.1 and Windows 10 devices. To avail the changes, users are advised to update their CPU microcode (firmware) and the Windows operating system. Users are also advised to ensure their antivirus software is compatible with the free Windows Analytics service.

ASUSTOR is releasing patches
ASUSTOR announced that the company will be releasing ADM 3.0.5 and BIOS updates for the AS6302T and AS6404T this week in order to mitigate the chip vulnerabilities. Several other Asustor models are receiving an ADM update, including: AS3100, AS3200, AS5000, AS5100, AS6100, AS6200, AS6300, AS6400 and AS7000 series.

----------------------------------------------------------------------------------------------------------------------------

(Update: February 12, 2018, 8:00 AM ET)

IBM releases patches
Finally, IBM has released security patches for the notorious Intel chip flaws on its Power server line, whilst adding protection from a new flaw affecting its Notes collaboration platform. These flaws were affecting IBM Notes 8.5.x and 9.0.x versions.

----------------------------------------------------------------------------------------------------------------------------

(Update: February 12, 2018, 3:00 AM ET)

Sony Xperia XZ1 And XZ1 patched
Security patches have been released for Sony Xperia XZ1 and XZ1 Compact in version 47.1.A.12.75. The company is listed as the first companies to provide an update against Spectre and Meltdown.

Linux patches add huge load to CPUs
Netflix engineer, Brendan Gregg has established a new benchmark to assess the Linux kernel page table isolation (KPTI) patch released to mitigate the Meltdown vulnerability. Gregg concluded that these patches will increase an overhead of around 800%--under certain circumstances. The variables to watch are syscall numbers, whether the Linux kernel you use supports process-context identifiers (pcid - look for kernel 4.14 or later) and using huge pages so you have fewer pages to track. With the right tweaks, Gregg was able to substantially reduce the overheads the new code brought to Linux.

Source: https://www.theregister.co.uk/2018/02/12/meltdown_kpti_performance_analysis/

Check if your PC is safe
Even though companies are working relentlessly to ensure security against Meltdown and Spectre flaws, it is the responsibility of the users to make sure their PCs are properly patched.
You can find a list of major manufacturer pages to keep an eye on here: https://www.windowscentral.com/check-if-your-pc-has-been-patched-against-meltdown-and-spectre

----------------------------------------------------------------------------------------------------------------------------

(Update: February 9, 2018, 3:00 AM ET)

VMware releases mitigation
VMware released advises on how to mitigate the Intel chip flaws. The workarounds cover vCloud Usage Meter, Identity Manager (vIDM), vCenter Server, vSphere Data Protection, vSphere Integrated Containers and vRealize Automation (vRA).

The workarounds are listed here: https://www.vmware.com/security/advisories/VMSA-2018-0007.html

----------------------------------------------------------------------------------------------------------------------------

(Update: February 8, 2018, 3:00 AM ET)

Spectre microcode update for Skylake
Intel released a new security update for Skylake processors that gives operating systems the ability to protect against the Spectre flaw. This update is designed to allow OS take control over the branch predictor, thereby allowing them to prevent one process from influencing the predictions made in another process.
The updates come after Intel recommended its customers not to use the microcode fix for Broadwell and Haswell chips.

Xeon processors with built-in Spectre and Meltdown patches
Intel has released newest Xeon processors, Xeon D-2100, that comes with a built-in patches for the chip flaws. As per the company, the processors would also be supported by system software updates that protect customers from these flaws. The senior vice president and general manager of the Network Platforms Group at Intel, Sandra Rivera said, "The Intel Xeon D-2100 processor allows service providers and enterprises to deliver the maximum amount of compute intelligence at the edge or web tier while expending the least power."

Sony Xperia XZ Premium
A software update (47.1.A.12.75) was released by Sony for Xperia XZ Premium smartphone, that includes fixes for Meltdown and Spectre. The update has been released for the dual SIM version of the handset so far, and will be released for other versions soon.

Coretek Services avoiding patches
The health-care solution provider, Coretek Services is deliberately Spectre and Meltdown patches because of the multimillion-dollar cost of adding new hardware to overcome the up to 40% application workload hit to electronic health record systems.
"With a 40 percent reduction in CPU cycles based on Meltdown our customers would have to double their hardware footprint to implement the patch," said Brian Barnes, director of solution architecture at Coretek, a Farmington Hills, Mich., solution provider that has more than 100 health care customers grappling with the patch update issue. "A customer with 60 servers today would need 100 to 120 if they were to implement that patch. Most of our customers have put a freeze on the patch because they just don't have the capital budget to acquire the hardware to implement the patch."

Source: https://www.crn.com/news/security/300098961/coretek-hospitals-avoiding-spectre-meltdown-patches-because-of-performance-hit-high-cost-of-adding-new-hardware.htm


----------------------------------------------------------------------------------------------------------------------------

(Update: February 7, 2018, 2:00 AM ET)

Did DISA know about the Intel chip flaws?
When asked about how long did DISA (Defense Information Systems Agency) know about the vulnerabilities, the then-DISA chief Lt. Gen. Alan Lynn indicated that the Defense Department had known about the vulnerabilities before the general public.
His statements were, "I have to be careful about how much detail I get into in terms of how long. But we’ve known about it for a little while."

Source: http://www.defenseone.com/technology/2018/02/how-long-did-us-government-know-about-spectre-and-meltdown/145776/

A tool that can detect Meltdown-like vulnerabilities
SonicWall company announced that their Capture Cloud Platform’s new engine, Capture Cloud Real-Time Deep Memory Inspection (RTDMI) has the capabilities of detecting Meltdown-like vulnerabilities. The tool works by performing real-time deep memory inspections that can detect, and block, encrypted malware that exposes itself for less than 100 nanoseconds.

----------------------------------------------------------------------------------------------------------------------------

(Update: February 6, 2018, 2:00 AM ET)

McAfee's count
While security researchers from Avast reported that their AV testing showed around 139 malware samples trying to exploit the Meltdown and Spectre flaws, researchers at McAfee are seeing more malware samples. Chief scientist at McAfee, Raj Samani, estimates the number of samples at over 400.

IGEL releases fixes
IGEL released fixed firmware images and updates. Users are advised to update these patches as soon as possible. Details of the released updates:
  • Partial Update for WES7 and WES7+ with fixes for Meltdown and Spectre (CVE-2017-5754, CVE-2017-5715, CVE-2017-5753) and mitigations for Internet Explorer
  • Windows 10 IoT Enterprise Private Build 4.01.140 with fixes for Meltdown and Spectre (CVE-2017-5754, CVE-2017-5715, CVE-2017-5753) and mitigations for Internet Explorer
  • IGEL OS 10 Private Build 10.03.550 with fixes for Meltdown (CVE-2017-5754) and Spectre version 2 (CVE-2017-5715), Firefox ESR 52.5 is not affected
  • LX (for UD-LX devices)
  • OS (for UDC3-converted devices and UD Pocket)

Patches can be downloaded from: https://www.igel.com/software-downloads/

End-to-end solutions needed
Intel, AMD and other companies have been striving to release security fixes--including galvanic and over-the-air (OTA) firmware patches--for the recently discovered flaws. However, these patches have been found to be slowing down the systems and giving way to many more issues.
The co-founder of NanoLock Security, Erez Kreiner stated that this software-only approach is short-sighted and ineffective. Erez also said that an end-to-end solution that secures the entire chain of vulnerability must be employed in such situations. Manufacturers must look ahead, try to anticipate the possible security threats and have hardware-based protections in place for the CPU and memory. Thus companies can prevent malicious software from causing havoc.

----------------------------------------------------------------------------------------------------------------------------

(Update: February 5, 2018, 3:00 AM ET)

The count is 139
Tests by antivirus vendors detected around 139 different strains of malware samples--mostly recompiled versions of the proof-of-concept code--trying to exploit the Intel chip flaws.

----------------------------------------------------------------------------------------------------------------------------

(Update: February 2, 2018, 3:00 AM ET)

Windows 10 Build 16299.214 
Microsoft has released a new Windows 10 update, 16299.214 to mitigate the Meltdown and Spectre flaws for unbootable AMD PCs. The update attempts to resolve the issues in KB4056892 that was pushed to users early January.

Automation products are vulnerable
ABB, Emerson, GE, Rockwell Automation, Schneider Electric and Siemens--several such automation and controls companies have reported that some of their products use microprocessors (CPUs) that could be affected by Meltdown and Spectre. Around 13 suppliers have already notified the US Government’s Industrial Control Systems Cyber Emergency Response Team (ICS-Cert) that some of their products rely on the affected processors.

----------------------------------------------------------------------------------------------------------------------------

(Update: February 1, 2018, 3:00 AM ET)

Intel names new technology chief
Amidst the controversies arising around Meltdown and Spectre flaws, Intel made a bevy of leadership changes. As part of the changes, Michael Mayberry has been named SVP and CTO effective immediately. Intel also announced that Leslie Culbertson was named EVP and GM of the Product Assurance and Security Group; Ann Kelleher was named SVP of the Technology and Manufacturing Group; and Matthew Smith was named SVP and chief human resources officer.

Malware detected trying to leverage Meltdown and Spectre
Security researchers are warning companies that the number of malware trying to exploit the chip flaws is increasing. According to experts at AV-TEST, Fortinet, and Minerva Labs, several individuals are experimenting with publicly released proof-of-concept (PoC) code for these security flaws. Around 119 malware samples have been detected so far.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 31, 2018, 4:00 AM ET)

MacXDVD Products survive patch tests
As per tests, MacXDVD products have not been impacted by the Meltdown and Spectre flaw patches. No slowdowns have been recorded.


Impact of the flaws for HPC
A team of researchers led by Nikolay Simakov at the Center For Computational Research at SUNY Buffalo fired up some HPC benchmarks and a performance monitoring tool derived from the National Science Foundation’s Extreme Digital (XSEDE) program to see the effect of the Spectre and Meltdown patches on how much work they could get done as gauged by wall clock time to get that work done.

Source: https://www.nextplatform.com/2018/01/30/reckoning-spectre-meltdown-performance-hit-hpc/

----------------------------------------------------------------------------------------------------------------------------

(Update: January 29, 2018, 9:00 AM ET)

Windows emergency patch
Microsoft released emergency Windows update disable Intel's troublesome microcode fix for the Spectre Variant 2 attack. The patch released by Intel caused rebooting and stability issues.

Source: http://www.zdnet.com/article/windows-emergency-patch-microsofts-new-update-kills-off-intels-spectre-fix/

----------------------------------------------------------------------------------------------------------------------------

(Update: January 29, 2018, 4:00 AM ET)

Intel updates
Intel informed its investors that the company is working relentlessly to tackle the security issues stemming from the Spectre and Meltdown flaws. Intel also said that it will release updated chips later this year to provide a more long-term solution. In its forward-looking statement, the company considered the possibility that it might continue to face product claims, litigation, and adverse publicity due to these vulnerabilities.

Linux 4.15
A new version of the Linux kernel, Linux 4.15, has been released to tackle the Meltdown and Spectre CPU design flaws. The kernel now also supports networking over Thunderbolt cables, has added a few features to make NVMe smoother and brought RAID 10 to Linux Soft RAID.

Intel warns Chinese firms
According to a report released by the Wall Street Journal, Intel warned few customers, including Chinese tech firms, about the Meltdown and Spectre flaws before reporting to the US Government. Intel did so to avoid potential damage to an extent.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 25, 2018, 3:00 AM ET)

US House of Representatives react to the flaws
Letters have been sent to Amazon, AMD, Apple, ARM, Google, Intel and Microsoft by four Republican members of the US House of Representatives, seeking answers to how the Meltdown and Spectre flaws were handled. The embargo is aimed at raising questions about whether it was effective and appropriate.
"While we acknowledge that critical vulnerabilities such as these create challenging tradeoffs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures," the legislators say in their letters.
Source: https://www.theregister.co.uk/2018/01/25/house_reps_intel_meltdown_spectre/

Chrome 64
Chrome 64 contains fixes for the infamous CPU bugs. Google has updated the browser’s V8 Javascript engine to enable protection against side-channel attacks.

Flaw-free Intel chips arriving this year
Intel announced that it will be releasing chips without Meltdown and Spectre flaws this year. CEO Brian Krzanich announced that Intel would incorporate silicon-based changes into this year’s new processor designs to protect customers from the potential Meltdown and Spectre exploits.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 24, 2018, 4:00 AM ET)

Apple patches for older versions
Apple released patches for the Meltdown security vulnerability for older versions of Mac--including macOS Sierra and OS X El Capitan. The company announced that it is working on mitigations against Spectre for Macs.

Dell withdraws patches
Dell asked customers to avoid installing firmware patches released for Spectre flaw, as these patches were found creating unpredictable system behavior. The company also asked all users who have already deployed the BIOS update to revert back to a previous BIOS version to avoid system problems.
Dell isn't the only company to retract patches released for Meltdown and Spectre flaws. Lenovo announced last week that it had to withdraw some of the firmware patches it had issued because of stability concerns. 

----------------------------------------------------------------------------------------------------------------------------

(Update: January 23, 2018, 3:00 AM ET)

Stop installing Intel patches
Intel asked its customers to halt the patches it released to address two high-profile security vulnerabilities. Intel Executive Vice President Navin Shenoy disclosed the problem stating that patches released after months of development caused computers to reboot more often than normal and other "unpredictable" behavior. 
Source: http://intel.ly/2DsL9qz

----------------------------------------------------------------------------------------------------------------------------

(Update: January 22, 2018, 5:00 AM ET)

More class action lawsuits
Following the disclosure of the Meltdown and Spectre vulnerabilities, companies have been facing class action lawsuits. Apple and AMD have joined the list.

AMD: The lawsuits focus on the fact that AMD claimed that these vulnerabilities don't have any impact on their devices due to the architecture of its processors. However, AMD later admitted that the two vulnerabilities that allow Spectre attacks do affect its CPUs. The lawsuits alleged that AMD made false, misleading statements about the security flaw in Advanced Micro’s processor chips that renders them susceptible to hacking.

Apple: Plaintiffs claim that Apple had known about the flaws for a long time, but chose not to inform users or take prompt action against them.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 19, 2018, 3:00 AM ET)

Datacentres, brace yourselves!
Modern datacenter switch architectures use various server processors and are at risk from Meltdown and Spectre flaws. The same applies for storage arrays and clustered storage servers.
Industry experts are speculating that the flaws will drive datacentres towards adopting cloud and enterprise solutions of non-Intel based servers. It is also expected that IT migration to cloud-based platform-as-a-service (PaaS) and software-as-a-service (SaaS) applications will take place soon.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 18, 2018, 9:00 AM ET)

Microsoft releases patches again
New updates have been released by Microsoft for Windows 10 after resolving the Intel chip flaw mitigation that caused some AMD systems to become unbootable. Users of AMD PC can also install these updates. A cumulative update for Windows 10 version 1709, aka Fall Creators Update, with the label KB4073290 brings the build number up to 16299.194.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 18, 2018, 5:00 AM ET)

Intel says patches might cause troubles
Intel VP Navin Shenoy said in a blog post that the recent patches released to mitigate the chip flaws might cause computers with newer chips to reboot more frequently. He also said firmware-updated PCs with Ivy Bridge, Sandy Bridge, Skylake, and even Intel’s most recent Kaby Lake processors are all affected.

Industrial systems, struggling to patch
Vendors of industrial systems have started responding to the Meltdown and Spectre flaws. Reportedly, at least 12 vendors have told ICS-CERT they use vulnerable processors. However, it is expected that this number will increase further.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 17, 2018, 6:00 AM ET)

Oracle issues patches
Oracle issued security patches that would protect devices from the Meltdown and Spectre flaws. The critical patch contains 237 new security fixes across several Oracle products.

VMware rolls back patches
VMware rolled back a recently-issued Intel microcode security upgrade, as updated systems were experiencing unexpected reboots when running the Intel firmware upgrade.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 16, 2018, 3:00 AM ET)

Apple sued over Intel chip flaws
A class action complaint has been filed against Apple in a U.S. district court in San Jose on behalf of anyone who purchased a device with an ARM-based processor designed by Apple--this includes Bionic chips ranging from A4 to A11 used in iPhone, iPad, iPod touch, and Apple TV models.
As per the complaint, Apple knew about the design defects since at least June 2017 but didn't disclose the same to public, putting their security in danger.

Federal response on the bugs
Federal officials are playing a pivotal role in supporting private companies and ensuring information sharing between government and private sector. This move by the Fed has been highly applauded by lawmakers and industry sources.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 15, 2018, 5:00 PM ET)

Phishing sites sending malware disguised as patches
Scammers are taking advantage of the fear around Meltdown and Spectre security vulnerabilities to launch phishing campaigns. A SSL-enabled website has been discovered sending malware pretending to be security updates for these flaws. Though the site is not affiliated with any legitimate or official government entity, it appears to be coming from the German Federal Office for Information Security (BSI).

There might be more flaws like Spectre!
The CEO of Arm Holdings, Simon Segars said that there might be more flaws like Spectre which haven't been discovered yet. It is possible that threat actors might find other ways to exploit systems which had otherwise been considered completely safe.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 14, 2018, 5:00 PM ET)

Where are Oracle patches?
Oracle is yet to comment on whether or not the Meltdown and Spectre flaws affect its SPARC hardware and x86 cloud. However, the company’s list of patches to be released on its quarterly patch dump due on Tuesday, January 16th lists around 97 products including Oracle X86 Servers, versions SW 1.x and SW 2.x.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 12, 2018, 5:00 AM ET)

Intel patches have bugs
Intel issued patches for the latest security vulnerabilities. However, bugs present in these updates can cause older Broadwell and Haswell processors to reboot more often than normal.
Intel stated that they have received reports of the bugs and are working towards mitigation. The company also requested its cloud computing customers to hold off installing patches until the bugs have been fixed.

No performance impact on Cloud
Google released a statement saying that mitigation released for Meltdown and Spectre flaws has shown no perceptible impact on cloud. No customer downtime or performance degradation was reported due to Google Cloud Platform’s Live Migration technology.

Sony Xperia released patches
Sony Xperia XA1 and the Xperia XA1 Plus received the January security patches in build numbers 40.0.A.6.189 and 48.0.A.1.131 respectively.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 11, 2018, 2:00 PM ET)

Microsoft releasing new round of firmware updates
Microsoft is releasing a set of Surface firmware updates to the Surface Book 2, Surface Laptop, Surface Studio, Surface Book, and Surface Pro 4. These updates include mitigation to security vulnerabilities and Microsoft security advisory 180002.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 11, 2018, 9:00 AM ET)

Vulnerable Chromebooks
Google has published a list of Chromebooks that are vulnerable to the two flaws. You can access the list of vulnerable devices here.

AdwCleaner faces issues, post applying patches
After installing the new Linux kernel with the KPTI backport, a 10% - 15% increase of CPU usage has been observed. As these servers do not take advantage of PCID, the variation in performance might not be as apparent.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 10, 2018, 10:00 AM ET)

Nvidia releases patches
Nvidia earlier claimed that it is unaffected by Meltdown vulnerability, but the company's GPUs were affected by Spectre flaw. Nvidia, however released security patches for the vulnerabilities in its latest set of graphics drivers.

Patches are available for GeForce graphics cards, and Quadro and NVS GPUs, running on Windows and Linux. Tesla and Grid driver updates are to be delivered later in January itself.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 10, 2018, 3:00 AM ET)

Servers are slowing down!
Even though Intel claimed only a 6% hit on performance in their CPUs, SYSmark tests assessing post-patch slowdown showed a range from 2% to 14%. Most of the consumer and business computing relies on cloud-based servers--which showed a slowdown in response time and increase in CPU utilization.

Are you a Windows admin? You NEED to read this!
Manufacturers have already released security patches for the Meltdown and Spectre flaws. Though these patches can mitigate threats from these vulnerabilities, long-term solutions involve fundamental changes to CPU design. However, to ensure the PCs in your business are safe, it is important to have a response plan.

Here are the four things that require your concern:
1) You might have to install firmware updates
Most security flaws can be patched through UEFI firmware and BIOS updates. Hence, keep a look-out for firmware updates to be installed. In case you are using third-party hardware, you will have to check beforehand whether your devices are eligible for a firmware update.
Follow the PC maker's support site for information about available updates.

2) Find and replace outdated harware
Have a strategy in place to detect older devices (even if they are only 4 years old), retire and replace them with newer, faster versions.

3) Always have a patching strategy
Test updates before installing them--this will help you check if the updates are causing any issues.

4) Examine your security infrastructure
Keep a check on your security software vendors, on how they are handling the updates. If you aren't satisfied with their actions and security policies, don't hesitate to report to senior executives. Also, re-examine your security infrastructure--that allows you to monitor for potential breaches and intrusions--if it is functioning properly.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 9, 2018, 4:00 PM ET)

Only a 6% hit!
Intel stated that security patches installed to its CPUs (8th Generation Core platforms with solid state storage) have only slowed down by 6% or less. Intel released this report based on their most recent PC benchmarking and noted that the performance impact shouldn't be significant for average computer users. Also, since any hindrance to performance will only take place when a device takes on specific tasks, common tasks such as accessing emails, writing in docs, or opening files shouldn't be affected.

Monero mining isn't affected
A spokesperson from Coinhive stated that patches issued for Meltdown vulnerabilities haven't affected Monero mining in the least. He also said that in his understanding, these security patches don't affect mining speed at all.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 9, 2018, 3:00 AM ET)

Microsoft pauses security patches
Microsoft has paused releasing of Meltdown and Spectre patches for AMD PCs after users reported of issues during PC boot up. The company is blaming AMD’s documentation for the unexpected problems.
Microsoft is working with AMD to fix the problems and will continue to release updates soon.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 8, 2018, 10:00 PM ET)

Intel creates a new group
Amid the bug crisis that's going on, Intel announced that the company is creating a new group--called Intel Product Assurance and Security--to focus on hardware security. Prominent executives have been reassigned to the group. A memo has been sent by CEO Brian Krzanich to all employees regarding the change.

Intel's CEO speaks about the issue
Speaking at Intel’s big CES keynote, CEO Brian Krzanich noted that the company expects to release security patches for more than 90% of the processors and products introduced in the past five years, within a week. He also expected the remaining updates to be released by the end of January.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 8, 2018, 5:00 AM ET)

Windows KB4056892 patch bricks AMD Athlon-powered machines
Users claim that the security update released by Microsoft Windows KB4056892 bricks some AMD-powered PCs. These PCs don't boot and are just displaying the Windows startup logo. After several failed boots, the PCs do a roll-back and display error 0x800f0845. Users also reported that re-installing Windows 10 also doesn't solve the problem. Also, since the fix doesn’t create a recovery point, roll-back in some cases is not accessible.
For now, users can only disable the Windows update and wait for a solution to be released by Microsoft.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 8, 2018, 1:00 AM ET)

WISeKey's Semiconductor products are immune!
WISeKey announced that their products are totally immune to the Meltdown and Spectre flaws. Chief Executive Officer and founder of the company, Carlos Moreira, commented that their security solutions have been specifically designed to render such attacks, ineffective.

Fortnite servers face downtime
Fortnite is facing issues with the latest CPU patches installed to fix the affected Intel CPUs. As the servers are heavily reliant on cloud services, the company is expecting further service issues. A developer from Fortnite added that they are working with their Cloud service providers to prevent further downtime.

HP going to release BIOS fixes
HP has not yet pushed BIOS fixes to tackle the two security bugs, however users are reporting that the company updated BIOS for some of their laptops on their website confirmed via a Powershell verification script to include a fix. Customers are advised to keep checking HP’s support website for updates to their BIOS.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 7, 2018, 9:00 AM ET)

Singapore Telcos moving fast
Telcos in Singapore, including Singtel, StarHub and M1, said that they are working furiously towards applying security patches for the recently discovered bugs. Major banks such as DBS Bank, OCBC Bank and UOB also remarked that they are installing all the software updates as part of their routine risk management process.
The companies urged all its users to update their systems asap.

Raspberry Pi, not vulnerable!
Good news to consumers, Raspberry Pi is not vulnerable to the Meltdown and Spectre flaws. Both the vulnerabilities exploit performance features, such as caching and speculative execution, to leak data via side-channel attacks. Since, Raspberry Pi uses particular ARM cores, they remain unaffected.

----------------------------------------------------------------------------------------------------------------------------

(Update: January 6, 2018, 2:00 AM ET)

How's Red Hat dealing with this?
The Chief ARM Architect at Red Hat, Jon Masters assured that their updates follow Red Hat policy of security by default, and will be installed in systems after a thorough risk analysis. Reduction in performance will depend primarily on the workload of the machine.
He also noted that Meltdown and Spectre flaws are not as big a deal in the longer term as they are being made out. He said, the two vulnerabilities are architecture agnostic and Intel got a lot of unfair attention.

Qualcomm
Qualcomm confirmed that that its processors--including Arm-compatible Snapdragon system-on-chips and newly released Centriq server-grade processors--can be affected by the Meltdown and Spectre vulnerabilities. A spokesperson from the company reported that they are working towards releasing mitigation and requested users to update their systems regularly to install the security patches.

IBM
IBM noted that firmware updates will be released next week for its POWER CPUs.

-------------------------------------------------------------------------------------------------------------------------------------

(Update: January 5, 2018, 6:00 PM ET)

Cisco releases patches
In a statement, Cisco noted that attackers will have to run crafted code on an affected device, in order to exploit these flaws. Since, majority of Cisco products are closed systems, they don't allow custom code. However, few OS and CPU combinations used in some products might leave them vulnerable.
Users must note that Cisco products deployed as a virtual machine could be targeted by such attacks if the hosting environment is vulnerable. The company also recommended all its customers secure their virtual environment and ensure security patches are updated.

Ubuntu
The most popular Linux distribution, Ubuntu assured that they will release patches to these vulnerabilities by January 9th. The company was informed about the vulnerability in November 2017 and has been working on a fix ever since.

Users of the 64-bit x86 architecture (aka, amd64) can expect patched kernels, it’s unclear what will happen with 32-bit installs, though. The updates will be available for the Linux 4.13 HWE kernel on Ubuntu 17,10, for Linux 4.4 (and 4.4 HWE) on Ubuntu 16.04 LTS, for Linux 3.13 on Ubuntu 14.04 LTS, and for Linux 3.2 on Ubuntu 12.04 ESM; keep in mind that an Ubuntu Advantage license is required for Ubuntu 12.04 ESM because the release is past its end-of-life.


---------------------------------------------------------------------------------------------------------------------------------------

(Update: January 5, 2018, 12:00 PM ET)

Intel is facing class action suits
At least three class action lawsuits were released on Intel over Meltdown and Spectre, by owners of Intel CPU-based computers. Allegations have been made the Intel learned about the vulnerabilities several months ago and that the security patches released by Intel will affect computer performance.

Google published new coding technique
Called Retpoline, this is a new coding technique that can deploy and prevent Spectre attacks. Google alleges that it has negligible impact on performance when compared to other patches rolled out. The technique is described as a binary modification technique. Google has already deployed Retpoline for the Linux-based servers in private data centers.

How does it work: As per researchers, Retpoline creates a loop that doesn't get called in the actual code but keeps the CPU from entering speculative execution--a code optimization technique in all modern CPUs--the root cause of the Meltdown and Spectre attacks.

---------------------------------------------------------------------------------------------------------------------------------------

(Update: January 5, 2018, 10:00 AM ET)

Vivaldi
The company tweeted earlier today anticipating that Chromium will mitigate any potential exploit on the browser side. Meanwhile, users can also enable "Strict site isolation" by navigating to vivaldi://flags.
Strict site isolation is a security feature that would separates sites into different processes, thereby making exploiting hardware problems difficult.

Opera
Opera hoped to release browser updates with workarounds by the end of January. The company also urged its users to enable Strict site isolation until then.

---------------------------------------------------------------------------------------------------------------------------------------

(All that has been reported till January 5, 2018, 9 AM ET)

Vulnerabilities affecting almost all CPUs released since 1995!
Two vulnerabilities--dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715)--were found affecting every processor released since 1995. As per Google, these issues allow an unauthorized attacker to steal data which is currently processed on the computer, including passwords stored in a password manager or browser, personal files, emails, messages and confidential documents.
According to Google Project Zero researchers, vectors known for exploiting the flaws are identified as Bounds Check Bypass (CVE-2017-5753), Branch Target Injection (CVE-2017-5715) and Rogue Data Cache Load (CVE-2017-5754).

What systems are affected?
Affected systems include all major chipset vendors (Intel, AMD, ARM), all major operating systems (Windows, Linux, macOS, Android, ChromeOS), cloud providers (Amazon, Google, Microsoft), and application makers.

What's the difference between Meltdown and Spectre?
  • Meltdown is Intel-only and takes advantage of a privilege escalation flaw allowing kernel memory access from user space, meaning any secret a computer is protecting (even in the kernel) is available to any user able to execute code on the system.
  • Spectre applies to Intel, ARM, and AMD processors and works by tricking processors into executing instructions they should not have been able to, granting access to sensitive information in other applications’ memory space.


When were the bugs discovered
Jann Horn, a Project Zero researchers at Google first discovered the flaws, Meltdown and Spectre, based on previous academic research published by researchers from the Graz University of Technology, Cyberus Technology, and others. These bugs were reported to CPU vendors in June 2017.
Horn describes these issues as hardware bugs that will need both firmware patches from CPU vendors and software fixes from both OS and application vendors.

How were the bugs discovered?
Horn discovered that the actual flaws reside in a technique called speculative execution--a basic optimization technique that processors employ to carry out computations for data they speculate may be useful in the future. The purpose of speculative execution is to prepare computational results and have them ready if they're ever needed. If an application does not need the speculated data, the CPU just disregards it. This method is employed by all modern CPUs.
Horn discovered a way to use speculative execution to read data from the CPU's memory that should have not been available for user-level apps. Three flaws were discovered in the process and combined in two attacks, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715).



First public disclosure
Details of the flaw were planned to be released on 9th January, by both Intel and Google, after more security patches for these issues were developed. However, owing to the difficulty in detecting these intrusions, as it would not leave any traces in log files, researchers were forced to release early reports of the vulnerabilities on January 3rd.
Google already informed companies about Spectre flaw on 1 June 2017 and Meltdown flaw before 28 July 2017.

Mozilla, first to react
Researchers at Mozilla confirmed that Meltdown and Spectre CPU flaws can be exploited by embedding attack code via web content (for instance, through JavaScript files), and extract private information from users visiting a particular web page.

Details of the two vulnerabilities have already been shared with Mozilla in 2017, and by mid-November, Firefox 57 was released including workarounds. By reducing the precision of Firefox's internal timer functions, the attack’s efficiency can be reduced.

Statement released by Mozilla:
Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. This includes both explicit sources, like performance.now(), and implicit sources that allow building high-resolution timers, viz., SharedArrayBuffer.

Specifically, in all release channels, starting with 57:
 - The resolution of performance.now() will be reduced to 20µs.
 - The SharedArrayBuffer feature is being disabled by default.



Microsoft issued patches
Even though Microsoft was holding back the patches until 9th January (on Patch Tuesday), early release of the report forced the company to roll out Windows security updates.
Systems using Windows 10 will get automatically updates with security patches, while Windows 7 and 8 users need to wait until patches are released.
These mitigations might impact performance, depending on various factors--such as the specific chipset in physical host and the workloads that are running.
Following server categories are at increased risk:
  • Hyper-V hosts
  • Remote Desktop Services Hosts (RDSH)
  • For physical hosts or virtual machines that are running untrusted code

Problem with antivirus:
Few third-party antivirus applications registered incompatibility with the patches released, by making unsupported calls into Windows kernel memory, causing bluescreen errors. Hence, Microsoft released patches to devices running antivirus software from partners who have confirmed their software is compatible. Individuals using other antivirus products need to check if the product has been updated.

If you aren’t willing to search the antivirus product’s website, look for the following registry key on your system:
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”

Intel
The company announced that security patches and firmware updates, for all types of Intel-based computer systems, have been released to secure against two major CPU bugs. However, Intel’s Itanium server chips and Atom processors remain unaffected. Users are encouraged to enable automatic updates of their operating systems.

ARM
ARM said that only its Cortex-A75 processors are affected by Meltdown and Spectre. Other products and future processors are not affected.
The company provided kernel patches for Linux users. Customers using other operating systems need to check with respective OS vendors.

AMD
The company claims that they are only affected by Spectre vulnerabilities (CVE-2017-5753 and CVE-2017-5715), and the issue will be addressed via OS updates made by system vendors.

Google
Mitigations for the issues have been released in various Google products. For few instances, users will have to take additional steps, such as patch/update the environment.


Apple
Apple released mitigation in iOS 11.2, macOS 10.13.2, and tvOS 11.2. Safari is still susceptible to Spectre, and mitigations will be released in the coming days.


What is KAISER?
Researchers at the Graz University of Technology, in Austria--who specialized in side channel attacks--came up with a scheme to mitigate exploitation using systems using the data gleaned from the physical implementation of a system rather than a software flaw. This scheme, called KAISER, prevent computer processors in user applications from accessing kernel memory spaces, by separating kernel memory spaces in the processor cache.
Nevertheless, KAISER cannot be used as a general mitigation step against Spectre.

How do I ensure am safe?
Users are advised to make sure their software and firmware are up-to-date, now that manufacturers are releasing security patches to these issues. Additionally, make sure you follow cybersecurity practices--such as using a strong password, enabling two factor authentication on all accounts.

Don’t open multiple tabs!
Cert NZ director Rob Pope confirmed it was "theoretically possible" that if someone was using multiple tabs in a browser, an attacker might be able to use the Spectre vulnerability identified by Google via one of the tabs "to access information on other open tabs in the browser, for example internet banking information".





  • Share this blog:
To enhance your experience on our website, we use cookies to help us understand how you interact with our website. By continuing navigating through Cyware’s website and its products, you are accepting the placement and use of cookies. You can also choose to disable your web browser’s ability to accept cookies and how they are set. For more information, please see our Privacy Policy.