{"id":11002,"date":"2018-01-04T08:30:21","date_gmt":"2018-01-04T16:30:21","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/01\/04\/news-4773\/"},"modified":"2018-01-04T08:30:21","modified_gmt":"2018-01-04T16:30:21","slug":"news-4773","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/01\/04\/news-4773\/","title":{"rendered":"Windows, Meltdown and Spectre: Keep calm and carry on"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/01\/meltdown-spectre-100745817-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Thu, 04 Jan 2018 08:13:00 -0800<\/strong><\/p>\n<p>I\u2019m increasingly skeptical of security holes that have their own logos and PR campaigns. Yesterday\u2019s sudden snowballing of disclosures about two groups of vulnerabilities, now known as Meltdown and Spectre, has led to enormous numbers of reports of varying quality, and widespread panic in the streets. In the case of Intel&#8217;s stock price, that&#8217;s more like blood in the streets.<\/p>\n<p>While it\u2019s true that both vulnerabilities affect nearly every computer made in the past two decades, it\u2019s also true that the threat \u2014 especially for plain-vanilla Windows users \u2014 isn\u2019t imminent. You should be aware of the situation, but avoid the stampede. The sky isn\u2019t falling.<\/p>\n<p>Here\u2019s how it all unwound. Back in June 2017, a security researcher named Jann Horn, working for Google\u2019s Project Zero team, discovered a way for a sneaky program to steal information from parts of a computer that are supposed to be off limits. 
Horn and Project Zero notified the major vendors \u2014 Google, of course, as well as Intel, Microsoft, Apple, AMD, Mozilla, the Linux folks, Amazon and many more \u2014 and a quiet effort began to plug the security holes without alerting \u201cthe bad guys.\u201d<\/p>\n<p>Although the Linux community leaked details, with the KAISER series of patches posted in October, few realized the enormity of the problem. By and large, people in the know agreed to keep it all quiet until Jan. 9 \u2014 this month\u2019s Patch Tuesday.<\/p>\n<p>On Monday, Jan. 1, the beans started spilling. An anonymous poster calling him\/herself Python Sweetness <a href=\"http:\/\/pythonsweetness.tumblr.com\/post\/169166980422\/the-mysterious-case-of-the-linux-page-table\" rel=\"nofollow\">put it out in the open<\/a>:<\/p>\n<p>There is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads.<\/p>\n<p>John Leyden and Chris Williams at <em>The Register <\/em><a href=\"https:\/\/www.theregister.co.uk\/2018\/01\/02\/intel_cpu_design_flaw\/\" rel=\"nofollow\">turned the leak into a gush <\/a>on Tuesday, with details about the effort to plug the Meltdown security hole:<\/p>\n<p>A fundamental design flaw in Intel&#8217;s processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.<\/p>\n<p>Programmers are scrambling to overhaul the open-source Linux kernel&#8217;s virtual memory system. 
Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: These changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.<\/p>\n<p>By Wednesday, the Patch Tuesday gag was thrown to the wind, with a <a href=\"https:\/\/meltdownattack.com\/\" rel=\"nofollow\">definitive statement <\/a>by Google\u2019s Project Zero, festooned with official logos (\u201cfree to use, rights waived, via CC0\u201d) and metric tons of ink followed. There are thousands of explainer articles circulating at the moment.<\/p>\n<p>If you need an overview, look at Catalin Cimpanu\u2019s essay in <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-almost-all-cpus-since-1995-vulnerable-to-meltdown-and-spectre-flaws\/\" rel=\"nofollow\">BleepingComputer<\/a> or\u00a0<a href=\"https:\/\/www.nytimes.com\/2018\/01\/03\/business\/computer-flaws.html?_r=1\" rel=\"nofollow\"><em>The New York Times<\/em> piece<\/a> from Cade Metz and Nicole Perlroth. The <em>Times<\/em> says:<\/p>\n<p>The Meltdown flaw is specific to Intel, but Spectre is a flaw in design that has been used by many processor manufacturers for decades. It affects virtually all microprocessors on the market, including chips made by AMD that share Intel\u2019s design and the many chips based on designs from ARM in Britain.<\/p>\n<p>Those of you hating on Intel should note that there\u2019s plenty of blame to go around. That said, I still cast a jaundiced eye at CEO Brian Krzanich <a href=\"http:\/\/www.businessinsider.com\/intel-ceo-krzanich-sold-shares-after-company-was-informed-of-chip-flaw-2018-1\" rel=\"nofollow\">selling $24 million in INTC stock <\/a>on Nov. 29.<\/p>\n<p>Yesterday evening, Microsoft released Windows patches \u2014 Security-only Updates, Cumulative Updates, and Delta Updates \u2014 for a wide array of Windows versions, from Win7 onward. 
See the <a href=\"https:\/\/www.catalog.update.microsoft.com\/Search.aspx?q=windows+security+update+2018\" rel=\"nofollow\">Update Catalog<\/a> for details. (Thx, @Crysta). Note that the patches are listed with a \u201cLast Updated\u201d date of Jan. 4, not Jan. 3, the nominal release date. The Win7 and 8.1 patches are Security Only (the kind you have to install manually). I\u2019ve been assured that the Win7 and 8.1 Monthly Rollups will come out next week on Patch Tuesday.<\/p>\n<p>The Win10 patch for Fall Creators Update, version 1709, contains other security fixes besides those related to Meltdown. The other Win10 patches appear to be Meltdown-only. Those of you running the beta version of Win10 1803, in the Insider Program, have already received the patches.<\/p>\n<p>BUT\u2026 you won\u2019t get any patches installed unless and until your antivirus software <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4072699\/important-information-regarding-the-windows-security-updates-released\" rel=\"nofollow\">sets a specific registry key<\/a>. (It now appears as if the value of the key doesn\u2019t matter; just the presence of the registry entry turns on Meltdown protection. Thx, @abbodi86, @MrBrian.) If you\u2019re running third-party antivirus, it has to be updated before the Meltdown patch installer will run. It looks as if there are known problems with bluescreens for some antivirus products.<\/p>\n<p>There are also cumulative updates for Internet Explorer 11 in various versions of Win7 and 8.1 <a href=\"https:\/\/www.catalog.update.microsoft.com\/Search.aspx?q=4056568\" rel=\"nofollow\">listed in the Update Catalog<\/a>. The fixes for Win10, and for Edge, are inside the respective Win10 cumulative updates. Microsoft has also released fixes for SQL Server 2016 and 2017.<\/p>\n<p>Note that the Windows Server patches are <em>not<\/em> enabled by default. 
Those of you who want to turn on Meltdown protection have to <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4072698\/windows-server-guidance-to-protect-against-the-speculative-execution-s\" rel=\"nofollow\">change the registry<\/a>. (Thx <a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/948821376302972931\" rel=\"nofollow\">@GossiTheDog<\/a>)<\/p>\n<p>Windows XP and Server 2003 don\u2019t yet have patches. No word on whether Microsoft will release those sooner or later.<\/p>\n<p>Kevin Beaumont, @GossiTheDog, is maintaining a <a href=\"https:\/\/docs.google.com\/spreadsheets\/d\/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ\/htmlview?sle=true#gid=0\" rel=\"nofollow\">list of antivirus products<\/a> and their Meltdown-related problems. On Google Docs, of course.<\/p>\n<p>With all the news swirling, you might feel inclined to get patched up right now. I say wait. There\u2019s a handful of facts that stand in the way of a good scare story:<\/p>\n<p>In addition, we have no idea how these rushed-to-market patches are going to clobber the billion or so extant Windows machines. I\u2019m already seeing a report of <a href=\"https:\/\/www.askwoody.com\/forums\/topic\/ms-defcon-2-batten-down-the-hatches-theres-a-kernel-patch-headed-your-way\/#post-155943\" rel=\"nofollow\">conflicts with Sandboxie on AskWoody<\/a>, and <a href=\"https:\/\/www.askwoody.com\/2018\/ms-defcon-2-batten-down-the-hatches-theres-a-kernel-patch-headed-your-way\/\" rel=\"nofollow\">Yammer going offline <\/a>isn\u2019t reassuring.<\/p>\n<p>It\u2019s possible Microsoft\u2019s kernel team has pulled off another change-the-blades-while-the-blender-is-running feat. But it\u2019s also possible that we\u2019ll hear loud screams of pain from many corners today or tomorrow. 
The anticipated performance penalty may or may not pan out.<\/p>\n<p>There&#8217;s an enormous amount of official Microsoft documentation:<\/p>\n<p>Just about every hardware or software manufacturer you can name has its own warnings\/explanations posted. I found <a href=\"https:\/\/www.amd.com\/en\/corporate\/speculative-execution\" rel=\"nofollow\">AMD&#8217;s response<\/a> (basically, Meltdown poses &#8220;near zero risk&#8221; on AMD chips) particularly enlightening. Reddit has a <a href=\"https:\/\/www.reddit.com\/r\/sysadmin\/comments\/7o39et\/meltdown_spectre_megathread\/\" rel=\"nofollow\">megathread<\/a> devoted specifically to the topic.<\/p>\n<p><em>Grab a box of popcorn and join us on the <\/em><a href=\"https:\/\/www.askwoody.com\/2018\/meltdown-and-spectre-from-a-windows-users-point-of-view\/\" rel=\"nofollow\"><em>AskWoody Lounge<\/em><\/a><em>.<\/em><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3245788\/microsoft-windows\/windows-meltdown-and-spectre-keep-calm-and-carry-on.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/01\/meltdown-spectre-100745817-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Thu, 04 Jan 2018 08:13:00 -0800<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>I\u2019m increasingly skeptical of security holes that have their own logos and PR campaigns. Yesterday\u2019s sudden snowballing of disclosures about two groups of vulnerabilities, now known as Meltdown and Spectre, has led to enormous numbers of reports of varying quality, and widespread panic in the streets. 
In the case of Intel&#8217;s stock price, that&#8217;s more like blood in the streets.<\/p>\n<p>While it\u2019s true that both vulnerabilities affect nearly every computer made in the past two decades, it\u2019s also true that the threat \u2014 especially for plain-vanilla Windows users \u2014 isn\u2019t imminent. You should be aware of the situation, but avoid the stampede. The sky isn\u2019t falling.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3245788\/microsoft-windows\/windows-meltdown-and-spectre-keep-calm-and-carry-on.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10761],"class_list":["post-11002","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows-10"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11002","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11002"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11002\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11002"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11002"},{"taxonomy":
"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11002"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}