{"id":11551,"date":"2018-02-21T08:30:11","date_gmt":"2018-02-21T16:30:11","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/02\/21\/news-5322\/"},"modified":"2018-02-21T08:30:11","modified_gmt":"2018-02-21T16:30:11","slug":"news-5322","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/02\/21\/news-5322\/","title":{"rendered":"Intel releases more Meltdown\/Spectre firmware fixes, Microsoft feints an SP3 patch"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Wed, 21 Feb 2018 07:56:00 -0800<\/strong><\/p>\n

One month ago today, Intel told the world<\/a> that their Meltdown\/Spectre patches were a mess. Their advice read something like, \u201cOoopsie. Those extremely important BIOS\/UEFI firmware updates we released a coupla weeks ago are causing Intel machines to drop like bungee cows. In spite of what we told you then, stop installing them now. And if you installed a bad BIOS\/UEFI patch, well golly, contact your PC manufacturer<\/a> to see if they know how to get you out of the mess.\u201d<\/p>\n

Intel now says it has released really new, really good firmware versions for most of its chips.<\/p>\n

Scanning the official Microcode Revision Guidance February 20, 2018<\/a> (pdf), you can see that Coffee Lake, Kaby Lake, Bay Trail and most Skylake chips are covered. On the other hand, Broadwell, Haswell, and Sandy Bridge chips still leave brown skid marks.<\/p>\n

Security Advisory INTEL-SA-00088<\/a> has been updated with this squib:<\/p>\n

We have now released new production microcode updates to our OEM customers and partners for Kaby Lake, Coffee Lake, and additional Skylake-based platforms. As before, these updates address the reboot issues last discussed here<\/a>, and represent the breadth of our 6th, 7th and 8th Generation Intel\u00ae Core\u2122 product lines as well as our latest Intel\u00ae Core\u2122 X-series processor family. They also include our recently announced Intel\u00ae Xeon\u00ae Scalable and Intel\u00ae Xeon\u00ae D processors for datacenter systems. \u00a0We continue to release beta microcode updates for other affected products<\/a> so that customers and partners have the opportunity to conduct extensive testing before we move them into production.<\/p>\n

Intel goes on to recommend basically the same stuff they recommended last time, with a specific call-out:<\/p>\n

The \u201cFor most users\u201d update is KB 4078130, the surprise Friday evening patch, released on Jan. 26, which I discussed<\/a> almost a month ago:<\/p>\n

On Friday night, Microsoft released a strange patch called KB 4078130<\/a> that \u201cdisables mitigation against Spectre, variant 2.\u201d The KB article goes to great lengths describing how Intel\u2019s the bad guy and its microcode patches don\u2019t work right:<\/p>\n

There aren\u2019t any details, but apparently this patch \u2014 which isn\u2019t being sent out the Windows Update chute \u2014 adds two registry settings that \u201cmanually disable mitigation against Spectre Variant 2\u201d<\/p>\n

Rummaging through the lengthy Microsoft IT Pro Guidance page<\/a>, there\u2019s an important warning:<\/p>\n

Customers who only install the Windows January and February 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January and February security updates, a processor microcode, or firmware, update is required. This should be available through your OEM device manufacturer.<\/p>\n

In what must be an amazing coincidence, last night Microsoft released a firmware update for the Surface Pro 3. It\u2019s currently available as a manual download (\u201cMSI format\u201d) for Surface Pro 3. I haven\u2019t seen it come down the Windows Update chute. Perhaps Microsoft is beta testing it once again. Per Brandon Records on the Surface blog<\/a>:<\/p>\n

We’ve released a new driver and firmware update for Surface Pro 3. This update includes new firmware for Surface UEFI which resolves potential security vulnerabilities, including Microsoft security advisory 180002<\/a>.<\/p>\n

This update is available in MSI format from the Surface Pro 3 Drivers and Firmware page<\/a> at the Microsoft Download Center.<\/p>\n

Except, golly, \u00a0the latest version of the patch on that page (as of 10 am Eastern US time) is marked \u201cDate Published 1\/24\/2018.\u201d The official Surface Pro 3 update history page<\/a> lists the last firmware update for the SP3 as being dated Oct. 27, 2017.<\/p>\n

And, golly squared, Microsoft Security Advisory 180002<\/a> doesn\u2019t even mention the Surface Pro 3. It hasn\u2019t been updated since Feb. 13. It links to the Surface Guidance to protect against speculative execution side-channel vulnerabilities<\/em> page, KB 4073065<\/a>, which doesn\u2019t mention the Surface Pro 3 and hasn\u2019t been updated since Feb. 2.<\/p>\n

You\u2019d have to be incredibly trusting \u2014 of both Microsoft and Intel \u2014 to manually install any <\/em><\/strong>Surface firmware patch at this point. Particularly when you realize that not one single Meltdown or Spectre-related exploit is in the wild. Not one.<\/p>\n

Thx Bogdan Popa Softpedia News<\/a>.<\/p>\n

Fretting over Meltdown and Spectre? Assuage your fears on the <\/em>AskWoody Lounge<\/em><\/a>.<\/em><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Wed, 21 Feb 2018 07:56:00 -0800<\/strong><\/p>\n

\n
\n

One month ago today, Intel told the world<\/a> that their Meltdown\/Spectre patches were a mess. Their advice read something like, \u201cOoopsie. Those extremely important BIOS\/UEFI firmware updates we released a coupla weeks ago are causing Intel machines to drop like bungee cows. In spite of what we told you then, stop installing them now. And if you installed a bad BIOS\/UEFI patch, well golly, contact your PC manufacturer<\/a> to see if they know how to get you out of the mess.\u201d<\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10761],"class_list":["post-11551","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows-10"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11551","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11551"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11551\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11551"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}