Karlston Posted February 22, 2018

Intel says it has most -- but not all -- of the buggy Meltdown/Spectre firmware patches in order. While Microsoft announces but doesn’t ship a firmware fix for the Surface Pro 3.

One month ago today, Intel told the world that their Meltdown/Spectre patches were a mess. Their advice read something like, “Ooopsie. Those extremely important BIOS/UEFI firmware updates we released a coupla weeks ago are causing Intel machines to drop like bungee cows. In spite of what we told you then, stop installing them now. And if you installed a bad BIOS/UEFI patch, well golly, contact your PC manufacturer to see if they know how to get you out of the mess.”

Intel now says it has released really new, really good firmware versions for most of its chips.

Intel chips covered, and those not covered

Scanning the official Microcode Revision Guidance February 20, 2018 (pdf), you can see that Coffee Lake, Kaby Lake, Bay Trail and most Skylake chips are covered. On the other hand, Broadwell, Haswell, and Sandy Bridge chips still leave brown skid marks.

Security Advisory INTEL-SA-00088 has been updated with this squib:

We have now released new production microcode updates to our OEM customers and partners for Kaby Lake, Coffee Lake, and additional Skylake-based platforms. As before, these updates address the reboot issues last discussed here, and represent the breadth of our 6th, 7th and 8th Generation Intel® Core™ product lines as well as our latest Intel® Core™ X-series processor family. They also include our recently announced Intel® Xeon® Scalable and Intel® Xeon® D processors for datacenter systems. We continue to release beta microcode updates for other affected products so that customers and partners have the opportunity to conduct extensive testing before we move them into production.

Intel's recommendations

Intel goes on to recommend basically the same stuff they recommended last time, with a specific call-out:

We continue to recommend that OEMs, cloud service providers, system manufacturers, software vendors, and end users stop deployment of previously released versions of certain microcode updates addressing variant 2 (CVE-2017-5715), as they may introduce higher-than-expected reboots and other unpredictable system behavior. We also continue to ask that our industry partners focus efforts on evaluating the beta microcode updates.

For those concerned about system stability while we finalize these updated solutions, earlier this week we advised that we were working with our OEM partners to provide BIOS updates using previous versions of microcode not exhibiting these issues, but that also removed the mitigations for ‘Spectre’ variant 2 (CVE 2017-5715).

Microsoft also provided two resources for users to disable original microcode updates on platforms exhibiting unpredictable behavior:

For most users – An automatic update available via the Microsoft® Update Catalog which disables ‘Spectre’ variant 2 (CVE 2017-5715) mitigations without a BIOS update. This update supports Windows 7 (SP1), Windows 8.1, and all versions of Windows 10 - client and server

For advanced users – Refer to the following Knowledge Base (KB) articles
KB4073119: IT Pro Guidance
KB4072698: Server Guidance

Both of these options eliminate the risk of reboot or other unpredictable system behavior associated with the original microcode update and retain mitigations for ‘Spectre’ variant 1 and ‘Meltdown’ variant 3 until new microcode can be loaded on the system.

The “For most users” update is KB 4078130, the surprise Friday evening patch, released on Jan. 26, which I discussed almost a month ago:

On Friday night, Microsoft released a strange patch called KB 4078130 that “disables mitigation against Spectre, variant 2.” The KB article goes to great lengths describing how Intel’s the bad guy and its microcode patches don’t work right:

There aren’t any details, but apparently this patch — which isn’t being sent out the Windows Update chute — adds two registry settings that “manually disable mitigation against Spectre Variant 2.”

Rummaging through the lengthy Microsoft IT Pro Guidance page, there’s an important warning:

Customers who only install the Windows January and February 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January and February security updates, a processor microcode, or firmware, update is required. This should be available through your OEM device manufacturer.

Microsoft firmware update for Surface Pro 3

In what must be an amazing coincidence, last night Microsoft released a firmware update for the Surface Pro 3. It’s currently available as a manual download (“MSI format”) for Surface Pro 3. I haven’t seen it come down the Windows Update chute. Perhaps Microsoft is beta testing it once again.

Per Brandon Records on the Surface blog:

We've released a new driver and firmware update for Surface Pro 3. This update includes new firmware for Surface UEFI which resolves potential security vulnerabilities, including Microsoft security advisory 180002.

This update is available in MSI format from the Surface Pro 3 Drivers and Firmware page at the Microsoft Download Center.

Except, golly, the latest version of the patch on that page (as of 10 am Eastern US time) is marked “Date Published 1/24/2018.”

The official Surface Pro 3 update history page lists the last firmware update for the SP3 as being dated Oct. 27, 2017.

And, golly squared, Microsoft Security Advisory 180002 doesn’t even mention the Surface Pro 3. It hasn’t been updated since Feb. 13. It links to the Surface Guidance to protect against speculative execution side-channel vulnerabilities page, KB 4073065, which doesn’t mention the Surface Pro 3 and hasn’t been updated since Feb. 2.

You’d have to be incredibly trusting — of both Microsoft and Intel — to manually install any Surface firmware patch at this point. Particularly when you realize that not one single Meltdown or Spectre-related exploit is in the wild. Not one.

Thx Bogdan Popa Softpedia News.

Fretting over Meltdown and Spectre? Assuage your fears on the AskWoody Lounge.

Source: Intel releases more Meltdown/Spectre firmware fixes, Microsoft feints an SP3 patch (Computerworld - Woody Leonhard)

steven36 Posted February 22, 2018

Quote
One month ago today, Intel told the world that their Meltdown/Spectre patches were a mess.

Linus Torvalds was the one who told Intel their patches were a mess, and after they released them to Windows and people's PCs kept shutting down like an old Windows ME PC that you had to keep restarting, they fessed up after the fact.

Linus Torvalds: (Intel's) patches are COMPLETE AND UTTER GARBAGE
https://lkml.org/lkml/2018/1/21/192

Quote
Summary: Linus Torvalds has been reviewing patches submitted by Intel for Spectre and Meltdown in the Linux kernel. He seems to think the Intel patches don't fix the real issue, and instead make it look like Intel is fixing things, when really they are doing their best to minimize the hit on CPU efficiency, while not properly maximizing CPU security. Now due to the closed nature of Windows & Mac OS we really don't know what kind of conversation Apple & Microsoft are having with Intel & what kind of patch Intel is delivering. At this moment I think both Apple & Microsoft should come out & shed some light on this issue.

Discussion here
https://www.reddit.com/r/apple/comments/7s5uo0/linus_torvalds_intels_patches_are_complete_and/

banned Posted February 22, 2018

realize that not one single Meltdown or Spectre-related exploit is in the wild. Not one.

It's going to be fun when the sploits do arrive, so I can say "noob couldn't even pwn an XP box".

Archived
This topic is now archived and is closed to further replies.