Subject: General Tech | July 19, 2018 - 02:53 PM | Jeremy Hellstrom
Tagged: security, patch, intel management engine, Intel, IME
A bit before Christmas last year, Intel provided sysadmins with a lovely present, vulnerabilities in the on chip Intel Management Engine which you could not even tell if they had been used to breach your systems. Intel have now publicly released four advisories pertaining to the IME, so that interested parties can investigate for themselves. These were already released to system builders and patches released, after a quite a long delay. This is better late than never ... assuming you are not running anything older than a fourth generation Core processor.
"Now that Intel's advisory is public, it's clear that Chipzilla has known the particulars for some time, and has been privately working with computer manufacturers to push fixes ahead of disclosure. For example, Lenovo emitted firmware fixes in April, and Dell no later than June."
Here is some more Tech News from around the web:
- Apple confirms its new MacBook Pro keyboard has a 'membrane' to prevent dust borkage @ The Inquirer
- Windows 10 IoT Core Services unleashed to public preview @ The Register
- Intel's 9th-gen 'Coffee Lake S' processors could debut in August @ The Inquirer
- Analyzing Graphics Card Pricing: July 2018 @ TechSpot
- Fork it! Google fined €4.34bn over Android, has 90 days to behave @ The Register
Subject: General Tech | April 27, 2018 - 12:59 PM | Jeremy Hellstrom
Tagged: meltdown, microsoft, security, patch, Windows 7, server 2008 r2
Wasn't it hilarious when Microsoft released a patch for the Meltdown flaw that made things even worse by allowing write access to kernel memory as well as read access? Well, if you haven't the patch which fixes the patch in place you won't be laughing so hard today. The Register has seen proof of concept code which makes use of this flaw to elevate a DOS shell window to NT AUTHORITY\System from a user without admin privileges. Get yourself patched up, especially that Server 2008 instance!
"If you're not up-to-date with your Intel CPU Meltdown patches for Windows 7 or Server 2008 R2, get busy with that, because exploit code for Microsoft's own-goal flaw is available."
Here is some more Tech News from around the web:
- E-waste warrior slapped with 15-month sentence for flogging Windows restore discs @ The Inquirer
- Windows 10 April 2018 Update is Coming On April 30 @ Slashdot
- Google Updates: Apps gone free, Chrome gone curvy, Play Music... gone? @ The Inquirer
- Apple debugs debugger, nukes pesky vulns in iOS, WebKit, macOS @ The Register
- Ubuntu 18.04 LTS arrives with Gnome desktop, Kuberflow and Nvidia GPU acceleration @ The Inquirer
- In a touching Monty Python tribute today, Microsoft's Office 365 makes everything spam @ The Register
- Intel delays 10nm chips yet again as firm suffers 'yield issues' @ The Inquirer
- Noise from blast of gas destroys Digiplex data depot disk drives @ The Register
Subject: Processors | January 18, 2018 - 01:17 PM | Sebastian Peak
Tagged: update, spectre, security, restart, reboot, processor, patch, meltdown, Intel, cpu
The news will apparently get worse before it gets any better for Intel, as the company updated their security recommendations for the Spectre/Meltdown patches for affected CPUs to address post-patch system restart issues. Specifically, Intel notes that issues may be introduced in some configurations with the current patches, though the company does not recommend discontinued use of such updates:
" Intel recommends that these partners, at their discretion, continue development and release of updates with existing microcode to provide protection against these exploits, understanding that the current versions may introduce issues such as reboot in some configurations".
Image credit: HotHardware
The recommendation section of the security bulletin, updated yesterday (January 17, 2018), is reproduced below:
- Intel has made significant progress in our investigation into the customer reboot sightings that we confirmed publicly last week
- Intel has reproduced these issues internally and has developed a test method that allows us to do so in a predictable manner
- Initial sightings were reported on Broadwell and Haswell based platforms in some configurations. During due diligence we determined that similar behavior occurs on other products including Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake based platforms in some configurations
- We are working toward root cause
- While our root cause analysis continues, we will start making beta microcode updates available to OEMs, Cloud service providers, system manufacturers and Software vendors next week for internal evaluation purposes
- In all cases, the existing and any new beta microcode updates continue to provide protection against the exploit (CVE-2017-5715) also known as “Spectre Variant 2”
- Variants 1 (Spectre) and Variant 3 (Meltdown) continue to be mitigated through system software changes from operating system and virtual machine vendors
- As we gather feedback from our customers we will continue to provide updates that improve upon performance and usability
Intel recommendations to OEMs, Cloud service providers, system manufacturers and software vendors
- Intel recommends that these partners maintain availability of existing microcode updates already released to end users. Intel does not recommend pulling back any updates already made available to end users
- NEW - Intel recommends that these partners, at their discretion, continue development and release of updates with existing microcode to provide protection against these exploits, understanding that the current versions may introduce issues such as reboot in some configurations
- NEW - We further recommend that OEMs, Cloud service providers, system manufacturers and software vendors begin evaluation of Intel beta microcode update releases in anticipation of definitive root cause and subsequent production releases suitable for end users
Intel recommendations to end users
- Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied
- For PCs and Data Center infrastructure, Intel recommends that patches be applied as soon as they are available from your system manufacturer, and software vendors
- For data center infrastructure, Intel additionally recommends that IT administrators evaluate potential impacts from the reboot issue and make decisions based on the security profile of the infrastructure
Intel has worked with operating system vendors, equipment manufacturers, and other ecosystem partners to develop software updates that can help protect systems from these methods. End users and systems administrators should check with their operating system vendors and apply any available updates as soon as practical.
The full list of affected processors from Intel's security bulletin follows:
- Intel® Core™ i3 processor (45nm and 32nm)
- Intel® Core™ i5 processor (45nm and 32nm)
- Intel® Core™ i7 processor (45nm and 32nm)
- Intel® Core™ M processor family (45nm and 32nm)
- 2nd generation Intel® Core™ processors
- 3rd generation Intel® Core™ processors
- 4th generation Intel® Core™ processors
- 5th generation Intel® Core™ processors
- 6th generation Intel® Core™ processors
- 7th generation Intel® Core™ processors
- 8th generation Intel® Core™ processors
- Intel® Core™ X-series Processor Family for Intel® X99 platforms
- Intel® Core™ X-series Processor Family for Intel® X299 platforms
- Intel® Xeon® processor 3400 series
- Intel® Xeon® processor 3600 series
- Intel® Xeon® processor 5500 series
- Intel® Xeon® processor 5600 series
- Intel® Xeon® processor 6500 series
- Intel® Xeon® processor 7500 series
- Intel® Xeon® Processor E3 Family
- Intel® Xeon® Processor E3 v2 Family
- Intel® Xeon® Processor E3 v3 Family
- Intel® Xeon® Processor E3 v4 Family
- Intel® Xeon® Processor E3 v5 Family
- Intel® Xeon® Processor E3 v6 Family
- Intel® Xeon® Processor E5 Family
- Intel® Xeon® Processor E5 v2 Family
- Intel® Xeon® Processor E5 v3 Family
- Intel® Xeon® Processor E5 v4 Family
- Intel® Xeon® Processor E7 Family
- Intel® Xeon® Processor E7 v2 Family
- Intel® Xeon® Processor E7 v3 Family
- Intel® Xeon® Processor E7 v4 Family
- Intel® Xeon® Processor Scalable Family
- Intel® Xeon Phi™ Processor 3200, 5200, 7200 Series
- Intel® Atom™ Processor C Series
- Intel® Atom™ Processor E Series
- Intel® Atom™ Processor A Series
- Intel® Atom™ Processor x3 Series
- Intel® Atom™ Processor Z Series
- Intel® Celeron® Processor J Series
- Intel® Celeron® Processor N Series
- Intel® Pentium® Processor J Series
- Intel® Pentium® Processor N Series
We await further updates and developments from Intel, system integrators, and motherboard partners.
Subject: General Tech | January 10, 2018 - 01:05 PM | Jeremy Hellstrom
Tagged: meltdown, spectre, security, antivirus, patch
If you are curious about the details behind the registry key that your Antivirus program needs to create in order to receive Windows Updates, The Register describes its purpose here. In essence, modern AV programs regularly access the kernel to look for suspicious activity and become quite upset when they are not allowed to access it after the patch places the kernel in isolation, upset enough to continually crash your computer. Ensuring your AV software has updated itself to ensure that this does not occur before allowed the Windows patch to install is a good thing, however there is a serious problem with the way Microsoft decided to deal with the situation. Until that key is present, you will not be able to install any new security patches; something which should be changed ASAP as it could help spread other infections simply because you had the temerity not to use Windows Defender.
"Microsoft's workaround to protect Windows computers from the Intel processor security flaw dubbed Meltdown has revealed the rootkit-like nature of modern security tools."
Here is some more Tech News from around the web:
- Spectre and Meltdown not a concern for mobile says Qualcomm @ Electronics Weekly
- Meltdown and Spectre Patches Bricking Ubuntu 16.04 Computers @ Slashdot
Subject: Storage | January 5, 2018 - 08:45 PM | Allyn Malventano
Tagged: RS4, RS3, patch, meltdown, KB4056892, cpu, 960 EVO, 900P, 850 EVO
While the Meltdown announcements and patches were in full swing, I was busily testing a round of storage devices to evaluate the potential negative impact of the Meltdown patch. Much of the testing we've seen has come in the form of Linux benchmarks, and today we saw a few come out on the Windows side of things. Most of the published data to date shows a ~20% performance hit to small random accesses, but I've noted that the majority of reviewers seem to be focusing on the Samsung 950/960 series SSDs. Sure these are popular devices, but when evaluating changes to a storage subsystem, it's unwise to just stick with a single type of product.
Test conditions were as follows:
- ASUS Prime Z270-A + 7700K
- C-States disabled, no overclock.
- ASUS MCE disabled, all other clock settings = AUTO.
- Intel Optane 900P 480GB (Intel NVMe driver)
- Samsung 960 EVO 500GB (Samsung NVMe driver)
- Samsung 850 EVO 500GB (Intel RST driver)
- NTFS partition.
- 16GB test file. Sequential conditioning.
- Remainder of SSD sequentially filled to capacity.
The first results come from a clean Windows Redstone 3 install compared to a clean Windows 10 Redstone 4 (build 17063), which is a fast ring build including the Meltdown patch:
The 960 EVO comes in at that same 20% drop seen elsewhere, but check out the 850 EVO's nearly 10% *increase* in performance. The 900P pushes this further, showing an over 15% *increase*. You would figure that a patch that adds latency to API calls would have a noticeable impact on a storage device offering extremely low latencies, but that did not end up being the case in practice.
Since the 960 EVO looked like an outlier here, I also re-tested it using the Microsoft Inbox NVMe driver, as well as by connecting it via the chipset (which uses the Intel RST driver). A similar drop in performance was seen in all configurations.
The second set of results was obtained later, taking our clean RS3 install and updating it to current, which at the time included the Microsoft roll-up 01-2018 package (KB4056892):
Note that the results are similar, though Optane did not see as much of a boost here. It is likely that some specific optimizations have been included in RS4 that are more beneficial to lower latency storage devices.
As a final data point, here's what our tests look like with software polling implemented:
The above test results are using an application method that effectively bypasses the typical interrupt requests associated with file transfers. Note that the differences are significantly reduced once IRQs are removed from the picture. Also note that kernel API calls are still taking place here.
Well there you have it. Some gain and some lose. Given that a far lower latency device (900P) sees zero performance hit (actually gaining speed), I suspect that whatever penalty associated with Meltdown could be easily optimized out via updates to the Windows Inbox and Samsung NVMe drivers.
Subject: General Tech | January 3, 2018 - 01:12 PM | Jeremy Hellstrom
Tagged: security, patch, kernel, Intel
Intel is having a lousy day after revealing a fundamental flaw in their architecture design; one not shared by AMD chips. It turns out that many common programs are able to read the protected memory sections of the chips kernel, something commonly known as a very bad thing. The flaw exists in both Linux and Windows and is serious enough that a patch has been released, which you should install.
However initial reports show the patch has a negative effect on performance, with a worst case scenario showing quite a performance delta. The thing to keep in mind is that we do not have many data points yet, more testing needs to be done to determine exactly how much performance degradation will be experienced. We will conduct our own testing here, with a focus on storage which could see the most degradation, especially the newly released Intel Optane. You can also expect that Amazon, Azure and other hosting companies will be releasing information on the effect this has on their systems, which will give us a good overall view of what this patch will do.
The easiest way to ensure you are not going to experience this issue is to pick up a Ryzen or Threadripper, of course. The Inquirer offers more insight here.
"A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug."
Here is some more Tech News from around the web:
- Windows 10 growth remains slow as Windows 7 dominates @ The Inquirer
- 7 Tech Predictions for 2018 @ TechSpot
- Windows 10's Edge vs Chrome: We're Faster and Win in Battery Face-off, Says Microsoft @ Slashdot
- iMac Pro teardown shows off Cupertino's engineering chops @ The Inquirer
- Kinect Is Really Dead Now, Basically @ Slashdot
Subject: General Tech | January 11, 2017 - 12:42 PM | Jeremy Hellstrom
Tagged: patch, oops, microsoft
If you game on multiple monitors and have noticed problems recently, with screens rendering with off clipping or not a timely manner you may want to look to Microsoft. It seems that KB3213986 which was released yesterday, may well be to blame. As there are no serious security updates contained in this particular patch you can feel safe uninstalling it, unless you really need two keyboards and a fingerprint touchscreen attached to your system. Cheers to The Guru of 3D for posting this first.
"Users may experience delayed or clipped screens while running 3D rendering apps (such as games) on systems with more than one monitor."
Here is some more Tech News from around the web:
- Windows 10 Creator's Build comes with 'better' privacy and 'no' targeted ads @ The Inquirer
- Citrix buys Unidesk for massive Microsoft Windows rollouts @ The Register
- Tiny Patch Tuesday after heavy Christmas for Microsoft security team @ The Inquirer
- The 3D printers of CES @ Hack a Day
- Juniper warns: Borked upgrade opens root on firewalls @ The Register
- Mint 18.1 review: Forget about Wayland and get comfy with the command line @ Ars Technica
Subject: General Tech | December 22, 2014 - 04:10 PM | Sebastian Peak
Tagged: patch, gpu performance, assassin's creed, assasins creed unity
The latest patch (version 1.4.0) for Assassin's Creed Unity was released on Friday, and the folks at HardOCP have posted a review with their perfomance findings today.
Spoiler alert: the performance numbers are better, but not by a lot. To quote the article's conclusion:
"Thanks to the recent patch 1.4.0 it is a little "less terrible," but it is still not very good. This game is poorly optimized, if at all, and performs worse than it should on the latest generation of video cards. Even with SLI you cannot maximize the graphics settings at 1440p with TXAA, one of the added NVIDIA features in the game. This is sad."
The post for Patch 4 on Steam lists these improvements:
- Performance & Stability: Frame rate drops, game crashes, lost progression
- Gameplay: Navigation, lock picking chests
- Online: Connectivity, matchmaking, companion app
The tested patch (which weighs in at 5.4GB) is the fourth one released in December, as Ubisoft attempts to mitigate some of the issues with a game that has only disappointed since launch. While overall improvements seen by the team at [H] were slight, the review does concede that patch "helped performance and image quality" and that "using the latest NVIDIA beta drivers...also helped performance in this game". However to fully enjoy the Assassin's Creed Unity experience they do recommend "a cold beer, or two".
Subject: General Tech | December 9, 2014 - 09:40 PM | Scott Michaud
Tagged: windows, windows 10, patch, patch tuesday
These are the sorts of things that will happen in prerelease software. Gabriel Aul, leader of the Data and Fundamentals Team at Microsoft and blogger for the Windows Insider Program, announced on Twitter that today's Windows Update for Internet Explorer may not install if Office is also install. The workaround is, if the update fails, to uninstall Office, apply the update, and then reinstall Office. Unfortunately, I am not able to give my personal experience because I use LibreOffice (I did not want to purchase a commercial license of Office).
I was not expecting to use this fail-bandaid image again, so soon.
If it wasn't an important security update, another option would be to wait for the next build. I know that, when I first installed Windows 10, I had a similar problem with a Defender update that continually failed. The install failure was fixed when I upgraded to Build 9860. The next version of Windows 10 is probably not too far away... … but this is a security update.
Hopefully this is one less thing to break when it hits full release next year.
Subject: General Tech | December 6, 2014 - 04:30 AM | Scott Michaud
Tagged: windows 10, windows, patch, microsoft
A few days ago, I attempted to install my Windows updates, but one failed. After complaining about the update not being accepted, it would ask you to restart your computer, where it would proudly proclaim that you have an update pending... ad infinitum. It apparently did the same for many others, including Paul Thurrott (who voiced his concerns on Twitter).
Some day (of silence) later, and a workaround has been voiced. As far as I can tell, it was originally discovered by a member of the community, but an Engineering General Manager at Microsoft suggested that Paul Thurrott try it, even though the GM's official workaround was slightly different.
Long story short, here are the steps:
- Go to Add or Remove Programs.
- Go to View installed updates.
- Search for KB3019269 and uninstall it. Do not restart.
- Search for KB3018943 and uninstall it. Do not restart.
- Search for KB3016725 and uninstall it. Do not restart.
- Search for KB3016656 and uninstall it. Restart your computer.
- Run Windows Update and install whatever it tells you to.
- I needed to do Step 7 twice.
- Reboot a second time.
When I did this procedure, Windows Update complained about a failed update. Retrying it, without rebooting, was successful however. If you experienced this problem, be prepared for a potential false error – the fix might have still been successful.
This was actually the second update to fail in the exact same way, the first being a Windows Defender patch from the initial Technical Preview release. That time, the problem went away when Microsoft released a new build and I updated to it. The same probably would be true when Microsoft replaces Build 9879 with whatever they have upcoming, albeit that is at least a month away. As far as I can tell, not a whole lot has changed.
Again, this is pre-release software. I will not knock Microsoft for it, especially since the update procedure is one of the key points of focus for the entire Technical Preview. The occasional failure is to be somewhat expected.