The cure worse than the disease; get your new patches or enjoy a total meltdown

Subject: General Tech | April 27, 2018 - 12:59 PM |
Tagged: meltdown, microsoft, security, patch, Windows 7, server 2008 r2

Wasn't it hilarious when Microsoft released a patch for the Meltdown flaw that made things even worse by allowing write access to kernel memory as well as read access? Well, if you don't have the patch which fixes the patch in place, you won't be laughing so hard today. The Register has seen proof of concept code which makes use of this flaw to elevate a DOS shell window to NT AUTHORITY\System from a user without admin privileges. Get yourself patched up, especially that Server 2008 instance!

"If you're not up-to-date with your Intel CPU Meltdown patches for Windows 7 or Server 2008 R2, get busy with that, because exploit code for Microsoft's own-goal flaw is available."

Source: The Register

Intel Responds to Reboot Issues with Meltdown and Spectre Updates

Subject: Processors | January 18, 2018 - 01:17 PM |
Tagged: update, spectre, security, restart, reboot, processor, patch, meltdown, Intel, cpu

The news will apparently get worse before it gets any better for Intel, as the company updated their security recommendations for the Spectre/Meltdown patches for affected CPUs to address post-patch system restart issues. Specifically, Intel notes that issues may be introduced in some configurations with the current patches, though the company does not recommend discontinued use of such updates:

"Intel recommends that these partners, at their discretion, continue development and release of updates with existing microcode to provide protection against these exploits, understanding that the current versions may introduce issues such as reboot in some configurations."

[Image; credit: HotHardware]

The recommendation section of the security bulletin, updated yesterday (January 17, 2018), is reproduced below:

  • Intel has made significant progress in our investigation into the customer reboot sightings that we confirmed publicly last week
  • Intel has reproduced these issues internally and has developed a test method that allows us to do so in a predictable manner
  • Initial sightings were reported on Broadwell and Haswell based platforms in some configurations. During due diligence we determined that similar behavior occurs on other products including Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake based platforms in some configurations
  • We are working toward root cause
  • While our root cause analysis continues, we will start making beta microcode updates available to OEMs, Cloud service providers, system manufacturers and Software vendors next week for internal evaluation purposes
  • In all cases, the existing and any new beta microcode updates continue to provide protection against the exploit (CVE-2017-5715) also known as “Spectre Variant 2”
  • Variants 1 (Spectre) and Variant 3 (Meltdown) continue to be mitigated through system software changes from operating system and virtual machine vendors
  • As we gather feedback from our customers we will continue to provide updates that improve upon performance and usability

Intel recommendations to OEMs, Cloud service providers, system manufacturers and software vendors

  • Intel recommends that these partners maintain availability of existing microcode updates already released to end users. Intel does not recommend pulling back any updates already made available to end users
  • NEW - Intel recommends that these partners, at their discretion, continue development and release of updates with existing microcode to provide protection against these exploits, understanding that the current versions may introduce issues such as reboot in some configurations
  • NEW - We further recommend that OEMs, Cloud service providers, system manufacturers and software vendors begin evaluation of Intel beta microcode update releases in anticipation of definitive root cause and subsequent production releases suitable for end users

Intel recommendations to end users

  • Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied
  • For PCs and Data Center infrastructure, Intel recommends that patches be applied as soon as they are available from your system manufacturer, and software vendors
  • For data center infrastructure, Intel additionally recommends that IT administrators evaluate potential impacts from the reboot issue and make decisions based on the security profile of the infrastructure

Intel has worked with operating system vendors, equipment manufacturers, and other ecosystem partners to develop software updates that can help protect systems from these methods. End users and systems administrators should check with their operating system vendors and apply any available updates as soon as practical.

The full list of affected processors from Intel's security bulletin follows:

  • Intel® Core™ i3 processor (45nm and 32nm)
  • Intel® Core™ i5 processor (45nm and 32nm)
  • Intel® Core™ i7 processor (45nm and 32nm)
  • Intel® Core™ M processor family (45nm and 32nm)
  • 2nd generation Intel® Core™ processors
  • 3rd generation Intel® Core™ processors
  • 4th generation Intel® Core™ processors
  • 5th generation Intel® Core™ processors
  • 6th generation Intel® Core™ processors
  • 7th generation Intel® Core™ processors
  • 8th generation Intel® Core™ processors
  • Intel® Core™ X-series Processor Family for Intel® X99 platforms
  • Intel® Core™ X-series Processor Family for Intel® X299 platforms
  • Intel® Xeon® processor 3400 series
  • Intel® Xeon® processor 3600 series
  • Intel® Xeon® processor 5500 series
  • Intel® Xeon® processor 5600 series
  • Intel® Xeon® processor 6500 series
  • Intel® Xeon® processor 7500 series
  • Intel® Xeon® Processor E3 Family
  • Intel® Xeon® Processor E3 v2 Family
  • Intel® Xeon® Processor E3 v3 Family
  • Intel® Xeon® Processor E3 v4 Family
  • Intel® Xeon® Processor E3 v5 Family
  • Intel® Xeon® Processor E3 v6 Family
  • Intel® Xeon® Processor E5 Family
  • Intel® Xeon® Processor E5 v2 Family
  • Intel® Xeon® Processor E5 v3 Family
  • Intel® Xeon® Processor E5 v4 Family
  • Intel® Xeon® Processor E7 Family
  • Intel® Xeon® Processor E7 v2 Family
  • Intel® Xeon® Processor E7 v3 Family
  • Intel® Xeon® Processor E7 v4 Family
  • Intel® Xeon® Processor Scalable Family
  • Intel® Xeon Phi™ Processor 3200, 5200, 7200 Series
  • Intel® Atom™ Processor C Series
  • Intel® Atom™ Processor E Series
  • Intel® Atom™ Processor A Series
  • Intel® Atom™ Processor x3 Series
  • Intel® Atom™ Processor Z Series
  • Intel® Celeron® Processor J Series
  • Intel® Celeron® Processor N Series
  • Intel® Pentium® Processor J Series
  • Intel® Pentium® Processor N Series

We await further updates and developments from Intel, system integrators, and motherboard partners.

Source: Intel

About that AV registry key needed for Meltdown and Spectre patches

Subject: General Tech | January 10, 2018 - 01:05 PM |
Tagged: meltdown, spectre, security, antivirus, patch

If you are curious about the details behind the registry key that your antivirus program needs to create in order to receive Windows Updates, The Register describes its purpose here. In essence, modern AV programs regularly access the kernel to look for suspicious activity and become quite upset when they are not allowed to access it after the patch places the kernel in isolation, upset enough to continually crash your computer. Making sure your AV software has updated itself so that this does not occur before allowing the Windows patch to install is a good thing; however, there is a serious problem with the way Microsoft decided to deal with the situation. Until that key is present, you will not be able to install any new security patches; something which should be changed ASAP as it could help spread other infections simply because you had the temerity not to use Windows Defender.

"Microsoft's workaround to protect Windows computers from the Intel processor security flaw dubbed Meltdown has revealed the rootkit-like nature of modern security tools."

Source: The Register

Meltdown's Impact on Storage Performance - Really an Issue?

Subject: Storage | January 5, 2018 - 08:45 PM |
Tagged: RS4, RS3, patch, meltdown, KB4056892, cpu, 960 EVO, 900P, 850 EVO

While the Meltdown announcements and patches were in full swing, I was busily testing a round of storage devices to evaluate the potential negative impact of the Meltdown patch. Much of the testing we've seen has come in the form of Linux benchmarks, and today we saw a few come out on the Windows side of things. Most of the published data to date shows a ~20% performance hit to small random accesses, but I've noted that the majority of reviewers seem to be focusing on the Samsung 950/960 series SSDs. Sure these are popular devices, but when evaluating changes to a storage subsystem, it's unwise to just stick with a single type of product.

Test conditions were as follows:

  • ASUS Prime Z270-A + 7700K
    • C-States disabled,  no overclock.
    • ASUS MCE disabled, all other clock settings = AUTO.
  • SSDs:
    • Intel Optane 900P 480GB (Intel NVMe driver)
    • Samsung 960 EVO 500GB (Samsung NVMe driver)
    • Samsung 850 EVO 500GB (Intel RST driver)
  • Conditioning:
    • NTFS partition.
    • 16GB test file. Sequential conditioning.
    • Remainder of SSD sequentially filled to capacity.

The first results come from a clean Windows Redstone 3 install compared to a clean Windows 10 Redstone 4 (build 17063), which is a fast ring build including the Meltdown patch:

[Chart image: KASLR-IRQ2.png]

The 960 EVO comes in at that same 20% drop seen elsewhere, but check out the 850 EVO's nearly 10% *increase* in performance. The 900P pushes this further, showing an over 15% *increase*. You would figure that a patch that adds latency to API calls would have a noticeable impact on a storage device offering extremely low latencies, but that did not end up being the case in practice.

Since the 960 EVO looked like an outlier here, I also re-tested it using the Microsoft Inbox NVMe driver, as well as by connecting it via the chipset (which uses the Intel RST driver). A similar drop in performance was seen in all configurations.

The second set of results was obtained later, taking our clean RS3 install and updating it to current, which at the time included the Microsoft roll-up 01-2018 package (KB4056892):

[Chart image: KASLR-IRQ2-.png]

Note that the results are similar, though Optane did not see as much of a boost here. It is likely that some specific optimizations have been included in RS4 that are more beneficial to lower latency storage devices.

As a final data point, here's what our tests look like with software polling implemented:

[Chart image: KASLR-POLL2.png]

The above test results are using an application method that effectively bypasses the typical interrupt requests associated with file transfers. Note that the differences are significantly reduced once IRQs are removed from the picture. Also note that kernel API calls are still taking place here.

Well, there you have it. Some gain and some lose. Given that a far lower latency device (900P) sees zero performance hit (actually gaining speed), I suspect that whatever penalty is associated with Meltdown could be easily optimized out via updates to the Windows Inbox and Samsung NVMe drivers.

It's a good day to be on an AMD kernel

Subject: General Tech | January 3, 2018 - 01:12 PM |
Tagged: security, patch, kernel, Intel

Intel is having a lousy day after revealing a fundamental flaw in their architecture design; one not shared by AMD chips. It turns out that many common programs are able to read the protected memory sections of the chip's kernel, something commonly known as a very bad thing. The flaw exists in both Linux and Windows and is serious enough that a patch has been released, which you should install.

However, initial reports show the patch has a negative effect on performance, with a worst case scenario showing quite a performance delta. The thing to keep in mind is that we do not have many data points yet; more testing needs to be done to determine exactly how much performance degradation will be experienced. We will conduct our own testing here, with a focus on storage which could see the most degradation, especially the newly released Intel Optane. You can also expect that Amazon, Azure and other hosting companies will be releasing information on the effect this has on their systems, which will give us a good overall view of what this patch will do.

The easiest way to ensure you are not going to experience this issue is to pick up a Ryzen or Threadripper, of course.  The Inquirer offers more insight here.

"A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug."

Source: The Register

Multi-monitor gaming troubles? It might not be your driver

Subject: General Tech | January 11, 2017 - 12:42 PM |
Tagged: patch, oops, microsoft

If you game on multiple monitors and have noticed problems recently, with screens rendering with clipping or not in a timely manner, you may want to look to Microsoft. It seems that KB3213986, which was released yesterday, may well be to blame. As there are no serious security updates contained in this particular patch you can feel safe uninstalling it, unless you really need two keyboards and a fingerprint touchscreen attached to your system. Cheers to The Guru of 3D for posting this first.

"Users may experience delayed or clipped screens while running 3D rendering apps (such as games) on systems with more than one monitor."

Source: Guru of 3D

Assassin's Creed Unity: Now with Slightly Less Terrible Performance!

Subject: General Tech | December 22, 2014 - 04:10 PM |
Tagged: patch, gpu performance, assassin's creed, assasins creed unity

The latest patch (version 1.4.0) for Assassin's Creed Unity was released on Friday, and the folks at HardOCP have posted a review with their performance findings today.

Spoiler alert: the performance numbers are better, but not by a lot. To quote the article's conclusion:

"Thanks to the recent patch 1.4.0 it is a little "less terrible," but it is still not very good. This game is poorly optimized, if at all, and performs worse than it should on the latest generation of video cards. Even with SLI you cannot maximize the graphics settings at 1440p with TXAA, one of the added NVIDIA features in the game. This is sad."

The post for Patch 4 on Steam lists these improvements:

  • Performance & Stability: Frame rate drops, game crashes, lost progression
  • Gameplay: Navigation, lock picking chests
  • Online: Connectivity, matchmaking, companion app

The tested patch (which weighs in at 5.4GB) is the fourth one released in December, as Ubisoft attempts to mitigate some of the issues with a game that has only disappointed since launch. While overall improvements seen by the team at [H] were slight, the review does concede that the patch "helped performance and image quality" and that "using the latest NVIDIA beta drivers...also helped performance in this game". However, to fully enjoy the Assassin's Creed Unity experience they do recommend "a cold beer, or two".

Source: HARDOCP

Windows 10 Update Installer May Break with Office Installed

Subject: General Tech | December 9, 2014 - 09:40 PM |
Tagged: windows, windows 10, patch, patch tuesday

These are the sorts of things that will happen in prerelease software. Gabriel Aul, leader of the Data and Fundamentals Team at Microsoft and blogger for the Windows Insider Program, announced on Twitter that today's Windows Update for Internet Explorer may not install if Office is also installed. The workaround is, if the update fails, to uninstall Office, apply the update, and then reinstall Office. Unfortunately, I am not able to give my personal experience because I use LibreOffice (I did not want to purchase a commercial license of Office).

[Image: failpatch-windows-10.png]

I was not expecting to use this fail-bandaid image again, so soon.

If it wasn't an important security update, another option would be to wait for the next build. I know that, when I first installed Windows 10, I had a similar problem with a Defender update that continually failed. The install failure was fixed when I upgraded to Build 9860. The next version of Windows 10 is probably not too far away... but this is a security update.

Hopefully this is one less thing to break when it hits full release next year.

Windows 10 December 2014 Failed Update Workaround

Subject: General Tech | December 6, 2014 - 04:30 AM |
Tagged: windows 10, windows, patch, microsoft

A few days ago, I attempted to install my Windows updates, but one failed. After complaining about the update not being accepted, it would ask you to restart your computer, where it would proudly proclaim that you have an update pending... ad infinitum. It apparently did the same for many others, including Paul Thurrott (who voiced his concerns on Twitter).

Some day (of silence) later, and a workaround has been voiced. As far as I can tell, it was originally discovered by a member of the community, but an Engineering General Manager at Microsoft suggested that Paul Thurrott try it, even though the GM's official workaround was slightly different.

Long story short, here are the steps:

  1. Go to Add or Remove Programs.
  2. Go to View installed updates.
  3. Search for KB3019269 and uninstall it. Do not restart.
  4. Search for KB3018943 and uninstall it. Do not restart.
  5. Search for KB3016725 and uninstall it. Do not restart.
  6. Search for KB3016656 and uninstall it. Restart your computer.
  7. Run Windows Update and install whatever it tells you to.
  8. I needed to do Step 7 twice.
  9. Reboot a second time.

When I did this procedure, Windows Update complained about a failed update. Retrying it, without rebooting, was successful however. If you experienced this problem, be prepared for a potential false error – the fix might have still been successful.

This was actually the second update to fail in the exact same way, the first being a Windows Defender patch from the initial Technical Preview release. That time, the problem went away when Microsoft released a new build and I updated to it. The same probably would be true when Microsoft replaces Build 9879 with whatever they have upcoming, albeit that is at least a month away. As far as I can tell, not a whole lot has changed.

Again, this is pre-release software. I will not knock Microsoft for it, especially since the update procedure is one of the key points of focus for the entire Technical Preview. The occasional failure is to be somewhat expected.

Source: WinSupersite

Know someone who uses Kaspersky Internet Security that is having trouble today?

Subject: General Tech | March 11, 2013 - 02:27 PM |
Tagged: Kaspersky Labs, patch

It would seem that a single specially malformed IPv6 packet is enough to completely lock up a PC protected by several versions of Kaspersky Internet Security.  There is currently a private patch available for machines suffering from this issue and there will be an official patch pushed out in the very near future.  According to The Register this flaw was originally reported to Kaspersky in January but as they had not released a patch the original discoverer of the flaw has gone public, which was obviously what it took to get them to fix the issue.  If you run into problematic PCs over the next few days you might want to check for Kaspersky Labs software before you really get into troubleshooting.

"After receiving feedback from the researcher, Kaspersky Lab quickly fixed the error. A private patch is currently available on demand and an autopatch will soon be released to fix the problem automatically on every computer protected by Kaspersky Internet Security 2013."

Source: The Register