Updated Firmware Available for 6th, 7th and 8th Generation Intel Core Processors

[Raevenlord]

Intel today shared in a blog post that they are deploying microcode solutions that have been developed and validated over the last several weeks. These updates aim to patch security vulnerabilities recently found in Intel processors, and will be distributed, mostly, via OEM firmware updates - users who want to have their system hardened against Spectre and Meltdown exploits will have to ensure that their system manufacturer of choice makes these microcode updates available. If they don't do it in a timely fashion, users have no choice but to be vocal about that issue - Intel has now done its part in this matter.

This is the second wave of Intel's patches to mitigate the Spectre and Meltdown vulnerabilities, after the first, hasty patch sent users on towards unstable, crashing systems and the inevitable update rollback. Security had already been reinstated, of sorts, for Intel's Skylake processors, but left users of any other affected Intel CPU family out in the cold. Here's hoping this is the one update that actually sticks after thorough testing and validation.



View at TechPowerUp Main Site

 

[Upgrayedd]

I'm on 4th gen and uninstalled the Win10 update. Ez fix.

 

[oxidized]

Am i the only one not giving a sh*t about this? Why should i worry for my security? Why would someone exploit these flaws to hack me?

 

[_JP_]

Meanwhile Haswell is still drifting trough mud...

 

[SL2]

Did you look at the pdf? Seems like a lot of updates are coming, at least for Sandy Bridge, Ivy Bridge, Haswell and Broadwell who currently are in beta.

Pretty much anything up to 10 years old is in there including Penryn and Wolfdale, although not in beta yet. Conroe is the newest CPU type that isn't mentioned.

https://newsroom.intel.com/wp-content/uploads/sites/11/2018/02/microcode-update-guidance.pdf

 

[R-T-B]

Why should i worry for my security? Why would someone exploit these flaws to hack me?

Because in the modern world, everyone's data has value. Yes, even you and your boring bank account.

 

[Arrakis9]

Time to fire up the ubu tool and make myself another modded bios, thanks Asus

 

[Space Lynx]

So basically I just wait for MSI to post a BIOS update for my Z370 motherboard (8700k)? Fine by, I am sure they will do it in a week or so. Hope they do anyway, would be nice to get out of the way before I do my next clean install in early March.

 

[oxidized]

Because in the modern world, everyone's data has value. Yes, even you and your boring bank account.

If i was a hacker or cracker or whatever you want, i wouldn't even bother to steal bank accounts or other stuff to someone like myself, i think everyone has been overreacting way too much about this, the only people who should really worry about are companies, even small ones, but "normal" people i think will risk next to nothing.

 

[R-T-B]

If i was a hacker or cracker or whatever you want, i wouldn't even bother to steal bank accounts or other stuff to someone like myself

No offense, but this is why you aren't.

 

[oxidized]

No offense, but this is why you aren't.

Also it's not like you'll find people who are able to exploit that in the apartment next to yours, it's a pretty hard thing to do, it took many years to be discovered, what makes you think that those few who know how it all works and how to exploit, will come and try to steal from "small fishes" like ourselves? Unless you own, or are part of some company, in that case you're very well excused.

 

[Aquinus]

No offense, but this is why you aren't.

Sorry but, servers are where the real money is at. Why do all that work to get into a personal machine when you can get into a server with an entire database full of information? Just remember, if you're trying to hit a hardware vulnerability with respect to memory visibility, the attacker is already on the machine. That's the important bit that needs to be understood.

 

[Prima.Vera]

To be honest I am more concerned about the performance impact those updates will bring.

 

[eidairaman1]

Am i the only one not giving a sh*t about this? Why should i worry for my security? Why would someone exploit these flaws to hack me?

Identity theft

 

[R-T-B]

Sorry but, servers are where the real money is at. Why do all that work to get into a personal machine when you can get into a server with an entire database full of information? Just remember, if you're trying to hit a hardware vulnerability with respect to memory visibility, the attacker is already on the machine. That's the important bit that needs to be understood.

Malware strains cast blanket nets. Since they depend on the user for infection, it often is not the malware writer doing the labor to set it up, so yes they are more likely to personally oversee an op on say a bank server, but they are not beyond writing malware to target the casual user. They can, will, and have. They are still interesting targets when brought in "fish net" style.

Also it's not like you'll find people who are able to exploit that in the apartment next to yours, it's a pretty hard thing to do, it took many years to be discovered, what makes you think that those few who know how it all works and how to exploit, will come and try to steal from "small fishes" like ourselves?

Explained above.

 

[oxidized]

Identity theft

Malware strains cast blanket nets. Since they depend on the user for infection, it often is not the malware writer doing the labor to set it up, so yes they are more likely to personally oversee an op on say a bank server, but they are not beyond writing malware to target the casual user. They can, will, and have. They are still interesting targets when brought in "fish net" style.



Explained above.

So in your opinion, someone who knows how to exploit spectre and meltdown, which are probably like dozens of people within the hundred, will risk it and waste time stealing personal data to someone like me? Wait aren't google and microsoft (and many others) doing that already? I think we live in a world nowadays, that if you don't want to risk being robbed of personal data and contents, you better not even look at PCs, smartphones, TVs, telephones, and internet connection of course.

 

[R-T-B]

So in your opinion, someone who knows how to exploit spectre and meltdown, which are probably like dozens of people within the hundred, will risk it and waste time stealing personal data to someone like me?

Yes. Many people like you, being the key distinction. Malware doesn't target one user.

Of course if you can keep your machine free of malware, you should be fine. But it is another vector, and quite a big one for that matter.

You are also massively underestimating the amount of people who can exploit this. With example exploits in the wild, I could probably code something.

I think we live in a world nowadays, that if you don't want to risk being robbed of personal data and contents, you better not even look at PCs, smartphones, TVs, telephones, and internet connection of course.

You are right that being at zero risk is a myth in this day and age. But you can and should understand your exploits if you are in IT, and more importantly, why these patches are important.

 

[eidairaman1]

So in your opinion, someone who knows how to exploit spectre and meltdown, which are probably like dozens of people within the hundred, will risk it and waste time stealing personal data to someone like me? Wait aren't google and microsoft (and many others) doing that already? I think we live in a world nowadays, that if you don't want to risk being robbed of personal data and contents, you better not even look at PCs, smartphones, TVs, telephones, and internet connection of course.

Id theft, they can steal your bank info/money/setup fake billing accounts, ruin your credit/Social Security etc in the U.S. Also there are lurkers here who could do it especially if a person were to piss them off.

 

[Space Lynx]

Identity theft

Too late for that, 144 million peoples infos are already in the Dark Web thanks to Equifax. lol I think they recently came out and said it was a lot more info stolen than just SSN and DoB and Addresses as well, lol. So yeah, worrying about that is like.. well I don't know a good analogy, but its too late to care anymore. Just have to have moinotr your credit report and pay for a Identity Theft Insurance is only thing you can do anymore, and I am doing both on a monthly basis.

 

[newtekie1]

Id theft, they can steal your bank info/money/setup fake billing accounts, ruin your credit/Social Security etc in the U.S. Also there are lurkers here who could do it especially if a person were to piss them off.

For the common user, Spectre and Meltdown pose little additional threat. To be exploited the attacker has to already have the ability to run admin level code on the machine, so at that point, why even waste time using the Spectre and Meltdown exploits? Why not just monitor activities and steal usernames and passwords as they are typed, or if people are stupid enough to store them in their browsers, just steal the browser save data directly? I mean, it's much easier than reading small chunks of memory and hoping they contain something useful. If the attacker is already to the point that they can freely execute code on your machine, if you've allowed them to get that far, you're already screwed.

 

[Space Lynx]

For the common user, Spectre and Meltdown pose little additional threat. To be exploited the attacker has to already have the ability to run admin level code on the machine, so at that point, why even waste time using the Spectre and Meltdown exploits? Why not just monitor activities and steal usernames and passwords as they are typed, or if people are stupid enough to store them in their browsers, just steal the browser save data directly? I mean, it's much easier than reading small chunks of memory and hoping they contain something useful. If the attacker is already to the point that they can freely execute code on your machine, if you've allowed them to get that far, you're already screwed.

It still would be nice if MSI updates their BIOS with it soon, since I am doing a new and sealed build - clean install everything new March 2nd

I always like to update everything fully before I do a clean install like this on a new build. and then run shutupten, apply all. and then never update anything for a year, and rinse and repeat every year. seems to work for me and i never have issues lol

 

[oxidized]

Id theft, they can steal your bank info/money/setup fake billing accounts, ruin your credit/Social Security etc in the U.S. Also there are lurkers here who could do it especially if a person were to piss them off.

Again, it's not something a hacker would waste his time on, not that level of hacker anyway, we're all tiny fishes in a pond, they aim to get the biggest fishes in the ocean.

I'd surely keep my performance instead of trading it for security i really don't need, not that kind and that level anyway.

 

[eidairaman1]

Again, it's not something a hacker would waste his time on, not that level of hacker anyway, we're all tiny fishes in a pond, they aim to get the biggest fishes in the ocean.

I'd surely keep my performance instead of trading it for security i really don't need, not that kind and that level anyway.

Good luck then

 

[TheinsanegamerN]

So in your opinion, someone who knows how to exploit spectre and meltdown, which are probably like dozens of people within the hundred, will risk it and waste time stealing personal data to someone like me? Wait aren't google and microsoft (and many others) doing that already? I think we live in a world nowadays, that if you don't want to risk being robbed of personal data and contents, you better not even look at PCs, smartphones, TVs, telephones, and internet connection of course.

Why do you have it stuck in your head they are targeting you specifically? You are just a number. One of many that will get infected if you are not patched.

See, the way it works is simple. Someone who knows hot to expoloit could then write malware that works via drive by attack. If they managed to infect a widely used platform like, say, google or facebook, then there are hundreds of millions of people, just like you, that would get infected.

Every single one of those people has at least a little money to loose, and spread around an entire planet, that is hundreds of millions that could be made, between bank accounts, identity theft, stolen credit cards, ece. Malware is often designed like a fishing net for a reason, after all.

They wont spend tons of time on just you. They will spend tons of time on an exploit that affects multiple millions of people, many just like you, and profit that way. You are no special snowflake, but you ARE a prime target, what with you "why would anybody bother with me" attitude.

but, you know what they say, "a fool and his money/identity"

 

[oxidized]

Why do you have it stuck in your head they are targeting you specifically? You are just a number. One of many that will get infected if you are not patched.

See, the way it works is simple. Someone who knows hot to expoloit could then write malware that works via drive by attack. If they managed to infect a widely used platform like, say, google or facebook, then there are hundreds of millions of people, just like you, that would get infected.

Every single one of those people has at least a little money to loose, and spread around an entire planet, that is hundreds of millions that could be made, between bank accounts, identity theft, stolen credit cards, ece. Malware is often designed like a fishing net for a reason, after all.

They wont spend tons of time on just you. They will spend tons of time on an exploit that affects multiple millions of people, many just like you, and profit that way. You are no special snowflake, but you ARE a prime target, what with you "why would anybody bother with me" attitude.

but, you know what they say, "a fool and his money/identity"

So what benefit could i possibly have patching these flaws on my computer, if the hackers, could hack my bank for example? Do you realize you basically agreed with me? It's not us who should be worrying for that, it's banks and other big sources of money and data ofc.