News Posts matching "Spectre"

Return to Keyword Browsing

SEC Warns Tech Execs Not to Trade Stock When Investigating Security Flaws

The United States Securities and Exchange Commission (SEC) came down hard on silicon valley executives trading company stock when their companies were investigating security or design flaws that could potentially bring down stock value; as something like that borders on insider-trading, a felony under US law. This comes in the wake of senior executives of credit rating company Equifax, and chipmaker Intel, dumping company stock while their companies were investigating security flaws in their products or services. Intel CEO Brian Kraznich raised quite a stink when reports emerged that he sold $39 million worth Intel stock while the company was investigating the Meltdown and Spectre vulnerabilities in its processors (which hadn't been made public while he dumped the stock).

The SEC has come up with a far-reaching new guideline to keep tech execs from exhibiting similar borderline-insider-trading behavior. "Directors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company," the new guideline reads. "There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve," said SEC Chairman Jay Clayton. "I have asked the Division of Corporation Finance to continue to carefully monitor cybersecurity disclosures as part of their selective filing reviews. We will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed."

Updated Firmware Available for 6th, 7th and 8th Generation Intel Core Processors

Intel today shared in a blog post that they are deploying microcode solutions that have been developed and validated over the last several weeks. These updates aim to patch security vulnerabilities recently found in Intel processors, and will be distributed, mostly, via OEM firmware updates - users who want to have their system hardened against Spectre and Meltdown exploits will have to ensure that their system manufacturer of choice makes these microcode updates available. If they don't do it in a timely fashion, users have no choice but to be vocal about that issue - Intel has now done its part in this matter.

This is the second wave of Intel's patches to mitigate the Spectre and Meltdown vulnerabilities, after the first, hasty patch sent users on towards unstable, crashing systems and the inevitable update rollback. Security had already been reinstated, of sorts, for Intel's Skylake processors, but left users of any other affected Intel CPU family out in the cold. Here's hoping this is the one update that actually sticks after thorough testing and validation.

Intel Expands Bug Bounty Program in Wake Of Spectre, Meltdown Flaws

(Editor's Note: This move by Intel aims to expand their bug-bounty program to specifically include side-channel attacks, such as those that can be leverage on the Spectre and Meltdown exploits. The company is also increasing the rewards it will give the researchers who find new flaws, a move that aims to employ the masses' knowledge and ingenuity to try and reach the hard-earned bonus at the end of the vulnerability - all while saving Intel much more money than it's paying to bug hunters.)

At Intel, we believe that working with security researchers is a crucial part of identifying and mitigating potential security issues in our products. Similar to other companies, one of the ways we've made this part of our operating model is through a bug bounty program. The Intel Bug Bounty Program was launched in March 2017 to incentivize security researchers to collaborate with us to find and report potential vulnerabilities. This, in turn, helps us strengthen the security of our products, while also enabling a responsible and coordinated disclosure process.

ASUSTOR Responds to Intel Meltdown and Spectre Vulnerabilities

ASUSTOR Inc. is releasing ADM to version 3.0.5 to fix the Meltdown security vulnerability in Intel CPUs. The models receiving an update are: AS3100, AS3200, AS5000, AS5100, AS6100, AS6200, AS6300, AS6400 and AS7000 series. For the AS6302T and AS6404T NAS devices, ASUSTOR is releasing a BIOS update to patch the Meltdown and Spectre vulnerabilities. Other x86 NAS will be patched as soon as Intel releases a patch.

For ASUSTOR's other models, they will be patched as soon as an updated Linux kernel is released. On non-Intel CPU models, ASUSTOR is also continuing to work with the other relevant CPU manufacturers. ASUSTOR takes security very seriously. When further information is released, customers will be informed through the appropriate channels.

Intel Deploys Microcode Update for Spectre Flaw on Skylake

In another step of our Spectre/Meltdown odyssey, Intel has started deployment of a fixed update for its Skylake processors, which aims to neuter chances of a malicious attacker exploiting the (now) known vulnerabilities. This update, which comes after a botched first update attempt that was causing widespread system reboots and prompted Intel to change its update guidelines, is only for the Skylake platform; other Intel CPUs' updates remain in Beta state, and there's no word on when they might see a final deployment.

The new microcode is being distributed to industry partners, so that they can include it in a new range of firmware updates that will, hopefully, end the instability and vulnerabilities present in current mobile and desktop Skylake implementations. Users of other Intel architectures will still have to wait a while longer before updates for their systems are certified by Intel, distributed to industry partners, and then trickle to end users via firmware updates.

Microsoft Issues Update to Rollback Intel Spectre, Meltdown Problematic Patches

Multiple reports pegged some issues on Intel's rapid-fire, microcode and software response towards addressing the Spectre and Meltdown vulnerabilities, with Intel themselves coming forward, admitting to the problems' existence, and urging users not to perform said updates. However, Intel's press release wasn't very clear on whether or not users would be able to rollback changes in order to recover their machines' stability. Microsoft has taken the matter into its own hands, via an out of band update for Windows, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 - "Branch target injection vulnerability."

In Microsoft's testing, this particular update is the one that the company has found to be associated the most with stability issues on host machines, and their out of band update seems to mitigate these completely. Microsoft is also adding the possibility for users to either disable or enable the troublesome mitigation themselves, manually, via registry changes. Microsoft seems to have taken the job of cleaning house on themselves, after Intel's apparent hasty move to restore security to systems based on their CPUs.

US Lawmakers to Pull Up Intel, ARM, Microsoft, and Amazon for Spectre Secrecy

In the wake of reports surrounding the secrecy and selective disclosure of information related to the Meltdown and Spectre vulnerabilities leading up to the eventual January 3 public release, US lawmakers are unhappy with leading tech firms Intel, Microsoft, ARM, Apple, and Amazon. The five companies, among a few unnamed others, are being pulled up by a house committee over allegations of selective access of vital information that caught many American companies off guard on the January 3rd. Barring a few tech giants, thousands of American companies were unaware, and hence unprepared for Meltdown and Spectre until January 3, and are now spending vast resources to overhaul their IT infrastructure at breakneck pace.

In letters such as this one, addressed to CEOs of big tech firms, lawmakers criticized the secrecy and selective disclosure of information to safeguard IT infrastructure, which has left thousands of American companies out in the lurch, having to spend vast amounts of money securing their infrastructure. "While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures," they write.

Intel Warned China of Meltdown and Spectre Before the US Government

It's no surprise that leading Chinese tech companies have close associations with the Chinese Government and the PLA. Intel has waded into controversial waters as reports point to the chipmaker sharing information about its products' vulnerability to Meltdown and Spectre with Chinese tech companies before warning the United States Government, potentially giving the Chinese government either a head-start into securing its IT infrastructure, or exploiting that of a foreign government.

Lenovo and Alibaba were among the first big tech companies to be informed about Meltdown and Spectre; Lenovo is Intel's biggest PC OEM customer, while Alibaba is the world's largest e-commerce platform and cloud-computing service provider. Both companies are known to have close associations with the Chinese government. The United States Government was not part of the first group of companies informed about the deadly vulnerabilities.

Intel Processors to Have "In-silicon" Fixes to Meltdown and Spectre This Year

Intel, which benefited from the post-Q4 public-disclosure of Meltdown and Spectre vulnerabilities in its latest results, is hoping to mitigate its fallout on Q1-2018. The company, along with several other CPU designers, such as AMD and ARM, are firefighting the two devastating security vulnerabilities through OS kernel patches and CPU micro-code updates; which come at a slight expense of performance. In a bid to unnerve investors, company CEO Brian Krzanich announced that Intel is working on "in-silicon" fixes to Meltdown and Spectre.

An "in-silicon" fix would entail a major CPU micro-architecture design that's inherently immune to the two vulnerabilities and yet offers the benefits of modern branch-prediction and speculative execution. Krzanich says processors with in-silicon fixes to the two vulnerabilities will be released to market by the end of 2018.

Intel's Patch for Meltdown, Spectre "Complete and Utter Garbage:" Linus Torvalds

Linus Torvalds, creator of Linux, the most popular datacenter operating system, proclaimed Intel's patches for the recent Meltdown and Spectre CPU vulnerabilities "complete and utter garbage." Torvalds continues to work on the innermost code of Linux, and has been closely associated with kernel patches that are supposed to work in conjunction with updated CPU microcode to mitigate the two vulnerabilities that threaten to severely compromise security of data-centers and cloud-computing service providers.

Torvalds, in a heated public chain-mail with David Woodhouse, an Amazon engineer based out of the UK, called Intel's fix "insane" and questioned its intent behind making the patch "toggle-able" (any admin can disable the patch to a seemingly cataclysmic vulnerability, which can bring down a Fortune 500 company). Torvalds also takes issue with redundant fixes to vulnerabilities already patched by Google Project Zero "retpoline" technique. Later down in the thread, Woodhouse admits that there's no good reason for Intel's patches to be an "opt-in." Intel commented on this exchange with a vanilla-flavored potato: "We take the feedback of industry partners seriously. We are actively engaging with the Linux community, including Linus, as we seek to work together on solutions."

Intel Announces Root Cause of Meltdown, Spectre Patch Reboot Issue Identified

Intel has finally come around towards reporting on the state of the reboot issues that have been plaguing Intel systems ever since the company started rolling out patches to customers. These patches, which aimed to mitigate security vulnerabilities present in Intel's chips, ended up causing a whole slew of other problems for Intel CPU deployment managers. As a result of Intel's investigation, the company has ascertained that there were, in fact, problems with the patch implementation, and is now changing its guidelines: where before users were encouraged to apply any issued updates as soon as possible, the company now states that "OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior." A full transcription of the Intel press release follows.

Skyfall and Solace Could be the First Attacks Based on Meltdown and Spectre?

Out of the blue, a website popped up titled "Skyfall and Solace," which describes itself as two of the first attacks that exploit the Spectre and Meltdown vulnerabilities (it doesn't detail which attack exploits what vulnerability). A whois lookup reveals that the person(s) behind this website may not be the same one(s) behind the Spectre and Meltdown website. The elephant in the room, of course, is that the two attacks are named after "James Bond" films "Skyfall" and "Quantum of Solace." The website's only piece of text ends with "Full details are still under embargo and will be published soon when chip manufacturers and Operating System vendors have prepared patches," and that one should "watch this space for more." We doubt the credibility of this threat. Anyone who has designed attacks that exploit known vulnerabilities won't enter embargoes with "chip manufacturers and operating system vendors" who have already developed mitigation to the vulnerabilities.

AMD Is Served: Class Action Lawsuit Launched Over Spectre Vulnerabilities

Despite the grunt of the media's attention and overall customer rage having been thrown largely at Intel, AMD hasn't moved past the Spectre/Meltdown well, meltdown, unscathed. News has surfaced that at least two law firms have announced their intention of filing a class action lawsuit against AMD, accusing the company of not having disclosed their products' Spectre vulnerability, despite knowledge of said vulnerabilities.

AMD stated loud and clear that their processors weren't affected by the Meltdown flaw. However, regarding Spectre, AMD's terms weren't as clear cut. The company stated that its CPUs were vulnerable to the Spectre 1 flaw (patchable at a OS level), but said that vulnerability to Spectre 2's variant had "near-zero risk of exploitation". At the same time, the company also said that "GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors", adding that "While we believe that AMD's processor architectures make it difficult to exploit Variant 2, we continue to work closely with the industry on this threat.

BSODs from Meltdown and Spectre Firmware Updates Are Spreading Like the Plague

Have you ever taken your car to the mechanic shop to fix one thing but end up breaking another? Well, that's how Intel CPU owners are feeling right now. Intel previously confirmed that their Meltdown and Spectre firmware updates are causing irritating reboots on systems with Broadwell and Haswell processors. After analyzing the latest customer reports, they are acknowledging that the updates are also causing BSODs on the Kaby Lake, Skylake, Ivy Bridge, and Sandy Bridge platforms. This shouldn't come as a shocker considering how both the Meltdown and Spectre exploits affect Intel processors over the past 20 years. The possibility of all platforms suffering from the same side effects is extremely high. Fear not, though, as Intel is already working on an updated microcode to fix the constant system reboots. Motherboard vendors should have the beta microcode for validation by next week. Expect a new BIOS revision for your motherboard soon.

Adding Insult to Injury: Fake Spectre, Meltdown Patch Pushes Malware to Users

A Malwarebytes report calls attention to the latest occurrence in the inevitable trend that that ensues a particular security vulnerability being given coverage by the media. As users' attention to the vulnerability is heightened, so is their search for a solution, for a way to reduce the risk of exposition. Hence, users search for patches; and hence, some fake patches surface that take advantage of the more distracted, or less informed, of those who really just want to be left at peace.

Case in point: Malwarebytes has identified a recently-registered domain that is particularly targeting German users (remember: you can be next; it's just a matter of Google translating the page for it be targeting you as well). The website is offering an information page with various links to external resources about Meltdown and Spectre and how it affects processors, and is affiliated with the German Federal Office for Information Security (BSI) - all good, right?

InSpectre Tool Determines Whether Your PC is Vulnerable to Meltdown and Spectre

During the whole Meltdown and Spectre turmoil, Microsoft released a PowerShell script that lets users assess their system to determine whether it's properly protected against the two CPU exploits. To say that Microsoft's method is non-intuitive is an understatement though. Their procedure involves punching in several lines of commands into the PowerShell prompt only to be presented with an end result of mumbo jumbo. For users who fancy a more straightforward approach, InSpectre might be exactly what the doctor would order. InSpectre is a small tool designed by none other than famous software engineer Steve Gibson to automate Microsoft's time-consuming procedure in a a single click. It also provides results that even non-tech-savvy users can comprehend. However, InSpectre not only scans the user's system but also allows him to enable or disable the Meltdown and Spectre protections.

AMD Confirms They are Affected by Spectre, too

The public disclosure on January 3rd that multiple research teams had discovered security issues related to how modern microprocessors handle speculative execution has brought to the forefront the constant vigilance needed to protect and secure data. These threats seek to circumvent the microprocessor architecture controls that preserve secure data.

At AMD, security is our top priority and we are continually working to ensure the safety of our users as new risks arise. As a part of that vigilance, I wanted to update the community on our actions to address the situation.

Intel AMT Security Issue Lets Attackers Bypass Login Credentials

F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel's Active Management Technology (AMT) and potentially affects millions of laptops globally.

The security issue "is almost deceptively simple to exploit, but it has incredible destructive potential," said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. "In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures."

Intel Releases CPU Benchmarks with Meltdown and Spectre Mitigations

It's safe to say that there's one thing that you don't mess around with, and that's performance. Enthusiasts don't spend hundreds of dollars on a processor to watch it underperform. Given the complicated nature of the Meltdown and Spectre vulnerabilities, Microsoft's so-called mitigations were bound to have an impact on processor performance. The million dollar question was: Just how much? The initial estimate was somewhere around 30%, but Intel, being optimistic as usual, expected the performance impact to be insignificant for the average user. They recently provided some preliminary benchmark results that looked quite convincing too. Well, let's take a look at their findings, shall we?

Intel measured the mitgations' impact on CPU performance using their 6th, 7th, and 8th Generation Intel Core processors but, more specifically, the i7-6700K, i7-7920HQ, i7-8650U, and i7-8700K. The preferred operating system used in the majority of the benchmarks was Windows 10, however, Windows 7 also made a brief appearance. Intel chose four key benchmarks for their testing. SYSmark 2014 SE evaluated CPU performance on an enterprise level simulating office productivity, data and financial analysis, and media creation. PC Mark 10, on the other hand, tested performance in real-world usage employing different workloads like web browsing, video conferencing, application start-up time, spreadsheets, writing, and digital content creation. 3DMark Sky Diver assessed CPU performance in a DirectX 11 gaming scenario. Lastly, WebXPRT 2015 measured system performance using six HTML5- and JavaScript-based workloads which include photo enhancement, organize album, stock option pricing, local notes, sales graphs, and explore DNA sequencing.

Intel Chip Flaw Meltdown Prompts Company Reorganization, Internal Security Group

Intel CEO Brian Kzarnich announced on Monday to its employees that as part of the company's continued strife towards better communication and consideration of its customers, the creation of a new internal group was necessary. The move comes after considerable media and tech industry turmoil after news broke out on Intel's 10-year product stack being almost completely vulnerable to some specific exploits. The Intel Product Assurance and Security group will be headed by Intel HR chief Leslie Culbertson, who will have on her team the former Vice President and General manager of Intel's New Technology Group, Josh Walden, who was, alongside Steve Smith, Intel Vice President and General Manager of its Data Center Engineering group, pulled from his current functions to work under Culbertson.

"It is critical that we continue to work with the industry, to excel at customer satisfaction, to act with uncompromising integrity, and to achieve the highest standards of excellences," Krzanich told employees in a memo Monday, obtained by The Oregonian/OregonLive. "Simply put, I want to ensure we continue to respond appropriately, diligently, and with a customer-first attitude."

Microsoft Halts Meltdown-Spectre Patches to AMD PCs as Some Turn Unbootable

Microsoft late-Monday halted Meltdown and Spectre security patches to machines running AMD processors, as complaints of machines turning unbootable piled up. Apparently the latest KB4056892 (2018-01) Cumulative Update causes machines with AMD processors (well, chipsets) to refuse to boot. Microsoft has halted distributing patches to PCs running AMD processors, and issued a statement on the matter. In this statement, Microsoft blames AMD for not supplying its engineers with the right documentation to develop their patches (while absolving itself of any blame for not testing its patches on actual AMD-powered machines before releasing them).

"Microsoft has reports of customers with some AMD devices getting into an unbootable state after installing recent Windows operating system security updates," said Microsoft in its statement. "After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown," it added. Microsoft is working with AMD to re-develop, test, and release security updates, on the double.

Update (09/01): AMD responded to this story, its statement posted verbatim is as follows.

NVIDIA GeForce 390.65 Driver with Spectre Fix Benchmarked in 21 Games

The Meltdown and Spectre vulnerabilities have been making many headlines lately. So far, security researchers have identified three variants. Variant 1 (CVE-2017-5753) and Variant 2 (CVE-2017-5715) are Spectre, while Variant 3 (CVE-2017-5754) is Meltdown. According to their security bulletin, NVIDIA has no reason to believe that their display driver is affected by Variant 3. In order to strengthen security against Variant 1 and 2, the company released their GeForce 390.65 driver earlier today, so NVIDIA graphics card owners can sleep better at night.

Experience tells us that some software patches come with performance hits, whether we like it or not. We were more than eager to find out if this was the case with NVIDIA's latest GeForce 390.65 driver. Therefore, we took to the task of benchmarking this revision against the previous GeForce 388.71 driver in 21 different games at the 1080p, 1440p, and 4K resolutions. We even threw in an Ethereum mining test for good measure. Our test system is powered by an Intel Core i7-8700K processor overclocked to 4.8 GHz, paired with G.Skill Trident-Z 3866 MHz 16 GB memory on an ASUS Maximus X Hero motherboard. We're running the latest BIOS, which includes fixes for Spectre, and Windows 10 64-bit with Fall Creators Update, fully updated, which includes the KB4056891 Meltdown Fix.

RISC-V Foundation Issues Statement on Spectre, Meltdown Exploits

Recent articles in the media have raised awareness around the processor security vulnerabilities named Meltdown and Spectre. These vulnerabilities are particularly troubling as they are not due to a bug in a particular processor implementation, but are a consequence of the widespread technique of speculative execution. Many generations of processors with different ISAs and from several different manufacturers are susceptible to the attacks, which exploit the fact that instructions speculatively executed on incorrectly predicted code paths can leave observable changes in micro-architectural state even though the instructions' architectural state changes will be undone once the branch prediction is found incorrect. No announced RISC-V silicon is susceptible, and the popular open-source RISC-V Rocket processor is unaffected as it does not perform memory accesses speculatively.

Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown

By the time Intel launched its 8th generation Core "Coffee Lake" desktop processor family (September 25, 2017, with October 5 availability), the company was fully aware that the product it is releasing was vulnerable to the three vulnerabilities plaguing its processors today, the two more publicized of which, are "Spectre" and "Meltdown." Google Project Zero teams published their findings on three key vulnerabilities, Spectre (CVE-2017-5753 and CVE-2017-5715); and Meltdown (CVE-2017-5754) in mid-2017, shared with hardware manufacturers under embargo; well before Intel launched "Coffee Lake." Their findings were made public on January 3, 2018.

Intel's engineers would have had sufficient time to understand the severity of the vulnerability, as "Coffee Lake" is essentially the same micro-architecture as "Kaby Lake" and "Skylake." As one security researcher puts it, this could affect Intel's liability when 8th generation Core processor customers decide on a class-action lawsuit. As if that wasn't worse, "Skylake" and later micro-architectures could require micro-code updates in addition to OS kernel patches to work around the vulnerabilities. The three micro-architectures are expected to face a performance-hit, despite Intel extracting colorful statements from its main cloud-computing customers that performance isn't affected "in the real-world." The company was also well aware of Spectre and Meltdown before its CEO dumped $22 million in company stock and options (while investors and the SEC were unaware of the vulnerabilities).

Intel Issues Updates to Protect Systems From Security Exploits

Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems -- including personal computers and servers -- that render those systems immune from both exploits (referred to as "Spectre" and "Meltdown") reported by Google Project Zero. Intel and its partners have made significant progress in deploying updates as both software patches and firmware updates.

Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.
Return to Keyword Browsing