Meltdown & Spectre

Margret

TCS Member
Thread starter
Top Cat
Joined
Jul 17, 2014
Messages
6,497
Purraise
8,927
Location
Littleton, CO
Hello, all.

Over the last few days, the world of technology has been rocked by the news that there are design flaws in virtually all Intel chips out there (anything manufactured since 1995) which leave them vulnerable to attack. All major Operating System vendors are offering patches; here's what I've been able to find out about these flaws (known as Meltdown and Spectre) and the available patches.

First, Frequently Asked Questions, or FAQs:
Meltdown and Spectre FAQ: Fix for Intel CPU flaws could slow down PCs and Macs

The latest overview I was able to find, and the status of patches: which are available, where to get them, etc.:
Meltdown and Spectre Fixes Arrive—But Don't Solve Everything

From January 4th, How to protect your devices from Meltdown and Spectre attacks:
[Guide] How to Protect Your Devices Against Meltdown and Spectre Attacks

Statement from Microsoft about how your 3rd party anti-virus software may be blocking you from installing the patch:
Windows Meltdown-Spectre patches: If you haven't got them, blame your antivirus | ZDNet

More about the potential problems with 3rd party anti-virus software:
Microsoft warns patches for Meltdown, Spectre may clash with AV

There have been warnings that the patches may cause devices to run more slowly. However, this report says that those warnings seem to have been overblown:
Tech Titans Downplay Meltdown And Spectre Patches' Performance Hits

It's still early days. New chips will, of course, be manufactured without these flaws now that they're known, but it's highly unlikely that you'll be able to get your devices repaired; eventually you'll want to buy something new. If you're currently in the market for a new computer, tablet, or smartphone you may want to wait until a version with the new chipsets becomes available.

My intent is to continue posting information and links in this thread as they become available, and I would appreciate any information others have to share on this topic.

If you haven't gotten your security updates yet, please do so as soon as they become available. I just spent 45 minutes or so manually updating my Windows 7 laptop. You'll probably want to save all files and close all running programs before updating, as the update is almost certain to conclude with an instruction to restart your machine.

Just one more thing: Don't Panic! As of yet there are no known viruses attempting to take advantage of these flaws. You still have time to beat the bad guys to the punch.

Margret
 

arouetta

Slave of Bastet's acolytes
Top Cat
Joined
Mar 31, 2016
Messages
2,117
Purraise
2,891
Can you edit your post here and anywhere else you've posted to include that AMD and ARM (phones and tablets) CPUs are also affected by Spectre? Because you said Intel I initially thought I wouldn't have any problems since I have an AMD processor.
 

nansiludie

TCS Member
Top Cat
Joined
Mar 14, 2014
Messages
2,171
Purraise
1,213
This is OT, but Margret, you seem most knowledgeable in computers. I have an old one I would like to sell, but am wondering how I might get all my personal information off of it? I was thinking of doing a complete system recovery/reboot. Would that do the trick?
 

Margret

Can you edit your post here and anywhere else you've posted to include that AMD and ARM (phones and tablets) CPUs are also affected by Spectre? Because you said Intel I initially thought I wouldn't have any problems since I have an AMD processor.
My initial post is no longer editable, but you're correct about that. The only products manufactured since 1995 that I know are not vulnerable because of these bugs are smart watches, and it may be just one brand of smart watches.

I apologize that my initial post was poorly worded. Actually, I was uncertain whether AMD and ARM are types of chips or manufacturers. :paperbag: I got most of my information from a Google search.

So that everyone knows up-front where I come from on computers, yes, I'm a computer geek. Unfortunately I'm a computer geek with a 10-year gap in my memory, from 2002-2012, due to a benign brain tumor. I've been working assiduously to fill in the computer blanks from that gap, but keeping track of manufacturers has not been high on my list. The last OS I remember having from before my brain tumor was Windows 3; I completely missed Windows Vista and Windows XP and beyond. I now have Windows 7, and am pretty much up to speed on it. I tried Windows 8, detested it, and upgraded to 8.1. I still detested it, so I reverted to 7, and I've resolutely avoided Windows 10, which has some separate security problems that Microsoft doesn't like to talk about. When I finally have to upgrade I may end up switching to Linux, but it will take a lot of support from my brother the electrical engineer and my computer club.

Margret
 

Margret

nansiludie, all major brands of computers try to make it fairly easy to recover lost data. Mostly this is quite useful, but when you're selling a used computer it leaves you vulnerable because there are data recovery programs available that people can use to get hold of things like lists of passwords, PayPal statements, private text files where you were working out the wording of an emotionally vulnerable email to a family member, etc.

Give me a few days to talk with my brother and my computer club and I'll PM you about the best way to permanently erase data, but I can tell you up-front what my brother will say: "I'm not sure. We've always taken a hammer to our hard drives rather than re-sell them." :lol: Nevertheless, there are programs available to securely erase files by writing and re-writing nonsense data on top of them to the point where the original data can't be found. I'll need to know what kind of computer it is. PM me.

Margret
 

arouetta

A factory reset isn't secure; the data is still there but the file tree was erased. Anyone good with computers can find the files without needing the file tree. The only real way is what Margret said, a complete overwrite of every single bit.

As cheap as hard drives are these days you might want to consider lowering the asking price and selling it without the hard drive. A desktop is beyond easy to put a hard drive in, and a lot of laptops make the hard drive easy to access.
 

bodester413

TCS Member
Alpha Cat
Joined
Jan 26, 2016
Messages
397
Purraise
532
Location
Midwest USA
Cool. Thanks Margret. I was looking around yesterday trying to figure out what I needed to do. Updating Windows 7 was as far as I got. It looks like Microsoft should be releasing an update tomorrow for Windows 7. I'll check the Asus website and see if they have anything for the motherboard model my computer uses. I'll report back if I run into any weirdness installing the Windows update or the motherboard patch (if they have one yet for my system).
 

Margret

The Microsoft security update is already out; I manually installed it a couple of days ago. For what it's worth, I also have the free versions of MalwareBytes, Super AntiSpyware, and Spybot Search and Destroy (Spybot S&D), and none of them interfered with the update, nor have I been getting the Blue Screen of Death.

If Microsoft shows the update as unavailable it means that they've detected anti-viral software on your system that would cause BSOD from this update, so you may want to change your security arrangements. I haven't found a list of which programs cause this problem, and security companies are scrambling to fix it if their products do, but when I do see such a list I'll post it here.

Margret
 

Margret

Regarding which 3rd party security products will work with the security update from Microsoft, see this article: Windows Meltdown-Spectre fix: How to check if your AV is blocking Microsoft patch | ZDNet. I note that their list doesn't include all 3rd party security programs available, so there are still a lot we don't know about.

I also note that Microsoft advises that in addition you need a firmware patch from the maker of your machine. These should be available for free, whether or not your machine is still under warranty, but I can't promise that. As for finding them, check the manufacturer of your machine and go to their website.

Edit: Excellent overview article, focusing primarily on Windows but it also goes into the history of these bugs, and has a lot of links: Windows, Meltdown and Spectre: Keep calm and carry on
I note that it states that there are no manufacturers who have the firmware updates available. I also note that it says these flaws were discovered last June but had been kept quiet so that patches could be built without alerting the bad guys, but that someone leaked information prematurely. And that the CEO of Intel sold off $24 million of his Intel stock in November, which sounds a heck of a lot like insider trading to me.

Margret
 

bodester413

I ran Windows 7 update and it let me install the monthly rollup kb 4056894 with the Meltdown fix. Rebooted and everything seems fine so far. I use Microsoft Security Essentials, Superantispyware free and Spyware Blaster.

If it helps any, these are my computer's specs:
Windows 7 sp1 home premium
Intel Core i3 2100 processor
Asus P8H61-M motherboard

This didn't affect my computer, but apparently some systems that use older AMD processors get an error after installing kb 4056894. The thread lists known AMD processors that have trouble and links to some other threads on different websites that talk about the same problem. Link below.

STOP: 0x000000C4 after installing KB4056894 - 2018-01 Security Monthly Quality Rollup for WIndows 7 for x64
 

Margret

Good research, bodester413. It enabled me to double-check that the update I installed was, indeed, the correct one.

So, in addition to Microsoft Security Essentials and Windows Defender (both available for free from Microsoft), we now have 4 third party security programs that we know won't interfere: MalwareBytes Free, Superantispyware free, Spybot S&D free, and Spyware Blaster, as well as the ones listed in the article at Windows Meltdown-Spectre fix: How to check if your AV is blocking Microsoft patch | ZDNet

I've never used Spyware Blaster, but I know the other three to be excellent products and highly recommend them if anyone is worried that the products they're already using may be problematic.

Not specific to Meltdown and Spectre, general security rules for all users of all systems:
  • Never click on any link in an email sent to you by an unknown person. Some emails will say they come from someone in your contacts list, but when you hover your cursor over the name of the sender, or right click on it, you can see the actual email address. I've even gotten spam that says it comes from me, but is not from any email address that I use. (And, yes, I do occasionally send email to myself; it's an easy way to transfer some information between devices. Never identity theft info or passwords, however.)
  • Never, never, NEVER give out your password, your exact date of birth, your mother's maiden name, your social security number (for U.S. citizens), or other potential identity theft information except to someone with a genuine need to know. Some sites offer contests that will ask for your DOB, presumably because they need to restrict their contest to people 18 and older. That is not a genuine need to know. They may need your age (or, better yet, an age range), but they don't need your DOB for that. If that is a requirement for entering the contest, don't enter.
  • Legitimate sites from which you may shop (Amazon, eBay, PayPal, etc.) will never send you an email asking you to "verify" your account by providing either identity theft information or password information. Any such email is a phishing expedition; forward it to the appropriate email address of the company that's being spoofed.
  • When installing free software from online (I have a lot of that), I don't care how much of a computer illiterate you are or think you are: Don't click on the button that says "Recommended installation" or something of that sort. Instead click on the button that says "For Advanced users," even if it makes you feel like you're masquerading as something you aren't. Then turn down all offers of other software, toolbars for your browser, etc. If you click on the "Recommended" installation those will all be installed for you, without your consent, and some of them contain really nasty stuff.
  • As a general rule, when installing free software from online it's safer to get it from the developer's website than from a third party website, like CNet.
  • Also as a general rule, avoid installing toolbars. Some of them will do things like reset your home page or your preferred search engine; some of them will actually hijack your browser entirely.
  • Some websites require cookies to run properly. Most browsers will have a setting that allows you to accept the cookies, but delete them when you close the browser. This setting can give you the best of both worlds - cookies to make the website run properly, but no cookies saved permanently to be a security risk. Be aware, however, that when browsers close unexpectedly most of them offer a "Restore Session?" option when you bring them back up, which does use cookies. This means that cookies aren't deleted when the browser closes unexpectedly. You can use this to your advantage to give you a one-time save of your cookies, by using Windows Task Manager (Windows specific, I know) to close your browser instead of clicking on the "x" in the top right corner.
  • If you want to avoid being tracked online, use DuckDuckGo as your preferred search engine (DuckDuckGo). It will also give you better results than Google on most searches, a higher percentage of relevant hits.
Hope this is helpful.

Margret
 

Margret

Latest updates:

Microsoft has announced that all future security updates are dependent on any 3rd party antivirus software having set a particular BIOS switch: Windows Meltdown patch: No more security updates for your PC if your AV isn't compatible (Note: This article also contains a link to a list of 3rd party AV vendors which will tell you which ones are compliant. I was unable to get the link to display here, so get it from the article.)

How to check whether your Win 10 PC remains vulnerable: How to check if your PC is protected from the Meltdown and Spectre exploits (Note: This article contains links to the needed firmware updates, so everyone should read it, no matter what OS you have.)

Since Microsoft's security updates rolled out, machines that got the update and also have either an AMD processor or an AMD video chip have been suffering from the blue screen of death, and standard efforts to recover the machines haven't been working. (Microsoft explains [of course] that this is AMD's fault for giving them inaccurate information.) Microsoft has yanked the buggy patch, but it isn't clear to me how you're supposed to remove it from your computer if all you can get is a blue screen. Perhaps someone else here can gather more from this article than I can: Microsoft yanks buggy Windows Meltdown/Spectre patches for AMD computers (Note: This article also contains speculation that the free versions of various 3rd party AV programs may not set the necessary BIOS switch for future security updates, and states that it's important to update any 3rd party AV software you use to the latest version, not just the latest virus definitions.)

For now, this is all I have. I'm off to get the latest version of Malwarebytes Free and update my firmware.

Margret
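
A read-only check for the situation discussed in the post above, as an added example that is not part of the original thread. Microsoft's published guidance implements the antivirus compatibility marker as a registry value, and this script reports whether that value is set and whether the rollup named earlier in the thread (KB4056894) is installed. The function names are hypothetical, and the default KB number applies only to Windows 7 SP1.

```powershell
# Added example, not from the thread. Read-only: it changes nothing.
param(
    # KB number named in this thread (Windows 7 SP1, January 2018 rollup).
    # Other Windows versions received different KB numbers.
    [string]$KbId = 'KB4056894'
)

# Registry value Microsoft asked antivirus vendors to create to mark their
# product as compatible with the January 2018 security updates.
$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-AvCompatFlag {
    # True only when the value exists and holds the expected DWORD 0.
    if (-not (Test-Path $compatKey)) { return $false }
    $props = Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    $prop = $props.PSObject.Properties[$compatName]
    return ($null -ne $prop -and $prop.Value -eq 0)
}

function Test-UpdateInstalled([string]$Id) {
    # Get-HotFix raises an error when the KB is absent; suppress it.
    $fix = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    return ($null -ne $fix)
}

$flagSet   = Test-AvCompatFlag
$installed = Test-UpdateInstalled $KbId

Write-Output ("AV compatibility value set : {0}" -f $flagSet)
Write-Output ("{0} installed          : {1}" -f $KbId, $installed)

if ($installed) {
    Write-Output 'The update is present. Check the hardware maker for firmware.'
} elseif (-not $flagSet) {
    Write-Output 'Windows Update will withhold the patch until the value exists.'
    Write-Output 'Update the antivirus program itself, not only its definitions.'
} else {
    Write-Output 'The value is set. Run Windows Update to fetch the patch.'
}
```

If the value is missing, the fix is to update the antivirus product so that it sets the value itself; creating it by hand on a machine with an incompatible product invites the blue screen errors the thread describes.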
 

bodester413

Oh man....I checked for a bios update for my motherboard......The last one was from 2014. I hope Asus goes back more than a few years......I built my computer in 2011.......arghhh...

Well that sucks. From that article about Microsoft yanking buggy updates it sounds like using system restore doesn't even help a lot of the time.
 