1 minute ago, AshleyAshes said:

Never heard of industrial and corporate espionage or sabotage? The attack vector very well COULD be someone in the physical location. When you say there is 'a very low chance' what you are also saying is 'There is a chance'.

If your physical security is compromised then you're already fucked regardless of an exploit like this.  Hell the desktop will probably have a "passwords.txt" file and network shares wide open.

Workstation:  9800X3D|| Asus X670E ProArt Creator || MSI Gaming Trio 4090 Shunt || T.Force 7800CL34 || Corsair AX1600i@240V || whole-house loop.

LANRig/GuestGamingBox: 13700K @ Stock || MSI Z690 DDR4 || ASUS TUF 3090 650W shunt || Corsair SF600 || CPU+GPU watercooled 280 rad pull only || whole-house loop.

Server Router (Untangle): 13600k @ P-Core only || ASRock Z690 ITX || All 10Gbe || 2x8GB 3200 || PicoPSU 150W 24pin + AX1200i on CPU|| whole-house loop

Server Compute/Storage: 10850K @ 5.1Ghz || Gigabyte Z490 Ultra || EVGA FTW3 3090 1000W || LSI 9280i-24 port || 4TB Samsung 860 Evo, 5x10TB Seagate Enterprise Raid 6, 4x8TB Seagate Archive Backup ||  whole-house loop.

Laptop: HP Elitebook 840 G8 (Intel 1185G7) + 4070 RTX Thunderbolt Dock, Razer Blade Stealth 13" 2017 (Intel 8550U)

1 minute ago, Matu20 said:

So why is this bug so important now? It's been there for years and suddenly every third news topic is about that.

Because this is the first time we have heard about it. I don't think anyone knew about it till now.

I just want to sit back and watch the world burn. 

1 minute ago, AnonymousGuy said:

If your physical security is compromised then you're already fucked regardless of an exploit like this.  Hell the desktop will probably have a "passwords.txt" file and network shares wide open.

You realise that you are literally trying to make an argument for 'Make security 'good enough' and then don't try any harder' right?  Like, you are now 'That Guy'.  Think about that.

Just now, Matu20 said:

Yeah, but it's like a week old news now. And still keeps going.

This is probably about as bad as the Equifax hack. In terms of how wide spread. Or even more so, because it affects every one across the world. 

57 minutes ago, Donut417 said:

This is probably about as bad as the Equifax hack. In terms of how wide spread. Or even more so, because it affects every one across the world. 

I understand that, but there is nothing we can do, so why bother covering every little move of it?

1 hour ago, AnonymousGuy said:

The only attack vector, I'm saying, would basically be someone physically sitting in front of these machines.  Even if they're connected to the internet, which is unlikely due to the difficulty I describe, there's a very low chance they're even running a browser capable of loading the scripts that would be needed to deliver one of these exploits.  Not to mention why would anyone even be browsing the internet from a machine that old?

I don't think you're considering all the ramifications of this.

 

Can you guarantee that a piece of malware wouldn't be able to intrude into the computer using a network vector, instead of a browser vector? While it's unlikely that a P2 CPU is running a modern browser, many of them are likely Internet connected, or Intranet connected, both of which could still be attack vectors.

 

Even though the risk might be "comparably low", it's still there, and a LOT of businesses still run these types of systems in critical equipment.

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 

3 minutes ago, Matu20 said:

I understand that, but there is nothing we can do, so why bother covering every little move of it?

Um. Intel has released a microcode update and Microsoft has released an update on its end as well for the Meltdown bug, so something is being done. And while we the end users can't do anything, businesses tend to have armies of lawyers, so any dispute that happens will happen in the courts. Intel will do what it can to minimize the damage this has, not only to its business but also to its reputation.

 

5 minutes ago, dalekphalm said:

Even though the risk might be "comparably low", it's still there, and a LOT of businesses still run these types of systems in critical equipment.

That has me thinking about how many US government systems are affected. I mean, up till recently the Nuclear Missile Silos ran on machines that used 5 1/4 disks.

15 hours ago, NumLock21 said:

Didn't Win10 include Linux built in or something? Maybe I can use that to update.

It's got a Linux subsystem but I don't think you'll be able to use that to do the microcode update, just doesn't seem likely to me.

4 hours ago, Sniperfox47 said:

Just to be clear, it's not something where you just update it and it's good. The update needs to be either embedded into the UEFI or BIOS of your motherboard so it can be loaded into your processor when it powers on, or it needs to be patched into the CPU at runtime every time the system is rebooted.

From what I've read, that's my understanding as well.  The microcode update must be run on every startup, which means it needs to be launched via the OS that you're running.  Even if you dual boot Windows and Linux, it would only help with the Linux side.  Since these patches are Linux only, it won't work to update Windows (not to the best of my knowledge, anyway).

 

Besides, I'm pretty sure these microcode updates are only for the performance hit mitigation, rather than any actual fixes.

16 hours ago, TetraSky said:

So, how do I know if it's installed or not?
I followed the steps to install it through the VMware CPU Microcode Update Driver; it said it was successful with 0 errors, but how do I check that?

In HWiNFO, I get this : 
Microcode Update Revision:  7

Alright, you guys are going to laugh at this.

1- Was able to confirm it did work and it's patched (previous update revision was 4).

2- It fixed my issue with my 4K monitor having issues on boot, flashing on and off in the BIOS. (YAY!)

3- Fucking broke the start menu.

 

Yup, my start menu is broken now. For the first time ever, I get to experience the bullshit that is the Windows 10 menu not working. (Not only that: while I can right click on the start menu, it doesn't work anymore, and neither do any opened windows or applications in the task bar; the notification center also doesn't work.)

This can't be a coincidence; it literally started doing this after the very first boot after patching the microcode. Rebooting does not help, did sfc /scannow, no issues found...
So let's just say I'm having a ton of fun right now trying to fix it... damn it.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB RAM: Corsair Vengeance LPX 2x16GB DDR4-3200
MOBO: MSI B450m Gaming Plus NVME: Corsair MP510 240GB / Case: TT Core v21 PSU: Seasonic 750W / OS: Bazzite

5 hours ago, Sniperfox47 said:

Just to be clear, it's not something where you just update it and it's good. The update needs to be either embedded into the UEFI or BIOS of your motherboard so it can be loaded into your processor when it powers on, or it needs to be patched into the CPU at runtime every time the system is rebooted.

Same with that recent Intel ME update. After updating the ME, I wanted to check whether that update was actually BIOS level or just on the OS, 'cause if it's on the OS that means every time I format my OS I have to reapply that ME update. After updating the ME, I did a clean install of Win10, ran the ME update check to see if it's still patched or not, and it says it's patched.

2 hours ago, Jito463 said:

From what I've read, that's my understanding as well.  The microcode update must be run on every startup, which means it needs to be launched via the OS that you're running.  Even if you dual boot Windows and Linux, it would only help with the Linux side.  Since these patches are Linux only, it won't work to update Windows (not to the best of my knowledge, anyway).

 

Besides, I'm pretty sure these microcode updates are only for the performance hit mitigation, rather than any actual fixes.

The Microcode update is for the Spectre Variant 2 fix. That requires a Microcode update to cover it. Further info can be found here: https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

 

Also Windows does have Microcode patching support. Here's an example of a hotfix that includes a Microcode patch: https://support.microsoft.com/gl-es/help/2493989/microcode-update-for-intel-processors-in-windows-7-or-in-windows-serve

 

25 minutes ago, NumLock21 said:

Same with that recent Intel ME update. After updating the ME, I wanted to check whether that update was actually BIOS level or just on the OS, 'cause if it's on the OS that means every time I format my OS I have to reapply that ME update. After updating the ME, I did a clean install of Win10, ran the ME update check to see if it's still patched or not, and it says it's patched.

The ME update *MUST* be done in UEFI because the Intel Management Engine firmware is part of the UEFI and is heavily write protected once you boot since the ME is such a time bomb.

 

The Spectre Variant-2 fix is CPU Microcode. This is the firmware that the CPU uses to configure itself. Because the CPU itself has no non-volatile memory, it gets stored in the Motherboard UEFI so that it's always there and available.

 

With the Microcode updates you have two options. You can get an updated UEFI with the Microcode integrated. Then it's default, independent of the OS, and "always applies". Or you can patch in a newer Microcode from inside the OS, but because the CPU has only volatile memory, and the UEFI is read only, it's lost on reboot and must be reapplied (usually automatically at boot time) each time the OS is started.

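Added example (not posted by anyone in this thread): a small Python script that does the "is the microcode actually in effect?" check TetraSky asked about and Sniperfox47's two-options post explains, on both sides of a dual-boot box. It assumes (not stated in the thread) that Windows keeps the raw 64-bit IA32_BIOS_SIGN_ID MSR value as REG_BINARY under HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 in "Update Revision" and "Previous Update Revision" with the revision in the high dword, and that Linux reports per-core revisions in /proc/cpuinfo and the mitigation state in /sys/devices/system/cpu/vulnerabilities/spectre_v2. The registry bytes, cpuinfo text and sysfs line are constructed samples, so it runs offline; MINIMUM_REVISION is a placeholder, not a real vendor number.

```python
"""Check whether a CPU microcode update is actually in effect, on Windows
(registry values HWiNFO reads) and on Linux (/proc/cpuinfo plus sysfs).

Assumptions, not taken from the thread:
- Windows stores the raw 64-bit IA32_BIOS_SIGN_ID MSR value as REG_BINARY in
  HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 under
  "Update Revision" (what runs now) and "Previous Update Revision" (what the
  BIOS/UEFI loaded before the OS patched anything); revision = high dword, LE.
- Linux lists one "microcode : 0x.." line per core in /proc/cpuinfo and reports
  the mitigation state in /sys/devices/system/cpu/vulnerabilities/spectre_v2.
All inputs below are constructed samples, not captured from a real machine.
"""
import re
import struct


def decode_update_revision(blob: bytes) -> int:
    """Revision number from an 8-byte REG_BINARY value (assumed MSR layout: high dword)."""
    if len(blob) != 8:
        raise ValueError("expected the 8-byte REG_BINARY value, got %d bytes" % len(blob))
    _low, high = struct.unpack("<II", blob)
    return high


def windows_microcode_status(update_blob: bytes, previous_blob: bytes, minimum: int) -> dict:
    """Compare the running revision with the BIOS-loaded one and with the
    revision the vendor's guidance says carries the fix (minimum)."""
    current = decode_update_revision(update_blob)
    previous = decode_update_revision(previous_blob)
    return {
        "current": current,
        "previous": previous,
        # Different numbers: the OS (or a driver like the VMware one in the
        # thread) loaded microcode at boot, and it will have to do so every boot.
        # Equal numbers: you are running whatever the BIOS/UEFI shipped.
        "loaded_by_os": current != previous,
        "meets_minimum": current >= minimum,
    }


def linux_microcode_revisions(cpuinfo_text: str) -> set:
    """Every distinct microcode revision in /proc/cpuinfo; more than one means
    some cores were left on an older revision."""
    return {int(m, 16) for m in
            re.findall(r"^microcode\s*:\s*(0x[0-9A-Fa-f]+)", cpuinfo_text, re.M)}


def linux_spectre_v2_status(sysfs_text: str) -> dict:
    """Interpret the spectre_v2 sysfs line; the kernel prints 'Mitigation: ...'
    only when the kernel support and the microcode it needs are both present."""
    text = sysfs_text.strip()
    return {"raw": text,
            "mitigated": text.startswith("Mitigation:"),
            "vulnerable": text.startswith("Vulnerable")}


def linux_microcode_status(cpuinfo_text: str, sysfs_text: str, minimum: int) -> dict:
    revisions = linux_microcode_revisions(cpuinfo_text)
    spectre = linux_spectre_v2_status(sysfs_text)
    return {
        "revisions": sorted(revisions),
        "all_cores_consistent": len(revisions) == 1,
        "meets_minimum": bool(revisions) and min(revisions) >= minimum,
        "spectre_v2_mitigated": spectre["mitigated"],
    }


# ---- constructed samples (TetraSky's case: BIOS revision 4, OS-loaded 7) ----
WIN_UPDATE_REVISION = bytes.fromhex("00000000" "07000000")
WIN_PREVIOUS_REVISION = bytes.fromhex("00000000" "04000000")
MINIMUM_REVISION = 0x7  # placeholder; take the real value from the CPU vendor's guidance

SAMPLE_CPUINFO = (
    "processor\t: 0\nmodel name\t: constructed sample\nmicrocode\t: 0x7\n"
    "processor\t: 1\nmodel name\t: constructed sample\nmicrocode\t: 0x7\n"
)
SAMPLE_SPECTRE_V2 = "Mitigation: Full generic retpoline, IBPB, IBRS_FW\n"  # constructed


if __name__ == "__main__":
    print("windows:", windows_microcode_status(WIN_UPDATE_REVISION,
                                               WIN_PREVIOUS_REVISION, MINIMUM_REVISION))
    print("linux:  ", linux_microcode_status(SAMPLE_CPUINFO, SAMPLE_SPECTRE_V2,
                                             MINIMUM_REVISION))
```

On a real box you would feed decode_update_revision the bytes read from the registry (reg query or winreg) and the other two functions the contents of the files named above; "loaded_by_os" being true is exactly the "must be reapplied every boot" situation described in the post, and a second revision showing up in the Linux set is the thing to look for when a late-loaded update only reached some cores.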

23 minutes ago, Sniperfox47 said:

The Microcode update is for the Spectre Variant 2 fix. That requires a Microcode update to cover it. Further info can be found here: https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

 

Also Windows does have Microcode patching support. Here's an example of a hotfix that includes a Microcode patch: https://support.microsoft.com/gl-es/help/2493989/microcode-update-for-intel-processors-in-windows-7-or-in-windows-serve

 

The ME update *MUST* be done in UEFI because the Intel Management Engine firmware is part of the UEFI and is heavily write protected once you boot since the ME is such a time bomb.

 

The Spectre Variant-2 fix is CPU Microcode. This is the firmware that the CPU uses to configure itself. Because the CPU itself has no non-volatile memory, it gets stored in the Motherboard UEFI so that it's always there and available.

 

With the Microcode updates you have two options. You can get an updated UEFI with the Microcode integrated. Then it's default, independent of the OS, and "always applies". Or you can patch in a newer Microcode from inside the OS, but because the CPU has only volatile memory, and the UEFI is read only, it's lost on reboot and must be reapplied (usually automatically at boot time) each time the OS is started.

Don't know why, but the ME update varies from manufacturer to manufacturer. Some are actual BIOS updates, while others are just an ME driver update.

4 hours ago, AshleyAshes said:

You realise that you are literally trying to make an argument for 'Make security 'good enough' and then don't try any harder' right?  Like, you are now 'That Guy'.  Think about that.

It would help if security engineers didn't make things as difficult as possible from a programming and management perspective. Have you ever compared ASP .NET MVC's security framework against Java Spring or GoLang's? Microsoft actually makes security easy and intuitive from a webapp perspective (which is hilariously ironic).
