Slyguy

Level 43
Well, there are those that do argue that Windows 10 is a full on infection. :X3:
Another thing.. I just realized the true extent of the time/hassle/money savings Chromebook brings me.. Not only is the need to purchase any security software totally gone, but I can eliminate the extra work each time I refresh the systems and run all of the privacy tools, batch files and go through setting it all back up again. Even better. No more need for all of the 'stuff' I like to use such as Start10 and Fences.

Frankly, I begin to wonder if all of the theater surrounding Windows is serving to feed a beast, billions of dollars in security junk, extra tools and add-ons? Where will that industry go when their placebos are no longer needed? Research indicates ChromeOS is almost doubling it's growth each year and has 60% of the EDU market. My son says our entire school district converted to ChromeOS and reduced their IT and software purchase costs by half.
 
5

509322

Another thing.. I just realized the true extent of the time/hassle/money savings Chromebook brings me.. Not only is the need to purchase any security software totally gone, but I can eliminate the extra work each time I refresh the systems and run all of the privacy tools, batch files and go through setting it all back up again. Even better. No more need for all of the 'stuff' I like to use such as Start10 and Fences.

Frankly, I begin to wonder if all of the theater surrounding Windows is serving to feed a beast, billions of dollars in security junk, extra tools and add-ons? Where will that industry go when their placebos are no longer needed? Research indicates ChromeOS is almost doubling it's growth each year and has 60% of the EDU market. My son says our entire school district converted to ChromeOS and reduced their IT and software purchase costs by half.
It's just a matter of time before the trouble starts. The miscreants will be along shortly to start messing with your peace of mind on Chromebook. Once the threshold is crossed and they notice it. So enjoy it while the enjoyment can be had.

It's not like they never messed with it in the past. It was just that it was never lucrative for them at the time. Now it will become a financial target as Chrome OS becomes more widely adopted.

Chromebook is still off the radar. Within a few years probably not.
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
Just updated my Asus Transformer (2 GB + Z3750) - 11-12% performance loss and my wife's Yoga 520 (4 GB + 4415U) - 19-20% loss. Gues the people with powerfull CPU's suffer the most.
 
5

509322

Just updated my Asus Transformer (2 GB + Z3750) - 11-12% performance loss and my wife's Yoga 520 (4 GB + 4415U) - 19-20% loss. Gues the people with powerfull CPU's suffer the most.
Some are stating slowdowns while others show system benchmark increases after the patch. It is too early to establish patterns. Could be specific models, could be specific CPUs, could be per manufacturer, specific builds, etc.

I wouldn't be surprised if a lot of what was initially reported gets revised.
 

Slyguy

Level 43
Intel is funny.. They are FLOODING the press release, syndicate and news mirrors/feeds with 'new release' information today. Likely in attempt to push their Meltdown fiasco to the back page.

Intel is really something else...
 

LASER_oneXM

Level 35
Verified
i found a short summary of all facts:
source(pcgamer.com): What you need to know about the Meltdown and Spectre CPU exploits | PC Gamer


The impact could be more far-reaching than any previous exploit.

2018 is starting off to be a bad year for AMD, ARM, and Intel—mostly Intel. Researchers revealed earlier this week that all CPUs made in the last two decades are vulnerable to hardware-based exploits that aren’t easy to fix, especially without significant performance penalties. Initially, there was just one exploit, based on Intel’s CPU architecture and the ability to execute instructions in a speculative manner, that is, essentially out of order. This helps modern CPUs in significant ways, and is a fundamental part of CPU design.

Unfortunately, two primary attacks based on these fundamental CPU design principles have come to light, one significantly more serious than the other: Meltdown and Spectre. Here’s what you need to know about each.


What are Meltdown and Spectre?

Fundamentally, both exploits use somewhat similar core concepts. All modern processors use various features and techniques, including out-of-order execution (OOOE), branch prediction, and speculative execution to improve performance. However, all of these have the potential to execute code that shouldn't be allowed. The hardware guarantees that the final result will be correct, flushing any results from code that shouldn't have run. The problem is that there are side effects of the OOOE and speculative execution, where they can cause changes to the cache state, and then cache attacks can be used to try and pull 'secrets' (data from RAM) out of the cache.

Will Meltdown and Spectre impact my home PC?
Directly, both Meltdown and Spectre won’t really impact your PC any more than a random virus. There are thousands of viruses circulating at any given time, and if you already practice safe computing, you shouldn't be impacted by anything trying to leverage the Meltdown and Spectre vulnerabilities. If you get a virus on your home PC, it's already compromised, and Meltdown and Spectre don't really make the risk any worse.


The main concern revolves around the fix, which is reported to cause a significant slowdown in specific high I/O tasks. Games are generally more GPU bound than they are CPU bound and do not make many or any direct kernel calls at all, so even if the fix impacts you, the performance degradation will likely be small and unnoticeable. Initial benchmarks using Linux and Windows indicate very little change (less than three percent) in performance for common tasks, with data compression (eg, 7-zip) being one of the hardest hit. Gaming benchmarks saw no difference.

The greater risk is for anyone using cloud services. Meltdown as an example is able to read all memory contents on a system from a virtual machine (VM), without breaking any of the security protocols. But unless you’re running a server farm at home, with tenants that might try stealing data from other tenants, you should be fine.

Does Meltdown and Spectre affect gaming services?

Any company that fully controls its hardware should be relatively safe from attack. So if all of Steam's servers, as an example, are only running Steam VMs, there's little risk. The same goes for any other provider. The main concern is with services that rent or lease time on servers that may be running processes from other companies.
Which companies are at most risk from Meltdown and Spectre?

Any company providing or using cloud hosting services should be patched against these attacks as soon as possible. That includes large providers like Amazon AWS, Google Cloud Platform, Microsoft Azure, and many others. Any server that runs VMs from multiple users could have data leak from one VM to another, if it's not patched. This is particularly problematic for smaller hosting services that run sometimes hundreds of smaller websites via containers, and the fixes could be very costly for such providers.
What can I do?

The primary worry should be with websites and services that you use—how secure are they, and have they put measures into place to protect your data? The answer to those questions may not always be immediately available, unfortunately. For home PCs and laptops, you should update with the latest security patches to Windows, macOS, and Linux. For most of our readers, Windows is the primary OS, and patches are available for Windows 10, Windows 8.1, and Windows 7.


Windows 10 users should check for update KB4056892 and install it. However, official government advisors indicate that updating the operating system isn't enough, and that low-level firmware (BIOS and CPU microcode) is required.
Do Meltdown and Spectre affect AMD CPUs?
AMD claims that its CPU architecture is immune to the attacks, though this statement may have been made prematurely. Because exploits have different variants, current analyses only show that AMD CPUs are safe against the current version of Meltdown, which focuses primarily on Intel’s architecture. The Meltdown paper has the following statement:


"We also tried to reproduce the Meltdown bug on several ARM and AMD CPUs. However, we did not manage to successfully leak kernel memory with the attack described in Section 5, neither on ARM nor on AMD. The reasons for this can be manifold. First of all, our implementation might simply be too slow and a more optimized version might succeed.
Does having an anti-virus help protect me against Meltdown and Spectre?

Yes and no. Anti-virus vendors are updating their products to look out for viruses that utilize Meltdown and Spectre exploits. So if you have an anti-virus—Windows's built in Windows Defender counts—that is updated, you can feel a little easier knowing that your PC is safer, for now.


However, an anti-virus is just local protection. Meltdown and Spectre does the most damage to large scale company's that provide services that you might use every day: banks, streaming services, e-commerce, gaming, etc. If that sounds like everything to you, it is. Microsoft, Google, Amazon and others are rushing to implement fixes for Meltdown, but Spectre is going to take a bit more analysis.

The best thing to do right now is make sure Windows is updated. Google also stated that it would release a new version of Chrome on January 23 that blocks against Meltdown. Intel is working on patching its CPU lineup through microcode updates that you will probably see from your motherboard vendor.
 

LASER_oneXM

Level 35
Verified
source (washingtonpost.com): Huge security flaws revealed — and tech companies can barely keep up


The flaws, announced this week and dubbed Meltdown and Spectre, flow from designs that allowed computers to operate more quickly and efficiently. Though it’s not clear whether hackers have exploited these flaws, security experts say attacks would be relatively easy to develop and could allow the theft of private information such as passwords, credit card numbers, private corporate data and other information stored in computers or smartphones. Such attacks, the experts add, would likely not leave any trace that could be detected.
“This is the most significant security news we’ve had in the last 10 years,” said Avi Rubin, a computer science professor at Johns Hopkins University specializing in health-care security. “Some of the mitigations are going to be extremely expensive. I think this is the real deal.”


Though the patches issued in recent days and weeks should largely protect users against Meltdown — which exploits a flaw mainly in Intel microchips — companies have long struggled to successfully distribute such fixes to all of their users. The patches, meanwhile, are likely to cause computers, smartphones and other devices from Apple, Dell and other PC makers to operate more slowly, though it’s not clear whether the difference will be noticeable to users.


Experts consider Spectre — which affects AMD, Arm and Intel chips — more difficult for hackers to exploit but also harder to fix through software patches.


For both flaws, a total fix will require the redesign, production and distribution of new computer chips — a process that experts say is likely to take many years to complete.

Security experts said it was impossible to know whether hackers had used the two software flaws to steal data, though it’s possible given that rumors of the flaws had been circulating for several months within the security community.

“It gave lots of people time to do things with it,” said Jake Williams, president of Rendition InfoSec and a former National Security Agency employee. “I’m not worried about NSA. I’m worried about everybody else.”

Current and former U.S. officials also said the NSA did not know about or use Meltdown or Spectre to enable electronic surveillance on targets overseas. The agency often uses computer flaws to break into targeted machines, but it also has a mandate to warn companies about particularly dangerous or widespread flaws so that they can be fixed.
The bigger risk may be criminal hackers. Cybersecurity researcher Matt Tait said he first learned about Meltdown last week. With about a day of work, he was able to develop a functioning example of how the vulnerability could work. He said it’s impossible to know whether malicious hackers have deployed Meltdown because the flaw creates no record of the intrusion.

“The reality is we don’t know,” said Tait, a senior cybersecurity fellow at the Robert S. Strauss Center at the University of Texas at Austin. “Now that the vulnerability has been made public, we should expect this being exploited in the wild in the next few days.”

It’s common for researchers to withhold public disclosure of a security flaw until companies can create patches to protect users. But the delay for Meltdown and Spectre was unusually long because of the difficulty of trying to remedy hardware problems and the complexity of working across affected companies.

Of particular concern, however, are the risks to cloud servers, which often carry the information of multiple customers on a single machine, making them potentially vulnerable to attacks such as Meltdown.


Dozens of large companies have moved volumes of data from company-owned data centers into remote computers that are owned and managed by Amazon.com, Microsoft, Google and other technology companies. Amazon is the largest player in the cloud computing industry. (Amazon’s owner, Jeffrey P. Bezos, owns The Washington Post.)


In the last year alone, Costco, Hulu, General Electric, Kohl’s and PayPal are among the companies that have signed on with major cloud providers. Google chief executive Sundar Pichai has said growing his company’s cloud computing service is among his top priorities.


While companies, particularly banks and health-care institutions, have long expressed concern about letting other companies house their most sensitive data, many have warmed to the idea. Some have said that technology companies are actually better equipped to make major investments in security and in enhancing the performance of data-processing software, but news of major security flaws threatens to make companies reconsider.


Experts say that for ordinary computer and smartphone users, the main priority should be keeping their software updated.


Buying new computers without the hardware flaw is impractical and expensive, even for deep-pocketed companies and government agencies.

“The costs alone are insane,” said Tony Cole, vice president and global government chief technology officer at FireEye. He estimated that a global overhaul would amount to trillions of dollars in new expenses. “It would be mind-boggling if everyone tried.”
 

Vasudev

Level 30
Verified
I tested this 'Intel Fails Patch' on two machines, one is a spare gaming rig, the other is a Zotac Mini-PC with an Intel CPU.

Ryzen 5 1500X Light Gaming Rig
Before patch:
CPU - 998 (Ryzen 5 1500X)
GPU - 883 (1070 GTX FTW)
After patch:
CPU - 918
GPU - 818

That's a full 8% loss in performance. That's significant, virtually the difference between a full CPU upgrade.

Next machine is a Zotac Mini-PC with an Intel N3150 CPU.
Before patch:
CPU - 188
GPU - 107
After patch:
CPU - 188
GPU - 107

So clearly, this patch did nothing to impact the N3150, but had an impact on my Ryzen.. So whats up with that?
What are those random numbers? Are they scores from Cinebench or Geekbench?
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
Some are stating slowdowns while others show system benchmark increases after the patch. It is too early to establish patterns. Could be specific models, could be specific CPUs, could be per manufacturer, specific builds, etc.

I wouldn't be surprised if a lot of what was initially reported gets revised.
35% sounds spectecular and when you put "according to specialist up to 35%" you are not even lying as a journalist, so I think you have a point.
 

Gandalf_The_Grey

Level 24
Verified
Unfortunately it's no fud, Have this problem with the old Dell AMD powered desktop my parents still use.
From Neowin:
Microsoft is temporarily pausing Windows updates to AMD processors impacted by the issue.
Microsoft has stated that it is working directly with AMD to resolve the issue, and that it will be resuming Windows security updates "as soon as possible".
Here's why some AMD systems are failing to boot after installing Microsoft's patches
 
Last edited:

LASER_oneXM

Level 35
Verified
source (bleepingcomputer.com):Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key

Microsoft has added a new and very important detail on the support page describing incompatibilities between antivirus (AV) products and the recent Windows Meltdown and Spectre patches.

According to an update added this week, Microsoft says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches.

The way antivirus programs become compatible is by updating their product and then adding a special registry key to the Windows Registry.

The presence of this registry key tells the Windows OS the AV product is compatible and will trigger the Windows Update that installs the Meltdown and Spectre patches that address critical flaws in the design of modern CPUs.

Registry key dictates if users are eligible for future updates
According to Microsoft's latest policy changes, this registry key has now become a permanent check of the Windows Update process and will prevent all further updates, not just the Meltdown and Spectre patches.

The Redmond-based OS maker has asked antivirus companies to create this registry key because it detected during testing that some AV products caused Windows computers to enter a Blue Screen of Death (BSOD) error state that prevented subsequent boot-ups.
Registry key might cause issues down the line
Beaumont has been keeping track of antivirus products that create the registry key, AV products that ask users to create the registry key manually, and antivirus software that has not yet received updates and is currently incompatible with the Windows Meltdown and Spectre patches.

It's Bleeping Computer's belief that a large part of the Windows userbase is probably not affected by this "registry key requirement."

But if in the following months users should notice that their Windows computer is not receiving any security updates, the first place they need to look at is their antivirus.

They should also take a look over Beaumont's list and make sure their current antivirus is compatible with the Meltdown and Spectre patches to be safe.

Users should give their AV a little bit more time
By stopping all Windows security updates until antivirus products or users set the registry key, Microsoft is basically saying two things: (1) users either choose to stop receiving Windows security updates and stay with their current antivirus or (2) they ditch their current incompatible antivirus for one that supports the crucial fixes for Meltdown and Spectre.

Users shouldn't hurry to drop their current antivirus just yet. In statements last week, Microsoft said that antivirus companies might take a while before releasing updates and advised users to have patience. The updates are very complex and not your typical one-line source code fixes.