Troubleshoot Should I Invest on new Cpu or Laptop??

Deleted member 65228

So can it be done? Yes. But there are a whole lot of big IFs in the way before a bad guy could actually get any usable data. Plus it is important to point out there is no evidence anywhere this flaw has ever been exploited.
These flaws have been exploited. Project Zero from the Google team have developed proof-of-concepts, among other researchers who were responsible for identifying the problems and replicating them after the news broke out. There is even alleged PoC source code soon to be released. The likelihood is that the vulnerabilities have indeed been exploited by someone out there, not in general in-the-wild malware, but in a targeted attack which is likely to be unknown.

Despite the recent news and who discovered what, a Polish researcher who also once developed a rootkit via the hypervisor technology (built into CPUs for many years - Intel/AMD have their own implementations) was investigating speculative referencing as early as 2010. I do not know if she got anywhere with real exploitation, but she did find some things out at the time. I doubt she was too far off from succeeding with a PoC attack if she hadn't given up on it, and if I recall, she did forward her findings to vendors but didn't release a paper because there were no known attacks in the wild using attacks on such features.

If a researcher can exploit them, so can a criminal who's good enough. And the real criminals out there who aren't being caught or are unheard of, those are the ones who'd be capable of exploiting such vulnerabilities. Properly executed targeted attacks where there is real interest going on. But of course there's a fine line between criminals like this, and the ones developing standard malware going into the wild and aimed at usual businesses/home users.
 
Deleted member 65228

Does sandboxing the browser solve the problem?
Google have a Site Isolation feature which is experimental under Chrome and Microsoft have released patches for Microsoft Edge, likely the same story for other mainstream browsers. It should enhance protection against recent vulnerabilities like Meltdown. None of these software-based mitigations will make the attack vector for Meltdown disappear but it's a good start. As for Spectre, software developers are updating their products to make it trickier to deploy Spectre exploitation with them (e.g. design of the software internally, internal security enhancements like blocking of code execution which is arbitrary, updates to how checks are made, etc.).
 

Digerati

Level 7
Verified
Mar 2, 2017
318
I've not said that the vulnerability is due to Windows, you're putting words into my mouth; the vulnerability is present in the hardware. I merely said that the original poster should use a Chromebook with ChromeOS unless they really need to use Windows, because Windows is a lot less safe in terms of available attack vectors.
Oh, so this is just another biased opportunistic bash at Microsoft. I get it. :(

FTR, Windows is safe if (1) the user keeps it current, (2) the user uses an able anti-malware solution and keeps it current, and (3) the user is not click-happy on unsolicited links, popups, downloads, and attachments.

These flaws have been exploited. Project Zero from the Google team have developed proof-of-concepts, among other researchers who were responsible for identifying the problems and replicating them after the news broke out.
:( That's not exploitation. That's just proving (in a laboratory setting) the flaw exists. Exploitation is where a bad guy has hacked into an on-line system and exploited the flaw.

Please, stop spreading FUD.
 

Slyguy

Level 44
Jan 27, 2017
3,322
It is bad for those servers affected, but it is not nearly as widespread as first reported. To exploit this bug, the server needs to be running VM (virtual machines)

That is incorrect and therefore not sound advice. The problem is NOT with Windows. It is with the hardware and Chromebooks still contain Intel devices. But, AMD processors are affected too! See The Inquirer: Intel, ARM and AMD all affected by security-bypassing, kernel-bothering CPU bugs and The Hacker News: Meltdown and Spectre CPU Flaws Affect Intel, ARM, AMD Processors. While the initial strain of Meltdown only affected certain Intel processors other variants of the same problem affect AMD as well.

First, in the enterprise/corporate world a server is a server, whether it is a VM or a physical server, it's a server. The vast majority of the enterprise/corporate world runs on VMs (servers) so we really do not differentiate between physical hardware servers and virtual ones, we simply refer to them as 'servers'. Those VMs for all intents and purposes - are servers - they're running 2008R2, 2012, whatever and are licensed like servers and performing roles. It is very rare for a company to buy a physical server and just run a few roles on that physical server itself, it is very common to run multiple VMs with isolated roles - that's best practice. So yes, it is as widespread as people are making it out to be because in the enterprise/corporate world most things function on servers (VMs if you like to call them that). It's not uncommon to have a 150-250 worker company operating on 15+ VMs (servers) on say 4 physical servers. (but we call them servers...)

If you know how these resources are allocated then you know roles are measured out based on specific parameters. You also know that resources are finite and often tightly constrained. (more often than not) So you know even a 5% impact can have significant repercussions when you are running a physical server with 4 VMs (servers) on it. All 5 of those have to be patched, then you amortize that slowdown over 5 layered systems and the impact becomes rather pronounced. In terms of security since 'servers are servers', containment is lost between servers. That's a HUGE problem.

As for Chromebooks I think the inference wasn't that a Chromebook would fix Intel issues. Many Chromebooks come with Intel chips, many do not and many argue they are better without Intel.. But the reality is the nature of ChromeOS is vastly more secure and less chatty than Windows can ever be and Google is spot-on for finding and patching before things become a problem. In fact it is BETTER to not have an Intel Chromebook IMO.. I just purchased a case of them for the home on the refresh that was pushed up a few months because of this intel fiasco and I elected to not buy Intel Chromebooks. Primarily because other chipsets have clear advantages running Googleplay Apps which are now native to ChromeOS, Intel has lackluster Android App functionality. Also the N series is less than thrilling for Intel. So you have many choices, a variety of ARM Heterogeneous chips, Rockchip, etc.. Chromebook fixes a lot of things, not just the security of your device. After all, if you have any doubt just Powerwash your CB. In fact, why not Powerwash your CB every weekend just to be safe? It's just a couple of hotkeys and you are back to baseline and ready to go. Windows pretty much sucks unless you game or have special programs that require it.

No, Windows is not safe. I guess it 'could' in theory be made safe if you totally break it. Maybe. I doubt it and in some cases have proved the difficulty of securing Windows, even behind thousands of dollars in advanced security and APT appliances.. Sorry.
 

Digerati

Level 7
Verified
Mar 2, 2017
318
No, Windows is not safe.
No OS is 100% safe 100% of the time.

But to suggest Windows is not safe is just more FUD. If Windows was as unsafe as now you also apparently want us to believe, virtually all of the 1.5 billion Windows users in the world today, including the 500+ million Windows 10 users would all be infected. And that is just not the case.
 

Slyguy

Level 44
Jan 27, 2017
3,322
No OS is 100% safe 100% of the time.

But to suggest Windows is not safe is just more FUD. If Windows was as unsafe as now you also apparently want us to believe, virtually all of the 1.5 billion Windows users in the world today, including the 500+ million Windows 10 users would all be infected. And that is just not the case.

Times are changing. Security protocols today are quickly proving to be inadequate. I'm not referring just to the security theater of Windows Security Products, but the whole field in general. It's evolved faster than anyone can keep up and the threats are varied and more extensive. The leak of state sponsored malware repositories doesn't help. Meltdown and Spectre don't help. But what is being made ever more clear by the day is the fallacy of security in a Windows environment.

Sure, I can put Windows boxes with AD controlled Standard User Accounts on a network of vlans. Toss a name brand endpoint antivirus on them. Enforce security policies across the board with gp pushes. Toss a Fortigate 200E on the gateway, drop a FortiSandbox APT on the network and enforce security fabric compliance and vulnerability scans and be 'fairly' secure. But as time goes on, this isn't proving to be the panacea everyone thought as more and more slips through what amounts to an inherently insecure OS by design.

Let's not neglect the elephant in the room with Windows.. All of those third party apps, security products, cleanup tools, uninstallers, browsers, text viewers and other crap. ALL of that increases the threat surface. Even something as benign as CCleaner can broaden your risk as history seems to have shown. That's where ChromeOS comes in, you can dispense with all of that crap - in fact installing all of that useless crap isn't an option and doesn't fulfill any purpose even if you could. Which itself not only lowers the threat surface dramatically, it closes off almost all of the remaining attack vectors. No OS is safe 100% of the time but Windows isn't safe even 50% of the time.
 
Deleted member 65228

Oh, so this is just another biased opportunistic bash at Microsoft. I get it. :(
:love::love::love:

No, this isn't an 'opportunistic bash at Microsoft'. I happen to be a fan of Microsoft's work, but that doesn't mean I agree it is more secure than alternatives which I choose not to use for various reasons. Unless the original poster truly needs to use Windows, then I will advise them to use a Chromebook for their own good. So you really don't get it.

FTR, Windows is safe if (1) the user keeps it current, (2) the user uses an able anti-malware solution and keeps it current, and (3) the user is not click-happy on unsolicited links, popups, downloads, and attachments.
:love::love::love:

As I said, you really don't get it. We'll go back to the previous post and hopefully this time you'll 'get it' as you like to say.

a Chromebook will provide less attack vectors generally speaking

Read the above quote. It's a small quote so you shouldn't have a problem reading it, but I can break it down into bullet points for you if that's better.

1. Due to how Chromebooks are designed, there is less for an attacker to potentially exploit.
2. Due to how Chromebooks are designed, there is less for an attacker to potentially exploit.
3. Due to how Chromebooks are designed, there is less for an attacker to potentially exploit.

There are three very nice points. How does this sorcery work? Well when you install software on your system, more vulnerabilities are introduced. No software is vulnerability-proof, it's only a matter of time before they are found - new vulnerabilities are being found on a daily basis and thankfully there is an extremely large community of security researchers who put time and effort into finding them early-on, typically in exchange for a nice reward bonus with bug bounty which motivates people a bit more usually. Now, when you take a system and you cut off a large majority of what is available, you also cut off all the vulnerabilities that the content which originally existed brought to the table.

When we look at a Chromebook, it is designed to be used for different purposes than a typical machine running an operating system like Windows. You don't go onto the internet and download executable content - you install applications from Google Play which is still not completely safe but this is also optional. The typical standard drive-by-download attacks which occur in the wild? Less vulnerable for a Chromebook due to how they work and how they are used. If all you need to do is some web-browsing, online chats, accessing banking accounts, then a Chromebook is perfectly fine because you cut off a shed load of attack vectors and also operate on a machine which is more secure even in a situation where you make a stupid mistake. Before you put words in my mouth, I'm not saying that a Chromebook is invincible to attackers - this is simply not true and there are still attack vectors like malicious Android applications on the Google Play Store which can be used on a Chromebook, malicious browser extensions for Google Chrome which can infiltrate on user data among many others - however you're not going to be affected by many things which you can however be affected by on a traditional Windows machine, which also tend to be quite common.

I don't use a Chromebook, it won't work for me very well because I will hardly use it due to what I need to do on my system. Just because I'm a Windows user doesn't mean I have to agree that Microsoft do the best job with security, and due to the work I do, I know for a fact that Windows is not as secure as a Chromebook when you take into account the reduced attack vectors. Reduced attack vectors or not, an individual can be attacked through any of the attack vectors which are present and thus reduced attack vectors compared to an alternative doesn't guarantee invincibility, but reduced attack vectors does make the environment safer from a technical point of view. When you patch a vulnerability, you're closing an attack vector; when you're using a machine which has reduced attack vectors, there is a decreased chance that an attacker may be able to exploit the system, because the attack vector being targeted may not be present. In terms of a Chromebook, the difference in attack vector is huge.

That's not exploitation. That's just proving (in a laboratory setting) the flaw exists. Exploitation is where a bad guy has hacked into an on-line system and exploited the flaw.
Exploitation is when you abuse a weakness, it doesn't have to be by an attacker with malicious intent in a real-life scenario. When someone discovers a flaw in an implementation of a product and exploits it for experimental purposes, that is exploitation of the found vulnerability.

A good person could exploit a shop-keeper's mind to get away with a free Apple and bottle of water so they can drop it off to a homeless guy who is living on the street in the cold with lack of food and water. Whether this individual is considered "good" or "bad" is down to you, but regardless of your opinion on how he is, he'd still be exploiting. It doesn't matter if he's a "good" or "bad" person. Exploitation is exploitation.

Whether it is by an attacker to gain additional leverage to do something they shouldn't have been able to do before (e.g. privilege escalation)/ease execution of an operation which is a bit more evasive than the originally supported method of doing something/other examples I am sure you will think of, or under a laboratory environment for proof-of-concept demonstration purposes to help the vendor/improve your own skill-set is another story.

If I am helping a friend out who has been infected with ransomware, and I discover a vulnerability which allows me to access the decryption key (e.g. RSA-2048 private key) because the sample's process is yet to terminate and instead it's aimlessly still running despite its operation having been completed, and forgot to free the buffer in-memory within its address space which is where the private key is present, and I then exploit this vulnerability (exploitation is using a flaw as an advantage - a vulnerability is a flaw - and in this scenario I would be abusing this weakness within the ransomware sample) to retrieve the decryption key and recover the contents of the critical and personal affected files on my friend's system, are you seriously telling me this is not valid exploitation of a vulnerability because I would not be the "bad guy"?

:love:
 

Vasudev

Level 32
Verified
Nov 8, 2014
2,109
Thank you for all your replies. Actually, I forgot to mention one thing: I have a Core 2 Duo processor laptop and I am thinking of upgrading it because it is pretty old and has a performance drop, but after seeing this I stepped back, so will I wait for a year??
Wait for a couple of months and see how these issues play out. Then spend the money wisely. Anyway, new CPUs from the Blue and Red teams will be out in a few months; check reviews and afterwards buy them. Most review sites will put emphasis on these exploits on new CPUs.
 

Spawn

Administrator
Verified
Staff member
Jan 8, 2011
21,053
So as we have all come to know about the biggest flaws, Spectre and Meltdown, on Intel processors, is it a good time to buy a latest-gen processor or a laptop with the latest 8th gen processor in it? Share your thoughts.
Even if you don't buy Intel, some unreleased CPUs / SoCs are also affected.

By the time Intel launched its 8th generation Core "Coffee Lake" desktop processor family (September 25, 2017, with October 5 availability), the company was fully aware that the product it is releasing was vulnerable to the three vulnerabilities plaguing its processors today, the two more publicized of which, are "Spectre" and "Meltdown." Google Project Zero teams published their findings on three key vulnerabilities, Spectre (CVE-2017-5753 and CVE-2017-5715); and Meltdown (CVE-2017-5754) in mid-2017, shared with hardware manufacturers under embargo; well before Intel launched "Coffee Lake." Their findings were made public on January 3, 2018.
Source: Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown
 

Digerati

Level 7
Verified
Mar 2, 2017
318
Times are changing. Security protocols today are quickly proving to be inadequate
Oh? Then how is it the number of infected systems continues to decrease? How is it the amount of malware in the wild keeps going down?

There certainly are very serious problems out there but who are the primary targets? It is no longer the general consumers but rather corporations and organizational networks - where, ironically, professional IT security folks are on staff.
Exploitation is when you abuse a weakness, it doesn't have to be by an attacker with malicious intent in a real-life scenario. When someone discovers a flaw in an implementation of a product and exploits it for experimental purposes, that is exploitation of the found vulnerability.
Fine, if that is how you want to define it, go ahead. The fact remains, and the intent of my point, which you know very well, is there is no evidence this CPU flaw has been exploited by bad guys on systems that have been deployed out in the real world.

The rest of your tag-team arguments are indeed just opportunistic Microsoft bashing (despite your denials). This thread is about SUPRA's concern over the CPU flaws. These flaws are in Intel, AMD and ARM processors (not Windows!!!!) but you two have decided to go way OT on a Microsoft bashing rampage. That's sad.
 

Slyguy

Level 44
Jan 27, 2017
3,322
There certainly are very serious problems out there but who are the primary targets? It is no longer the general consumers but rather corporations and organizational networks - where, ironically, professional IT security folks are on staff.

The rest of your tag-team arguments are indeed just opportunistic Microsoft bashing (despite your denials). This thread is about SUPRA's concern over the CPU flaws. These flaws are in Intel, AMD and ARM processors (not Windows!!!!) but you two have decided to go way OT on a Microsoft bashing rampage. That's sad.

Corporation/Enterprise targets can be ancillary to consumers. In large part, that's the point of an attack against a corporation is to leverage their IP and that IP is usually filled with consumer/client assets. However what we often see are consumers becoming collateral damage to corporate attacks. Also we're seeing this becoming a huge issue with BYOD where consumers are bringing targeted threats into a corporate ecosystem allowing a compromise. It's a complex issue that impacts everyone.

The complexities of the threats, the varied/blended vectors and overall lack of security concerns by certain vendors, recklessness of our Intel organizations, are all collecting into a perfect storm. Windows is ill-prepared for the modern threat landscape and it's becoming woefully evident with each passing day. Windows is still an acceptable OS, I use it for gaming but let's not for a minute think it's secure and safe in any form by educating a user on what not to run and installing a basic AV. That's delusional speak. These aren't the old days bro where you can install Spybot Tea Timer and be a hero.

ChromeOS perfect? No. Secure? Very. The worst you are going to get on it is an Android App that causes annoyance or a bad extension in chrome. Nothing Ctrl + Shift + Alt + R won't fix in 20-25 seconds (Powerwash). There is a reason the EDU market is now 60% ChromeOS and will likely be virtually the entire EDU market in 5 years or less. Do yourself a favor - if Aunt Sue needs a laptop toss her a Chromebook and show her how to use it.
 

Digerati

Level 7
Verified
Mar 2, 2017
318
but let's not for a minute think it's secure and safe in any form by educating a user on what not to run and installing a basic AV. That's delusional speak. These aren't the old days bro where you can install Spybot Tea Timer and be a hero.
Now that's just silly. Is Tea Timer even around? No one here said that would be adequate. Who's being delusional now?

If what you claim were remotely true, where are the 100s of millions of Windows users that must be infected today? It is you who are delusional if you think Windows and specifically Windows 10 is as unsafe as you make it out to be. And sadly, it is you doing a disservice by spreading this FUD.

If people left Windows alone and let it run with its default settings instead of dinking with settings they have no clue about, and if they weren't click happy on unsolicited links, odds are greatly in their favor that they can run for years and years unscathed by bad guys.

Of course, you'll deny that because that's what you do. But this thread is not about bashing Windows, despite your continuing effort to make it so.

I'm done here. Good day.
 

RoboMan

Level 32
Verified
Content Creator
Jun 24, 2016
2,195
I certainly find it useless to do this. Security companies have already started to release updates to help Microsoft patch the vulnerabilities and allow them to successfully patch without issues. Sooner or later, antivirus vendors will help the matter with new updates and/or modules. Just have Windows Update set on automatic and protect yourself with useful software. :)
 

DeepWeb

Level 25
Verified
Jul 1, 2017
1,418
Not because of that, but if your computer is old, I would consider an upgrade by the end of this year or next year. AMD announced they might be able to produce 7nm CPUs for regular consumers by the end of this year. This is a big deal. It should use far less power and might finally put AMD ahead of Intel, even if only for a short time.
 

Slyguy

Level 44
Jan 27, 2017
3,322
Not because of that, but if your computer is old, I would consider an upgrade by the end of this year or next year. AMD announced they might be able to produce 7nm CPUs for regular consumers by the end of this year. This is a big deal. It should use far less power and might finally put AMD ahead of Intel, even if only for a short time.

Agreed. If your regular update cycle is due, make the change. For me, I cycle out all gear after 3-4 years. That includes smart phones, tablets, laptops and desktops. So I was just past the 3 year marker when all of this came down so that was an added catalyst to all of it. For most people, just go with the flow..
 

Slyguy

Level 44
Jan 27, 2017
3,322
If people left Windows alone and let it run with its default settings instead of dinking with settings they have no clue about, and if they weren't click happy on unsolicited links, odds are greatly in their favor that they can run for years and years unscathed by bad guys.

I thought this was funny. I grabbed this machine from one of my techs today. (I work at a larger managed IT services firm - MSP) UTM Firewall on the network, paid, well rated AV on the desktops. Domain environment with restricts, AD, Radius, managed updates/patching, updated firmware, no Java or other junk installed.. Simple average joe that uses the computer daily for general browsing, quickbooks, etc. Chrome with uBlock as the browser. Nothing else. "odds are greatly in their favor they they can run for years and years unscathed by badguys".. Nope.

Would you look at that? Would you! That's after EEK, Zemana and ADW Cleaner have already been executed and allowed to perform removals.

Capture.png
 

jetman

Level 8
Verified
Jun 6, 2017
398
Personally, I don't think it's a very good time to buy a new PC.

1. If you wait for the next generation of Intel/AMD chips they should be protected against Spectre and meltdown without the need for patches which might slow down their performance.
2. Hopefully the cost of SSDs will start to fall. At the moment many new PCs seem to have a mix of HDDs and lower capacity SSDs. This is obviously a transitional period and soon all computers will come with SSDs.
 

Faybert

Level 23
Verified
Malware Tester
Jan 8, 2017
1,249
Personally, I don't think it's a very good time to buy a new PC.

1. If you wait for the next generation of Intel/AMD chips they should be protected against Spectre and meltdown without the need for patches which might slow down their performance.
2. Hopefully the cost of SSDs will start to fall. At the moment many new PCs seem to have a mix of HDDs and lower capacity SSDs. This is obviously a transitional period and soon all computers will come with SSDs.
I agree, I had plans to buy a new machine later this month, but after all this, I'll wait for the right moment, now is not the time.
 

Slyguy

Level 44
Jan 27, 2017
3,322
Personally, I don't think it's a very good time to buy a new PC.

1. If you wait for the next generation of Intel/AMD chips they should be protected against Spectre and meltdown without the need for patches which might slow down their performance.
2. Hopefully the cost of SSDs will start to fall. At the moment many new PCs seem to have a mix of HDDs and lower capacity SSDs. This is obviously a transitional period and soon all computers will come with SSDs.

Or HDD/SSD hybrids are used by some better manufacturers, low end PC makers are still using HDDs..

NVMe/M.2 is how all new performance systems are built. It's sort of accepted when you build or order a decent rig you have an M.2 drive in it due to the low prices of them. I doubt Intel can re-engineer that quick, it likely won't be until the i10 line before all of this is fixed. Ryzens seem like the way to go now, for Chromebooks, Rockchip or Microtek Heteros are not vulnerable and the way to go.

So if you have a potato being made into a super potato by the Meltdown/Spectre, it's not a bad time to buy if you go with those options - especially with non-Intel folks looking to exploit this with sales and price reductions. But I wouldn't be buying an Intel for a while (if at all).
 