Language Selection

English French German Italian Portuguese Spanish

Hardware Security Fiasco: The Latest

Filed under
Hardware
Security
  • Windows 10 Cumulative Update KB4056892 (Meltdown & Spectre Fix) Fails to Install

    Microsoft rolled out Windows 10 cumulative update KB4056892 yesterday as an emergency patch for systems running the Fall Creators Update in an attempt to fix the Meltdown and Spectre bugs affecting Intel, AMD, and ARM processors manufactured in the last two decades.

    But as it turns out, instead of fixing the two security vulnerabilities on some computers, the cumulative update actually breaks them down, with several users complaining that their systems were rendered useless after attempting to install KB4056892.

    Our readers pointed me to three different Microsoft Community threads (1, 2, 3) where users reported cumulative update KB4056892 issues, and in every case the problem appears to be exactly the same: AMD systems end up with a boot error before trying a rollback and failing with error 0x800f0845.

  • Linus Torvalds says Intel needs to admit it has issues with CPUs

    Linux creator Linus Torvalds has had some harsh words for Intel in the course of a discussion about patches for two [sic] bugs that were found to affect most of the company's processors.

  • We translated Intel's crap attempt to spin its way out of CPU security bug PR nightmare

    In the wake of The Register's report on Tuesday about the vulnerabilities affecting Intel chips, Chipzilla on Wednesday issued a press release to address the problems disclosed by Google's security researchers that afternoon.

    To help put Intel's claims into context, we've annotated the text. Bold is Intel's spin.

  • When F00F bug hit 20 years ago, Intel reacted the same way

    A little more than 20 years ago, Intel faced a problem with its processors, though it was not as big an issue as compared to the speculative execution bugs that were revealed this week.

  • Meltdown, Spectre and the Future of Secure Hardware

    Meltdown and Spectre are two different—but equally nasty—exploits in hardware. They are local, read-only exploits not known to corrupt, delete, nor modify data. For local single user laptops, such as Librem laptops, this is not as large of a threat as on shared servers—where a user on one virtual machine could access another user’s data on a separate virtual machine.

    As we have stated numerous times, security is a game of depth. To exploit any given layer, you go to a lower layer and you have access to everything higher in the stack.

  • KPTI — the new kernel feature to mitigate “meltdown”
  • Astounding coincidence: Intel's CEO liquidated all the stock he was legally permitted to sell after learning of catastrophic processor flaws
  • Intel CEO sold all the stock he could after Intel learned of security bug

     

    While an Intel spokesperson told CBS Marketwatch reporter Jeremy Owens that the trades were "unrelated" to the security revelations, and Intel financial filings showed that the stock sales were previously scheduled, Krzanich scheduled those sales on October 30. That's a full five months after researchers informed Intel of the vulnerabilities. And Intel has offered no further explanation of why Krzanich abruptly sold off all the stock he was permitted to.

CentOS Linux Receives

  • CentOS Linux Receives Security Updates Against Meltdown and Spectre Exploits

    Free Red Hat clone CentOS Linux has received an important kernel security update that patches the Meltdown and Spectre exploits affecting billions of devices powered by modern processors.

  • Ubuntu will fix Meltdown and Spectre by January 9th

    Ubuntu, perhaps the most popular Linux distribution, on the desktop, which has multitudes of other distributions depending on it to send out security updates, has announced that it will update the kernels of all supported releases in order to mitigate the newly publicly disclosed Meltdown and Spectre vulnerabilities, by January 9th.

  • Check This List to See If You’re Still Vulnerable to Meltdown and Spectre [Updated]

    Security researchers revealed disastrous flaws in processors manufactured by Intel and other companies this week. The vulnerabilities, which were discovered by Google’s Project Zero and nicknamed Meltdown and Spectre, can cause data to leak from kernel memory—which is really not ideal since the kernel is central to operating systems and handles a bunch of sensitive processes.

    Intel says that it’s working to update all of the processors it has introduced in the last few years. “By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years,” the company said in a statement today.

  • Meltdown and Spectre CPU Flaws Expose Modern Systems to Risk

    After a rollercoaster day of speculation on Jan. 3 about a severe Intel chip flaw, Google's Project Zero research team revealed later that same day details about the CPU vulnerabilities.

    The CPU flaws have been branded as Meltdown and Spectre and have widespread impact across different silicon, operating system, browser and cloud vendors. The Meltdown flaw, identified as CVE-2017-5754, affects Intel CPUs. Spectre, known as CVE-2017-5753 and CVE-2017-5715, impacts all modern processors, including ones from Intel, Advanced Micro Devices and ARM.

  • Major Intel Kernel flaw may impact performance across Linux, Windows and Mac OS

    New reports have surfaced suggesting that there might be a major security flaw with Intel processors launched in the last decade. The harsh part is that patching the issue might slow down the performance of the CPU by up to 30 percent. Intel hasn't put out an official statement yet, but Linux Kernel patches are being pushed out to all users.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Linux 4.17-rc7

So this week wasn't as calm as the previous weeks have been, but despite that I suspect this is the last rc. This week we had the whole "spectre v4" thing, and yes, the fallout from that shows up as part of the patch and commit log. But it's not actually dominant: the patch is pretty evenly one third arch updates, one third networking updates, and one third "rest". The arch updates are largely - although not exclusively - spectre v4. The networking stuff is mostly network drivers, but there's some core networking too. And "the rest" is just that - misc drivers (rdma, gpu, other), documentation, some vfs, vm, bpf, tooling.. The bulk of it is really pretty trivial one-liners, and nothing looks particularly scary. Let's see how next week looks, but if nothing really happens I suspect we can make do without an rc8. Shortlog appended as usual. Go out and test. Read more

Today in Techrights

Libre Hardware

  • Flash your Libre Firmware with a Libre Programmer
    Whether or not you personally agree with all the ideals of the Free Software Foundation (FSF), you’ve got to give them credit: they don’t mess around. They started by laying the groundwork for a free and open source operating system, then once that dream was realized, started pushing the idea of replacing proprietary BIOS firmware with an open alternative such as Libreboot. But apparently, even that’s not enough, as there’s still more freedom to be had. We’re playing 4D Libre Chess now, folks. [...] Luckily, the FSF has just awarded the Zerocat Chipflasher their “Respects Your Freedom” certification, meaning every element of the product is released under a free license for your hacking enjoyment.
  • Coreboot Picks Up Support For Another Eight Year Old Intel Motherboard
    If by chance you happen to have an Intel DG41WV motherboard, it's now supported by mainline Coreboot so you can free the system down to the BIOS. The DG41WV motherboard comes from the LGA-775 days with an Intel G41 Eaglelake chipset back when DDR3-1066 was great, motherboards topped out with 4GB of RAM, four USB 2.0 ports were suitable, and motherboard PCBs were much less fashionable. The DG41WV was a micro-ATX board and a decent choice for the times to pair with a CPU like the Core 2 Duo or Core 2 Quad.

Events: KubeCon, openSUSE Conference 2018 and Hacker Summer Camp 2018

  • Diversity, education, privilege and ethics in technology
    And that is the ultimate fraud: to make the world believe we are harmless little boys, so repressed that we can't communicate properly. We're so sorry we're awkward, it's because we're all somewhat on the autism spectrum. Isn't that, after all, a convenient affliction for people that would not dare to confront the oppression they are creating? It's too easy to hide behind such a real and serious condition that does affect people in our community, but also truly autistic people that simply cannot make it in the fast-moving world the magical rain man is creating. But the real con is hacking power and political control away from traditional institutions, seen as too slow-moving to really accomplish the "change" that is "needed". We are creating an inextricable technocracy that no one will understand, not even us "experts". Instead of serving the people, the machine is at the mercy of markets and powerful oligarchs. A recurring pattern at Kubernetes conferences is the KubeCon chant where Kelsey Hightower reluctantly engages the crowd in a pep chant: When I say 'Kube!', you say 'Con!' 'Kube!' 'Con!' 'Kube!' 'Con!' 'Kube!' 'Con!' Cube Con indeed... I wish I had some wise parting thoughts of where to go from here or how to change this. The tide seems so strong that all I can do is observe and tell stories. My hope is that the people that need to hear this will take it the right way, but I somehow doubt it. With chance, it might just become irrelevant and everything will fix itself, but somehow I fear things will get worse before they get better.
  • openSUSE Conference 2018
    This year openSUSE conference was held in Prague and, thanks to both my employer and openSUSE conference organizers, I've been able to spend almost a full day there. I've headed to Prague with a Fleet Commander talk accepted and, as openSUSE Leap 15.0 was released Yesterday, also with the idea to show an unattended ("express") installation of the "as fresh as possible" Leap 15.0 happening on GNOME Boxes. The conference was not so big, which helped to easy spot some old friends (Fridrich Strba, seriously? Meeting you after almost 7 years ... I have no words to describe my happiness on seeing you there!), some known faces (as Scott, with whom I just meet at conferences :-)) and also meet some people who either helped me a lot in the past (here I can mention the whole autoyast team who gave me some big support when I was writing down the autoinst.xml for libosinfo, which provides the support to do openSUSE's express installations via GNOME Boxes) or who have some interest in some of the work I've been doing (as Richard Brown who's a well-know figure around SUSE/openSUSE community, a GNOME Boxes user and also an enthusiastic supporter of our work done in libosiinfo/osinfo-db).
  • Hacker Summer Camp 2018: Prep Guide
    For those unfamiliar with the term, Hacker Summer Camp is the combination of DEF CON, Black Hat USA, and BSides Las Vegas that takes place in the hot Las Vegas sun every summer, along with all the associated parties and side events. It’s the largest gathering of hackers, information security professionals and enthusiasts, and has been growing for 25 years. In this post, I’ll present my views on how to get the most out of your 2018 trip to the desert, along with tips & points from some of my friends.