Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[sevenlayermuddle]

Apple have also relaeased broswer (Safari) mitigations for Safari, as well December’s Meltdown mods.

https://support.apple.com/en-us/HT208394

Interestingly, they comment on performance impact...

Wrt meltdown...

Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.

Wrt Spectre

Our current testing indicates that the Safari mitigations have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark. We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, and tvOS. watchOS is unaffected by Spectre.

[banger]

@Ronski I found a thread last night which explained the results of the script. The second results (VA shadowing) is the Meltdown bug which Windows has patched in software and accounts for the slight slow down. The first results are for Spectre (branch target injection) and it seems to be fully patched a microcode or BIOS update is required. Most browsers have mitigation for spectre installed but as spectre is not in the wild no one really knows.

[burakkucat]

For those of us whose OS makes use of a Linux kernel, there is another utility available which will analyse the status of the kernel currently in use.

https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh

Just go to the above location, right-click to select all and then save as spectre-meltdown-checker.sh

Set the execution bit in the file mode (chmod +x spectre-meltdown-checker.sh) and invoke the utility.

[Ronski]

Thanks Banger.

Is there a site that explains in plain English what the risks are and how easy it is to be compremised?

[banger]

Not that I have seen Ronski and I have been doing a lot of reading. There is a lot of confusion about my setup a Core 2 Duo E8400 some saying it is not affected but the script says I need a BIOS update.

What I have done so far is Windows update on Win 10 switched to firefox and implemented site isolation on firefox and chrome to stop javascript from nicking memory contents of other processes (Spectre) whereas Meltdown is protected by OS update. I think that is the most you can do at the moment until Intel comes out with something.

[roseway]

For those of us whose OS makes use of a Linux kernel... etc

Debian has patched its kernels for the Meltdown vulnerability, but hardware support is needed to protect against Spectre.

[Weaver]

I suppose selectively disabling javascript might help a bit, unacceptable sometimes obviously. Or you could have another browser, one in a VM, with none of your secrets in it, so no data to steal.

Isn't there a tool to make it easier to turn of javascript in Firefox ?

Wish there were a selective-disable-js thing for Safari ios. You can turn the whole thing off globally, but even that is quite fiddly, but that's all there is. Even an easily accessible button to flick it off/on would be an improvement, but having a per-site thing or even better also a per url (with regex) thing would be great. Is there such a thing as a Safari ios “add-in API” for developers now? To build new plug-ins/add-in modules to enhance it? I have no idea if that might make it possible to do such a thing.

[sevenlayermuddle]

Debian has patched its kernels for the Meltdown vulnerability, but hardware support is needed to protect against Spectre.

Odd, I have never known a hardware problem that can’t be avoided by software. Especially as other software suppliers seem to have coped?   

[banger]

Spectre is not totally patched in Windows without hardware microcode also from what I have read.

[roseway]

Spectre is not totally patched in Windows without hardware microcode also from what I have read.

Yes, that's my understanding too.

[Ronski]

I use Firefox ESR on my main PC. Only thing I could find was this

https://support.mozilla.org/en-US/questions/1198249

[sevenlayermuddle]

I think we are nit picking over whether a firmware/microcode fix is a hardware change.   I would say it is not, especially if there is a mechanism whereby it can be updated by end users.   

In any case, I have not heard Apple talk about firmware updates.    But they may have ways of silently sneaking in a firmware update part of an OS update, having the advantage that they know the precice hardware environment.   Or perhaps, providing you know the exact hardware configuration, as Apple do, more effective mitigation can be provided in OS and Application software?

[roseway]

It's my understanding that microcode is supplied by the hardware manufacturer, and so it's not in the power of the OS or application software developers to fix the Spectre vulnerability completely. They may be able to mitigate it in various ways, but they are dependent on the CPU manufacturers for a complete fix (assuming that it's possible).

[sevenlayermuddle]

My understanding is that CPU firmware is published by the CPU manufacturer, but that they will only provide updates to the PC manufacturers rather directly to than end users.   The PC manufactures then push it out to end users, I assume they will have some proprietary tools for installing it - similar perhaps to a BIOS update.

In the case of Apple, the OS vendor and PC manufacturer are one and the same, which may make things easier.   I see no technical reason it could not be incorporated into Apple’s usual software update channel, though I do not know if that would be too complicated, or if they have actually done so, in this or any other case.

When I saw mention of hardware support being needed, I had visions of board-level chip swapping, hence my puzzled response.   And my alarm too, as Apple customers are generally not meant to swap chips.   I can cope with a solution that involves new firmware/microcode, which is most certainly, in my book, still ‘only software’.

[roseway]

Sorry if I alarmed you.

I referred to it as a hardware solution because it depends on the CPU manufacturer providing the necessary microcode for their devices. The way it works in the Linux world is that the CPU manufacturers make their microcode updates available to Linux distro producers, and the latter can package them in OS upgrades. The microcode isn't permanently stored in the CPU, but is loaded at boot time.