Major flaw in millions of Intel chips -- (Spectre & Meltdown)

Started by Frands, January 03, 2018, 05:37:00 PM


Pete!

Quote from: ky331 on January 11, 2018, 06:54:49 PM
Meltdown is mitigated by the January Microsoft Windows Updates (on 64-bit systems; but NOT on 32-bit systems).
However, Spectre requires the CPU/firmware (BIOS/UEFI) update from your PC's manufacturer!
Updated UEFI:... still vulnerable to Spectre.
I wasn't expecting much, I was going from a 2013 version, to a 2014 version, (long before this was on anyone's radar).
Unless Dell is going to throw us all under the bus, they still have some work to do.

ky331

Yes, it'll have to be a brand-new 2018 BIOS update, that addresses Meltdown/Spectre.

winchester73

Quote from: ky331 on January 11, 2018, 08:05:08 PM
Winchester:   Can you confirm the Ashampoo-tool results via the PowerShell Script, or by running SpecuCheck (from a Command/DOS prompt)?


This is a ThinkPad T440s.  A new Lenovo BIOS has not been offered.

SpecuCheck attached:
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Aaron Hulett

Microsoft hasn't offered me the OS patch yet. I've gone and grabbed it myself and am manually installing it.

ky331

Not sure what to make of this... it's certainly reporting that your current CPU microcode is supporting Branch Prediction Mitigations... yet you say there was no BIOS update ????

For what it's worth, Lenovo HAS released a new BIOS update for the T440s, sometime between 12/18/17 and 1/4/18, version GJET96WW (2.46).   Can you check your BIOS to see what version you have?

winchester73

I downloaded that BIOS last month ...

https://pcsupport.lenovo.com/us/en/downloads/ds035965

I mis-read your earlier Lenovo post, thought there was another BIOS update that had come out and was pulled.   ???

ky331

Lenovo pulled SOME --- but not ALL --- of their recently released BIOS updates.   Apparently your T440s update was "safe", and not pulled.   So you indeed have the newest, safe BIOS update which protects you from Spectre.

The update for my Lenovo is not expected to become available until February.   I have no idea on the ETA for any of my other systems (HP/Dell).

winchester73

That leads to an interesting question. ThinkPads are easy to update using their included utility. What about IdeaPads, Yogas, and other systems that don't have such an easy way to update? How will folks with those know there is a firmware update, let alone where to go and how to install it?

ky331

Lenovo has prepared an informative site for the Meltdown/Spectre vulnerabilities:
https://support.lenovo.com/us/en/solutions/len-18282

By scrolling down, and clicking on the appropriate system (e.g., ThinkPad), the user should be able to find out about the availability of an appropriate patch for their particular model.

[On a weird note, that page displays correctly on some of my computers, but has its data suppressed on others... I'm still trying to figure out why... presumably some security setting/program toggled too-high.]

Corrine

The Spectre Meltdown CPU checker shows protected for Meltdown but needs a BIOS update for Spectre.

PowerShell results have the same result:

Quote:
Speculation control settings for CVE-2017-5715 [branch target injection]

"Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True"

Suggested actions

* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.

Only one problem with that.  HP doesn't have an update for my old system HP HDX X18-1099UX Premium Notebook PC.  In fact, it doesn't even have software/drivers for Windows 8 or Windows 10 -- only for Vista (the original OS) and Windows 7.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

winchester73

Quote from: ky331 on January 11, 2018, 11:51:34 PM

By scrolling down, and clicking on the appropriate system (e.g., ThinkPad), the user should be able to find out about the availability of an appropriate patch for their particular model.

That's all well and good for someone like you or me who is diligent about updates, patches, etc ... what about the masses out there who aren't paying attention, don't care, assume all is well, just want to turn the computer on and use it, aren't tech savvy, etc?

ky331

Intel admits security patches have bugs that cause surprise reboots
https://www.bizjournals.com/sanjose/news/2018/01/12/intel-meltdown-spectre-patches-reboot-flaw-amd.html

Santa Clara-based Intel Corp. is quietly urging its biggest data center customers to hold off on installing the company's latest security patches for the Spectre and Meltdown chip flaws, because the patches have bugs that could cause unexpected system reboots, The Wall Street Journal reports.

In a public post Thursday, Intel executive Navin Shenoy confirmed the issue, saying "a few customers" running Intel's older Broadwell and Haswell chips had experienced higher-than-normal system reboots.

winchester73

Funny you mention that, I've had 2 BSOD (at least that I've noticed, who knows what happens when I'm not sitting at the laptop) in the past few days.

SYSTEM_SERVICE_EXCEPTION Win32kbase.sys

DRIVER_IRQL_NOT_LESS_OR_EQUAL netwbw02.sys

(Side note ... I wish there was a way to turn off the annoying sound made while the 'report' is being generated)

Corrine

Via Twitter, https://twitter.com/Garyw_/status/951903598258028545:

Quote:
Dell also pulled their meltdown and spectre patches for their 13th gen servers. They were up for about 24 hours - no word as to why but I think that various patches are causing major issues.



techie

They're patching a hardware design flaw with a software patch. Why am I not surprised they're having issues? This is a feeble attempt to try and limit liability.

What are the results so far?

1) Processors that no longer function at their advertised speed.
2) System crashes.
3) Millions, if not Billions of servers and systems with a major security issue.