
Intel Kernel Bug

Frank Dernie

Master Contributor
Forum Donor
Joined
Mar 24, 2016
Messages
6,454
Likes
15,806
Location
Oxfordshire
I am going to disable JavaScript for the time being. I tried a moment ago but this site obviously uses it so I put it back on for a moment.
It was a long time ago but a security specialist brought in to check our work system advised to never use Java or Bluetooth, neither were adequately secure in his opinion.
I certainly keep Bluetooth off on my phone unless I need it.
 
OP
DonH56

Master Contributor
Technical Expert
Forum Donor
Joined
Mar 15, 2016
Messages
7,892
Likes
16,701
Location
Monument, CO
My company distributes some Java-based tools and our SW team says it is a support and security nightmare... Glad I am an analog guy so don't have to deal with that stuff ('cept when surfing, natch).
 

amirm

Founder/Admin
Staff Member
CFO (Chief Fun Officer)
Joined
Feb 13, 2016
Messages
44,654
Likes
240,850
Location
Seattle Area
To be clear, Java and JavaScript are different things, despite the naming convention. Disabling Java is fine as very few things use it (Room EQ Wizard unfortunately uses it).

Disabling JavaScript will break a lot of things online. It is in massive use. I suspect the browser patches are already there or if not, will be shortly forthcoming.
 

Cosmik

Major Contributor
Joined
Apr 24, 2016
Messages
3,075
Likes
2,180
Location
UK
Something tells me there will be warehouses full of unsold computers and chips. Who would buy a new one now unless they really had to?
 

Soniclife

Major Contributor
Forum Donor
Joined
Apr 13, 2017
Messages
4,510
Likes
5,437
Location
UK
I disconnect from the internet when not using it and have never put anything important on a phone.

Don't let Apple, Google etc. hear you say that, they will start pushing for some sort of 1984 / Black Mirror "you must be connected at all times" law ;).
 

Soniclife

Don't panic, https://www.computerworld.com/artic...tdown-and-spectre-keep-calm-and-carry-on.html

I've spent part of the day at work trying to calm down management from panic patching of all the servers, and take a more measured approach, however for home users I think the following is sensible.

  • Patch your OS, update your browsers.
  • Use some sort of antivirus.
  • Use an ad-blocker in your browser. Unless you knowingly visit the dodgier parts of the internet, most malware gets in from advert redirects; something like uBlock Origin will work well as a first line of defence.
  • If you use Chrome, consider turning on site isolation, https://support.google.com/chrome/answer/7623121?hl=en-GB
 

Soniclife

I am going to disable JavaScript for the time being. I tried a moment ago but this site obviously uses it so I put it back on for a moment.
If you really want to do this, use the NoScript extension in the browser, and be prepared to spend a lot of time allowing sites to use it, till you get bored and remove it.
 

Sal1950

Grand Contributor
The Chicago Crusher
Forum Donor
Joined
Mar 1, 2016
Messages
14,194
Likes
16,916
Location
Central Fl
Mine was a single reboot, yours sounds more like the creators edition update.
Yep, it was.
Welcome to the Fall Creators Update
 

Wombat

Master Contributor
Joined
Nov 5, 2017
Messages
6,722
Likes
6,464
Location
Australia
I have read before this that weaknesses in Java have provided an access conduit for nasties.

Edit: I just saw the post explaining that Java is not JavaScript.
 
Deleted member 65

Guest
Asus just released a new BIOS for my newly built SilentPC based on the latest generation Intel i7-8700 CPU.

Never seen a BIOS release updating CPU Microcode before.

"Version 0606 2018/01/04 8.23 MBytes
ROG STRIX Z370-E GAMING BIOS 0606
1. Update CPU Microcode
2. Improve system compatibility and stability"

Edit: Some research reveals that this BIOS update together with MS latest patch addresses the Meltdown & Spectre issue.

"Windows Vulnerability CPU Meltdown Patch Benchmarked"

http://www.guru3d.com/articles-pages/windows-vulnerability-cpu-meltdown-patch-benchmarked,1.html
 

Cosmik

There are other types of computer 'cross-contamination' that seem to jar with my understanding of how things should be. The main one is IP targeting where you are planning a surprise present for someone in your household and adverts for it begin popping up on the recipient's PC!

Some other slightly odd ones are:
  • Spotify shows you what someone else is listening to on the same account. I'm not complaining about this, but you could imagine the occasional embarrassing situation where someone's guilty pleasures become broadcast to someone they would rather not know about it (the classical music scholar who listens to nothing but Abba, the social justice warrior who enjoys Bernard Manning routines).
  • Chromecast could be dangerous. Pick the wrong one in the list or forget to turn it off and whatever you are looking at gets broadcast onto the living room TV.
  • There was an issue a while ago where previous contents of graphics card memory could briefly pop up on the screen when the graphics mode changed - even after the user had logged off.
 

Wombat

Historically the pursuit of profit hasn't given much weight to collateral damage unless controlling regulation is created and enforced. Even then there are escape routes for the transgressors and the common-wealth pays the price.
 

CuteStudio

Active Member
Joined
Nov 23, 2017
Messages
119
Likes
65
https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

Allows rogue code full kernel access, potentially giving hackers access to "everything" on your PC (like passwords etc.) It is in the HW and has been since ca. 2007. OS patches are out and/or coming but potentially with big performance hits.

Ok, some facts about this security issue that don't seem to be appreciated:

  1. The bug only allows a purpose built program to read kernel memory, it can only read it, it cannot write or execute.
  2. You actually have to have the rogue code running on your PC in the first place, not very likely - any code to do that will be government (NSA/CIA) code already there. As an interesting caveat - either this was a known exploit that the alphabet agencies used OR they didn't know and are by definition useless and failed to protect us. Neither choice is a good one. It's revealing that a string of holes have been exposed and fixed after 'Vault7'.
  3. JavaScript is managed code and as far as I'm aware is unable to read machine memory (unless it's buggy) so it should isolate you. Same with any Java and .NET program - which includes Android apps interestingly enough. I'd expect security on these technologies to be tightened too as they are a virtual machine barrier to your real machine.

    Here's some info about browser updates to tighten them up:
    http://www.tomshardware.com/news/meltdown-spectre-exploit-browser-javascript,36221.html

    So I'd avoid using Win10 for browsing for a while but the risk is far lower for other platforms.
    If you have Win10 install VirtualBox and Debian and use Firefox to browse from that.

So no need for immediate panic, make sure your browser is up to date and update when convenient. It's mainly going to be used to harvest passwords and Bitcoin wallets and is a bigger security risk for cloud and server farm services where you are more likely to have a program running on a few servers to do a bit of harvesting.

Personally I'm not convinced that there will be big slowdowns, more likely is that hasty patches will break stuff.
 

amirm


Sal1950

I just enabled this and it was very easy and quick. So far it has not broken anything so I suggest doing it. It takes a few seconds to do. Go to:

chrome://flags/#enable-site-per-process

On a new tab. And the first option that shows up is Site Isolation. Simply click Enable and you are done.
Done also, thanks. That made it super simple.
I don't as a rule run Chrome anymore. The huge amount of integration with all things Google made me a bit nervous so I went back to Firefox as my daily browser in both Linux and Windows. Played a bit with the Firefox spin-off Waterfox but don't see any of the claimed loading speed gains. Maybe my PC isn't resolving enough? :)
 

Soniclife

Done also, thanks. That made it super simple.
I don't as a rule run Chrome anymore. The huge amount of integration with all things Google made me a bit nervous so I went back to Firefox as my daily browser in both Linux and Windows. Played a bit with the Firefox spin-off Waterfox but don't see any of the claimed loading speed gains. Maybe my PC isn't resolving enough? :)
Similar is also available for Firefox, see https://www.ghacks.net/2017/11/22/how-to-enable-first-party-isolation-in-firefox/ it might be on by default now as I believe Firefox was patched for what they could do against this the other day.
 