FYI...

BIOS Updates to Patch CPU Flaws
- http://www.securityweek.com/device-m...atch-cpu-flaws
Jan 15, 2018 - "Acer, Asus, Dell, Fujitsu, HP, IBM, Lenovo, Panasonic, Toshiba and other device manufacturers have started releasing BIOS updates that should patch the recently disclosed Spectre and Meltdown vulnerabilities.
The flaws exploited by the Meltdown and Spectre attacks, tracked as CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, allow malicious applications to bypass memory isolation mechanisms and access sensitive data. Billions of PCs, servers, smartphones and tablets using processors from Intel, AMD, ARM, IBM and Qualcomm are affected..."
(Much more detail at the URL above.)

> https://www.sans.org/newsletters/newsbites/xx/3#1
"CPU Patches - (January 9, 10, & 11, 2018)
Some vendor patches for the Spectre and Meltdown CPU vulnerabilities have been causing problems for users. Microsoft said that systems running incompatible anti-virus products would not receive any further updates; anti-virus vendors must confirm compatibility by setting a registry key. Linux has released microcode to address the CPU problems for certain processors. Canonical had to release a new patch after Ubuntu Xenial 16.04 users reported that the first fix rendered their systems unable to boot. Google says it applied patches for the flaws last year and that they have not slowed down its cloud services.
The patches are complicated and some require steps beyond just clicking install to complete the mitigation. They are also changing rapidly as issues surface and are resolved. Test not only for stability after application but also for performance impact.
There are patches and then there are PATCHES. It is pretty clear that software/firmware PATCHES for Spectre/Meltdown are complex and will, at a minimum, have performance impact. They will require significantly more QA testing than routine monthly Microsoft vulnerability Tuesday patches, probably even more than quarterly Oracle CPU PATCHES. Spinning up production environments (with obfuscated data) on IaaS services has enabled many organizations to increase depth of patch/PATCH testing while minimizing increases in time to patch. But, shielding, mitigation and monitoring will be needed in the interim..."

- http://www.zdnet.com/article/microso...-meltdown-fix/
Jan 10, 2018

- https://www.computerworld.com/articl...hich-ones.html
Jan 11, 2018

> https://www.askwoody.com/2018/reaffi...t-ms-defcon-2/
"...Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it."