'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign

[back2themoon]

With this new vulnerability; Microsoft sent their "patch fix KB4056892" which both computer owners installed, restarted their computers and got an ugly surprise. Their computers won't boot now. This is why these two computers are down at my neighbor's shop.

Perhaps it's related to the known incompatibility of the patch with several security software. A particular registry key needs to be present. Updated compatibility list here.

Security software needs to be compatible and updated BEFORE installing the patch. Windows Update won't offer it otherwise, not sure what happens when installing the patch manually.

[Tomaso]

Personally, I've always disabled my AV program before installing Windows updates.
It just seems like a sensible precaution.

[Night Wing]

Since I use 64 bit Windows 7 as my backup operating system, I went to the Microsoft Update Catalog and downloaded the security only KB4056897 patch to my Desktop.

http://www.catalog.update.microsoft.com ... =KB4056897

I didn't install the patch though. I'm going to wait about a week and see if this patch update causes any problems from other 64 bit Windows 7 users first. If all goes well from other users, then I'll disable my antivirus program and install the patch on my experimental Windows 7 hard drive. And then I'll cross my fingers and hope the hard drive re-starts/re-boots the computer and brings me back to my Desktop.

If things "go south", I'll re-format the hard drive and re-load Windows 7 back onto it.

BTW, if this patch works, as an insurance policy I also transferred this patch to three thumb/flash drives just in case I would have to re-install Windows 7 again, for whatever reason, on any of my four windows hard drives.

[John connor]

Why I don't use updates. Haven't used them since 98se. Not been hacked, no malware, none of that fear mongering BS. I just knew that the update would mess up people's computers. Because I know quality control at M$ is out the Window.

Here's a nice lone running list I have been collecting on update BS.


https://forums.anandtech.com/threads/i- ... e.2491444/

https://forums.anandtech.com/threads/wi ... k.2491473/

https://forums.anandtech.com/threads/wi ... m.2489532/

https://forums.anandtech.com/threads/wi ... n.2489403/

https://forums.anandtech.com/threads/od ... e.2489266/

https://forums.anandtech.com/threads/wi ... s.2489213/

https://forums.anandtech.com/threads/wi ... t.2489857/

https://forums.anandtech.com/threads/is ... e.2492601/

https://forums.anandtech.com/threads/wi ... t-38625961

https://www.computerforum.com/threads/i ... ff.240871/

[Tomaso]

Intel facing class-action lawsuits over Meltdown and Spectre bugs:
https://www.theguardian.com/technology/ ... -computer/

Three separate class-action lawsuits have been filed by plaintiffs in California, Oregon and Indiana seeking compensation, with more expected.
All three cite the security vulnerability and Intel’s delay in public disclosure from when it was first notified by researchers of the flaws in June.
Intel said in a statement it “can confirm it is aware of the class actions but as these proceedings are ongoing, it would be inappropriate to comment”.

[John connor]

No wonder why the CEO pulled his stock.

[back2themoon]

Guess we can also add game consoles to the mix. What are 'evil hackers' going to steal though, high-score tables?

[Night Wing]

Another reason I'm not in any hurry to install this update in any of my four Windows 7 hard drives is because of what I do with my computers and I'll explain below.

I have three browser but only use two of them mostly. They are in order of preference: Pale Moon, SeaMonkey, Firefox ESR.

1) I do not not store user names or passwords within any browser. I login manually via the keyboard to everything.
2) I do not sync any of my devices either (I have four computers).
3) I do not have any Cloud accounts.
4) I do not do any financial business over the internet (no banking, no brokerage, no credit card transactions, etc). I use a land line telephone to conduct this type of business.
5) I do not do any medical business over the internet (no physicians appointments, no medical portals, etc). I use the same land line telephone.
6) I do not do any governmental business over the internet (no Social Security, no IRS, no county or city jury duty, etc). Again, the same land line telephone.
7) I do not own a smartphone, just an old fashioned 7 year old flip style cell phone which is never connected to the internet.
8) I do not own a tablet so this vulnerability can't affect me.

This is why I am in no hurry to install the patch in any of my four Windows 7 hard drives.

In linux Mint 18.3 (Sylvia) Xfce, I would have to install a different kernel. I'm using in Mint, kernel (4.10.0-38). I have been advised to change to a 4.13.0 kernel. However, in the 4.13 series, there are four different kernels. Basically, 4.13.0-16, 4.13.0-17, 4.13.0-19 and (4.13.0-21). If I choose the wrong kernel, my linux hard drive may not boot. So I've decided to leave well enough alone because of what I do with my browsers in linux which are the same things I (would) do in Windows since I mostly use Linux.

When Linux Mint 19.0 (Tara) in Xfce is publicly released in June of 2018, Mint 19 (which reaches end of life (EOL in April of 2023) will automatically choose the correct 4.13.0 kernel for me for all of my 5 linux hard drives so I won't have to guess. And this is why I am in no rush to fix this vulnerability via any patches since "the sky is not falling in on me".

[yereverluvinuncleber]

Why I don't use updates. Haven't used them since 98se. Not been hacked, no malware, none of that fear mongering BS. I just knew that the update would mess up people's computers. Because I know quality control at M$ is out the Window.

John Connor - My systems have been hacked just the once, properly hacked. I'm still unsure as to how. So, don't assume that because it hasn't happened to you (it may have done and you may not know) that it won't happen. For a long while I supported PCs and many that came in had been infected/hacked. The possibility exists and the reality is that it happens.

My own personal infection almost certainly came through an exploit that allowed read access to files. I have always tried to avoid using all Microsoft products except the o/s to prevent higher privilege access to system resources but somehow a script/program accessed my system was able to do some file access. It looked for Filezilla passwords which it knew were stored in plaintext in a set location. It infected 40 of my Joomla sites with penis enlargement links...

All sites had to be rebuilt from backups.

Filezilla at that time took any password you entered to access a site and stored it, even if you hadn't told it to - it stored the passwords and did so in plain text in an XML file. It didn't bother to obfuscate/hash or provide you with an option to prevent this. The developer refused to change this default behaviour even when he was informed that his program was acting as a trojan horse for malware devs to exploit. It had been used as a well-known hack exploit for thousands of malware injections for years. His response was "you should use a secure o/s instead of Windows".

I have tried to damage filezilla's reputation ever since as I was so unimpressed by that devs appalling attitude, ignoring suggestions to tighten his ship even though he knew it was a point of failure and exploit. The point is that despite even the best intentions any software can give your system vulnerabilities, you can be infected and if you take no precaution you may not know you have already been hacked.

PS. On a separate instance at a different time, someone tried to transfer thousands from my wife's account and they were able to use her password on online banking with a major UK bank. It was only stopped as the transaction was so strange the bank closed her account. We still don't know how they took her password as she only entered it ever through supposedly secure school computers... An example of an unknown exploit.

IT happens!

[yereverluvinuncleber]

Still the question remains: Are the Palemoon developers implementing the same timer blurring that the Firefox devs are doing? I've only seen an response to one of the potential changes that being that the shared array component hasn't been implemented on PM so it is already, in effect, disabled.

IS PM safe to use and can the second change help mitigate a drive-by exploit?

IS the change coming?

[Isengrim]

Still the question remains: Are the Palemoon developers implementing the same timer blurring that the Firefox devs are doing? I've only seen an response to one of the potential changes that being that the shared array component hasn't been implemented on PM so it is already, in effect, disabled.

IS PM safe to use and can the second change help mitigate a drive-by exploit?

IS the change coming?

viewtopic.php?f=1&p=131437

Pale Moon already set the granularity for the performance timers sufficiently coarse in Oct 2016 when it became clear that this could be used to perform hardware-timing based attacks and fingerprinting.

[John connor]

Why I don't use updates. Haven't used them since 98se. Not been hacked, no malware, none of that fear mongering BS. I just knew that the update would mess up people's computers. Because I know quality control at M$ is out the Window.

John Connor - My systems have been hacked just the once, properly hacked. I'm still unsure as to how. So, don't assume that because it hasn't happened to you (it may have done and you may not know) that it won't happen. For a long while I supported PCs and many that came in had been infected/hacked. The possibility exists and the reality is that it happens.

My own personal infection almost certainly came through an exploit that allowed read access to files. I have always tried to avoid using all Microsoft products except the o/s to prevent higher privilege access to system resources but somehow a script/program accessed my system was able to do some file access. It looked for Filezilla passwords which it knew were stored in plaintext in a set location. It infected 40 of my Joomla sites with penis enlargement links...

All sites had to be rebuilt from backups.

Filezilla at that time took any password you entered to access a site and stored it, even if you hadn't told it to - it stored the passwords and did so in plain text in an XML file. It didn't bother to obfuscate/hash or provide you with an option to prevent this. The developer refused to change this default behaviour even when he was informed that his program was acting as a trojan horse for malware devs to exploit. It had been used as a well-known hack exploit for thousands of malware injections for years. His response was "you should use a secure o/s instead of Windows".

I have tried to damage filezilla's reputation ever since as I was so unimpressed by that devs appalling attitude, ignoring suggestions to tighten his ship even though he knew it was a point of failure and exploit. The point is that despite even the best intentions any software can give your system vulnerabilities, you can be infected and if you take no precaution you may not know you have already been hacked.

PS. On a separate instance at a different time, someone tried to transfer thousands from my wife's account and they were able to use her password on online banking with a major UK bank. It was only stopped as the transaction was so strange the bank closed her account. We still don't know how they took her password as she only entered it ever through supposedly secure school computers... An example of an unknown exploit.

IT happens!

I don't know what you have there or how you run things, but I run a pretty tight ship.

I don't understand why you mention Joomla. That' isn't an OS. And if you use Joomla, that is a hackers paradise. Stay far, far away from it. It's no better than Wordpress which seems to have a far amount of holes, unless you use certain security plugins, proper server configuration and a WAF. mod_security included.

I wouldn't use Filezilla. I use Winscp.

[yereverluvinuncleber]

Joomla has nothing to do with it. That was the result, please read again, insert Drupal if it makes it more valid for you. If not then just forget that bit...

Of course you may or may not be using filezilla, I use WINSCP - but that's not the point!

If you don't get what I was trying to say there won't be much point in explaining... I'm sure you DO get it. You are a native English speaker so I am sure you do really.

[John connor]

I'm sure you DO get it.

No, I don't actually. I was talking and responding about Winblows constant update madness and how they seem to cause more problems than they are worth, and you are talking about website software. This isn't a language barrier.


As far as I'm concerned, the only updates worth installing are criticals. But with 10, you're SOL on that endeavor. 10 made the consumer Redmond's little cash cow, and that's a big understatement. If I could only play my games in Linux...

[yereverluvinuncleber]

Possible trolling? That might explain it. Read again and if it makes no sense discard and forget I posted.

[John connor]

Possible trolling? That might explain it. Read again and if it makes no sense discard and forget I posted.

What the... I am responding to you and you accuse me of being a troll? Good grief. Trolls don't engage in conversation. They deflect and.. troll. I'm done here.

Now because you called me a troll, some mod is gonna come around and hand me a yet another unwarranted Warning.

[John connor]

Here's a good read if anyone is interested. https://www.schneier.com/blog/archives/ ... mel_1.html

[Thehandyman1957]

If I could only play my games in Linux...

Off-topic:
Now there is the understatement of the year. Truly, one of the biggest hurdles for me and Linux.
I can do a lot of things in Linux but I hate the idea of having to shut down my machine just to go
play a game. Sadly, VM just don't do it.

Post by "yereverluvinuncleber"
Possible trolling?

Could you please explain? I don't see any trolling activity here.

[John connor]

I can do a lot of things in Linux but I hate the idea of having to shut down my machine just to go
play a game.

Off-topic:
Yeah, unfortunately I don't think there is enough incentive for Linux users who can port the game or the game developers to make the game work in Linux. Not only that, but Origin and Steam are big Windows players (no pun intended). So there's that.

I mostly play older games though. My main game is FSX and BF2 with the AIX mod. I do have BF3, but I got pissed off that I was spraying a couple players and they didn't go down. I was told they had some "perks" or something. I promptly uninstalled.

[Thehandyman1957]

Here's a good read if anyone is interested. https://www.schneier.com/blog/archives/ ... mel_1.html

Thanks. Some of the best of it was the comments. Makes me realize that this is way bigger than most realize and
truly over my head in magnitudes.