Massive CPU Security Flaws Revealed

Because Microsoft. Also, there are no real exploits in the wild yet, so they’re taking their sweet time, I suppose.

You can download it directly. Just google that KB I posted above. I had to do that for my Surface Book.

This is quite an impactful patch. As there are no exploits out in the wild, I suggest waiting for your OS vendor to push the patch to you.

Load times are dependent on large disk reads. Each disk read syscall is hurt by a small amount with these patches, but the time it takes to wait for the HDD or even SSD to actually fetch the data is a lot larger. Therefore, load times are already bottlenecked on the disk and the new slowdown is usually immaterial. I/O syscalls which read from cache or do local (loopback) networking are a lot faster for each syscall, so the fixed overhead from the new patches hits them a lot harder, which is where the big performance hit benchmarks are coming from.

So this is the holy grail for state-level actors, right? I mean, if the NSA knew about this before, it basically opened up everyone’s PCs to them for years, I imagine.

And if they didn’t know about it before, I assume they are feverishly working on an exploit with the hopes that foreign powers don’t update all their machines quickly.

It’s speculation. There’s a good chance that the NSA might have been aware of this flaw for a long time now. There’s also the chance that it somehow evaded them. We’ll never know for sure.

Intel says that it has issued updates for 90% of its processors of the past 5 years, with more to come. Although, I’m not sure how these (supposedly microcode) updates are supposed to be distributed? My machine is a Dell, and they’re notorious about not providing firmware updates for older machines. I did notice that Dell did update its digital delivery software yesterday.

Also, Intel says these updates make their CPUs “immune” (their word, not mine) to Meltdown and Spectre.

MacOS, iOS, and Windows are all regularly updated. Windows is particularly aggressive about this. The performance impact is a bummer but Meltdown won’t be a problem there. Spectre is another matter, but that attack vector will be open for years to come.

Attentive readers will note that I left a major consumer OS out of that list above: Android. There are many millions of Android devices that will never be updated. They run ARM SoCs so they aren’t vulnerable to Meltdown, but will never get any Spectre mitigation.

IoT devices aren’t updated either, but both Meltdown and Spectre are local exploits so that largely doesn’t matter. Android is a monstrous problem.

CPU microcode updates can be delivered via Windows Update, but if it requires a BIOS update that has to come from your computer or motherboard’s manufacturer.

Tux Racer?

So, according to Apple, they’re only fixing High Sierra (MacOS 10.13) and not Sierra (10.12). So it’s time to upgrade?

I was hoping to put it off, because of all the backups and checking in case the upgrade goes south (and in case all my apps don’t work).

Thanks for this, saved me having to look around for it myself or open a ticket with VMware. I ended up spending the entire day yesterday updating all of my ESXi hosts. Super fun, but I hadn’t done it for a really long time so probably it was time anyway.

So far no differences as far as I can tell post-patch in my VDI or server environment.

Coolio, note the patches mitigate VM-to-VM exploits. The VMware patches have negligible performance impact on the hypervisor itself, but guest OSes still need to be patched to avoid exploits within the guests themselves, and performance impacts may be more likely to come from them and be highly dependent on workload. I expect that will likely end up including the VMware appliances (VC, Horizon View/Connection Broker, etc., etc.), but this is still under investigation by VMware.

So it seems Apple is only updating iOS 11. How worried should I be about my devices that can’t get iOS 11? Should I take them off the internet?

Dell posted an advisory. They’re releasing BIOS updates for a ton of machines. This list will grow.

http://www.dell.com/support/article/us/en/19/SLN308587

Here’s a good rundown of the latest patches and such:

Looks like Microsoft is only patching some people for now. Anti-virus is breaking too many things, though many of the AV vendors will have it patched and then the MS patch will auto-apply sometime next week.

It looks like all of the main browsers are getting patches for JavaScript which both add noise to and reduce the resolution of timers, as well as disabling some cross-thread communication buffers.
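As an added illustration of the timer mitigation the post above describes (this is example code, not from the thread or from any browser vendor): a simplified model that clamps a high-resolution clock to a coarse grid and adds bounded noise, with a small simulation of how that degrades sub-resolution interval measurement. The 100 µs resolution and ±20 µs jitter values are assumptions, and `makeRng`/`fractionDistinguished` are helpers invented here.

```javascript
// Added example, not code from the thread or from any browser: a simplified
// model of the "reduce resolution and add noise" timer mitigation. The
// resolution and jitter values below are assumptions, not a browser's.

// Work in integer microseconds so the quantisation arithmetic is exact.
const US_PER_MS = 1000;

// Round a timestamp down to a multiple of `resolutionUs`.
function clampResolution(tUs, resolutionUs) {
  return Math.floor(tUs / resolutionUs) * resolutionUs;
}

// Clamp, then add noise in [-jitterUs, +jitterUs) so that sampling the clock
// repeatedly cannot recover the exact quantisation boundary.
// `rand` is injectable (defaults to Math.random) so the behaviour is testable.
function coarsenTimestamp(tUs, resolutionUs, jitterUs, rand = Math.random) {
  const clamped = clampResolution(tUs, resolutionUs);
  return clamped + (rand() * 2 - 1) * jitterUs;
}

// Mitigated stand-in for performance.now(): milliseconds at 100 µs
// granularity with up to ±20 µs of noise (assumed values).
function coarseNow(resolutionUs = 100, jitterUs = 20) {
  const nowMs = typeof performance !== 'undefined' ? performance.now() : Date.now();
  return coarsenTimestamp(nowMs * US_PER_MS, resolutionUs, jitterUs) / US_PER_MS;
}

// Small deterministic PRNG (Park-Miller) so simulations are reproducible.
function makeRng(seed = 12345) {
  let x = seed % 2147483647;
  return () => (x = (x * 48271) % 2147483647) / 2147483647;
}

// Simulate measuring an interval of `intervalUs` with the coarsened clock,
// starting at a random phase relative to the quantisation grid. Returns the
// fraction of trials in which the measured end time exceeded the start time:
// with no jitter a sub-resolution interval is rarely visible, and with jitter
// even a zero-length interval "looks" positive about half the time.
function fractionDistinguished(intervalUs, resolutionUs, jitterUs, trials, rand) {
  let hits = 0;
  for (let i = 0; i < trials; i++) {
    const start = rand() * resolutionUs;
    const a = coarsenTimestamp(start, resolutionUs, jitterUs, rand);
    const b = coarsenTimestamp(start + intervalUs, resolutionUs, jitterUs, rand);
    if (b > a) hits++;
  }
  return hits / trials;
}
```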

It seems like all of us computer users owe a big thank you to the Google Project Zero team for finding the bugs and quietly working with both the CPU vendors and the OS guys to get this fixed before it had a serious impact.

Really, all the tech giants have the resources to put a team like this together, but it seems like only the Alphabet guys are actually doing it. But maybe I’m wrong?

There were unrelated teams that discovered it simultaneously.

Who reported Meltdown?

Meltdown was independently discovered and reported by three teams:

Jann Horn (Google Project Zero),
Werner Haas, Thomas Prescher (Cyberus Technology),
Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology)

Who reported Spectre?

Spectre was independently discovered and reported by two people:

Jann Horn (Google Project Zero) and
Paul Kocher in collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61)

Thanks, I find it so strange that, with speculative execution being part of Intel microarchitecture since the P6/Pentium II, that bug was discovered independently at nearly the same time. I also remember one of the really smart Intel Field Application Engineers asking the design engineers in the 90s, "Hey, what happens when you speculatively execute level 0 protected code, but you don’t have permission to execute it?" and being told, "Hey, don’t worry, we got it figured out."

I thought I read somewhere that this side channel attack (at least the Spectre variant) had been theorized for a while but it’s only now that people were able to make actual working examples of it. There was some paper about a year ago in the general direction so my guess is these teams started working on it after that paper and all had an “oh shit” moment pretty close to each other.