Sunday, 21 October, 2018

Security flaws put virtually all Intel, AMD devices at risk, warn researchers

Melissa Porter | 09 January, 2018, 01:00

Microsoft says your antivirus software could stop you from receiving the emergency patches issued for Windows. Computers with AMD processors are affected by Spectre, although it is significantly harder to exploit than Meltdown.

To download Microsoft's patch on your own, you have to manually set the Windows registry key on your computer.

By now Windows users should have received the patches Microsoft released yesterday to plug the widespread Meltdown bug and its companion Spectre, which expose most computers and phones to speculative execution side-channel attacks that affect chips from Intel, AMD, and Arm.

Microsoft has warned users that its patches for the unsafe Meltdown CPU bug won't reach them if their third-party antivirus hasn't been updated to support this week's Windows security update.

"Microsoft has been working closely with antivirus software partners to ensure all customers receive the January Windows security updates as soon as possible."

Intriguingly, in AMD's response to Google Project Zero's findings, the chip maker downplayed the effects of the Meltdown and Spectre flaws on its processors. While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact. The Windows 10 flavor of the patch (KB4056892) is also causing bootup problems for some users with AMD-based systems. Customers with these platforms can install Microsoft Security Essentials.

AMD's CPUs may have been immune to Meltdown and Spectre, but it turns out they are not immune to Microsoft's patch for those flaws. The "frustrated" user, for example, reports that beyond that laptop, one desktop with a different AMD chip and three laptops with Intel chips have successfully updated.

Apple announced on Friday that it is about to release a patch for its Safari web browser on iPhone, iPad and Mac.

"Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available."

Most unpatched PCs and servers are susceptible to hackers exploiting the Meltdown and Spectre vulnerabilities to extract sensitive information such as passwords, although Microsoft says it is unaware of the flaws being used in attacks to date.