Linked by Thom Holwerda on Tue 9th Jan 2018 18:03 UTC

From Microsoft's blog:

Last week the technology industry and many of our customers learned of new vulnerabilities in the hardware chips that power phones, PCs and servers. We (and others in the industry) had learned of this vulnerability under nondisclosure agreement several months ago and immediately began developing engineering mitigations and updating our cloud infrastructure. In this blog, I'll describe the discovered vulnerabilities as clearly as I can, discuss what customers can do to help keep themselves safe, and share what we've learned so far about performance impacts.

The basic gist here is this: the older your processor and the older your Windows version, the bigger the performance impact will be. Windows 10 users will experience a smaller performance impact than Windows 7 and 8 users, and anyone running Haswell or older processors will experience a bigger impact than users of newer processors.

RE[2]: Disable KPTI
by jasutton on Wed 10th Jan 2018 18:55 UTC in reply to "RE: Disable KPTI"

Your analogy doesn't really pan out in this instance. At least in the USA, your home most likely has at most 2 locks on each external door: one on the knob and a deadbolt. The one on the knob is much less secure than the deadbolt, as it is relatively easy to use a plastic card to bypass, making the deadbolt the only real thing preventing most people from entering your house.

In computer security, we have layers upon layers of different security controls, but none of them are treated like the ineffectual "knob lock" I mentioned on a typical US home. Once a security control has been compromised to the point of having an easily used bypass, it's just not considered a security control anymore.

What I think the OP was saying was that these kinds of attacks assume that the attacker already had the ability to execute code on the victim's system. Many systems which will be unquestioningly patched simply aren't in a position to need the patch. For instance, if you have a large cluster of servers on the interior of a closed network with many security controls ("deadbolts" in the house analogy) governing access to said network, then you might reasonably be willing to forgo these patches in order to retain the computational abilities of your cluster.

If, however, you run a system in which there are fewer controls governing access, and the likelihood of someone being able to gain user-level access to the system is higher, then these patches are much more valuable. As we've seen, they've already demonstrated attacks orchestrated via JavaScript, so desktop users are among those that should be deploying these patches regardless.

Score: 3