
Progress Continues on Firmware Updates - taspeotis
https://newsroom.intel.com/news/security-issue-update-progress-continues-firmware-updates/
======
randomdrake
The 85% number sounded really odd and specific.

Turns out the 85% number is quoted from the "Top 30 Targeted High Risk
Vulnerabilities" published in 2015[1], which came from Public Safety Canada's
"Top 4 Strategies to Mitigate Targeted Cyber Intrusions" also from 2015[2],
which came from the Australian Signals Directorate's report "Top four
mitigation strategies to protect your ICT system" from 2012[3], which says
(emphasis mine):

"At least 85% of _the intrusions that ASD responded to in 2011_ involved
adversaries using unsophisticated techniques that would have been mitigated by
implementing the Top 4 mitigation strategies as a package."

A far cry from "as many as 85 percent of all targeted attacks" quoted from
Intel in 2018.

[1] - [https://www.us-cert.gov/ncas/alerts/TA15-119A](https://www.us-cert.gov/ncas/alerts/TA15-119A)

[2] - [https://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/tp-strtgs-en.aspx](https://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/tp-strtgs-en.aspx)

[3] - [https://www.asd.gov.au/publications/protect/top_4_mitigations.htm](https://www.asd.gov.au/publications/protect/top_4_mitigations.htm)

------
vbernat
Intel says the identified stability issues only affect Broadwell and Haswell
while they also affect Skylake and IvyBridge.

The microcode updates are also made available to only very few channels and
vendors. In turn, vendors are not making the updates available to customers.
As an example, SuperMicro didn't publicly release an updated BIOS.

So, one month after the end of the embargo, Intel is working very hard to
ensure people cannot get properly protected.

~~~
cesarb
For Linux, the microcode updates are also available at
[https://downloadcenter.intel.com/download/27337/Linux-Processor-Microcode-Data-File](https://downloadcenter.intel.com/download/27337/Linux-Processor-Microcode-Data-File)
or similar (oddly, that's the 20171117 version, I recall seeing the 20180108
version there earlier, but can't find it now; in any case, that newer version
is still available at [https://pagure.io/microcode_ctl](https://pagure.io/microcode_ctl)).
Distributions usually install that microcode update package so that it's
activated early in the Linux kernel startup: if you see "microcode updated
early to revision [...]" as the first line of your dmesg output, it's that
mechanism doing its work.
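
As an added example (not written by any commenter in this thread), the following POSIX shell snippet checks that the early-load mechanism described above actually took effect: it reads the per-CPU `microcode` field from `/proc/cpuinfo`, reads the revision from the kernel's "microcode updated early to revision" message, and reports whether every core runs the same revision that was loaded early. The embedded `/proc/cpuinfo` and dmesg samples are constructed, and the kernel message format assumed is the one printed by 4.x kernels.

```shell
#!/bin/sh
# Added example: verify which microcode revision Linux actually applied.
# The two samples below are constructed to resemble real output.
SAMPLE_CPUINFO=$(printf 'processor\t: 0\nmicrocode\t: 0x84\nprocessor\t: 1\nmicrocode\t: 0x84\n')
SAMPLE_DMESG='[    0.000000] microcode: microcode updated early to revision 0x84, date = 2018-01-21'

# Print the distinct microcode revisions seen across all CPUs in cpuinfo text.
# More than one line means some core runs a different (e.g. older) revision.
cpuinfo_revisions() {
    printf '%s\n' "$1" | awk -F': *' '$1 ~ /^microcode/ {print $2}' | sort -u
}

# Print the revision named in the early-load kernel message, or nothing if absent.
dmesg_early_revision() {
    printf '%s\n' "$1" \
        | sed -n 's/.*microcode updated early to revision \(0x[0-9a-fA-F]*\).*/\1/p' \
        | head -n 1
}

# Succeed only if all CPUs report one revision and it matches the early-load message.
# Arguments: cpuinfo text, dmesg text.
microcode_consistent() {
    revs=$(cpuinfo_revisions "$1")
    [ -n "$revs" ] || return 1
    count=$(printf '%s\n' "$revs" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || return 1
    early=$(dmesg_early_revision "$2")
    [ -n "$early" ] && [ "$early" = "$revs" ]
}

# Live check on a Linux host: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    if microcode_consistent "$(cat /proc/cpuinfo)" "$(dmesg 2>/dev/null)"; then
        echo "microcode: all CPUs on revision $(cpuinfo_revisions "$(cat /proc/cpuinfo)"), loaded early"
    else
        echo "microcode: revision mismatch across CPUs or no early load message"
    fi
fi
```

A mismatch across cores is what you would see when an update was only late-loaded on some CPUs, which is exactly the situation the early-load path is meant to avoid.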

~~~
sverige
Apparently the 20180108 version is faulty, so they rolled it back to 20171117.
I have Manjaro on one of my laptops where the auto update mechanism keeps
failing to complete the rollback because the installed version is newer. Good
thing the only thing I use that for is to watch videos.

~~~
cesarb
Luckily for you, the consensus from the kernel developers seems to be that
these firmwares are only problematic if the new anti-Spectre features they
expose to the kernel are actually used. The current upstream kernel doesn't
use them, and the next upstream kernel will have a blacklist of the
problematic firmware versions, so unless your distro patched the kernel to use
these features without the blacklist, you should be safe.

------
trendia
Intel says, "Intel continues to work closely with industry partners to protect
customers against the security exploits disclosed by Google Project Zero."

Linus Torvalds says, "They do literally insane things. They do things that do
not make sense ... The patches do things that are not sane. WHAT THE F*CK IS
GOING ON?"

~~~
viraptor
While Linus is not wrong about the kernel patches, this article is about
microcode updates. Completely different thing.

------
mahrain
It's strange they roll back these updates (microcode and BIOS updates) on all
platforms. My HP Elitebook received a BIOS update after which the Microsoft
PowerShell scripts reported the laptop as Patched (and working normally),
then, last week, a new BIOS update made the laptop vulnerable again.

------
ramshanker
How long before we see an Intel Ad "Natively resistant against Spectre &
Meltdown vulnerability"?

~~~
wmf
I think that goes against the rules of marketing. It's more likely that
they'll brand the fixes as something like Intel® Protected Speculation
Technology™ (PST).

~~~
retSava
Haha, yeah. Checked up on the HP laptop referenced in another HN frontpage
link, and the HP description on size used "thinness", not "thickness" which
everybody on the planet would use, except marketers ;)

(not a native English speaker though, so happy to be corrected)

(edit: spelling)

