Tag Archives: bug bounty

Responding to the Meltdown and Spectre Vulnerabilities

Please scroll down for more updates to this original post.
Earlier in January, updates for Linux, Apple and Windows were made available to work towards addressing the 3 security vulnerabilities collectively known as Meltdown and Spectre.

Why should these vulnerabilities be considered important?
I’ll provide a brief summary of the two categories of vulnerabilities:

Meltdown (CVE-2017-5754): This is the name given to the vulnerability which, when exploited by an attacker, could allow an application running with standard privileges (not root or elevated privileges) to read memory intended to be accessible only by the kernel.

Spectre (Variant 1: CVE-2017-5753; Variant 2: CVE-2017-5715): This is a category of two known vulnerabilities that erode the security boundaries present between applications running on a system. Exploitation can allow the gathering of information from other applications, which could include privileged information e.g. usernames, passwords and encryption keys. This issue can be exploited using a web browser (e.g. Apple Safari, Mozilla Firefox, Google Chrome, Microsoft Edge or IE) by using it to record the current time at very short intervals. An attacker would use these timings to learn which memory addresses were cached (and which weren’t), allowing the attacker to read data belonging to other websites (violating the same-origin policy) or to obtain data from the browser itself.

Browser vendors have responded by reducing the precision of JavaScript timing and making it more unpredictable while other aspects of JavaScript timing (using the SharedArrayBuffer feature) have been disabled.

More in-depth (while still being less technical) descriptions of these issues are available here, here and here.

How can I protect myself from these vulnerabilities?
Since these vulnerabilities are due to the fundamental architecture/design of modern CPUs, it is not possible to fully address them. Instead, a combination of software fixes and microcode updates (defined) is a more viable alternative than re-designing the established architecture of modern CPUs.

In-depth lists of updates available from multiple vendors are available here and here. I would suggest glancing at the affected vendors and, if you own a device/product from them, checking if you are affected by these vulnerabilities. A list of BIOS (defined) updates from multiple vendors is available here. Google Chrome has a Site Isolation mode that can mitigate these vulnerabilities; they will be more comprehensively addressed in Chrome version 64, scheduled for release later this month.

At this time my systems required updates from Google, Mozilla, Microsoft, Apple, VMware, Asus, Lenovo and Nvidia. Many of my existing desktops are unlikely to receive microcode and BIOS updates due to being more than 3 years old. However my Windows 10 laptop has received a BIOS update from the manufacturer.

Are there disadvantages to installing these updates?
While these updates increase security against these vulnerabilities, performance issues and stability issues (on both Intel and AMD systems) after the installation of these updates have been reported. These vary in severity, but according to Intel and Microsoft the updates will be refined/optimised over time.

Benchmarks (for desktops) made available by TechSpot show negligible impact on most tasks that would stress a CPU (defined). However any work that you perform which makes use of large files e.g. databases may be significantly affected by the performance impact these updates have when accessing files on disk (mechanical and solid state). For laptops the slowdown was felt across almost all workload types. Newer and older silicon were inconsistently impacted; at times even some Intel 8th generation CPUs were impacted more than 5th generation CPUs.

Details of the anticipated performance impact for Linux, Apple macOS (and iOS) and Windows are linked to. Further reports of reduced performance from Intel and Apple devices have also been recorded. Further details of a feature known as PCID (Process-Context Identifiers) within more recent CPUs, which will help reduce the performance impact, are provided here. For Intel CPUs, 4th generation Core CPUs and later should include it, but any CPU manufactured after 2011 should have it (one of my CPUs, a Core i7 2600K, has this feature, verified using Sysinternals Coreinfo). A full list of Intel CPUs affected by these vulnerabilities is here.

With the widely reported stability and performance issues present, it is your decision whether you install the necessary updates now or wait until further refinements are available. If you experience issues, please report them to the manufacturers where possible and within online forums if not. More refined updates will only be created if a need to do so is established.

I’m in the process of updating my systems but will benchmark them before and after each update to determine the impact and make a longer term decision to keep the updates or uninstall them until further versions become available. I’ll update this post as I gather more results.

Update: 16th January 2018:
A newly released free utility from Gibson Research (the same website/author as the well-known ShieldsUp firewall tester) named InSpectre can check if your Windows system has been patched against Meltdown and Spectre and can give an indication of how much the performance of your system will be affected by installing and enabling the Windows and/or the BIOS updates.

Please note: I haven’t tried this utility yet but will this weekend (it will help with the tests I’m carrying out, mentioned above). I’ll update this post when I have tried out this utility.

Thanks again.

Update: 24th January 2018:
As promised, I gathered some early results from a selection of CPUs, and the results for all but the most recent CPUs indicate they will experience a potentially noticeable performance drop:

CPUs supporting PCID (obtained using Sysinternals Coreinfo):
Intel Core i7 Extreme 980X @ 3.33 GHz
Intel Core i7 2600K @ 3.8 GHz
Intel Core i5 4590T @ 3.3 GHz
Intel Core i7 6500U (laptop CPU) @ 2.5 GHz

CPUs supporting INVPCID (obtained using Sysinternals Coreinfo):
Intel Core i5 4590T @ 3.3 GHz
Intel Core i7 6500U (laptop CPU) @ 2.5 GHz

Explanations of the purpose and relevance of the PCID and INVPCID CPU instructions are available from this Ars Technica article. The results from InSpectre only show positive results when both PCID and INVPCID are present, backing up the observations in the Ars Technica article linked above (that the updates take advantage of the performance advantages of these instructions only when both are present).
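Coreinfo and InSpectre read these flags from the CPUID instruction. The following added example (not from the original post or from either tool) decodes the same feature bits directly, so a practitioner can check a fleet of machines for the PCID/INVPCID pair that enables the faster Meltdown mitigation path, and for the IBRS/IBPB and STIBP bits that only appear once a Spectre variant 2 microcode update is loaded. Bit positions are taken from Intel’s CPUID documentation; the “fast path needs both PCID and INVPCID” rule reflects the InSpectre observation above, and the helper is built for GCC/Clang on x86.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Feature bits relevant to the Meltdown/Spectre mitigations, decoded from
 * CPUID leaf 1 and leaf 7 (sub-leaf 0) as documented by Intel. */
typedef struct {
    int pcid;       /* CPUID.01H:ECX[17]     - Process-Context Identifiers   */
    int invpcid;    /* CPUID.(07H,0):EBX[10] - INVPCID instruction           */
    int ibrs_ibpb;  /* CPUID.(07H,0):EDX[26] - Spectre v2 microcode controls */
    int stibp;      /* CPUID.(07H,0):EDX[27] - Single Thread Indirect Branch */
    int arch_cap;   /* CPUID.(07H,0):EDX[29] - IA32_ARCH_CAPABILITIES MSR    */
} cpu_mitigation_features;

/* Pure decoder over raw register values, so it can be exercised with
 * constructed inputs as well as with live CPUID output. */
cpu_mitigation_features decode_features(uint32_t leaf1_ecx,
                                        uint32_t leaf7_ebx,
                                        uint32_t leaf7_edx)
{
    cpu_mitigation_features f;
    f.pcid      = (leaf1_ecx >> 17) & 1u;
    f.invpcid   = (leaf7_ebx >> 10) & 1u;
    f.ibrs_ibpb = (leaf7_edx >> 26) & 1u;
    f.stibp     = (leaf7_edx >> 27) & 1u;
    f.arch_cap  = (leaf7_edx >> 29) & 1u;
    return f;
}

/* The low-overhead kernel page-table isolation path needs BOTH instructions,
 * matching the InSpectre results quoted in the post. */
int supports_fast_meltdown_mitigation(const cpu_mitigation_features *f)
{
    return f->pcid && f->invpcid;
}

/* Query the running CPU. Returns 0 on non-x86 builds or if leaf 7 is absent
 * (very old parts), in which case *out is left untouched. */
int read_cpu_features(cpu_mitigation_features *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid_max(0, NULL) < 7) return 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return 0;
    uint32_t leaf1_ecx = ecx;
    __cpuid_count(7, 0, eax, ebx, ecx, edx);
    *out = decode_features(leaf1_ecx, ebx, edx);
    return 1;
#else
    (void)out;
    return 0;
#endif
}

int main(void)
{
    cpu_mitigation_features f;
    if (!read_cpu_features(&f)) {
        puts("CPUID leaf 7 unavailable (or not an x86 build)");
        return 1;
    }
    printf("PCID=%d INVPCID=%d IBRS/IBPB=%d STIBP=%d ARCH_CAPABILITIES=%d\n",
           f.pcid, f.invpcid, f.ibrs_ibpb, f.stibp, f.arch_cap);
    printf("Fast Meltdown (PTI) path: %s\n",
           supports_fast_meltdown_mitigation(&f) ? "yes" : "no (expect a larger slowdown)");
    printf("Spectre v2 microcode controls: %s\n",
           f.ibrs_ibpb ? "present" : "absent (microcode/BIOS update not loaded)");
    return 0;
}
```

An absent IBRS/IBPB bit on a CPU that Intel lists as supported usually means the BIOS or OS microcode update has not been applied yet; on the families Intel has declined to update it will stay absent.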

The results from InSpectre back up these findings by stating that the 980X and 2600K will not deliver high performance protection from Meltdown or Spectre. Since my PCs are mainly used for more CPU intensive tasks (rather than disk intensive) e.g. games and Folding@Home, I still don’t expect too much of a performance decrease. The older CPUs are due for replacement.

You may ask, “why am I so concerned with the performance impact of these updates?” The answer is that significant time and investment has been made into the above systems for them to perform at peak performance for the tasks I use them for. Performance and security are both very important to me and I believe there should only be a small trade-off in performance for better security.

My next step will be to benchmark the CPU, hard disk and GPU of each system before and after installing each update. I will initially do this for the 6500U and 2600K systems and provide these results. The categories of updates are listed below. I will keep you informed of my findings.

Thank you.
Update 1: Software updates from Microsoft for Meltdown and Spectre
Update 2: Firmware update (where available)
Update 3: Nvidia / AMD GPU driver update

Update: 13th February 2018:
Sorry for the long delay (I was travelling again for my work). The above benchmarking is now taking place and I will make the results available as soon as possible. Thanks for your understanding.

Update: 27th February 2018
Earlier last week Intel made available further microcode updates for more CPUs. These updates seek to address variant 2 of the Spectre vulnerability (CVE-2017-5715). Updates are now available for the CPUs listed below:

  • Kaby Lake (Intel 7th Generation Core CPUs)
  • Coffee Lake (Intel 8th Generation Core CPUs)
  • Further Skylake CPUs (Intel 6th Generation Core CPUs)
  • Intel Core X series (Intel Core i9 CPUs e.g. in the 7900 and 7800 model range)
  • Intel Xeon Scalable (primarily targeted at data centres)
  • Intel Xeon D (primarily targeted at data centres)

As before, please refer to the manufacturer of your system (for servers, desktops and laptops) or the motherboard manufacturer (for any custom-built systems you may have) to determine if these updates have been made available for your specific systems. Further information for corporate system administrators containing details of the patching process is available within this link (PDF).

Information on the patches now available for OpenBSD and FreeBSD is located within the following links:

OpenBSD mailing list
The Register: OpenBSD Patch now Available

FreeBSD Wiki
Softpedia: Spectre and Meltdown mitigations now available

Update: 1st April 2018
As vendors have responded to these vulnerabilities, updates have been released for many products. I will describe these updates in more detail below. Apologies if I have omitted any; this isn’t intentional, but the list below should still be useful to you:

Google ChromeOS:
Following the release of ChromeOS 64 in February which provided updates against the Meltdown and Spectre vulnerabilities, ChromeOS 65 includes further mitigations against these vulnerabilities including the more efficient Retpoline mitigation for Spectre variant 2.

Sony Xperia:
In late February Sony made available updates which include mitigations for Meltdown and Spectre for their Xperia X and Xperia X Compact phones, bringing the build number to 34.4.A.2.19.

Microsoft Issues Microcode Updates:
As previously mentioned when this blog post was first published, the updates for the Meltdown and Spectre vulnerabilities are made up of software updates, microcode updates, firmware (BIOS) updates and GPU drivers.

Updating the firmware of a computer system is very device-specific and potentially error prone (if you apply the wrong update to your device it can render it useless, meaning it will need to be repaired/replaced, which is not always possible). Because of this complexity, Microsoft in early March began to issue microcode driver updates (as VMware describes, these can be used as substitutes for firmware updates). Microcode updates have been issued in the past to address CPU reliability issues when used with Windows.

Intel Firmware Updates:
As with the previous microcode updates issued by Intel in late February, these updates seek to resolve variant 2 of the Spectre vulnerability (CVE-2017-5715).

While Intel has issued these updates, they will be made available separately by the manufacturer of your system (for servers, desktops and laptops) or the motherboard manufacturer (for any custom-built systems you may have). You will have to determine from the updates those vendors issue whether they are available for the products that you own.

Unfortunately not all systems will receive these updates. For example, my most recently assembled system dates from 2014 and has not received any updates from the vendor, although the vendor has issued updates for its more recent motherboards. Only my 2016 laptop was updated. This means that for me, replacing the systems gradually is the only means of addressing variant 2 of the Spectre vulnerability.

Intel’s updates are for the Broadwell (5th generation CPUs, i.e. 5000 series) and Haswell (4th generation CPUs, i.e. 4000 series) families.

Microsoft Surface Pro:
Earlier this week Microsoft released firmware updates for their Surface Pro which mitigate the Meltdown and Spectre vulnerabilities. This link provides further details and how to install the updates.

Microsoft Issues Further Security Update on the 29th March:
As noted in my separate post, please refer to that post for details of a security update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit that resolves a regression (an unintentional coding error resulting in a previously working software feature no longer working; alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of those Windows versions.

Microsoft Offers Bug Bounty for Meltdown and Spectre vulnerabilities:
Microsoft have announced bug bounties from $5000 to $250,000 for security researchers who can locate and provide details of exploits for these vulnerabilities on Windows, Azure and Microsoft Edge.

If such a programme is successful it could prevent another instance of needing to patch further related vulnerabilities after the issues have been publicly disclosed (defined). This is sure to assist the system administrators of large organisations who are currently in the process of deploying the existing updates, or who may be testing systems on a phased basis to ensure performance is not compromised too much.

Further details are available from this link.

Update: 6th April 2018
Earlier this week, Intel issued a further progress update for the deployment of further microcode for their CPUs.

A further 5 families of CPUs have now completed testing and microcode updates are available. These families are:

    • Arrandale
    • Clarkdale
    • Lynnfield
    • Nehalem
    • Westmere

However a further 9 families will not receive such updates. Intel gives the following reasons:

  • Micro-architectural characteristics that preclude a practical implementation of features mitigating [Spectre] Variant 2 (CVE-2017-5715)
  • Limited Commercially Available System Software support
  • Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.

Those families are:

  • Bloomfield
  • Clarksfield
  • Gulftown
  • Harpertown Xeon
  • Jasper Forest
  • Penryn
  • SoFIA 3GR
  • Wolfdale
  • Yorkfield

This announcement from Intel means my Intel Core i7 Extreme 980X (from 2010) won’t receive an update. This system isn’t used very much on the internet and so the impact is limited. I am hoping to replace this system in the near future too.

Please review the updated PDF made available by Intel (I can upload the PDF to this blog if Intel places it behind an account which requires sign in; at this time the PDF link still works).

As before, please monitor the websites of the manufacturer of your system (for servers, desktops and laptops) or the motherboard manufacturer (for any custom-built systems you may have) to determine if these updates have been made available for your specific systems.

Thank you.

BranchScope Vulnerability Disclosed:
In a related story, four security researchers from different universities responsibly disclosed (defined) a new side channel attack affecting Intel CPUs. This attack has the potential to obtain sensitive information from vulnerable systems (a similar outcome to that of the existing Meltdown and Spectre vulnerabilities).

Further details of this attack, named “BranchScope”, are available in this Softpedia article and this paper from the researchers. Within the above article Intel responded to this attack, stating that this vulnerability is similar to known side channel attacks and that existing software mitigations (defined) are effective against it. Their precise wording is provided below.

Thank you.

An Intel spokesperson has provided the following statement:

“We have been working with these researchers and have determined the method they describe is similar to previously known side channel exploits. We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper. We believe close partnership with the research community is one of the best ways to protect customers and their data, and we are appreciative of the work from these researchers.”

Update: 13th April 2018
AMD have issued microcode (defined) updates for Windows 10 Version 1709 to enhance the protection of their customers against variant 2 (CVE-2017-5715) of the Spectre vulnerability. Further details of these updates are available within these KB articles: KB4093112 and KB3073119.

Thank you.

Malwarebytes Releases Security Update For Consumer Products

As originally discussed in a previous blog post, Malwarebytes last Friday made available a security update for their Anti-Malware product used by consumers. The update brings it to version 2.2.1.

While Malwarebytes originally mentioned that the product’s client had more than one vulnerability, the release notes of v2.2.1 only mention one vulnerability being resolved.

In order to resolve the reported vulnerability (or vulnerabilities), please install the updated version of Malwarebytes Anti-Malware (available from the above v2.2.1 link) as soon as possible. Automatic upgrades will take place later this week.

Thank you.

Malwarebytes Announces Upcoming Security Update / Bug Bounty Programme

Update: 20th March 2016:
A more recent blog post provides details of the now released security update.

Thank you.

Original Post
On Wednesday of last week the anti-malware organization Malwarebytes published a blog post to inform its customers that they are working to resolve several security vulnerabilities responsibly disclosed (defined) to them.

The well-known Google security researcher Tavis Ormandy disclosed these issues to them in November 2015. Malwarebytes is currently working to have an updated version of its anti-malware product, version 2.2.1, available in the next 3 to 4 weeks.

If you are a Malwarebytes business or consumer customer, or make use of their free anti-malware software, please monitor the Malwarebytes blog for announcements, as well as continuing to keep your Malwarebytes product up to date in order to be protected against these security issues. Users of the Premium version of Malwarebytes can enable self-protection to mitigate (protect against) these issues until the appropriate update is made available. Further details of how to enable this security feature are available here.

Malwarebytes also took the opportunity within the above mentioned blog post to announce their Bug Bounty program. This should ensure that such vulnerabilities are disclosed and resolved sooner in the future. Further details of their bug bounty program are available here.

I will update this post when version 2.2.1 of Malwarebytes is made available.

Thank you.

Microsoft Extends Bug Bounty Program to ASP.NET and .NET Core

In late October Microsoft extended its Bug Bounty to cover security vulnerabilities within its Core CLR (Common Language Runtime), the execution engine for .NET Core, and ASP.NET (both technologies are open source and currently in late beta testing). These technologies are used to build web applications and in the implementation of websites.

As with previous bug bounties security researchers will be rewarded financially for discovering and responsibly disclosing (defined) these flaws to Microsoft. Their submissions need to include both a functioning exploit and a high quality white-paper. The newly extended bounty program which includes the above mentioned technologies will run from the 20th of October 2015 until the 20th of January 2016.

I’m very pleased to see that Microsoft continues to extend their bug bounty program to include the fundamental frameworks used to create web apps and websites. Any successful submissions will not only benefit the researchers but all of the customers who use and will use these technologies in the future.

Bounties for Online Services, Microsoft Edge and the Internet Explorer 11 Technical Preview have been paid out in the past, illustrating the success of such programs, which benefit everyone.

Further details of the bug bounty programme for ASP.NET and .NET Core are available within the following links:

Microsoft Bounty Programs Expansion – .NET Core and ASP.NET Beta Bounty
Microsoft Bounty Programs
Microsoft CoreCLR and ASP.NET 5 Beta Bug Bounty Program Terms

Thank you.

Microsoft Announces Edge (formerly Spartan) Bug Bounty

Following on from the success of the bug bounty program for Internet Explorer (IE) 11 in 2013, Microsoft has now created a bug bounty for its upcoming web browser, Spartan, to be bundled with Windows 10.

The Project Spartan bug bounty programme will last for 2 months (this is double the length that the bounty programme for Internet Explorer 11 lasted). Further details of the success of the IE 11 bug bounty programme are provided in this blog post.

I’m very excited about this bug bounty since the IE 11 bug bounty made an excellent, worthwhile impact in 2013, and earlier this year flaws found in IE’s newest defenses were demonstrated to Microsoft, earning a group of three researchers $125,000. I really hope that flaws are found since, as with the Pwn2Own competition, any flaws found will make a widely used application more secure for all of its users. I will provide details of any flaws found on this blog.

Aside: What is Spartan and why does it matter?

Update: 30th April 2015: Microsoft confirmed yesterday that Edge is the new name of its browser for Windows 10.

Spartan (this is a code name; its final name has not yet been announced) will replace Internet Explorer 11 as the default web browser of Windows 10 for all but enterprise customers who wish to use legacy web applications or internal websites that rely on functionality only available in Internet Explorer 8 and older IE versions. Spartan may receive its final name at the upcoming Build conference next week, but this is uncertain right now.

For non-enterprise customers Spartan will be the default, lightweight and standards compliant web browser that is set to be used by the vast majority of people who upgrade to Windows 10 (assuming they choose Spartan over alternatives such as Mozilla Firefox, Google Chrome, Opera etc.). For the first time in many years code has been removed from Microsoft’s web browser to remove features that are no longer needed e.g. document modes, VBScript to name but a few. Further details on the changes made to the rendering engine and how IE will be available for enterprise customers are available in two separate blog posts, here and here.

Update: 8th May 2015:
Microsoft have provided more details in a blog post of the changes being made to the rendering engine of Edge, the features being removed (with explanations of why they are no longer needed) as well as detailing how many lines of code have been removed.

While Spartan will replace IE, IE will still be with us for quite some time to come; however, only more recent versions are set to still receive security updates as of January 2016 (most systems will run IE 9 or later). With the scheduled end of support for Windows Server 2003 in July 2015, IE 6 will no longer receive security updates (without a paid-for custom support agreement with Microsoft). If IE 11 receives the standard 10 years of support (5 standard + 5 extended support), IE 11 will be with us until late in 2023.

Further details on the changes to the versions of IE that will be supported in January 2016 can be found within the following link:

Microsoft slashes IE support, sets ‘huge’ edict for Jan. 2016

Update: 10th November 2015:
The honor roll for Microsoft Edge and Internet Explorer 11 (while they were both in their Technical Preview stages) has been updated to include a large number of security researchers who successfully submitted bugs in 2013 and 2015. By doing so they make every person using these widely used browsers more secure. Their work is much appreciated. Very well done to them!

Thank you.