News Posts matching #Meltdown

Microsoft Issues Update to Rollback Intel Spectre, Meltdown Problematic Patches

Multiple reports pinned some issues on Intel's rapid-fire microcode and software response to the Spectre and Meltdown vulnerabilities, with Intel itself coming forward, admitting to the problems' existence, and urging users not to perform said updates. However, Intel's press release wasn't very clear on whether or not users would be able to roll back changes in order to recover their machines' stability. Microsoft has taken the matter into its own hands, via an out-of-band update for Windows, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 - "Branch target injection vulnerability."

In Microsoft's testing, this particular update is the one that the company has found to be associated the most with stability issues on host machines, and their out-of-band update seems to mitigate these completely. Microsoft is also adding the possibility for users to either disable or enable the troublesome mitigation themselves, manually, via registry changes. Microsoft seems to have taken the job of cleaning house on themselves, after Intel's apparent hasty move to restore security to systems based on their CPUs.

US Lawmakers to Pull Up Intel, ARM, Microsoft, and Amazon for Spectre Secrecy

In the wake of reports surrounding the secrecy and selective disclosure of information related to the Meltdown and Spectre vulnerabilities leading up to the eventual January 3 public release, US lawmakers are unhappy with leading tech firms Intel, Microsoft, ARM, Apple, and Amazon. The five companies, among a few unnamed others, are being pulled up by a house committee over allegations of selective access to vital information that caught many American companies off guard on January 3rd. Barring a few tech giants, thousands of American companies were unaware of, and hence unprepared for, Meltdown and Spectre until January 3, and are now spending vast resources to overhaul their IT infrastructure at breakneck pace.

In letters such as this one, addressed to CEOs of big tech firms, lawmakers criticized the secrecy and selective disclosure of information to safeguard IT infrastructure, which has left thousands of American companies out in the lurch, having to spend vast amounts of money securing their infrastructure. "While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures," they write.

Intel Warned China of Meltdown and Spectre Before the US Government

It's no surprise that leading Chinese tech companies have close associations with the Chinese Government and the PLA. Intel has waded into controversial waters as reports point to the chipmaker sharing information about its products' vulnerability to Meltdown and Spectre with Chinese tech companies before warning the United States Government, potentially giving the Chinese government either a head-start into securing its IT infrastructure, or exploiting that of a foreign government.

Lenovo and Alibaba were among the first big tech companies to be informed about Meltdown and Spectre; Lenovo is Intel's biggest PC OEM customer, while Alibaba is the world's largest e-commerce platform and cloud-computing service provider. Both companies are known to have close associations with the Chinese government. The United States Government was not part of the first group of companies informed about the deadly vulnerabilities.

Intel Processors to Have "In-silicon" Fixes to Meltdown and Spectre This Year

Intel, which benefited from the post-Q4 public-disclosure of Meltdown and Spectre vulnerabilities in its latest results, is hoping to mitigate its fallout on Q1-2018. The company, along with several other CPU designers, such as AMD and ARM, is firefighting the two devastating security vulnerabilities through OS kernel patches and CPU micro-code updates, which come at a slight expense of performance. In a bid to unnerve investors, company CEO Brian Krzanich announced that Intel is working on "in-silicon" fixes to Meltdown and Spectre.

An "in-silicon" fix would entail a major CPU micro-architecture design that's inherently immune to the two vulnerabilities and yet offers the benefits of modern branch-prediction and speculative execution. Krzanich says processors with in-silicon fixes to the two vulnerabilities will be released to market by the end of 2018.

Intel's Patch for Meltdown, Spectre "Complete and Utter Garbage:" Linus Torvalds

Linus Torvalds, creator of Linux, the most popular datacenter operating system, proclaimed Intel's patches for the recent Meltdown and Spectre CPU vulnerabilities "complete and utter garbage." Torvalds continues to work on the innermost code of Linux, and has been closely associated with kernel patches that are supposed to work in conjunction with updated CPU microcode to mitigate the two vulnerabilities that threaten to severely compromise security of data-centers and cloud-computing service providers.

Torvalds, in a heated public e-mail thread with David Woodhouse, an Amazon engineer based out of the UK, called Intel's fix "insane" and questioned the intent behind making the patch "toggle-able" (any admin can disable the patch to a seemingly cataclysmic vulnerability, which can bring down a Fortune 500 company). Torvalds also takes issue with redundant fixes to vulnerabilities already patched by Google Project Zero's "retpoline" technique. Later down in the thread, Woodhouse admits that there's no good reason for Intel's patches to be an "opt-in." Intel commented on this exchange with a vanilla-flavored potato: "We take the feedback of industry partners seriously. We are actively engaging with the Linux community, including Linus, as we seek to work together on solutions."

Intel Announces Root Cause of Meltdown, Spectre Patch Reboot Issue Identified

Intel has finally come around towards reporting on the state of the reboot issues that have been plaguing Intel systems ever since the company started rolling out patches to customers. These patches, which aimed to mitigate security vulnerabilities present in Intel's chips, ended up causing a whole slew of other problems for Intel CPU deployment managers. As a result of Intel's investigation, the company has ascertained that there were, in fact, problems with the patch implementation, and is now changing its guidelines: where before users were encouraged to apply any issued updates as soon as possible, the company now states that "OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior." A full transcription of the Intel press release follows.

Skyfall and Solace Could be the First Attacks Based on Meltdown and Spectre?

Out of the blue, a website popped up titled "Skyfall and Solace," which describes itself as two of the first attacks that exploit the Spectre and Meltdown vulnerabilities (it doesn't detail which attack exploits what vulnerability). A whois lookup reveals that the person(s) behind this website may not be the same one(s) behind the Spectre and Meltdown website. The elephant in the room, of course, is that the two attacks are named after "James Bond" films "Skyfall" and "Quantum of Solace." The website's only piece of text ends with "Full details are still under embargo and will be published soon when chip manufacturers and Operating System vendors have prepared patches," and that one should "watch this space for more." We doubt the credibility of this threat. Anyone who has designed attacks that exploit known vulnerabilities won't enter embargoes with "chip manufacturers and operating system vendors" who have already developed mitigations for the vulnerabilities.

AMD Is Served: Class Action Lawsuit Launched Over Spectre Vulnerabilities

Despite the brunt of the media's attention and overall customer rage having been thrown largely at Intel, AMD hasn't moved past the Spectre/Meltdown... well, meltdown, unscathed. News has surfaced that at least two law firms have announced their intention of filing a class action lawsuit against AMD, accusing the company of not having disclosed their products' Spectre vulnerability, despite knowledge of said vulnerabilities.

AMD stated loud and clear that their processors weren't affected by the Meltdown flaw. However, regarding Spectre, AMD's terms weren't as clear cut. The company stated that its CPUs were vulnerable to the Spectre 1 flaw (patchable at an OS level), but said that vulnerability to Spectre 2's variant had "near-zero risk of exploitation". At the same time, the company also said that "GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors", adding that "While we believe that AMD's processor architectures make it difficult to exploit Variant 2, we continue to work closely with the industry on this threat."

BSODs from Meltdown and Spectre Firmware Updates Are Spreading Like the Plague

Have you ever taken your car to the mechanic shop to fix one thing, only to end up with another one broken? Well, that's how Intel CPU owners are feeling right now. Intel previously confirmed that their Meltdown and Spectre firmware updates are causing irritating reboots on systems with Broadwell and Haswell processors. After analyzing the latest customer reports, they are acknowledging that the updates are also causing BSODs on the Kaby Lake, Skylake, Ivy Bridge, and Sandy Bridge platforms. This shouldn't come as a shocker considering how both the Meltdown and Spectre exploits affect Intel processors from the past 20 years. The possibility of all platforms suffering from the same side effects is extremely high. Fear not, though, as Intel is already working on an updated microcode to fix the constant system reboots. Motherboard vendors should have the beta microcode for validation by next week. Expect a new BIOS revision for your motherboard soon.

Adding Insult to Injury: Fake Spectre, Meltdown Patch Pushes Malware to Users

A Malwarebytes report calls attention to the latest occurrence in the inevitable trend that ensues when a particular security vulnerability is given coverage by the media. As users' attention to the vulnerability is heightened, so is their search for a solution, for a way to reduce the risk of exposure. Hence, users search for patches; and hence, some fake patches surface that take advantage of the more distracted, or less informed, of those who really just want to be left at peace.

Case in point: Malwarebytes has identified a recently-registered domain that is particularly targeting German users (remember: you can be next; it's just a matter of Google translating the page for it to be targeting you as well). The website is offering an information page with various links to external resources about Meltdown and Spectre and how it affects processors, and is affiliated with the German Federal Office for Information Security (BSI) - all good, right?

InSpectre Tool Determines Whether Your PC is Vulnerable to Meltdown and Spectre

During the whole Meltdown and Spectre turmoil, Microsoft released a PowerShell script that lets users assess their system to determine whether it's properly protected against the two CPU exploits. To say that Microsoft's method is non-intuitive is an understatement though. Their procedure involves punching in several lines of commands into the PowerShell prompt only to be presented with an end result of mumbo jumbo. For users who fancy a more straightforward approach, InSpectre might be exactly what the doctor ordered. InSpectre is a small tool designed by none other than famous software engineer Steve Gibson to automate Microsoft's time-consuming procedure in a single click. It also provides results that even non-tech-savvy users can comprehend. However, InSpectre not only scans the user's system but also allows them to enable or disable the Meltdown and Spectre protections.

AMD Confirms They are Affected by Spectre, too

The public disclosure on January 3rd that multiple research teams had discovered security issues related to how modern microprocessors handle speculative execution has brought to the forefront the constant vigilance needed to protect and secure data. These threats seek to circumvent the microprocessor architecture controls that preserve secure data.

At AMD, security is our top priority and we are continually working to ensure the safety of our users as new risks arise. As a part of that vigilance, I wanted to update the community on our actions to address the situation.

Intel AMT Security Issue Lets Attackers Bypass Login Credentials

F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel's Active Management Technology (AMT) and potentially affects millions of laptops globally.

The security issue "is almost deceptively simple to exploit, but it has incredible destructive potential," said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. "In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures."

Intel Releases CPU Benchmarks with Meltdown and Spectre Mitigations

It's safe to say that there's one thing that you don't mess around with, and that's performance. Enthusiasts don't spend hundreds of dollars on a processor to watch it underperform. Given the complicated nature of the Meltdown and Spectre vulnerabilities, Microsoft's so-called mitigations were bound to have an impact on processor performance. The million dollar question was: Just how much? The initial estimate was somewhere around 30%, but Intel, being optimistic as usual, expected the performance impact to be insignificant for the average user. They recently provided some preliminary benchmark results that looked quite convincing too. Well, let's take a look at their findings, shall we?

Intel measured the mitigations' impact on CPU performance using their 6th, 7th, and 8th Generation Intel Core processors, more specifically the i7-6700K, i7-7920HQ, i7-8650U, and i7-8700K. The preferred operating system used in the majority of the benchmarks was Windows 10; however, Windows 7 also made a brief appearance. Intel chose four key benchmarks for their testing. SYSmark 2014 SE evaluated CPU performance on an enterprise level simulating office productivity, data and financial analysis, and media creation. PC Mark 10, on the other hand, tested performance in real-world usage employing different workloads like web browsing, video conferencing, application start-up time, spreadsheets, writing, and digital content creation. 3DMark Sky Diver assessed CPU performance in a DirectX 11 gaming scenario. Lastly, WebXPRT 2015 measured system performance using six HTML5- and JavaScript-based workloads which include photo enhancement, organize album, stock option pricing, local notes, sales graphs, and explore DNA sequencing.

Intel Chip Flaw Meltdown Prompts Company Reorganization, Internal Security Group

Intel CEO Brian Krzanich announced on Monday to the company's employees that, as part of its continued push towards better communication and consideration of its customers, the creation of a new internal group was necessary. The move comes after considerable media and tech industry turmoil after news broke out on Intel's 10-year product stack being almost completely vulnerable to some specific exploits. The Intel Product Assurance and Security group will be headed by Intel HR chief Leslie Culbertson, who will have on her team the former Vice President and General manager of Intel's New Technology Group, Josh Walden, who was, alongside Steve Smith, Intel Vice President and General Manager of its Data Center Engineering group, pulled from his current functions to work under Culbertson.

"It is critical that we continue to work with the industry, to excel at customer satisfaction, to act with uncompromising integrity, and to achieve the highest standards of excellences," Krzanich told employees in a memo Monday, obtained by The Oregonian/OregonLive. "Simply put, I want to ensure we continue to respond appropriately, diligently, and with a customer-first attitude."

Microsoft Halts Meltdown-Spectre Patches to AMD PCs as Some Turn Unbootable

Microsoft late-Monday halted Meltdown and Spectre security patches to machines running AMD processors, as complaints of machines turning unbootable piled up. Apparently the latest KB4056892 (2018-01) Cumulative Update causes machines with AMD processors (well, chipsets) to refuse to boot. Microsoft has halted distributing patches to PCs running AMD processors, and issued a statement on the matter. In this statement, Microsoft blames AMD for not supplying its engineers with the right documentation to develop their patches (while absolving itself of any blame for not testing its patches on actual AMD-powered machines before releasing them).

"Microsoft has reports of customers with some AMD devices getting into an unbootable state after installing recent Windows operating system security updates," said Microsoft in its statement. "After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown," it added. Microsoft is working with AMD to re-develop, test, and release security updates, on the double.

Update (09/01): AMD responded to this story; its statement, posted verbatim, is as follows.

NVIDIA GeForce 390.65 Driver with Spectre Fix Benchmarked in 21 Games

The Meltdown and Spectre vulnerabilities have been making many headlines lately. So far, security researchers have identified three variants. Variant 1 (CVE-2017-5753) and Variant 2 (CVE-2017-5715) are Spectre, while Variant 3 (CVE-2017-5754) is Meltdown. According to their security bulletin, NVIDIA has no reason to believe that their display driver is affected by Variant 3. In order to strengthen security against Variant 1 and 2, the company released their GeForce 390.65 driver earlier today, so NVIDIA graphics card owners can sleep better at night.

Experience tells us that some software patches come with performance hits, whether we like it or not. We were more than eager to find out if this was the case with NVIDIA's latest GeForce 390.65 driver. Therefore, we took to the task of benchmarking this revision against the previous GeForce 388.71 driver in 21 different games at the 1080p, 1440p, and 4K resolutions. We even threw in an Ethereum mining test for good measure. Our test system is powered by an Intel Core i7-8700K processor overclocked to 4.8 GHz, paired with G.Skill Trident-Z 3866 MHz 16 GB memory on an ASUS Maximus X Hero motherboard. We're running the latest BIOS, which includes fixes for Spectre, and Windows 10 64-bit with Fall Creators Update, fully updated, which includes the KB4056891 Meltdown Fix.

RISC-V Foundation Issues Statement on Spectre, Meltdown Exploits

Recent articles in the media have raised awareness around the processor security vulnerabilities named Meltdown and Spectre. These vulnerabilities are particularly troubling as they are not due to a bug in a particular processor implementation, but are a consequence of the widespread technique of speculative execution. Many generations of processors with different ISAs and from several different manufacturers are susceptible to the attacks, which exploit the fact that instructions speculatively executed on incorrectly predicted code paths can leave observable changes in micro-architectural state even though the instructions' architectural state changes will be undone once the branch prediction is found incorrect. No announced RISC-V silicon is susceptible, and the popular open-source RISC-V Rocket processor is unaffected as it does not perform memory accesses speculatively.

Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown

By the time Intel launched its 8th generation Core "Coffee Lake" desktop processor family (September 25, 2017, with October 5 availability), the company was fully aware that the product it was releasing was vulnerable to the three vulnerabilities plaguing its processors today, the two more publicized of which are "Spectre" and "Meltdown." Google Project Zero teams published their findings on three key vulnerabilities, Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754), in mid-2017, shared with hardware manufacturers under embargo, well before Intel launched "Coffee Lake." Their findings were made public on January 3, 2018.

Intel's engineers would have had sufficient time to understand the severity of the vulnerability, as "Coffee Lake" is essentially the same micro-architecture as "Kaby Lake" and "Skylake." As one security researcher puts it, this could affect Intel's liability when 8th generation Core processor customers decide on a class-action lawsuit. As if that wasn't bad enough, "Skylake" and later micro-architectures could require micro-code updates in addition to OS kernel patches to work around the vulnerabilities. The three micro-architectures are expected to face a performance hit, despite Intel extracting colorful statements from its main cloud-computing customers that performance isn't affected "in the real-world." The company was also well aware of Spectre and Meltdown before its CEO dumped $22 million in company stock and options (while investors and the SEC were unaware of the vulnerabilities).

Intel Issues Updates to Protect Systems From Security Exploits

Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems -- including personal computers and servers -- that render those systems immune from both exploits (referred to as "Spectre" and "Meltdown") reported by Google Project Zero. Intel and its partners have made significant progress in deploying updates as both software patches and firmware updates.

Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.