Close

Register Now!

To Get More Info and Daily Reward.

Please login or register.
Pages: [1] 2 3 ... 5   Go Down

Author Topic: Meltdown and Spectre patch Mitigations  (Read 38406 times)

0 Members and 2 Guests are viewing this topic.

iced107Topic starter

  • CORPORAL
  • ****
  • Offline Offline
  • Posts: 13

MSI,

Is there a plan to release firmware or bios updates to assist in mitigating the Meltdown and Spectre attacks that have come out recently, which affects all modern day processors since '95.

https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/
https://spectreattack.com/
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002#ID0EMGAC

I assume your security team is already aware of this since this has been huge news lately.  MIcrosoft is pushing out mitigations for their browsers and OS's as well as other vendors as well, but I haven't seen MSI comment on this yet and the only true way to mitigate this attack is by patching. Additionally making things harder is the fact that Spectre can be exploited remotely via javascript in browsers, and there are no ways to detect the attack. Firmware, bios, browser, and OS updates seems to be the best way to mitigate, but all of them have to be updated.

Appreciate any feedback.

Thanks
Logged

flobelix

  • MSIHQ Red Rockets Team Member
  • Global Moderator
  • *****
  • Offline Offline
  • Posts: 27159
  • 微星科技
    • Afterburner New Features Introduction | MSI
« Reply #1 on: 04-January-18, 17:55:12 »

Moved to Anything under the sun as bios/firmware can't help. It is a cpu/OS problem. MSI makes neither of both.
Logged
MSI X299 Gaming M7 ACK (MS-7A90) Bios 1.5
Core i7 7820X @ 4200.95 MHz (42 * 100.02 MHz, fixed all cores), 1.088v
Corsair H110 Liquid CPU Cooler
32GB (4 x 8GB) Corsair CMK32GX4M4C3000C15R @ 1500 MHz (DDR4-3000), 15-17-17-35-2t 1.35v
MSI Radeon RX Vega 64 WAVE 8G
256GB Samsung 830 SSD + 2TB Seagate Firecuda SSHD
Corsair HX1200i • +12V: 100A • +3.3V: 30A • +5V: 30A
Windows 10 Pro
Cooler Master Masterbox 5 MSI Edition

iced107Topic starter

  • CORPORAL
  • ****
  • Offline Offline
  • Posts: 13
« Reply #2 on: 04-January-18, 18:03:05 »

That's not entirely correct. Other PC Vendors have released Bios updates

https://www.theverge.com/2018/1/4/16848976/how-to-protect-windows-pc-meltdown-security-flaw

"If you own a Windows-powered PC or laptop, the best thing to do right now is ensure you have the latest Windows 10 updates and BIOS updates from Dell, HP, Lenovo, or one of the many other PC makers."
Logged

flobelix

  • MSIHQ Red Rockets Team Member
  • Global Moderator
  • *****
  • Offline Offline
  • Posts: 27159
  • 微星科技
    • Afterburner New Features Introduction | MSI
« Reply #3 on: 04-January-18, 18:18:28 »

Aha, how do you know other vendors have released bios versions??? Which bios versions are you talking of? What has changed? It is a general advice and a mix up with the Intel ME vulnerability issue which is a different problem already solved in most bios versions. 
Logged
MSI X299 Gaming M7 ACK (MS-7A90) Bios 1.5
Core i7 7820X @ 4200.95 MHz (42 * 100.02 MHz, fixed all cores), 1.088v
Corsair H110 Liquid CPU Cooler
32GB (4 x 8GB) Corsair CMK32GX4M4C3000C15R @ 1500 MHz (DDR4-3000), 15-17-17-35-2t 1.35v
MSI Radeon RX Vega 64 WAVE 8G
256GB Samsung 830 SSD + 2TB Seagate Firecuda SSHD
Corsair HX1200i • +12V: 100A • +3.3V: 30A • +5V: 30A
Windows 10 Pro
Cooler Master Masterbox 5 MSI Edition

negruv1

  • PRIVATE FIRST CLASS
  • ***
  • Offline Offline
  • Posts: 7
« Reply #4 on: 04-January-18, 18:46:02 »

Intel article :
Intel and Its Partners have Made Significant Progress in Deploying Updates as Software Patches and Firmware Updates
Lenovo BIOS update from 27 December specifically mentions CVE-2017-5715, aka "Spectre"
Logged

iced107Topic starter

  • CORPORAL
  • ****
  • Offline Offline
  • Posts: 13
« Reply #5 on: 04-January-18, 19:04:12 »

Dells update

https://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=MXXTN

Enhancements
- Enhancement to address CVE-2017-5715 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715) details to be published January 2018.

Thats one of the spectre CVE's
Logged

sniperdoc

  • PRIVATE FIRST CLASS
  • ***
  • Offline Offline
  • Posts: 9
« Reply #6 on: 04-January-18, 20:08:24 »

Will there be a BIOS update for Intel-based motherboards from MSI regarding these flaws and if so, when will it be available?

For those interested:
https://www.bleepingcomputer.com/news/security/google-almost-all-cpus-since-1995-vulnerable-to-meltdown-and-spectre-flaws/

I suggest any Intel users to go and follow these steps here:
https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe

Microsoft should be putting out an update for Windows soon, if it hasn't already. But, mobo vendors need to be distributing firmware updates to provide complete protection.
Logged

Nichrome

  • Global Moderator
  • *****
  • Offline Offline
  • Posts: 14888
« Reply #7 on: 04-January-18, 20:10:58 »

Please ask MSI: >>How to contact MSI.<<
And don't spread unnecessarily any panic. As far as I can read, the vulnerability was there since 1995, and so far I am fine with all my Intel based systems...
Logged
I only take responsibility for what I say, not for what you understand.  Any posts are my own views!

Nichrome

  • Global Moderator
  • *****
  • Offline Offline
  • Posts: 14888
« Reply #8 on: 04-January-18, 20:15:45 »

That means I should chase Intel to release a fix for my Pentium IV system, right?
I guess we have to expect another tons of panicked users that hasn't been affected since 1995 according to "article".
Logged
I only take responsibility for what I say, not for what you understand.  Any posts are my own views!

sniperdoc

  • PRIVATE FIRST CLASS
  • ***
  • Offline Offline
  • Posts: 9
« Reply #9 on: 04-January-18, 20:16:48 »

Hmmm unnecessary panic. Okay.

Do a little bit more reading before minimizing my post. The flaw has existed, but wasn't known to be possibly exploitable until several university's security researchers wrote papers on it between 2005 and 2017. Azure environment was already being patched 3 months ago and was moved up to critical status by Microsoft as of last night and they have removed the voluntary application window for their customers and started applying fixes immediately.

So, unnecessary panic, no. Critical information and needed fix, yes.

Also, I would love to ask Support directly, but since they need my blood type, first-born, social and genetic code identifier before I can actually create a ticket and I'm not actually at my personal PC to look at all the needed information, I figure it would be easier to address it publicly. This IS a public issue, not just a localized problem.
Logged

flobelix

  • MSIHQ Red Rockets Team Member
  • Global Moderator
  • *****
  • Offline Offline
  • Posts: 27159
  • 微星科技
    • Afterburner New Features Introduction | MSI
« Reply #10 on: 04-January-18, 21:14:13 »

For MSI Support:

>>How to contact MSI.<<

MSI can only be contacted the way already shown. No complaining will change that nor will your posting here speed anything up.
Logged
MSI X299 Gaming M7 ACK (MS-7A90) Bios 1.5
Core i7 7820X @ 4200.95 MHz (42 * 100.02 MHz, fixed all cores), 1.088v
Corsair H110 Liquid CPU Cooler
32GB (4 x 8GB) Corsair CMK32GX4M4C3000C15R @ 1500 MHz (DDR4-3000), 15-17-17-35-2t 1.35v
MSI Radeon RX Vega 64 WAVE 8G
256GB Samsung 830 SSD + 2TB Seagate Firecuda SSHD
Corsair HX1200i • +12V: 100A • +3.3V: 30A • +5V: 30A
Windows 10 Pro
Cooler Master Masterbox 5 MSI Edition

iced107Topic starter

  • CORPORAL
  • ****
  • Offline Offline
  • Posts: 13
« Reply #11 on: 04-January-18, 22:09:18 »

That means I should chase Intel to release a fix for my Pentium IV system, right?
I guess we have to expect another tons of panicked users that hasn't been affected since 1995 according to "article".

Well, considering Intel is planning to patch 90% of their processors that came out in the past 5 years, there is concern to an extent. Data centers and cloud providers like amazon, azure, etc. are going to be at biggest risk to the meltdown attack, while normal or regular pc users are at risk to the spectre attack given its ability to be executed remotely - particularly through javascript.

And there are PoC's out there demonstrating both attacks.

For those interested, SANS had a webinar today covering the attacks. It's pretty good coverage for meltdown, but not so much for spectre.

https://www.sans.org/webcasts/meltdown-spectre-understanding-mitigating-threats-106815

Google's Project Zero team's paper
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

But judging by the responses on here, MSI has no plans to issue BIOS updates. Is that correct?
Logged

weirdwitch

  • PRIVATE E-2
  • **
  • Offline Offline
  • Posts: 3
« Reply #12 on: 05-January-18, 02:16:33 »

It's really disconcerting that moderators here are willing to speak so authoritatively about something they very obviously don't understand.

Genuine question, how do you spend so much time on a forum about computer hardware while understanding nothing about it?
Logged

sniperdoc

  • PRIVATE FIRST CLASS
  • ***
  • Offline Offline
  • Posts: 9
« Reply #13 on: 05-January-18, 02:41:20 »

MSI can only be contacted the way already shown. No complaining will change that nor will your posting here speed anything up.

First off, thank you for the previous moderator putting my (and other similar posts) into a the "this is where threads go to die" area. Much appreciated.
Secondly, nowhere was I complaining. I had a simple question.
Thirdly, I do love how MSI is drowning out legitimate and critical forum posts by placing them in an area just about no one reads.

It has nothing to do with speeding things up, it has nothing to do with complaining. It has everything to do with wanting a solid answer from MSI. The way their ticket system works is by loading the user down with so many required fields that they just give up and don't follow through. ALSO, it keeps all this Spectre and Meltdown talk on the down-low so people won't bug MSI.

I'll make sure to post this publicly on facebook and other social media sites so that people know to question their business with MSI.

Thanks again for nothing.

Just moderators being moderators... I get it... Good ole boy club.
Logged

loomeh

  • PRIVATE E-2
  • **
  • Offline Offline
  • Posts: 2
« Reply #14 on: 05-January-18, 02:49:28 »

weirdwitch I could not agree more.
Logged

sniperdoc

  • PRIVATE FIRST CLASS
  • ***
  • Offline Offline
  • Posts: 9
« Reply #15 on: 05-January-18, 02:56:20 »

It's really disconcerting that moderators here are willing to speak so authoritatively about something they very obviously don't understand.

Genuine question, how do you spend so much time on a forum about computer hardware while understanding nothing about it?
I wanted to say that...

It is VERY obvious they aren't reading the articles and reading the research. Instead, they move these threads from legitimate areas, i.e. Motherboards, and place it in the "graveyard" where this information isn't getting much coverage unless people are searching for it. This information needs to be disseminated not hidden. Shame on the mods.

For those wanting more information and verification if they're protected, please check out my OP: https://forum-en.msi.com/index.php?topic=297718.msg1677014#msg1677014

FYI... I posted the URL for the attached 1st screenshot in my OP and moderators obviously couldn't be bothered with reading. Hopefully my cliff note screenshots helps them understand.

I am putting in a formal complaint with MSI. This is absurd behavior. Especially Nichrome, I already tried educating him, but I see that's pointless since he essentially buried my OP about this and he couldn't give a rats arse about it. "The ego is strong with this one..."

Also, if Nichrome or the other moderator on here actually bothered to read and follow simple directions, they would have seen that Microsoft themselves specifically stated that there will need to be a BIOS/Firmware update (see 2nd screenshot).
Logged

Nichrome

  • Global Moderator
  • *****
  • Offline Offline
  • Posts: 14888
« Reply #16 on: 05-January-18, 08:53:00 »

Educating Nichrome, sounds like a plan for life..
I am aware not everyone likes the way I say things (plain and simple), but please be aware this forum has rules. So >>Please read and comply with the Forum Rules.<<


Today we have received an information from MSI:

-----
The company is well aware of the issue, and where possible, will be releasing a fix for motherboards as soon as possible.
Older chipsets may need more time to wait, as it's up to Intel to release required resources.
No ETA given.
-----
If you'd wish to receive any further info, then you need to contact MSI directly: >>How to contact MSI.<<


Maybe I will point couple things out:
We moderators do not work for MSI or any other large PC company, therefore we have no access to internal information unless provided by our contact. We are users like you (which you should know if you read the forum rules).
We can in no way release a patch for you.
We are aware of the issue, but what can WE do? Users come, users go. Some panic, some don't care. Recently everyone was panicked about Intel ME vulnerability, but I have not heard yet of successful hacker attacks on those specific users.. and patches were released, so all happy at the end.
According to the article the bug was there since 1995, so if hackers were to get your sensitive information, they would have already got it.

Yes, we are all aware of this, and that's all we can do right now. Now it's down to MSI, Intel, Microsoft and probably other companies to patch the issue.

Also, let me fix 1 thing: you are right, thread will be in motherboards section. Merged with other threads about meltdown and spectre.

Edit:
Little side note: MSI already applied the fix to some 300 series motherboards. No ETA again for when it goes public, but seems like pretty soon.
Logged
I only take responsibility for what I say, not for what you understand.  Any posts are my own views!

heather_uk

  • PRIVATE E-2
  • **
  • Offline Offline
  • Posts: 4
« Reply #17 on: 05-January-18, 11:07:01 »

I got a pretty unhelpful reply to my email where I asked "Will you be releasing a bios update for the GT70 2QD for the newly found intel security flaw?"

Their reply:
Quote
Your system isn't supported by Windows 10, and there won't be a Intel Management Engine BIOS update for your system as it only supports Windows 7 and Windows 8 64 bit.

I have no idea what windows 10 has to do with anything, plus I never mentioned the OS in my email.

The flaw affects the processor not the OS.

I have a laptop that is only a few years old and this is the reply I get?!
Logged

Nichrome

  • Global Moderator
  • *****
  • Offline Offline
  • Posts: 14888
« Reply #18 on: 05-January-18, 11:11:37 »


I have a laptop that is only a few years old and this is the reply I get?!
For notebook related questions, including Meltdown and Spectre bug, please post in: >>Notebook section<<
It's a separate department and have different schedules which are not covered in this area.
Logged
I only take responsibility for what I say, not for what you understand.  Any posts are my own views!

heather_uk

  • PRIVATE E-2
  • **
  • Offline Offline
  • Posts: 4
« Reply #19 on: 05-January-18, 11:13:51 »

For notebook related questions, including Meltdown and Spectre bug, please post in: >>Notebook section<<
It's a separate department and have different schedules which are not covered in this area.

Yeah I know but this is an active topic so I just thought I would reply. The notebook section doesn't get many replies, probably because there are pages of pinned topics for some reason.

Plus this thread was posted in another forum first then moved here... It applies to ALL products not just desktops as its a processor security flaw. So technically I am in the right place and the thread has just been moved to the wrong forum...
Logged

flobelix

  • MSIHQ Red Rockets Team Member
  • Global Moderator
  • *****
  • Offline Offline
  • Posts: 27159
  • 微星科技
    • Afterburner New Features Introduction | MSI
« Reply #20 on: 05-January-18, 13:20:48 »

Ask AMD. As MSI needs an Intel firmware for the Intel platform bios there is no way for an AMD platform bios fixing such issues without AMD doing something. As AMD denies a hardware problem MSI can't do anything.
Logged
MSI X299 Gaming M7 ACK (MS-7A90) Bios 1.5
Core i7 7820X @ 4200.95 MHz (42 * 100.02 MHz, fixed all cores), 1.088v
Corsair H110 Liquid CPU Cooler
32GB (4 x 8GB) Corsair CMK32GX4M4C3000C15R @ 1500 MHz (DDR4-3000), 15-17-17-35-2t 1.35v
MSI Radeon RX Vega 64 WAVE 8G
256GB Samsung 830 SSD + 2TB Seagate Firecuda SSHD
Corsair HX1200i • +12V: 100A • +3.3V: 30A • +5V: 30A
Windows 10 Pro
Cooler Master Masterbox 5 MSI Edition

buddyw53

  • STAFF SERGEANT
  • *
  • Offline Offline
  • Posts: 91
« Reply #21 on: 05-January-18, 13:34:24 »

Ask AMD. As MSI needs an Intel firmware for the Intel platform bios there is no way for an AMD platform bios fixing such issues without AMD doing something. As AMD denies a hardware problem MSI can't do anything.
Check the AMD statement: https://www.amd.com/en/corporate/speculative-execution

They say they are affected, although the risk is small and hasn't been demonstrated.  In a world of nation-state supported hackers looking for any way possible to compromise systems there is a very powerful implicit 'YET' subtending a statement like that.  

While I understand there is no 'FIX' for this short of replacing CPU hardware the next best would be the lowest level possible.  Browsers are being patched, OS's will too and that's all OK for a "MITIGATION" but micro-code or BIOS sure seems the next "best" possible.   And since AMD says it will have small impact to performance and that we're to look to our system vendors for updates that suggests to me they'll be providing the necessary updates to them.

I'm running an AMD house and don't really care about Intel's problems.

So what will it be? Can anyone actually ask MSI engineering...or maybe the product line managers...before this spins into a PR debacle?
Logged

Nichrome

  • Global Moderator
  • *****
  • Offline Offline
  • Posts: 14888
« Reply #22 on: 05-January-18, 13:42:42 »

So when will it be? Can anyone actually ask MSI engineering...or maybe the product line managers...before this spins into a PR debacle?
Not sure if you read what I have said previously, as well as what Flobelix said:
If Intel and/or AMD does not release a patch (microcode) for motherboard manufacturers, then what MSI (and Asus, Gigabyte, EVGA etc etc) can patch their BIOS with? They cannot apply a microcode update that they do not have...

So far we know Intel is for sure affected, and therefore Intel takes steps to fix things.
Logged
I only take responsibility for what I say, not for what you understand.  Any posts are my own views!

iced107Topic starter

  • CORPORAL
  • ****
  • Offline Offline
  • Posts: 13
« Reply #23 on: 05-January-18, 14:09:58 »

According to the article the bug was there since 1995, so if hackers were to get your sensitive information, they would have already got it.

You clearly don't understand the difference between it being there and it being disclosed.


I'm glad MSI is going to do something about this. And judging by the responses here from the mods, which clearly shows they do not understand the impact of these exploits or vulnerabilities, I called MSI last night just to get a straight answer. They said they would reach out to corporate and should have a response in the next few days.

Let me be absolutely clear - if you want to choose to operate a product that is vulnerable to an attack, that is your prerogative. However, the rest of us, want to secure our computers. To mitigate these attacks, patches are required on the hardware, software, and bios levels. There is no way around this. And seeing as how the Spectre attack can be weaponized via javascripts in browsers, its extremely realistic to expect these attacks to show up in exploit kits in the near future.

Coming off as arrogant and condescending does nothing to help your cause in this cause, and only makes you look even worse to the rest of us who have been researching this attack. I personally am glad you do not work for MSI in any capacity, because you sure would be giving their public relations a black eye.
Logged

iced107Topic starter

  • CORPORAL
  • ****
  • Offline Offline
  • Posts: 13
« Reply #24 on: 05-January-18, 14:14:13 »

Ask AMD. As MSI needs an Intel firmware for the Intel platform bios there is no way for an AMD platform bios fixing such issues without AMD doing something. As AMD denies a hardware problem MSI can't do anything.


Spectre effects ALL processors * INCLUDING AMD AND ARM *

Meltdown is only confirmed to affect Intel, as noted by the researchers in their white paper. 

https://meltdownattack.com/meltdown.pdf

6.4 Limitations on ARM and AMD We also tried to reproduce the Meltdown bug on several ARM and AMD CPUs. However, we did not manage to successfully leak kernel memory with the attack described in Section 5, neither on ARM nor on AMD. The reasons for this can be manifold. First of all, our implementation might simply be too slow and a more optimized version might succeed. For instance, a more shallow out-of-order execution pipeline could tip the race condition towards against the data leakage. Similarly, if the processor lacks certain features, e.g., no re-order buffer, our current implementation might not be able to leak data. However, for both ARM and AMD, the toy example as described in Section 3 works reliably, indicating that out-of-order execution generally occurs and instructions past illegal memory accesses are also performed.
Logged

rossogr

  • CORPORAL
  • ****
  • Offline Offline
  • Posts: 15
« Reply #25 on: 05-January-18, 14:17:18 »

Today we have received an information from MSI:

-----
The company is well aware of the issue, and where possible, will be releasing a fix for motherboards as soon as possible.
Older chipsets may need more time to wait, as it's up to Intel to release required resources.
No ETA given.
-----

Maybe I will point couple things out:
We moderators do not work for MSI or any other large PC company, therefore we have no access to internal information unless provided by our contact. We are users like you (which you should know if you read the forum rules).
We can in no way release a patch for you.
We are aware of the issue, but what can WE do? Users come, users go. Some panic, some don't care. Recently everyone was panicked about Intel ME vulnerability, but I have not heard yet of successful hacker attacks on those specific users.. and patches were released, so all happy at the end.
According to the article the bug was there since 1995, so if hackers were to get your sensitive information, they would have already got it.

Yes, we are all aware of this, and that's all we can do right now. Now it's down to MSI, Intel, Microsoft and probably other companies to patch the issue.

Also, let me fix 1 thing: you are right, thread will be in motherboards section. Merged with other threads about meltdown and spectre.

Edit:
Little side note: MSI already applied the fix to some 300 series motherboards. No ETA again for when it goes public, but seems like pretty soon.

Since these are the official MSI forums your answers so far about the issue are simply unacceptable and unprofessional, you may not work for MSI but you are a moderator on the official forums, not on a fun page, your responses should be accurate and responsible.  Security issues are no joke or something trivial.  The meltdown and spectre vulnerability were announced past few days and information about these was disclosed very recently.  It's a very serious design flaw and could be exploited in the near future. It's your right not to care what happens to your machines but it's important for everyone else who cares to take the necessary steps to safeguard the sensitive data of his own or others. Every manufacturer and software related entity right now are rushing to find a solution, since a fix that can cover every case cannot exist nor is easy, MSI is doing the same as you have seen, replying nothing happened  to my old machines or the problem isn't related to motherboard makers exposes not only you, as unsufficient for the task, but also harms MSI.

Everyone else who is looking for a solution to the vulnerability that has been discosed:

Apply the patches that linux distributions have issued and the patches that microsoft urgently pushed on 3rd of January.  Microsoft also provides a powershell scirpt that checks the system. It is important to run it because even if you patch your machine it may not be enough, in my case it's not and further patching is needed for the spectre vulnerability, possibly a bios update to my x99a motherboard, which was the reason I visited the forum. Also note that your installed antivirus must be updated because if it's not the mircosoft patch won't be pushed on your machine to protect your pc from bsod that will occur otherwise. The powershell script just checks the system and reports status, it doesn't fix anything.
Logged

buddyw53

  • STAFF SERGEANT
  • *
  • Offline Offline
  • Posts: 91
« Reply #26 on: 05-January-18, 14:27:12 »

...
I'm glad MSI is going to do something about this. And judging by the responses here from the mods, which clearly shows they do not understand the impact of these exploits or vulnerabilities, I called MSI last night just to get a straight answer. They said they would reach out to corporate and should have a response in the next few days.

... I personally am glad you do not work for MSI in any capacity, because you sure would be giving their public relations a black eye.
i'm fully aware that AMD's board partners are at the mercy of AMD for the code (micro-code or AGESA or whatever) before they can update the BIOS.  I was just looking for that kind of reassurance from the mods that engineering is 1)aware of the issues and 2)working with AMD engineering for fixes.  Thank you for providing this much info at least!

We seem to be at the mercy of the mods for information of this sort, and they seem to be kept at arms length or maybe just as mushroom-y as the rest of us.  But what's even scarier is that MSI might be relying on them to give feedback on how the users are coping with their hardware especially in the context of emergent issues,  and they're just passing us all off as a bunch of clueless jerks.
Logged

Xeroxxx

  • SERGEANT
  • *****
  • Offline Offline
  • Posts: 28
« Reply #27 on: 05-January-18, 14:43:41 »

@Nichrome
Thanks for your update in this thread: https://forum-en.msi.com/index.php?topic=297762.0

However I couldn't wait and updated the microcode in the bios myself. Updating the BIOS to an official one as soon as its been released.
Logged

jero-dol

  • PRIVATE E-2
  • **
  • Offline Offline
  • Posts: 4
« Reply #28 on: 05-January-18, 14:46:07 »

In fact, it would seems that the security patch is already out for a number of msi products (correct me is I'm wrong).
For exemple I have a gt72 6qd dominator g, and when I go to service and select my product, there is a patch named "Intel ME FW Update Tool"

Would it be that this is the patch?

The descrition is :
"Intel® Management Engine Critical Firmware Update for Security Vulnerabilities (Intel SA-00086)
 Refer to the update guide to patch security vulnerabilities for your system."
Logged

Xeroxxx

  • SERGEANT
  • *****
  • Offline Offline
  • Posts: 28
« Reply #29 on: 05-January-18, 14:48:58 »

In fact, it would seems that the security patch is already out for a number of msi products (correct me is I'm wrong).
For exemple I have a gt72 6qd dominator g, and when I go to service and select my product, there is a patch named "Intel ME FW Update Tool"

Would it be that this is the patch?

The descrition is :
"Intel® Management Engine Critical Firmware Update for Security Vulnerabilities (Intel SA-00086)
 Refer to the update guide to patch security vulnerabilities for your system."

The Intel Management Engine has nothing to do with Meltdown and Spectre. It requires an update of the Microcode nothing else.

However updating the Management Engine with this would be nice too.
Logged

SonicAndSmoke

  • PRIVATE FIRST CLASS
  • ***
  • Offline Offline
  • Posts: 6
« Reply #30 on: 05-January-18, 14:50:25 »

Today we have received an information from MSI:

-----
The company is well aware of the issue, and where possible, will be releasing a fix for motherboards as soon as possible.
Older chipsets may need more time to wait, as it's up to Intel to release required resources.
No ETA given.
-----

Great to hear that, good news.

Recently everyone was panicked about Intel ME vulnerability, but I have not heard yet of successful hacker attacks on those specific users.. and patches were released, so all happy at the end.

As you've brought this point to the table: my MSI X299 SLI Plus still hasn't received a bios update against the ME vulnerability. When will an update finally get released by MSI? Or does MSI skip the "old" ME update v11.11.50.1422 for X299 and goes straight to the upcoming Meltdown/Spectre ME update?
Logged
i7 7800X
MSI X299 SLI Plus
2x 8 GB Corsair DDR4 3000 CL15
EVGA GeForce GTX 1070 FTW
EVGA SuperNova 650 G2

Nichrome

  • Global Moderator
  • *****
  • Offline Offline
  • Posts: 14888
« Reply #31 on: 05-January-18, 14:55:52 »

As you've brought this point to the table: my MSI X299 SLI Plus still hasn't received a bios update against the ME vulnerability. When will an update finally get released by MSI? Or does MSI skip the "old" ME update v11.11.50.1422 for X299 and goes straight to the upcoming Meltdown/Spectre ME update?
Not quite sure. I'll see if I can find out.
Logged
I only take responsibility for what I say, not for what you understand.  Any posts are my own views!

darkhawk

  • Global Moderator
  • *****
  • Offline Offline
  • Posts: 11126
« Reply #32 on: 05-January-18, 15:10:45 »

To everyone :
First off, see : >>Please read and comply with the Forum Rules.<<
Everyone might be unhappy, anxious, and generally not pleased about these issues. But that does not exist you to act improper to others or to the moderators. Calm down, be patient. This is the warning for everyone here.

Second, MSI's official statement that we were given as moderators has been passed on above. This is what we know, and have been told. We cannot make it come quicker or provide more information than that, because that is all we know. Our understanding is that they are working diligently on it for current platforms, and older (ie no longer produced) platforms will follow shortly after. No, we do not have a more exact time line.

If this isn't satisfactory for you as a user, the best we can suggest is to contact MSI directly via their support : >>How to contact MSI.<<

If you are that entirely concerned about the exploit, unplug the PC from the internet until a fix is available. Outside of that, use good internet practices to ensure you won't be affected. 

Personally, I do not worry at all. I don't go to enough questionable sites to worry about it.

Moral here : keep calm, be patient, and we will provide more info when we have it.
Logged
MSI GS73VR 6RF
I7 6700HQ
16 GB DDR4
GTX1060 6GB

MSI X370 SLI Plus
Ryzen 5 1500X
16 GB DDR4
R9 290X
GTX1050Ti

rossogr

  • CORPORAL
  • ****
  • Offline Offline
  • Posts: 15
« Reply #33 on: 05-January-18, 15:40:20 »

The vulnerabilities have nothing to do with best practices or visiting questionable sites, it's a hardware vulnerability, not a software or o.s vulnerability, please try to read and educate yourself before posting/responding, even as a non MSI employee what you write could be perceived as official announcements since there is a title under your nickname.

For example:

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre

I came to see whether MSI announced plans for a future bios update, noone is trying to hurry anything, I presume most of us are looking for related information about their hardware.
Logged

gdobos76

  • PRIVATE E-2
  • **
  • Offline Offline
  • Posts: 1
« Reply #34 on: 05-January-18, 16:45:39 »

Great to hear that, good news.

As you've brought this point to the table: my MSI X299 SLI Plus still hasn't received a bios update against the ME vulnerability. When will an update finally get released by MSI? Or does MSI skip the "old" ME update v11.11.50.1422 for X299 and goes straight to the upcoming Meltdown/Spectre ME update?

Same here, no ME fix for B85-G43...

I hope they will make  a Meltown fix for this MB too, because Meltdown/Spectre got much more publicity as the ME vulnerablity
Logged

RemusM

  • Memory Expert
  • LIEUTENANT COLONEL
  • *
  • Offline Offline
  • Posts: 2130
    • Necromanthus
« Reply #35 on: 05-January-18, 16:46:05 »

Folks,
Your OS, browser and apps are already full of all kind of adware and (official) spyware.
:lol_anim:
Talking about Meltdown and Spectre:
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
1) This is not a bug or a flaw in Intel products.
2) Intel believes these exploits do not have the potential to corrupt, modify or delete data.
3) Intel is not currently aware of any malware based on these exploits

So ... :stop:
Logged

Mainboard: HC85
Processor: Zilog Z80 3.5MHz
System RAM: 48KB
Video RAM: 16KB (only 6912 bytes are used for Pixel Shader effects)
Video Card: integrated (16 colors)
PSU: 5V/3A
OS: BASIC Spectrum Sinclair

note: NO overclocking!

rossogr

  • CORPORAL
  • ****
  • Offline Offline
  • Posts: 15
« Reply #36 on: 05-January-18, 17:56:20 »

My o.s, browser and apps are not full of malware or adware.

1. It is a design flaw.

2. The problem with these exploits is not that it corrupts, modify or deletes data but they might give access to sensitive data like passwords for example. Intel's annoucement is a damage control announcement and in no case says there is a problem, on the contrary they say: "We have begun providing software and firmware updates to mitigate these exploits. End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any updates as soon as they are available."



3. Noone is aware of any malware based on these exploits it was disclosed this week, everyone is worried what will happen in the future.  Vulnerability is not easy to fix because it's a hardware vulnerablility.
Logged

sniperdoc

  • PRIVATE FIRST CLASS
  • ***
  • Offline Offline
  • Posts: 9
« Reply #37 on: 05-January-18, 19:55:41 »

Since these are the official MSI forums your answers so far about the issue are simply unacceptable and unprofessional, you may not work for MSI but you are a moderator on the official forums, not on a fun page, your responses should be accurate and responsible.  Security issues are no joke or something trivial.  The meltdown and spectre vulnerability were announced past few days and information about these was disclosed very recently.  It's a very serious design flaw and could be exploited in the near future. It's your right not to care what happens to your machines but it's important for everyone else who cares to take the necessary steps to safeguard the sensitive data of his own or others. Every manufacturer and software related entity right now are rushing to find a solution, since a fix that can cover every case cannot exist nor is easy, MSI is doing the same as you have seen, replying nothing happened  to my old machines or the problem isn't related to motherboard makers exposes not only you, as unsufficient for the task, but also harms MSI.

Everyone else who is looking for a solution to the vulnerability that has been discosed:

Apply the patches that linux distributions have issued and the patches that microsoft urgently pushed on 3rd of January.  Microsoft also provides a powershell scirpt that checks the system. It is important to run it because even if you patch your machine it may not be enough, in my case it's not and further patching is needed for the spectre vulnerability, possibly a bios update to my x99a motherboard, which was the reason I visited the forum. Also note that your installed antivirus must be updated because if it's not the mircosoft patch won't be pushed on your machine to protect your pc from bsod that will occur otherwise. The powershell script just checks the system and reports status, it doesn't fix anything.
OMG, THANK YOU.

This comment is to any of the moderators that have been working on this and the merged threads...

Please understand not a single one of us asked YOU or the forum staff to provide fixes. We asked a simple question that could have been responded to with "We apologize, but we do not know. We are not in direct contact with actual MSI staff and have not been informed of anything at this point. We will try relay your concerns to the appropriate people, and you can also put in a ticket for your device with MSI support."

Instead, visitors were/are met with, essentially, "Don't spread rumors/panic, why bother, doesn't concern you, etc" (overall general hostility). If anyone has ever worked in technical support, they'll tell you immediately that you put the visitor on the defensive, which will translate into an offensive. This whole "respect" towards moderators goes to an instant downward spiral and can throw egg in MSI's face.

Hence, why I had no problem posting this entire thread, as an image, to MSI's facebook page and make it even more public.

The fact of the matter is, this IS important, this DOES affect everyone and MSI ALSO makes AMD based motherboards. Yes, while the reference BIOS changes will ultimately have to come from Intel/AMD, we are still dependent on MSI to do their due diligence in following up with the CPU vendors.

You guys ARE the moderators. SOMEONE made you a moderator. It probably was an MSI staffer. So, just because you're not "employed by MSI" you are their front-line defense. So, this doesn't alleviate you from your responsibilities to act respectfully and responsibly.

Thank you for putting this thread back into Motherboards and changing the way you respond back to people. Very much appreciated.

I don't know if you guys have the power to edit comments or add a header on this post, but if you can, to reduce unnecessary responses regarding IntelME vs the actual issue at hand, I'd add a note stating that this thread is NOT about the IntelME exploit.

Again, thank you.
Logged

sqrly1

  • PRIVATE FIRST CLASS
  • ***
  • Offline Offline
  • Posts: 9
« Reply #38 on: 05-January-18, 22:19:34 »

May I suggest a sticky on this subject giving the most up to date information available to the moderators?

Even better would be MSI assigning an actual PR employee for this matter as it is a very serious security flaw that everyone who owns an MSI motherboard is affected by.
Logged
Cooler Master Elite 430 Mid Tower
 MSI Z87-GD65 GAMING Intel Motherboard (Gen 3 PCIe)
 Intel i7-4790K Devil's Canyon Quad-Core 4.0 GHz LGA 1150
 16GB Corsair Dominator Platinum 1866MHZ (2x8)
 MSI GTX 980Ti GAMING 6G
 Crucial MX200 mSATA 250GB (System)
 Western Digital WD1001FALS 1TB (Games)
Western Digital WD40EZRX 4TB (Data)
Western Digital WD40EZRZ 4TB (Media)
Corsair Hydro Series H60 Liquid CPU Cooler
 Thermaltake TR2 TR-700MS PSU
Logitech Z-5500 5.1 w/10" sub (505W)
 Win 7x64 Pro / Win 10x64 Pro
 Turbo enabled but no other OC.

darkhawk

  • Global Moderator
  • *****
  • Offline Offline
  • Posts: 11126
« Reply #39 on: 06-January-18, 06:42:22 »

The vulnerabilities have nothing to do with best practices or visiting questionable sites, it's a hardware vulnerability, not a software or o.s vulnerability, please try to read and educate yourself before posting/responding, even as a non MSI employee what you write could be perceived as official announcements since there is a title under your nickname.

For example:

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre

I came to see whether MSI announced plans for a future bios update, noone is trying to hurry anything, I presume most of us are looking for related information about their hardware.

I see you ignored everything I wrote.

One last time. See >>Please read and comply with the Forum Rules.<<

Has nothing to do with knowledge, and clearly your attitude and ego are the problem. Keep it in check.

As far as the practices? They're still valid. Unless you've already been attacked. I'm not particularly aware of any malware or malicious software that actively takes advantage of this yet. So that easily makes the recommendations still valid. Either way, it's a recommendation. Ignore it if you don't like it. Much like you've been ignoring moderators warnings.
Logged
MSI GS73VR 6RF
I7 6700HQ
16 GB DDR4
GTX1060 6GB

MSI X370 SLI Plus
Ryzen 5 1500X
16 GB DDR4
R9 290X
GTX1050Ti

RemusM

  • Memory Expert
  • LIEUTENANT COLONEL
  • *
  • Offline Offline
  • Posts: 2130
    • Necromanthus
« Reply #40 on: 06-January-18, 08:29:07 »

My o.s, browser and apps are not full of malware or adware.

1. It is a design flaw.
2. ...
3. ...

They are.
The spyware starts with your antivirus, Google Chrome, Facebook, ... etc
Meltdown and Spectre are nothing compared with what you already have (and you have no idea about)
And those (1,2,3) are quotes from Intel.
Read that article again ( more carefully this time).
:gg:
Logged

Mainboard: HC85
Processor: Zilog Z80 3.5MHz
System RAM: 48KB
Video RAM: 16KB (only 6912 bytes are used for Pixel Shader effects)
Video Card: integrated (16 colors)
PSU: 5V/3A
OS: BASIC Spectrum Sinclair

note: NO overclocking!

t1_75

  • SERGEANT
  • *****
  • Offline Offline
  • Posts: 43
« Reply #41 on: 06-January-18, 10:45:06 »

MSI,

Is there a plan to release firmware or bios updates to assist in mitigating the Meltdown and Spectre attacks that have come out recently, which affects all modern day processors since '95.

https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/
https://spectreattack.com/
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002#ID0EMGAC

I assume your security team is already aware of this since this has been huge news lately.  MIcrosoft is pushing out mitigations for their browsers and OS's as well as other vendors as well, but I haven't seen MSI comment on this yet and the only true way to mitigate this attack is by patching. Additionally making things harder is the fact that Spectre can be exploited remotely via javascript in browsers, and there are no ways to detect the attack. Firmware, bios, browser, and OS updates seems to be the best way to mitigate, but all of them have to be updated.

Appreciate any feedback.

Thanks

Thanks so much for posting this question. I have the same question.

I also cannot find as customer any official communication from MSI about when their products recieve -->>> (Quote) "Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation."(statement intel/microsoft, jan 2018).

It would be great if a clutter free topic would exist in the MSI forums, containing all information about this, including statements from MSI when and what they are doing to provide updated bios/firmware per motherboard. (seems more efficient to me than that all customers have to contact MSI individualy to seek this information).
Logged

91akun

  • PRIVATE E-2
  • **
  • Offline Offline
  • Posts: 4
« Reply #42 on: 06-January-18, 13:40:28 »

Thanks so much for posting this question. I have the same question.

I also cannot find as customer any official communication from MSI about when their products recieve -->>> (Quote) "Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation."(statement intel/microsoft, jan 2018).

It would be great if a clutter free topic would exist in the MSI forums, containing all information about this, including statements from MSI when and what they are doing to provide updated bios/firmware per motherboard. (seems more efficient to me than that all customers have to contact MSI individualy to seek this information).
The official statement of MSI was already been given by @Nichrome which is :

-----
The company is well aware of the issue, and where possible, will be releasing a fix for motherboards as soon as possible.
Older chipsets may need more time to wait, as it's up to Intel to release required resources.
No ETA given.
-----

Hence we just have to wait for the fix, bothering moderators here won't make it available sooner; and probably bothering MSI support won't either.
So just be patient and check your product bios/firmware update page and maybe this thread, I'm sure users will post here whenether a fix is available for their product line.
Logged
Product: 
MSI GP62MVR-7RF Leopard Pro
i5 7300HQ - 16GB RAM - GTX 1060 3GB - 250GB Samsung 960 EVO NVME SSD + 1TB HDD
Windows 10 Fall Creators update + Linux Mint Cinnamon 18

max78

  • PRIVATE E-2
  • **
  • Offline Offline
  • Posts: 4
« Reply #43 on: 06-January-18, 14:33:19 »

They are.
The spyware starts with your antivirus, Google Chrome, Facebook, ... etc
Meltdown and Spectre are nothing compared with what you already have (and you have no idea about)

Uh ok... clearly you have no idea about the impact and magnitude of the discussed vulnerabilities. If you have installed insecure crap on your system I feel sorry for you, but that does not stop the rest of us from expecting a fix.
Logged

max78

  • PRIVATE E-2
  • **
  • Offline Offline
  • Posts: 4
« Reply #44 on: 06-January-18, 14:42:06 »

Since these are the official MSI forums your answers so far about the issue are simply unacceptable and unprofessionall

I could not agree more. I am wondering if MSI really supports this unprofessional behaviour, I would have expected them to have some kind of selection process that ensures that people with official functions on their forums habe a minimum level of maturity and can keep their egos in check.

This thread is currently the first hit that comes up when you Google "msi spectre meltdown", and having to read mod statements like "And don't spread unnecessarily any panic. As far as I can read, the vulnerability was there since 1995, and so far I am fine with all my Intel based systems.."  really is a disgrace to MSI as a brand.
Logged

RemusM

  • Memory Expert
  • LIEUTENANT COLONEL
  • *
  • Offline Offline
  • Posts: 2130
    • Necromanthus
« Reply #45 on: 06-January-18, 14:54:49 »

Uh ok... clearly you have no idea about the impact and magnitude of the discussed vulnerabilities

At this moment, the Meltdown and Spectre impact and magnitude are close to ZERO.
On the other hand, you are close to be banned.
;-))
Logged

Mainboard: HC85
Processor: Zilog Z80 3.5MHz
System RAM: 48KB
Video RAM: 16KB (only 6912 bytes are used for Pixel Shader effects)
Video Card: integrated (16 colors)
PSU: 5V/3A
OS: BASIC Spectrum Sinclair

note: NO overclocking!

91akun

  • PRIVATE E-2
  • **
  • Offline Offline
  • Posts: 4
« Reply #46 on: 06-January-18, 15:05:41 »

I could not agree more. I am wondering if MSI really supports this unprofessional behaviour, I would have expected them to have some kind of selection process that ensures that people with official functions on their forums habe a minimum level of maturity and can keep their egos in check.

This thread is currently the first hit that comes up when you Google "msi spectre meltdown", and having to read mod statements like "And don't spread unnecessarily any panic. As far as I can read, the vulnerability was there since 1995, and so far I am fine with all my Intel based systems.." really is a disgrace to MSI as a brand.
I agree with you about "mod statements like "And don't spread unnecessarily any panic." and I was at first reading this like ":censored: is this even the official forum?" But after thinking about it (after all these mods are not official PR, just tools of MSI to cover non-existant official public statements and help users about random stuff) I think that while their response might be inappropriate sometimes, that's not their responsibility to take all the hate from MSI's inability to provide an appropriate response to a vulnerability in a record time; After all they're not developers of BIOSes and firmwares for MSI, not even public representatives.
Logged
Product: 
MSI GP62MVR-7RF Leopard Pro
i5 7300HQ - 16GB RAM - GTX 1060 3GB - 250GB Samsung 960 EVO NVME SSD + 1TB HDD
Windows 10 Fall Creators update + Linux Mint Cinnamon 18

karserasl

  • PRIVATE E-2
  • **
  • Offline Offline
  • Posts: 3
« Reply #47 on: 06-January-18, 17:01:10 »

At this moment, the Meltdown and Spectre impact and magnitude are close to ZERO.
On the other hand, you are close to be banned.
;-))


WOW.. i am stunned by your ignorance.. I mean, how can somebody as illiterate as you in these topics, actually giving advice to others..

Please, do us a favor and delete your account instead. Your idiocy is astonishing.

And also reading all the moderators replies, i will contact MSI just to complain about you. You guys/gals are BEYOND unprofessional, infact so much so, that i will never buy another MSI product. Its like you are here to harm MSI instead.
Logged

ytkuser

  • SERGEANT
  • *****
  • Offline Offline
  • Posts: 28
« Reply #48 on: 06-January-18, 17:14:25 »

Guys and girls be patient i called MSI Support the assured me they are working on it, they are focusing on newer boards then will go to the older boards that they can patch understand they can't get everything if something is from 1995 i highly doubt you will get a patch but if you are within the last 3 years or even 2012 or 2014 on up i bet you will get one, i have a MSI Z77A-G45 i bought it from amazon  the end of 2015 i got a i yr warranty it was just up end of 2016 , they told me i will get a update for it when i talked to him on the phone it will come but will be in the later as they are doing all there new boards first.
Logged
system spec:
Home built pc. 
Case Evermax 
OS win: 10 pro 
Cpu: Intel Core I7-3770 @ 3.4 GHZ
Motherboard: Z77A-G45
Memory: 8 Gigs 
Graphics card: Gigabyte Geforce GTX-750TI OC edition
Optical: Pioneer Blue ray drive/writer
Speakers: THX Logitech with 10 in sub
Recording: Snowball Ice by Blue Microphone
Hard drive: i have 2--> Seagate 1 TB Drives
Psu Antec NeoEco 620 Watt
KYB: SteelSeries Apex Gaming Keyboard
Mouse: Steelseries Sensei

smash0r

  • PRIVATE E-2
  • **
  • Offline Offline
  • Posts: 1
« Reply #49 on: 06-January-18, 20:28:03 »

Imagine my surprise, upon signing up for an account at the official MSI forums to look for a fix for the most dire security threat to the computer industry ever - to see this thread.  How in god's name is a company putting these uninformed people in front of their customers?  Temp fix - wait and get no information through official channels.  Permanent fix - don't buy MSI when this is figured out at the hardware/chipset level so you don't get completely hosed by some internet hero next time something goes down.

This is simply the most unprofessional ridiculous response to an actual security threat that I have *ever* seen and I've been doing this for a very long time.

If the rules do not allow for customers to get timely information in these forums - make them a fan forum, remove them from the msi domain and let them continue running the way they are - which is a place to be avoided.
Logged
Pages: [1] 2 3 ... 5   Go Up