Personal computing discussed

Moderators: renee, Flying Fox, Thresher

 
paul343
Gerbil
Topic Author
Posts: 11
Joined: Mon Jul 02, 2007 6:43 pm
Location: Victoria, BC Canada
Contact:

ASUS Z-97-A No planned BIOS Update Spectre

Wed Jan 24, 2018 8:35 pm

Perhaps an easy question for many, but apparently not for me... and I am seeking your opinion...

I have an ASUS 97-A with a Haswell i5 4460. Not the fastest for most I guess, but works just fine for our uses, and really doesn't need to be replaced based on performance.

I am however concerned that the lack of a new BIOS (and apparent lack of upcoming update) is unsafe for banking and any other usage that requires a password. We therefore have stopped using the computer in question and now try to only use the Surface Pro 4 for anything that needs a password.

Am I overreacting?

Is this now time to upgrade even though the system has no other issues?

Thanks for your thoughts,

Paul
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: ASUS Z-97-A No planned BIOS Update Spectre

Wed Jan 24, 2018 8:58 pm

The main Spectre-based vulnerability that is of concern for home users is the ability of malicious JavaScript code to read arbitrary memory in your web browser's process. This could potentially allow a malicious bit of JavaScript from a malicious/compromised site to read sensitive data intended for another site. AFAIK, aside from this JavaScript vulnerability, other (known) Spectre exploitation vectors require that the system already have been compromised through some other means (in which case all bets are off anyway).

You can defend against the JavaScript vulnerability by enabling Chrome's "site-per-process" experimental feature; I've done this, and haven't noticed any negative side effects. The upcoming Chrome 64 will enable Spectre mitigations by default.

Current versions of Firefox apparently attempt defend against Spectre-style side-channel attacks by reducing the resolution of the timers available from JavaScript. But this mitigation is already known to be imperfect (the original description of the Spectre attack describes a possible method for defeating it).

Bottom line: IMO Chrome 63 with "site-per-process" isolation enabled, or Chrome 64 (when available) seems to be a reasonable defense if the microcode patch isn't available for your system. Alternatively, close all browser windows/tabs, launch a fresh instance of your web browser to do anything sensitive, and make sure you close all browser windows when you're done; this will give you the approximate equivalent of Chrome's site isolation mode, albeit in a much more inconvenient way.
Nostalgia isn't what it used to be.
 
paul343
Gerbil
Topic Author
Posts: 11
Joined: Mon Jul 02, 2007 6:43 pm
Location: Victoria, BC Canada
Contact:

Re: ASUS Z-97-A No planned BIOS Update Spectre

Wed Jan 24, 2018 9:14 pm

Thanks just brew it,

I couldn't seem to sift that out of all of the internet info myself, much appreciated.

Paul
 
bthylafh
Maximum Gerbil
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: ASUS Z-97-A No planned BIOS Update Spectre

Wed Jan 24, 2018 9:14 pm

Chrome 64's out now - I just upgraded to it.
Hakkaa päälle!
i7-8700K|Asus Z-370 Pro|32GB DDR4|Asus Radeon RX-580|Samsung 960 EVO 1TB|1988 Model M||Logitech MX 518 & F310|Samsung C24FG70|Dell 2209WA|ATH-M50x
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: ASUS Z-97-A No planned BIOS Update Spectre

Wed Jan 24, 2018 9:22 pm

bthylafh wrote:
Chrome 64's out now - I just upgraded to it.

Ahh, yes. Indeed it is. Must've just been released in the past day or so; installing it now.
Nostalgia isn't what it used to be.
 
Ryu Connor
Global Moderator
Posts: 4369
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
Contact:

Re: ASUS Z-97-A No planned BIOS Update Spectre

Wed Jan 24, 2018 9:53 pm

I'd note that Edge and IE11 also contain Spectre specific JS mitigations.

The Spectre and Meltdown kernel vulnerabilities do not change the risk profile for end users. In fact I'd even go so far as to argue disabling the kernel protections and regaining performance doesn't increase risk for this audience. You're in the same positions before the revelation of these flaws as you are today.

Generally speaking that is:
1. Patch remote code execution flaws
2. Use a hardened browser
3. Be careful what you download and run.

If you fail in those steps, the bad guys will be able to do terrible things. Those terrible things don't need the Spectre and Meltdown flaws to succeed. For example: RAT.
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: ASUS Z-97-A No planned BIOS Update Spectre

Wed Jan 24, 2018 10:19 pm

Ryu Connor wrote:
I'd note that Edge and IE11 also contain Spectre specific JS mitigations.

No doubt; they've got some pretty huge incentives to fix this. I live in the Linux world (with a bit of OS X) at the day job these days, and run Linux on my personal desktop/laptop. So I'm not as up-to-date on stuff that isn't cross-platform.

Ryu Connor wrote:
The Spectre and Meltdown kernel vulnerabilities do not change the risk profile for end users. In fact I'd even go so far as to argue disabling the protections and regaining performance doesn't increase risk for this audience. You're in the same positions before the revelation of these flaws as you are today.

Yeah, I've pretty much been saying this since shortly after this dumpster fire ignited. The kernel-level stuff is mainly a concern for shared hosting and VPS service providers. You need to be able to execute your own code on the system to exploit, and since it's a data leakage issue, you need to be running on the same physical hardware as the sensitive data you're trying to exfiltrate.

Sandboxed JS in a web browser is a special case (since you're explicitly running untrusted code that the browser is supposed to protect you from), and is THE case that is of most concern to end users.

Ryu Connor wrote:
Generally speaking that is:
1. Patch remote code execution flaws
2. Be careful what you download and run.

If you fail to do either of those steps, the bad guys will be able to do terrible things. Those terrible things don't need the Spectre and Meltdown flaws to succeed.

Yup. As a desktop or mobile user, once you've mitigated the JS vulnerability, the rest of Meltdown/Spectre requires a pre-existing compromise of the system (whether technical or socially engineered) to be a significant risk.
Nostalgia isn't what it used to be.
 
paul343
Gerbil
Topic Author
Posts: 11
Joined: Mon Jul 02, 2007 6:43 pm
Location: Victoria, BC Canada
Contact:

Re: ASUS Z-97-A No planned BIOS Update Spectre

Wed Jan 24, 2018 10:44 pm

Great info, thanks all!

Just one thing... Are the "remote code execution flaws" patched through the MS updates?

Pardon my lack of knowledge on this...

Cheers,

Paul
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: ASUS Z-97-A No planned BIOS Update Spectre

Wed Jan 24, 2018 10:57 pm

paul343 wrote:
Just one thing... Are the "remote code execution flaws" patched through the MS updates?

Partly. Remote code execution vulnerabilities can exist in any poorly written code that handles data from an untrusted source. So, for example, a media player, 3rd party web browser, or local e-mail client can be vulnerable. If you're using 3rd party applications, MS updates will only protect you if the vulnerability is in a MS-supplied library/API that is used by the application; if the issue is in the application itself, then the application vendor is responsible for patching any holes.
Nostalgia isn't what it used to be.
 
paul343
Gerbil
Topic Author
Posts: 11
Joined: Mon Jul 02, 2007 6:43 pm
Location: Victoria, BC Canada
Contact:

Re: ASUS Z-97-A No planned BIOS Update Spectre

Wed Jan 24, 2018 11:49 pm

Awesome,

I believe I understand now, and at the very least know much more than I did before I asked.

Thank you,

Paul
 
evilpaul
Gerbil
Posts: 61
Joined: Mon Jan 11, 2010 6:59 pm

Re: ASUS Z-97-A No planned BIOS Update Spectre

Sun Mar 18, 2018 11:26 pm

I just use Edge to browse my bank's site and nothing else. :D
 
JustAnEngineer
Gerbil God
Posts: 19673
Joined: Sat Jan 26, 2002 7:00 pm
Location: The Heart of Dixie

Re: ASUS Z-97-A No planned BIOS Update Spectre

Mon Mar 19, 2018 5:56 am

The initial batch of updates came out quickly, but some of them have been much slower to appear. My Gigabyte GA-Z170N-Gaming 5 just got a patched UEFI BIOS two weeks ago.
· R7-5800X, Liquid Freezer II 280, RoG Strix X570-E, 64GiB PC4-28800, Suprim Liquid RTX4090, 2TB SX8200Pro +4TB S860 +NAS, Define 7 Compact, Super Flower SF-1000F14TP, S3220DGF +32UD99, FC900R OE, DeathAdder2
 
srg86
Gerbil Team Leader
Posts: 262
Joined: Tue Apr 25, 2006 7:57 am
Location: Madison, WI

Re: ASUS Z-97-A No planned BIOS Update Spectre

Mon Mar 19, 2018 7:51 am

paul343 wrote:
Am I overreacting?


Waaaayyy overreacting, but it is understandable. I have the same motherboard and the last BIOS (which I sill need to upgrade to anyway) was from 2015.

But I'm not too worried, as your Operating System should be able to load the new microcode as well. I've just switched to openSUSE Tumbleweed and it on boots installs the latest (fixed) spectre microcode, so in that reguard I'm good. Not sure about the status of Windows though.
Intel Core i7 4790K, Z97, 16GB RAM, 128GB m4 SSD, 480GB M500 SSD, 500GB WD Vel, Intel HD4600, Corsair HX650, Fedora x64.
Thinkpad T460p, Intel Core i5 6440HQ, 8GB RAM, 512GB SSD, Intel HD 530 IGP, Fedora x64, Win 10 x64.

Who is online

Users browsing this forum: No registered users and 1 guest
GZIP: On