fbpx

Microsoft issues emergency Windows patch to disable Intel’s buggy Spectre fix

meltdown-spectre-malware

If your Windows PC seems buggier than usual after the recent round of Spectre patches, you might want to download this.

By   Senior Editor, PCWorld

If you’ve noticed any unexpected reboots or PC instability as a result of the recent Spectre patches, there’s a solution: Microsoft has issued an emergency Windows patch that rolls back the recent Spectre mitigations.

Confused? It’s a bit complicated. After the intial Spectre and Meltdown vulnerabilites were disclosed, both Intel and Microsoft hustled out patches to mitigate the problem. Unfortunately, Intel’s latest microcode updates—and the BIOS updates from PC makers based upon them—were themselves buggy, causing instability, reboots, and data loss in some PCs.

Microsoft’s latest patch (KB4078130) allows people with affected systems to download the patch via the Microsoft Update Catalog, which disables the mitigations for the “Spectre variant 2.”

Note that the patch notes specifically state that you should run this patch “if you are running an impacted device” (emphasis ours). In other words, if your system is working normally, don’t bother downloading this patch. This is what Microsoft calls an “out of band” patch, and it doesn’t appear that it will be made available via Windows Update, either.

Why should you consider it? Intel has warned previously that the faulty patch can sometimes cause data loss and corruption, and Microsoft is saying the same: “Our own experience is that system instability can in some circumstances cause data loss or corruption,” the patch notes state.

There’s another wrinkle, though. As part of the patch, Microsoft is allowing users to edit the Windows registry to toggle the mitigations on or off. (Instructions are here.) It’s possible to toggle Microsoft’s patch off, and then, when Intel solves its own patching problem, re-enable it. That scenario is actually what Microsoft recommends—again, only if you’ve noticed system instability and want to take action against it.

Toggling the mitigations on and off is also a feature of the latest InSpectre utility.

As Bleeping Computer noted, system makers such as Dell and HP also advise rolling back their own BIOS patches to an earlier version, which they’re redeployed. It’s all horrendously confusing for consumers and IT organizations alike. Fortunately, at least, there haven’t been any public cases of these vulnerabilities being exploited, Microsoft says.

What should you do? There’s no one-size-fits-all answer to this question. But we can tell you what we’re doing: if a PC is working as expected, we’re leaving it patched and in place. If you’re backing up your data (to Remote Backup Services or an external drive) chances are your most crucial data will be saved in case your system goes down unexpectedly. Obviously, install Microsoft’s emergency Windows patch if you’re running into system issues. There’s no perfect solution—if you’re more paranoid than we are, feel free to deploy the patch even if your PC hasn’t hiccuped.

Amazon has created a new computing platform that will future-proof your home

AP/Elaine Thompson

Amazon has created a new computing platform that will future-proof your home

Steve-Kovach

By Steve Kovach

Amazon is in a better position than any other company to dominate ambient computing, the concept that everything in your life is computerized and intelligent.
Amazon’s Alexa platform continues to get better while remaining open to third parties, unlike Apple’s Siri.
Buying into Alexa now will future-proof your home.

Almost four years ago, New York Times tech columnist Farhad Manjoo wrote out a strategy to keep all your technology future-proof in a rapidly evolving environment.

His advice still holds up.

Use Apple hardware for your smartphone and PC. Use Google services for things like email, calendar, and maps. Buy all your digital music, movies, and TV shows from Amazon.

Of course, there are caveats to all of these suggestions, but you’ll future-proof yourself nicely by following them. Amazon’s media can (usually) play on all your devices, no matter what company makes them. Google is not only the best at digital services, it’s also platform agnostic. You don’t have to be an Android user to get the most out of Google. And Apple still makes the best phones, tablets, and PCs you can buy.

But I think it’s time to add one more category to the list: ambient computing, or the concept that there can be a layer of intelligence powering everything in your home from your lights to your thermostat. Many see this as a new phase of computing where our technology works for us automatically. We’re in the early days of ambient computing, but there’s already a clear front-runner powering its future: Amazon Alexa.

Right now, Alexa is great at answering basic questions or playing music from streaming services like Spotify. It’s also laying the foundation for an Alexa-powered smart home as more and more accessories make themselves compatible with Amazon’s platform. Even better, Alexa lets you control all your smart home accessories with your voice, which is a lot more convenient than poking around your iPhone to turn your lights on.

I gave it a try a few weeks ago, starting small by connecting most of my lighting. I bought a bunch of Wemo smart plugs for all the lamps in my apartment. (My apartment doesn’t have a lot of built-in lighting, so I have lamps all over the place instead.) After setting each plug up, I fired up the Alexa app and added the Wemo skill. A few seconds later, I was able to control all my lights with my voice.

Now I’m obsessed with the idea of Amazonifying the rest of my home. I have an Apple TV, but I plan to make the change to the new Amazon Fire TV 4K instead since I can control it with Alexa. (“Alexa, play ‘The Good Place’ on Netflix.”) Instead of a Nest camera, I’m going to buy Amazon’s new security camera, which will let me beam the feed to my phone, Fire TV, or Echo Show. (“Alexa, show me what’s happening in the living room.”)

You get the idea.

No other platform is better poised to dominant ambient computing. It’s not going to happen tomorrow, or even next year, but Amazon has done an incredible job of laying the foundation for something much more profound beyond just playing your favorite Pandora station with an Alexa command.

So what is that foundation? Here are the four key advantages that will propel Amazon to dominate ambient computing.

Alexa is everywhere
During CES this year, I was shocked at how many companies decided to integrate Alexa into their products. Toyota and Ford cars. Kholer bathtubs. Whirlpool ovens and dishwashers. And a bunch of third-party speakers.

Ambient computing needs a voice assistant to be ubiquitous in order to be successful. If you call for “Alexa” and it’s not there to do what you want, it has failed. Amazon’s head start getting Alexa into everything, everywhere will help it maintain its lead.

Alexa is open
Part of the reason why Alexa is showing up everywhere is because Amazon turned it into an open platform that anyone can build into. But it’s not just physical appliances. Services and apps can build into Alexa, making it easy to add a layer of voice controls to their stuff.

It’s the opposite approach rivals like Apple take, which is why devices like the HomePod feel like a wasted opportunity to take on Amazon’s dominance. Siri is limited to Apple’s own services and a few other third-party categories like messaging and to-do list apps. It’s unlikely Apple will want to go against its DNA and completely open up Siri.

Amazon dominates the smart speaker market
Amazon already owns two-thirds of the smart speaker market, with Google playing catch up. It’s likely going to be a two-horse race between the two companies, with Amazon consistently in the lead. The large install base of Echo and Alexa-powered smart speakers provides greater incentive for people to build into Alexa first as opposed to rivals.

Alexa keeps getting better
When the Echo first launched back in 2014, it couldn’t do much more than play streaming music from Amazon and help you buy stuff from the company’s online store.

You know what’s coming next.

Over the years, the Echo has become immensely more powerful and capable. It can stream music from a variety of music services. You can use it to call an Uber or order a pizza from Domino’s. It can even make phone calls. Amazon has done a spectacular job at improving the Echo over time. These are speakers you’re likely to keep in your home for several years before replacing or upgrading them.

Buying one now guarantees you’ll be ready to go for whatever Alexa learns to do next. And, more importantly, it’ll make sure your technology remains future-proof.

From: The Business Insider
Image: AP/Elaine Thompson

These are the Samsung Galaxy S9 and S9+

samsung_galaxy_s9_and_s9_plus

By EVAN BLASS @EVLEAKS

Having opted against what would have been an uncharacteristic debut at the recent Consumer Electronics Show in Las Vegas — in teaser capacity or otherwise — Samsung is now gearing up to launch the 2018 versions of its flagship Galaxy S lineup in a much more traditional fashion, just prior to Barcelona’s Mobile World Congress. These are the Samsung Galaxy S9 and Galaxy S9+ (pictured top, left to right).

As VentureBeat reported previously, more than screen dimensions will separate the two models this year (the Galaxy S8 and S8+, in contrast, are nearly identical save for their Super AMOLED display diagonals). However, as this year is mostly a component upgrade following a comprehensive redesign in 2017, neither the 5.8-inch S9 nor the 6.2-inch S9+ will be significant departures from their predecessors.

Even in an industry built on iterative upgrades, these stand out as adhering closely to the existing script.

Powered by Qualcomm Snapdragon 845 in the U.S. and China, and Samsung’s own Exynos 9810 systems-on-chip in the rest of the world, the first differentiator between the S9 siblings (codenamed Star and Star 2) lies in their memory configurations: 6GB of RAM and 128GB of internal storage for the S9+, but the same 4GB/64GB pairing as last generation for the standard S9. With this distribution of basic components, Samsung is making it more difficult for users, some of whom may even want a smaller screen, to choose the basic S9 without additional trade-offs.

As the Unpacked invitation suggests, the main highlight for both the Galaxy S9 and Galaxy S9+ will be refreshed imaging hardware and software — a notion confirmed by two people briefed on Samsung’s plans. Besides motion-detected, “super slow-mo” video capture (rapid movement triggers 480fps recording at 720p), both devices are said to feature variable aperture on their primary 12-megapixel cameras. It’s a mechanical adjustment that switches between f/2.4 and smallest-in-class f/1.5.

The Galaxy S9+ adds a second 12-megapixel rear module, but this one has a standard fixed aperture. In what will be important to many, all of the phones’ rear elements are aligned vertically, instead of horizontally like the S8, with the fingerprint scanner located more naturally at the bottom of the stack. Around front, both 2018 S-series models sport 8-megapixel selfie cams. On the bottom, another welcome change: stereo speakers.

Expect the Galaxy S9 and Galaxy S9+ to begin shipping, and selling through retail, on March 16 (further evidenced by that date appearing in the official press shots).

Microsoft Issues Emergency Out-Of-Band Update to Fix “Crazy Bad” Vulnerability

By 

Patched Microsoft Malware Protection Engine

In an emergency out-of-band update released late last night, Microsoft fixed a vulnerability in the Microsoft Malware Protection Engine discovered by two Google security experts over the weekend, and which the two described as “crazy bad” and “the worst Windows remote code exec in recent memory.”

While initially the two Google experts didn’t reveal what Windows feature the bug was found in, the veil of mystery lifted yesterday when both Microsoft and the two experts shared more details about the issue.

Vulnerability affects Microsoft Malware Protection Engine

As per the two sources, the bug affects the Microsoft Malware Protection Engine (MsMpEng), a core service that ships with Windows 7, Windows 8.1, Windows 10, and Windows Server 2016, and which is the core of many of Microsoft security tools, such as:

  • Windows Defender
  • Microsoft Security Essentials
  • Microsoft Endpoint Protection
  • Microsoft System Center Endpoint Protection
  • Windows Intune Endpoint Protection
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft Forefront Endpoint Protection 2010

According to the Google experts, the bug is a “type confusion” vulnerability in NScript, the MsMpEng component that handles “any filesystem or network activity that looks like JavaScript.”

The two experts say that NScript mishandles how it interprets some JavaScript object types, which allows them to deliver an exploit that can use the Microsoft Malware Protection Engine to execute malicious code.

Vulnerability is trivially exploitable

The researchers say the issue can be exploited with no user interaction needed.

This includes scenarios such as sending an email with the exploit included in the message’s body, hosting malicious JavaScript code inside a web page, or by delivering a JS exploit to thousands or millions on users, via ads on reputable sites.

“Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service,” Tavis Ormandy, one of the Google researchers says.

This is because the service runs without sandboxing — a basic and very efficient security feature —, but also because the service runs as
NT AUTHORITY\SYSTEM, a system-level user with no limitations.

Furthermore, the service is included by default on all recent Windows operating system, exposing hundreds of millions of PCs to remote hacking.

Microsoft patches issue within days

Unlike past incidents, where Microsoft has allowed exploited zero-day vulnerabilities to fester in the wild without being bothered to deliver a patch for months, this time around, the company moved lightning fast to address the issue.

In just a few days, the company had prepared and already shipped a patch to fix the vulnerable MsMpEng service.

According to a Microsoft advisory, the first version of the Microsoft Malware Protection Engine affected by this flaw is v1.1.13701.0. The issue has been patched in v1.1.13704.0, released a few hours ago, and which has already reached some users (screenshot above).

Microsoft also said that on latest Windows platforms, the risk of exploitation should be lower if the user has turned on Windows CFG (Control Flow Guard), a security feature that can make exploitation of memory-based vulnerabilities much harder.

The vulnerability is tracked as CVE-2017-0290. The two Google researchers also released proof-of-concept exploit code. The entire exploit fits in a tweet. To help spread the word about this issue, US-CERT has also released an accompanying alert.