InSpectre : GRC.com Spectre & Meltdown testing tool

[+Warwagon MVC]

InSpectre

 

https://www.grc.com/dev/InSpectre.exe

 

Steve Gibson has recently created a new tool to run on a system to inform you whether or not a system is vulnerable to Meltdown or Spectre. At the moment it's in the testing phase, but it's getting closer to the final. You can still test it out.

 

 

[Mindovermaster Global Moderator]

Linux fans. this can be run in WINE as well. Just tested it.

 

Edit: I had YES for both, and it says performance is good...

[+Warwagon MVC]

12 minutes ago, Mindovermaster said:

Linux fans. this can be run in WINE as well. Just tested it.

 

Edit: I had YES for both, and it says performance is good...

While it can be run in wine it might be looking for certain Windows-specific fixes. Which is why you may be getting a Yes on Meltdown. I know from early versions that I was testing that under the hood (before he made it in plain English) there was a section that said "CPU Microcode yes or no." So Spectre results in this tool may be OS independent.

[Circaflex]

Just now, warwagon said:

While it can be run in wine it might be looking for certain Windows-specific fixes.

I tend to agree. For Linux, your best option is this native script https://github.com/speed47/spectre-meltdown-checker

[Mindovermaster Global Moderator]

mind@mind-PC ~ $ bash spectre-meltdown-checker.sh 
Spectre and Meltdown mitigation detection tool v0.31

Note that you should launch this script with root privileges to get accurate information.
We'll proceed but you might see permission denied errors.
To run it as root, you can try the following command: sudo spectre-meltdown-checker.sh

Checking for vulnerabilities against running kernel Linux 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64
CPU is Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz
spectre-meltdown-checker.sh: line 418: /boot/vmlinuz-4.4.0-104-generic: Permission denied
spectre-meltdown-checker.sh: line 418: /boot/vmlinuz-4.4.0-104-generic: Permission denied
spectre-meltdown-checker.sh: line 418: /boot/vmlinuz-4.4.0-104-generic: Permission denied
spectre-meltdown-checker.sh: line 418: /boot/vmlinuz-4.4.0-104-generic: Permission denied
spectre-meltdown-checker.sh: line 418: /boot/vmlinuz-4.4.0-104-generic: Permission denied
spectre-meltdown-checker.sh: line 418: /boot/vmlinuz-4.4.0-104-generic: Permission denied

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  UNKNOWN 
> STATUS:  UNKNOWN  (couldn't check (couldn't extract your kernel from /boot/vmlinuz-4.4.0-104-generic))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
*     The SPEC_CTRL CPUID feature bit is set:  UNKNOWN  (couldn't read /dev/cpu/0/cpuidr, is cpuid support enabled in your kernel?)
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
* Checking if we're running under Xen PV (64 bits):  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

guess I'm still Vulnerable...

[CrashG]

@warwagon  I'm guessing you haven't updated the BIOS on that device you tested with?

[+Warwagon MVC]

5 minutes ago, CrashGordon said:

@warwagon  I'm guessing you haven't updated the BIOS on that device you tested with?

Correct, None my Windows PC/laptops have Bios Updates available for them and probably never will.

[CrashG]

6 minutes ago, warwagon said:

Correct, None my Windows PC/laptops have Bios Updates available for them and probably never will.

Thanks. Yeah got a couple here too. An Asus P5K-E and haven't even looked at the laptop yet, but I'm not expecting to find one for it either.

[+Warwagon MVC]

14 minutes ago, CrashGordon said:

Thanks. Yeah got a couple here too. An Asus P5K-E and haven't even looked at the laptop yet, but I'm not expecting to find one for it either.

I aso have a Macbook Pro 2011 and a Slightly Newer iMac (only because I got  a really good deal on both) .. so i'm hopeful both of those will get some kind of UFI update. The computer i'm most annoyed with probably not getting the update is my 16GB ram, 512 msata SSD  i7 4770R brix pro.

[goretsky Supervisor]

Hello,

I've noticed several third-party utilities beyond what Microsoft has provided are beginning to appear. 

 

Here's the ones I've found so far:

 

Alex Ionescu - SpecuCheck

Ashampoo - Ashampoo Spectre Meltdown CPU Checker

GRC - Inspectre

Qihu 360 - CPU Vulnerability Assessment and Fix Tool

 

Regards,

 

Aryeh Goretsky

 

[Mando]

gotta love grc.com

 

[Mando]

12 hours ago, warwagon said:

I aso have a Macbook Pro 2011 and a Slightly Newer iMac (only because I got  a really good deal on both) .. so i'm hopeful both of those will get some kind of UFI update. The computer i'm most annoyed with probably not getting the update is my 16GB ram, 512 msata SSD  i7 4770R brix pro.

As long as both systems have an up todate av with detection sigs for spectre/meltdown attack vectors, your somewhat covered in conjuction with windows patches.

[Pork Chopper]

So by changing two Registry entries you basically bypass what the Windows patch did as well as the BIOS update.  If this is such a big security concern why allow it to be overridden.  I have confirmed that the two Reg entries do reverse the patches.  I realize the logic for all of this is that the performance hit might be too much for some machines and servers.  It is also true, so I read, that no exploit has occurred for all the decades this so called security flaw has existed, until possibly now that it is splashed all over the place.

[oldtimefighter]

5 minutes ago, Pork Chopper said:

So by changing two Registry entries you basically bypass what the Windows patch did as well as the BIOS update.  If this is such a big security concern why allow it to be overridden.  I have confirmed that the two Reg entries do reverse the patches.  I realize the logic for all of this is that the performance hit might be too much for some machines and servers.  It is also true, so I read, that no exploit has occurred for all the decades this so called security flaw has existed, until possibly now that it is splashed all over the place.

No exploit has been discovered in the wild but that doesn't mean one doesn't exist. The three letter agencies right here the US are known to keep exploits secret.

[oldtimefighter]

You have to install it? Why?

[Mindovermaster Global Moderator]

2 hours ago, oldtimefighter said:

You have to install it? Why?

Umm, you don't?

[adrynalyne]

2 hours ago, Pork Chopper said:

So by changing two Registry entries you basically bypass what the Windows patch did as well as the BIOS update.  If this is such a big security concern why allow it to be overridden.  I have confirmed that the two Reg entries do reverse the patches.  I realize the logic for all of this is that the performance hit might be too much for some machines and servers.  It is also true, so I read, that no exploit has occurred for all the decades this so called security flaw has existed, until possibly now that it is splashed all over the place.

As it was explained to me, the patch alone is not enough to enable the protection on Windows Server. You must also proactively set the reg keys. Being that Windows Server is based off of Windows version whatever, they also end up working there but are not needed to be set to  enable it. They can however be used to disable it. 

[oldtimefighter]

30 minutes ago, Mindovermaster said:

Umm, you don't?

I meant it appears to be an installer. I got the Windows warning prompt and didn't go any further because really had to get to work anyway. Is that correct? I wanted someone to confirm either way. If so why? It seems like something that just needs to run once.

[DevTech]

7 hours ago, Pork Chopper said:

So by changing two Registry entries you basically bypass what the Windows patch did as well as the BIOS update.  If this is such a big security concern why allow it to be overridden.  I have confirmed that the two Reg entries do reverse the patches.  I realize the logic for all of this is that the performance hit might be too much for some machines and servers.  It is also true, so I read, that no exploit has occurred for all the decades this so called security flaw has existed, until possibly now that it is splashed all over the place.

YES. You have identified "The Emporer's New Clothes".  About time this issue gets to be right up front in any discussion.

 

The fuss is because the issue is related to CPU architecture and is mostly universal.

 

But to use the word "Exploit" is misleading for most people in most cases. The so-called security issue does not lead to an escalation of privilege level. Simply due to speculative execution of branch prediction code there can be other processes machine instructions that you can spy on. Woopy Doo, Scooby Doo...

 

To run a resident task to continuously spy on this information mains the computer has already been compromised by a real exploit and at that point there sure is a lot of better ways to steal user data! This issue is only of use in server systems where multiple people use the same machine and one customer can run code to spy on other customer's code. But even there, imagine trying to assemble coherently useful data out of cached branch instruction misses?

 

Every day a real virus takes over a real computer and does real illegal things. The best Anti-Virus have a 99% success score in real world testing. Compare that 1% of world wide successful penetration with Spectre and Meltdown. Look at the words "Spectre" and "Meltdown" and wonder what sort of marketing forces are at play in this non-situation.

 

 

 

[Mando]

Kudos to Kevin Beaumont for this matrix, its not mine. Lots of direct links to different vendors and patch status.

 

https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true

 

 

 

 

[DevTech]

It makes no sense to install any patches for this problem on any user computer since your own code can already spy on your own computer.

 

It makes no sense to install any patches for this problem on any server that is used on premise or used exclusively for one customer since again you can only spy on yourself!

 

Only in the case of vendors supplying shared hosting over the internet does it make any possible sense to install a fix and even then nobody has demonstrated any ability to extract useful information out of this "inter-process leak"

 

But instead, the world is rushing to install this everywhere at the cost of slowing down everyone's computer maybe 1% maybe 20% and multiplied by several billion computers and you get far worse damage in human labor and reduced processing or else energy cost.

 

There is NO escalation of privilege! Only an already infected computer could deploy code to examine branch misses but the absurdity of this is since the computer has already been root-kitted or trojaned, it can just freakin access the data directly!

 

We have a solution that does far more damage than the problem itself! 

[DevTech]

45 minutes ago, Mando said:

Kudos to Kevin Beaumont for this matrix, its not mine. Lots of direct links to different vendors and patch status.

 

https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true

 

 

 

 

I am straining to imagine the word "Kudos" in the context of promoting this insanity.

 

I.T. professionals, instead of doing a knee-jerk response of applying yet another security patch, should stop and ask WTF is this protecting against that justifies the huge cost of protection?

 

[xendrome]

9 minutes ago, DevTech said:

I am straining to imagine the word "Kudos" in the context of promoting this insanity.

 

I.T. professionals, instead of doing a knee-jerk response of applying yet another security patch, should stop and ask WTF is this protecting against that justifies the huge cost of protection?

 

I totally disagree with you to let a vulnerability sit out there open and not be addressed on systems that run the entire word seems like a horrible idea. The attack vector could change overnight, thinking about only how it could be exploited now is short-sighted.

[Mando]

im finding matrixes like this invaluable to catalogue what fixes to kit under my remit will require, awaiting parents corp official response to addressing it, meanwhile im collating info to help myself when they do respond.

[DevTech]

37 minutes ago, xendrome said:

I totally disagree with you to let a vulnerability sit out there open and not be addressed on systems that run the entire word seems like a horrible idea. The attack vector could change overnight, thinking about only how it could be exploited now is short-sighted.

But there is no attack vector! It is not a vulnerability! It is just information leakage of particularly incoherent information.

 

It it just a way of seeing incoherent bits of CPU instructions.

 

There is no mapping for access into another address space just a view into branch prediction misses from another process space. You are seeing really stupid stuff in a cache. You can't map in anything else. You have no control. You would probably need a Quantum Computer to make any useful sense of random fragments of code that were the exact opposite of the IF-THEN-ELSE that was actually executed.

 

There is no privilege escalation, so assuming you could insert your Quantum Computer into WTF who knows where, you couldn't do anything with it without an actual attack vector that gives you access to something at which point you don't need the garbage gobbledygook of this "giant security hole" because your real attack vector lets you access real data instead of fragments of code that were never meant to be executed...

 

Sorry, this one needs to get some sort of award for stupidest security fuss of all time!