I’m very, very sorry that you think I’m NOT understanding "Spectre" and what this shows. - I understand this very well! ;)

FOR YOU:
======
PLEASE look at the possibilities of the new version 57.0.4 of Firefox. With this specially created release (of this browser) you can PATCH the Microcode AGAINST Spectre!

==> So this shows that there IS an easy way of doing Microcode changes in user-mode! AND this also demonstrates that quite the same can be done to change the Microcode AGAIN WITHOUT being sure the new (now maybe hacked) code change comes from Intel or NOT!

--> AND to start this CHANGE you just click on a "special button". If such is possible without asking for any system passwords, THIS is a huge security problem !!! In such a case a "user" doesn’t know what’s really going on and ALL normal OS & FW checks look to be sending green flags!

THIS IS CRAZY DANGEROUS and should NOT be possible on any secure system!

Whenever we change things, we trust in the SW sources. THIS I UNDERSTAND VERY WELL. But in this case (Spectre) just a "bad website" can be used to read data from other areas. This is possible because of some side effect the current Microcode has. If we can FIX that with the special version (57.0.4) of Firefox, a hacker can change it back again with another program and no one knows! - After this he just needs a "bad website" to get data AGAIN.

PLEASE: Before you send me your next quick answer, PLEASE read my e-mail very carefully and try to understand WHAT I’m talking about. IT IS SERIOUS and IMPORTANT.

==> I’m NOT talking about what Spectre does (this is clear); I’m afraid of HOW we can patch the Microcode so that it does NOT allow this AND how easy it will be to enable this again.

MEMO: Linus Torvalds is also very unhappy with the actual situation!
http://www.pcgameshardware.de/CPU-Hardware-154106/News/Meltdown-Spectre-Linux-Linus-Torvalds-1247248/

Kind regards
Patrik

ifs³ Consulting+Engineering
Patrik Lori
CTO, cert. Computer Engineer & MAS-BA
Panoramastr. 6, 5625 Kallern, Switzerland
Web: http://www.ifs3.com
Email: patrik.l...@ifs3.com
Mobile: +41 79 326 75 97

> On 08.01.2018 at 21:09, Felix Winterhalter <fe...@audiofair.de> wrote:
>
>> Sorry, it’s NOT enough. Don’t worry, I trust Intel for changing Intel CPUs; I
>> trust AMD for changing AMD CPUs, etc. NO problem with that! - But
>>
>> SIMPLIFIED:
>> How can Firefox 57.0.4 change the Intel CPU/MMU Microcode if such a change
>> needs a secret code signature and it doesn’t know anything secured from my CPU?
>>
>> If a browser SW can change it (I hope this SW is running in user-mode), a
>> "disguised hacker SW" can change it too !!!
>>
> I do not know where you got the impression that this is possible. As it isn't.
>
> The Meltdown and Spectre vulnerabilities have nothing whatsoever to do with
> putting "hacked microcode" or something like that on the CPU. I suggest you
> read up on how these vulnerabilities actually work before posting messages
> such as this, or for that matter look up what exactly microcode IS, as it seems
> you have a bit of a misconception about the nature of it.
>
> In essence they use features that are already in the CPU in a way that allows
> them to gain knowledge of privileged information. They don't put anything
> malicious onto the CPU, especially not something that would "stay there",
> "hacker software", "malware" or anything of the sort. They use normal
> operation features of modern CPUs in order to defeat higher level protection
> mechanisms.
>
>> For me this is NOT a trustful way for such an important change and needs to
>> be addressed very seriously to the HW manufacturers.
>> If your org can help with this, it’s great.
>>
> Sooo installing updates onto your system by downloading them is also not a
> trustful way for updates to arrive? You want to chisel those onto your
> hard drive manually? On Windows I think every user has the right to install
> updates even ... which makes sense in a way.
>
> I do not really get what your issue is. As long as you trust that a signature
> for an update is not compromised you should be fine installing that signed
> update (as long as you trust updates in general).
>
> Your main problem really seems to be a misconception about the way these
> vulnerabilities work and what exactly exploiting them entails.
>