Meltdown and Spectre patches

Intel currently has Meltdown and Spectre patches ready for 90 percent of modern processors.

With Meltdown and Spectre turning into something of a PR disaster for Intel, the chip-maker has promised that patches will be made available for the vast majority of modern processors by the end of next week.

The company says that it has already released "updates for the majority of processor products introduced within the past five years" in the form of firmware updates and software patches. By the end of next week, Intel hopes to have released updates for 90 percent of processors from the last five years. Refuting claims made by many parties, Intel denies that the patches come with a significant performance impact, and says that any negative side effects will be mitigated over time.

Intel is focusing attention on chips that have been produced in the last five years -- which is understandable to a degree. The company says that it "has developed and is rapidly issuing updates for all types of Intel-based computer systems," but it is not clear when -- or whether -- older devices will be treated to patches.

In a statement posted on its website, Intel says:

Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.

Unbox your laptop, and say hello to security risks

Laptops from five popular PC makers all contained security vulnerabilities right out of the box, according to an investigation by Duo Labs.

Powering up a new laptop can be exhilarating. It can also be full of security risks.

Software update tools that are preinstalled on Acer, Asus, Dell, HP and Lenovo laptops all contained at least one critical security vulnerability that hackers could easily exploit, said Duo Labs, the research arm of Duo Security, in the results of an investigation published Tuesday. In total, Duo Labs uncovered 12 different OEM software vulnerabilities across all the computer makers.

OEM (original equipment manufacturer) software includes programs like product registration and 30-day free trials that come installed on a laptop right out of the box. They're often referred to as bloatware since they're largely unnecessary and weren't installed at the user's request. Not only is bloatware superfluous, it's often a weak link in the security chain, according to Duo Labs.

"The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant -- meaning, trivial," wrote Darren Kemp, a security researcher with Duo Labs, in a blog post Tuesday.

The Duo Labs investigation highlights the risk of unnecessary software. Programs that people have little use for -- or didn't know were there in the first place -- can easily become out-of-date, which opens them up to security vulnerabilities. PC vendors also failed to build basic security measures into these update tools, said the report. When this happens, bloatware goes from annoying to dangerous.

Here's the really bad news: There's little that laptop owners can do to protect themselves from the vulnerabilities created by these OEM update tools, Duo Labs said. What safeguards there are require significant time and effort: The research team recommended wiping any OEM system and reinstalling a bloatware-free copy of Windows and uninstalling any unnecessary software.

Duo Labs reported these vulnerabilities to the PC makers, which were selected because they are popular brands, and some have already been fixed. In many cases, consistent use of encryption in these OEM update tools would have made these vulnerabilities much more difficult to exploit, said Duo Labs.

HP has fixed the high-risk vulnerabilities, Duo Labs said, and Lenovo will be releasing an update to remove the vulnerable software from all its laptops. Lenovo worked "swiftly and closely with Duo Security to mitigate the issue and publish a security advisory," the company said in a statement. HP did not respond to CNET's request for comment.

Acer and Asus acknowledged the vulnerabilities, said Duo Labs, but have not released a fix yet. Asus did not respond to CNET's request for comment. On Thursday, Acer said it deployed an update to fix the problem.

"This update addresses the vulnerabilities that could allow unauthorized parties to potentially tamper with the software update files distributed to Acer customers," the company said in a statement. "We will continue to focus on the security and functionality of our software to deliver an enhanced customer experience."

"Customer security is a top priority for Dell," said a spokeswoman for the company. "Like Duo Security called out in the report, we fared comparatively well in their testing and continue to test our software to identify and fix outstanding vulnerabilities as we examine their findings more closely."