Hi Felix

Ok, I now understand your points. You are right about the Firefox case; and 
this is GOOD NEWS for the SECURITY.
AND if you argue with the one direction of microcode updates YOU are also 
right. ;)

But who (which tech.) can/will stop a clever hacker from doing forward updates 
on the microcode with his own/bad changes? 
If it is cryptographic (as described) it’s better than nothing, but an 
additional local button/process would secure it in advance.

We will see today HOW Microsoft & RedHat will now PATCH/CHANGE the microcode 
with their Update capabilities!
It’s better that they are able to do it than just another app from any 
uncertain sources.

You helped me a lot to feel more secure now. THANKS!

Kind regards
Patrik
 


ifs³ Consulting+Engineering
Patrik Lori
CTO, cert. Computer Engineer & MAS-BA
Panoramastr. 6, 5625 Kallern, Switzerland
 
Web:        http://www.ifs3.com
Email:      patrik.l...@ifs3.com
Mobile:    +41 79 326 75 97
 

> On 09.01.2018 at 02:25, Felix Winterhalter <fe...@audiofair.de> wrote:
> 
>> I’m very very sorry, that you think I’m NOT understanding "Spectre" and
>> what this shows. - I understand this very well! ;)
>> 
>> *FOR YOU:*
>> ======
>> 
>> PLEASE look at the possibilities of the new *version 57.0.4 of Firefox*.
>> *With this specially created release (of this browser) you can PATCH the
>> Microcode AGAINST Spectre*
> Let me stop you right there. This is simply not true at all. If you
> had read up on what exactly they changed in 57.0.4 of Firefox to
> mitigate the Meltdown and Spectre attacks you might have seen that they
> simply changed the resolution of the timing source you can get via the
> JavaScript function performance.now() to be 20 µs.
> 
> Since both Meltdown and Spectre rely on having accurate high resolution
> timing information available to the process running the attack, this
> effectively leads to those attacks no longer working from within Firefox.
> 
> This has absolutely NOTHING whatsoever to do with microcode patching,
> and so is absolutely irrelevant.
> 
>> But in this case (Spectre) just a "bad website" can be used to read data 
>> from other areas. This is possible because of some side-effect the current 
>> Microcode has. If we can FIX that with the special version (57.0.4) of 
>> Firefox, a hacker can change it back again with another program and no one 
>> knows! - After this he just needs a "bad website" to get data AGAIN.
> 
> This also fundamentally shows that you have not understood how microcode
> updates work. You can't just "change it back" as microcode updates only
> work in one direction, that is "the update applied needs to be newer
> than the one already applied"; the update revision is included in the
> cryptographic signature of the microcode update. So you cannot just
> apply old updates on top of new ones.
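
The timer change described in the quoted reply, as an added example that is not part of the original e-mail thread: it models a clock rounded down to 20 µs and counts how often a single timed run separates two operations. The 50 ns and 250 ns durations and all function names are constructed for illustration.

```javascript
// Added illustration; all durations below are constructed, not measurements.
const RESOLUTION_NS = 20000; // 20 µs, the value quoted in the reply above

// Round a timestamp down to the timer's resolution, as a coarsened clock does.
function coarsen(tNs, resolutionNs) {
  return Math.floor(tNs / resolutionNs) * resolutionNs;
}

// Duration a caller would compute from two readings of the coarsened clock.
function observedDuration(startNs, durationNs, resolutionNs) {
  return coarsen(startNs + durationNs, resolutionNs) - coarsen(startNs, resolutionNs);
}

// Count the start offsets at which one timed run gives a different reading
// for a fast operation than for a slow one. Start offsets sweep one 20 µs
// window in 10 ns steps (2000 samples).
function countDistinguishingSamples(fastNs, slowNs, resolutionNs) {
  let differing = 0;
  for (let start = 0; start < RESOLUTION_NS; start += 10) {
    const fast = observedDuration(start, fastNs, resolutionNs);
    const slow = observedDuration(start, slowNs, resolutionNs);
    if (fast !== slow) differing++;
  }
  return differing;
}

// Constructed example: operations taking 50 ns and 250 ns.
const fine = countDistinguishingSamples(50, 250, 1);
const coarse = countDistinguishingSamples(50, 250, RESOLUTION_NS);
console.log(`1 ns timer:  ${fine} of 2000 samples differ`);
console.log(`20 µs timer: ${coarse} of 2000 samples differ`);
```

With these constructed values, every reading differs on the 1 ns clock, while on the 20 µs clock only 1% of readings differ, and those report 0 or 20 µs rather than the real duration.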
