ASUS Provides BIOS updates addressing MDS vulnerabilities, ZombieLoad, RIDL, and Fallout - EVGA Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

Welcome, ! User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes

Mark Thread UnreadFlat Reading Mode ❐

ASUS Provides BIOS updates addressing MDS vulnerabilities, ZombieLoad, RIDL, and Fallout

Author Post Essentials Only Full Version
rjohnson11 EVGA Forum Moderator Total Posts : 102323 Reward points : 0 Joined: 2004/10/05 12:44:35 Location: Netherlands Status: offline Ribbons : 84 2019/05/24 23:51:27 (permalink) https://www.vortez.net/news_story/asus_releases_bios_update_to_address_zombieloadridland_fallout.html ASUS is aware that a new sub-class of speculative execution side-channel vulnerabilities in Intel CPUs, called Microarchitectural Data Sampling (MDS), also known as ZombieLoad, RIDL, and Fallout, may allow information disclosure. Intel states that selected 8th and 9th Generation Intel Core processors, as well as the 2nd Generation Intel Xeon Scalable processor family, are not vulnerable to MDS. If you are using one of these processors, no further action is necessary. For other Intel processors, ASUS is working closely with Intel to provide a solution in a forthcoming BIOS update. AMD Ryzen 9 7950X, Corsair Mp700 Pro M.2, 64GB Corsair Dominator Titanium DDR5 X670E Steel Legend, MSI RTX 4090 Associate Code: H5U80QBH6BH0AXF. I am NOT an employee of EVGA #1 4 Replies Related Threads
Cool GTX EVGA Forum Moderator Total Posts : 31005 Reward points : 0 Joined: 2010/12/12 14:22:25 Location: Folding for the Greater Good Status: offline Ribbons : 122 Re: ASUS Provides BIOS updates addressing MDS vulnerabilities, ZombieLoad, RIDL, and Fallo 2019/05/25 00:17:21 (permalink) Good Learn your way around the EVGA Forums, Rules & limits on new accounts Ultimate Self-Starter Thread For New Members I am a Volunteer Moderator - not an EVGA employee https://foldingathome.org -->become a citizen scientist and contribute your compute power to help fight global health threats *RTX Project* EVGA X99 FTWK *Nibbler* EVGA X99 Classified EVGA 3080Ti FTW3 Ultra #2
Nereus Captain Goodvibes Total Posts : 18926 Reward points : 0 Joined: 2009/04/09 20:05:53 Location: Brooklyn, NYC. Status: offline Ribbons : 58 Re: ASUS Provides BIOS updates addressing MDS vulnerabilities, ZombieLoad, RIDL, and Fallo 2019/05/26 19:13:09 (permalink) Attackers need local execution first - attackers can only mount attacks in practical settings once they have the ability to execute (unprivileged) code on the victim machine. We could convince ourselves this is still an obstacle, but we should first be prepared to disable JavaScript (and similar) in the browser, abandon cloud computing, etc. - https://mdsattacks.com/ FYI, type "wmic cpu get caption" in Windows Command Prompt to get CPU family, model & stepping. BUILD 1 2 \| MINI-ITX BUILD \| MODSRIGS $1K WIN \| HEATWARE 111-0-0 \| ASSOCIATE CODE CSKKXUT5Q9GVAFR #3
ty_ger07 Insert Custom Title Here Total Posts : 21174 Reward points : 0 Joined: 2008/04/10 23:48:15 Location: traveler Status: offline Ribbons : 270 Re: ASUS Provides BIOS updates addressing MDS vulnerabilities, ZombieLoad, RIDL, and Fallo 2019/05/26 20:12:29 (permalink) NereusWe could convince ourselves this is still an obstacle, but we should first be prepared to disable JavaScript (and similar) in the browser... Our experience is heavily controlled by JavaScript. Many sites stop working without JavaScript. JavaScript has become a cornerstone of our internet experience. Right now we are seeing content which was provided to us by JavaScript. No one should ever confuse JavaScript with Java. Usually mitigation is put in place inside of the JavaScript framework for known vulnerabilities, but ultimately you can't expect a framework to be aware of, detect, and prevent all attacks. JavaScript is an immensely universal, often simple, but ultimately an enormously powerful and capable attack vector. With these Intel speculative attacks, over and over people have repeated how safe they feel, how impossible it is to exploit the speculative attacks, and mostly they over and over talked about needing physical access to the machine. Over and over I have pointed out that JavaScript has time and time again proven to be a capable attack vector. All you have to do is have an unpatched machine/browser/JavaScript framework, spend enough time on a compromised multimedia streaming website or stock/news ticker site, and that's it! Since JavaScript operates "client side" there is not necessarily any detectable suspicious network activity prior to the JavaScript finding whatever it is programmed to find and sending it back to mother. Unmitigated, the speculative attacks give the attacker access to absolutely anything in memory regardless of any previously-existing attempts to prevent it. Sandboxing did nothing. Antivirus did nothing. Restricting memory addresses did nothing. Kernel protections did nothing. "Physical access" is a hugely misleading term. post edited by ty_ger07 - 2019/05/26 20:27:03 ASRock Z77 • Intel Core i7 3770K • EVGA GTX 1080 • Samsung 850 Pro • Seasonic PRIME 600W Titanium My EVGA Score: 1546 • Zero Associates Points • I don't shill #4
Nereus Captain Goodvibes Total Posts : 18926 Reward points : 0 Joined: 2009/04/09 20:05:53 Location: Brooklyn, NYC. Status: offline Ribbons : 58 Re: ASUS Provides BIOS updates addressing MDS vulnerabilities, ZombieLoad, RIDL, and Fallo 2019/05/26 22:06:08 (permalink) ty_ger07 NereusWe could convince ourselves this is still an obstacle, but we should first be prepared to disable JavaScript (and similar) in the browser... Our experience is heavily controlled by JavaScript. Many sites stop working without JavaScript. JavaScript has become a cornerstone of our internet experience. Right now we are seeing content which was provided to us by JavaScript. No one should ever confuse JavaScript with Java. Usually mitigation is put in place inside of the JavaScript framework for known vulnerabilities, but ultimately you can't expect a framework to be aware of, detect, and prevent all attacks. JavaScript is an immensely universal, often simple, but ultimately an enormously powerful and capable attack vector. With these Intel speculative attacks, over and over people have repeated how safe they feel, how impossible it is to exploit the speculative attacks, and mostly they over and over talked about needing physical access to the machine. Over and over I have pointed out that JavaScript has time and time again proven to be a capable attack vector. All you have to do is have an unpatched machine/browser/JavaScript framework, spend enough time on a compromised multimedia streaming website or stock/news ticker site, and that's it! Since JavaScript operates "client side" there is not necessarily any detectable suspicious network activity prior to the JavaScript finding whatever it is programmed to find and sending it back to mother. Unmitigated, the speculative attacks give the attacker access to absolutely anything in memory regardless of any previously-existing attempts to prevent it. Sandboxing did nothing. Antivirus did nothing. Restricting memory addresses did nothing. Kernel protections did nothing. "Physical access" is a hugely misleading term. Yup. I'm just repeating what came from that site. It's impractical. Sounds like Intel damage control. Pretty scary stuff. Even some of the 8th and 9th Generation Intel Core processors are vulnerable, despite Intel assuring they are not earlier. Even turning off HT doesn't 'fix' it, although it (allegedly) does reduce the risk. BUILD 1 2 \| MINI-ITX BUILD \| MODSRIGS $1K WIN \| HEATWARE 111-0-0 \| ASSOCIATE CODE CSKKXUT5Q9GVAFR #5

Jump to:

Back to Mobile