hake

Honorary Members
  • Posts: 629

Everything posted by hake

  1. I wonder if the 22-year-old Google researcher will one day reflect that his revelations of irremediable processor flaws were worth his 15 minutes of fame. It was a tour de force to figure out the nature of the flaws but what a bounty he has bestowed on criminal hackers everywhere, even to simply tell them what is possible. The supposed beneficiaries, we the computer users, of his genius must wait for what is in store for us. If only he had kept his discoveries to himself. The chances are that such processor flaws would not even have occurred to anyone else. As it is, there is surely now hardly a single trustworthy computer on the planet. Thank you Jann.
  2. Thanks for those URLs gigiadi. I guess that browser updates from now on will be a continual effort to place obstacles in the way of criminal hackers. NoScript can be used to achieve a sort of site isolation by allowing active content to be restricted to a list of domains. I use Firefox for my online banking and use NoScript to only allow the domain of the bank to use active content which I assume includes JavaScript.
  3. For those who build their own PCs or use Toshiba computers there seems to be no way of installing Intel and AMD updates. In that case the Microsoft security updates for Meltdown/Spectre seem only to be ineffective system slowing entities. The main vulnerability presently seems to exist in web browsers and there lies, in the short term at least, the best hope for mitigating processor security flaws. I hope that more browser checkers like Tencent's become available so that users can readily and regularly test their vulnerabilities.
  4. Much of my very modest understanding of the web browser situation has been gleaned from the articles via the following URLs: -

     https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
     https://www.chromium.org/Home/chromium-security/ssca

     I always block third party cookies with Firefox, Google Chrome and Opera 12.17. Google Chrome has an experimental feature of Site Isolation, i.e. isolation of the code for each site being run in different processes. I have enabled this. The browser developers are rapidly developing mitigations. There are more to come on 23 January for both Google Chrome and Firefox.

     With Firefox which I use for my banking, I use NoScript which allows only my bank's web site to use JavaScript and enforces use of JavaScript with secure pages only. There are other restrictions but as far as Meltdown/Spectre are concerned, the critical thing seems to be to isolate the web browsing session to my bank only. Basically, I use Firefox only for accessing my bank account data.

     Here is a browser check for Spectre: -

     CAUTION: I have been made aware by others that Tencent apparently has a less than gleaming reputation with regard to its testing and web browser tools.

     https://xlab.tencent.com/special/spectre/spectre_check.html

     Firefox ESR 45.0.9, Comodo Dragon 33.1.0.0 (third party cookies blocked) and Opera 12.17 on my XP system (Jan 2018 Microsoft Windows XP security updates KB4056615 and KB4056941 installed) are all said by the check not to be vulnerable to Spectre. The same goes for my up-to-date and patched Windows 7 SP1 64-bit systems with Firefox ESR 52.5.3 and Google Chrome 63.0.3239.132. However, Steve Gibson's inspectre.exe (downloaded via https://grc.com/inspectre.htm) says that my Windows 7 and Windows XP systems are vulnerable to Spectre (so much for the January 2018 security updates!) but not to Meltdown. I do not have access to firmware updates (yet?).

     I infer from the Tencent check that the browsers work in such a way as not to allow code which extracts data from memory to operate. I guess that my only likely practical exposure to the Spectre vulnerability is by using a web browser on web sites over the Internet. If my above assumptions are nonsense, please tell me. I would rather be corrected than to continue deluding myself (if that is the case).
  5. With regard to Meltdown/Spectre and the now apparent role of JavaScript to execute Meltdown/Spectre exploits within web browsers, is MBAE able to identify and mitigate the behaviour of scripts run with JavaScript in the context of Meltdown/Spectre?
  6. I have read that an exploit can be performed by using JavaScript which works in a web browser to access memory. A JavaScript program can read data from the address space of the browser process running it. Browser providers are working on mitigation updates: - https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ https://www.chromium.org/Home/chromium-security/ssca
  7. MBAE did not react while the patch was being installed. I hope that MBAE will block any exploit needed to install Meltdown/Spectre spyware. I guess that the web browser or email attachment would be the route for an exploit to take.
  8. I guess that the exploits necessary to install Meltdown/Spectre on a system are likely to be trapped by MBAE, especially via the web browser route. Is this a reasonable assumption?
  9. MBAE Beta 1.11.1.45 continues to work faultlessly on Windows XP SP3 and Windows 7 (64-bit). It is now strutting its stuff on four XP systems.
  10. Thank you Arthi. I have installed MBAE 1.11.1.45 onto 2 Windows 7 (64-bit) systems and two Windows XP SP3 systems. The behaviour on Windows XP of this version of MBAE is now free of the problems I had reported such as running .bat files. I have all installations working with all advanced settings enabled, including the Ret Rop gadget detections. There is not a murmur of protest from any applications, on my systems at least. I can only report that everything works as I would wish. I am glad that you guys are persevering with Windows XP. Thanks.
  11. I have installed MBAE Beta 1.11.1.40 on two Windows 7 (64bit) systems and it works fine. However, it seems that there is still a problem with Windows XP. This time, at least, it was possible to uninstall the new version and reinstall MBAE 1.10.1.24 without having to do a System Restore. Like with MBAE 1.11.1.26, MBAE 1.11.1.40 behaved OK for a short while before becoming troublesome.
  12. I should add that I had no problem uninstalling MBAE 1.11.1.26 and then reinstalling MBAE 1.10.1.24 on the Windows XP system on which MBAE 1.11.1.26 did NOT work properly. On the Windows XP system on which the uninstall of MBAE 1.11.1.26 was a difficulty, I will take the precaution of trying the next MBAE Beta on a clone of my working system disk before deciding whether to install it on my actual working system disk.
  13. DISAPPOINTMENT! The apparently successful Windows XP installation of MBAE 1.11.1.26 went wrong after several hours of satisfactory use. I had to do a system restore to get MBAE 1.10.1.24 back because installing a working MBAE 1.10.1.24 was not possible after uninstalling MBAE 1.11.1.26. I do not know if this problem also applies to installations of MBAE 1.11.1.26 on Windows 7. I hope not.
  14. CORRECTED IMPRESSIONS of MBAE Beta 1.11.1.26 I have installed MBAE Beta 1.11.1.26 on one Windows XP SP3 system and two Windows 7 (64bit) systems and have noticed nothing amiss on Windows 7 and one of my XP systems. I tried installing MBAE 1.11.1.26 on my other XP system but it does not like MBAE 1.11.1.26 and had to be reverted to MBAE 1.10.1.24. With the working Windows XP/MBAE 1.11.1.26 combination, protected applications now behave as they should and there seem to be no issues with running .bat files. This is the first version of MBAE Beta since MBAE 1.10.1.24 which works as I would wish it to, on one system at least. In addition I have enabled EVERY advanced settings option without any complaint by my protected applications. I am not recommending users to do this but am simply observing that enabling all advanced settings causes me no problems on the systems on which MBAE 1.11.1.26 actually works properly. As I said above, one XP system seems to consistently behave as it did with MBAE 1.10.1.24 but the other worked OK for a short while only and then reverted to the behaviour I reported in an earlier post with MBAE 1.10.1.41. The non-co-operating XP system runs a couple of protected applications after startup but something seems to then get switched off. If MBAE protection is stopped, then protected applications will run. Start MBAE protection again and the problem resumes. Windows Task Manager tells me that the protected applications actually start and then hang. The processes remain on the task list even when MBAE protection is stopped. The other XP system continues to work happily with MBAE 1.11.1.26 so the developers of MBAE must have made some progress in overcoming the XP problems. I guess that users of XP might usefully try MBAE Beta 1.11.1.26 for themselves but don't be surprised if MBAE 1.11.1.26 does not work.
  15. MBAE Beta 1.11.1.18 works without problems with Windows 7 (64bit).
  16. I am disappointed to say that the problem running MBAE Beta 1.10.1.41 with Windows XP SP3 (reported by me and others) appears to persist with MBAE Beta 1.11.1.18.
  17. MBAE 1.10.1.37 works better than MBAE 1.10.1.41 on Windows XP but something still is not right.
  18. Gloom! MBAE 1.10.1.41 still causes trouble with all three of my Windows XP SP3 installations. The pushed update (version 1.10.1.41) seemed to allow protected applications to run acceptably but .bat files misbehave, like the window opens but nothing happens and sometimes the system semi locks-up and switching off the power is necessary to restart. Seemingly a general problem with Windows XP, I think. It's back to MBAE 1.10.1.24 and using the HOSTS file to block the URL of the source of pushed updates. No problems with Windows 7 (64bit) though, at least I haven't noticed any. Windows 8.1 is probably also OK. I know this because my wife's older sister hasn't been on the phone to complain.
  19. I have received a pushed update to MBAE Beta 1.10.1.41 and the file size is the same as the installer for the problem version. So far MBAE Beta 1.10.1.41 (reincarnated) seems to be working as I would wish it to and without the problems I previously reported.
  20. Since updating from MBAE 1.10.1.24 to 1.10.1.41, my admittedly obsolete Windows XP SP3 system has been beset with misbehaving protected applications which refuse to start properly and yet are unable to terminate. Uninstalling MBAE 1.10.1.41 and reinstalling MBAE 1.10.1.24 restores order to the system. There seems to be no problem with MBAE 1.10.1.41 running on Windows 7. Could you please advise me about the current procedure available to the user to report information on MBAE problems? While the future of Windows XP is probably now limited, I imagine that MalwareBytes still wishes to receive information on issues with the behaviour of MBAE on Windows XP. I have run DDS.com (this runfile dates back to 2013) and have dds.txt and attach.txt available to send. Please let me know who to PM these to.
  21. (I had asked another question here for which I have since found the answer but cannot rescind the post. It might be a useful forum option to allow a poster to be able to do this.)
  22. Thank you exile360 for that informative and thoughtful response.
  23. What are the prospects for continued database updates for MBAM 2 please? There seems to be no more suitable category in the forum to place this particular question.
  24. OOPS! I invariably turn ON Bottom Up ASLR for Windows 7 systems and I guess that using it with Windows XP is better than not using it.
  25. Hi Kaine, Thank you for your response. I am trying to acquire a better understanding of how these techniques work without actually having to understand them. Your comments are most helpful in furthering my quest. I have only recently discovered Comodo Memory Firewall (only 9 years late which is pretty good for me). My poor old non-Nx equipped Athlon XP 3000+ processor powered Windows XP PC needs it for any semblance of buffer overflow protection. I have a notion that MBAE's DEP Bypass Protection might be beneficial even on this venerable system, reliant as it is on software buffer overflow protection. Comodo Memory Firewall is presumably better than nothing. I have read that Bottom Up ASLR increases randomisation of memory occupied by executables. This seems to matter a lot with Windows 7 but less so with Windows 8 and later. The default MBAE advanced settings do not include the switching on of Bottom Up ASLR except for one class of application and I wondered why the benefit of greater entropy of memory allocation was not the default. I invariably turn off Bottom Up ASLR for Windows 7 systems and I guess that using it with Windows XP is better than not using it. My understanding is that Bottom Up ASLR causes different base addresses to be used each time an application is started in Windows 7 which thus increases randomisation.