Meltdown and Spectre bugs dominate January Patch Tuesday

Administrators have their work cut out for them on multiple fronts after a serious security flaw surfaced that affects most operating systems and devices.

The Meltdown and Spectre vulnerabilities affect most modern CPUs — from Intel-based server systems to ARM processors in mobile phones — and could allow an attacker to pull sensitive data from memory. Microsoft mitigated the flaws with several out-of-band patches last week, which have been folded into the January Patch Tuesday cumulative updates. Full protection from the exploits will require a more concerted effort from administrators, however.

Researchers only recently discovered the flaws that have existed for approximately 20 years. The Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) exploits target the CPU’s pre-fetch functionality that anticipates the feature or code the user might use, which puts relevant data and instructions into memory. A CPU exploit written in JavaScript from a malicious website could pull sensitive information from the memory of an unpatched system.

“You could leak cookies, session keys, credentials — information like that,” said Jimmy Graham, director of product management for Qualys Inc., based in Redwood City, Calif.

In other January Patch Tuesday releases, Microsoft updated the Edge and Internet Explorer browsers to reduce the threat from Meltdown and Spectre attacks. Aside from these CPU-related fixes, Microsoft issued patches for 56 other vulnerabilities with 16 rated as critical, including a zero-day exploit in Microsoft Office (CVE-2018-0802).

Microsoft’s attempt to address the CPU exploits had an adverse effect on some AMD systems, which could not boot after IT applied the patches. This issue prompted the company to pull those fixes until it produces a more reliable update.

Most major cloud providers claim they have closed this security gap, but administrators of on-premises systems will have to complete several deployment stages to fully protect their systems.

“This is a nasty one,” said Harjit Dhaliwal, a senior systems administrator in the higher education sector who handles patching for his environment. “This is not one of your normal vulnerabilities where you just have a patch and you’re done. Fixing this involves a Microsoft patch, registry entries and firmware updates.”

Administrators must ensure they have updated their anti-virus product so it has the proper registry setting; otherwise, they cannot apply the Meltdown and Spectre patches. Windows Server systems require a separate registry change to enable the protections from Microsoft’s Meltdown and Spectre patches. The IT staff must identify the devices under their purview and collect that information to gather any firmware updates from the vendor. Firmware updates will correct two exploits related to Spectre. Microsoft plugged the Meltdown vulnerability with code changes to the kernel.

Dhaliwal manages approximately 5,000 Windows systems, ranging from laptops to Windows Server systems, with some models several years old. He is exploring a way to automate the firmware collection and deployment process, but certain security restrictions make this task even more challenging. His organization requires BitLocker on all systems, which must be disabled to apply a firmware update; otherwise, he could run into encryption key problems.

“This is not going to be an overnight process,” Dhaliwal said.

How expansive are Meltdown and Spectre?

Attacks that use Meltdown and Spectre exploit a bug with how many CPUs execute address space layout randomization. The difference between the two vulnerabilities is the kind of memory that is presented to the attacker. Exploits that use the flaws can expose data that resides in the system’s memory, such as login information from a password manager.

Microsoft noted Meltdown and Spectre exist in many processors — Intel, AMD and ARM — and other operating systems, including Google Android and Chrome, and Apple iOS and macOS. Apple reportedly has closed the vulnerabilities in its mobile phones, while the status of Android patching varies depending on the OEM. Meltdown only affects Intel processors, and the Spectre exploit works with processors from Intel, AMD and ARM, according to researchers.

Virtualized workloads may require fine-tuning

Some administrators have confirmed early reports that the Meltdown and Spectre patches from Microsoft affect system performance.

Dave Kawula, principal consultant at TriCon Elite Consulting, applied the updates to his Windows Server 2016 setup and ran the VM Fleet utility, which runs a stress test with virtualized workloads on Hyper-V and the Storage Spaces Direct pooled storage feature. The results were troubling, with preliminary tests showing a performance loss of about 35%, Kawula said.

“As it stands, this is going to be a huge issue,” he said. “Administrators better rethink all their virtualization farms, because Meltdown and Spectre are throwing a wrench into all of our designs.”

Intel has been updating its BIOS code since the exploits were made public, and the company will likely refine its firmware to reduce the impact from the fix, Graham said.

For more information about the remaining security bulletins for January Patch Tuesday, visit Microsoft’s Security Update Guide.

Tom Walat is the site editor for SearchWindowsServer. Write to him at twalat@techtarget.com or follow him @TomWalatTT on Twitter.

For Sale – GAMING PC FOR SALE “SELLING AS SEPARATES”

Hello, I am selling my gaming PC, which I bought from Overclockers UK in March 2017.

Asus GeForce GTX 1080Ti “Founders Edition” 11264MB GDDR5X PCI-Express Graphics Card
GX-40Y-AS £550

Intel Core i7-7700K 4.2GHz @ 4.7GHz Guarantee OC (Kaby Lake) Socket LGA1151 Processor – Retail £220

MSI Z270 Gaming Pro Carbon Intel Z270 (Socket 1151) DDR4 ATX Motherboard £100

Team Group Xtreem 8GB (4x4GB) DDR4 PC4-31200C18 3866MHz Dual Channel Kit – Black (TXD48G3866HC18ADC0 £120

EVGA SuperNova G1 1000W ’80 Plus Gold’ Modular Power Supply £99

Corsair Crystal 460X RGB Midi Tower Tempered Glass Case – Black (CC-9011101-WW) £90

Crucial MX300 525GB SSD SATA 6Gbps 3D Nand 7mm Solid State Drive (CT525MX300SSD1) £95

WILL UPLOAD PICTURES SOON

Price and currency: 123456
Delivery: Delivery cost is included within my country
Payment method: PAYPAL GIFT
Location: LIVERPOOL
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I have no preference

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.

For Sale – 3XS Gaming Laptop 17in GeForce GTX 1070

Hi there, I’m looking to sell my laptop, which I have owned since Jan 2017. It’s boxed and I have all the paperwork. I paid £1669 for it to use while staying away, for gaming. The hotel internet does not do this machine justice, so I thought I’d sell it, as it seems a waste since I don’t use it much now for that reason. I tried a 4G router from EE and it still didn’t work as I wanted :( dropouts etc. So that’s why I have come to the decision to sell :)

This is the laptop and spec. Please feel free to ask any questions and I will try to answer where I can.

3XS Gaming Laptop 17in GeForce GTX 1070

Price and currency: £1050
Delivery: Goods must be exchanged in person
Payment method: Cash
Location: Rochdale/Manchester
Advertised elsewhere?: Not advertised elsewhere
Prefer goods collected?: I prefer the goods to be collected

For Sale – HP 860-008na VR Ready 980TI i7 PC 32gb Ram

For Sale :

HP 860-008na VR Ready 980Ti i7 Gaming Pc

Due to news of a new arrival on the way, I now have to clear the mancave to make way for a nursery. This PC was purchased at the end of December 2015. It’s been used for about a year, and then once I purchased my Xbox One it just got left unused. The motherboard was replaced in October 2106 under warranty, at which point I purchased an extended warranty (that is transferable to the new owner), which expires December 2018.
There are a few minor points of damage that have been pictured, but other than those it’s a beautiful chassis and a fast and future-proof gaming setup that’s a very reluctant sale. The PC is on Windows 10.

A face-to-face meeting would be preferred so we can power up and have a visual inspection, as it’s quite delicate to post. I do have the box in the loft as well. Shipping isn’t out of the question, but due to its nature and value I would prefer to meet up.

(Please note the picture showing the Bang & Olufsen logo … that part still has the protective plastic factory wrapping on it.)

So basically the pc comes with full 12 month warranty.

Any questions then please feel free to ask.

Price £775
Open to reasonable offers

Specs below:

  • Intel Core™ i7-6700 with Intel HD Graphics 530 (3.4 GHz, up to 4 GHz)
  • 32GB DDR4 RAM, 2TB HDD + 128GB SSD
  • Creative Sound Blaster X-Fi Titanium Sound Card
  • NVIDIA GeForce GTX 980 Ti (6 GB GDDR5 dedicated)
  • 1 dual-link DVI; 1 HDMI; 3 DisplayPort
  • 802.11a/b/g/n/ac (1×1) and Bluetooth 4.0 combo
  • Windows 10 Home 64
  • Bang & Olufsen Sound

Price and currency: 775.00
Delivery: Goods must be exchanged in person
Payment method: Cash on Delivery/Collection
Location: Bury
Advertised elsewhere?: Not advertised elsewhere
Prefer goods collected?: I have no preference

For Sale – Mac mini Server 2012 (2.3Ghz i7, 4GB, 2x1TB)

Mac mini Server 2012 model for sale.

Excellent condition, minor cosmetic niggles.

Works perfectly, freshly formatted with High Sierra. Just bought an iMac so this is surplus.

More info here

Happy to answer any questions

Thanks

Price and currency: £510
Delivery: Delivery cost is not included
Payment method: Paypal Gift, Cash, Bank Transfer
Location: Sheffield
Advertised elsewhere?: Not advertised elsewhere
Prefer goods collected?: I have no preference

Microsoft at the NRF Big Show: There’s nothing artificial about the real intelligence transforming retail – Transform

Here’s a small truth we can all recognize: The better experience a retailer gives us, the more we want such experiences everywhere we shop. If we don’t get that great treatment again, we’re a bit disappointed, maybe even peevish. We’ve been spoiled — and we want more spoiling.

The single most important factor in delighting the shopper is data – and more specifically, what retailers do with the volumes of data they have at their fingertips.

For example, we’ve come to expect that an online retailer will tell a shopper what people who looked at the same last three items finally ended up buying — a helpful and persuasive bit of information. But today’s intelligent retailers are using data not just for those anticipated recommendations, but also in new and surprising ways in physical environments.

An astute salesperson in a brick-and-mortar store might take note of what a shopper has left in his online cart and, when that shopper visits the store, have those items – as well as others that are recommended based on his past purchase history – ready for trying on in a dressing room.

This week at the National Retail Federation’s (NRF) annual show in New York City, Microsoft’s emphasis is on data: what data retailers need, and how best to collect and analyze it. Happily, thanks in part to Microsoft Azure, as well as AI and Internet of Things (IoT) cloud services, wrangling data is becoming increasingly easy and inexpensive for retailers of all sizes.

Armed with the right data, brick-and-mortar stores can more easily offer world-class service that seamlessly spans online and in-person, too. Data-driven control over the supply chain can help maintain just the right levels of inventory. Data can help a store quickly stock items that will sell well because of weather or local events. Knowing a customer’s buying and browsing histories enables helpful purchase suggestions and increases opportunities for upselling.

Here are some examples of retailers innovating with Microsoft technology to make creative use of data, thus winning customers’ hearts, minds and dollars. All are on display in Microsoft’s booth at NRF.

Providing new and personalized experiences

Grocery chain Kroger is collaborating with Microsoft and others to create EDGE (Enhanced Display for Grocery Environment), a grocery-store shelf with a tall vertical front surface that’s a video screen displaying prices, nutritional and allergy information, videos, or other images or data that might boost sales. EDGE relies on Azure to store and process volumes of data.

Connected to both store management and customers by Zigbee, Bluetooth or Wi-Fi, EDGE monitors quantities to ensure stock doesn’t run low. Prices can be set systemically and changed quickly for flash promotions. EDGE can even be programmed to offer sale prices to customers as they pass by, if they’ve indicated they’re interested in a given product and have downloaded an associated app. Now being tested in about 20 Kroger stores, EDGE is set for wider roll-out in 2018.

Ensuring an agile supply chain and empowering employees with omnichannel insight

What’s warm, fuzzy and backed by hidden Microsoft technology? A custom-made stuffed deer, bear, monkey or rabbit from Build-A-Bear Workshop.

Until recently, the global company was using siloed systems that required IT efforts to provide company-wide views of key metrics. Now Dynamics 365 is helping the company build a sturdy, unified IT foundation that will allow for future innovation.

For example, moving forward – and with the customer relationship management capabilities of Dynamics 365 as the foundation – Build-A-Bear is looking to empower its store employees with Microsoft 365, which will provide them with easier access to training, sales metrics and information to assist in offering the best customer experience possible. All of this will help them focus on doing what Build-A-Bear does best: making kids (and their parents) happy.

Home-improvement chain Lowe’s worked with Silicon Valley-based Fellow Robots to deploy LoweBots, five-foot-tall autonomous robots powered by Microsoft Azure that scan shelf inventory and assist store personnel with inventory data, metrics and shelf intelligence.

Microsoft’s Azure cloud services come into play when processing the massive amount of data that a LoweBot generates while it scans inventory on the shelves. The bot takes high-resolution images and identifies which items are out of stock, misplaced or mislabeled. By keeping constant tabs on inventory, the robot frees store employees to aid customers, and empowers corporate employees to make better and faster decisions when it comes to inventory.

Currently LoweBots are deployed in Lowe’s and BevMo Bay Area stores, but in wider use, their inventorying skills could cut into the $70 billion that U.S. businesses spend each year on inventory management tasks.

Empowering employees with technology

Retail giant Macy’s relies on its Macy’s Technology team to provide in-store systems, e-commerce sites, mobile apps and internal tools that foster innovation and employee engagement to attract top talent and boost productivity. Macy’s uses insights from Microsoft Workplace Analytics and MyAnalytics to help build a culture that focuses on how employees choose to spend their time.

This improved understanding of workplace behaviors allows managers and employees to free up time for creativity and innovation with practices like blocking out focus time and optimizing time in meetings.

Innovating to re-imagine the shopping experience

In a major innovation, software developer Xenia Retail has teamed with electronics giant Philips on a showroom/warehouse-model shopping experience designed to eliminate shopping carts and speed check-out, while allowing retailers to re-imagine what their physical footprint looks like for customers.

Rather than removing an item from the shelf and putting it into the cart, the shopper signals intent to buy by holding his phone up to a product to unveil digital value – such as crowd-sourced reviews and complementary products – and select the quantity, color or size desired. Check-out is virtually instantaneous and can be completed in the app or via self-checkout on a secure payment terminal.

As carts are built and transacted in the digital realm, orders are picked and packed in real-time by team members in the back warehouse, and fulfilled according to the shopper’s preference. In doing so, retailers can optimize and reduce front-of-house operations to better focus on warehousing and online fulfillments as ecommerce continues to grow.

Xenia is based on Windows and runs on Azure. The company is integrating Power BI, Dynamics 365 and Outlook into its offerings.

To see and interact with these innovations, visit the Microsoft booth (#2803) at the NRF Big Show, and plan to attend our session to hear first-hand from these and other customers who are transforming their customer experiences, operations, employee engagement and products with intelligent technologies.

Researchers use AI to improve accuracy of gene editing with CRISPR

From left, Nicolo Fusi, a researcher at Microsoft, Jennifer Listgarten, who recently joined the faculty at UC Berkeley, and John Doench, an associate director at the Broad Institute, collaborated on a method of using AI to improve gene editing results. Photo by Dana J. Quigley.

A collaboration between computer scientists and biologists from research institutions across the United States is yielding a set of computational tools that increase efficiency and accuracy when deploying CRISPR, a gene-editing technology that is transforming industries from healthcare to agriculture.

CRISPR is a nano-sized sewing kit that can be designed to cut and alter DNA at a specific point in a specific gene.

The technology, for example, may lead to breakthrough applications such as modifying cells to combat cancer or produce high-yielding drought-tolerant crops such as wheat and corn.

Elevation, the newest tool released by the team, uses a branch of artificial intelligence known as machine learning to predict so-called off-target effects when editing genes with the CRISPR system.

Although CRISPR shows great promise in a number of fields, one challenge is that lots of genomic regions are similar, which means the nano-sized sewing kit can accidentally go to work on the wrong gene and cause unintended consequences – the so-called off-target effects.

“Off-target effects are something that you really want to avoid,” said Nicolo Fusi, a researcher at Microsoft’s research lab in Cambridge, Massachusetts. “You want to make sure that your experiment doesn’t mess up something else.”

Fusi and former Microsoft colleague Jennifer Listgarten, together with collaborators at the Broad Institute of MIT and Harvard, University of California Los Angeles, Massachusetts General Hospital and Harvard Medical School, describe Elevation in a paper published Jan. 10 in the journal Nature Biomedical Engineering.

Elevation and a complementary tool for predicting on-target effects called Azimuth are publicly available for free as a cloud-based end-to-end guide-design service running on Microsoft Azure as well as via open-source code.

Using the computational tools, researchers can input the name of the gene they want to modify and the cloud-based search engine will return a list of guides that researchers can sort by predicted on-target or off-target effects.

Nature as engineer

The CRISPR gene-editing system is adapted from a natural virus-fighting mechanism. Scientists discovered it in the DNA of bacteria in the late 1980s and figured out how it works over the course of the next several decades.

“The CRISPR system was not designed, it evolved,” said John Doench, an associate director at the Broad Institute who leads the biological portions of the research collaboration with Microsoft.

CRISPR stands for “clustered regularly interspaced short palindromic repeats,” which describes a pattern of repeating DNA sequences in the genomes of bacteria separated by short, non-repeating spacer DNA sequences.

The non-repeating spacers are copies of DNA from invading viruses, which molecular messengers known as RNA use as a template to recognize subsequent viral invasions. When an invader is detected, the RNA guides the CRISPR complex to the virus and dispatches CRISPR-associated (Cas) proteins to snip and disable the viral gene.

Modern adaptations

In 2012, molecular biologists figured out how to adapt the bacterial virus-fighting system to edit genes in organisms ranging from plants to mice and humans. The result is the CRISPR-Cas9 gene editing technique.

The basic system works like this: Scientists design synthetic guide RNA to match a DNA sequence in the gene they want to cut or edit and set it loose in a cell with the CRISPR-associated protein scissors, Cas9.

Today, the technique is widely used as an efficient and precise way to understand the role of individual genes in everything from people to poplar trees as well as how to change genes to do everything from fight diseases to grow more food.

“If you want to understand how gene dysfunction leads to disease, for example, you need to know how the gene normally functions,” said Doench. “CRISPR has been a complete game changer for that.”

An overarching challenge for researchers is to decide what guide RNA to choose for a given experiment. Each guide is roughly 20 nucleotides; hundreds of potential guides exist for each target gene in a knockout experiment.

In general, each guide has a different on-target efficiency and a different degree of off-target activity.

The collaboration between the computer scientists and biologists is focused on building tools that help researchers search through the guide choices and find the best one for their experiments.

Several research teams have designed rules to determine where off-targets are for any given gene-editing experiment and how to avoid them. “The rules are very hand-made and very hand-tailored,” said Fusi. “We decided to tackle this problem with machine learning.”

Training models

To tackle the problem, Fusi and Listgarten trained a so-called first-layer machine-learning model on data generated by Doench and colleagues. These data reported on the activity for all possible target regions with just one nucleotide mismatch with the guide.

Then, using publicly available data that was previously generated by the team’s Harvard Medical School and Massachusetts General Hospital collaborators, the machine-learning experts trained a second-layer model that refines and generalizes the first-layer model to cases where there is more than one mismatched nucleotide.

The second-layer model is important because off-target activity can occur with far more than just one mismatch between guide and target, noted Listgarten, who joined the faculty at the University of California at Berkeley on Jan. 1.

Finally, the team validated their two-layer model on several other publicly available datasets as well as a new dataset generated by collaborators affiliated with Harvard Medical School and Massachusetts General Hospital.

Some model features are intuitive, such as a mismatch between the guide and nucleotide sequence, noted Listgarten. Others reflect unknown properties encoded in DNA that are discovered through machine learning.

“Part of the beauty of machine learning is if you give it enough things it can latch onto, it can tease these things out,” she said.

Off target scores

Elevation provides researchers with two kinds of off-target scores for every guide: individual scores for one target region and a single overall summary score for that guide.

Target scores are machine-learning-based probabilities, provided for every single region on the genome, that something bad could happen there. For every guide, Elevation returns hundreds to thousands of these off-target scores.

For researchers trying to determine which of potentially hundreds of guides to use for a given experiment, these individual off-target scores alone can be cumbersome, noted Listgarten.

The summary score is a single number that lumps the off-target scores together to provide an overview of how likely the guide is to disrupt the cell over all its potential off-targets.

“Instead of a probability for each point in the genome, it is what’s the probability I am going to mess up this cell because of all of the off-target activities of the guide?” said Listgarten.

End-to-end guide design

Writing in Nature Biomedical Engineering, the collaborators describe how Elevation works in concert with a tool they released in 2016 called Azimuth that predicts on-target effects.

The complementary tools provide researchers with an end-to-end system for designing experiments with the CRISPR-Cas9 system – helping researchers select a guide that achieves the intended effect – disabling a gene, for example – and reduce mistakes such as cutting the wrong gene.

“Our job,” said Fusi, “is to get people who work in molecular biology the best tools that we can.”

In addition to Listgarten, Fusi and Doench, project collaborators include Michael Weinstein from the University of California Los Angeles, Benjamin Kleinstiver, Keith Joung and Alexander A. Sousa from Harvard Medical School and Massachusetts General Hospital, and Melih Elibol, Luong Hoang, Jake Crawford and Kevin Gao from Microsoft Research.

John Roach writes about Microsoft research and innovation. Follow him on Twitter.
