Intel bug incoming? Meltdown and Spectre exploits

[jabbz]

I just hope its not a big impact to us the user!

 

[IT Troll]

Apparently AMD let the cat out of the bag during the embargo by mentioning the nature of the exploit in some Christmas patch notes. This led to the story breaking early and tech companies not being as ready as they could have been. What a thoughtful gift. I’m sure it was just an accidental slip...

https://lkml.org/lkml/2017/12/27/2

 

[AmateurExpert]

For meltdown yes. However, from what i have read Spectre affects AMD stuff as well.

Also from what i have read meltdown is fixed with the OS update but it is Spectre that needs the microcode update.

This is what I understand too. The concern is that the performance impact from the microcode update (to address Spectre) could well be worse than the Meltdown patch. Need moar benchmarks!

 

[opethdisciple]

Are AMD systems going to need a microcode update?

 

[TrixP10]

The problem isn't trust, it's need. If your company requires 500 more computers, or if a server farm needs upgrading you can't simply not buy and if AMD computers aren't available you only have one other choice. That is the big issue, computers run the world, the choice to not buy doesn't exist for business. If Amazon require expanding their cloud capacity they can't just wait, they lose business doing that to someone else who would buy computers to expand their capacity instead. So Amazon have to buy and again they can only buy what is available. I fully expect companies to think heavily about buying AMD and many will, but AMD will run out of chips and given no other option trust or no trust, they'll buy Intel.

Now if GloFo had the same manufacturing capacity as AMD and it wasn't already assigned (which itself is a situation that wouldn't happen, you don't keep 20billion+ worth of fabs sitting there idle waiting for this kind of situation) then I think trust could massively massively hurt Intel, but in the current situation it will likely make much less difference than it should.

On the other hand, selling every Polaris / Vega / Epyc chip that you can make must be kinda nice.

I don't see Intel solving this one too soon

 

[Rroff]

Damn, thats a hell of a lot more than 30%

Gonna be an interesting one for me - one of the reasons I've stuck with the 4820K over Ryzen was that some of the compiler stuff I do runs seriously faster even with max threading on it over AMD that said I can just air gap a machine for that and run it unpatched if it came to it.

 

[killianzz]

Sorry to burst your bubble, but that's not what safety in numbers means though - it means that most get away unscathed as a minority pay the price.

Abundant technology exists to enable scale and automation - it's very little cost to attack millions vs attacking a few. If you're a victim alongside many others, you're still a victim

Of course you have your own pain thresholds and unique circumstances, but don't let scary headlines put you off patching.

Most get away is exactly what I mean by safety in numbers. The minority (not impossible that I will be scathed) will be scathed regardless of whether I patch or not. I'll reassess the risk in the future once I've seen how much these are exploited. If my Steam password gets hacked in the meantime, I won't lose much sleep.

How skilled a hacker is needed to crack these weak points anyway?

 

[AmateurExpert]

Good hygiene should avoid him downlaoding any compromised/injected code though, plus two factor authorisation on the critical applications means passwords are of limted use (unless the attacker is waiting ready to control your system immediately you provide the second password) ?

Agreed, but the sheer number of systems being vulnerable doesn't afford anyone additional protection in of itself. And it's tricky to avoid the risk from Javascript attacks without foregoing Javascript entirely.

Most get away is exactly what I mean by safety in numbers

You said "the fact that such a vast amount of hardware has got the flaw" will give safety in numbers, but as I've already said attacks aren't limited in targeting only a minority - it's the same vulnerability so the hardware is vulnerable en masse.

 

[AmateurExpert]

once I've seen how much these are exploited. If my Steam password gets hacked in the meantime, I won't lose much sleep.

Perhaps because of this from meltdownattack.com:

Can I detect if someone has exploited Meltdown or Spectre against me?

Probably not. The exploitation does not leave any traces in traditional log files.

Can my antivirus detect or block this attack?

While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.

How skilled a hacker is needed to crack these weak points anyway?

The proof of concepts are in the public domain. There are more than enough people around the world (state sponsored and otherwise) with the necessary skills to turn POCs into functional exploits.

 

[west1980]

Intel states that its next batch of security updates to its processors will grant them immunity to the exploits.

http://www.techradar.com/news/intel...own-and-spectre-after-latest-security-updates

 

[LabR@t]

Sorry don't buy it

 

[LabR@t]

When are the Intel CPUs going to tank in cost then?

 

[David Bisset]

Safety in numbers does not apply at all i n computer security (whatever bank uses that line makes me facepalm)

Viruses etc target the largest demographic they can - it's danger in numbers. This is why the fallacy about mac security came about. They had more vulnerabilities discovered but way fewer viruses because market share used to be too low for it to be worth the effort.

This is widespread enough it will see more exploits for sure, and once written it takes a script kiddie all of a minute to try and use it against people. So skill level required is near zero.

 

[keyser]

Not a lot we can do beyond make sure you patch things, be careful what software and websites you visit. Intel release microcode update, Microsoft release that plus kernel patch? The patch will slow all CPUs down by ~5%, we will have to wait for post-patch benchmarks to confirm that. It's going to take a while for Intel (and all CPU manufacturers) to fix this at the hardware level, probably cause delays in future releases and might be too late to fix for the next update of CPUs(?) On the plus side the next gen CPUs that have been fixed will be 5% faster

https://youtu.be/PEmC5-BdO28?t=218
https://www.anandtech.com/show/12214/understanding-meltdown-and-spectre

 

[deuse]

When are the Intel CPUs going to tank in cost then?

Soon I hope

 

[LabR@t]

Doesn't this require a new design paradigm in cpu design

 

[keyser]

Doesn't this require a new design paradigm in cpu design

I was wondering the same thing. Hopefully not.

 

[keyser]

As bad at this is its not as bad as Windows 98 where people could open my CDROM drive and BSOD nuke me once they knew my IP address.. good times I guess they're examples of writable attacks! This is read-only.

 

[stockhausen]

...
It's going to take a while for Intel (and all CPU manufacturers) to fix this at the hardware level
...

They have all had at least six months to think about it but yes, it will probably involve a lot more work.

Regaining trust will take a bit of effort as well.

 

[LoadsaMoney]

Noticed it said X-series on x99, but on checking the website, my 5930K, is listed under that series, so looks like a BIOS update is also required ?

https://www.intel.co.uk/content/www/uk/en/products/processors/core/x-series.html?page=2

EDIT:

Yup.

https://ark.intel.com/products/82931/Intel-Core-i7-5930K-Processor-15M-Cache-up-to-3_70-GHz