• Competitor rules

    Please remember that any mention of competitors, hinting at competitors or offering to provide details of competitors will result in an account suspension. The full rules can be found under the 'Terms and Rules' link in the bottom right corner of your screen. Just don't mention competitors in any way, shape or form and you'll be OK.

Yet another Intel CPU security vulnerability!

IT Troll said:
Nothing to worry about as a typical home user. Just don't go hosting any VMs to strangers.
Click to expand...

Well said. Sound advice. As serious as the mounting vulnerabilities with Intel are and the valid concern over the mitigation and its affect on performance - for the vast majority of users and systems you should not loose any sleep. There are literally millions of other exploits in the wild which require no heavy lifting from the bad guys that you SHOULD be more concerned about.

The new zero day in IE is a great example of that. And affects Intel and AMD systems equally.
 
So 242 publicly disclosed Intel vulnerabilities vs AMD's 16 and that's not even including the latest round :eek:
giphy.gif
 
Ice Tea said:
It amazes me that Intel parts still fetch such a high price secondhand seeing as some of these flaws will never be fully patched, i'm guessing some people just don't care.
Click to expand...
Even worse for a second hand buyer is that flaws are patched and make the CPU slower. Second hand CPU is unlikely to end in a high security requirement machine, but is likely to need every ounce of power it has.
 
humbug said:
Most Desktop enthusiasts or professionals alike actually don't care or believe its real, a lot of them think the whole thing is a conspiracy.
Click to expand...

And quite a number presume that the exploits to do this stuff are so exotic that they don't have to worry, or tht browser-makers can/should protect them entirely.

(For the record I don't imagine AMD is entirely perfect, I think they probably come under less scrutiny than intel at the moment).
 
Jimmy Weirdarms said:
And quite a number presume that the exploits to do this stuff are so exotic that they don't have to worry, or tht browser-makers can/should protect them entirely.

(For the record I don't imagine AMD is entirely perfect, I think they probably come under less scrutiny than intel at the moment).
Click to expand...

Can't remember the exact time in this conversation.

Kevin Krewell. Analyst, Used to work for both AMD and Nvidia, his opinion is Intel have Frankensteined what is a very old architecture to eek more and more performance out of it, its basically a heavily butchered Core Duo that's as a result full of holes and Intel are just flapping around trying to plug them up.

Intel havent designed a new ground up architecture in more than a decade, they haven't needed to.

Actually an interesting conversation.

 
NinjaCool said:
So 242 publicly disclosed Intel vulnerabilities vs AMD's 16 and that's not even including the latest round :eek:
giphy.gif
Click to expand...

The Intel number is going to keep climbing (almost infinitely) as there will always be new variants found to apply some aspects of Spectre - but that doesn't mean it is necessarily a new exploit that existing mitigations don't protect against.

Jimmy Weirdarms said:
And quite a number presume that the exploits to do this stuff are so exotic that they don't have to worry, or tht browser-makers can/should protect them entirely.

(For the record I don't imagine AMD is entirely perfect, I think they probably come under less scrutiny than intel at the moment).
Click to expand...

A lot of this is the consequence of constantly rehashing a decades old architecture - almost any hardware security gets compromised if it has been around long enough (see emulators for older games machines, etc.) and is enough of a target - some of these attacks have taken years of teasing out with increasingly more advanced understanding (some incredible "deep dives" in some cases) of clever side-channel techniques and the application of things like machine learning in more recent years to find convergences of how systems work that produce exploitable behaviour in seemingly unconnected parts, etc. anyone talking about these architectures being fundamentally flawed or full of security holes due to sloppy work, etc. most likely don't know what they are talking about.
 
Last edited:
Rroff said:
The Intel number is going to keep climbing (almost infinitely) as there will always be new variants found to apply some aspects of Spectre - but that doesn't mean it is necessarily a new exploit that existing mitigations don't protect against.
Click to expand...

Today's disclosure sounds like something entirely separate to spectre, to me.
 
Jimmy Weirdarms said:
Today's disclosure sounds like something entirely separate to spectre, to me.
Click to expand...

Yes and an interesting use of undocumented behaviour - funny enough I was reading up a few days ago on the security concerns presented by undocumented features (in this case named pipes in Windows).

I was just saying that the numbers aren't entirely meaningful in magnitude as there will be a lot of variants of the same exploits found now the cat is out the bag on things like Spectre though as there will be many different ways to reuse that behaviour - which don't necessarily present a new threat though could be a stepping stone to new threat discoveries.
 
Rroff said:
Yes and an interesting use of undocumented behaviour - funny enough I was reading up a few days ago on the security concerns presented by undocumented features (in this case named pipes in Windows).

I was just saying that the numbers aren't entirely meaningful in magnitude as there will be a lot of variants of the same exploits found now the cat is out the bag on things like Spectre though as there will be many different ways to reuse that behaviour - which don't necessarily present a new threat though could be a stepping stone to new threat discoveries.
Click to expand...

This is probably true but it doesn't take away from the fact that the architecture is quite obviously flawed in its now butchered state and no amount of cork is going to plug it up completely.
 
Jimmy Weirdarms said:
And quite a number presume that the exploits to do this stuff are so exotic that they don't have to worry, or tht browser-makers can/should protect them entirely.
Click to expand...

To expand a bit on this - a lot of these attacks require the target data to be in some way forced to be frequently in a location it can be leaked from and usually in a manner that requires a hands on approach - in a normal desktop session this might happen 1-3 times and with the attacker having no idea when that might be - even assuming they had any kind of unprotected potential remote connection to the machine via a website for instance (I don't think there has been any behaviour identified that naturally happens 1000s of times a second) and to feasibly leak data using these attacks you need that data to be appearing very frequently (it usually takes hours under ideal conditions - and days under slightly less ideal conditions and potentially decades at a natural pace) in a location you can leak it from. Which is why I'm largely unconcerned as a desktop user as if someone is exposed to these attacks in a meaningful way then they already have much bigger security concerns in the first place but very concerned in a multi-user/business/server type environment which gives a would be attacker many chances to initiate a procedure constantly so as to leak data as they can for instance be potentially launched using a normal procedure (such as one of the examples being failed login attempts*) and unprivileged code in combination - although that example is highly theoretical as any properly setup system will monitor for and take counter action against multiple failed logins.

EDIT: * This isn't a dictionary attack but that failed logins momentarily load privileged auth information into a buffer that it is possible for unprivileged code to leak from - eventually.
 
You must log in or register to reply here.
Back
Top Bottom