# Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown



## btarunr (Jan 5, 2018)

By the time Intel launched its 8th generation Core "Coffee Lake" desktop processor family (September 25, 2017, with October 5 availability), the company was fully aware that the product it was releasing was vulnerable to the three vulnerabilities plaguing its processors today, the two more publicized of which are "Spectre" and "Meltdown." Google Project Zero teams published their findings on three key vulnerabilities, Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754), in mid-2017, shared with hardware manufacturers under embargo, well before Intel launched "Coffee Lake." Their findings were made public on January 3, 2018.

Intel's engineers would have had sufficient time to understand the severity of the vulnerability, as "Coffee Lake" is essentially the same micro-architecture as "Kaby Lake" and "Skylake." As one security researcher puts it, this could affect Intel's liability when 8th generation Core processor customers decide on a class-action lawsuit. As if that wasn't worse, "Skylake" and later micro-architectures could require micro-code updates in addition to OS kernel patches to work around the vulnerabilities. The three micro-architectures are expected to face a performance-hit, despite Intel extracting colorful statements from its main cloud-computing customers that performance isn't affected "in the real-world." The company was also well aware of Spectre and Meltdown before its CEO dumped $22 million in company stock and options (while investors and the SEC were unaware of the vulnerabilities).







----------



## eidairaman1 (Jan 5, 2018)

Ouch another one, not good at all


----------



## First Strike (Jan 5, 2018)

It is OK to blame Intel for releasing Meltdown-vulnerable processors. But since it can be solved with Linux KPTI and Windows kernel rework, and Intel did finish that work with Linux team and Microsoft in time, it's kinda less unacceptable.

But hell no, you can’t blame Intel for Spectre vulnerability. It affects ALL modern processors with speculative execution and is simply impossible to fix (unless every app developer cooperates). The only way we currently know is to drop speculative execution and get back to stone age (80x86). We need another breakthrough in computer science in the following years to fix it.


----------



## Prima.Vera (Jan 5, 2018)

Why do I have a feeling that things are blowing out of proportions again...


----------



## Chaitanya (Jan 5, 2018)

Prima.Vera said:


> Why do I have a feeling that things are blowing out of proportions again...


I don't think it blown to proportions it needs to, these c***-ups are affecting millions of users of cloud computing. What's worse is that now that it's all over the news hackers who may have been in dark will now exploit the bug even after software band-aid patches have been applied (since it's a hardware bug still it can be exploited). Intel needs to own up their mess and clean it up or go belly up for good. Just a few months back it was Intel ME exploit, before that a USB exploit and now these 3 new exploits, guess it's a good thing so many fanboys are still a**-******g Intel in making sure they make profit end of the year.


----------



## First Strike (Jan 5, 2018)

Nevertheless, Intel CEO did a great job on timing in terms of dumping stocks, so he didn't get thrown into jail. lmao


----------



## RejZoR (Jan 5, 2018)

I hope shit is paying off for Intel skimping on quality work on hardware saving few millions back then and now losing 10x as much. And no, I don't think anything is blowing out of proportions. Crap like this shows the real attitude of the company. Releasing a flawed product well knowing it's flawed to such extent shows intent. They were literally hoping no one would notice or care. Damn right people should be outraged and they should feel the anger financially. I'm still waiting for actual confirmations what all the recent patches are fixing (if anything at all and how much penalty we're paying for it), but it's very unlikely I'll be buying Intel next time. I ditched Intel as an option for laptop the moment news broke out about the flaws and how their CEO dumped the stocks right before shit went public. That was the moment I ordered AMD based laptop which was as a second a bit more expensive (but faster) option. Same fate will meet the desktop eventually depending on situation. Not in the mood to change my entire X99 platform just yet...


----------



## Prima.Vera (Jan 5, 2018)

But then again, for a normal desktop machine, do you really need a BIOS and OS update that is just going to slow your CPU down? I mean how many Joes are running VMs in a shared environment??


----------



## piloponth (Jan 5, 2018)

Has Intel's CEO been sued for insider trading yet? Or once again rule "too big to fail" applies?


----------



## RejZoR (Jan 5, 2018)

Prima.Vera said:


> But then again, for a normal desktop machine, do you really need a BIOS and OS update that is just going to slow your CPU down? I mean how many Joes are running VMs in a shared environment??



If you think VM means only VMWare and VirtualBox, then you're greatly mistaken. Pretty much all security software today uses virtualization for malware protection and analysis. You know, what they used to run in dreadfully slow and limited emulators is now run natively in its own secure space and dissected there. Would you want to allow that in a "secure space" from which malware can potentially access your actual host?


----------



## lilunxm12 (Jan 5, 2018)

First Strike said:


> It is OK to blame Intel for releasing Meltdown-vulnerable processors. But since it can be solved with Linux KPTI and Windows kernel rework, and Intel did finish that work with Linux team and Microsoft in time, it's kinda less unacceptable.
> 
> But hell no, you can’t blame Intel for Spectre vulnerability. It affects ALL modern processors with speculative execution and is simply impossible to fix (unless every app developer cooperates). The only way we currently know is to drop speculative execution and get back to stone age (80x86). We need another breakthrough in computer science in the following years to fix it.


The fact that Meltdown can be easily patched by software update actually makes it more unacceptable to me. The logic behind the fix is simple enough and shouldn't be ignored to new generation of CPU release. To me it sounds like Intel chose to quickly push out competitive products (with an undisclosed critical flaw) against Ryzen over offering better security to all customers. Not patching Spectre can be excused, but not Meltdown.


> Intel is committed to product and customer security


That official statement is a plain lie to me.


----------



## thesmokingman (Jan 5, 2018)

You don't ship a flawed product as new, especially one where you knew well in advance. It's rather deceptive imo. The cost after the fact is immeasurable.


----------



## notb (Jan 5, 2018)

Man... you and @Raevenlord are like a TPU's special squad for writing these anti-Intel comments. It's not even qualified as editorial or a citation from another page. It's just you - being able to put your personal opinion on the front page... 

Was AMD aware of Spectre when they released Ryzen Mobile in November? 

This really is a serious issue, but this panic is totally pointless. The reason why there is an embargo after a bug/flaw is found, is to give companies time to fix it before the problem goes public and media make a mess of it.
The most possible outcome now is that this whole situation will rush companies into releasing precooked fixes (so soon we'll get fixes to fixes).


----------



## cmmw (Jan 5, 2018)

This may all not be a design flaw but *"is functional by design as a backdoor to professional hackers, legal, and illegal organization that had been informed about the backdoor." NSA is one of the publicly known organizations.*

The leak of the backdoors is however undesirable to the *organizations and hackers* that use the backdoors on a daily basis.


----------



## LocutusH (Jan 5, 2018)

I also feel that this gets way overhyped (by the press) already...


----------



## Patriot (Jan 5, 2018)

cmmw said:


> This may all not be a design flaw but *"is functional by design as a backdoor to professional hackers, legal, and illegal organization that had been informed about the backdoor." NSA is one of the publicly known organizations.*
> 
> The leak of the backdoors is however undesirable to the *organizations and hackers* that use the backdoors on a daily basis.



Yeah... no shit they knew there was a backdoor on the latest gen cpu... it's been there for 15yrs...   the next wikileak dump should make this all more clear.
Given that 4 independent research groups happened to find all this shit at the same exact time...  this was a tip-off/retiring of a backdoor due to impending leak.


----------



## biffzinker (Jan 5, 2018)

Prima.Vera said:


> I mean how many Joes are running VMs in a shared environment??



I prefer my passwords, as an example of the information disclosure being talked about in the text I quoted below, stay private and undisclosed to third-party apps in user space.


			
Microsoft Security Advisory said:

> Speculative execution side-channel vulnerabilities can be used to *read the content of memory across a trusted boundary and can therefore lead to information disclosure*.
> These mitigations prevent attackers from triggering *a weakness in the CPU which could allow the contents of memory to be disclosed.*
> 
> In client (desktop) scenarios, a *malicious user mode application* could be used to *disclose the contents of kernel memory*.
> ...



Source: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities - Security Advisory


----------



## dj-electric (Jan 5, 2018)

piloponth said:


> Has Intel's CEO been sued for insider trading yet? Or once again rule "too big to fail" applies?



I'm a firm believer in "the bigger they are, the harder they fall".


----------



## ensabrenoir (Jan 5, 2018)

.....just ignore that iceberg  intel....nothing to worry about.... On the real though....this is kinda sad....


----------



## thesmokingman (Jan 5, 2018)

LocutusH said:


> I also feel that this gets way overhyped (by the press) already...



It's all fake news right?


----------



## cmmw (Jan 5, 2018)

May just be like you said "retiring of a backdoor" and later push for next-generation processor sale with even more powerful backdoors:
(without the leaked backdoors)
Intel Management Engine (ME) cannot be switched off
AMD's Platform Security Processor (PSP) it uses an ARM processor..... can be switched off in BIOS, but can it actually be switched off in hardware level?

Scary.....

may just be retiring some leaked backdoors.....  retiring some leaked backdoors...
main investors have both AMD and Intel shares
boosting AMD for balancing the CPU market, dramas and competitions are needed to boost sales.

*All in the name for the greater good*


----------



## Outback Bronze (Jan 5, 2018)

Looks like I'll have to fire up my old P4  : )


----------



## Patriot (Jan 5, 2018)

Outback Bronze said:


> Looks like I'll have to fire up my old P4  : )



It is still vulnerable.... you would have to break out a P1 to be unaffected....


----------



## qubit (Jan 5, 2018)

Intel are clearly, a caring, sharing company. Aww, I feel so warm and fuzzy now.


----------



## Rahmat Sofyan (Jan 5, 2018)

Is all of this related to the Yahoo problem and other hacked or leaked accounts?


----------



## I No (Jan 5, 2018)

Tis funny how everyone ignores the fact that these chips were made way before Spectre and Meltdown hit. The only thing you can blame Intel is releasing it to the public but then again some hefty sum went into the development of said chips. Business is business. Work for Coffee Lake was done pretty much at least 6 months before the chip went into production. Could Intel stop the launch with Ryzen lurking around? I wouldn't. As for the CEO dumping shares it was all legal under plan 10b5-1. So tinfoil hats on everybody. Oh and btw when the investors start dumping shares and bailing out THAT would be a sign that the ship has a leak. As far as this goes it's all getting blown out of proportion. Intel will still have the data center niche (kudos to AMD for their awesome business model that practically gave the segment away for free). At the end of the day this could've happened to any big tech firm out there.... They are all the same.


----------



## ArbitraryAffection (Jan 5, 2018)

Whelp, Intel Damage control is here.


----------



## Devon68 (Jan 5, 2018)

The fact that Intel knew about this 5-6 months ago and the fact they sold stock before the leak seems to be too big of a coincidence.
Oh well. Keep On Digging


----------



## Emu (Jan 5, 2018)

Prima.Vera said:


> But then again, for a normal desktop machine, do you really need a BIOS and OS update that is just going to slow your CPU down? I mean how many Joes are running VMs in a shared environment??



You do realise that the Meltdown exploit allows any program running on your computer to gain access to protected kernel memory.  Stuff that is supposed to be kept secure like passwords are kept there.  Exploiting Meltdown will allow a program to take over your computer.

Meltdown affects ALL INTEL CPUS THAT SUPPORT Out Of Order Execution which is pretty much all Intel CPUs released since 1995 other than some Atom and all Itanium CPUs.

Spectre is a different story though.  Spectre potentially allows a program to access memory from another running program.  This could potentially allow the program to steal things like your credentials, browser history, credit card numbers, and so on.

So, yes, if you are running a modern Intel CPU then you need the OS update.  And you will also need the BIOS update to fix the ME exploit which allows malicious programs to get beyond kernel level access to an Intel-based machine.



I No said:


> Tis funny how everyone ignores the fact that these chips were made way before Spectre and Meltdown hit. The only thing you can blame Intel is releasing it to the public but then again some hefty sum went into the development of said chips. Business is business. Work for Coffee Lake was done pretty much at least 6 months before the chip went into production. Could Intel stop the launch with Ryzen lurking around? I wouldn't. As for the CEO dumping shares it was all legal under plan 10b5-1. So tinfoil hats on everybody. Oh and btw when the investors start dumping shares and bailing out THAT would be a sign that the ship has a leak. As far as this goes it's all getting blown out of proportion. Intel will still have the data center niche (kudos to AMD for their awesome business model that practically gave the segment away for free). At the end of the day this could've happened to any big tech firm out there.... They are all the same.



The Intel CEO may still run into issues with insider trading if he did not have the share sale time and quantity predetermined before Intel found out about the vulnerabilities.


----------



## I No (Jan 5, 2018)

Even if he sold the shares due to the vulnerability panic I'm still having a hard time believing he's that much of a moron to actually risk a lawsuit over this... actually this is more like white collar prison grade stuff to mess around with. Then again I could be wrong lol. If he's guilty then to a prison he'll be going and I have no problem with that, if the law was broken haul his ass up to the big house.


----------



## Flaky (Jan 5, 2018)

Thank god I still have an atom n450 netbook 

Anyway...
Coffee lake was meant to be a release of 6 core cpus with no architectural changes. 
There would be no point in halting the release of coffee lake, especially when ES/QS cpus are being provided, and all partners already have working prototypes of new platform.
As the OS workaround is already out, the problem is resolved. Not in a way satisfying everyone, but it is resolved.


----------



## HisDivineOrder (Jan 5, 2018)

Haha.  Everyone thought Intel rushed out Coffee Lake and the i9 because of competition with AMD.  The truth is more sinister.  They needed to get all their affected product lines out well in advance of the revelation of their insecurity came to light.

So the truth is Intel never worried about AMD; they worried about their own disastrous mistakes tanking a launch that might have otherwise been great for them.  It's really hard to believe the entire tech industry tried to protect Intel from its own shortsightedness rather than expose them and let them reap all that they sowed.


----------



## I No (Jan 5, 2018)

HisDivineOrder said:


> Haha.  Everyone thought Intel rushed out Coffee Lake and the i9 because of competition with AMD.  The truth is more sinister.  They needed to get all their affected product lines out well in advance of the revelation of their insecurity came to light.
> 
> So the truth is Intel never worried about AMD; they worried about their own disastrous mistakes tanking a launch that might have otherwise been great for them.  It's really hard to believe the entire tech industry tried to protect Intel from its own shortsightedness rather than expose them and let them reap all that they sowed.




They can't do anything else, the whole tech industry is running on their hardware.


----------



## R-T-B (Jan 5, 2018)

notb said:


> being able to put your personal opinion on the front page...



Facts aren't opinions...  What he said is fact.

AMD did not know about Spectre from their behavior until the project zero release, is my bet.  Otherwise they would not have tried to market their cpus as immune in a rather vain struggle.


----------



## Jism (Jan 5, 2018)

This is why trust AMD with hardware more than Intel. The amount of bugs that Intel actually has is scaring. The IMEI thing, now this. So basically no matter how updated your OS, Antivir, Firewall and even router configuration was, your system was still completely vulnerable towards some slick exploits causing safe data to be compromised. And on top of that, have 5 up to 30% performance penalty due to a software fix. Intel has been skimping out on testing their CPU's. it's not just testing, it's the TIM and all sorts of stuff as well. Maximize profit, lower down the time required for the devs to test CPU's and all, as managers insist on doing so.

Intel WAS a quality company back in the 386/486/586 days. Their CPU's were superior compared to cloned ones such as AMD. But from that complete P3 and above, a lot of various tactics were used to put themselves on top and keep it that way, by offering vendors huge discounts of not the competition (=AMD) was being sold to the mass.

This company should burn over this case.


----------



## EarthDog (Jan 5, 2018)

Rahmat Sofyan said:


> Is it all of this related to yahoo problem and other hacked or leaked  accounts ?


No.


----------



## Thefumigator (Jan 5, 2018)

Am I the only one who doesn't care? I will continue using my ryzen 7 cpu, and I don't even use an antivirus. Nobody is going to get rich by breaking into my email account and reading my stuff. All these vulnerability issues is making media go along for the ride.


----------



## jigar2speed (Jan 5, 2018)

Thefumigator said:


> Am I the only one who doesn't care? I will continue using my ryzen 7 cpu, and I don't even use an antivirus. Nobody is going to get rich by breaking into my email account and reading my stuff. All these vulnerability issues is making media go along for the ride.



^This, this is the reason why people get hacked and don't even realise/know that it's not just your email account. Identity theft is the first thing that comes to my mind. In case if you are using netbanking, you are screwed, in case if you are using CC for buying anything online, you are screwed.
This vulnerability has your computer completely exposed to attacks that you don't even comprehend yet. Oh and not having antivirus is an excellent recipe where you are already breached and someone might be using your system for DDOS attacks or someone might be threatening someone pretending to be you. Things can go from bad to worse and you won't even know it until authorities show up at your doorsteps.


----------



## Vayra86 (Jan 5, 2018)

HisDivineOrder said:


> Haha.  Everyone thought Intel rushed out Coffee Lake and the i9 because of competition with AMD.  The truth is more sinister.  They needed to get all their affected product lines out well in advance of the revelation of their insecurity came to light.
> 
> So the truth is Intel never worried about AMD; they worried about their own disastrous mistakes tanking a launch that might have otherwise been great for them.  It's really hard to believe the entire tech industry tried to protect Intel from its own shortsightedness rather than expose them and let them reap all that they sowed.



Don't overinflate and speculate, because that is what you're doing here.

CPUs are already designed, probably even the next Intel release will still contain the same architecture with the same leak.

This topic and the supposed scandal of Intel stock being sold are perfect examples of everything we don't really need. Only Meltdown is directly attributable to an Intel specific design, Spectre hits everyone. Also consider the alternative: not releasing anything, not just for the past 6 months but also the next year. Meanwhile, you also can't disclose WHY you're not releasing anything. Imagine the question marks that would raise...

The fact that Intel is a rat company was known long ago, these news items really add zero to that fact.


----------



## Manu_PT (Jan 5, 2018)

Ok, this is bad, sure. But isn't all of this fixed already? Yes it is, and no you won't have a 30% performance hit in any application. Tests and benchmarks are all over the web. This issue is fixed just like Blaster was fixed in 2001, for those that can remember it or if you even used computers back then.

You guys are acting like right now everyone with a personal computer is at risk while surfing the web and is the end of the world. This affects big data centers and companies more than anything, not the home user. Most of those exploits can't even be used against you, unless you use specific apps/tasks. And as I said, it is fixed now, so chill out. Intel is still faster than Ryzen, and that still makes more money to some people, which is what matters.


----------



## Vayra86 (Jan 5, 2018)

Manu_PT said:


> Ok, this is bad, sure. But isn't all of this fixed already? Yes it is, and no you won't have a 30% performance hit in any application. Tests and benchmarks are all over the web. This issue is fixed just like Blaster was fixed in 2001, for those that can remember it or if you even used computers back then.
> 
> You guys are acting like right now everyone with a personal computer is at risk while surfing the web and is the end of the world. This affects big data centers and companies more than anything, not the home user. Most of those exploits can't even be used against you, unless you use specific apps/tasks. And as I said, it is fixed now, so chill out. Intel is still faster than Ryzen, and that still makes more money to some people, which is what matters.



There are multiple exploits. Only 'Spectre 1' is fixed with the current patches as far as I can tell, which is based on the proof of concept that is currently available. That said, the leak that allows the exploit still exists in a basic sense. It just needs a new workaround to be used.

In addition, as I posted earlier to clarify, EVERY SYSTEM is vulnerable. Including your home PC. Happen to be a crypto whale? I'd start worrying.






- Entry: have code execution on system = ridiculously easy. Any website can inject malware, remember the malware we got served by *ads* not too long ago?
- Method: uses a very basic processor function that is present everywhere. Any attack is potentially huge in scope
- Impact: Read out memory and you can spy on everything someone does on a rig
- Action: software patching. As with all software, it can be hacked.

Let me sketch a worst-case scenario: software patching keeps getting circumvented and new hacks actually occur using these backdoors. At some point, public outrage forces Intel/AMD to start disabling branch prediction/speculative exec entirely. All of a sudden we're back in Sandy Bridge performance metrics ie. performance drops to 2012 mainstream.


----------



## I No (Jan 5, 2018)

Jism said:


> This is why trust AMD with hardware more than Intel. The amount of bugs that Intel actually has is scaring. The IMEI thing, now this. So basically no matter how updated your OS, Antivir, Firewall and even router configuration was, your system was still completely vulnerable towards some slick exploits causing safe data to be compromised. And on top of that, have 5 up to 30% performance penalty due to a software fix. Intel has been skimping out on testing their CPU's. it's not just testing, it's the TIM and all sorts of stuff as well. Maximize profit, lower down the time required for the devs to test CPU's and all, as managers insist on doing so.
> 
> Intel WAS a quality company back in the 386/486/586 days. Their CPU's were superior compared to cloned ones such as AMD. But from that complete P3 and above, a lot of various tactics were used to put themselves on top and keep it that way, by offering vendors huge discounts of not the competition (=AMD) was being sold to the mass.
> 
> This company should burn over this case.



It's called running a business not a charity. They tend to maximize profit, everyone's on the "let's make moneyz" wagon. In a perfect world where all things were fair we wouldn't have to see these headlines, Intel would not roll out bugged hardware, AMD wouldn't skip the testing and rush out Ryzen or VEGA, nVidia wouldn't have seen a class action lawsuit over the 970 memory, Samsung wouldn't have to owe SAMSUNG for the Note 8 fiasco, Apple wouldn't sell the same crap they brought to the table a couple of years ago for $1000 and so forth. Besides this whole thing's been blown out of proportions data centers are ok your system is safe for the time being : 
_https://newsroom.intel.com/news-rel...impacting-performance-real-world-deployments/_
The company should burn if they would bail out on their customer base ... which mind you Intel isn't going to do with the branch that provides the biggest chunk of their income (Data Centers).


----------



## Manu_PT (Jan 5, 2018)

Vayra86 said:


> There are multiple exploits. Only 'Spectre 1' is fixed with the current patches. Meltdown is not.
> 
> The other forms of Spectre are still out in the wild and potential backdoors, given the right approach/malware.
> 
> In addition, as I posted earlier to clarify, EVERY SYSTEM is vulnerable. Including your home PC. Happen to be a crypto whale? I'd start worrying.



You can worry if you want. I'm not worried at all, I don't use anything that can allow access to my stuff with those flaws. You need to read the full disclosure of it to understand. Then talk please.

Stop spreading misinformation if you guys don't know what you're talking about.


----------



## Vayra86 (Jan 5, 2018)

Manu_PT said:


> You can worry if you want. I'm not worried at all, I don't use anything that can allow access to my stuff with those flaws. You need to read the full disclosure of it to understand. Then talk please.
> 
> Stop spreading misinformation if you guys don't know what you're talking about.



I did. Seems like it matters a lot what/where you read. And most importantly, when, because this issue is still developing. Truths of yesterday are not the ones of today. I have already posted my sources. You're at liberty to think this isn't relevant for yourself, but I find that pretty naive, if not to say arrogant, especially when you state 'I don't use anything that can allow access'. So you never visit websites then?

Bottom line: we now all own a system with a broken lock on one of the doors. The software patch allows us to put duct tape over it, so we can pray it holds until this gets an architectural fix.


----------



## notb (Jan 5, 2018)

R-T-B said:


> AMD did not know about Spectre from their behavior until the project zero release, is my bet.  Otherwise they would not have tried to market their cpus as immune in a rather vain struggle.


Google informed manufacturers (Intel, AMD and ARM) about Spectre on 2017-06-01, so before AMD launched Threadripper, Ryzen PRO and Ryzen Mobile.
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html


----------



## john_ (Jan 5, 2018)

notb said:


> Man... you and @Raevenlord are like a TPU's special squad for writing these anti-Intel comments. It's not even qualified as editorial or a citation from another page. It's just you - being able to put your personal opinion on the front page...


In the past, TPU was like doing a Holy Crusade against AMD for much less than a huge security flaw. I was complaining back then the way you do now. Well, having 3-4 articles in 2-3 days about the same stuff, does look a little too much. But considering that they were doing the same in the past about AMD stuff, I would say that they are keeping a balance here.


----------



## notb (Jan 5, 2018)

Jism said:


> Intel WAS a quality company back in the 386/486/586 days. Their CPU's were superior compared to cloned ones such as AMD. But from that complete P3 and above, a lot of various tactics were used to put themselves on top and keep it that way, by offering vendors huge discounts of not the competition (=AMD) was being sold to the mass.
> 
> This company should burn over this case.


Hmm... so what you've said above is: before Intel had a serious competitor in AMD, they were a quality company. So maybe if we got rid of AMD, Intel would be back to its great days?
Plus, older Intel designs were also full of issues, including the well known FDIV. It's even more significant when you think how far we've come in CPU design.

Also, your approach to this matter is really sad. Intel is the company running global microprocessor business. It's way more complicated than just you replacing your i7 with a Ryzen for gaming.
This problem might cost Intel billions and will have a serious impact on the whole computer industry.


----------



## newtekie1 (Jan 5, 2018)

I think Intel definitely needs to pay for releasing known insecure products to the market, but I also think people are over-reacting to the problems.  The news reports want to make it sound like doomsday for security, and it really isn't.  Yes, this is a hardware vulnerability, but it isn't as bad as some of the software vulnerabilities that exist.  Spectre and Meltdown both require the exploit to be run locally, it can't be exploited remotely.  There are vulnerabilities that can give people control of systems remotely.  These require the user to execute something.

That said, people are likely to be able to easily be tricked into running virus programs.  If there weren't people that run random things, I probably would lose half my business, and all those ransomware people wouldn't be making any money.  But at the same time, I'd bet any good anti-virus programs will very quickly be updated to watch for behavior of this exploit and stop it, I mean that is what anti-viruses do with minimal performance impact.

I'm just glad Intel did this, because now I'll get some money back from the class-action lawsuit!


----------



## Vayra86 (Jan 5, 2018)

newtekie1 said:


> These require the user to execute something.



I keep reading this on TPU, but these days 'to execute code' is not something that needs to be done locally, it just needs to reside locally. Any malware can reside on your system for days, months, undetected and call home once it's done reading out the process it wants to read.

The user really doesn't have to be in play here.


----------



## CrAsHnBuRnXp (Jan 5, 2018)

We should all get a refund on our processors and motherboards and then buy stock in AMD and all buy Ryzen products.


----------



## EarthDog (Jan 5, 2018)

LOL, I'll pass... and just kick back and watch.



I am glad I took a seat on the sidelines here... this is humorous to watch what many believe/think they know/don't know... etc. and the reactions from some are priceless.

Not saying I know any better. I don't really, but I'm not here running around like a chicken with my head cut off. Life is good.


----------



## NicklasAPJ (Jan 5, 2018)

jigar2speed said:


> ^This, this is the reason why people get hacked and don't even realise/know that it's not just your email account. Identity theft is the first thing that comes to my mind. In case you are using netbanking, you are screwed, in case you are using CC for buying anything online, you are screwed.
> This vulnerability has your computer completely exposed to attacks that you don't even comprehend yet. Oh and not having antivirus is an excellent recipe where you are already breached and someone might be using your system for DDOS attacks or someone might be threatening someone pretending to be you. Things can go from bad to worse and you won't even know it until authorities show up at your doorsteps.



What? I did not use an Anti Virus program for 10 years now, and still not a single time I got hacked.


----------



## Basard (Jan 5, 2018)

NicklasAPJ said:


> What? I did not use an Anti Virus program for 10 years now, and still not a single time I got hacked.


Same here.....  I say it's half luck.  Pray to RNJesus.


----------



## Emu (Jan 5, 2018)

NicklasAPJ said:


> What? I did not use an Anti Virus program for 10 years now, and still not a single time I got hacked.



How do you know that?  How do you know that your computer is not spewing out spam email by the boat load?  How do you know that your computer is not sending out random packets at hosts in a DDoS bot network?  Not all malware is aimed at disrupting your experience...


----------



## lexluthermiester (Jan 5, 2018)

Prima.Vera said:


> Why do I have a feeling that things are blowing out of proportions again...


Perhaps the seriousness of these problems has not been made clear to you yet? These vulnerabilities go back all the way to CPUs made in the 90's.

*All CPUs* are affected. Intel's CPUs are taking a bit more of the brunt of all of this, but *all x86, x64, MIPS, PPC and RISC CPUs are affected*.


Emu said:


> How do you know that?  How do you know that your computer is not spewing out spam email by the boat load?  How do you know that your computer is not sending out random packets at hosts in a DDoS bot network?  Not all malware is aimed at disrupting your experience...


Maybe because they use network monitoring software or a firewall and watch their network traffic?


----------



## Steevo (Jan 5, 2018)

Manu_PT said:


> You can worry if you want. I'm not worried at all, I don't use anything that can allow access to my stuff with those flaws. You need to read the full disclosure of it to understand. Then talk please.
> 
> Stop spreading misinformation if you guys don't know what you're talking about.



You are on the internet, using a browser, and Intel hardware, you are susceptible to at least two of the flaws. https://arstechnica.com/gadgets/201...el-apple-microsoft-others-are-doing-about-it/ 

I have read the full disclosures, read the way the flaws were found, and understand that it affects almost everyone on the internet, and one idiot not running AV as they are somehow immune only makes it worse as your system could easily be host to a plethora of malware. Your TPU ID could be compromised, you could start sending out spam messages, your email could be compromised, your home PC could be being used to bounce traffic or to spam. Your bank account information, personal data from taxes, and much more can be accessed by simply reading data out of your computer as if they were sitting in front of it reading your passwords written on sticky notes. It is a big deal to essentially every company, as all it takes to get this access is using the internet, and a simple java script. It's akin to the olden days where network worms were prevalent and few had anti-virus so they spread like wildfire, except this doesn't need to spread, it just needs you to use any portion of the internet and your browser to run a snip of java, which happens all the time.


----------



## lexluthermiester (Jan 5, 2018)

Steevo said:


> You are on the internet, using a browser, and Intel hardware, you are susceptible to at least two of the flaws.


You are on the internet, using a browser, and using a modern CPU, you are susceptible to at least two of the flaws. https://meltdownattack.com/


----------



## newtekie1 (Jan 5, 2018)

Vayra86 said:


> I keep reading this on TPU, but these days 'to execute code' is not something that needs to be done locally, it just needs to reside locally. Any malware can reside on your system for days, months, undetected and call home once it's done reading out the process it wants to read.
> 
> The user really doesn't have to be in play here.



For the code to get on the machine locally, it requires the user do something to get it there.  Despite popular belief, hackers can't just access your computer and put anything on your computer you they want without you doing something to allow it.  Even if that something is visiting a malicious website.


----------



## lexluthermiester (Jan 5, 2018)

newtekie1 said:


> For the code to get on the machine locally, it requires the user do something to get it there.  Despite popular belief, hackers can't just access your computer and put anything on your computer *they* want without you doing something to allow it.  Even if that something is visiting a malicious website.


Fixed that for you. I agree with your points. While these are serious problems, criminals are not going to be able to just waltz into a PC willy-nilly.


----------



## _UV_ (Jan 5, 2018)

Vayra86 said:


> Let me sketch a worst-case scenario: software patching keeps getting circumvented and new hacks actually occur using these backdoors. At some point, public outrage forces Intel/AMD to start disabling branch prediction/speculative exec entirely. All of a sudden we're back in Sandy Bridge performance metrics ie. performance drops to 2012 mainstream.



Very optimistic. Branch prediction and speculative execution related to Pentium/Pro era, and it doubles performance against 486. Also we have much more than 2 execution units per core (processor) now with all what x86 microop decoding to RISC. So I would say modern 4GHz would be equal to Piii/early Athlons with all features enabled.


----------



## Xzibit (Jan 5, 2018)

Even Nvidia is getting in on the patching action

*NVIDIA - Security Bulletin: NVIDIA GPU Display Driver Security Updates for Speculative Side Channels*


----------



## Vayra86 (Jan 5, 2018)

Xzibit said:


> Even Nvidia is getting in on the patching action
> 
> *NVIDIA - Security Bulletin: NVIDIA GPU Display Driver Security Updates for Speculative Side Channels*



Mitigating, not fixing


----------



## efikkan (Jan 5, 2018)

First Strike said:


> It is OK to blame Intel for releasing Meltdown-vulnerable processors. But since it can be solved with Linux KPTI and Windows kernel rework, and Intel did finish those work with Linux team and Microsoft in time, it's kinda less unacceptable.
> 
> But hell no, you can’t blame Intel for Spectre vulnerability. It affects ALL modern processors with speculative execution and is simply impossible to fix (unless every app developer cooperates). The only way we currently know is to drop speculative execution and get back to stone age (80x86). We need another breakthrough in computer science in the following years to fix it.


It's not only unfair, but completely ridiculous to blame Intel for everyone's mistakes. This of course doesn't diminish the severity of the problem, but makes them all sinners.

Some refer to these issues with speculative execution as "Meltdown" and "Spectre", Google divides it into three classes, and ARM divides it into "four". All modern x86 (both Intel and AMD), most ARM processors and even IBM Power are affected by one or more of these exploits. It's worth mentioning that these are not production errors or tapeout mistakes, these are all logical design errors. So why do very different designs have similar mistakes? Simply because engineers are prone to make similar mistakes and assumptions when tackling similar problems. This is why it's simple to find many new problems once we've discovered one new class of mistakes.

Something tells me there will be even more exploits found soon, with this many people exploring these new approaches and the embargo being lifted next Tuesday.



Prima.Vera said:


> But then again, for a normal desktop machine, do you really need a bios and OS update that just going to slow your CPU down? I mean how many Joes are running VMs in a shared environment??


Most sites, including TPU, incorrectly refer to these bugs as VM related, but they're not. These bugs are related to leaking of virtual memory, which is the method of separating the address space of each process and of course kernel memory. This is done in every modern operating system, and is one of the primary tasks of the OS kernel itself. The process involves something called "paging", which are small chunks of memory mapped into a continuous address space for each process, while in reality they are fragmented chunks spread throughout the physical address space.

A user space process is only allowed to access its own memory, attempting to access memory outside this range will result in a _page fault_. These new exploits involve techniques to make the CPU leak small parts of inaccessible kernel memory. It seems like you can only get a few bytes at a time, and Google achieved something like ~2kB/s, so it will take a while to dump all of the memory… But provided you can dump arbitrary memory this way, any single user space process can in theory* dump the entire system memory, including memory of other processes and the kernel itself.

This is where Virtual Machines actually come in, since a VM technically is only a process on a host machine. So if one process can access the memory of any other process, it would mean one VM can access the memory of another VM as well. This is a serious exploit vector since cloud providers make their living off allowing people to run their own VMs on the same host.

But as mentioned, the exploit itself has nothing to do with VMs. Any specially crafted program with the right system calls executed on a machine will be able to do it. So going back to your question, does this apply to your desktop machine? Yes, if you run any executable which is not trusted. But, this is not limited to standalone programs, but also JIT programs like Java applets or Java apps on your phone, various scripts, etc. The big question remains if JavaScript in Web Browsers is able to execute this. I'm not sure yet if it's possible, but evidently both Google and Mozilla think there might be a risk. If this turns out to be feasible, then these exploits become much worse than for VMs, since it will allow any web page to scan through system memory for things like encryption keys, passwords, etc., and then it's really bad!

\*) Why in theory? At this rate the memory is likely to change rapidly while dumping it, so making a complete dump will be hard.



cmmw said:


> This may all not be a design flaw but "is functional by design as a backdoor to professional hackers, legal, and illegal organization that had been informed about the backdoor."  NSA is one of the publicly known organizations.


These exploits are about leaking memory, not backdoors.

BTW, Windows has had a "service backdoor" since 95…



Jism said:


> This is why trust AMD with hardware more than Intel. The amount of bugs that Intel actually has is scary. The IMEI thing, now this. So basically no matter how updated your OS, Antivir, Firewall and even router configuration was, your system was still completely vulnerable towards some slick exploits causing safe data to be compromised.


Because AMD is bug-free? Have you even followed this subject? AMD is affected as well.
AMD also incorporates a security processor like Intel, and it's not that many months ago that AMD refused to admit a serious stability issue which they dismissed as a "performance bug marginally affecting Linux", despite it having no relation to Linux nor performance. All of these vendors will always downplay or dismiss problems, even when they are fully aware.
Edit: AMD PSP Affected By Remote Code Execution Vulnerability

Intel, AMD and ARM have all been aware of these new bugs since last summer.



Jism said:


> And on top of that, have 5 up to 30% performance penalty due to a software fix.


These performance numbers are referring to the performance in edge cases with Linux kernel KPTI patches which were made in a rush to circumvent the problem. It's very likely that better OS patches combined with firmware tweaks will reduce this slowdown. Many workloads, such as gaming and video encoding should not be affected.



CrAsHnBuRnXp said:


> We should all get a refund on our processors and motherboards and then buy stock in AMD and all buy Ryzen products.


You mean old 486 cpus from AMD, right? All modern AMD CPUs are affected.



newtekie1 said:


> For the code to get on the machine locally, it requires the user do something to get it there.  Despite popular belief, hackers can't just access your computer and put anything on your computer you want without you doing something to allow it.  Even if that something is visiting a malicious website.


This all depends on this being exploitable through JavaScript, which "everyone" executes happily. It's already known to be exploitable through JIT compiled stuff such as Android apps and Java applets. See my longer paragraph above.


----------



## newtekie1 (Jan 6, 2018)

lexluthermiester said:


> Fixed that for you. I agree with your points. While these are serious problems, criminals are not going to be able to just waltz into a PC willy-nilly.



Yes, thank you.  For these things to be exploited on a consumer level system, or even really an enterprise data center system, there have to be some other security issues at play. In the consumer space, those other security flaws already pretty much give the malicious person access to your system, so this security flaw is just icing on the cake.



efikkan said:


> This all depends on this being exploitable through JavaScript, which "everyone" executes happily. It's already known to be exploitable through JIT compiled stuff such as Android apps and Java applets. See my longer paragraph above.



Yes, like I said, it could be as simple as visiting the wrong site.  But this is also where having an AV program is a must.  I would be very surprised if the major AV programs out there aren't updated to recognize a process that is exhibiting the behavior of this exploit and lock down the process long before it can really get anything useful from a consumer level system.  It is exploits like this that made all the good AVs add behavior detection in the first place.


----------



## efikkan (Jan 6, 2018)

newtekie1 said:


> Yes, like I said, it could be as simple as visiting the wrong site.  But this is also where having an AV program is a must.  I would be very surprised if the major AV programs out there aren't updated to recognize a process that is exhibiting the behavior of this exploit and lock down the process long before it can really get anything useful from a consumer level system.  It is exploits like this that made all the good AVs add behavior detection in the first place.


That's not how Antivirus works. It can only recognize file signatures of known malware and known filenames, they never are able to analyze execution of code in real time, that would slow down your computer by a factor of 10,000 and be analytically impossible.

Even if this is exploitable through JavaScript, no Antivirus can intercept this execution. It will have to be up to the CPU firmware, OS kernel and to some extent the JavaScript interpreter (browser) to put the appropriate safeguards in place to avoid the problem.


----------



## lexluthermiester (Jan 6, 2018)

efikkan said:


> That's not how Antivirus works. It can only recognize file signatures of known malware and known filenames, they never are able to analyze execution of code in real time, that would slow down your computer by a factor of 10,000 and be analytically impossible.


That's not true at all. Antivirus suites have been using real-time heuristic analyzation for over a decade and some of them are very good at it. It isn't perfect and can often render false positives, but it is used nonetheless.


----------



## newtekie1 (Jan 6, 2018)

efikkan said:


> That's not how Antivirus works. It can only recognize file signatures of known malware and known filenames, they never are able to analyze execution of code in real time, that would slow down your computer by a factor of 10,000 and be analytically impossible.
> 
> Even if this is exploitable through JavaScript, no Antivirus can intercept this execution. It will have to be up to the CPU firmware, OS kernel and to some extent the JavaScript interpreter (browser) to put the appropriate safeguards in place to avoid the problem.



Yeah, go do more research on how modern anti-virus programs work.  Signature based detection, while still in use, has long been considered largely ineffective against modern viruses.  Behavioral and heuristic based detection has become the new method that any good anti-virus uses.


----------



## Manu_PT (Jan 6, 2018)

efikkan said:


> It's not only unfair, but completely ridiculous to blame Intel for everyone's mistakes. This of course doesn't diminish the severity of the problem, but makes them all sinners.
> 
> Some refer to these issues with speculative execution as "Meltdown" and "Spectre", Google divides it into three classes, and ARM divides it into "four". All modern x86 (both Intel and AMD), most ARM processors and even IBM Power are affected by one or more of these exploits. It's worth mentioning that these are not production errors or tapeout mistakes, these are all logical design errors. So why do very different designs have similar mistakes? Simply because engineers are prone to make similar mistakes and assumptions when tackling similar problems. This is why it's simple to find many new problems once we've discovered one new class of mistakes.
> 
> ...



AMD has the spectre problem which isn't 1/10 as bad as meltdown. Don't spread misinformation. Meltdown is the real problem here, Spectre is just another threat like 10000 others, and you need physical access to the machine first, to use it.


----------



## efikkan (Jan 6, 2018)

Manu_PT said:


> AMD has the spectre problem which isn't 1/10 as bad as meltdown. Don't spread misinformation. Meltdown is the real problem here, Spectre is just another threat like 10000 others, and you need physical access to the machine first, to use it.


No, both need to be executed on the actual machine.


> The first two variants abuse speculative execution to perform bounds-check bypass (CVE-2017-5753), or by utilizing branch target injection (CVE-2017-5715) to cause kernel code at an address under attacker control to execute speculatively. Collectively these are known as "Spectre".  Both variants rely upon the presence of a precisely-defined instruction sequence in the privileged code, as well as the fact that memory accesses may cause allocation into the microprocessor’s level 1 data cache even for speculatively executed instructions that never actually commit (retire).  As a result, an unprivileged attacker could use these two flaws to read privileged memory by conducting targeted cache side-channel attacks. These variants could be used not only to cross syscall boundary (variant 1 and variant 2) but also guest/host boundary (variant 2).



BTW; The new ARM Cortex-A75 have all of these problems.


----------
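
The bounds-check bypass (CVE-2017-5753) described in the advisory text quoted in the post above, shown as the code pattern a reviewer looks for next to a hardened form. This is an added example, not part of any post in this thread: the table names, sizes and helper functions are hypothetical, and the clamp follows the branchless index-masking idea used by the Linux kernel's `array_index_nospec()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: names and sizes are hypothetical. */
#define TABLE_LEN    16u
#define PROBE_STRIDE 64u   /* one cache line per possible byte value */

static uint8_t table[TABLE_LEN];
static uint8_t probe[256u * PROBE_STRIDE];
static size_t  table_len = TABLE_LEN;

/* Stop the compiler from reasoning about v, so it cannot fold the mask
 * back into the branch it is meant to replace (GCC/Clang only). */
#if defined(__GNUC__) || defined(__clang__)
#define HIDE_VAR(v) __asm__ volatile("" : "+r"(v))
#else
#define HIDE_VAR(v) ((void)0)
#endif

void init_tables(void)
{
    for (size_t i = 0; i < TABLE_LEN; i++)
        table[i] = (uint8_t)(i * 3u + 1u);
    for (size_t v = 0; v < 256u; v++)
        probe[v * PROBE_STRIDE] = (uint8_t)v;
}

/* All ones when index < size, zero otherwise, with no conditional branch.
 * Requires size <= SIZE_MAX / 2; any index value is handled. */
size_t index_mask(size_t index, size_t size)
{
    HIDE_VAR(index);
    size_t top = ~(index | (size - 1u - index)) >> (sizeof(size_t) * 8u - 1u);
    return (size_t)0 - top;
}

/* Pattern to look for in review: the bounds check is architecturally
 * correct, but a mispredicted branch can run both loads speculatively
 * with an out-of-range i, and the second load leaves a cache footprint
 * that depends on the byte read by the first. */
int lookup_unsafe(size_t i)
{
    if (i < table_len)
        return probe[table[i] * PROBE_STRIDE];
    return -1;
}

/* Hardened form: the index is clamped by data flow, not control flow, so
 * even on the mispredicted path the first load stays inside table[]. */
int lookup_hardened(size_t i)
{
    if (i < table_len) {
        i &= index_mask(i, table_len);
        return probe[table[i] * PROBE_STRIDE];
    }
    return -1;
}

int main(void)
{
    init_tables();
    size_t samples[] = { 0, 5, 15, 16, 1000, (size_t)-1 };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        size_t i = samples[k];
        printf("i=%zu clamped=%zu unsafe=%d hardened=%d\n",
               i, i & index_mask(i, table_len),
               lookup_unsafe(i), lookup_hardened(i));
    }
    return 0;
}
```

Both functions return the same values architecturally; the difference is only in which addresses can be touched on a mispredicted path.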



## lexluthermiester (Jan 6, 2018)

Manu_PT said:


> AMD has the Spectre problem which isn't 1/10 as bad as meltdown. Don't spread misinformation.


Actually, that statement is misinformed. Meltdown is solved with a software fix. Spectre is a vulnerability in all hardware platforms and can be exploited many different ways. It's far more dangerous and far more serious.


Manu_PT said:


> Meltdown is the real problem here, Spectre is just another threat like 10000 others, and you need physical access to the machine first, to use it.


Sorry, that's also incorrect. Like most other forms of malicious code, Spectre is remotely exploitable.


----------



## trparky (Jan 6, 2018)

piloponth said:


> Has been Intel's CEO sued for insider trading yet? Or once again rule "too big to fail" applies?


As long as he informed the SEC that he was going to sell his stock it's not Insider Trading, it's perfectly legal to do so. Now had he sold his stock and did *not* inform the SEC then yes, it would be Insider Trading. That's what happened to Martha Stewart a couple of years ago, she didn't inform the SEC and got thrown in jail.


----------



## I No (Jan 6, 2018)

trparky said:


> As long as he informed the SEC that he was going to sell his stock it's not Insider Trading, it's perfectly legal to do so. Now had he sold his stock and did *not* inform the SEC then yes, it would be Insider Trading. That's what happened to Martha Stewart a couple of years ago, she didn't inform the SEC and got thrown in jail.




While the 10b5-1 is a way to counter insider trading all sales of stocks are submitted via a SEC form 4 so everything he did was public knowledge and SEC knew about this. The thing SEC didn't know about was the "flaw" that Google dug up because it wasn't meant to be public.


----------



## lexluthermiester (Jan 6, 2018)

I No said:


> While the 10b5-1 is a way to counter insider trading all sales of stocks are submitted via a SEC form 4 so everything he did was public knowledge and SEC knew about this. The thing SEC didn't know about was the "flaw" that Google dug up because it wasn't meant to be public.


trparky's right, this doesn't qualify as insider trading. The reality is Intel did not know how serious this was until after the sale, and even if they did, it would have to be proved that there was a connection. For all anyone else knows it could have been a personal reason motivating the sale. People like us don't have all the details and therefore can not make informed conclusions.


----------



## Devon68 (Jan 6, 2018)

Speculation "If this didn't reach the public would the public know after they resolved it"?


----------



## vacavalier (Jan 7, 2018)

Simply put...  Bastads.


----------



## efikkan (Jan 7, 2018)

Devon68 said:


> Speculation "If this didn't reach the public would the public know after they resolved it"?


Intel regularly updates their errata, just look at this long list for Skylake.
A lot of small bugs are normal for CPUs, if they fixed it "silently", nobody would have noticed it in the list.


----------



## GreiverBlade (Jan 7, 2018)

Prima.Vera said:


> Why do I have a feeling that things are blowing out of proportions again...


actually it's refreshing .... 

usually it's ...
"oh it's Intel, no biggies, we can forgive them"
"what? AMD has a bug in their CPU? BURN DOWN THE WITCHE!" 

actually considering financial disparities between these two ... i consider Intel blunder to be unforgivable


----------



## David Fallaha (Jan 7, 2018)

Flaky said:


> Thank god I still have an atom n450 netbook
> 
> Anyway...
> There would be no point in halting the release of coffee lake, especially when ES/QS cpus are being provided, and all partners already have working prototypes of new platform.



Er excuse me? Then announce the flaw then try selling it, or don't sell it at all. What planet do you come from?


----------



## R0H1T (Jan 7, 2018)

David Fallaha said:


> Er excuse me? *Then announce the flaw then try selling it, or don't sell it at all*. What planet do you come from?


Would definitely love to know how many would raise their hands knowing Intel chips had a *meltdown* bug, with a fix probably six months away? Pretty sure the loss in sales would be in the tens of billions, with a capital *B,* as it stands right now they might get away with just a slap on the wrist - like the last so many times! In fact their server sales would also be devastated, I'd say Google saved them anywhere between 10 to 30 billion in lost sales over the last 6 months.


----------



## lexluthermiester (Jan 7, 2018)

David Fallaha said:


> Er excuse me? Then announce the flaw then try selling it, or don't sell it at all. What planet do you come from?


It's called capitalism. Welcome to planet Earth.


R0H1T said:


> Would definitely love to know how many would raise their hands knowing Intel chips had a *meltdown* *vulnerability*


Fixed that for you. The difference is that the CPUs in question operate perfectly, so not a bug. But the fact that software can be made to take advantage of a CPU's normal functionality in a malicious way is a vulnerability. And it's likely the same number of people who would buy anything else that has/had a known problem, like iPhones with their battery problems and Windows for example.


----------



## R0H1T (Jan 8, 2018)

lexluthermiester said:


> It's called capitalism. Welcome to planet Earth.
> 
> Fixed that for you. *The difference is that the CPUs in question operate perfectly*, so not a bug. But the fact that software can be made to take advantage of a CPU's normal functionality in a malicious way is a vulnerability. And it's likely the same number of people who would buy anything else that has/had a known problem, like iPhones with their battery problems and Windows for example.


Both spectre & meltdown are vulnerabilities, except AMD doesn't need a meltdown fix because it doesn't allow a *rogue data cache load* in the way Intel does. Hence the bug(gy) part wrt Intel.

This isn't true for meltdown as can be seen with AMD chips right now.


----------



## lexluthermiester (Jan 8, 2018)

R0H1T said:


> Both Spectre & Meltdown are vulnerabilities


True.


R0H1T said:


> except AMD doesn't need a meltdown fix because it doesn't allow a *rogue data cache load* in the way Intel does.


Actually, that is an incorrect conclusion.


R0H1T said:


> Hence the bug(gy) part wrt Intel.


Meltdown is a vulnerability. A vulnerability is not a "bug", nor a flaw, nor a defect of design. You are mixing up and confusing proper terminology.


R0H1T said:


> This isn't true for meltdown as can be seen with AMD chips right now.


My information and understanding comes from the people who discovered the problems, have been researching and documenting it.
https://meltdownattack.com/
That website is one they created to publish the information for everyone to read. According to them and the documentation they have provided, your conclusions are incorrect.


----------



## R0H1T (Jan 8, 2018)

lexluthermiester said:


> Actually, that is an incorrect *conclusion*.


How so?


> Meltdown is a vulnerability. A vulnerability is not a "bug", nor a flaw, nor a defect of design. You are mixing up and confusing proper terminology.


Am I? Intel chips allow user apps to read data from the kernel memory but AMD does not, so how is that not a bug or *defective* design?


> My information and understanding comes from the people who discovered the problems, have been researching and documenting it.
> https://meltdownattack.com/
> That website is one they created to publish the information for everyone to read. According to them and the documentation they have provided, your conclusions are incorrect.


I've read everything from Ars, AMD, project zero, the register & nowhere does it say that meltdown was a feature of OoO chips. The unintended *feature* you're talking about is speculative branching i.e. spectre.





On Wed, Jan 3, 2018 at 3:09 PM, Andi Kleen <andi@firstfloor.org> wrote:
> This is a fix for Variant 2 in
> https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
>
> Any speculative indirect calls in the kernel can be tricked
> to execute any kernel code, which may allow side channel
> attacks that can leak arbitrary kernel data.

Why is this all done without any configuration options?

*A *competent* CPU engineer would fix this by making sure speculation
doesn't happen across protection domains. Maybe even a L1 I$ that is
keyed by CPL.*

I think somebody inside of Intel needs to really take a long hard look
at their CPU's, and actually admit that they have issues instead of
writing PR blurbs that say that everything works as designed.

.. *and that really means that all these mitigation patches should be
written with "not all CPU's are crap" in mind*.

Or is Intel basically saying "we are committed to selling you shit
forever and ever, and never fixing anything"?

Because if that's the case, maybe we should start looking towards the
ARM64 people more.

Please talk to management. Because I really see exactly two possibilities:

- *Intel never intends to fix anything*

OR

- these workarounds should have a way to disable them.

Which of the two is it?

*Linus*


----------



## I No (Jan 8, 2018)

And again things are getting blown out of proportion .... give it a rest .... not even the involved parties aren't making such a big fuss out of this


----------



## goodeedidid (Jan 8, 2018)

eidairaman1 said:


> Ouch another one, not good at all


Ouch what, don't be silly. What the whole industry should stop working because of a bug? Do you commit suicide when you cough once?


----------



## eidairaman1 (Jan 8, 2018)

goodeedidid said:


> Ouch what, don't be silly. What the whole industry should stop working because of a bug? Do you commit suicide when you cough once?




Intel launched several products that had this architecture flaw and they knew about it. That is criminal period. This will impact their wallets across the board.

By the way welcome to my ignore list.


----------



## HammerON (Jan 8, 2018)

goodeedidid said:


> Ouch what, don't be silly. What the whole industry should stop working because of a bug? Do you commit suicide when you cough once?


Not the best analogy there.  You can get your point across without using such an analogy.  Sometimes it is okay to agree to disagree and then move on.  Do so in this case.


----------



## Berfs1 (Jan 8, 2018)

Similarly to the GTX 970 incident, Intel needs to partially reimburse the customer of these CPUs, as it affects the performance now.


----------



## 64K (Jan 8, 2018)

Berfs1 said:


> Similarly to the GTX 970 incident, Intel needs to partially reimburse the customer of these CPUs, as it affects the performance now.



Not really similar to the 970 though. The 970 performed exactly the same in reviews before and after the deception by Nvidia was made known. 

In this case we have CPUs that don't perform exactly the same as before and after the news broke of its security vulnerabilities and the patch and the potential risks on down the road. At least thus far.


----------



## eidairaman1 (Jan 8, 2018)

64K said:


> Not really similar to the 970 though. The 970 performed exactly the same in reviews before and after the deception by Nvidia was made known.
> 
> In this case we have CPUs that don't perform exactly the same as before and after the news broke of its security vulnerabilities and the patch and the potential risks on down the road. At least thus far.



Considering that card was falsely advertised as having 4 gigs when in fact it only had 3.5


----------



## 64K (Jan 8, 2018)

It did have 4 GB VRAM and you probably noticed that Nvidia continued to advertise it as a 4 GB card even after the class action lawsuit was settled out of court. Where Nvidia deceived, and eventually paid up for with $30 rebates per card, is in failing to disclose that the last .5 GB VRAM ran 7 times slower than the rest of VRAM. But, in any case, what Intel has done is a bit more far reaching in consequences imo. We'll see.


----------



## eidairaman1 (Jan 9, 2018)

64K said:


> It did have 4 GB VRAM and you probably noticed that Nvidia continued to advertise it as a 4 GB card even after the class action lawsuit was settled out of court. Where Nvidia deceived, and eventually paid up for with $30 rebates per card, is in failing to disclose that the last .5 GB VRAM ran 7 times slower than the rest of VRAM. But, in any case, what Intel has done is a bit more far reaching in consequences imo. We'll see.



I see legal suits in their future


----------



## xorbe (Jan 9, 2018)

Berfs1 said:


> Similarly to the GTX 970 incident, Intel needs to partially reimburse the customer of these CPUs, as it affects the performance now.



Technically, it's the OS that slowed down ...


----------



## lexluthermiester (Jan 9, 2018)

xorbe said:


> Technically, it's the OS that slowed down ...


It was more than the OS. In games, whenever that last 512 MB of VRAM was accessed the game itself would stutter and chug. Never understood why and thought it was a driver problem until after the info went public. But it was an unpleasantness for sure. I will not touch that card because of the inconsistent performance. It would literally have been better to release the card with only 3.5GB of ram.


----------



## evernessince (Jan 9, 2018)

First Strike said:


> It is OK to blame Intel for releasing Meltdown-vulnerable processors. But since it can be solved with Linux KPTI and Windows kernel rework, and Intel did finish those work with Linux team and Microsoft in time, it's kinda less unacceptable.
> 
> But hell no, you can’t blame Intel for Spectre vulnerability. It affects ALL modern processors with speculative execution and is simply impossible to fix (unless every app developer cooperates). The only way we currently know is to drop speculative execution and get back to stone age (80x86). We need another breakthrough in computer science in the following years to fix it.



It's not in any way acceptable.  They released a product they knew would take a performance hit and would get bad publicity during the holiday season to reap maximum sales before customers could realize what was up.  That's not even the full picture either, we are getting reports of 8000 series processors getting up to 30% less performance on lower end motherboards. It definitely looks like Intel essentially released these processors with only their top end motherboards and super lower base clocks because they knew people would buy based off reviews, regardless of whether or not they are actually getting that performance on their lower end motherboards.

The last 2 years for Intel have been nothing but shit from the thin PCB of skylake bending, to their shitty TIM, to IME issues, and now this (the biggest of them all). I know this list is missing a lot but people get the point.



64K said:


> It did have 4 GB VRAM and you probably noticed that Nvidia continued to advertise it as a 4 GB card even after the class action lawsuit was settled out of court. Where Nvidia deceived, and eventually paid up for with $30 rebates per card, is in failing to disclose that the last .5 GB VRAM ran 7 times slower than the rest of VRAM. But, in any case, what Intel has done is a bit more far reaching in consequences imo. We'll see.



In most cases, Companies are not required to admit fault, merely they are required to pay money.  It's shitty but it's the way the system works.  Companies are granted far more rights and power than individuals.



lexluthermiester said:


> It's called capitalism. Welcome to planet Earth.
> 
> Fixed that for you. The difference is that the CPU's in question operate perfectly, so not a bug. But the fact that software can be made to take advantage of a CPU's normal functionality in a malicious way is a vulnerability. And it's likely the same number of people who would buy anything else that has/had a known problem, like iPhones with their battery problems and Windows for example.



Well, when you say it like that you make it sound like one of the most horrible economic systems out there.  Granted, we are definitely seeing how bad unmitigated capitalism can really be.


----------



## I No (Jan 9, 2018)

evernessince said:


> It's not in any way acceptable.  They released a product they knew would take a performance hit and would get bad publicity during the holiday season to reap maximum sales before customers could realize what was up.  That's not even the full picture either, we are getting reports of 8000 series processors getting up to 30% less performance on lower end motherboards. It definitely looks like Intel essentially released these processors with only their top end motherboards and super lower base clocks because they knew people would buy based off reviews, regardless of whether or not they are actually getting that performance on their lower end motherboards.




Given the circumstances you would've done the same thing. Let's see ... Coffee Lake is built upon Kaby Lake which is built upon Skylake and the list goes on, they share the same arch. Now Intel would have to scrap the whole arch and send it back to the drawing board thus sending the arch back into development stages... that would be what 6-8 months? Also there are contracts and deadlines that they need to deliver that would not only mean an impact on sales but also would result in the company owing money to 3rd parties for a deadline breach. Would you put the company in a more awkward position than it already is? Bad publicity can be mitigated while shipping out trucks worth of money for contract breaches cannot. You're making this sound like they didn't intend to fix anything regarding both Meltdown and Spectre although the public statement was due today. The only reason this is news is because someone decided to blow the horn early otherwise the statement given today would be "we had some vulnerabilities and they've been patched".
It's not Intel's motherboards, it's Intel's chipset granted, the rest is handled by AIB's, last time I checked Intel wasn't in charge of that. Furthermore would you get an 8700k and stick it on a $20 MB?
*Any company out there would've done the same thing* in Intel's position and if the Data Centers can live with it I'm betting so can the average user *who won't notice the difference.* If Intel cocked-up which they did they will pay there's no way around that. Mind posting the links to those 30% less performance benches? Asking out of sheer curiosity.



evernessince said:


> The last 2 years for Intel have been nothing but shit from the thin PCB of skylake bending, to their shitty TIM, to IME issues, and now this (the biggest of them all). I know this list is missing a lot but people get the point.



Skylake sold, Kaby sold, Coffee sold. If a product is inferior by any means in your opinion you have other options which now you do: Ryzen. The only one responsible for Intel's tight grip on the market is whom? If the answer is the lack of competition you are right and I'm not sure if Intel is worried about AMD at this point either since they still control the enterprise segment and they will as long as contracts are still running.
The rest is politics which I won't get into.


----------



## eidairaman1 (Jan 9, 2018)

I No said:


> Given the circumstances you would've done the same thing. Let's see ... Coffee Lake is built upon Kaby Lake which is built upon Skylake and the list goes on, they share the same arch. Now Intel would have to scrap the whole arch and send it back to the drawing board thus sending the arch back into development stages... that would be what 6-8 months? Also there are contracts and deadlines that they need to deliver that would not only mean an impact on sales but also would result in the company owing money to 3rd parties for a deadline breach. Would you put the company in a more awkward position than it already is? Bad publicity can be mitigated while shipping out trucks worth of money for contract breaches cannot. You're making this sound like they didn't intend to fix anything regarding both Meltdown and Spectre although the public statement was due today. The only reason this is news is because someone decided to blow the horn early otherwise the statement given today would be "we had some vulnerabilities and they've been patched".
> It's not Intel's motherboards, it's Intel's chipset granted, the rest is handled by AIB's, last time I checked Intel wasn't in charge of that. Furthermore would you get an 8700k and stick it on a $20 MB?
> *Any company out there would've done the same thing* in Intel's position and if the Data Centers can live with it I'm betting so can the average user *who won't notice the difference.* If Intel cocked-up which they did they will pay there's no way around that. Mind posting the links to those 30% less performance benches? Asking out of sheer curiosity.
> 
> ...


Well it put them in an even more awkward position because of multiple security breaches in the architecture, they were not upfront about it but tried hiding it.


----------



## trparky (Jan 9, 2018)

evernessince said:


> The last 2 years for Intel have been nothing but shit from the thin PCB of skylake bending, to their shitty TIM, to IME issues, and now this (the biggest of them all). I know this list is missing a lot but people get the point.


Don't get me started on that crap. All of these issues and yet we still have people around here defending Intel and going so far as to still recommend people to buy their processors. Where is the hate for Intel? Where is the kind of hate that everyone loves to spew in Microsoft's direction? Oh yeah... I forgot. *crickets*


----------



## lexluthermiester (Jan 9, 2018)

eidairaman1 said:


> they were not upfront about it but tried hiding it.


Rubbish. The release of information was done in a responsible and coordinated way working with the researchers. They had no intention of hiding anything.
EDIT sorry for the late response, didn't see it earlier..


----------



## eidairaman1 (Jan 10, 2018)

lexluthermiester said:


> Rubbish. The release of information was done in a responsible and coordinated way working with the researchers. They had no intention of hiding anything.
> EDIT sorry for the late response, didn't see it earlier..



Ok 


lexluthermiester said:


> Rubbish. The release of information was done in a responsible and coordinated way working with the researchers. They had no intention of hiding anything.
> EDIT sorry for the late response, didn't see it earlier..



For it to date back as far as it has that is pretty serious and they were hiding it


----------



## lexluthermiester (Jan 10, 2018)

eidairaman1 said:


> For it to date back as far as it has that is pretty serious and they were hiding it


You'd think, but the reality is most companies and researchers do not release vulnerability findings like this to the public without giving those affected by it a chance to research it themselves. Just throwing out to the public willy-nilly would be an act of gross irresponsibility. So yes, companies like Microsoft, Apple, Google, Intel, AMD, Nvidia, etc., etc. will keep such info confidential until they have time to solve the problem. Intel and the researchers were being responsible, not secretive or sneaky. Meltdown is effectively solved and that solution will be refined in the coming months. And this is why we have a fix within days instead of weeks or months.


----------



## Vayra86 (Jan 10, 2018)

lexluthermiester said:


> You'd think, but the reality is most companies and researchers do not release vulnerability findings like this to the public without giving those affected by it a chance to research it themselves. Just throwing out to the public willy-nilly would be an act of gross irresponsibility. So yes, companies like Microsoft, Apple, Google, Intel, AMD, Nvidia, etc., etc. will keep such info confidential until they have time to solve the problem. Intel and the researchers were being responsible, not secretive or sneaky. Meltdown is effectively solved and that solution will be refined in the coming months. And this is why we have a fix within days instead of weeks or months.



This.

You all have to keep in mind that if someone finds a leak in your CPU architecture, there is no realistic way to adjust that on a hardware design level anyway, any fix like that is one or two years ahead of us at best. The fact they found this in June, only months before CFL's release, is proof of that in itself. Yes, they knew it was in there, and yes, they were already testing and finding fixes for Meltdown back then. I think it's safe to say that we won't see a hardware adjustment until Ice Lake, or beyond.

Communicating leaks before you have solutions is possibly much worse than announcing them days prior to a fix. The entire industry works with that premise, it's really telling that people here think otherwise - it's a clear sign you have no clue of how this industry functions. While not the best layer of security, Security by Obscurity still is a layer of defense, and it was utilized here.

On the other side of the fence, even AMD releases their CPUs with knowledge of Spectre's existence, and even after official announcements were to be found on Intel's website, AMD's website did not contain a SINGLE TRACE of Spectre's existence. This is a strategy, too, and it shows in everything AMD has put out regarding this issue: they want to silence the issue ASAP, they are making it 'small and inconsequential' if you read their PR. I'll leave it up to each individual to decide what's better...

The bottom line remains: both Intel and AMD had this knowledge around the same time, and the decision to keep this quiet until now has been a unanimous one across ALL related companies. Any alternative decision is much more damaging: to end users, to the industry, to the overall level of trust in every PC we use, and all of the data we handle.


----------



## lexluthermiester (Jan 10, 2018)

Vayra86 said:


> This is a strategy, too, and it shows in everything AMD has put out regarding this issue: they want to silence the issue ASAP, they are making it 'small and inconsequential' if you read their PR. I'll leave it up to each individual to decide what's better...


I don't think that's what AMD is doing at all. The public knows how serious this is. AMD knows they have nothing to add because, at this moment, there is no real solution for Spectre. Like everyone else, they're working the problem and they're not going to say anything until they have something to say.

The real thing with Meltdown and Spectre is this, *there are no villains in this matter*. Not one manufacturer in their right mind would engineer such a pervasive problem into their products. And the fact that Spectre affects every CPU in existence for the past 25+ years, regardless of architecture, is evidence enough that it *was not foreseen* and has caught everyone almost equally off-guard. Laying blame at anyone is a waste of time and effort because we'd have to blame everyone equally. Even old games systems like the Playstation and N64 are vulnerable. So let's all stop the blame game, focus on the details of the problems and solving it, shall we?

Because of the way these vulnerabilities work, they take advantage of a very useful set of functions within CPU's that help them work faster and more efficiently. Engineering that out of CPU's is going to take us back at least a decade, performance-wise, and even more than that for some forms of software. Instead, it might be better to find a way to isolate those functions from direct high-level software access, which would mitigate the problems without removing them.


----------



## Vayra86 (Jan 10, 2018)

lexluthermiester said:


> I don't think that's what AMD is doing at all. The public knows how serious this is. AMD knows they have nothing to add because, at this moment, there is no real solution for Spectre. Like everyone else, they're working the problem and they're not going to say anything until they have something to say.
> 
> The real thing with Meltdown and Spectre is this, *there are no villains in this matter*. Not one manufacturer in their right mind would engineer such a pervasive problem into their products. And the fact that Spectre affects every CPU in existence for the past 25+ years, regardless of architecture, is evidence enough that it *was not foreseen* and has caught everyone almost equally off-guard. Laying blame at anyone is a waste of time and effort because we'd have to blame everyone equally. Even old games systems like the Playstation and N64 are vulnerable. So let's all stop the blame game, focus on the details of the problems and solving it, shall we?
> 
> Because of the way these vulnerabilities work, they take advantage of a very useful set of functions within CPU's that help them work faster and more efficiently. Engineering that out of CPU's is going to take us back at least a decade, performance-wise, and even more than that for some forms of software. Instead, it might be better to find a way to isolate those functions from direct high-level software access, which would mitigate the problems without removing them.



You're right, but it's not a mistake to think there hasn't gone serious thought over what to publish or what not to publish / say. That, is strategy


----------



## mcraygsx (Jan 11, 2018)

I wonder for how long Government agencies and hackers alike have been exploiting this bug on systems with INTEL's processors. Intel was aware of this bug well in advance when they released Skylake X and Coffee Lake processors and yet they continue to market/sell these processors to consumers and businesses. It seems as if ethical and moral values hold no value in the IT industry any longer. There goes resale value of anyone who purchased these processors.

Asus 1203


----------



## lexluthermiester (Jan 11, 2018)

Vayra86 said:


> You're right, but it's not a mistake to think there hasn't gone serious thought over what to publish or what not to publish / say. That, is strategy


Agreed, they're being strategic, but not in any nefarious way.


----------



## Xzibit (Jan 11, 2018)

lexluthermiester said:


> Agreed, they're being strategic, but not in any nefarious way.



The only thing wrong is waiting until the last minute while others were already patching their cloud servers. Intel was sitting on their hands for the general public.

The NDA was over on the 9th and if it wasn't for an AMD Linux patch leading to the general public disclosure of this, it would still be hush, hush. We wouldn't know how this would have played out and how Intel would react or have treated it.


----------



## lexluthermiester (Jan 11, 2018)

Xzibit said:


> The only thing wrong is waiting until the last minute while others were already patching their cloud servers. Intel was sitting on their hands for the general public.
> 
> The NDA was over on the 9th and if it wasn't for an AMD Linux patch leading to the general public disclosure of this, it would still be hush, hush. We wouldn't know how this would have played out and how Intel would react or have treated it.


Ok.


----------



## I No (Jan 11, 2018)

Microsoft's thoughts on the matter. Apparently the Spectre mitigation puts a dent into performance, aka Variant 2, which requires a microcode update (BIOS flash). Techspot even has a benchmark on it.


In case anyone missed Microsoft's post :
https://cloudblogs.microsoft.com/mi...459594)(nOD_rLJHOac-0BvaqQnfhAKWeHcm0ft.mA)()


Techspot's benchmark:
https://www.techspot.com/article/1556-meltdown-and-spectre-cpu-performance-windows/


----------



## lexluthermiester (Jan 11, 2018)

I No said:


> In case anyone missed Microsoft's post :
> https://cloudblogs.microsoft.com/mi...459594)(nOD_rLJHOac-0BvaqQnfhAKWeHcm0ft.mA)()


This talked about it..


I No said:


> Techspot's benchmark:
> https://www.techspot.com/article/1556-meltdown-and-spectre-cpu-performance-windows/


This showed it. Kinda interesting.

The only set of benchmarks that stands out as anything more than "statistical margin of error" is the storage benchmarks. And based on the rumblings coming out of various locations, those performance problems will likely have a fix soon.


----------



## hapkiman (Jan 17, 2018)

And here I am like thousands of others, just an average user seemingly unaffected by Meltdown and Spectre enjoying my new i7 8700k build.

I guess when I get hit in the head by a piece of falling sky, I'll know to panic.  But until then...I think I'll go play some BF1.


----------



## lexluthermiester (Jan 17, 2018)

hapkiman said:


> But until then...I think I'll go play some BF1.


Go play some "Return to Castle Wolfenstein" ( https://www.gog.com/game/return_to_castle_wolfenstein ) with the Realism HD pack ( http://www.moddb.com/mods/realrtcw-realism-mod ). Much better, if older, game play experience.


----------

