Od1sseas13th Gen :cool:

AusWolfIt makes me wonder if these vulnerabilities really deserve the attention they get. I mean, sure, someone could potentially hack your PC doing the point-and-click steps you described, but why would they?

These news are way more important for businesses than for us, imo.

lexluthermiesterNo they are not. And if you really believe that, I have a bridge in Brooklyn NYC I'd like to sell you...

MusselsTheres been some pretty big updates along the way

efikkan:wtf:
So-called "AI" is not currently intelligent at all, it's basically using heuristics to recognize patterns, which in turn can be used to generate new data. So in essence, using "AI" to design CPUs will probably lead to designs with more flaws, since there is no intelligence behind the "decisions".

Using "AI" to help test designs could be interesting though, as it might expose some interesting use cases.

(OT: Using AI to generate text can yield some seriously hilarious results though: link)


I'm a software engineer, not a hardware engineer, but if the corporate culture in companies like Intel, AMD, Nvidia, etc. is anything like what I've experienced in software companies with 1000+ employees (or read about in horror stories), I'm not surprised at all that a lot of serious flaws slip through. I've personally witnessed several cases of even "inexperienced" interns discovering critical flaws which have been completely dismissed. If you have hundreds or thousands of engineers on a project, there is probably a huge hierarchy of middle management, where it's hard to get the right information through the "noise". (Not to mention, engineers are generally stubborn "know-it-alls") And then there is the case of management knowing the issue, but deliberately covering it up to ship a product.
To be clear, I'm explaining it, not excusing it.

To answer your first paragraph, how would you do good enough QA?
CPUs are incredible complex state machines, and verifying every possible combination is impossible.
With every released CPU there is commonly a long errata, containing typically 20-30 flaws discovered during testing. It is actually quite normal that a lot of features are disabled or timings adjusted in the firmware due to bugs, so probably no CPU performs "as they expected", no new architecture anyways.
And it's common that some flaws are not addressed in firmware either, so certain software can be triggering a CPU bug on specific CPUs.
I know of two such examples. The Bulldozer family had some error triggered by compiling (I believe it was gcc), resulting in invalid binaries. Zen(1) had another flaw triggered most easily by gcc and llvm, which AMD never fully acknowledged. And Intel has had plenty too.


You should be much more worried about the crappy firmware of your router, it probably has several easily exploitable vulnerabilities.

For any bug that requires root access to exploit, it's not really a problem for desktop users, as a root can do anything on your computer anyways.

The concern is for cloud providers, as someone in one VM can potentially affect another VM. But even then it's probably mostly theoretical. It is one thing to reproduce a problem in a controlled environment, and something completely different to do it on a server with randomized memory addresses, lots of data churning through constantly, VMs being loaded and unloaded all the time. The chances of someone stealing a continuous piece of data through a randomized and fragmented memory space is minuscule. But sure, an attacker can get lucky and strike a few bytes containing a private key etc.

PatriotIt's not just a different customer issue, its a about pivoting from a useless VM of one customer to a more useful VM of the same customer. Being able to pivot across VMs is highly useful for a hacker "going deep" (shrugs)

AnotherReaderIn addition, fast zeroing of registers upon a context switch would kill exploits like this completely.

AnotherReaderIf the attacker is already within your VM, then you have bigger fish to fry than Downfall as there are far easier exploits available at that point.

lexluthermiesterTrue, but that's not what I was saying. They were saying that every single update was critical, which is just as silly as it is wrong.

MusselsThey're relevant in a few ways, but rarely effect home users directly - it's more than home users are not worth the effort to develop malware that byte steal a few bytes of a code at a time, while a cloud server running a dozen instances of sensitive data those few bytes could strike gold

Common hardware (as desktops are more or less cut down enterprise hardware these days) means we're vulnerable too

MusselsThat's where some confusion sets in, because of how you interpret the updates

Every major release had major changes - entire ranges of CPUs added in, new features like ReBar, default settings changes for windows 11, and so on.

Beta and test releases can count or not count depending on your perspective - they're both major in that they had the big improvements first, but minor in that they weren't the final release of that feature.
Then board makers could put out 20 BIOS updates on the same AGESA code fixing their own shit which is a different metric again


I do agree that not every update was critical by the way, just saying that depending how you view it it can seem that way - check Asus BIOS lists for the boards and the only remaining visible files are those major updates with the minor ones removed from view

AusWolfYes, we're vulnerable, but what's the likelihood of actually being hacked?

AusWolfYes, we're vulnerable, but what's the likelihood of actually being hacked?

WyeThis sounds like a very old issue that existed 10 years ago, or similar. And it has the same caveat: zero impact on desktop users.

NhonhoDon't worry. They will publish the 13th generation security flaw only next year to you buy new CPU and motherboard too.

R-T-BThere are opt out registry keys for everything trailing all the way back to meltdown for the os side. In that sense you can.

Microcode is harder to skip but also tends to lose far less performance than the OS mitigations.


Admin is not needed. People keep saying this but there is no evidence for it that I've seen.

It would be hard, but not impossible to mount such an attack in javascript. It'd probably help if you knew the exact target hardware in advance.


Windows had regkeys to disable every mitigation, just FYI. It's virtually the same as Linux there. Looking them up is far more homework, however.

Od1sseasI will just install an antivirus

MusselsThat wont change how mitigations work

Solid State Soul ( SSS )Planned obsolescence at its finest ladies and gentlemen

MarsM4NTbh. Microsoft did way more harm with their ridiculous Windows 11 hardware requirements. :shadedshu: The amount of PC's that end up in landfills because of that will be monumental.

Od1sseasAntivirus has anti-exploit protection

Prima.VeraSometimes I feel paranoid and think maybe Intel is doing those things on purpose, just for companies to start replacing "old" hardware much faster. Who knows what are they cooking for 13th and 12th gen CPUs in 1 or 2 years from now ;)

MusselsBut they can't turn off something already active - that defeats the purpose of the mitigations because then a virus can just turn them off, too.


They certainly held onto news of this so they had another year of sales of products with a known flaw, knowing those consumers will need to replace them

ncrsThe comments here also imply some performance impact, but again - we'll need to wait for Phoronix benchmarks.

mkdrLets hope you can disable the mitigations under Windows.