Major Intel CPU Hardware Vulnerability Found

[R0H1T]

GURU of 3D did a bunch of tests, showed little if any impact. Makes me laugh all the pissing n moaning that went on.

Yeah keep laughing

• SaturnusDK - Thursday, January 04, 2018 - link
  So if I'm understanding this correctly then the Windows Update rolled out yesterday is not complete for Intel system before Intel have rolled out a microcode update as well? And if so, we cannot make performance impact tests before that happens?
• Ryan Smith - Thursday, January 04, 2018 - link
  It's looking that way. We've yet to find a system that shows as having hardware support for branch injection mitigation.

 

[biffzinker]

So Intel microcode update delivered through Windows Update is on the way? I doubt Asus would bother with a update for older boards such as my Z97.

 

[R0H1T]

So Intel microcode update delivered through Windows Update is on the way? I doubt Asus would bother with a update for older boards such as my Z97.

This is for spectre (2) so a microcode update may work or it may not, considering it should also cover spectre variant 1. That's what Ryan is saying, there's no demonstrable exploit for Ryzen though in theory it might be vulnerable.

 

[TheoneandonlyMrK]

Me either. What scares me is the poor and unethical reporting by some bloggers and tech sites and their highly exaggerated, blown way out of proportion claims. And what scares me is readers who automatically believed those exaggerated reports, or worse, parrot those reports without doing their homework.

Was the bug bad? Sure. Was it exploited? There's no evidence of that. Microsoft has already released a patch. Has it degraded everyone's performance by 30% as claimed by those headline seeking bloggers and [cough cough, choke choke] "journalists" in the IT press. No.

Wise words

Miggt be wiser to wait until it's proveably fixed instead of jumping on the opposite soap box and shouting it's all fine ,carry on.
Most do still use an email server Not in their own home, that's just one and my main concern regarding security outside my homes control.

I wouldn't want a performance hit of any kind like others but it's definitely the security issues that concerns me most, the bit about needing physical access assures me least as it's probably the easiest thing to work on a solution to if you're interested ie blackhat wearer and is also where a lot of work is being done (by many hacker teams)to mitigate the air gap safety.

 

[Bill_Bright]

instead of jumping on the opposite soap box and shouting it's all fine ,carry on.

For sure, nobody is suggesting all is fine. There is a problem. But are users, even cloud, corporate and server users at such risk as many in the IT media suggest? Heck no. As is typically the case with newly discovered vulnerabilities, those exaggerating the threats are ether totally ignorant or choose to ignore the very real-world fact the malicious code (which first must be developed) needed to exploit these vulnerabilities must some how bypass all the security measures already in place designed to thwart unknown, suspicious and malicious activities and "behavior". Then this code must execute or deliver its payload, and get away with the compromised undetected.

It is like telling someone not to leave a $20 bill on their dinning room table because it will get stolen, totally ignoring the fact the bad guy must somehow first get past the nosy neighbor, exterior security cameras, locked doors and windows, advanced security alarm system, and past the two rottweilers while he snatches the $20, then make it out of the house and out of the neighborhood without getting bit or anyone noticing.

Is it possible? Yes. Likely? Probably not.

 

[jaggerwild]

No Windows update rolled out yesterday, the news only just broke..................For all I know your Ryan!!!! Why don't you list yer spec's?

 

[Vayra86]

Miggt be wiser to wait until it's proveably fixed instead of jumping on the opposite soap box and shouting it's all fine ,carry on.
Most do still use an email server Not in their own home, that's just one and my main concern regarding security outside my homes control.

I wouldn't want a performance hit of any kind like others but it's definitely the security issues that concerns me most, the bit about needing physical access assures me least as it's probably the easiest thing to work on a solution to if you're interested ie blackhat wearer and is also where a lot of work is being done (by many hacker teams)to mitigate the air gap safety.

Oh this isn't fine

The best guess right now on an ETA for this to be fixed in a definitive sense, is probably two years at best. The fix has to be on an architectural (CPU design) level.

I'm quite up to speed but unfortunately the best most informative piece I've read was in Dutch. Still is worth a Google Translate, I suppose:

Squee's top comment.

https://tweakers.net/reviews/5939/l...ntwoord.html?showReaction=10996183#r_10996183

The gist of it is: even something as cute as a Javascript can now gain control of your system, read out anything you're doing, etc. That means: you visit a website, you can already pick up malware that just sits on your PC for a while until a specific process has been read out, it calls home, and you're compromised. Now consider the risk for a simple sys admin anywhere who runs a password manager.

So physical access is not at all required for this to work. What's more, consider the fact that all of our data is stored in the cloud right now. Your home PC is the least interesting target but think about crypto wallets, banking, etc.

Suffice to say, this is f'in huge.

For sure, nobody is suggesting all is fine. There is a problem. But are users, even cloud, corporate and server users at such risk as many in the IT media suggest? Heck no. As is typically the case with newly discovered vulnerabilities, those exaggerating the threats are ether totally ignorant or choose to ignore the very real-world fact the malicious code (which first must be developed) needed to exploit these vulnerabilities must some how bypass all the security measures already in place designed to thwart unknown, suspicious and malicious activities and "behavior". Then this code must execute or deliver its payload, and get away with the compromised undetected.

It is like telling someone not to leave a $20 bill on their dinning room table because it will get stolen, totally ignoring the fact the bad guy must somehow first get past the nosy neighbor, exterior security cameras, locked doors and windows, advanced security alarm system, and past the two rottweilers while he snatches the $20, then make it out of the house and out of the neighborhood without getting bit or anyone noticing.

Is it possible? Yes. Likely? Probably not.

You say that, but look at how many data leaks get reported and you can't possibly be convinced this won't go south at some point.

 

[biffzinker]

No Windows update rolled out yesterday, the news only just broke..................For all I know your Ryan!!!! Why don't you list yer spec's?

The update is out, ask @P4-630 - already made post about getting the update through Windows Update eariler.

 

[brandonwh64]

this is NOT just an Intel bug, it affects AMD and ARM processors as well

This effects a range of platforms, not just intel. This is a major issue that even the Gov sent our work security emails today warning us. Our personal security company also called to have a meeting about this issue. Here is a gov article explaining in more detail

https://isc.sans.edu/diary.html?utm...al&utm_source=twitter.com&utm_campaign=buffer

 

[jaggerwild]

We gonna get money back? Yeah huge is the scope of people who are affected, I don't use VM'S or anything. But I do worry about what if anything is being "FIXED" on my computer, for all i know they will open a back door then. Sense I'm least affected by this news, Smmh!

 

[EarthDog]

Premature lawsuit is premature, no? DO we have any idea what the performance hits are? We have seen some preliminary testing, but... in many cases, there isn't a hit (and others, significant). Seems like the chicken and the egg to me.

 

[Vayra86]

Premature lawsuit is premature, no? DO we have any idea what the performance hits are? We have seen some preliminary testing, but... in many cases, there isn't a hit (and others, significant). Seems like the chicken and the egg to me.

It is premature and outright wrong because the way we handle branch prediction really is a uniform best practice in most performance oriented cpu architectures.

 

[R-T-B]

It is like telling someone not to leave a $20 bill on their dinning room table because it will get stolen, totally ignoring the fact the bad guy must somehow first get past the nosy neighbor, exterior security cameras, locked doors and windows, advanced security alarm system, and past the two rottweilers while he snatches the $20, then make it out of the house and out of the neighborhood without getting bit or anyone noticing.

Is it possible? Yes. Likely? Probably not.

Bill, I like you, but you really don't understand this one. This vulnerability, if allowed unchecked, is akin to being locked in a cage in a house with money, with the keys to cage in hand.

If you have a VM on the machine (and many VMs in the cloud share with rental providers), you can access any memory of any OTHER VM on the machine... Yes, undetected, from within your own VM. In other VMs memory, there are keys, passwords, certificates, and all these can be accessed unchecked. That's how bad this is unpatched, and there is no exaggeration there.

In many ways, this is worse than heartbleed. It will depend on how fast cloud providers deploy the fix how much damage is done, though. That's the determining factor.

The performance penalty is exagerated. The security implications are not. Nor is the call of it being a "signifigant redesign of OS kernels." After reading they basically ripped out the shared symbol file wholehog (a mainstay since the 90s) I'm actually inclined to agree with the media: That's the biggest redesign in some time.

 

[Solaris17]

Bill, I like you, but you really don't understand this one. This vulnerability, if allowed unchecked, is akin to being locked in a cage in a house with money, with the keys to cage in hand.

If you have a VM on the machine (and many VMs in the cloud share with rental providers), you can access any memory of any OTHER VM on the machine... Yes, undetected, from within your own VM. In other VMs memory, there are keys, passwords, certificates, and all these can be accessed unchecked. That's how bad this is unpatched, and there is no exaggeration there.

In many ways, this is worse than heartbleed. It will depend on how fast cloud providers deploy the fix how much damage is done, though. That's the determining factor.

The performance penalty is exagerated. The security implications are not. Nor is the call of it being a "signifigant redesign of OS kernels." After reading they basically ripped out the shared symbol file wholehog (a mainstay since the 90s) I'm actually inclined to agree with the media: That's the biggest redesign in some time.

This and might I add, the performance penalty is exaggerated for US, azure,aws,google farms have yet to feel the impact since these patches will require full node reboots. But those clusters dont word the way our desktops do.

EDIT:: I would also like too add, the real question is again, what are the performance implications for those this will actually affect? The answer is we will probably never know. Internal metrics are seldom announced or shared for competitive advantage. However MS isnt just going to let its Azure clusters fall on there face. They will task out more nodes to pick up the performance so customers dont see a thing. I would be very interested in that number though.

 

[lexluthermiester]

This effects a range of platforms, not just intel. This is a major issue that even the Gov sent our work security emails today warning us. Our personal security company also called to have a meeting about this issue. Here is a gov article explaining in more detail
https://isc.sans.edu/diary.html?utm...al&utm_source=twitter.com&utm_campaign=buffer

This seems to have the greatest effect on enterprise level systems. But even on personal type devices there is risk. I'm betting this has already been exploited on some level in the wild. It wouldn't be surprising at all if there were governments around the world have do so. Apple's walled garden seems to have had a benefit though.

 

[jaggerwild]

Will my smart phone be safe(not running windows, or IOS)? Is it a dumb phone now? Or just a phone, do I need to be running certain programs for it to be vulnerable? OK, I'll go read more links..........

 

[lexluthermiester]

Will my smart phone be safe(not running windows, or IOS)? Is it a dumb phone now? Or just a phone, do I need to be running certain programs for it to be vulnerable?

If it's Android, root your phone, install a firewall[my personal fav is AFWall+] and don't let anything connect that does not need to. Then install an adblocker on your web browser and never turn it off. Get yourself in the habit of not leaving the phone connected to the internet 24/7. Making sure you stay away from websites that fall under the category of " IShouldn'tBeHere.Com " and you should be ok.
If you have a phone that you can't root, you can still use a non-root firewall that will still work well.

 

[TheMailMan78]

Damn casuals. Run VIA chips like real men!

 

[lexluthermiester]

Damn casuals. Run VIA chips like real men!

VIA CPU's are also affected. Sorry, but "real men" are just as boned..

 

[EarthDog]

Didnt google mention android wasnt affected? May want to check their statement...

..id link it, but im mobile.

 

[lexluthermiester]

Didnt google mention android wasnt affected? May want to check their statement...
..id link it, but im mobile.

When you get a chance, I'd like to read what you're referring to. According to brandonwh64's link and arctechnica; https://arstechnica.com/gadgets/201...odern-processor-has-unfixable-security-flaws/ , and a growing number of other sources, these problems will effect all CPU's with any level of execution prediction, which literally goes all the way back to the CPU's from the late 90's on. This is turning into some seriously scary stuff.

EDIT; found this; https://meltdownattack.com/
The info found there is very informative about the details of this set of problems.

 

[FireFox]

Premature lawsuit is premature, no? DO we have any idea what the performance hits are? We have seen some preliminary testing, but... in many cases, there isn't a hit (and others, significant). Seems like the chicken and the egg to me.

Many Journalist and Reviewers are just playing the Nostradamus's Game. Lol

Does anyone has the time to tell if this whole thing affect Intel's future CPU's?

 

[Hood]

My 4790K system received the KB4056892 update from Windows earlier today, so I tested overall performance with Passmark Performance Test 9.0 a few minutes ago. It tested out the same as always, maybe a tiny bit slower, but within margin of error. It is still faster than 99% of all systems tested. I'm not worried about it, and any Intel-bashing is not justified, in my opinion.

 

[biffzinker]

My 4790K system received the KB4056892 update from Windows earlier today, so I tested overall performance with Passmark Performance Test 9.0 a few minutes ago. It tested out the same as always, maybe a tiny bit slower, but within margin of error. It is still faster than 99% of all systems tested. I'm not worried about it, and any Intel-bashing is not justified, in my opinion.

The full effect of Micrsoft's patch hasn't been felt yet until Intel pushes out a microcode/firmware update. The first half of the patch is still inactive.

Branch Target Injection is inactive without the necessary hardware support but Rogue Data Cache Load is flipped on.

 

[Regeneration]