Intel Reveals New Spectre-Like Attack, Advises Disabling Hyper-Threading

[trparky]

https://support.microsoft.com/en-us/help/4494441/windows-10-update-kb4494441

I already have that update installed and everything still says that my system is vulnerable. I even removed the custom registry value entries to have it be the default and yet still, no dice.

 

[Bill_Bright]

I have yet to find and keep asking for links to a "look what happend here" story related to these vulnabilities. None so far.

Right. And yet you'd think with all the fuss and uproar and knee-jerk reactions by some over these things that life, as we know it, was about to end.

 

[trparky]

What I find absolutely insane is that in order to regain the security we once had before all of these exploits came about, we have to effectively castrate our processors by turning off Hyperthreading. I don't know about you guys but I don't find that solution to be an acceptable option.

Right. And yet you'd think with all the fuss and uproar and knee-jerk reactions by some over these things that life, as we know it, was about to end.

The bad part is, you don't know you got hit until you find your info on the dark web and then it's too late.

 

[Bill_Bright]

The bad part is, you don't know you got hit until you find your info on the dark web and then it's too late.

And how is that different from any other malicious activity? Why would you assume all your other security measures have been compromised? Do you feel your router has been compromised? Do you assume your anti-malware solution will not detect any suspicious activity? Do you leave your computer unattended at a public library where anyone can gain physical access to it?

You are much more likely to find your info on the dark web because your bank, Yahoo, The Home Depot, Equifax or Facebook were hacked - again - due to the lackadaisical incompetence of the IT administrators and/or CIOs and CSOs.

 

[trparky]

The point I'm trying to make here is that because of these silicon-level vulnerabilities, can we really trust our systems? Can we really trust what our anti-malware is saying to us considering that these vulnerabilities open the door for Ring-0 level attacks? I would say no.

If you ask me, Intel should be held legally liable since the very architecture is fundamentally flawed. As one person on the old HardOCP forums said...

I mean their un-patched chips basically don't bother to check if bits have permission to be there until after they execute.

It's like Intel left the door open and then after the shady looking guy walks in and he's done God knows what, we check his credentials. That makes no sense.

Oh this is good... as much as I hate referencing The Verge, Intel is currently facing 32 lawsuits regarding Spectre and Meltdown and that was back at the beginning of 2018. (Source) How much do you want to bet that the number of lawsuits is much larger now? Yeah...

 

[FireFox]

Does anyone knows if there is a media creation tool for 1903?

 

[biffzinker]

Does anyone knows if there is a media creation tool for 1903?

1903 is still in the testing phase, another 19H1 build 18362.113 was pushed to the slow ring.

 

[trparky]

Once again Microsoft can't stick to a promised release schedule. What more proof do you need to indicate that Microsoft really does need to slow down on these upgrades? Twice a year is too hard, slow it down to once a year.

 

[Vayra86]

The point I'm trying to make here is that because of these silicon-level vulnerabilities, can we really trust our systems? Can we really trust what our anti-malware is saying to us considering that these vulnerabilities open the door for Ring-0 level attacks? I would say no.

If you ask me, Intel should be held legally liable since the very architecture is fundamentally flawed. As one person on the old HardOCP forums said...

It's like Intel left the door open and then after the shady looking guy walks in and he's done God knows what, we check his credentials. That makes no sense.

Oh this is good... as much as I hate referencing The Verge, Intel is currently facing 32 lawsuits regarding Spectre and Meltdown and that was back at the beginning of 2018. (Source) How much do you want to bet that the number of lawsuits is much larger now? Yeah...

The problem with this is that its hindsight speak. The only way Intel will be held accountable and liable is when some memo or communication turns up prior to the release of these CPUs where the flaws are discussed and tossed aside. I doubt that's the case - never say never though.

Another question that could be legitimately asked is: 'why did no one else ever figure this out'. I mean, we're talking about millions of CPUs in a many thousands of businesses, but also governments., up to and including the highest confidentiality levels. The stakes cannot be higher, yet still after all this time nobody ever said a thing about it, or noticed anything weird.

Some mistakes are just genuine, human, and yes even collectively we are very good at making the same mistake together... What's more important is how it is fixed. On top of that, we already know that its impossible to guarantee perfect security, and now we get to see this in practice (and without major damage). Maybe it's a learning experience for us.

 

[trparky]

What's more important is how it is fixed.

Basically I think it's time to scrap the Core architecture and design a new one from scratch. I have a feeling that that's what Intel has planned, why else would they hire Jim Keller? Unfortunately, even with the lauded Jim Keller at the helm it's going to take a few more years until that new architecture is anywhere near being ready for mass use and until then we get to enjoy several years of new flaws.

 

[Bill_Bright]

If you ask me, Intel should be held legally liable

Legally liable for what? Have you been damaged or harmed? This is not like airbags blowing shrapnel in our faces with the company knowing about it and intenti

There are billions of transistor gates in processors. No way to expect perfection. And now you want a whole new architecture with billions more "new" and un-scrutinized gates and coding? Not to mention this would then require new OS architectures, chipsets/motherboards, perhaps RAM and all new I/Os too. And then there's all the software out there designed to run on the current platform.

Once again Microsoft can't stick to a promised release schedule.

What does MS have to do with this? This thread is about Intel so that's just more opportunistic bashing just to bash. And where did Microsoft "promise" to release anything? They didn't.

 

[trparky]

Have you been damaged or harmed?

I may have not been damaged. However if I were an Amazon.com AWS architect I'd be raising seven kinds of hell.

What does MS have to do with this? This thread is about Intel so that's just more opportunistic bashing just to bash. And where did Microsoft "promise" to release anything? They didn't.

People, including myself, don't necessarily need a reason to bash Microsoft. They practically give material for us to use much like politicians do for late night TV comedy hosts.

 

[Bill_Bright]

People, including myself, don't necessarily need a reason to bash Microsoft.

That's just silly. How about because this is a technical forum and maybe having a little pride in what is posted is technically correct? That seems like a a good reason to me.

And how about because this thread is about the Intel flaw?

 

[Deleted member 24505]

1903 is still in the testing phase, another 19H1 build 18362.113 was pushed to the slow ring.

Tbh imo it's fine for release now, been using it for 6 weeks, everyday use and gaming, no problems.

 

[TheoneandonlyMrK]

And how is that different from any other malicious activity? Why would you assume all your other security measures have been compromised? Do you feel your router has been compromised? Do you assume your anti-malware solution will not detect any suspicious activity? Do you leave your computer unattended at a public library where anyone can gain physical access to it?

You are much more likely to find your info on the dark web because your bank, Yahoo, The Home Depot, Equifax or Facebook were hacked - again - due to the lackadaisical incompetence of the IT administrators and/or CIOs and CSOs.

Exactly , hackers wont be after enthusiast and gamers Pc's directly , they are after, corporate tech or financial advantage after all, what with Intel owning the majority of servers , and human nature being what it is I admire your positivity.

 

[biffzinker]

What does MS have to do with this? This thread is about Intel so that's just more opportunistic bashing just to bash. And where did Microsoft "promise" to release anything? They didn't.

Likely in relation to my post about 1903 not being released yet. I was just trying to answer @Knoxx29 post about media creation tool for 1903 not being available.

Tbh imo it's fine for release now, been using it for 6 weeks, everyday use and gaming, no problems.

Ran into a blue screen disabling the new Sandbox feature myself after playing around with it. Might of been because of Windows Defender Application Guard with the recent cumulative update for 1903.

 

[Deleted member 24505]

Likely in relation to my post about 1903 not being released yet. I was just trying to answer @Knoxx29 post about media creation tool for 1903 not being available.


Ran into a blue screen disabling the new Sandbox feature myself after playing around with it. Might of been because of Windows Defender Application Guard with the recent cumulative update for 1903.

The sandbox is very useful imo, for testing dubious proggys before you trust them properly.

 

[ratirt]

Not according to this...
View attachment 123038

Yeah well. I've looked over the internet and read some articles about this and I seen that table. It appears even the 9th gen is affected so as 8th. Sorry bro for the bad news.

What do you expect them to say? "Some processors may have this vulnerability" then leave it at that keeping everyone guessing which processors?

I am not saying this isn't bad, it is. And it is not just another ho-hum vulnerability. But it is not the end of the world either.

If you run without being behind a router, without running any anti-malware or firewall protection and you don't keep Windows current, cut your Ethernet cables and panic. Otherwise, I recommend leaving the OS alone. Don't start making changes to the Registry. Let Intel and OS makers do their thing - they are already on it.

That wasn't my point Mr. "Corn Husker" the question is why this hasn't been fixed within the time. Are you saying Intel didn't know about it? Ryzens don't have that vulnerability. It's just disappointing considering Intel is such a vast company in microprocessors and yet it is there. Meaning they don't give a rats ass about the security. I'm just disappointed. Anyway it can be fixed via soft? Hopefully not by disabling HT cause that's a fools errand in my opinion. They need to catch up with that and hopefully new products won't have that vulnerability.

Legally liable for what? Have you been damaged or harmed? This is not like airbags blowing shrapnel in our faces with the company knowing about it and intenti

There are billions of transistor gates in processors. No way to expect perfection. And now you want a whole new architecture with billions more "new" and un-scrutinized gates and coding? Not to mention this would then require new OS architectures, chipsets/motherboards, perhaps RAM and all new I/Os too. And then there's all the software out there designed to run on the current platform.

Maybe they should have been held responsible. Here's that Corn husker attitude again. Stop offending people. So what if it has billions of transistors? You can protect from this when you want to do it despite how many transistors you have. Maybe at some point Intel will be held responsible if the companies using this product get really pissed or lose sensitive data cause of this. Intel didn't put too much effort to test products for security breach. It's their product and I'm100% sure they had known about this when the products were released.

Tbh imo it's fine for release now, been using it for 6 weeks, everyday use and gaming, no problems.

Is it open for free download on Microsoft page? If not when is the release scheduled if anyone knows?

 

[R-T-B]

The sandbox is very useful imo, for testing dubious proggys before you trust them properly.

And ironically, breaking out of a sandbox is one thing this vulnerability can do with relative ease.

 

[Bill_Bright]

the question is why this hasn't been fixed within the time.

I ask again? What do you expect? How do you change the coding of a processor already out in the field - coding that is basically hardwired in there by the default "quiescent" state of the gates?

Are you saying Intel didn't know about it?

And how do you know they did? You don't! Yet you assume (1) they knew about it all along and (2) you assume they intentionally chose to do nothing about it and (3) you have decided based on your assumptions and speculations (with no proof at all) that Intel doesn't care about security! Yeah right. Talk about YOUR attitude.

And by the way, just because I live in Nebraska, it does NOT, in any way imply I am native to here, that I am a Cornhusker fan, or that I have the same values as them. Frankly, your comments just indicate serious concerns with your attitude in how you prejudge people without ever actually knowing them. That's pretty sad.

So what if it has billions of transistors? You can protect from this when you want to do it despite how many transistors you have.

Oh, excuse me. I did not realize you are the preeminent expert in microprocessor design and manufacturing and know it all when it comes to discovering, identifying and protecting consumers from every potential flow in them.

 

[HD64G]

I already have that update installed and everything still says that my system is vulnerable. I even removed the custom registry value entries to have it be the default and yet still, no dice.

My take is that without firmware updates this vulnerability will keep existing as some of the others previously.

 

[Chomiq]

Once again Microsoft can't stick to a promised release schedule. What more proof do you need to indicate that Microsoft really does need to slow down on these upgrades? Twice a year is too hard, slow it down to once a year.

What they need to do is to hire an actual QA team instead of using users to beta test their updates.

 

[Bill_Bright]

What they need to do is to hire an actual QA team instead of using users to beta test their updates.

They do. But it is important to understand virtually every single one of the 1.5+ billion Windows systems out there is a unique machine. Unique with its own hardware configurations, security setups, network setup, users and user customization, and installed apps. No way can they test every scenario. So they have to rely on the beta testers.

What they need to do is actually listen to the Windows Insiders who do the beta testing and when problems are reported, fix them. They were not staying on top of that well -but after last years fiasco, they are now - or are at least much better at it. But they actually need more insiders testing. As any statistician knows, the greater the sampling, the more accurate the results. So I recommend everyone who has an extra system, join up and be a part of the solution.

 

[trparky]

No way can they test every scenario.

And yet they did it back in the day, they had their own QA department and they "dog fooded" their software on their own employees. And you know what? Software quality was far better than it is now. These days installing a Windows Update is like playing Russian Roulette, you never know if your system won't boot after the update's done.

There used to be an initiative called the Trusted Computing Platform. Where is it? Gone. QA department? Gone. When Satya was hired as CEO both departments went bye bye and with it overall software quality.

 

[Bill_Bright]

And yet they did it back in the day, they had their own QA department and they "dog fooded" their software on their own employees.

No they didn't. Get real and stop trying to BS everyone. Intel has never had more than 150,000 employees. No way, even back in the day - except MAYBE when there only the IBM PC could they test every scenario.

Software quality was far better than it is now.

Software quality? This is about Intel hardware!

You are just throwing anything you can get your hands on at the wall and hope it sticks.