Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown

[btarunr]

By the time Intel launched its 8th generation Core "Coffee Lake" desktop processor family (September 25, 2017, with October 5 availability), the company was fully aware that the product it is releasing was vulnerable to the three vulnerabilities plaguing its processors today, the two more publicized of which, are "Spectre" and "Meltdown." Google Project Zero teams published their findings on three key vulnerabilities, Spectre (CVE-2017-5753 and CVE-2017-5715); and Meltdown (CVE-2017-5754) in mid-2017, shared with hardware manufacturers under embargo; well before Intel launched "Coffee Lake." Their findings were made public on January 3, 2018.

Intel's engineers would have had sufficient time to understand the severity of the vulnerability, as "Coffee Lake" is essentially the same micro-architecture as "Kaby Lake" and "Skylake." As one security researcher puts it, this could affect Intel's liability when 8th generation Core processor customers decide on a class-action lawsuit. As if that wasn't worse, "Skylake" and later micro-architectures could require micro-code updates in addition to OS kernel patches to work around the vulnerabilities. The three micro-architectures are expected to face a performance-hit, despite Intel extracting colorful statements from its main cloud-computing customers that performance isn't affected "in the real-world." The company was also well aware of Spectre and Meltdown before its CEO dumped $22 million in company stock and options (while investors and the SEC were unaware of the vulnerabilities).



View at TechPowerUp Main Site

 

[eidairaman1]

Ouch another one, not good at all

 

[First Strike]

It is OK to blame Intel for releasing Meltdown-vulnerable processors. But since it can be solved with Linux KPTI and Windows kernel rework, and Intel did finish those work with Linux team and Microsoft in time, it's kinda less unacceptable.

But hell no, you can’t blame Intel for Spectre vulnerability. It affects ALL modern processors with speculative execution and is simply impossible to fix (unless every app developer cooperates). The only way we currently know is to drop speculative execution and get back to stone age (80x86). We need another breakthrough in computer science in the following years to fix it.

 

[Prima.Vera]

Why do I have a feeling that things are blowing out of proportions again...

 

[Chaitanya]

Why do I have a feeling that things are blowing out of proportions again...

I dont think it blown to proportions it needs to, these c***-ups are affecting millions of users of cloud computing. What's worse is that now that it's all over the news hackers who may have been in dark will now exploit the bug even after software band-aid patches have been applied(since its a hardware bug still it can be exploited). Intel needs to own up their mess and clean it up or go belly up for good. Just a few months back it was Intel ME exploit , before that a USB exploit and now these 3 new exploits guess its a good thing so many fanboys are still a**-******g Intel in making sure they make profit end of the year.

 

[First Strike]

Nevertheless, Intel CEO did a great job on timing in terms of dumping stocks, so he didn't get thrown into jail. lmao

 

[RejZoR]

I hope shit is paying off for Intel skimping on quality work on hardware saving few millions back then and now losing 10x as much. And no, I don't think anything is blowing out of proportions. Crap like this shows the real attitide of the company. Releasing a flawed product well knowing it's flawed to such extent shows intent. They were literally hoping no one would notice or care. Damn right people should be outraged and they should feel the angre financially. I'm still waiting for actual confirmations what all the recent patches are fixing (if anything at all and how much penalty we're paying for it), but it's very unlikely I'll be buying Intel next time. I ditched Intel as an option for laptop the moment news broke out about the flaws and how their CEO dumped the stocks right before shit went public. That was the moment I ordered AMD based laptop which was as a second a bit more expensive (but faster) option. Same fate will meet the desktop eventually depending on situation. Not in the mood to change my entire X99 platform just yet...

 

[Prima.Vera]

But then again, for a normal desktop machine, do you really need a bios and OS update that just going to slow your CPU down? I mean how many Joes are running VMs in a shared environment??

 

[piloponth]

Has been Intel's CEO sued for insider trading yet? Or once again rule "too big to fail" applies?

 

[RejZoR]

But then again, for a normal desktop machine, do you really need a bios and OS update that just going to slow your CPU down? I mean how many Joes are running VMs in a shared environment??

If you think VM means only VMWare and VirtualBox, then you're greatly mistaken. Pretty much all security software today uses virtualization for malware protection and analysis. You know, what they used to run in dreadfully slow and limited emulators is now run natively in its own secure space and dissected there. Would you want to allow that in a "secure space" from which malware can potentially access your actual host?

 

[lilunxm12]

It is OK to blame Intel for releasing Meltdown-vulnerable processors. But since it can be solved with Linux KPTI and Windows kernel rework, and Intel did finish those work with Linux team and Microsoft in time, it's kinda less unacceptable.

But hell no, you can’t blame Intel for Spectre vulnerability. It affects ALL modern processors with speculative execution and is simply impossible to fix (unless every app developer cooperates). The only way we currently know is to drop speculative execution and get back to stone age (80x86). We need another breakthrough in computer science in the following years to fix it.

The fact that Meltdown can be easily patched by software update actually makes it more unacceptable to me. The logic behind the fix is simple enough and shouldn't be ignored to new generation of CPU release. To me it sounds like intel chosed to quickly push out competitive products (with an undisclosed critical flaw) against Ryzen over offering better security to all customers. Not patching Spectre can be excused, but not Meltdown.

Intel is committed to product and customer security

That official statement is a plain lie to me.

 

[thesmokingman]

You don't ship a flawed product as new, especially one where you knew well in advance. It's rather deceptive imo. The cost after the fact is immeasurable.

 

[notb]

Man... you and @Raevenlord are like a TPU's special squad for writing these anti-Intel comments. It's not even qualified as editorial or a citation from another page. It's just you - being able to put your personal opinion on the front page...

Was AMD aware of Spectre when they released Ryzen Mobile in November?

This really is a serious issue, but this panic is totally pointless. The reason why there is an embargo after a bug/flaw is found, is to give companies time to fix it before the problem goes public and media make a mess of it.
The most possible outcome now is that this whole situation will rush companies into releasing precooked fixes (so soon we'll get fixes to fixes).

 

[cmmw]

This may all not be a design flaw but "is functional by design as a backdoor to professional hackers, legel, and illegal organization that had been informed about the backdoor." NSA is one of the publicly known organizations.

The leak of the backdoors is however undesirable to the organizations and hackers that use the backdoors on a daily basis.

 

[LocutusH]

I also feel that this gets way overhyped (by the press) already...

 

[Patriot]

This may all not be a design flaw but "is functional by design as a backdoor to professional hackers, legel, and illegal organization that had been informed about the backdoor." NSA is one of the publicly known organizations.

The leak of the backdoors is however undesirable to the organizations and hackers that use the backdoors on a daily basis.

Yeah... no shit they knew there was a backdoor on the latest gen cpu... it's been there for 15yrs... the next wikileak dump should make this all more clear.
Given that 4 independent research groups happened to find all this shit at the same exact time... this was a tip-off/retiring of a backdoor due to impending leak.

 

[biffzinker]

I mean how many Joes are running VMs in a shared environment??

I prefer my passwords as an example of the information disclosure being talked about in text I quoted below stay private undisclosed to third party apps in user space.

Speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and can therefore lead to information disclosure.
These mitigations prevent attackers from triggering a weakness in the CPU which could allow the contents of memory to be disclosed.

In client (desktop) scenarios, a malicious user mode application could be used to disclose the contents of kernel memory.

Customers using Windows client operating systems including Windows 7 Service Pack 1, Windows 8.1, and Windows 10 need to apply both firmware and software updates.

Source: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities - Security Advisory

 

[dj-electric]

Has been Intel's CEO sued for insider trading yet? Or once again rule "too big to fail" applies?

I'm a firm believer in "the bigger they are, the harder they fall".

 

[ensabrenoir]

.....just ignore that iceberg intel....nothing to worry about.... On the real though....this is kinda sad....

 

[thesmokingman]

I also feel that this gets way overhyped (by the press) already...

It's all fake news right?

 

[cmmw]

May just be like you said "retiring of a backdoor" and later push for next-generation processor sale with even more powerful backdoors:
(without the leaked backdoors)
Intel Management Engine (ME) cannot be switched off
AMD's Platform Security Processor （PSP) it uses an ARM processor..... can be switched off in BIOS, but can it actually be switched off in hardware level?

Scary.....

may just be retiring some leaked backdoors..... retiring some leaked backdoors...
main investors have both AMD and Intel shares
boosting AMD for balancing the CPU market, dramas and competitions are needed to boost sales.

All in the name for the greater good

 

[Outback Bronze]

Looks like ill have to fire up my old P4 : )

 

[Patriot]

Looks like ill have to fire up my old P4 : )

It is still vulnerable.... you would have to break out a P1 to be unaffected....

 

[qubit]

Intel are clearly, a caring, sharing company. Aww, I feel so warm and fuzzy now.

 

[Rahmat Sofyan]

Is it all of this related to yahoo problem and other hacked or leaked accounts ?