Intel Reveals New Spectre-Like Attack, Advises Disabling Hyper-Threading

[trparky]

I'm referring to Microsoft since the piece I quoted from you was regarding Microsoft. This part of the conversation started with @Chomiq.

And yet they (Microsoft) did it back in the day, they (Microsoft) had their own QA department and they (Microsoft) "dog fooded" their software on their own employees. Windows XP was rock solid, we never had to worry about a Windows Update bricking systems world wide back in the days of Windows XP. Fast forward to Windows 10 and we are all Microsoft's own lab rats.

Case in point, the last update that caused issues with a certain antivirus installed on the system. Really Microsoft? This would have never happened years ago.

 

[TheoneandonlyMrK]

I'm referring to Microsoft since the piece I quoted from you was regarding Microsoft. This part of the conversation started with @Chomiq.

And yet they (Microsoft) did it back in the day, they (Microsoft) had their own QA department and they (Microsoft) "dog fooded" their software on their own employees.

playing fair software and hardware was significantly simpler Back int day , as were the dev suites and Sdk's , Api's , interfaces, in fact i can actually state everything was simpler back int day.

this is not even a fault, to be clear it's a vulnerability, something NO ONE foresaw being technically possible both when it was designed and made and also in the many years since then until a researcher Discovered the FLAW in intel's security architecture , the chips were not made bad or defective.

 

[trparky]

I'm simply referring to the fact that these days you have to worry if a Windows Update will suddenly either BSOD your system upon restart or delete your data.

And besides, people don't exactly like the idea of being spied on (or so they say, see Windows 10 telemetry) along with the inability to disable Windows Update (without having to install such programs like ShutUp10) which is why so many people haven't upgraded to Windows 10 yet. Go ahead and journey into the General Software forum right here on TPU and I can guarantee you that you'll find people who rant constantly about how Windows 10 is a train wreck. I may not necessarily think Windows 10 is a train wreck but if enough people do think that way, Windows 10 will be seen as such by the general public.

As for software quality issues... see this thread. How the heck did Microsoft not catch this? This would've never happened years ago.

 

[TheoneandonlyMrK]

I'm simply referring to the fact that these days you have to worry if a Windows Update will suddenly either BSOD your system upon restart or delete your data.

And besides, people don't exactly like the idea of being spied on (or so they say, see Windows 10 telemetry) along with the inability to disable Windows Update (without having to install such programs like ShutUp10) which is why so many people haven't upgraded to Windows 10 yet. Go ahead and journey into the General Software forum right here on TPU and I can guarantee you that you'll find people who rant constantly about how Windows 10 is a train wreck. I may not necessarily think Windows 10 is a train wreck but if enough people do think that way, Windows 10 will be seen as such by the general public.

As for software quality issues... see this thread. How the heck did Microsoft not catch this? This would've never happened years ago.

I updated when 1809 deleted all your folders, I lost a couple of logs ,that's all.
Stuff can go wrong , maybe an update, maybe the dog pisses on it regardless if you own a PC and have'nt had it completely shit the bed and kill all your everything , then you have'nt had a PC long enough to moan about update deaths imho.

besides I f&%£d my Pc up way more times then Microsoft or Intel Ever could, i fixed it ,eh.

 

[phanbuey]

I have yet to find and keep asking for links to a "look what happend here" story related to these vulnabilities. None so far.

Too early still, also the attacks are pretty difficult to pull off. It's catching in flight cache data... that might be sensitive data... but most likely not, and it has to have a locally executing javascript applet to do it; again possible - but no one is going to sit around looking at randomly leaked cache data hoping for a password to a normal user.

 

[trparky]

I updated when 1809 deleted all your folders, I lost a couple of logs ,that's all.

I don't care if it was just log files, data loss because of an upgrade is simply NOT acceptable! It's one thing if hardware failure or user error occurred, it's another thing because something didn't get tested properly.

 

[P4-630]

Anyone else got the same kb4494441 update again today?

 

[TheoneandonlyMrK]

I don't care if it was just log files, data loss because of an upgrade is simply NOT acceptable! It's one thing if hardware failure or user error occurred, it's another thing because something didn't get tested properly.

User error causes data loss Even in that case , not an update , bacup , enough said.

 

[trparky]

Anyone else got the same kb4494441 update again today?

Yeah, I did. Microsoft Kuality Control strikes again.

 

[phanbuey]

im hoping intel's cascade lake has a bunch of this stuff mitigated... and has some extra cache to mitigate the performance hit lol

 

[ratirt]

I ask again? What do you expect? How do you change the coding of a processor already out in the field - coding that is basically hardwired in there by the default "quiescent" state of the gates?
And how do you know they did? You don't! Yet you assume (1) they knew about it all along and (2) you assume they intentionally chose to do nothing about it and (3) you have decided based on your assumptions and speculations (with no proof at all) that Intel doesn't care about security! Yeah right. Talk about YOUR attitude.

And by the way, just because I live in Nebraska, it does NOT, in any way imply I am native to here, that I am a Cornhusker fan, or that I have the same values as them. Frankly, your comments just indicate serious concerns with your attitude in how you prejudge people without ever actually knowing them. That's pretty sad.
Oh, excuse me. I did not realize you are the preeminent expert in microprocessor design and manufacturing and know it all when it comes to discovering, identifying and protecting consumers from every potential flow in them.

I can bet they knew about this but they just kept their mouths shut. I ask again. You don't need to change the coding. Are you telling me you are an expert? Cause you make it sound like one of us must be an expert to know something about it. So if I'm not an expert then you are? I seriously doubt it. It has already been fixed with software at least some of it. So you were wrong.
Secondly, Cornhusker is a reference to a native Nebraska person or a resident. Besides I wasn't referring to any sports team and imply you being a fan of one. I'm guessing you have missed this.
Intel and any other company has a department to test their products in terms of any security issues. Maybe instead of taking this seriously they been goofing off recently and this is what consumers get.
"from every potential flow?(or flaw) in them" I didn't get that one.

 

[juiseman]

So is this the 4th or 5th discovery in the last year? I have lost track now....

What is the performance hit in total with all of the patches installed? is it a few % on each?
are we talking about 20%-25% total now?
Or do I have all this wrong.....

 

[er557]

I have all mitigations enabled and secure on haswell-ep, latest updates and microcode, hyperthreading enabled, I see no performance impact whatsoever, storage or cpu.
win 1903 has retpoline system to prevent performance impact from mitigations. In fact, my benchmarks are higher...

 

[P4-630]

I have all mitigations enabled and secure on haswell-ep, latest updates and microcode

How did you confirm this?
And just by windows updates?

 

[Chomiq]

How did you confirm this?
And just by windows updates?

There's MDS Tool that's available on:

MDS Attacks: Microarchitectural Data Sampling

mdsattacks.com

 

[er557]

Easier than this tool, there is a powershell script from MS called speculationcontrol, google it, use it, and you will see all vulnerabilities and whether they are OK.

edit: indeed, just by updates, whether standalone from web or from windows update itself.

 

[P4-630]

Easier than this tool, there is a powershell script from MS called speculationcontrol, google it, use it, and you will see all vulnerabilities and whether they are OK.

edit: indeed, just by updates, whether standalone from web or from windows update itself.

Can you make a screenshot from when you run the MDS tool?

MDS Attacks: Microarchitectural Data Sampling

mdsattacks.com

 

[R0H1T]

I have all mitigations enabled and secure on haswell-ep, latest updates and microcode, hyperthreading enabled, I see no performance impact whatsoever, storage or cpu.
win 1903 has retpoline system to prevent performance impact from mitigations. In fact, my benchmarks are higher...

That's factually inaccurate, except for edge cases all ucode+OS mitigations produce a negative impact on performance on all systems (w/spectre) including AMD. The impact is application dependent, but it is there, more so wrt meltdown.

 

[er557]

 

[Bill_Bright]

I can bet they knew about this but they just kept their mouths shut.

Yeah right! Because they thought nobody would notice? These companies have learned that bad publicity from the cover-up is MUCH WORSE than the crime itself. And they have learned whistle-blowers will leak such information if nothing is done about it.

If they knew about it and kept their mouths shut it was to keep that information from the bad guys - which IS the proper and logical way to deal with these type issues.

You don't need to change the coding.

Well of course coding needs to be changed. If the code is flawed, it needs to be fixed. They cannot "recall" all these processors out in the field so they will need to rely on other ways to patch that code for those already in the field. But for future processors, then they will need to revise the coding within the dies.

Are you telling me you are an expert?

No, but I do have multiple degrees and certs in electronics and IS/IT systems, and have taken several courses in computer electronics, including micro-electronics. I have taught electronics and I have company management training and experience too - enough of each to give me some pretty good insight here. You can follow the link in my sig to see if I might know a little about what I am talking about. But I still would not pretend to be a CPU expert enough to make such claims as "Intel knew all along", that "they don't care", or any of the other purely speculative assumptions many, including you, have made in this thread when you are neither an expert nor an Intel insider. You are just guessing, pretending to know things you have no clue about, and then pretending that gives you the credentials to accuse and bash Intel and others with totally unsubstantiated, often nonsensical (like that below), if not totally false claims. Example:

And yet they did it [test every scenario] back in the day,
Once again Microsoft can't stick to a promised release schedule.
we never had to worry about a Windows Update bricking systems world wide back in the days of Windows XP

Every scenario? Promised release schedule? World wide bricking of systems? See? Nonsense.

As for bricking systems, for one, problems with WU are very rare and "bricking" system is even more rare. Does it happen? Of course! As I noted, they cannot test every scenario. But the odds it might happen are extremely rare. If it was anything like trparky wants you to believe, it would have happened to 1000s of TPU posters. Where are they? I personally know of no system ever "bricked" by a WU. Worse case was having to reboot a couple times and then they were good to go.

And comparing W10 from today to XP from almost 20 years ago is more nonsense. The emphasis back then was legacy hardware and software support, not security. Microsoft today puts security ahead of legacy support. So what happens? Microsoft gets bashed by the trparky's for not supporting legacy stuff. But that's okay. Microsoft would much rather get bashed for that instead of getting bashed for security issues that are not their fault - and rightfully so, IMO.

Is this Intel problem bad? It sure is not good. But is it right to go on this relentless bash fest, feeding frenzy, pulling in Microsoft and others to bash in the process? No.

 

[trparky]

Does it happen? Of course!

Yes, and it's happening more lately since they fired their own internal QA department. Well, that may be a bit of a sensationalist kind of way to say it but they (according to people in the industry, Why did Microsoft lay off 'Programmatic testers'?) Microsoft laid off a lot of their programmatic testers and have put much more of the testing on the developers themselves. Just like novelists and newspaper reporters (at least the good newspapers!) hire editors to go over their writing to check for grammar and various other issues with their writing so as to bring in a fresh pair of eyes to the situation, programming code also needs someone else (who didn't write the code) to check it over. This last step was done away with internal to Microsoft and that job has been put into the hands of the same people writing the code. Has this caused software quality to drop? Oh hell yeah!

I personally know of no system ever "bricked" by a WU.

Then you really need to talk to some of your IT buddies because I'm damn sure you'll hear horror stories.

 

[R-T-B]

I ask again? What do you expect? How do you change the coding of a processor already out in the field - coding that is basically hardwired in there by the default "quiescent" state of the gates?

Microcode. But even that has rather immense limits... just pointing it out. It's the best approach, albeit, pretty tough to manage.

I've built a name for myself around my understanding of UEFI, microcode, and my ability to reverse engineer things. So while I am hardly an expert (someone who reverse engineers never is), I can say the timeframe is quite plausible.

Then you really need to talk to some of your IE buddies because I'm damn sure you'll hear horror stories.

The only brick-like update I'm aware of related to Surface tablet, gen 1 hardware. And a bootloop is not a brick, mind you.

 

[trparky]

And a bootloop is not a brick, mind you.

To your average user who doesn't know jack about computers, they might think of it as such.

 

[R-T-B]

I have all mitigations enabled and secure on haswell-ep, latest updates and microcode, hyperthreading enabled, I see no performance impact whatsoever, storage or cpu.
win 1903 has retpoline system to prevent performance impact from mitigations. In fact, my benchmarks are higher...

Retpoline has been used in linux for a bit now and is pretty ingenius. Needs to be deployed widely asap.

To your average user who doesn't know jack about computers, they might think of it as such.

Doesn't change the definition though.

I agree Windows 10 quality of updates has suffered dramatically though. In order to rehire quality testers though, be prepared to pay full upgrade price every 2 years again.

Trusted Computing Platform

This is part of Trusted Computing Group, still exists, and is unrelated to Microsoft.

They do things like TPM, Opal, and related standards.

 

[trparky]

In order to rehire quality testers though, be prepared to pay full upgrade price every 2 years again.

If that means that we get better quality software and where patches don't send our systems into BSODs then that's money well spent. Sometimes you have to pay for quality.

Think about it this way... Windows 10 was given away for free for the first year (officially). Unofficially that free upgrade is still going on. So with Windows 10 being given away for free, one has to wonder what that's done to the Windows Development Department's budget. I can't imagine the hit was very good.