Major Intel CPU Hardware Vulnerability Found

[notb]

No spreading FUD, please.
Meltdown was discovered independently by Jann Horn from Google's Project Zero, Werner Haas and Thomas Prescher from Cyberus Technology, as well as Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology.[19] The same research teams that discovered Meltdown also discovered a related CPU security vulnerability now called Spectre

Not what I meant.
Project Zero was the first to discover and inform CPU makers about these problems (which they did in June). The issue wasn't made public to give CPU manufacturers time to fix it.
However, it leaked some time before the planned patch launch date.
There's a good article about this situation:
https://arstechnica.com/gadgets/201...el-apple-microsoft-others-are-doing-about-it/
"It's true that AMD didn't actually reveal the details of the flaw before the embargo was up, but one of the company's developers came very close. Just after Christmas, an AMD developer contributed a Linux patch that excluded AMD chips from the Meltdown mitigation. In the note with that patch, the developer wrote, "The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.
(...)
For a company operating under an embargo, with many different players attempting to synchronize and coordinate their updates, patches, whitepapers, and other information, this was a deeply unhelpful act."

The patch note is from Dec 26. I've seen some forum discussions about it on 27-28 already.

 

[TheoneandonlyMrK]

Not what I meant.
Project Zero was the first to discover and inform CPU makers about these problems (which they did in June). The issue wasn't made public to give CPU manufacturers time to fix it.
However, it leaked some time before the planned patch launch date.
There's a good article about this situation:
https://arstechnica.com/gadgets/201...el-apple-microsoft-others-are-doing-about-it/
"It's true that AMD didn't actually reveal the details of the flaw before the embargo was up, but one of the company's developers came very close. Just after Christmas, an AMD developer contributed a Linux patch that excluded AMD chips from the Meltdown mitigation. In the note with that patch, the developer wrote, "The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.
(...)
For a company operating under an embargo, with many different players attempting to synchronize and coordinate their updates, patches, whitepapers, and other information, this was a deeply unhelpful act."

The patch note is from Dec 26. I've seen some forum discussions about it on 27-28 already.

Still trying to run up your intel share portfolio i see.

 

[Bill_Bright]

but I believe Microsoft is trying to shake some guilt off over the mess done

Why should Microsoft have any guilt? It's a processor problem. Microsoft does not make Intel, AMD or ARM processors. The flaw is in processors designed by Intel, AMD and ARM. Not Microsoft.

Three different processor manufacturing companies making CPUs designed to run various operating systems and who gets the blame and is expected to accept guilt? Microsoft.

I don't get why some just have to blame Microsoft for every and anything that goes wrong, or even might go wrong. There are plenty of screwed up things Microsoft has actually done that deserves our scorn, why do some feel it necessary to pour gas on the fire? These clear biases and down right hatred makes no sense. But worse, it spreads unwarranted, misdirected fear and loathing and misinformation.

In another thread where the mods thankfully shutdown, you have folks calling Microsoft "immoral", "greedy", "morons", "foul", "sneaky", "blatantly dishonest" "dbags" because they have a program that offers Windows 10 for free to "people with disabilities" - but not to able-bodied people. And just because Microsoft is such an evil company, it is okay for able-bodied people to grab those free licenses intended for people with disabilities too. Who's being greedy?

Microsoft can't catch a break even when they are trying to do something good.

For decades Microsoft have been blamed for the security mess we are in when it was the bad guys who put us here and the anti-malware industry who failed to stop them - after they (Norton, McAfee, CA, TrendMicro, and the others) cried and whined to Congress and the EU it was their job to do so. But who got blamed? Microsoft.

Now you want to blame Microsoft for a flaw in microprocessors made by other companies? They did not require those processor makers to put that vulnerability in there! They are just trying to mitigate the severity for now because it is easier at the software level than it is at the hardware level where the real and permanent fix must occur.

Do you blame MacOS and Linux too? Are they guilty? Why not? Those system are affected too!

If Microsoft is not perfect in everything they do, someone will find fault and bash them relentlessly, then others will blindly follow. Who out there is perfect?

Gee whiz. Bash where bashing is due and I will defend your right to do so with vigor. But senselessly bash the innocent and I will defend them (regardless their past sins) with the same vigor!

And speaking of those in the security industry, where have they been for the last 23 years? Huh? Where? This flaw apparently affects some Intel processors manufactured since 1995! Why was it not discovered until just recently? And you want to blame Microsoft?

Pure FUD and biased MS bashing! The problem is serious enough without MS biases and MS bashing rumormongering based on falsehoods.

Why is there even all this effort to place blame? Does that solve anything? Especially on a problem that goes back 23 years?

 

[_JP_]

Bill...like calm down for a minute.
I wrote that as purely my opinion. I didn't try to set it in stone.
To me, developers writing code, releasing it, stating "MUST USE" and then, if shit hits the fan go all "wasn't me", just doesn't sound responsible.
Pointing all the blame to the hardware manufacturer for products that have existed since 2006 and have survived 4 supported OS iterarions on Windows alone (XP, Vista, 7 and 8.1) isn't...well, reasonable, to me.

 

[Bill_Bright]

I don't care why you wrote it. You are entitled to your opinion and I will defend your right to express it - where appropriate. But in a technical discussion, it should be based on fact, not biases and misinformation.

Pointing all the blame to the hardware manufacturer for products that have existed since 2006 and have survived 4 supported OS iterarions on Windows alone (XP, Vista, 7 and 8.1) isn't...well, reasonable, to me.

It is not the job of OS developers to reverse engineer processors (devices with billions of transistor gates and millions of instruction sets) looking for obscure security flaws. It is the job of the hardware manufacturers and those security organizations who have put themselves in the position of detecting such flaws.

I said my piece. Now please stop spreading more FUD and stick with the facts. There are plenty of real and true facts to place real and deserving blame where it belongs - since placing blame seems to be your goal here.

 

[TheoneandonlyMrK]

I don't care why you wrote it. You are entitled to your opinion and I will defend your right to express it - where appropriate. But in a technical discussion, it should be based on fact, not biases and misinformation.
It is not the job of OS developers to reverse engineer processors (devices with billions of transistor gates and millions of instruction sets) looking for obscure security flaws. It is the job of the hardware manufacturers and those security organizations who have put themselves in the position of detecting such flaws.

I said my piece. Now please stop spreading more FUD and stick with the facts. There are plenty of real and true facts to place real and deserving blame where it belongs - since placing blame seems to be your goal here.

Playing fair Bill, the mucks being thrown quite widely on this one and everyone's deserved of a bit of it , they do all talk after all, and the continuing emergant cockups are just adding fuel to a few fires.
I don't think we're going to be passed this for a bit.

 

[trparky]

Gee whiz. Bash where bashing is due and I will defend your right to do so with vigor. But senselessly bash the innocent and I will defend them (regardless their past sins) with the same vigor!

The same can be said about Apple, the Apple hate train is just as packed as the Microsoft hate train is. I swear that hating on both Microsoft and Apple have become some sort of e-sport, the "in" or "cool" thing to do just because everyone else is doing it. Oh, since everyone else is doing it I don't want to feel left out so give me that ticket to board the hate train! All aboard the hate train! Next stop is Microsoft... get your pitchforks and torches ready, it's going to be a real hoot!

Edit
You see, I'm not a fanboy in any sense of the word. I will defend a company when the need arises and I will bash them with the same amount of vigor when that need arises. People are blaming Microsoft for this crap when you really should be blaming Intel. As @Bill_Bright said, how long has this been an issue? More than a decade! But oh no, we can't blame Intel... we're going to blame Microsoft who had no part in it other than trying to patch the systems against Intel's screw-up. If it weren't for Intel's screw-up we would not be in this mess to begin with!!! Put the blame where the blame is due... at Intel's feet.

 

[Bill_Bright]

The same can be said about Apple, the Apple hate train is just as packed as the Microsoft hate train is.

That's very true. But the numbers are much smaller so they don't get the same level of attention or make near as much noise.

they do all talk after all

And that's a good thing. I don't think there is any evidence of hiding (except from the general public - and therefore the bad guys) or worse, any signs of a cover up. What I see is Microsoft, ASUS, Gigabyte and others trying to be proactive and releasing patches and updates as quickly as possible And that's a good thing.

 

[TheoneandonlyMrK]

That's very true. But the numbers are much smaller so they don't get the same level of attention or make near as much noise.
And that's a good thing. I don't think there is any evidence of hiding (except from the general public - and therefore the bad guys) or worse, any signs of a cover up. What I see is Microsoft, ASUS, Gigabyte and others trying to be proactive and releasing patches and updates as quickly as possible And that's a good thing.

True i do however think it's not going to pan out for some , my phones now on the ropes because of this(zenphone2) it shouldn't be as it's still a good and viable phone but it won't receive Any fix and for that im angry at many companies ,intel asus Google, pile of nobs just chasing now cash.
Then there's the millions of motherboards and devices that wont get a patch ,any asus mobo over two years gets dropped clean off the update lists , and it's likely the same with some others so if a OS patch , firmware patch and mobo bios are all requirements of a fix some are definitely SOL.
That some would be millions , this needs much more clarity on what Is required to mitigate it per system type etc.

I sure as shit wont be seen defending asus intel or ms or Google on meltdown and spectre.
They're all complicit with implementing features that have proved to have been made too insecure by design, that's all of them to blame equally.
Though i get defending an unbalanced blame post.

 

[eidairaman1]

I have to, but I believe Microsoft is trying to shake some guilt off over the mess done, so that the line of fire remains aimed at CPU makers.
Ryzen was a completely different situation. New tech being released vs. early support being pushed within NDA period.
Conspiracies against AMD? please...

Microsoft was providing the patch for every system, issue arised on older AMD processors/chipsets. Microsoft has since halted patching for AMD-detected systems.

Just to be on safe side we should be aware of Patches for Intel, make sure they dont show up on AMD Winupdate lists by having those KBs listed that should be intel only for fixing them.

 

[Bill_Bright]

Then there's the millions of motherboards and devices that wont get a patch ,any asus mobo over two years gets dropped clean off the update lists , and it's likely the same with some others

True, but the vast majority of those boards will not likely be exposed to the exploits those flaws might imposed. Are they running multiple VM environments on a system with public access where a bad guy with access to one VM accesses data in memory used by another VM? That's a pretty specific scenario that doesn't apply to many home users.

 

[TheoneandonlyMrK]

True, but the vast majority of those boards will not likely be exposed to the exploits those flaws might imposed. Are they running multiple VM environments on a system with public access where a bad guy with access to one VM accesses data in memory used by another VM? That's a pretty specific scenario that doesn't apply to many home users.

Agreed but that's with the risk potential as is , an attack vector can be expanded upon over time.
Hopefully you are right about this still in six or twelve months.
But i do think more clarity is required by OEMs as to what they will and wont be required to do and what is or isn't updated personally, hopefully that comes with time.

 

[Bill_Bright]

But i do think more clarity is required by OEMs as to what they will and wont be required to do and what is or isn't updated personally, hopefully that comes with time.

This fix will not be cheap. OEMs with deeper pockets will be better able to absorb the expense. So I suspect ASUS, Gigabyte, MSI and some of the other big name boards will be more supportive - especially if it only takes a BIOS firmware update.

Lessor known brand owners may be out of look sooner.

That said, not sure the OEMs will be "required" to do anything.

More clarity all around is required. But in order to keep valuable information from the bad guys, it may not be that forthcoming. Like it or not, that is probably the best policy too.

 

[Deleted member 163934]

New Intel Microcode Update from Intel for Linux: https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?v=t

Release notes don't say much as usual...

 

[Vayra86]

I have to side with @Bill_Bright here, I think the industry is doing a pretty good job at providing and fixing quality product, and a 'blame game' has no place here.

That being said, this is not purely a 'technical discussion' (lets be fair, there is little for us to figure out here), and it still is interesting to see how different companies react to this in different ways. It shows a certain company culture, and once you can discern that, you get a pretty solid feel for how companies are likely to act. I think @notb commenting on how AMD communicates to and within the industry is a very good example of that, and another really good example was the first press release Intel sent out where it explicitly mentioned other companies and made it a core piece of that text. Every company right now is completely out of their comfort zone, out of their 'managed PR'. We get to see things as they are from very close by right now. You just need to read between the lines.

The problem is mostly with the reader, not the writer. We all need to let go of the idea that every comment directed at whichever company automatically labels one as a fanboy. If we can do that, we can be a community of like-minded individuals that look at the industry and form opinion about it. And perhaps discover some things along the way.

 

[Bill_Bright]

another really good example was the first press release Intel sent out where it explicitly mentioned other companies and made it a core piece of that text.

Not to drive this off on yet another OT tangent, I wonder how much of that first press release was dictated by company shysters... err... lawyers trying to mitigate liability issues?

''The first thing we do, let's kill all the lawyers''. William Shakespeare, Henry VI, Part 1. 1591.

 

[biffzinker]

New Intel Microcode Update from Intel for Linux: https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?v=t

Release notes don't say much as usual...

The microcode update provides hardware support for "branch target injection." Windows patch is showing this after I used the VMware driver. For whatever reason though Windows doesn't want to enable that part of the patch even if I force it by registry key.


Reverting to the November microcode update

 

[Deleted member 163934]

The microcode update provides hardware support for "branch target injection." Windows patch is showing this after I used the VMware driver. For whatever reason though Windows doesn't want to enable that part of the patch even if I force it by registry key.
View attachment 95713

Reverting to the November microcode update
View attachment 95716

Same here.
I suspect that Windows is checking before the new microcode is loaded by vmware driver and because the check fails it doesn't enable it.
Microsoft might actually have to provide the microcode update via WU for older cpu because I doubt all mb manufacturer will release bios updates for mb that aren't sold for years. Some do but there are others that just don't really bother to update the bios even when there are obvious problems with it...

 

[Flaky]

I suspect that Windows is checking before the new microcode is loaded by vmware driver and because the check fails it doesn't enable it.

Yup, exactly.
It's interesting why microsoft simply does not push new microcodes into the system. They had no problem previously doing that and accidentally hurting G3258 OC on cheap mobos
Updating microcode should be also doable with some simple pre-os utility, that would just update the microcode - somehow similar to how diy egpu setup works.
It would be a much less invasive alternative to bios modding

Anyway, updating microcode was easy. I also disabled ME - just because I can

 

[RejZoR]

Easy to use tool to check for Spectre/Meltdown vulnerability:
https://www.ashampoo.com/en/usd/pin/1304/security-software/Ashampoo-Spectre-Meltdown-CPU-Checker

It's just odd that it's still showing AMD system as "Vulnerable" for Spectre. MS only distributed patches for Meltdown so far? The system also had BIOS updated which addresses this vulnerability (dated December 2017). CPU is AMD A9-9420 APU (Stoney Ridge).

Use this command in PowerShell afterwards because Ashampoo for some dumb reason doesn't set it back after the test:
Set-ExecutionPolicy -ExecutionPolicy Default -Scope CurrentUser

 

[biffzinker]

An Update on AMD Processor Security 1/11/2018

The public disclosure on January 3rd that multiple research teams had discovered security issues related to how modern microprocessors handle speculative execution has brought to the forefront the constant vigilance needed to protect and secure data. These threats seek to circumvent the microprocessor architecture controls that preserve secure data.
At AMD, security is our top priority and we are continually working to ensure the safety of our users as new risks arise. As a part of that vigilance, I wanted to update the community on our actions to address the situation.

• Google Project Zero (GPZ) Variant 1 (Bounds Check Bypass or Spectre) is applicable to AMD processors.
  • We believe this threat can be contained with an operating system (OS) patch and we have been working with OS providers to address this issue.
  • Microsoft is distributing patches for the majority of AMD systems now. We are working closely with them to correct an issue that paused the distribution of patches for some older AMD processors (AMD Opteron, Athlon and AMD Turion X2 Ultra families) earlier this week. We expect this issue to be corrected shortly and Microsoft should resume updates for these older processors by next week. For the latest details, please see Microsoft’s website.
  • Linux vendors are also rolling out patches across AMD products now.
• GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors.
  • While we believe that AMD’s processor architectures make it difficult to exploit Variant 2, we continue to work closely with the industry on this threat. We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat.
  • AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC processors starting this week. We expect to make updates available for our previous generation products over the coming weeks. These software updates will be provided by system providers and OS vendors; please check with your supplier for the latest information on the available option for your configuration and requirements.
  • Linux vendors have begun to roll out OS patches for AMD systems, and we are working closely with Microsoft on the timing for distributing their patches. We are also engaging closely with the Linux community on development of “return trampoline” (Retpoline) software mitigations.
• GPZ Variant 3 (Rogue Data Cache Load or Meltdown) is not applicable to AMD processors.
  • We believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture and no mitigation is required.

There have also been questions about GPU architectures. AMD Radeon GPU architectures do not use speculative execution and thus are not susceptible to these threats.
We will provide further updates as appropriate on this site as AMD and the industry continue our collaborative work to develop mitigation solutions to protect users from these latest security threats.
Mark Papermaster,
Senior Vice President and Chief Technology Officer

Source: An Update on AMD Processor Security 1/11/2018

It's just odd that it's still showing AMD system as "Vulnerable" for Spectre.

Probably because AMD's processors are vulnerable to Spectre going by their latest update they just posted.


Update from Intel on the performance impact of a patched system with Skylake up to Coffeelake if anyone missed yesterdays update.

Jan. 10 Performance Data Results

Today we are sharing data on several 6th, 7th and 8th Generation Intel® Core™ processor platforms using Windows* 10. We previously said that we expected our performance impact should not be significant for average computer users, and the data we are sharing today support that expectation on these platforms.

The performance impact of the mitigation on 8th generation platforms (Kaby Lake, Coffee Lake) with SSDs is small. Across a variety of workloads, including office productivity and media creation as represented in the SYSMark2014SE benchmark, the expected impact is less than 6 percent. In certain cases, some users may see a more noticeable impact. For instance, users who use web applications that involve complex JavaScript operations may see a somewhat higher impact (up to 10 percent based on our initial measurements). Workloads that are graphics-intensive like gaming or compute-intensive like financial analysis see minimal impact.

Our measurements of the impact on the 7th Gen Kaby Lake-H performance mobile platform are similar to the 8th generation platforms (approximately 7 percent on the SYSMark2014SE benchmark).

For the 6th generation Skylake-S platform, our measurements show the performance impact is slightly higher, but generally in line with the observations on 8th and 7th generation platforms (approximately 8 percent on the SYSMark2014SE benchmark). We have also measured performance on the same platform with Windows 7, a common configuration in the installed base, especially in office environments. The observed impact is small (approximately 6 percent on the SYSMark2014SE benchmark). Observed impact is even lower on systems with HDDs.

As we collect more information across the broad range of usages and Intel platforms, we will make it available. Within the next week, we intend to offer a representative set of data for mobile and desktop platforms that were launched within the past five years. For those Intel customers who are worried about performance impacts, you should know that we will work on creative solutions with our industry partners to reduce those performance impacts wherever possible.


Source: Intel Security Issue Update: Initial Performance Data Results for Client Systems

 

[notb]

• GPZ Variant 3 (Rogue Data Cache Load or Meltdown) is not applicable to AMD processors.
  • We believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture and no mitigation is required.

It took them a week to go from "Zero AMD vulnerability due to AMD architecture differences." to "we believe we're not susceptible, because we've included countermeasures ".
Also, they still didn't show any sign they've actually analyzed the problem or replicated Project Zero's results. I'd expect an extensive publication by now - ARM and Intel gave them a week ago...

Seriously, this is not how you win enterprise clients. Even if the patches slow down Intel by 30% and don't touch AMD at all (unlikely), companies will just buy more Xeons...

 

[Frag_Maniac]

Never mind AMD's response, what's their excuse for not knowing, or at least claiming to not know this was going to be a problem when designing the chips? How is it when this kind of thing comes out, only Intel gets accused of cleverly hiding the truth? AMD may make a lot of bone headed marketing decisions, but it's not like their design guys are total imbeciles. I'm sure they must have seen this vulnerability, especially since server farms and the cloud have been around so long. It's mostly those corporations that use them and their many customers that deserve at least an honest answer. Most of us mere individual PC users aren't going to be affected by it at all in comparison.

For the record, I'm not saying Intel doesn't have dirt on their hands, I'm saying both of them do. I look at this stuff with the same bad taste in my mouth I get from US politics lately. They both sling muck at each other, and feign innocence, while the customers are caught in the middle. This is also kind of like how bank derivatives got out of control. Many saw it as a potential financial crisis coming, but too many were just pretending it would iron itself out. There's a lot to be said for preventative maintenance when it comes to design time. I hope both sides have learned their lesson from this.

 

[johnspack]

Yep, here it comes, let's see what it does to my vms..... diddly squad so far, whee!

 

[biffzinker]

Yep, here it comes, let's see what it does to my vms..... diddly squad so far, whee!

Since your chip is Sandybridge maybe skip out on the microcode update for Spectre but patch for Meltdown? I'm considering going that direction myself.