
More Intel leaks.. this one is not good though

Message added by W-L

Please don't bump or necro old threads. 

 

-Cleared/Locked-

Just now, Sypran said:

Yeah, but remember that Windows Update is blocked for those CPUs? https://arstechnica.com/information-technology/2017/04/new-processors-are-now-blocked-from-receiving-updates-on-old-windows/
So is this one update going to be the exception?

They'll just force it through as it's a critical security patch

Link to comment

3 minutes ago, Sypran said:

Yeah, but remember that Windows Update is blocked for those CPUs? https://arstechnica.com/information-technology/2017/04/new-processors-are-now-blocked-from-receiving-updates-on-old-windows/
So is this one update going to be the exception?

As SC2Mitch mentioned, this one is going out regardless. Also, Windows 7 users can still get updates. All you need to do is make sure that you have the patch that allows this for Ryzen.

Link to comment

8 hours ago, luigi90210 said:

YOU didn't read that article as I did, I NEVER CLAIMED nvidia and intel will perform better after this patch, unlike yourself

I used their source because it shows an I/O reduction which will DIRECTLY AFFECT HOW WELL NVIDIA'S DRAW CALLS ARE GONNA BE ON INTEL

You seem to misunderstand my issue with you: it has nothing to do with your latter points about the draw calls and simply has to do with posting unreliable information as if it proved something, nothing else. My post about AMD + Nvidia not working well together had nothing to do with the patch itself; AMD's hardware doesn't play nice with Nvidia's GPUs in general, especially in the hitching and lag department, due to extremely low 1% and .1% fps values and frame time issues

 

8 hours ago, Stefan Payne said:

You don't know that. Depends on the Game.

I was simply trying to point out the info provided in a link did not support arguments being presented, and that it seemed unreliable, but if the info were true then games would be completely unaffected

https://linustechtips.com/main/topic/631048-psu-tier-list-updated/ Tier Breakdown (My understanding)--1 Godly, 2 Great, 3 Good, 4 Average, 5 Meh, 6 Bad, 7 Awful

 

Link to comment

50 minutes ago, johnukguy said:

Microsoft are releasing an update next Tuesday for Windows 7 users.

The patch is already out for Windows 7 and 8.1. It'll show up in Windows Update next Tuesday, but if you want to patch it now you have to manually do it. The download links for the patches are here, in Microsoft's Update Catalog.

 

Individual Download Links:

Windows 7 (KB4056897)

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4056897

Windows 8.1 (KB4056898)

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4056898

Windows 10 1507 (KB4056893)

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4056893

Windows 10 1511 (KB4056888)

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4056888

Windows 10 1607 (KB4056890)

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4056890

Windows 10 1703 (KB4056891)

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4056891

Windows 10 1709 (KB4056892)

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4056892

Link to comment

32 minutes ago, mrchow19910319 said:

[Image: screenshot]

Yep, some say the moon landing was a hoax and the earth is flat.  Give us some actual information to go off rather than just hearsay.  We all know the CEO sold his shares; given Intel's shares have gone up since then, I don't think anyone can claim insider trading.

 

EDIT: totally directed at hardware unboxed, not you MrChow. 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  

Link to comment

I thought this bug was already covered back in May 2017 on the WAN show.  Is this a separate bug or are they just now deploying a fix for the May 2017 bug?

Link to comment

3 minutes ago, realsmart987 said:

I thought this bug was already covered back in May 2017 on the WAN show.  Is this a separate bug or are they just now deploying a fix for the May 2017 bug?

Different bug.  Pretty sure the one back in May was about the ME exploit.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  

Link to comment

2 hours ago, Nicholatian said:

Yeah, that's fallacious buddy. I know you didn't explicitly say it, but an argument from ignorance is no grounds to assume anything one way or the other. In the realm of that which is known, AMD is, for the moment, more secure than Intel.

Security doesn't really care about what's known other than it's known. They want to know what's unknown so they poke at it, characterize, figure out how to make it known.

 

In this case, sure, there's a security flaw with Intel's processors. But now it's characterized and known. It also has a mitigation to defeat it, making it a gamble for an attacker to be successful or not, depending on whether the system was patched. But if an attacker exploits something publicly unknown, then you have no way of defending against it. You may as well effectively have a 100% chance at pwning any given system.

 

AMD's processors are not more secure simply because they don't have as many known vulnerabilities as Intel. Unless you can test for every possible outcome, there is effectively an indefinite number of vulnerabilities in either, and from a security perspective knowing what those vulnerabilities are, characterizing them, and having ways to mitigate an attack's effectiveness is better than not knowing what your vulnerabilities are.

Link to comment

1 hour ago, AresKrieger said:

You seem to misunderstand my issue with you: it has nothing to do with your latter points about the draw calls and simply has to do with posting unreliable information as if it proved something, nothing else. My post about AMD + Nvidia not working well together had nothing to do with the patch itself; AMD's hardware doesn't play nice with Nvidia's GPUs in general, especially in the hitching and lag department, due to extremely low 1% and .1% fps values and frame time issues

Sometimes it's best to let fear-mongers have their little podium and ignore it, just remember to go back and quote it with "I told you so" ;).

 

There's already enough information available to have an accurate, not definitive, indication of the performance impact for games, which is very small. There have already been tests done on Windows using Nvidia GPUs showing marginal difference and there have been a number of synthetic tests including FireStrike which show the same. Also that draw call stuff is a total red herring, that's not how graphics drivers and APIs interact with the operating system, they are not system calls; if they were then rendering would be THE most affected and it isn't.

 

The people working on the kernel patches for Linux have already given information on actual performance tests done and given clear advice on what to expect and indicated the types of workloads most affected; if you're not a server operator then the sky is not falling. Getting damn sick of that 30% figure being thrown around, how many times do we have to say that was a specific worst case scenario done on purpose to find out what the worst resulted in?

Link to comment

Quote

The researchers discovered that the vulnerabilities affect many CPUs, including those from Intel, Advanced Micro Devices (AMD) and ARM Holdings, as well as the devices and operating systems running on it.

This is taken from RT.com - https://www.rt.com/usa/414955-intel-processors-meltdown-spectre/ 

According to a tweet reported on RT, there is an apparent fix out for it for Windows machines: https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892

Link to comment

So...I did good going AMD this gen? lol

 

 

Link to comment

1 hour ago, Nicholatian said:

When that logic shows to be practical, do let us know. For now though it's little more than smoke-and-mirrors, and that really doesn't help anyone with a real CPU that's really insecure, when they need to do real things in real time.

 

There's theoretically an indefinite number of vulnerabilities in AMD CPUs, Intel CPUs, and even VIA and ARM CPUs for that matter. Theoretically there's also an indefinite number of vulnerabilities in the operating procedures of the Secret Service, whose duties are to protect the President, but they've realised that it's impossible to make the President completely safe. Since you've effectively proved nothing here, it's unsurprising to find that they've taken other measures to protect one of the most powerful people on the planet.

I wouldn't call it smoke and mirrors. There are literally thousands of people (who know what they are doing) looking for bugs/vulnerabilities in everything.  Knowing this exploit exists and having it patched means it is no longer a threat; however, all those currently unknown vulnerabilities are still a threat (it only ceases to be a threat when the appropriate companies can patch it).

 

Whether we like it or not, tech has gotten so advanced and so complex that there are going to be threats, bugs and open exploits in everything.  The race is for the good guys to find and patch it before the bad guys find and exploit it.   You get to decide who the good and bad guys are.

 

This idea that one product is safer/more secure than another is a false concept based on a misunderstanding.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  

Link to comment

Some more updates for you guys. Researchers at Google have published some of their findings:

https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html

Quote

The Project Zero researchers discovered three methods (variants) of attack, which are effective under different conditions. All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc.
In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.
There is no single fix for all three attack variants; each requires protection independently. Many vendors have patches available for one or more of these attacks.
We will continue our work to mitigate these vulnerabilities and will update both our product support page and this blog post as we release further fixes. More broadly, we appreciate the support and involvement of all the partners and Google engineers who worked tirelessly over the last few months to make our users and customers safe.

 

There is now also a website up detailing the bugs:

https://spectreattack.com/

 

Amazon has posted a security bulletin in regards to their cloud services platform:

https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

Quote

AWS is aware of recently disclosed research regarding side-channel analysis of speculative execution on modern computer processors (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754).

This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices. All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications.

While the updates AWS performs protect underlying infrastructure, in order to be fully protected against these issues, customers must also patch their instance operating systems. Updates for Amazon Linux have been made available, and instructions for updating existing instances are provided further below along with any other AWS-related guidance relevant to this bulletin.

The most noteworthy piece of information from the security bulletin is that the exploit has existed for more than 20 years. Amazon also lists the CVEs as the following: CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754. Amazon then also states that all CPU brands are affected: Intel, AMD, and ARM.

 

Intel also has an initial public response:

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

Quote

Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.

Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.

Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.

 

▶ Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning. - Einstein◀

Please remember to mark a thread as solved if your issue has been fixed, it helps others who may stumble across the thread at a later point in time.

Link to comment
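The Google quote above says each of the three variants needs its own protection, and the AWS bulletin says instance operating systems must be patched too. As an added example that is not part of the thread, this shell check reports the mitigation state of each of the three CVEs on a Linux host. It assumes a kernel that exposes the status directory `/sys/devices/system/cpu/vulnerabilities` (not mentioned in the thread); the function names and the sample status strings are constructed for the demo.

```shell
#!/bin/sh
# Added example: per-variant mitigation status on Linux.
# Assumption: the running kernel reports one status file per issue under
# the directory below (a kernel interface, not something the thread names).
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map a status file name to the CVE listed in the AWS bulletin.
cve_for() {
    case "$1" in
        spectre_v1) echo "CVE-2017-5753" ;;
        spectre_v2) echo "CVE-2017-5715" ;;
        meltdown)   echo "CVE-2017-5754" ;;
        *)          echo "unknown" ;;
    esac
}

# Reduce the kernel's free-text status line to one of four states.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not_affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print "<file> <cve> <state>" for each variant.
# Returns 1 if any variant is neither mitigated nor not affected.
check_variants() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in spectre_v1 spectre_v2 meltdown; do
        if [ -r "$dir/$name" ]; then
            state=$(classify_status "$(cat "$dir/$name")")
        else
            # No file: the kernel predates this reporting interface,
            # so the state cannot be determined from here.
            state="unknown"
        fi
        echo "$name $(cve_for "$name") $state"
        case "$state" in
            mitigated|not_affected) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Demo on constructed sample data: one variant patched by the kernel,
# one patched in software, one still reported as vulnerable.
demo=$(mktemp -d)
printf 'Mitigation: PTI\n' > "$demo/meltdown"
printf 'Mitigation: __user pointer sanitization\n' > "$demo/spectre_v1"
printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$demo/spectre_v2"
check_variants "$demo" || echo "at least one variant is not mitigated"
rm -rf "$demo"
```

Calling `check_variants` with no argument reads the live directory on the host it runs on.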

The problem then again with this flaw/bug is that mainstream media (at least in my country) have journalists that can't differentiate a shoe from a cpu and are writing articles about this which scares the "common folk" they throw with "operating systems are 30% slower" and "Q: Am I infected? A: Yes" and "Already 10 years risks with intel processors". I think it would be better that someone with enough knowledge of this explains it in an easy manner (not a whitepaper) what it exactly is (Linus on techquickie for instance).

 

From what I read you need either direct access (be next to the computer) or have to get through the firewall anyway to make use of this flaw or am I wrong here? If so there are other ways to get data off a hard drive if you have access to it and if you get through a firewall you probably have the skills to get the data you want anyway.

Desktop

CPU: i5-6600K Motherboard: Gigabyte GA-Z170-HD3P CPU Cooler: Thermalright True Spirit 120M Black/white RAM: Corsair Vengeance LPX 16 GB DDR4 2400Mhz GPU: Gigabyte 1070 HDDs: 2 x Seagate Barracuda 2TB 7200 RPM SSD: Samsung EVO 850 500GB PSU: Coolermaster 550W 80+ Gold Case: NZXT S340 (White) with a white led strip ;)

Laptops

Dell 7577

CPU: i7 7700HQ RAM: 16 GB DDR4 2400Mhz GPU: GTX1060 Max-q HDD: 1TB 5400 RPM SSD: NVMe 512GB SCREEN: 4k IPS 15.6"

Macbook pro 2018

CPU: i7 RAM: 16 GB DDR4 2400Mhz GPU: Radeon Pro 555X 4GB Storage: 256GB SCREEN: 15"

Link to comment

In addition, here's one more news article from ZDnet: http://www.zdnet.com/article/google-reveals-trio-of-speculative-execution-flaws-says-amd-affected/

And here too: http://www.zdnet.com/article/security-flaws-affect-every-intel-chip-since-1995-arm-processors-vulnerable/

 

^^^They do an 'ok' job explaining the vulnerabilities,

Quote

Intel's statement said that "any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time."

 

Gruss told ZDNet that general browsing and low processor-intensive work are less likely to be affected by any slow downs.

 

"We have observed many workloads that are not affected much," he said. "Generally, a large number of context switches is bad for performance when KAISER is applied," referring to KAISER, a kernel isolation technique, which Gruss wrote a paper about last year.

 

"For instance doing a lot of accesses to small files, you might have slow downs of 50 percent or more," he confirmed.

 

Although patches are available, new processors are expected to be re-engineered to avoid a similar problem in the future. But existing affected devices could long see the after-effects of these vulnerabilities.

Gruss said that, given how tricky the Spectre attacks are to mitigate, they are "going to haunt us for years."

Quote

AMD said in a statement: "The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time."

 

British chipmaker ARM told news site Axios prior to this report that some of its processors, including its Cortex-A chips, are affected.

 

The two bugs break down a fundamental isolation that separates kernel memory -- core of the operating system -- from user processes. Meltdown lets an attacker access whatever is in the affected device's memory, including sensitive files and data, by melting down the security boundaries typically held together by the hardware. Spectre, meanwhile, can trick apps into leaking their secrets.

 

One example of a worst-case scenario is a low-privileged user on a vulnerable computer could run JavaScript code on an ordinary-looking web page, which could then gain access to the contents of protected memory.

 

The vulnerabilities are known as "Meltdown" and "Spectre"

Academic papers here:

https://spectreattack.com/spectre.pdf

https://meltdownattack.com/meltdown.pdf

 

▶ Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning. - Einstein◀

Please remember to mark a thread as solved if your issue has been fixed, it helps others who may stumble across the thread at a later point in time.

Link to comment

On 03/01/2018 at 8:55 AM, Jon4248 said:

hmm interesting, soo XNU is not affected, correct? 

 

Edit: yup, MacOS's Kernel is affected as well.....

Edit: ..but it's already been patched; 

 

Looks like Apple has come top once again.

Link to comment

8 minutes ago, EG! said:

The problem then again with this flaw/bug is that mainstream media (at least in my country) have journalists that can't differentiate a shoe from a cpu and are writing articles about this which scares the "common folk" they throw with "operating systems are 30% slower" and "Q: Am I infected? A: Yes" and "Already 10 years risks with intel processors". I think it would be better that someone with enough knowledge of this explains it in an easy manner (not a whitepaper) what it exactly is (Linus on techquickie for instance).

 

From what I read you need either direct access (be next to the computer) or have to get through the firewall anyway to make use of this flaw or am I wrong here? If so there are other ways to get data off a hard drive if you have access to it and if you get through a firewall you probably have the skills to get the data you want anyway.

Not necessarily, if you can get in through another program's security hole (a browser for instance), which isn't uncommon, then this little flaw becomes a real threat...

Link to comment

Apparently, Apple already addressed this problem in a security patch from Dec 6th.

 

Link: https://www.macrumors.com/2018/01/03/intel-design-flaw-fixed-macos-10-13-2/

 

They called the fix "double map" : 

From my own experience so far, recently I tried to run some React projects in Visual Studio Code on my 2017 mbp, the result is program crash and processor temperature going over 90C. So far I was thinking it might be the VSC issue but now I'm a little bit more afraid. Hope that 10.13.3 resolves some of this scre*up
Link to comment

5 hours ago, OreoCupcakes said:

The patch is already out for Windows 7 and 8.1. It'll show up in Windows Update next Tuesday, but if you want to patch it now you have to manually do it. The download links for the patches are here, in Microsoft's Update Catalog.

 

Thanks for the heads-up.

Link to comment

2 hours ago, 2unlimited said:

Apparently, Apple already addressed this problem in a security patch from Dec 6th.

 

Link: https://www.macrumors.com/2018/01/03/intel-design-flaw-fixed-macos-10-13-2/

 

They called the fix "double map" : 

From my own experience so far, recently I tried to run some React projects in Visual Studio Code on my 2017 mbp, the result is program crash and processor temperature going over 90C. So far I was thinking it might be the VSC issue but now I'm a little bit more afraid. Hope that 10.13.3 resolves some of this scre*up

Did you contact Apple Care? It’s a free call and they can run some diagnostics and check it all out with you.

 

Might be a software issue or something else

5950X | NH D15S | 64GB 3200Mhz | RTX 3090 | ASUS PG348Q+MG278Q

 

Link to comment

Benchmarks comparing performance with the patch/without the patch:

TL;DW:

  • NVMe SSD read/write performance is affected (up to 20% in some cases)
  • CPU performance in everyday tasks is not affected
  • Gaming performance is not affected

So most users aren't going to be affected by this patch. Thank goodness! :D

CPU: Intel Core i7-5820K | Motherboard: AsRock X99 Extreme4 | Graphics Card: Gigabyte GTX 1080 G1 Gaming | RAM: 16GB G.Skill Ripjaws4 2133MHz | Storage: 1 x Samsung 860 EVO 1TB | 1 x WD Green 2TB | 1 x WD Blue 500GB | PSU: Corsair RM750x | Case: Phanteks Enthoo Pro (White) | Cooling: Arctic Freezer i32

 

Mice: Logitech G Pro X Superlight (main), Logitech G Pro Wireless, Razer Viper Ultimate, Zowie S1 Divina Blue, Zowie FK1-B Divina Blue, Logitech G Pro (3366 sensor), Glorious Model O, Razer Viper Mini, Logitech G305, Logitech G502, Logitech G402

Link to comment

This topic is now closed to further replies.