More devastating CPU vulnerabilities akin to Spectre found in CPUs - Intel first, others might follow.

[Questargon]

The german technews-site heise.de claims, that more CPU vulnerabilities like the Spectre and Meltdown bugs have been found in Intel CPUs.

(Links to german and english articles at the bottom of this post).

 

Quote

A total of eight new security flaws in Intel CPUs have already been reported to the manufacturer by several teams of researchers. For now, details on the flaws are being kept secret. All eight are essentially caused by the same design problem – you could say that they are Spectre Next Generation.

One of these flaws is endangering virtual machines dramatically, because it seems, that one can exploit this bug quite easily - much more simply than the previously found bugs that kept the computing industry on its toes.

 

Quote

One of the Spectre-NG flaws simplifies attacks across system boundaries to such an extent that we estimate the threat potential to be significantly higher than with Spectre. Specifically, an attacker could launch exploit code in a virtual machine (VM) and attack the host system from there – the server of a cloud hoster, for example. Alternatively, it could attack the VMs of other customers running on the same server. Passwords and secret keys for secure data transmission are highly sought-after targets on cloud systems and are acutely endangered by this gap. Intel's Software Guard Extensions (SGX), which are designed to protect sensitive data on cloud servers, are also not Spectre-safe.

Although attacks on other VMs or the host system were already possible in principle with Spectre, the real-world implementation required so much prior knowledge that it was extremely difficult. However, the aforementioned Spectre-NG vulnerability can be exploited quite easily for attacks across system boundaries, elevating the threat potential to a new level. Cloud service providers such as Amazon or Cloudflare and, of course, their customers are particularly affected.

These flaws have been found on Intel Processors first, but users of AMD Processors shouldn't lean back, since similar bugs might linger there as well. These problems seem to be linked to the general design of modern processors, so to get rid of them, these processors might have to be redesigned with higher security aspects in mind.

 

Quote

Of course, Intel needs to fix the current weaknesses as quickly as possible – and that's what is happening. At the same time, however, the CPU design needs to be fundamentally rethought. Werner Haas of the German company Cyberus Technology and one of the co-discoverers of Spectre/Meltdown, considers it quite possible to equip high-performance processors with a solid security design. However, this would require security aspects to be taken into account in the architecture right from the start. Paul Kocher, who was also involved in unveiling Spectre, suggested implementing additional, specially secured CPU cores. And with methods such as threat modeling, risky techniques can be implemented in such a way that security remains controllable.

Well, I just hope, that we won't tumble down an endless path of updates that will result in computers that are patched up like ripped jeans and thereby loose much of their processing power with all the patchups implemented.

 

But at the moment ... the outlook is rather bleak.

 

 

Full English Article: https://heise.de/-4040648

Full German Article: https://heise.de/-4039134

[Ashley MLP Fangirl]

I didn't notice a lot of slowdown from the original flaws, hopefully this can be fixed the same way.. 

 

for now the 3th gen I5 in my laptop is still doing fine so... i'm hoping that it won't slow down too much.. 

[rcmaehl]

These again definitely won't be fixed easily, these are hardware architecture level flaws. Huge companies like Microsoft are offering huge bounties on ways to mitigate... Let's just hope we don't have another "Total Meltdown" exploit trying to mitigate again

 

https://www.theregister.co.uk/2018/04/26/total_meltdown_win7_server_2008_exploit/

[NMS]

 

I honestly feel bad for Intel now.

[porina]

How much impact has Spectre and/or Meltdown had to people here so far? Little? None? In my case, I've spent some time looking at bios updates and applying them, but pretty much everything else is routine. As a side effect, I'm more familiar with PowerShell given the MS tool for checking it goes via that.

 

These new ones... we'll have to wait and see more details about them. What could they affect? What is the possible impact of patching them?

[Mira Yurizaki]

23 minutes ago, NMS said:

I honestly feel bad for Intel now.

I only feel bad for Intel because they're the tallest peg that keeps getting hammered down.

 

Remember, just because nobody's tested it on the other side of the fence doesn't mean it's not vulnerable.

[Ryujin2003]

Cue AMD smear campaign....

 

 

So, why did these just get found now but never in the past? I guess I'm lost on why these existed for such a long time without being public knowledge much earlier.

[pas008]

6 minutes ago, Ryujin2003 said:

Cue AMD smear campaign....

 

 

So, why did these just get found now but never in the past? I guess I'm lost on why these existed for such a long time without being public knowledge much earlier.

bounty programs to find security flaws.

[Taf the Ghost]

16 minutes ago, Ryujin2003 said:

Cue AMD smear campaign....

 

 

So, why did these just get found now but never in the past? I guess I'm lost on why these existed for such a long time without being public knowledge much earlier.

Looking for security flaws in CPU hardware is actually somewhat new, and it's more that a lot more resources has gone into it over the last few years.

[App4that]

Finding security flaws, no matter their actual risk to the anyone, is how you get yourself known.

 

Just fear mongering for someone's CV...

[rcmaehl]

Just now, App4that said:

Finding security flaws, no matter their actual risk to the anyone, is how you get yourself known.

 

Just fear mongering for someone's CV...

There's proper disclosure procedures and I'm sure they've been followed... unlike the whole AMDFlaws smear campaign.

[App4that]

1 minute ago, rcmaehl said:

There's proper disclosure procedures and I'm sure they've been followed... unlike the whole AMDFlaws smear campaign.

Ah, so if it's Intel having issues we should look into it, if AMD has issues it's a smear campaign...

 

37 minutes ago, M.Yurizaki said:

I only feel bad for Intel because they're the tallest peg that keeps getting hammered down.

 

Remember, just because nobody's tested it on the other side of the fence doesn't mean it's not vulnerable.

BTW my X370 board won't hold my memory at 3200Hmz after the updated bios for the security flaws, AMD didn't have...

[ScratchCat]

Back to the Pentium I without internet connectivity in a Faraday cage attached to car batteries it is....

Interestingly low end devices such as the raspberry pi and budget Android phones with A53s / A7s are not vulnerable at all as they don't use speculative execution.

 

Thankfully this company is using industry standard procedures which should reduce the fallout to those who don't upgrade.

 

1 hour ago, rcmaehl said:

These again definitely won't be fixed easily, these are hardware architecture level flaws. Huge companies like Microsoft are offering huge bounties on ways to mitigate... Let's just hope we don't have another "Total Meltdown" exploit trying to mitigate again

 

https://www.theregister.co.uk/2018/04/26/total_meltdown_win7_server_2008_exploit/

Intel and the others were able to fix Meltdown and Spectre even though they were hardware flaws reasonably well in a reasonable amount of time, given that these are derivatives they shouldn't be too much harder to fix.

[rcmaehl]

3 minutes ago, App4that said:

Ah, so if it's Intel having issues we should look into it, if AMD has issues it's a smear campaign...

 

BTW my X370 board won't hold my memory at 3200Hmz after the updated bios for the security flaws, AMD didn't have...

AMDFlaws was 100% a smear campaign. No proper disclosure. Issues were released to the press days before they even informed AMD of anything and the bugs were blown WAY out of proportion requiring Admin rights and physical access to flash BIOS.

[Mira Yurizaki]

Just now, rcmaehl said:

... the bugs were blown WAY out of proportion. 

Which is what Meltdown and Spectre are starting to become. Most people aren't appreciably affected by it but people can't be bothered to read past the headline of "HORRIBLE SECURITY BUG CRIPPLES INTEL CPU PERFORMANCE UP TO 40%"

[App4that]

1 minute ago, rcmaehl said:

AMDFlaws was 100% a smear campaign. No proper disclosure. Issues were released to the press days before they even informed AMD of anything and the bugs were blown WAY out of proportion requiring Admin rights and physical access to flash BIOS.

Yet, the updated bios meant to adress those flaws, and other risks, from ASUS caused my system to crash even going into Windows unless I dropped the frequency of my RAM.

 

So. BS

[yian88]

more fake vulnerabilities that dont affect anyone

[pas008]

14 minutes ago, rcmaehl said:

AMDFlaws was 100% a smear campaign. No proper disclosure. Issues were released to the press days before they even informed AMD of anything and the bugs were blown WAY out of proportion requiring Admin rights and physical access to flash BIOS.

getting admin rights isnt that hard either.  dont need physical access to flash bios either

not going to get into that again there was a thread about that awhile ago

[rcmaehl]

22 minutes ago, App4that said:

Yet, the updated bios meant to adress those flaws, and other risks, from ASUS caused my system to crash even going into Windows unless I dropped the frequency of my RAM.

 

So. BS

- Snip, Mods delete please - 

[rcmaehl]

I'm not saying the vulnerabilities don't exist but it was 100% a smear campaign. It'd be like someone saying

 

100% CONFIRMED HUGE BUG IN ALL MICROSOFT OPERATING SYSTEMS. MICROSOFT SHOULD BE WORTH $0.00!

 

Only for the "bug" to be the fact some people don't set password on their admin accounts or use a weak password.

[Mira Yurizaki]

2 minutes ago, rcmaehl said:

It was nothing but an attempt to shortsell AMD for their own profit with the most minor of vulnerabilities.

The intent was malicious sure, but the flaws aren't minor.

 

There was a security flaw with Intel's systems that would let you install a rootkit in the system management module, effectively opening up backdoors that even Hypervisors can't detect. Except you had to install the rootkit as an admin.

 

Oh, I guess it's so minor that Intel shouldn't have bothered fixing it a while ago.

[App4that]

9 minutes ago, rcmaehl said:

It was nothing but an attempt to shortsell AMD for their own profit.

You're not following, might be my fault so I'll try again.

 

When Meltdown and Spectre hit, it was Intel that took the brunt of the heat. AMD claimed to not be affected, and later had to admit they were. As someone with both a X370 and Z370 system (home business) I saw the impact on performance with how ASUS handled both as both are ASUS boards. The bios update for my Z370 did nothing outside I did see an aditional 2fps in Far Cry 5, which I giggled at. My X370 Crosshair suffered massive stability issues. 

 

Intel isn't fairly addressed when it comes to these issues, and AMD is completely ignored for their responsibility to their customers. Some of whom rely on AMD's product for their lively hood.

[rcmaehl]

6 minutes ago, App4that said:

You're not following, might be my fault so I'll try again.

 

When Meltdown and Spectre hit, it was Intel that took the brunt of the heat. AMD claimed to not be affected, and later had to admit they were. As someone with both a X370 and Z370 system (home business) I saw the impact on performance with how ASUS handled both as both are ASUS boards. The bios update for my Z370 did nothing outside I did see an aditional 2fps in Far Cry 5, which I giggled at. My X270 Crosshair suffered massive stability issues. 

 

Intel isn't fairly addressed when it comes to these issues, and AMD is completely idnored for their responsibility to their customers. SOme of whom rely on AMD's product for their lively hood.

Okay yeah, I do see what you're saying here. AMD did say that they weren't affected by some of the exploits and actually were and were quickly found out. I was thinking you were having an issue and saying CTS-Labs actions weren't the most phishy thing ever by a so called "security firm"

[App4that]

Just now, rcmaehl said:

Okay yeah, I do see the point here. AMD did say that they weren't affected by some of the exploits and actually were and was quickly found out. I was thinking you were having an issue with saying CTS-Labs actions weren't the most phishy thing ever by a so called "security firm"

CTS-Labs took advantage of a market ripe for scare tactics. You could argue they didn't understand the bias against Intel and the bias supporting AMD, but that's group to group. These security flaws are much like saying you have had a window next to your locked door for years someone can break to get in, well no shit LOL. We still lock our doors.

 

The point is anyone who wants in your system will get in, we shouldn't ignore issues that facilitate that happening, but using those issues to push a bias against Intel isn't right.

[Morgan MLGman]

14 minutes ago, App4that said:

You're not following, might be my fault so I'll try again.

 

When Meltdown and Spectre hit, it was Intel that took the brunt of the heat. AMD claimed to not be affected, and later had to admit they were. As someone with both a X370 and Z370 system (home business) I saw the impact on performance with how ASUS handled both as both are ASUS boards. The bios update for my Z370 did nothing outside I did see an aditional 2fps in Far Cry 5, which I giggled at. My X270 Crosshair suffered massive stability issues. 

 

Intel isn't fairly addressed when it comes to these issues, and AMD is completely idnored for their responsibility to their customers. SOme of whom rely on AMD's product for their lively hood.

AFAIK AMD was vulnerable to Spectre but not to Meltdown, and they succeeded in fixing those vulnerabilities from what I've heard. At least on Ryzen chips.

 

What's more, you're forgetting that those flaws do not really affect home users, but you cannot ignore corporate ones - there are institutions, governments, companies, hospitals etc. that do use Intel CPUs (primarily) and those are a potential target for security exploits to steal data, collect ransom etc etc... I wouldn't bother with even talking about those exploits and home users because let's be honest, they aren't a concern for us

 

As for performance - I did see some performance loss with my 6700K system, on both CPU & storage side, despite using a Samsung 850 EVO as a boot drive so those are definitely something to keep in mind. It wasn't significant or game-changing but it was there and I feel like there should be some compensation for that performance loss, since my CPU is still under warranty and it was Intel's design flaw that was the culprit here.