• Guest, The rules for the P & N subforum have been updated to prohibit "ad hominem" or personal attacks against other posters. See the full details in the post "Politics and News Rules & Guidelines."

Massive security hole in CPU's incoming?Official Meltdown/Spectre Discussion Thread

Page 50 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

richaron

Golden Member
Mar 27, 2012
1,349
328
136
It'll all come out in the wash...and there's absolutely nothing at all that I can do in any case.
Except wait to buy my next CPU.
Haswell systems (one desktop & one Xeon) report meltdown is patched and performance is "good".
Ivy Bridge reports meltdown is patched and performance is "slower", but it's not noticeable.
FX-6300 system reports meltdown is patched and performance is "good".
All report Spectre vulnerability, but I expect no help on that at all, and I don't consider it a threat for my desktop systems anyway.
And yet we have an independent expert saying intel's response is a joke.

Again; I'm going to believe the expert rather than forum posters who keep trying to imply everything is OK. And I think other people should also.
 
  • Like
Reactions: DarthKyrie

zinfamous

No Lifer
Jul 12, 2006
102,016
16,251
136
Intel is clearly still working on this, so Linus isn't helping any by screeching to the press instead of working with Intel.
The way I see it, Intel isn't helping anyone because their presswork has been nothing short of duplicitous. It is much better for everyone that trusted experts become more public about what is actually happening.

I expected things to smooth out with this by now, but it seems like the situation has only gotten worse, especially for Intel. But remain comforted by the fact that the press still seems largely in thrall to the information that Intel prefers. I haven't seen much secondary or even tertiary "news" out there that doesn't paint a generally darker picture for Intel's competitors, which is truly strange.
 

LTC8K6

Lifer
Mar 10, 2004
28,523
1,569
126
Don't worry, we have a guy here that is perfectly satisfied with their patches. ;)
January 11th, Intel acknowledges reboot issues from the patches, and customers were talking about them a few days before that.
https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/


January 22nd, Intel identifies root cause of reboot issues and rolls out new beta patches:
https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/
 

FIVR

Diamond Member
Jun 1, 2016
3,753
906
106
The way I see it, Intel isn't helping anyone because their presswork has been nothing short of duplicitous. It is much better for everyone that trusted experts become more public about what is actually happening.

I expected things to smooth out with this by now, but it seems like the situation has only gotten worse, especially for Intel. But remain comforted by the fact that the press still seems largely in thrall to the information that Intel prefers. I haven't seen much secondary or even tertiary "news" out there that doesn't paint a generally darker picture for Intel's competitors, which is truly strange.

Brian Kraznich had a tough decision to make - He couldn't simply give all his attention to properly patching Meltdown. There were other priorities...






Trolling isn't allowed, nor are these cartoon meme's. This is not OT or P&N.
Other members, please take note.


esquared
Anandtech Forum Director
 
Last edited by a moderator:

MrTeal

Platinum Member
Dec 7, 2003
2,822
379
126
Intel is clearly still working on this, so Linus isn't helping any by screeching to the press instead of working with Intel.
Unless there's something I missed, I'm not seeing how Linus was screeching to the press about this. He was replying to a message by a Linux Kernel Engineer at AWS who previously spent nearly a decade at Intel and who (according the the thread) has his name on some of the patches. The press might have picked up on it, but this was a conversation between industry experts.
 
  • Like
Reactions: Kuosimodo

traderjay

Member
Sep 24, 2015
189
134
116
It'll all come out in the wash...and there's absolutely nothing at all that I can do in any case.
Except wait to buy my next CPU.
Haswell systems (one desktop & one Xeon) report meltdown is patched and performance is "good".
Ivy Bridge reports meltdown is patched and performance is "slower", but it's not noticeable.
FX-6300 system reports meltdown is patched and performance is "good".
All report Spectre vulnerability, but I expect no help on that at all, and I don't consider it a threat for my desktop systems anyway.
The problem is the infrastructure guys that run mission critical or demanding workloads that are heavily impacted by the patches. It is also these guys that generate the most revenue for Intel, not us, the enthusiasts unfortunately.
 

LTC8K6

Lifer
Mar 10, 2004
28,523
1,569
126
The problem is the infrastructure guys that run mission critical or demanding workloads that are heavily impacted by the patches. It is also these guys that generate the most revenue for Intel, not us, the enthusiasts unfortunately.
What are they going to do? They aren't going to throw out the systems they just bought. There's nothing to switch to that isn't vulnerable to Spectre anyway.
Perhaps they won't buy Intel if they are looking to buy at the moment?
Perhaps they can sue Intel over loss of performance, but that'd be in litigation forever with no guarantee of winning.
Does Intel guarantee performance anyway?

When would we see data that would show that Intel is losing market share over the problem, as opposed to just losing market share to Zen anyway?
 
  • Like
Reactions: tential

traderjay

Member
Sep 24, 2015
189
134
116
What are they going to do? They aren't going to throw out the systems they just bought. There's nothing to switch to that isn't vulnerable to Spectre anyway.
Perhaps they won't buy Intel if they are looking to buy at the moment?
Perhaps they can sue Intel over loss of performance, but that'd be in litigation forever with no guarantee of winning.
Does Intel guarantee performance anyway?

When would we see data that would show that Intel is losing market share over the problem, as opposed to just losing market share to Zen anyway?
In the short term, these guys can't do anything and it is really a prisoner's dilemma here. As for the performance drop, Intel will have some tough time to defend itself in court when the pre and post patch shows huge variance that is outside of the norm. Last but not least, there will be a discovery process to see if these bugs are in fact known, and deliberately suppressed or a real oversight - unless of course the folks at INTC are busy expunging emails and paper trails.
 

beginner99

Diamond Member
Jun 2, 2009
4,590
940
136
Intel users are in for more patching fun!

Intel Says Patches for Meltdown and Spectre are Flawed
https://www.eetimes.com/document.asp?doc_id=1332880
At this point I'm glad my PC is so old and I will not see and BIOS fixes. And even if I did I would probably not install them. I still fails to see why this is such a huge deal for consumers. It isn't. This is an issue for virtualized servers in the cloud. Only client issue (JavaScript) was fixed in browsers.

Exploiting any of the fixes requires code to run on your machine and if a hacker can run code on your machine, then you are REDACTED either way. In the cloud however it's a huge issue because it is 100% legitimate that I rent a VM in which I can install any software I like. And said software can then spy on other VMs on the same host. There is nothing that can be done except patching OS and BIOS. But again for consumers? Hardly matters. I mean why isn't a single expert saying this?

Profanity is not allowed in the tech sub-forums.
You have been warned before.

Iron Woode
Super Moderator
 
Last edited by a moderator:

StinkyPinky

Diamond Member
Jul 6, 2002
6,477
388
126
Intel are doing a god awful job in communication here. At this point I've stopped caring about this, and perhaps that is not a good thing but there's so many poorly worded press releases from them at this point that I will ignore this and look into it again in a few months.

In the meantime it seems i get to enjoy their buggy solution on top of my already buggy gigabyte bios.
 

Carfax83

Diamond Member
Nov 1, 2010
5,885
577
126
At this point I'm glad my PC is so old and I will not see and BIOS fixes. And even if I did I would probably not install them. I still fails to see why this is such a huge deal for consumers. It isn't. This is an issue for virtualized servers in the cloud. Only client issue (JavaScript) was fixed in browsers.

Exploiting any of the fixes requires code to run on your machine and if a hacker can run code on your machine, then you are REDACTED either way. In the cloud however it's a huge issue because it is 100% legitimate that I rent a VM in which I can install any software I like. And said software can then spy on other VMs on the same host. There is nothing that can be done except patching OS and BIOS. But again for consumers? Hardly matters. I mean why isn't a single expert saying this?
This is my take as well. At least we can disable the OS fix if we want by using InSpectre. And I sure as hell will never install a UEFI update if it becomes available for my motherboard.
 

thecoolnessrune

Diamond Member
Jun 8, 2005
9,439
375
126
At this point I'm glad my PC is so old and I will not see and BIOS fixes. And even if I did I would probably not install them. I still fails to see why this is such a huge deal for consumers. It isn't. This is an issue for virtualized servers in the cloud. Only client issue (JavaScript) was fixed in browsers.

Exploiting any of the fixes requires code to run on your machine and if a hacker can run code on your machine, then you are REDACTED either way. In the cloud however it's a huge issue because it is 100% legitimate that I rent a VM in which I can install any software I like. And said software can then spy on other VMs on the same host. There is nothing that can be done except patching OS and BIOS. But again for consumers? Hardly matters. I mean why isn't a single expert saying this?
This is my take as well. At least we can disable the OS fix if we want by using InSpectre. And I sure as hell will never install a UEFI update if it becomes available for my motherboard.
I completely disagree. You're talking two different things. Mitigation, vs. Prevention. It's like saying if you're in a fast enough car crash you're dead either way, so why bother with seatbelts. We allow packages from different groups to run on our systems all the time. Modern computing wouldn't exist without the concept. While we can't prevent all intrusions, we can absolutely discern a difference between something that allows access to your system, vs. something that allows it to read parts of your memory that are supposed to be highly secured, breaking established boundaries inside a system and not leaving a discernable trace.

This isn't some Sci-Fi movie with someone literally logged into your system haxxing your files, this is things like that website you went to by accident, or maybe not (maybe it itself was hacked) running javascript that collects a payload or sends it back. In the case of things like Spectre, it very well could be a payload you got from nearly anywhere. What if there was a spectre leveraging vulnerability in Rocket League? What if there was a payload that simply got Rocket League to do the collection on its behalf and send it off? That's the whole point of Spectre. It uses weaknesses in applications to do its dirty work. The whole concept of what's a safe package and what isn't is a non-starter because tiny unsafe packages that you aren't even aware of can get packages you trust to do its dirty work because the applications themselves are vulnerable.

That's why no real expert is saying this. A hacker running code on your machine is not an automatic ruination. We have literally decades of security technology development that is developed towards this, or do you guys really believe that all modern AV's and Firewalls do is just make sure nothing gets in?
 

urfe

Junior Member
Dec 19, 2012
3
2
86
This is my take as well. At least we can disable the OS fix if we want by using InSpectre. And I sure as hell will never install a UEFI update if it becomes available for my motherboard.
I'm not sure there is any strong argument to be made against applying security patches. Even if we'd assume that your data is (generally) useless to state sponsors.

There are for example entire communities for people renting or buying malicious services, e.g. botnets or ransomeware. And such communities and services will more than surely employ Spectre and Meltdown exploiting code in the upcoming future, which will make you a potential target.
I'm sure that having your data encrypted and held ransom or that being part of (an aggressive) botnet responsible for DDOS'ing game servers and various websites, pushing spam or forwarding questionable/illegal material is not something that you'd want to expose your self to.
 
Last edited:

traderjay

Member
Sep 24, 2015
189
134
116
Here is another kicker in the field of machine vision where every millisecond counts to meet manufacturing cycle time requirements. If the patches or "fixes" increases the processing time, the whole operation is thrown into disarray.
 

Carfax83

Diamond Member
Nov 1, 2010
5,885
577
126
I completely disagree. You're talking two different things. Mitigation, vs. Prevention. It's like saying if you're in a fast enough car crash you're dead either way, so why bother with seatbelts. We allow packages from different groups to run on our systems all the time. Modern computing wouldn't exist without the concept. While we can't prevent all intrusions, we can absolutely discern a difference between something that allows access to your system, vs. something that allows it to read parts of your memory that are supposed to be highly secured, breaking established boundaries inside a system and not leaving a discernable trace.
I'm not sure there is any strong argument to be made against applying security patches. Even if we'd assume that your data is (generally) useless to state sponsors.

There are for example entire communities for people renting or buying malicious services, e.g. botnets or ransomeware. And such communities and services will more than surely employ Spectre and Meltdown exploiting code in the upcoming future, which will make you a potential target.
I'm sure that having your data encrypted and held ransom or that being part of (an aggressive) botnet responsible for DDOS'ing game servers and various websites, pushing spam or forwarding questionable/illegal material is not something that you'd want to expose your self to.
@ the coolenessrune and urfe, sometimes the cure is worse than the disease. The patches and UEFI updates that Microsoft and Intel released have wrought quite a bit of havoc for many people and businesses in terms of stability and performance.

Also, Meltdown and Spectre require local access to be exploited. If it's already gotten to that point, I am screwed anyway because the hacker or malware can do anything they want to my machine. They wouldn't need something as subtle as Spectre or Meltdown which only allows read access to memory or cache, they could take anything they want without it.

And that's my point. For end consumers, Meltdown and Spectre aren't much of a concern provided the software mitigations are in place, especially for the browsers, because that's where a threat is likely to originate from. And most of us here are computer savvy enough to know not to click on or download something that might potentially be dangerous.
 
  • Like
Reactions: TempAcc99

Carfax83

Diamond Member
Nov 1, 2010
5,885
577
126
What makes you say that? Are you saying data center operators do not have to worry about this issue because they restrict access to their server farm?
I'm not talking about data centers, servers or anything. I am talking about end consumers like us. The chances of being targeted by an attack using Spectre or Meltdown is extremely remote, so remote that it's not worth the hassle for me to use the mitigation patches from Microsoft and Intel which affect the stability and performance of my machine.
 
  • Like
Reactions: TempAcc99

urfe

Junior Member
Dec 19, 2012
3
2
86
I'm not talking about data centers, servers or anything. I am talking about end consumers like us. The chances of being targeted by an attack using Spectre or Meltdown is extremely remote, so remote that it's not worth the hassle for me to use the mitigation patches from Microsoft and Intel which affect the stability and performance of my machine.
I understand your point of view, in the sense that it requires remote code execution and there are quite a few issues with the patches for now, which should be fixed however.
Still, foreign code is constantly being executed transparently, i.e. as JS or Flash. Chrome, Firefox and Microsoft already worked on JS patches for browsers, I'm aware. And if this alone is sufficient, we'll see. I still feel a bit uneasy that for many, the issue is somewhat addressed or mitigated by browsers only. I'll add that if you check the browser patches, some of them are really urgent, short-term fixes: Firefox for example mainly reduces the time precision available through some functions or constructs.

The main issues with Spectre and Meltdown is that the they are not software vulnerabilities, tested/reviewed/certified running software will not address them. I guess we'll see how much of a problem this will become (or not). Especially now that the focus has shifted on hardware, and other similar vulnerabilities will be most likely discovered by the public security research community.

Btw, I have three desktops, two of them being 4th generation i5 and i7. Third one is a 1600. I don't have any microcode updates AFAIK, so I'm also affected.
 

CluelessOne

Member
Jun 19, 2015
64
40
91
So, Intel said in the financial report that there will be in silicon patches for CPU sold later this year.
My question is just how fast can you make a new silicon masks (or just the relevant parts of it), to test, qualify, and produce the chips? Less than a year?
 

ASK THE COMMUNITY