• Guest, The rules for the P & N subforum have been updated to prohibit "ad hominem" or personal attacks against other posters. See the full details in the post "Politics and News Rules & Guidelines."

Massive security hole in CPU's incoming?Official Meltdown/Spectre Discussion Thread

Page 51 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

LTC8K6

Lifer
Mar 10, 2004
28,523
1,573
126
So, Intel said in the financial report that there will be in silicon patches for CPU sold later this year.
My question is just how fast can you make a new silicon masks (or just the relevant parts of it), to test, qualify, and produce the chips? Less than a year?
I get laughed at when I mention what Intel said about having fixed CPUs out this year...
 

PingSpike

Lifer
Feb 25, 2004
21,443
357
126
I get laughed at when I mention what Intel said about having fixed CPUs out this year...
Well, so far they haven't been able to release working microcode updates this year so I think people are justified in being skeptical that they can turn hardware around that fast. Not to mention Intel says a lot of things lately, some of them even sort of true.

We'll see I guess, I honestly have no idea how long it would take to tweak the issues out of a design if you kept the scope limited. It may not be as ugly as some people say.
 
  • Like
Reactions: IEC and Kuosimodo

LTC8K6

Lifer
Mar 10, 2004
28,523
1,573
126
Well, so far they haven't been able to release working microcode updates this year so I think people are justified in being skeptical that they can turn hardware around that fast. Not to mention Intel says a lot of things lately, some of them even sort of true.

We'll see I guess, I honestly have no idea how long it would take to tweak the issues out of a design if you kept the scope limited. It may not be as ugly as some people say.
No one here is capable of waiting and seeing. We must all make definite pronouncements immediately, particularly if they involve doom and gloom. :D
 

thecoolnessrune

Diamond Member
Jun 8, 2005
9,520
426
126
@ the coolenessrune and urfe, sometimes the cure is worse than the disease. The patches and UEFI updates that Microsoft and Intel released have wrought quite a bit of havoc for many people and businesses in terms of stability and performance.

Also, Meltdown and Spectre require local access to be exploited. If it's already gotten to that point, I am screwed anyway because the hacker or malware can do anything they want to my machine. They wouldn't need something as subtle as Spectre or Meltdown which only allows read access to memory or cache, they could take anything they want without it.

And that's my point. For end consumers, Meltdown and Spectre aren't much of a concern provided the software mitigations are in place, especially for the browsers, because that's where a threat is likely to originate from. And most of us here are computer savvy enough to know not to click on or download something that might potentially be dangerous.
I'm very much aware of the havoc that's been brought in the industry from these patches. That's on Intel. That's an entirely separate discussion from how bad the current situation is, and the belief that somehow consumers don't have to worry about this.

Meltdown and Spectre require local access, but that means nothing in regards to the vector used to get that local access. It's also, again an entirely different discussion from what a hacker can "do to your machine."

The only thing that separates a normal program that we use everyday from a virus, worm, exploit, etc. etc. is the intention of the program. A hacker can craft a package for a myriad of purposes. A hacker getting something on your machine has absolutely zero correlation with a hacker getting unfettered access to your machine. In fact, the vast majority of malicious packages out there do no such thing. They stay under the radar getting access to just a couple of things needed to suit whatever their end goal is. The Slammer Worm from the early 2000's for instance did not give a hacker the ability to "do anything they wanted". It merely exploited a vulnerability in Microsoft SQL to overload networks with traffic. Subsequent buffer overflows could be used in vulnerable systems (and systems made vulnerable by being a recipient of the junk traffic) could then have then have leaked confidential data that could be harvested.

This exploit is the exact same way, specifically in regards to Spectre. Just because browsers are now safer, does not mean there are not other vectors that can be used to exploit a Spectre vulnerability. A spectre exploit need not be a one-stop-shot package that infects, exploits, harvests, and sends data, and it need not be kicked off by someone holding onto your system. A worm could deliver a spectre exploit that simply leverages another known (or unknown) program long out of support to do its spectre mitigation. For all we know, some version of WinDirStat could be used as a vector if it has such a vulnerability. That's the nasty thing about Spectre, and why this needs to be at least partially handled at the CPU level. I just can't agree that this is some issue consumers don't need to worry about. They need to worry about it like they do any new vulnerability.
 

maddie

Diamond Member
Jul 18, 2010
3,387
2,335
136
No one here is capable of waiting and seeing. We must all make definite pronouncements immediately, particularly if they involve doom and gloom. :D
If you accept the assumption that this group is more knowledgeable about tech matters than the average person, you should not be surprised at the reactions your postings are receiving. Accepting that silicon fixes will be ready later this year appears very naive if genuinely believed. Intel will have to have known about the situation a long time before the official Google notification, and sat on it. One thing we all share is 24hrs/day. Having all the money in the world cannot change that.

With regards to waiting. The next time you see a Semi heading towards you, try waiting to see if it swerves at the last second.
 
  • Like
Reactions: Kuosimodo

LTC8K6

Lifer
Mar 10, 2004
28,523
1,573
126
If you accept the assumption that this group is more knowledgeable about tech matters than the average person, you should not be surprised at the reactions your postings are receiving. Accepting that silicon fixes will be ready later this year appears very naive if genuinely believed. Intel will have to have known about the situation a long time before the official Google notification, and sat on it. One thing we all share is 24hrs/day. Having all the money in the world cannot change that.

With regards to waiting. The next time you see a Semi heading towards you, try waiting to see if it swerves at the last second.
Is it a Tesla battery powered semi that I can't hear, that will automatically avoid me?

Posting what Intel says is not an indication that I believe it will occur.

Not sure why that is so hard to understand.

I'm certain I said we'd need to wait and see what Intel does, and judge as we find.

If anyone can throw enough money at this problem to get it fixed reasonably fast, it's Intel.

If they can't, oh well. We'll have to wait.

The very last thing we need is another CPU maker monopoly.
 

psolord

Golden Member
Sep 16, 2009
1,324
386
136
Wow, Asrock pulled the 1.40 BIOS for my z370 Extreme 4 motherboard. I had already installed it and I don't have any problems however.

It's the first time in history that I have a BIOS not available on the manufacturers website. I kinda feel my system is special. lol
 

DrMrLordX

Lifer
Apr 27, 2000
17,029
5,991
136
So, Intel said in the financial report that there will be in silicon patches for CPU sold later this year.
My question is just how fast can you make a new silicon masks (or just the relevant parts of it), to test, qualify, and produce the chips? Less than a year?
Pardon me if I remain skeptical. My guess is their "fix in silicon" will be: hey, we ship all our products with updated firmware now. They will come pre-patched, and for some users . . . pre-crippled.

Wow, Asrock pulled the 1.40 BIOS for my z370 Extreme 4 motherboard. I had already installed it and I don't have any problems however.

It's the first time in history that I have a BIOS not available on the manufacturers website. I kinda feel my system is special. lol
Trippy isn't it? Kinda like running a beta BIOS you got off some enthusiast website. It's all fun and games until you find out why it's beta . . .
 

Carfax83

Diamond Member
Nov 1, 2010
6,051
850
126
I'm very much aware of the havoc that's been brought in the industry from these patches. That's on Intel. That's an entirely separate discussion from how bad the current situation is, and the belief that somehow consumers don't have to worry about this.
No it isn't a separate discussion. I'm talking about risk potential for end consumers, and not corporations or businesses.

1) The current mitigations for these vulnerabilities affect performance and stability in a significant way. This might change in the future, but until then, they are unacceptable to me personally.

2) Being primarily a gamer, the chances of being affected by these vulnerabilities is extremely remote. According to Google, there are currently no malware out in the field that target these vulnerabilities, and they require local access to be utilized, which is a huge obstacle for malware writers to overcome.

As I said before, if it's gotten to the point that a hacker has local access to your personal machine, taking advantage of Spectre and Meltdown (which has memory read only restrictions) would be a complete waste of time for them as they have great latitude to do what they want. In effect, my primary consideration should be to prevent a hacker from getting local access to my machine, as the risk potential for that would be far more devastating.
 

LTC8K6

Lifer
Mar 10, 2004
28,523
1,573
126
Pardon me if I remain skeptical. My guess is their "fix in silicon" will be: hey, we ship all our products with updated firmware now. They will come pre-patched, and for some users . . . pre-crippled.



Trippy isn't it? Kinda like running a beta BIOS you got off some enthusiast website. It's all fun and games until you find out why it's beta . . .
I generally don't touch anything beta, not even with a 39.5 foot pole. :)
 

IEC

Elite Member
Super Moderator
Jun 10, 2004
14,005
3,784
136
The ASRock BIOS/UEFI updates were listed as official, non-beta. My Z370 Taichi had a 1.40 UEFI update that was also pulled.

I'll be reverting to 1.30 until an official stable stable release is made.
 

IEC

Elite Member
Super Moderator
Jun 10, 2004
14,005
3,784
136
No it isn't a separate discussion. I'm talking about risk potential for end consumers, and not corporations or businesses.

1) The current mitigations for these vulnerabilities affect performance and stability in a significant way. This might change in the future, but until then, they are unacceptable to me personally.

2) Being primarily a gamer, the chances of being affected by these vulnerabilities is extremely remote. According to Google, there are currently no malware out in the field that target these vulnerabilities, and they require local access to be utilized, which is a huge obstacle for malware writers to overcome.

As I said before, if it's gotten to the point that a hacker has local access to your personal machine, taking advantage of Spectre and Meltdown (which has memory read only restrictions) would be a complete waste of time for them as they have great latitude to do what they want. In effect, my primary consideration should be to prevent a hacker from getting local access to my machine, as the risk potential for that would be far more devastating.
You don't need local access to the machine to exploit these vulnerabilities. Full stop.
 
  • Like
Reactions: Kuosimodo

Fir

Senior member
Jan 15, 2010
465
179
116
The "updated microcode" in the Asus Prime Deluxe X299 has a HUGE performance hit on storage. Using Intel 900P 480G saw serious write performance drops. Flashed back to previous BIOS and saw performance back to prior levels. Not worth it.
 

IndyColtsFan

Lifer
Sep 22, 2007
33,522
575
126
Wow, Asrock pulled the 1.40 BIOS for my z370 Extreme 4 motherboard. I had already installed it and I don't have any problems however.

It's the first time in history that I have a BIOS not available on the manufacturers website. I kinda feel my system is special. lol
They pulled the 1.40 for the Taichi as well, which I already installed. Yikes
 

IndyColtsFan

Lifer
Sep 22, 2007
33,522
575
126
The ASRock BIOS/UEFI updates were listed as official, non-beta. My Z370 Taichi had a 1.40 UEFI update that was also pulled.

I'll be reverting to 1.30 until an official stable stable release is made.
Any idea why 1.4 was pulled?
 

Carfax83

Diamond Member
Nov 1, 2010
6,051
850
126
You don't need local access to the machine to exploit these vulnerabilities. Full stop.
Are you sure about that? These are the CVEs associated with Spectre and Meltdown, and all of them state that local access is required for a successful attack. I suppose with Spectre, you can supposedly do a java script attack that could leak protected information, but unless you have local access, how could you get the data and make use of it?

Spectre 1
Spectre 2
Meltdown
 

Jimzz

Diamond Member
Oct 23, 2012
4,389
181
106
The "updated microcode" in the Asus Prime Deluxe X299 has a HUGE performance hit on storage. Using Intel 900P 480G saw serious write performance drops. Flashed back to previous BIOS and saw performance back to prior levels. Not worth it.
Yea thats going to be the rub for Intel system. Security or performance, pick one.

Also a major reason I am waiting for the updated Ryzen CPUs to upgrade my Intel system.
 

Jimzz

Diamond Member
Oct 23, 2012
4,389
181
106
Apparently Intel has lots of beers for everyone to hold.

Intel Warned Chinese Companies of Chip Flaws Before U.S. Government
https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430

Jesus , and people still try to defend intel and the CEO for selling all his shares and options before all this came out.

I thought the worst had already come out about intel but things like this just make me wonder what bomb shell will drop next. So glad AMD makes good chips again.
 

jpiniero

Diamond Member
Oct 1, 2010
9,040
1,742
126
In fairness, the Chinese companies mentioned were Lenovo and Alibaba. IOW their biggest customers.

I'd say it's a bigger deal about the rumor that they were told on the same day that BK's stock sold.
 

Kenmitch

Diamond Member
Oct 10, 1999
8,401
2,138
136
Jesus , and people still try to defend intel and the CEO for selling all his shares and options before all this came out.

I thought the worst had already come out about intel but things like this just make me wonder what bomb shell will drop next. So glad AMD makes good chips again.
Strange world we live in.
 

Kenmitch

Diamond Member
Oct 10, 1999
8,401
2,138
136
Apparently Intel has lots of beers for everyone to hold.

Intel Warned Chinese Companies of Chip Flaws Before U.S. Government
https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430
Can't really think of any logical reasoning why Intel wouldn't have informed the US Government 1st. You'd think they'd have priority over all others in the end.

Guess you could go the conspiracy route and say the US Government already knew about the exploits and was using them for spying purposes.

Would seem silly if the reasoning behind it was just $'s.
 

zinfamous

No Lifer
Jul 12, 2006
105,366
20,061
136
Apparently Intel has lots of beers for everyone to hold.

Intel Warned Chinese Companies of Chip Flaws Before U.S. Government
https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430
the crap? what kind of deals has Intel been working with China all along?

I hate conspiracy nonsense...but this is really "weird," is it not? Why alert the big Chinese customers before you alert the US gov't and relevant security industries?
 
  • Like
Reactions: Zstream

ASK THE COMMUNITY

TRENDING THREADS