Massive security hole in CPU's incoming?Official Meltdown/Spectre Discussion Thread

IEC · May 8, 2018

Per Heise.de's c't magazine, the eight (8) new flaws known as "Spectre-NG" have had fixes pushed back to July, with more fixes coming in August. These fixes are to address 4 of the 8 new flaws.
https://www.heise.de/security/meldung/Spectre-NG-Intel-verschiebt-die-ersten-Patches-koordinierte-Veroeffentlichung-aufgeschoben-4043790.html

Guru3D English press release:
http://www.guru3d.com/news-story/intel-has-to-delays-patches-for-new-spectre-ng-vulnerabilities.html

LTC8K6 · May 8, 2018

IEC said:
Per Heise.de's c't magazine, the eight (8) new flaws known as "Spectre-NG" have had fixes pushed back to July, with more fixes coming in August. These fixes are to address 4 of the 8 new flaws.
https://www.heise.de/security/meldung/Spectre-NG-Intel-verschiebt-die-ersten-Patches-koordinierte-Veroeffentlichung-aufgeschoben-4043790.html

Guru3D English press release:
http://www.guru3d.com/news-story/intel-has-to-delays-patches-for-new-spectre-ng-vulnerabilities.html

Seems reasonable.

I'm glad they are on top of it, even though it's apparently still not a problem for home users.

Shamrock · May 11, 2018

Well, people on various forums are reporting that MSI are denying BIOS updates for motherboards with only 2 numbers in them (Z87, Z97, X99, etc). So my MSI Gaming 5 (Z97) mobo is left vulnerable. What's sad is, Gigabyte, Asus, and ASRock already have their BIOSes out.

MSI is off my buy list, for a long while.

I am protected from Meltdown, but not Spectre.

beginner99 · May 12, 2018

Shamrock said:
I am protected from Meltdown, but not Spectre.

Spectre really ins't a big issue for consumers anyway. It would mean a hacker already can execute code on your machine and at that point you lost anyway. The issue is with virtualization in the cloud. I can setup my EC2 instance and then expect to run any software I want. Said software could then exploit meltdown/spectre and read any data (like encryption keys) from other VMs running on the same physical CPU.
But even this is kind of very untargeted attack because you never know who/what else is running on the same physical cpu. All in all this is kind of overblown. People that need to worry are Amazon, MS, google and co. and companies using their services but not you or me.

LTC8K6 · May 15, 2018

I see a very recent beta BIOS for ASUS Z-97A boards. Doesn't say what it addresses, though.

IEC · May 15, 2018

beginner99 said:
Spectre really ins't a big issue for consumers anyway. It would mean a hacker already can execute code on your machine and at that point you lost anyway. The issue is with virtualization in the cloud. I can setup my EC2 instance and then expect to run any software I want. Said software could then exploit meltdown/spectre and read any data (like encryption keys) from other VMs running on the same physical CPU.
But even this is kind of very untargeted attack because you never know who/what else is running on the same physical cpu. All in all this is kind of overblown. People that need to worry are Amazon, MS, google and co. and companies using their services but not you or me.

Even if the threat profile in your mind is little, the performance hit is not.

For those of us who run VMs on our home rigs the performance penalty is very significant (sometimes 40%+, particularly I/O) and extremely irritating.

On the enterprise side of things... the performance hit for ESXi + Horizon or XenApp is so bad for some common use cases (hint: used in pretty much every major medical center in the country... and then some) that patches simply cannot be installed yet due to CPU util and response time impacts being on the order of 50%+. On some very common configurations.

Brahmzy · May 15, 2018

^^ Can you provide some data on that. It’s what I’ve been hearing as well, but need some ammo to combat my security team.

I’ve held off applying most all of these due to the massive IO hit SQL, ESXi and others take. I didn’t even think about View.

jpiniero · May 15, 2018

Yeah, you can see why the rumors of Intel doing Skylake-X Toasty Edition, because they know once Cascade Lake is released it basically obsoletes Skylake-SP due to Spectre/Meltdown and they need a place to dump the remaining dies.

beginner99 · May 15, 2018

IEC said:
Even if the threat profile in your mind is little, the performance hit is not.

For those of us who run VMs on our home rigs the performance penalty is very significant (sometimes 40%+, particularly I/O) and extremely irritating.

On the enterprise side of things... the performance hit for ESXi + Horizon or XenApp is so bad for some common use cases (hint: used in pretty much every major medical center in the country... and then some) that patches simply cannot be installed yet due to CPU util and response time impacts being on the order of 50%+. On some very common configurations.

This in my opinion only adds to the poor handling of the situation. Now user get a huge performance loss for no real benefit. This was just rushed out so all involved can say we indeed did something. Neither Intel, AMD nor MS could afford to speak the truth and say: We only provide fixes for cloud providers that actually need them.

jpiniero · May 21, 2018

https://www.theregister.co.uk/2018/05/21/spectre_meltdown_v4_microsoft_google/

Microcode fixes for Variant 4 coming. Intel says it's a 2-8% perf hit if workaround enabled. Not sure if this is on top of the other performance hits.

coercitiv · May 22, 2018

jpiniero said:
https://www.theregister.co.uk/2018/05/21/spectre_meltdown_v4_microsoft_google/

Microcode fixes for Variant 4 coming. Intel says it's a 2-8% perf hit if workaround enabled. Not sure if this is on top of the other performance hits.

I think it's on top

They wouldn't quote a perf drop for an opt-in protection, unless it was independent of Meltdown/Spectre patches.

snstr · May 22, 2018

As far as I understand it, the new spectre variants target other areas of the CPU but use the basic Spectre pattern (sidechannel data leaks & possibly timing?). I guess that many security researchers are now systematically looking for the keywords "speculation" and "prediction" in CPU/ISA documentations. This way they could reliably find new specific attacks per CPU/ISA.

PingSpike · May 22, 2018

https://newsroom.intel.com/editorials/addressing-new-research-for-side-channel-analysis/

Default off, security is optional at Intel.

This mitigation will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option. In this configuration, we have observed no performance impact.

Wow, no performance impact when its off. Is this some kind of magic?

Jimzz · May 22, 2018

jpiniero said:
https://www.theregister.co.uk/2018/05/21/spectre_meltdown_v4_microsoft_google/

Microcode fixes for Variant 4 coming. Intel says it's a 2-8% perf hit if workaround enabled. Not sure if this is on top of the other performance hits.

Yea that's on top of previous ones. And this is just #4, there are other "fixes" coming.

My 3770 is going backwards everyday it seems.

LTC8K6 · May 22, 2018

Most of us don't really need the patches, though.

SPBHM · May 22, 2018

if there is the potential to affect "web browsing", than I think there is a high potential for everyone to be exposed
not enabling it to avoid a "2-8%" performance loss is very strange,
I would assume default settings should be the safest, with the option to give up safety for speed.

Spjut · May 22, 2018

Can anyone say whether it's any point to update the BIOS compared to using the microcode updates that are provided within Windows?

Jimzz · May 22, 2018

Spjut said:
Can anyone say whether it's any point to update the BIOS compared to using the microcode updates that are provided within Windows?

You have to use both to be fully protected. At least as fully as we have been told since there seems to be more to come for Intel users.

zinfamous · May 22, 2018

LTC8K6 said:
Most of us don't really need the patches, though.

Probably. But this is an actual real problem for data centers and whatnot that deploy hundreds of these CPUs. "We" aren't the clients that really make the difference, because this is a huge issue for Intel in the end. And the timing can't be worse right now with Epyc poised to pick up the slack.

2-8% performance hit here, on top of 5-30% there with Intel, this means that for a significant number of clients, AMD has not only completely caught up with Intel on performance but has passed them. Not for all use cases, obviously, but toss in the messaging that Intel really doesn't care about security and they don't seem to have for several generations as these implementations are looking more and more like intentional false performance designs at the expense of security, this should hurt Intel rather severely. ..should, but this is Intel. Their marketing is well-funded, targeted, and they have a history of brushing off shady practices with shady messaging, and they still maintain long histories with their clients.

LTC8K6 · May 22, 2018

zinfamous said:
Probably. But this is an actual real problem for data centers and whatnot that deploy hundreds of these CPUs. "We" aren't the clients that really make the difference, because this is a huge issue for Intel in the end. And the timing can't be worse right now with Epyc poised to pick up the slack.

2-8% performance hit here, on top of 5-30% there with Intel, this means that for a significant number of clients, AMD has not only completely caught up with Intel on performance but has passed them. Not for all use cases, obviously, but toss in the messaging that Intel really doesn't care about security and they don't seem to have for several generations as these implementations are looking more and more like intentional false performance designs at the expense of security, this should hurt Intel rather severely. ..should, but this is Intel. Their marketing is well-funded, targeted, and they have a history of brushing off shady practices with shady messaging, and they still maintain long histories with their clients.

You would think we'd hear all the data centers using Intel screaming about the loss of performance, demanding money back, class action suits, etc.

You can't hide a big loss of performance for very long.

I admittedly don't pay attention to that area, but is that happening? Are class-action lawsuits looming?

I would be reacting quite strongly if I lost 30% of the performance I need for my business.

LTC8K6 · May 22, 2018

Spectre 4 affects AMD and ARM chips as well as Intel, according to WCCFtech's report.

SPBHM · May 22, 2018

Jimzz said:
You have to use both to be fully protected. At least as fully as we have been told since there seems to be more to come for Intel users.

you need both a microcode update and changes to windows, but you don't need a new bios, with this https://support.microsoft.com/en-us/help/4100347/intel-microcode-updates-for-windows-10-version-1803-and-windows-server
windows loads/uses the updated microcode from your drive and not from the bios chip, but the result is the same...

I would assume the bios method is preferable, because it's more permanent, gives some extra protection against hacking!? but the spectre fix from the bios and from this update for windows gives you the same result.

the901 · May 22, 2018

Brahmzy said:
^^ Can you provide some data on that. It’s what I’ve been hearing as well, but need some ammo to combat my security team.
I’ve held off applying most all of these due to the massive IO hit SQL, ESXi and others take. I didn’t even think about View.

https://theorypc.ca/2018/04/30/meltdown-spectre-performance-analysis/

coercitiv · May 22, 2018

LTC8K6 said:
Spectre 4 affects AMD and ARM chips as well as Intel, according to WCCFtech's report.

https://www.amd.com/en/corporate/security-updates

5/21/18

Today, Microsoft and Google Project Zero researchers have identified a new category of speculative execution side channel vulnerability (Speculative Store Bypass or SSB) that is closely related to the previously disclosed GPZ/Spectre variant 1 vulnerabilities. Microsoft has released an advisory on the vulnerability and mitigation plans.

AMD recommended mitigations for SSB are being provided by operating system updates back to the Family 15 processors (“Bulldozer” products). For technical details, please see the AMD whitepaper. Microsoft is completing final testing and validation of AMD-specific updates for Windows client and server operating systems, which are expected to be released through their standard update process. Similarly, Linux distributors are developing operating system updates for SSB. AMD recommends checking with your OS provider for specific guidance on schedules.

Based on the difficulty to exploit the vulnerability, AMD and our ecosystem partners currently recommend using the default setting that maintains support for memory disambiguation.

We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date.

As a reminder, security best practices of keeping your operating system and BIOS up-to-date, utilizing safe computer practices and running antivirus software are always the first line of defense in maintaining device security.

LTC8K6 · May 22, 2018

Inspectre says there is a microcode update for my IB desktop system, but where do I find it?

The one listed above does not list IB desktop chips.

Massive security hole in CPU's incoming?Official Meltdown/Spectre Discussion Thread

Elite Member

Lifer

Golden Member

Diamond Member

Lifer

Elite Member

Senior member

Lifer

Diamond Member

Lifer

Diamond Member

Member

Lifer

Diamond Member

Lifer

Diamond Member

Senior member

Diamond Member

No Lifer

Lifer

Lifer

Diamond Member

Junior Member

Diamond Member

Lifer

ASK THE COMMUNITY