Massive security hole in CPU's incoming?Official Meltdown/Spectre Discussion Thread

Page 23 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

PhonakV30

Senior member
Oct 26, 2009
987
378
136
I read and checked :
https://support.microsoft.com/en-hk...ive-execution-side-channel-vulnerabilities-in

I get Error for "PS > Install-Module SpeculationControl".

PS : Cannot find a process with the name "SpeculationControl". Verify the process name and call the cmdlet again.
At line:1 char:1
+ PS > Install-Module SpeculationControl
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (SpeculationControl:String) [Get-Process], ProcessCommandException
+ FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell.Commands.GetProcessCommand

Windows 10 Enterprise 1709 Build 16299.125

Edit :
I checked this ( note : Run in IE or Microsoft Edge , this link does not work in non-IE)

https://catalog.update.microsoft.com/v7/site/search.aspx?q=kb4056892

but Windows update reports Your device is up to date
 
Last edited:

french toast

Senior member
Feb 22, 2017
988
825
136
If foreign governments have been using these hacks for years to steal intellectual property and gather secrets from the west (or other places) then how the hell would anyone know?
This has likely been going on for decades at an unimaginable cost.
 

urvile

Golden Member
Aug 3, 2017
1,575
474
96
If foreign governments have been using these hacks for years to steal intellectual property and gather secrets from the west (or other places) then how the hell would anyone know?
This has likely been going on for decades at an unimaginable cost.

It's curious isn't it? This isn't a worm exploiting a buffer overflow in a service. It's the actual design that causes the vulnerability and it has to be fixed in software. It's a risk that foreign intelligence agencies would discover it's existence but how long did it take for someone to find it? Plus the NSA would already know how to mitigate it. Also the NSA is well know for compromising equipment from leading US companies like dell and cisco.

Or maybe intel just lost sight of the security implications because they were pushing to hard for MOAR speed and adding to much complexity. Or maybe intel employs really incompetent engineers? The list goes on........

I guess it would be like any other zero day that the NSA and others have/do use in their tools. It's useful until it isn't.

When it comes to zero days Intelligence agencies are prepared to a) take the risk that someone else has it and b) don't care about how it effects the rest of the world.
 
Last edited:
May 11, 2008
19,299
1,129
126
I read and checked :
https://support.microsoft.com/en-hk...ive-execution-side-channel-vulnerabilities-in

I get Error for "PS > Install-Module SpeculationControl".



Windows 10 Enterprise 1709 Build 16299.125

Edit :
I checked this ( note : Run in IE or Microsoft Edge , this link does not work in non-IE)

https://catalog.update.microsoft.com/v7/site/search.aspx?q=kb4056892

but Windows update reports Your device is up to date

Here they explain what to do :
https://www.bleepingcomputer.com/ne...stems-for-the-meltdown-and-spectre-cpu-flaws/

You have to adjust the policy for powershell, you also have to run it as administrator.
Search : powershell , Alternative mouse button : run as administrator.

Adjust policy.
Set-ExecutionPolicy Bypass

Then do install.

After install and testing do :
Set-ExecutionPolicy Restriced.
to set the policy back to default which is restriced.

Test with Get-ExecutionPolicy.
 

PhonakV30

Senior member
Oct 26, 2009
987
378
136
Here they explain what to do :
https://www.bleepingcomputer.com/ne...stems-for-the-meltdown-and-spectre-cpu-flaws/

You have to adjust the policy for powershell, you also have to run it as administrator.
Search : powershell , Alternative mouse button : run as administrator.

Adjust policy.
Set-ExecutionPolicy Bypass

Then do install.

After install and testing do :
Set-ExecutionPolicy Restriced.
to set the policy back to default which is restriced.

Test with Get-ExecutionPolicy.

I found out why , My Windows does not update KB4056892 (2018-01 Cumulative Update for Windows 1709) so I can not run script , even with reg file.
 

beginner99

Diamond Member
Jun 2, 2009
5,208
1,580
136
i'm gonna side with cpu manufacturers saying "it works as intended".

Disagree. If we stay with stupid car analogies. Your self-driving car drives into a no-vehicles zone and you get finned (hacked). The supplier says car operates within spec because they never designed it not to do that.
 

urvile

Golden Member
Aug 3, 2017
1,575
474
96
Looks like Apple's custom CPUs were also vulnerable to Meltdown:

https://support.apple.com/en-us/HT208394

Right. I am adding apple to the list of conspirators.

In all seriousness as it points out in that apple support article. You still need to install malware to get the exploit onto the device. Or I guess it can come via JS. Yikes. If a network and devices attached to it have been properly secured it's not much of an issue except maybe for the JS vector. Anyway. I imagine what will happen is microsoft etc. will keep tweaking the patch for performance.
 
May 11, 2008
19,299
1,129
126
Right. I am adding apple to the list of conspirators.

In all seriousness as it points out in that apple support article. You still need to install malware to get the exploit onto the device. Or I guess it can come via JS. Yikes. If a network and devices attached to it have been properly secured it's not much of an issue except maybe for the JS vector. Anyway. I imagine what will happen is microsoft etc. will keep tweaking the patch for performance.

I think it is not a conspiracy, but these implementations of speculative execution and Oout of order execution and branch prediction are surely patented.
This is all a big if :
What if the patent exactly describes how to implement these concepts.
Why reinvent the wheel when somebody else already has done the ground work.
And that everybody in the business licenses the patent to design a high performance cpu core.
Then the patent with the design flaw becomes a part of every higher perfomance cpu core.
And all cpu cores are susceptible.
No conspiracy. C'est la vie.
 

urvile

Golden Member
Aug 3, 2017
1,575
474
96
I think it is not a conspiracy, but these implementations of speculative execution and Oout of order execution and branch prediction are surely patented.
This is all a big if :
What if the patent exactly describes how to implement these concepts.
Why reinvent the wheel when somebody else already has done the ground work.
And that everybody in the business licenses the patent to design a high performance cpu core.
Then the patent with the design flaw becomes a part of every higher perfomance cpu core.
And all cpu cores are susceptible.
No conspiracy. C'est la vie.

Couldn't agree more. I hate reinventing the wheel in software development. Also these types of algorithms are very hard to implement. I don't really think it's a conspiracy either but zero day exploits are very useful to certain people.

EDIT: Although I cannot guarantee I won't be wearing a tinfoil hat by the end of the night.
 
  • Like
Reactions: french toast

StinkyPinky

Diamond Member
Jul 6, 2002
6,761
776
126
Personally, I'd rather have a secure system. If the flaw is significant to cause harm to the consumer than they should be compensated. I'll take a new free secure CPU please. Thank you.

This exploit has been around 15 years. Google could have just quietly told Intel/ARM and they could have just patched their next generation of cpus.
Only gaming test I've seen using an older CPU so far. i7 4930k, which is Ivy Bridge E six core HT CPU
http://www.dsogaming.com/news/windo...triple-a-games-tested-in-cpu-bound-scenarios/

Interesting that Assassins Creed Origins was the only game to take a hit. Could be related to the oppressive DRM that game has.
 

coercitiv

Diamond Member
Jan 24, 2014
6,151
11,674
136
You know what the first thing I said when I seen this security problem was? So, this is how we get everyone to buy new CPU's and systems!
This incident won't have a considerable effect on CPU sales. In fact, it may have an adverse effect if it turns out some manufacturers end up delaying or canceling products.
 

goldstone77

Senior member
Dec 12, 2017
217
93
61
This exploit has been around 15 years. Google could have just quietly told Intel/ARM and they could have just patched their next generation of cpus.


Interesting that Assassins Creed Origins was the only game to take a hit. Could be related to the oppressive DRM that game has.

What hit?
Assassins2.png
 

goldstone77

Senior member
Dec 12, 2017
217
93
61
This incident won't have a considerable effect on CPU sales. In fact, it may have an adverse effect if it turns out some manufacturers end up delaying or canceling products.
When data centers that are close to max get a speed reduction, and their clients start calling asking why everything is running so slow.... Yeah, they need to buy more infrastructure.
 

CatMerc

Golden Member
Jul 16, 2016
1,114
1,149
136
Updated the OP with new information. Left out opinions since I don't want to have them in the OP.

My opinion however is this: EPYC Q1/Q2 orders are going to skyrocket. Already heard from IT friends that their companies are looking into integrating EPYC and phasing out all affected Intel CPU's over the next year or two. That doesn't mean that they won't use Intel, just that anything before and including Skylake-SP is something they don't want to have to deal with.

This issue is going to be good for server orders in general from what I gather. Companies will be looking to upgrading more than usual. AMD in particular is going to have a great year if things go as I hear.
 
Last edited:

french toast

Senior member
Feb 22, 2017
988
825
136
I want to see results for online multiplayer games.
Anyway, seems general desktop users shouldn't care much for this, does not seem to make any difference what so ever.
Enterprise is going to be affected though, to what degree we will only find out in 12-18 months.

Edit, following on from catmerc...IF Epyc 2...ie..Zen 2 @ 7nm come Q3/4 2018....and goes head to head against rehashed 14nm ++ skylake xeons , likely with this same fault....well it's going to be lambs to the slaughter!!.
 
Last edited:

coercitiv

Diamond Member
Jan 24, 2014
6,151
11,674
136
When data centers that are close to max get a speed reduction, and their clients start calling asking why everything is running so slow.... Yeah, they need to buy more infrastructure.
So we went from "everyone" to "data centers close to max" in just one reply :)
 

DarkKnightDude

Senior member
Mar 10, 2011
981
44
91
Are those tests actually taking into account that they have to actually apply the patch? Downloading it apparently doesn't just add it.
 

goldstone77

Senior member
Dec 12, 2017
217
93
61
So we went from "everyone" to "data centers close to max" in just one reply :)
You said
In fact, it may have an adverse effect if it turns out some manufacturers end up delaying or canceling products.
in one sentence. "Everyone" included manufacturers for you, and data centers I think are cover in it as well! :)

You will see these data centers switching to reliable products.
 

DigDog

Lifer
Jun 3, 2011
13,443
2,083
126
Disagree. If we stay with stupid car analogies. Your self-driving car drives into a no-vehicles zone and you get finned (hacked). The supplier says car operates within spec because they never designed it not to do that.
in common market products, you might have a slim chance if it was proven that a manufacturing company skipped common tests for common vulnerability, such as a company that produces roof tiles and does not test them for rain.
i've already answered you, as you see. a self driving car that doesn't self drive falls under common market clauses and also would likely run afoul of false advertising. A self driving car that drives into people when subject to malicious action comparable to the one necessary to take over the CPU as in meltdown, that would leave you without a cause for legal action.

Now, i *do* understand the computing world, and i know that Intel will lose a shitload* of money, but unless it's proven that they KNEW the CPU could be compromised, i don't think they will have to refund 1 penny.
 

goldstone77

Senior member
Dec 12, 2017
217
93
61
i've already answered you, as you see. a self driving car that doesn't self drive falls under common market clauses and also would likely run afoul of false advertising. A self driving car that drives into people when subject to malicious action comparable to the one necessary to take over the CPU as in meltdown, that would leave you without a cause for legal action.

Now, i *do* understand the computing world, and i know that Intel will lose a shitload* of money, but unless it's proven that they KNEW the CPU could be compromised, i don't think they will have to refund 1 penny.
Kaiser security holes will devastate Intel’s marketshare
Analysis: This one tips the balance toward AMD in a big way

Jan 4, 2018 by Charlie Demerjian
Since Google first discovered these holes in June, 2017, there have been patches pushed up to various Linux kernel and related repositories. The first one SemiAccurate can find was dated October 2017 and the industry coordinated announcement was set for Monday, January 9, 2018 so you can be pretty sure that the patches are in place and ready to be pushed out if not on your systems already.
They have known since Jun of last year! CEO sold all the stock he could, and put in the order to sell after Jun and sold before vulnerability was revealed publicly.

Edit: here is the link to the CNBC article:
https://www.cnbc.com/2018/01/04/int...lready-knew-about-massive-security-flaws.html
 

hnizdo

Member
Aug 11, 2017
33
16
41
SSD performance for random 4K reads took a hit for 23%. You can skim over the rest of the tests.

Only in Crystaldiskmark alone.Not in ATTO. I have near zero influence on my rig (Win10pro, 8700k, 960Pro 1TB).

EDIT:
Before patch
AhfVZcC.png


After patch
8SJ5Dca.png


Quick RoTR test
Before [fps avg/min/max]:
146/73/222
110/40/157
101/40/165
sum 120

After
146/77/229
106/41/151
98/37/161
sum 117
 
Last edited:
  • Like
Reactions: pcp7 and Burpo