Massive security hole in CPU's incoming? Official Meltdown/Spectre Discussion Thread

Cisco is not taking any chances either.
Intel says network products are not affected but Cisco does not agree and is doing its own research.
Some Cisco products seem safe.

http://www.crn.com/news/networking/...-be-affected-by-spectre-meltdown-exploits.htm

Cisco Systems is putting dozens of routers, switches and servers under the microscope to find out whether any of them may be affected by the Spectre or Meltdown exploits impacting processors worldwide. In a security advisory issued Thursday night, the networking giant said the majority of its products are closed systems and therefore not vulnerable to the exploits. The Spectre and Meltdown security flaws affect chips from multiple vendors, including market leader Intel.
Intel argues that the exploits are not a problem for networking, but Cisco isn't taking any chances.

"A Cisco product that may be deployed as a virtual machine or container, even while not being directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable," the company advised, adding that it would release software updates to combat that prospect.
In the meantime, the San Jose, Calif., company suggests that customers "harden their virtual environment," and "ensure that all security updates are installed."
The company said it is investigating its Cisco Cloud Services Platform 2100; ASR, NCS, XRv9000 and Industrial Integrated Service routers; Nexus series switches including blade and fabric models; as well as UCS B- and C-series blade and rack servers.
None of the products are known to be vulnerable, Cisco said, and the company has confirmed that its 1000 Series Connected Grid routers are not affected.
Other networking vendors are also keeping a close eye on the exploits. HPE Aruba issued a notice saying its "products are not affected by these vulnerabilities." An advisory from Juniper Networks says the company is "actively investigating the impact on Juniper Networks products and services."
The Spectre and Meltdown exploits have ignited a firestorm in the IT industry because the vulnerabilities, if ever exploited, could be used to expose sensitive data on most modern processors – including mobile devices, desktops, laptops and servers running in cloud environments.

 

LTC8K6

Lifer
It's going to be a while before we know the whole story.

The analysis of these problems is not over yet.

The patching is nowhere near finished yet, even for the first effort.

There's little point in making dire predictions this early, or in making any serious moves yet, regarding software or hardware.

I'm sitting tight for a couple weeks at least. Fortunately I never really updated after Haswell, so I can afford to wait.

I did buy an i5-8400 for msrp in early October, but it's still unopened. I never bought a board or ram.

If you want to try to make a stock move, well, stocks are risky anyway, so have at it. :)
 

goldstone77

Senior member
The hit coming from speculative branch prediction from the microcode update will be dramatic! This will affect everything to a certain degree including total system performance. Algos for virus programs use speculative branch chain prediction. Online gaming will be affected. "Back to the Future!"
 

IEC

Elite Member
Super Moderator
I have yet to see enough solid evidence that the typical user will notice much difference to draw that conclusion. The gaming impact appears to mostly affect servers, which would indirectly affect users who might have worse performance and login issues to their favorite games (like Fortnite) until server load is brought under control.

But we'll have to wait and see what the impact will be on users once enough updates are out there and enough configurations are tested by reputable sources.
 

Malogeek

Golden Member
No. This is not a bug or a flaw in Intel products. These new exploits leverage data about the proper operation of processing techniques common to modern computing platforms, potentially compromising security even though a system is operating exactly as it is designed to. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
How convenient of them to focus on Spectre attacks throughout their PR pieces, ignoring Meltdown completely. It's very helpful for Intel that the 2 types of exploits are being lumped together, despite the other "different vendors" specifically reporting the differentiation between the types of attacks and exactly how they're vulnerable.
 

goldstone77

Senior member
I have yet to see enough solid evidence that the typical user will notice much difference to draw that conclusion. The gaming impact appears to mostly affect servers, which would indirectly affect users who might have worse performance and login issues to their favorite games (like Fortnite) until server load is brought under control.

But we'll have to wait and see what the impact will be on users once enough updates are out there and enough configurations are tested by reputable sources.

This is true! Anti-virus programs use algos that use speculative branch prediction. Personal computers, when it comes to networking, use a lot of I/Os. Streaming, encoding, and video editing. This will be interesting!
 

mxnerd

Diamond Member
Google said Meltdown is not tested against AMD and ARM processors, does that mean Google believes that Meltdown only affects Intel processors?
 

goldstone77

Senior member
Google said Meltdown is not tested against AMD and ARM processors, does that mean Google believes that Meltdown only affects Intel processors?
That's not what they said. They used a toy experiment for proof of concept, but were never able to successfully exploit it.
6.4 Limitations on ARM and AMD
We also tried to reproduce the Meltdown bug on several ARM and AMD CPUs. However, we did not manage to successfully leak kernel memory with the attack described in Section 5, neither on ARM nor on AMD. The reasons for this can be manifold. First of all, our implementation might simply be too slow and a more optimized version might succeed. For instance, a more shallow out-of-order execution pipeline could tip the race condition towards against the data leakage. Similarly, if the processor lacks certain features, e.g., no re-order buffer, our current implementation might not be able to leak data. However, for both ARM and AMD, the toy example as described in Section 3 works reliably, indicating that out-of-order execution generally occurs and instructions past illegal memory accesses are also performed.
AMD's response:
Our CPUs don't speculate using memory references pointing to locations restricted to higher privilege levels than the running code
https://www.amd.com/en/corporate/speculative-execution
 

richierich1212

Platinum Member
This really sucks as I have 4 Intel systems and 1 AMD one in my household. 3 of the Intel-based ones are laptops powered by an i5-6300u and 2x i5-7300HQs. And the other system is powered by a 4790K. When I bought these Intel systems I expected the best performance and wasn't expecting to replace them anytime soon. Ugh. Darn you Intel!!!

I'm already paranoid enough about security and identity theft as is with all of the data breaches. This just really bums me out.
 

CatMerc

Golden Member
I'll give it a week before I make a judgement about performance on either Intel or AMD. Too many things we don't know.
 

StinkyPinky

Diamond Member
This really sucks as I have 4 Intel systems and 1 AMD one in my household. 3 of the Intel-based ones are laptops powered by an i5-6300u and 2x i5-7300HQs. And the other system is powered by a 4790K. When I bought these Intel systems I expected the best performance and wasn't expecting to replace them anytime soon. Ugh. Darn you Intel!!!

I'm already paranoid enough about security and identity theft as is with all of the data breaches. This just really bums me out.

I am seriously thinking about selling my entire system if it is as bad as it seems to be. I will wait a few months though and see the final fallout first (plus by then the newer Ryzens should be on their way).

This weird double speak from Intel makes me think they know it's really bad and they're trying to downplay it bigtime.
 

richaron

Golden Member
I'll give it a week before I make a judgement about performance on either Intel or AMD. Too many things we don't know.
Agreed. Plenty of people are either freaking out with Intel systems or smug about their AMD boxes atm, though we really don't know enough yet.

Early performance benchmarks are a mess of OS only or BIOS+OS fixes, and all with minimal scope. I think there's a decent chance the software fixes will be optimized somewhat in the future. But it seems clear that this affects VMs and memory intensive tasks more than the 'average' PC workload, so I wouldn't be surprised if the Intel patches have a huge effect in the enterprise sector.
 

richierich1212

Platinum Member
Agreed. Plenty of people are either freaking out with Intel systems or smug about their AMD boxes atm, though we really don't know enough yet.

Early performance benchmarks are a mess of OS only or BIOS+OS fixes, and all with minimal scope. I think there's a decent chance the software fixes will be optimized somewhat in the future. But it seems clear that this affects VMs and memory intensive tasks more than the 'average' PC workload, so I wouldn't be surprised if the Intel patches have a huge effect in the enterprise sector.

And as consumers why shouldn't we be freaking out? These are massive security holes. Intel is such a huge company with massive profits I can't understand how they can release processors like this in the first place.
 

aigomorla

CPU, Cases&Cooling Mod PC Gaming Mod Elite Member
Super Moderator
I'd edit the thread title unless it only applies to Xeon processors? :)

No, at this point it's pretty much meant for any Intel processor that was on that long list.

And as consumers why shouldn't we be freaking out? These are massive security holes. Intel is such a huge company with massive profits I can't understand how they can release processors like this in the first place.

Because there is always that one person who seems to figure out how to stuff a square down a circular hole.

The team from Google managed to find out this exploit.
It hasn't been used yet, which basically saves Intel from a massive lawsuit because it's an exploit that wasn't exploited.

But the same can be said even in video games, no matter how well a dev patches something, there will always be that little kid who will think outside the box, and manage to break your patch in unbelievable ways causing the dev to immediately repatch.
 

StinkyPinky

Diamond Member
And as consumers why shouldn't we be freaking out? These are massive security holes. Intel is such a huge company with massive profits I can't understand how they can release processors like this in the first place.

Especially if they knew about it with the 8th gen CPUs. They should have not released them if they knew beforehand. It's unethical at best, criminal at worst. I guess time will tell. If it is proven they knew about it prior to the 8th gen rollout, they should be forced to recall all 8th gen CPUs.
 

richaron

Golden Member
And as consumers why shouldn't we be freaking out? These are massive security holes. Intel is such a huge company with massive profits I can't understand how they can release processors like this in the first place.
I'm putting together a Ryzen system atm as my new home server. Sorry I might not understand how it feels to be uncool :p

Seriously though I agree it's a big problem, and it's even worse on a bunch of levels if Intel released new chips knowing they were buggy. But we really don't know the full extent of the performance impact of the fixes yet... And I suspect it will be worse for the enterprise sector than for regular PC workloads.
 

goldstone77

Senior member
https://www.epicgames.com/fortnite/forums/news/announcements/132642-epic-services-stability-update

Looks like the Meltdown patch is having a significant effect. Wonder what the Spectre microcode fix is going to feel like?
 

Hitman928

Diamond Member
It hasn't been used yet, which basically saves Intel from a massive lawsuit because it's an exploit that wasn't exploited.

We don't actually know this, despite what AMD and Intel have said. We know that no one's been caught using this exploit, but it's impossible to know if it's been used as it can be run without leaving a trace on the host computer.
 

Excessi0n

Member
And as consumers why shouldn't we be freaking out? These are massive security holes. Intel is such a huge company with massive profits I can't understand how they can release processors like this in the first place.

Because these are really weird, convoluted, and indirect exploits. It's like bouncing a laser off a window to see how it's vibrating and using that info to figure out what people in a room are saying. Except even harder to wrap your mind around. The fact that anybody was able to come up with this sort of attack in the first place is actually fairly impressive.