Massive security hole in CPU's incoming? Official Meltdown/Spectre Discussion Thread



LTC8K6

Per Heise.de's c't magazine, the eight (8) new flaws known as "Spectre-NG" have had fixes pushed back to July, with more fixes coming in August. These fixes are to address 4 of the 8 new flaws.
https://www.heise.de/security/meldu...e-Veroeffentlichung-aufgeschoben-4043790.html

Guru3D English press release:
http://www.guru3d.com/news-story/intel-has-to-delays-patches-for-new-spectre-ng-vulnerabilities.html
Seems reasonable.

I'm glad they are on top of it, even though it's apparently still not a problem for home users.
 

Shamrock

Well, people on various forums are reporting that MSI are denying BIOS updates for motherboards with only 2 numbers in them (Z87, Z97, X99, etc). So my MSI Gaming 5 (Z97) mobo is left vulnerable. What's sad is, Gigabyte, Asus, and ASRock already have their BIOSes out.

MSI is off my buy list, for a long while.

I am protected from Meltdown, but not Spectre.
 

beginner99

> I am protected from Meltdown, but not Spectre.

Spectre really isn't a big issue for consumers anyway. It would mean a hacker already can execute code on your machine and at that point you lost anyway. The issue is with virtualization in the cloud. I can set up my EC2 instance and then expect to run any software I want. Said software could then exploit Meltdown/Spectre and read any data (like encryption keys) from other VMs running on the same physical CPU.
But even this is kind of very untargeted attack because you never know who/what else is running on the same physical CPU. All in all this is kind of overblown. People that need to worry are Amazon, MS, Google and co. and companies using their services but not you or me.
 

LTC8K6

I see a very recent beta BIOS for ASUS Z-97A boards. Doesn't say what it addresses, though.
 

IEC

> Spectre really isn't a big issue for consumers anyway. It would mean a hacker already can execute code on your machine and at that point you lost anyway. The issue is with virtualization in the cloud. I can set up my EC2 instance and then expect to run any software I want. Said software could then exploit Meltdown/Spectre and read any data (like encryption keys) from other VMs running on the same physical CPU.
> But even this is kind of very untargeted attack because you never know who/what else is running on the same physical CPU. All in all this is kind of overblown. People that need to worry are Amazon, MS, Google and co. and companies using their services but not you or me.

Even if the threat profile in your mind is little, the performance hit is not.

For those of us who run VMs on our home rigs the performance penalty is very significant (sometimes 40%+, particularly I/O) and extremely irritating.

On the enterprise side of things... the performance hit for ESXi + Horizon or XenApp is so bad for some common use cases (hint: used in pretty much every major medical center in the country... and then some) that patches simply cannot be installed yet due to CPU util and response time impacts being on the order of 50%+. On some very common configurations.
 

Brahmzy

^^ Can you provide some data on that? It’s what I’ve been hearing as well, but need some ammo to combat my security team. :)
I’ve held off applying most all of these due to the massive IO hit SQL, ESXi and others take. I didn’t even think about View.
 

jpiniero

Yeah, you can see why the rumors of Intel doing Skylake-X Toasty Edition, because they know once Cascade Lake is released it basically obsoletes Skylake-SP due to Spectre/Meltdown and they need a place to dump the remaining dies.
 

beginner99

> Even if the threat profile in your mind is little, the performance hit is not.
>
> For those of us who run VMs on our home rigs the performance penalty is very significant (sometimes 40%+, particularly I/O) and extremely irritating.
>
> On the enterprise side of things... the performance hit for ESXi + Horizon or XenApp is so bad for some common use cases (hint: used in pretty much every major medical center in the country... and then some) that patches simply cannot be installed yet due to CPU util and response time impacts being on the order of 50%+. On some very common configurations.

This in my opinion only adds to the poor handling of the situation. Now users get a huge performance loss for no real benefit. This was just rushed out so all involved can say we indeed did something. Neither Intel, AMD nor MS could afford to speak the truth and say: We only provide fixes for cloud providers that actually need them.
 

snstr

As far as I understand it, the new Spectre variants target other areas of the CPU but use the basic Spectre pattern (side-channel data leaks & possibly timing?). I guess that many security researchers are now systematically looking for the keywords "speculation" and "prediction" in CPU/ISA documentation. This way they could reliably find new specific attacks per CPU/ISA.
 


SPBHM

if there is the potential to affect "web browsing", then I think there is a high potential for everyone to be exposed
not enabling it to avoid a "2-8%" performance loss is very strange,
I would assume default settings should be the safest, with the option to give up safety for speed.
 

Spjut

Can anyone say whether there's any point to update the BIOS compared to using the microcode updates that are provided within Windows?
 

Jimzz

> Can anyone say whether there's any point to update the BIOS compared to using the microcode updates that are provided within Windows?

You have to use both to be fully protected. At least as fully as we have been told since there seems to be more to come for Intel users. :(
 

zinfamous

Most of us don't really need the patches, though.

Probably. But this is an actual real problem for data centers and whatnot that deploy hundreds of these CPUs. "We" aren't the clients that really make the difference, because this is a huge issue for Intel in the end. And the timing can't be worse right now with Epyc poised to pick up the slack.

2-8% performance hit here, on top of 5-30% there with Intel, this means that for a significant number of clients, AMD has not only completely caught up with Intel on performance but has passed them. Not for all use cases, obviously, but toss in the messaging that Intel really doesn't care about security and they don't seem to have for several generations as these implementations are looking more and more like intentional false performance designs at the expense of security, this should hurt Intel rather severely. ..should, but this is Intel. Their marketing is well-funded, targeted, and they have a history of brushing off shady practices with shady messaging, and they still maintain long histories with their clients.
 

LTC8K6

> Probably. But this is an actual real problem for data centers and whatnot that deploy hundreds of these CPUs. "We" aren't the clients that really make the difference, because this is a huge issue for Intel in the end. And the timing can't be worse right now with Epyc poised to pick up the slack.
>
> 2-8% performance hit here, on top of 5-30% there with Intel, this means that for a significant number of clients, AMD has not only completely caught up with Intel on performance but has passed them. Not for all use cases, obviously, but toss in the messaging that Intel really doesn't care about security and they don't seem to have for several generations as these implementations are looking more and more like intentional false performance designs at the expense of security, this should hurt Intel rather severely. ..should, but this is Intel. Their marketing is well-funded, targeted, and they have a history of brushing off shady practices with shady messaging, and they still maintain long histories with their clients.

You would think we'd hear all the data centers using Intel screaming about the loss of performance, demanding money back, class action suits, etc.

You can't hide a big loss of performance for very long.

I admittedly don't pay attention to that area, but is that happening? Are class-action lawsuits looming?

I would be reacting quite strongly if I lost 30% of the performance I need for my business.
 

LTC8K6

Spectre 4 affects AMD and ARM chips as well as Intel, according to WCCFtech's report.
 

SPBHM

> You have to use both to be fully protected. At least as fully as we have been told since there seems to be more to come for Intel users. :(

you need both a microcode update and changes to windows, but you don't need a new bios, with this https://support.microsoft.com/en-us...or-windows-10-version-1803-and-windows-server
windows loads/uses the updated microcode from your drive and not from the bios chip, but the result is the same...

I would assume the bios method is preferable, because it's more permanent, gives some extra protection against hacking!? but the spectre fix from the bios and from this update for windows gives you the same result.
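
The "microcode plus Windows changes" point discussed above can be checked per mitigation on a Windows machine. The following is an added example, not part of the original posts: it interprets the result object of Microsoft's SpeculationControl PowerShell module (`Get-SpeculationControlSettings`). The helper name `Get-MitigationGap` and the sample values are assumptions made for illustration.

```powershell
# Added example. Get-MitigationGap is a hypothetical helper; the property
# names are those returned by Get-SpeculationControlSettings.
function Get-MitigationGap {
    param([Parameter(Mandatory)] $Settings)

    # Each mitigation has a hardware half (microcode, from the BIOS or loaded
    # by Windows at boot) and an OS half that must be present and switched on.
    $checks = @(
        @{ Name      = 'Spectre 2 (branch target injection)'
           Hardware  = 'BTIHardwarePresent'
           OsPresent = 'BTIWindowsSupportPresent'
           OsEnabled = 'BTIWindowsSupportEnabled' },
        @{ Name      = 'Spectre 4 (speculative store bypass)'
           Hardware  = 'SSBDHardwarePresent'
           OsPresent = 'SSBDWindowsSupportPresent'
           OsEnabled = 'SSBDWindowsSupportEnabledSystemWide' }
    )

    foreach ($c in $checks) {
        $hw = [bool]$Settings.($c.Hardware)
        $os = [bool]$Settings.($c.OsPresent)
        $on = [bool]$Settings.($c.OsEnabled)

        # Report the first missing piece, in the order it has to be supplied.
        $state = if (-not $hw) { 'microcode missing' }
                 elseif (-not $os) { 'Windows update missing' }
                 elseif (-not $on) { 'supported but not enabled' }
                 else { 'active' }

        [pscustomobject]@{
            Mitigation = $c.Name; Microcode = $hw
            WindowsSupport = $os; Enabled = $on; State = $state
        }
    }
}

# Constructed sample: microcode and OS support present for both, with the
# store-bypass mitigation left at its off-by-default setting.
$sample = [pscustomobject]@{
    BTIHardwarePresent                  = $true
    BTIWindowsSupportPresent            = $true
    BTIWindowsSupportEnabled            = $true
    SSBDHardwarePresent                 = $true
    SSBDWindowsSupportPresent           = $true
    SSBDWindowsSupportEnabledSystemWide = $false
}
Get-MitigationGap -Settings $sample | Format-Table -AutoSize

# Live system, after Install-Module SpeculationControl:
#   Get-MitigationGap -Settings (Get-SpeculationControlSettings)
```

The hardware flags do not distinguish microcode delivered by a BIOS update from microcode loaded by Windows; either source sets them.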
 

coercitiv

> Spectre 4 affects AMD and ARM chips as well as Intel, according to WCCFtech's report.

https://www.amd.com/en/corporate/security-updates
5/21/18

Today, Microsoft and Google Project Zero researchers have identified a new category of speculative execution side channel vulnerability (Speculative Store Bypass or SSB) that is closely related to the previously disclosed GPZ/Spectre variant 1 vulnerabilities. Microsoft has released an advisory on the vulnerability and mitigation plans.

AMD recommended mitigations for SSB are being provided by operating system updates back to the Family 15 processors (“Bulldozer” products). For technical details, please see the AMD whitepaper. Microsoft is completing final testing and validation of AMD-specific updates for Windows client and server operating systems, which are expected to be released through their standard update process. Similarly, Linux distributors are developing operating system updates for SSB. AMD recommends checking with your OS provider for specific guidance on schedules.

Based on the difficulty to exploit the vulnerability, AMD and our ecosystem partners currently recommend using the default setting that maintains support for memory disambiguation.

We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date.

As a reminder, security best practices of keeping your operating system and BIOS up-to-date, utilizing safe computer practices and running antivirus software are always the first line of defense in maintaining device security.
 

LTC8K6

Inspectre says there is a microcode update for my IB desktop system, but where do I find it?

The one listed above does not list IB desktop chips.