Massive Intel blunder affecting a decades worth of CPU's

Gary · Jan 03, 2018, 11:04:51

'It is understood the bug is present in modern Intel processors produced in the past decade. It allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the layout or contents of protected kernel memory areas.

A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.

Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.

Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor
mode. lMore recent Intel chips have features – such as PCID – to reduce the performance hit. Your mileage may vary.'

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

zappaDPJ · Jan 03, 2018, 12:36:26

I wonder if they got the idea from Apple http://www.bbc.co.uk/news/technology-42508300

I regularly run a process that takes well over 48 hours to complete. A 30% slowdown on that would be rather noticeable. Hopefully that's a pessimistic view.

Glenn · Jan 03, 2018, 22:05:43

http://www.ubergizmo.com/2018/01/intel-cpu-flaw-reports-incorrect-company-says

Intel says in its statement that it believes that the exploits detailed in the report do not have the ability to corrupt, modify or delete data.

Gary · Jan 04, 2018, 11:10:13

Quote from: Glenn on Jan 03, 2018, 22:05:43
http://www.ubergizmo.com/2018/01/intel-cpu-flaw-reports-incorrect-company-says

Intel says in its statement that it believes that the exploits detailed in the report do not have the ability to corrupt, modify or delete data.

But it can be read thats worse really, we also now now there is 2 parts, one is the biggy called Meltdown then another called spectre which may not be so easy to patch. It also seems some Arm CPU's are vulnerable and possibly AMD to some extent or not depending who says what.

CERT says 'The underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware.'

https://www.kb.cert.org/vuls/id/584653

https://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/

zappaDPJ · Jan 04, 2018, 11:11:43

Quote from: Glenn on Jan 03, 2018, 22:05:43
http://www.ubergizmo.com/2018/01/intel-cpu-flaw-reports-incorrect-company-says

Intel says in its statement that it believes that the exploits detailed in the report do not have the ability to corrupt, modify or delete data.

That might be true of one exploit but there are two and the second flaw, Spectre affects Intel, AMD and ARM products: http://www.bbc.co.uk/news/technology-42561169

My understanding which I'll admit is fairly limited at this point in time is that you wouldn't know if any of your devices had been compromised. From what I've read it's perfectly possible to access sensitive data by exploiting either of these flaws but most analysts suggest that it's unlikely to have happened yet. The problem is this information was not supposed to be in the public domain until fixes were in place so hackers now have a highly publicised window of opportunity.

[EDIT] And what Gary said

Gary · Jan 04, 2018, 11:20:18

Quote from: zappaDPJ on Jan 04, 2018, 11:11:43
That might be true of one exploit but there are two and the second flaw, Spectre affects Intel, AMD and ARM products: http://www.bbc.co.uk/news/technology-42561169

My understanding which I'll admit is fairly limited at this point in time is that you wouldn't know if any of your devices had been compromised. From what I've read it's perfectly possible to access sensitive data by exploiting either of these flaws but most analysts suggest that it's unlikely to have happened yet. The problem is this information was not supposed to be in the public domain until fixes were in place so hackers now have a highly publicised window of opportunity.

[EDIT] And what Gary said

Apple in 10.13.2 have mitigated the issue somewhat which is good 10.13.3 will finish off that and I've not noted massive slowdowns in my work load which is light enough, the big guys with cloud servers will be hit the hardest. Also ISP's maybe? The mind boggles over the size of this bug. Many machines wont get patched, browsers need updating but old OS's wont get patched and many new browsers wont run on old OS's, its a huge mess. Also lots of Android devices not patched too, and other devices using ARM like routers. Also when will Intel get CPU's out without this flaw? Ugh

JB · Jan 04, 2018, 11:41:04

There is quite a lot of information on both vulnerabilities here:-

https://meltdownattack.com/

Simon · Jan 04, 2018, 12:50:10

Quote from: zappaDPJ on Jan 04, 2018, 11:11:43
The problem is this information was not supposed to be in the public domain until fixes were in place so hackers now have a highly publicised window of opportunity.

Thanks to The Register.

zappaDPJ · Jan 04, 2018, 14:25:17

Quote from: Gary on Jan 04, 2018, 11:20:18
Apple in 10.13.2 have mitigated the issue somewhat which is good 10.13.3 will finish off that and I've not noted massive slowdowns in my work load which is light enough, the big guys with cloud servers will be hit the hardest. Also ISP's maybe?

If what I've read so far is at all accurate that's correct. The payload from the fix is far more likely to impact servers than someone running a graphics intensive process like a computer game.

Quote from: Simon on Jan 04, 2018, 12:50:10
Thanks to The Register.

Apparently Google discovered the flaws last year and there was a planned news announcement for Jan 9th but it was leaked earlier than planned https://techcrunch.com/2018/01/03/googles-project-zero-team-discovered-critical-cpu-flaw-last-year/

QuoteThe Google Security team wrote that they began taking steps to protect Google services from the flaw as soon as they learned about it. If you're wondering why they didn't tell the public about it as soon as they learned about it, it's because there was supposed to be a coordinated release coming up next week (on January 9th). When the news leaked, Google, Intel and other interested parties decided to release the information to end speculation.

Gary · Jan 05, 2018, 08:49:21

Quote from: Simon on Jan 04, 2018, 12:50:10
Thanks to The Register.

From all accounts I think it was Google that leaked the information early. Still its a complete clusterf*ck. Sky Lake and newer (I have a Kaby Lake i7 and wish I didn't) will get some microcode updates to help mitigate spectre, older CPU;s will be software fixes, there is so much misinformation out there from different websites. iOS and Apple CPU's are also vulnerable to Meltdown and Spectre.

Arm and almost all modern CPU's seem to have issues with spectre, AMD has some but not so much, only SPARC seem to come out pretty unscathed so far. iOS 11.2 has mitigations against Meltdown and updates should be coming for Safari for spectre. Firefox has released 57.0.4 to help mitigate Spectre and Meltdown (mainly spectre) it's slowed the browser down but if its helps for now so be it. Chrome will release an update soonish, I think the 23rd. Mainly all this will go on for years till new CPU architecture comes into play though

zappaDPJ · Jan 05, 2018, 09:41:58

I did find yesterday's Financial Times front page headline rather amusing...

'Companies warned to replace all hardware or risk 'Spectre' attack.'

No panic there then

Gary · Jan 05, 2018, 10:03:30

Quote from: zappaDPJ on Jan 05, 2018, 09:41:58
I did find yesterday's Financial Times front page headline rather amusing...

'Companies warned to replace all hardware or risk 'Spectre' attack.'

No panic there then

Cert have since removed that replace your hardware message, also at this time there are no Intel CPU's with new architecture, I imagine there wont be until at least Ice Lake. Even AMD's Ryzen I believe are open to spectre, where is James bond when you need him

zappaDPJ · Jan 05, 2018, 11:12:41

Tacitus · Jan 05, 2018, 11:32:11

An individual is probably at low risk of a Meltdown attack since it's a difficult exploit and can be mitigated via software. It's servers that are most at risk; just think of all those NHS servers with all the patient data on them. Why would a hacker bother with average Joe when there's a much better target to aim for.

For the individual it's Spectre that may be the biggest problem since that is possible via Javascript in a browser. Ad and Script blocking might lower the risk but a lot of legitimate sites won't work unless you allow Javascript and quite a few want you to unblock ads. If nothing else it might be a wake up call to the ad industry to get their house in order, although I won't hold my breath.