Every modern processor has unfixable security flaws

Newtun

Storage is nice, especially if it doesn't rotate
Joined
Nov 21, 2002
Messages
465
Location
Virginia

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,737
Location
USA
Intelpocalypse should be interesting to see how this flushes out in 2018. I'm glad I waited on building my next system and hope they can address this in future hardware to not get hit with the performance penalty in the upcoming software patches.
 

timwhit

Hairy Aussie
Joined
Jan 23, 2002
Messages
5,278
Location
Chicago, IL
Doesn't seem like the AMD flaw is nearly as bad. Is there even an real exploit in the wild for AMD yet?
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,327
Location
Gold Coast Hinterland, Australia
Doesn't seem like the AMD flaw is nearly as bad. Is there even an real exploit in the wild for AMD yet?

IIRC, exploits for AMD are only theoretical at this point, as no proof of concept code has been made available. are a lot harder and some POC has shown AMD CPUs to be affected by Spectre.

Note: There are actually two items going on, one is a deep flaw in the OOE (out-of-order execution) engine of the the Intel CPU core (called Meltdown), and another of how page tables and OS's use them and will affect all CPUs (irrespective of make/model) that use this style of virtual memory. (called Spectre)

Both Anandtech and Arstechnica have decent layman terms writeups.
https://www.anandtech.com/show/12214/understanding-meltdown-and-spectre
https://arstechnica.com/gadgets/201...odern-processor-has-unfixable-security-flaws/

As for me, the old moto 68K or early PowerPC are looking mighty fine at this point.
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,327
Location
Gold Coast Hinterland, Australia
Intel list for Meltdown:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

Looks like my ancient Atom N570 powered netbook is safe from Meltdown at least...

What's interesting is, the above list shows no Pentium4, Core or Core2 based CPUs (these lack the IMC (Integrated Memory Controller) that the ix-Core series brings), so is Meltdown a result of a design decision in how the IMC was integrated with the CPU?
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
But is it really a concern to home users? They'd need physical access to the machine to run such an exploit in which case you've already got a bigger problem.
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
16,624
Location
USA
I don't care about the security risk. If the workaround is that 10 runs like a slug, then the options are limited.
At least I won't be buying a new system until the issue is resolved.
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,327
Location
Gold Coast Hinterland, Australia
But is it really a concern to home users? They'd need physical access to the machine to run such an exploit in which case you've already got a bigger problem.

There (reportedly) is a POC for Spectre that runs via javascript on Chrome that extracts details from other running processes on the system and displays them in the browser... Could mean possible leaks of username/passwords for online sites (banking, social media, etc). Could mean attacks looking for kerberos ticket information to get access to other machines on the network, etc.

Very low probability of success, but is still an issue. I've read some people claiming both are largely a non-issue for desktop users, as exploit code needs to be run on the host system... but when the exploit code can be javascript from some random site... that's a different ball-game.

I don't see the issue of Meltdown or Spectre used in isolation, but rather as a small part of a larger exploit/attack setup. eg, as a stepping stone to getting deeper into the system.
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,327
Location
Gold Coast Hinterland, Australia
FYI, Meltdown patches for Win10 being released today, patches for Win7/8.x released as well, but expected to be widely deployed next Tuesday.
Patches for some GNU/Linux distros are already out (all my Arch Linux boxes are patched). (kernel 4.14.11 includes initial patches for Meltdown, distro vendors to backport as appropriate).
And there are rumors that the last patchset macOS High Sierra included some initial patches for Meltdown as well.
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,327
Location
Gold Coast Hinterland, Australia
I don't care about the security risk. If the workaround is that 10 runs like a slug, then the options are limited.
At least I won't be buying a new system until the issue is resolved.

I guess you won't be buying a new system for a while. From what I've read, the full impact of Spectre isn't known yet, so mitigations will take time.
 

Newtun

Storage is nice, especially if it doesn't rotate
Joined
Nov 21, 2002
Messages
465
Location
Virginia
But is it really a concern to home users? They'd need physical access to the machine to run such an exploit in which case you've already got a bigger problem.
It may be a concern for home users that, for instance, log on to their bank's web pages that may have been compromised by these issues. And IIRC, these exploits can effect VMs, so that, for example, a "rogue" VM server on The Cloud might be able to access another company's VM server.

There (reportedly) is a POC for Spectre that runs via javascript on Chrome that extracts details from other running processes on the system and displays them in the browser... Could mean possible leaks of username/passwords for online sites (banking, social media, etc). Could mean attacks looking for kerberos ticket information to get access to other machines on the network, etc.

Very low probability of success, but is still an issue. I've read some people claiming both are largely a non-issue for desktop users, as exploit code needs to be run on the host system... but when the exploit code can be javascript from some random site... that's a different ball-game.

I don't see the issue of Meltdown or Spectre used in isolation, but rather as a small part of a larger exploit/attack setup. eg, as a stepping stone to getting deeper into the system.
There is a somewhat popular impression that exploiting these kinds of issues is unlikely, because the perpetrators are isolated miscreants. However, recent events seem to give some indication that various government entities have devoted significant resources to pursuing malware intrusions of computer systems for their own nefarious purposes.
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
16,624
Location
USA
I guess you won't be buying a new system for a while. From what I've read, the full impact of Spectre isn't known yet, so mitigations will take time.

I hope the old 5930K system holds up for a while. I'm not spending $3K+ for mainboard/CPU/RAM and having a slower computer than the old one if the fixes kill performance.
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
They weren't pimping security in their CES booth. I can't imagine why...

5G was a really big topic though.
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
16,624
Location
USA
It is still not clear to me what these malwares will accomplish. Will they delete data or try to extort money for example?
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
16,624
Location
USA
Where are you finding malware?

No, I never find any. There are all sorts of technical discussions about the Meltdown and Spectre (malware), but what is the actual impact to the user's infected computer and data?
Are people losing data, being extorted, dying in hospital, etc.?
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,737
Location
USA
Meltdown and Spectre are not malware. Malware can be written to exploit the technical deficiencies in security that Meltdown and Specter have within the CPU.

The full extent of the impact has yet to be determined but the possibility of some user space code having access to other user space data means your sensitive information could be at risk. I don't believe it is as much at risk on your own machine as it would be on a public cloud system but I'm sure that can be argued.
 

timwhit

Hairy Aussie
Joined
Jan 23, 2002
Messages
5,278
Location
Chicago, IL
Eventually, someone will write a JavaScript version of the exploit and anything you do online will be at risk. No one is going to announce this exploit. You should patch your system now.
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
16,624
Location
USA
Yikes! The internet is becoming more of a pain than it is worth. :(
Perhaps I should take the main computer offline after the outbursts as I was planning to do last year. Then I could update Windows on the NUC and only connect with that device. At least I don't do anything on my home computers that would have a financial impact.
The work laptops are so slow with all the extra security lately that it is ridiculous. All the incoming or outgoing e-mails take up to several minutes with the scanning.
 
Top