CPU vulnerabilities. Intel, AMD and Arm.

http://www.bbc.co.uk/news/technology-42561169

Tech firms are working to fix two bugs that could allow hackers to steal personal data from computer systems.

Google researchers said one of the "serious security flaws", dubbed "Spectre", was found in chips made by Intel, AMD and ARM.

The other, known as "Meltdown" affects Intel-made chips alone.

The industry has been aware of the problem for months and hoped to solve it before details were made public.

The UK's National Cyber Security Centre (NCSC) said there was no evidence that the vulnerability had been exploited.

According to the researchers who found the bugs, chips dating as far back as 1995 have been affected.

Some fixes, in the form of software updates, have been introduced or will be available in the next few days, said Intel, which provides chips to about 80% of desktop computers and 90% of laptops worldwide.

Often when researchers discover a security problem, they share the information with the affected company so the issue can be fixed.

Typically, both parties agree not to publicise the problem until a fix has been implemented, so that criminals cannot take advantage of the issue.

This time it looks like somebody jumped the gun and information was leaked before a software fix was ready for distribution.

Intel said it had planned to share information next week, and several security researchers have tweeted that they have made a secrecy pact with the chip-maker.

That leaves the company in an uncomfortable situation, with a widely-publicised problem made public before the fix is ready to go.

Microchips are the basic electronic systems behind many devices such as computers and mobile phones.

The issue was originally linked to a flaw only in Intel's chips, but the firm said this was "incorrect".

"Many types of computing devices - with many different vendors' processors and operating systems - are susceptible to these exploits," said Intel.

ARM said patches had already been shared with its customers, which include many smartphone manufacturers.

AMD said it believed there was "near zero risk to AMD products at this time."

There are a number of software updates coming however the fix may cause as much as a 30% performance hit in certain tasks depending on what tasks you use the CPU for.

Tech support are going to have a gooseberry fool time with people calling them about stuff seeming to be slower.

Isn't Specter one basically not fixable.

I was reading yesterday that it is all down the the underlying architecture and would require a hardware refresh to resolve so that one will be around and a risk for a very very long time.

Yeah, a microcode fix isn't possible so they are having to do it in the OS which is putting a stupid overhead on the performance. There is a rumour that the "fault" is a backdoor put in for the NSA but that will just remain a rumour. Oh and the CEO has sold of 24 million dollars of stock he had and owns the bare minimum that he has to own in his position.

Yeah saw that, monumental bell he is!

It will be interesting how this will all play out, I can't imagine they will be able to go down the recall route so imagine it will be ridden out and be sorted in the next gen of chips.

Xeno wrote:Yeah, a microcode fix isn't possible so they are having to do it in the OS which is putting a stupid overhead on the performance. There is a rumour that the "fault" is a backdoor put in for the NSA but that will just remain a rumour. Oh and the CEO has sold of 24 million dollars of stock he had and owns the bare minimum that he has to own in his position.

And he coincidentally sold them a week before this news came out. What are the odds of that happening?

Intel are quite possibly facing a lawsuit from cloud providers like Amazon and Cloud if their infrastructure ends up taking a noticeable performance hit.

The main hit will be the server market based on what I have read. Gaming might get a tiny hit but nothing to what all those server farms will have.

So how long will it take for them to release a chip without the built in vulnerability? If AMD are smart they will already be working with their sales teams and working out how best to benefit from this.

Only took the millennium bug 17 years and 3 days :roll:

Its sort of funny. Every generation we test AMD and Intel servers against eachother to see which is fastest, and as a result we have 99.9% Intel infrastructure, now we are gonna patch and lose our performance advantage lel.

Also Xeno, its not a performance overhead from a lazy patch. The speculative memory grabbing is being disabled which forces a reload of the kernel memory table every time it is required to read/write. Essentially no other way to fix issues with spec memory without turning it off. Being as its a ring 0 issue impacting ring 3 its more like a hobbled ankle.

Could this completely hobble already low powered computers, i.e. ones that retail for around £200 and just about manage to run Windows 10?

I didn't say it was a lazy patch.

This is why consoles are better than PCs.

KK wrote:Could this completely hobble already low powered computers, i.e. ones that retail for around £200 and just about manage to run Windows 10?

It might slow down the OS stuff a bit, but seeing as an application isnt supposed to write into ring 0 (kernel space), only ring 3 (user space) it shouldnt be a lot, if any.

Basically the only places you should see a performance hit is early OS running or initiating or when an app drops to ring 0 - which per best security practice it should never ever do.

AMD's stock value has risen significantly. This has definitely given them a hand in regaining market share.

The unfortunate thing is that chips take years to bring through development so we will be near the back end of 2020 probably before we see hardware free of this problem.

Dual wrote:This is why consoles are better than PCs.

I'm pretty sure most console gamers also use PCs and laptops with personal information on them.

Besides, aren't the current gen console CPUs manufactured by AMD? Spectre is probably an issue with them as well.

YouTube

Poor people don't get Dual.

Gently-Hung Holly Wreath wrote:
KK wrote:Could this completely hobble already low powered computers, i.e. ones that retail for around £200 and just about manage to run Windows 10?

It might slow down the OS stuff a bit, but seeing as an application isnt supposed to write into ring 0 (kernel space), only ring 3 (user space) it shouldnt be a lot, if any.

Basically the only places you should see a performance hit is early OS running or initiating or when an app drops to ring 0 - which per best security practice it should never ever do.

So, the average user probably won't notice much slowdown then?

Its still quite a massive problem though as there must be several million affected cpu's out there, I imagine it's potentially far worse than the Y2K 'crisis' was as there's no real solution to the problem other than disabling the vulnerable cpu routines and crippling performance.

I think the only solution is to scrap all modern computers and get back the the Spectrum 48K and its superior rubber keyboard.

This is what happened to some of the back end servers of Fortnite after they patched

Attention Fortnite community,

We wanted to provide a bit more context for the most recent login issues and service instability. All of our cloud services are affected by updates required to mitigate the Meltdown vulnerability. We heavily rely on cloud services to run our back-end and we may experience further service issues due to ongoing updates.

Here is a link to an article which describes the issue in depth.

The following chart shows the significant impact on CPU usage of one of our back-end services after a host was patched to address the Meltdown vulnerability.

https://www.epicgames.com/fortnite/foru ... ity-update

I wondered why everyone was put in a 15 minute queue last night.

I’m sure this will have made Apple even more determined to create their own innards.

Lastpostamorph wrote:This is what happened to some of the back end servers of Fortnite after they patched

lol I decided to try that yesterday, it took a 20 minutes queue just to open the game

Battle royale game is rubbish anyway, you hide in a shed for 10 minutes and then get killed with an rpg

CPU vulnerabilities. Intel, AMD and Arm.

Who is online

Affiliates