https://www.dangerous.com/39808/intel-cpus-major-security-flaw-fixing-causes-huge-performance-hit/
“It’s impossible to fix with a chip-based update, and requires a software-based solution through the operating system, which in turn causes a performance hit of up to 30 percent.”
It’s being reported by all tech websites.
That’s in addition to their Intel-SA-00086 Management Engine vulnerability…
I misunderstood it, I thought that fixing it the CPU would increase the performance by a 30%!
That would have been neat!
That seems fairly annoying. I think I’m Intel
This is a big problem. You can access kernel memory with an unprivileged process and nothing can stop it and it leaves no traces. Sandboxing in virtual machines does not stop it (cloud providers).
It was supposed to be disclosed next week but rumors and panic made them publish it early.
Meltdown and Spectre
Bugs in modern computers leak passwords and sensitive data.
There are three variants and the most serious one only affects Intel (Meltdown), but other variants also affect AMD, ARM, etc.
Spectre (variants 1 and 2)
Meltdown (variant 3) affects almost all Intel-CPUs since 1995
Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)
That stuff makes my head hurt. Although I can see roughly what they’re getting at (considering I haven’t had my coffee yet) I’m not sure this follows:
It would be literally like looking for a needle in a haystack. Now I realise that’s precisely what computers are good at, but I suspect a virus scavenging leftover scraps from the cache would consume so much CPU time that people would notice something badly wrong and do a virus scan.
Or perhaps I overestimate people’s competence with computers.
A key-logger that does not need to hook the system, can be started in a silent unprivileged process and is therefore undetectable by antivirus. AVs can detect it after the AV companies get a sample of the key-logger code and make a hash signature. But small changes make it invisible to AV again.
But who would go after individuals if there are other juicy targets. Run the exploit on the cloud. The resources are shared and you will find access keys to other cloud accounts that happen to run code on the same hardware. Get access to huge databases of companies that use cloud services.
It is a big deal as it compromises security everywhere until the systems have been patched.
If the CPU has a design flaw, would it be possible to order a recall for newer purchases and perhaps a significant discount for people to upgrade to a newer model. how far back was this problem?
The meltdown flaw can be fixed with software patches. Windows, MacOS and Linux already have patches made. This results in slightly lower performance. For end users the slowdown is almost non existent. The slowdowns can be big for some databases (cloud).
So big datacenters using Intel might get some reparatons from Intel as they have the resources to preassure Intel.
Btw. Intel CEO sold $24 million in company stock recently (everything he was legally able to sell).
Doing my updates now. We’ll see what happens
Don’t think that update is out yet actually
Meltdown fixed in
macOS 10.13.2
Windows 10 Insider Preview Build 17063 (public patch next Tuesday)
Linux-Kernel 4.14.11
Amd stock up 5% from yesterday, Intel down 2%.
Installing the latest Linux kernel now. Let’s see…
UP to latest kernel and all seems well, but my main game isn’t working in background mode after some recent update which basically makes it unplayable.
LIinux’ boss said the patches are garbage and Intel is fooking insane, lol
Linus loves himself the f-word.
