[UPDATE 5: Intel's Spectre-focused BIOS updates causing crashes] Intel CPUs vulnerable

A vulnerability has been discovered in Intel CPU designs over the last 20 years. Due to their implementation of “speculative execution” - where a CPU will race ahead executing code before it has determined whether that code will be used by the program - carefully crafted code could be used to access protected kernel memory. This cannot be fixed with a microcode update.

Linux and Windows are in the process of being updated to workaround the problem. One synthetic test has shown the fix degrading performance by ~50%. It is thought that it will most commonly be between 5% and 30%, with gaming and web browsing hardly affected and servers typically being more affected than desktops due to their differing workloads.

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/




Update: A second, harder to exploit, but more difficult to fix bug has been found. See here.

Update 2: AMD and Intel respond. See here.

Update 3: Microsoft Windows update is NOT safe for Athlon systems. See here.

Update 4: Microsoft pulls the patch for AMD systems. See here.

Update 5: Intel's turn to admit their fixes cause crashes. See here.



Not really an update per se, but this is a good read if you’re interested in who discovered these vulnerabilities, and how they did so. Very accessible article, even if you’re not particularly comfortable with kernels, microcode, and CPU architectures. :)

I'd be mildly surprised if game performance isn't hit more in the range of 15-20% from the fix.. we are after all talking about the addition of another layer of cumputing needed to be called on every operation a process requires the cpu for at all, regardless of load size or intensity.

Of course we'll still have to wait and see though for now :)

A critical design flaw in virtually all microprocessors allows attackers to dump the entire memory contents off of a machine/mobile device/PC/cloud server etc. Our story on the motherlode of all vulnerabilities just posted here. More will be post soon.

We're dealing with two serious threats. The first is isolated to Intel chips, has been dubbed Meltdown, and affects virtually all Intel microprocessors. The patch, called KAISER, will slow performance speeds of processors by as much as 30 percent. The second issue is a fundamental flaw in processor design approach, dubbed Spectre, which is more difficult to exploit, but affects virtually ALL PROCESSORS ON THE MARKET (Note here: Intel stock went down today but Spectre affects AMD and ARM too), and has NO FIX.

Spectre will require a complete re-architecture of the way processors are designed and the threats posed will be with us for an entire hardware lifecycle, likely the next decade. The basic issue is the age old security dilemma: Speed vs Security. For the past decade, processors were designed to gain every performance advantage. In the process, chipmakers failed to ask basic questions about whether their design was secure. (Narrator: They were not)

Meltdown and Spectre show that it is possible for attackers to exploit these design flaws to access the entire memory contents of a machine. The most visceral attack scenario is an attacker who rents 5 minutes of time from an Amazon/Google/Microsoft cloud server and steals data from other customers renting space on that same Amazon/Google/Microsoft cloud server, then marches onto another cloud server to repeat the attack, stealing untold volumes of data (SSL keys, passwords, logins, files etc) in the process.

Basically, the motherlode. Meltdown can be exploited by any script kiddie with attack code. Spectre is harder to exploit, but nearly impossible to fix, short of shipping out new processors/hardware. The economic implications are not clear, but these are serious threats and chipmakers like Intel will have to do a full recall -- unclear if there's even manufacturing capacity for this -- OR customers will have to wait for secure processors to reach the market, and do their own risk analysis as to whether they need to swap out all affected hardware. But judging by stock moves today (Intel down, AMD up), investors didn't know that, taken together, Spectre and Meltdown affect all modern microprocessors.

Meltdown and Spectre affect most chipmakers including those from AMD, ARM, and Intel, and all the devices and operating systems running them (Google, Amazon, Microsoft, Apple, etc). The flaws were originally discovered last June by a researcher at Google Project Zero (shout out @ Jann Horn) and then separately by Paul Kocher and a crew of highly impressive researchers at Rambus and academic institutions. Originally public disclosure was set for next week. But news of Meltdown started to leak out (shout out @ The Register) yesterday, so the disclosure was moved up a week to right now.

The problem with this rushed timeline is that we don't necessarily know when to expect Meltdown patches from tech companies. Google says its systems have been updated to defend against Meltdown. Microsoft issued an emergency update today. Amazon said it protected AWS customers running Amazon's tailored Linux version, and would roll out the Microsoft patch for other customers today.


—Nicole Perlroth
Cybersecurity reporter, New York Times

“Based on the analysis to date, many types of computing devices - with many different vendors’ processors and operating systems - are susceptible to these exploits...” —Intel
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/


“Differences in AMD architecture mean there is a near zero risk of exploitation...” —AMD
https://www.amd.com/en/corporate/speculative-execution


If you’re interested in an impartial source more interested in facts about the vulnerabilities than scoring points, this is the best one I’ve found thus far: https://spectreattack.com/


tl;dr: Multiple vulnerabilities discovered. Software updates can mitigate the risk but not eliminate it entirely. AMD’s CPUs are affected, but far less at risk than Intel’s. The fixes being pushed will degrade CPU performance - usually by a minimal amount (1-5%), but one test has shown a ~50% loss in performance. Web browsing and most games will see the least impact.


Edit: The Google team were testing old AMD FX CPUs, not Ryzen models.

Holy shit! I smell lawsuits.

"

kolyaboo wrote:

Holy shit! I smell lawsuits.

The fun thing is that Intel has rules on share ownership. In November, while developers were working on fixing these problems, Intel’s CEO sold $11 million’s worth - leaving him with exactly the minimum required by Intel’s rules. Coincidences sure are fun, aren’t they?

"

Sarno wrote:

https://hothardware.com/news/intel-cpu-bug-kernel-memory-isolation-linux-windows-macos

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

I’d speculate that, for most games, you’ll see around a 5% loss. Some will be drastically worse.

As it’s fixing a security problem, not installing the update won’t really be an option...


Update: See here.

Given that some people manage exceptionally bad PC's that perform way way worse than they should going by the hardware i would expect it will make the game near unplayable for some.

One post in bug reports alleging that he had a windows update to fix the meltdown one,and it apparently broke dynamic resolution.

https://www.youtube.com/watch?v=PEmC5-BdO28

First half hour pretty much all on the vulnerabilities.

Good wee tidbit, is that MS has found that trying to fix the problem is borking some anti viruse programs.

"

lagwin1980 wrote:

https://www.youtube.com/watch?v=PEmC5-BdO28

Never personally been fond of Linus and gang tbh. :/

I watched for a few minutes and got the impression they're mostly just reading an Ars Technica article about it, which I'd probably recommend people read themselves instead.

I loved "Intel Inside..... Trader" in the comments, though.



The first three class-action lawsuits have been filed: https://arstechnica.com/gadgets/2018/01/intel-faces-class-action-lawsuits-regarding-meltdown-and-spectre/

It'll be interesting to see where those end up.