Intel Releasing Updates That Immunize Systems Against Meltdown and Spectre

DooKey

Intel has released a PR statement saying they have released updates for Meltdown and Spectre that make systems immune from both exploits. Supposedly they are doing this with firmware and software patches. Also, they will have updates issued for 90% of the processors introduced over the last 5 years by the end of next week. They appear to be confident that performance impact will be able to be worked around with additional software updates. However, I'll take all of this with a grain of salt until independent sources confirm these claims.

Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time. While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.
 
Wonder how it would be rolled out when 99% of Intel users will be unaware or forget in a month... Windows updates?
 
However, I'll take all of this with a grain of salt until independent sources confirm these claims.
PCPer ran early tests and the differences between them were minimal. In one instance, an increase of performance was had. I'd guess that's margin of error territory though.

They were of the opinion the performance hit would be unnoticeable unless you run huge compute clusters on the scale of Amazon or Microsoft.

Still, I'll hold final judgement until I see more than talk in the podcast and/or other sources confirming those results.
 
How much do you want to bet that "typical users" doesn't include gamers? I want to see updated benchmarks and see what impact this is having on games!
 
Also, they will have updates issued for 90% of the processors introduced over the last 5 years by the end of next week.

Worst bit is I have a feeling that those of us with older hardware are gonna get royally fucked in all this. I'll eat my hat if I see a firmware/microcode update from Asus or Intel.
 
Worst bit is I have a feeling that those of us with older hardware are gonna get royally fucked in all this. I'll eat my hat if I see a firmware/microcode update from Asus or Intel.

Home users don't have a lot to fear from this. Remember, for this to work...something bad already has to be there to do something bad.
 
So are firmware updates delivered in BIOS updates?


I'm guessing some of the updates will be BIOS updates, but there is NO 100% fix for this flaw that can be corrected by any type of update, only mitigated till the next flaw is found.
 
Intel has released a PR statement saying they have released updates for Meltdown and Spectre that make systems immune from both exploits. Supposedly they are doing this with firmware and software patches. Also, they will have updates issued for 90% of the processors introduced over the last 5 years by the end of next week. They appear to be confident that performance impact will be able to be worked around with additional software updates. However, I'll take all of this with a grain of salt until independent sources confirm these claims.

Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time. While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.
so for the last 5 years only... basically creating obsolescence of older yet still functional computers since they are open to this security flaw...
 
Like JavaScript on a webpage?

Like keeping your browser updated? If your browser is up to date and you don't use plugins from less than reputable sources...these two issues are zero issue. The real issue is when you don't have control (e.g. cloud computing) of who is playing on your HW and in what way.

Honestly...I'm glad that this happened NOW. Flaws will always exist in any system at any level. Whether or not those flaws can be exploited is often very hard to determine. In aerospace we actually use HW-based systems to prevent sandboxes from playing with other sandboxes. But, it comes at a cost. Back then...the cost was VERY high in terms of performance and $. With silicon being so capable now and actually a body of knowledge and very smart people, we might actually be able to start creating better secure computing platforms at the HW level that still perform well. The issue with this is people might become complacent and use this to shift the blame away from other flaws/issues.
 
I just don't know about this whole thing. I mean, this is a big deal. There has to be a way to prevent these exploits on a high level like the browser, since it is web based. This whole hacking business over the past year is accelerating at an astonishing pace. We can't keep up.
 
How much do you want to bet that "typical users" doesn't include gamers? I want to see updated benchmarks and see what impact this is having on games!

I saw a decent video on YouTube benchmarking the Windows Update(s)... Obviously once the microcode is released things could be different.
 
I just don't know about this whole thing. I mean, this is a big deal.
Not really. It's a hard-to-do hack that leaks random info from memory very slowly. It doesn't crash the system or elevate the attacker's privilege. And you have to give the attacker access, such as surfing an infected web page with an unpatched browser or downloading an infected application.

But this is the Internet, and unwarranted hysteria is the norm.
 
So are firmware updates delivered in BIOS updates?
I'm guessing it is through a BIOS update. I don't see how it is safe to push a microcode update for the CPU through Windows Update. If something goes wrong during the update, would it brick your CPU?
 
Like keeping your browser updated? If your browser is up to date and you don't use plugins from less than reputable sources...these two issues are zero issue. The real issue is when you don't have control (e.g. cloud computing) of who is playing on your HW and in what way.

Honestly...I'm glad that this happened NOW. Flaws will always exist in any system at any level. Whether or not those flaws can be exploited is often very hard to determine. In aerospace we actually use HW-based systems to prevent sandboxes from playing with other sandboxes. But, it comes at a cost. Back then...the cost was VERY high in terms of performance and $. With silicon being so capable now and actually a body of knowledge and very smart people, we might actually be able to start creating better secure computing platforms at the HW level that still perform well. The issue with this is people might become complacent and use this to shift the blame away from other flaws/issues.


To quote our commandchild in chief, "WRONG".... Keeping your browser updated is not going to completely protect you from JS exploits.... They are always playing a game of catch up, and that is only for known exploits. So don't assume you are safe just because you have your browser updated and haven't downloaded shady plugins.....
 
But this is the Internet, and unwarranted hysteria is the norm.

The problem isn't really the home user IMHO.

The real danger comes from the enterprise end where companies are renting server access. The flaw can be executed by anyone with server access. Meaning I can rent legit server space on a cluster with thousands of other customers, exploit the vulnerability, dump the memory of everyone on the server. You don't need to "hack" your way into many of these systems. You just give them a few bucks and they let you right in, that's what makes this so scary.
 
this exploit is not easily exploited and the risk is very low...I would not worry about it in most cases...apparently the user also needs to actively allow the exploit to run on their computer much like typical malware/virus...so as long as you practice normal safe habits this is a non-issue
 
The problem isn't really the home user IMHO.

The real danger comes from the enterprise end where companies are renting server access. The flaw can be executed by anyone with server access. Meaning I can rent legit server space on a cluster with thousands of other customers, exploit the vulnerability, dump the memory of everyone on the server. You don't need to "hack" your way into many of these systems. You just give them a few bucks and they let you right in, that's what makes this so scary.
My understanding is that if the server resource vendor puts you under your own hypervisor, that no one else is using, the only data you could access with this hack is your own.
Not that scary, but maybe not as efficient a work-around as the resource vendor would like.
 
How much do you want to bet that "typical users" doesn't include gamers? I want to see updated benchmarks and see what impact this is having on games!

As I understand it the performance hit happens when switching to the kernel and back and so gaming shouldn't be affected much. I forgot where I read this.
 
To quote our commandchild in chief, "WRONG".... Keeping your browser updated is not going to completely protect you from JS exploits.... They are always playing a game of catch up, and that is only for known exploits. So don't assume you are safe just because you have your browser updated and haven't downloaded shady plugins.....

Pedantic fuckery is boring. I could be hit by a bus today, a meteor could fall from the sky on my car as I drive to work. Shit...somebody could decide my wallet looks nice and stab me causing a stroke making me an invalid in a hospital for the rest of my life costing me everything I have earned and put a massive hurt on the taxpayer to pay for my long term care. I don't assume I'm safe...but I'm not a paranoid schmuck who lives to hyperbolic chicken-little everything in order to think they have relevance in the universe.

Take basic steps, manage obvious risks and move on with life. Again....the amount of shit around this issue is just amazing. Guess the media need a change of pace before they start going after Trump again. Allows people in technical academics to have their 5 minutes of fame on TV or radio as they try and explain it in "simple terms" while at the same time making it sound scary but giving hope. This is media profiteering and people are lapping it up.

The only reason why we know about this issue at this exact point is that there is an agreed reasonable plan to manage it. It was kept very tight lipped and probably 100's of very bright people worked on it for months.
 
Pedantic fuckery is boring. I could be hit by a bus today, a meteor could fall from the sky on my car as I drive to work. Shit...somebody could decide my wallet looks nice and stab me causing a stroke making me an invalid in a hospital for the rest of my life costing me everything I have earned and put a massive hurt on the taxpayer to pay for my long term care. I don't assume I'm safe...but I'm not a paranoid schmuck who lives to hyperbolic chicken-little everything in order to think they have relevance in the universe.

Take basic steps, manage obvious risks and move on with life. Again....the amount of shit around this issue is just amazing. Guess the media need a change of pace before they start going after Trump again. Allows people in technical academics to have their 5 minutes of fame on TV or radio as they try and explain it in "simple terms" while at the same time making it sound scary but giving hope. This is media profiteering and people are lapping it up.

The only reason why we know about this issue at this exact point is that there is an agreed reasonable plan to manage it. It was kept very tight lipped and probably 100's of very bright people worked on it for months.
Take a look at the person you quoted. Then remember Intel's CEO came out as pro-Trump (meaning he didn't relentlessly bash Trump 24/7). The picture becomes stupidly clear, even if you don't want it to be.
 
I have MS's patch but no software patches or firmware updates around this as of yet. So far I haven't been able to notice a real impact with the system in my signature.
 
To quote our commandchild in chief, "WRONG".... Keeping your browser updated is not going to completely protect you from JS exploits.... They are always playing a game of catch up, and that is only for known exploits. So don't assume you are safe just because you have your browser updated and haven't downloaded shady plugins.....

As someone who writes JS for a living I always tell people to just disable it but no one ever listens to me.
 
Worst bit is I have a feeling that those of us with older hardware are gonna get royally fucked in all this. I'll eat my hat if I see a firmware/microcode update from Asus or Intel.

Asus is the absolute worst for abandoning older motherboards.
 
Like keeping your browser updated? If your browser is up to date and you don't use plugins from less than reputable sources...these two issues are zero issue. The real issue is when you don't have control (e.g. cloud computing) of who is playing on your HW and in what way.

Honestly...I'm glad that this happened NOW. Flaws will always exist in any system at any level. Whether or not those flaws can be exploited is often very hard to determine. In aerospace we actually use HW-based systems to prevent sandboxes from playing with other sandboxes. But, it comes at a cost. Back then...the cost was VERY high in terms of performance and $. With silicon being so capable now and actually a body of knowledge and very smart people, we might actually be able to start creating better secure computing platforms at the HW level that still perform well. The issue with this is people might become complacent and use this to shift the blame away from other flaws/issues.


"Browser is up to date and don't use plug ins from less reputable sources" So what about the other 2 Billion people?
 
"Intel has released a PR statement."

Okay good enough for me, I feel all warm and safe now.

Yeah but it came with a nice patch thru windows update that will somehow enable new telemetry to keep track of who is "warm and safe now" ;)
 
As someone who writes JS for a living I always tell people to just disable it but no one ever listens to me.

IT manager for years and recently moved to devops, all at software dev companies. I always use an internet condom (noscript) to avoid any diseases from the shady JS hanging around the corners on some sites.....
 
"Browser is up to date and don't use plug ins from less reputable sources" So what about the other 2 Billion people?
Do you really care about them?
I don't. I don't even know who they are.

Compared to the threat of IoT bot networks, this is all piddling.
 
To quote our commandchild in chief, "WRONG".... Keeping your browser updated is not going to completely protect you from JS exploits.... They are always playing a game of catch up, and that is only for known exploits. So don't assume you are safe just because you have your browser updated and haven't downloaded shady plugins.....

lol... troll much troll?

.
 
Worst bit is I have a feeling that those of us with older hardware are gonna get royally fucked in all this. I'll eat my hat if I see a firmware/microcode update from Asus or Intel.
Be careful what you say...
 
Visiting questionable sites without addons blocked or disabled?

As it's been mentioned, it's not always questionable websites. Security patches come after an exploit, so it's never safe to assume you're 100% secure on unquestionable sites.

It wasn't too long ago that a crafty user using some key escape characters could execute JavaScript within a comment box on a website. Heck, I still come across reputable (as in, not porn/drug related) websites that are vulnerable to injection. Some of this stuff can be patched by the browser (e.g. cross-script) after they know about it.
 