BitDefender Researchers Discover "Terrifying" Security Vulnerability in Intel CPUs

Are you just blabbing this out of your ass or do you actually have proof to the contrary? We know Intel can and does do shady things but one thing they cannot do is outright lie to their customers. Especially now when they're trying to rebuild their image.
Intel 64, Family 6, Model 158, Stepping 12.... is more software mitigation than hardware (which is the group of 9 Series processors I use). Furthermore, the Coffee Lake processors that have the mitigations in them are only Intel64 Family 6 Model 142 Stepping 12 & Intel64 Family 6 Model 142 Stepping 11 (which aren't even the desktop processors we use). That data is from May 14th, 2019 from Intel directly. You can look it up yourself. They are relying on OS patching and BIOS patching rather than actually correcting the flaws in the actual silicon. If this currently reported security vulnerability is any indication, Intel knew about today's issue over a year ago and said nothing about it, nor did they bother to roll out the patches in microcode & software in advance... Why is that? Because it all slows their processors down. Most of these issues are so serious they would require Intel to completely redesign their processors and they're not going to do that. The way they work they might as well flush Hyperthreading down the toilet. They're not going to do that either.

What corporation doesn't outright lie to their customers? Honestly, what world are you living in? Everyone does this. I use whatever processor suits my needs the best. I'm not just pointing the finger solely at Intel here. I am simply stating that the impact of hardware level mitigation would suck the life out of Intel's lineup when compared to AMD's upcoming product stack. That being said, both AMD and Intel have lied to their customers before on numerous occasions. Nvidia does it, Walmart does it, every car company does it, our legislators do it, most of the women I have dated do it, most of the men and women I know do it, etc.

Now getting to rebuilding that image... If Intel actually delivers a product that doesn't bend its clientele over a table without asking permission or kissing them first... We will have to wait and see about that. Intel's image enhancement hasn't been impacted by much of shit as of lately. People like Kyle are probably working their asses off fighting their way through years of corporate bullshit and attempting to dilute it enough to actually effect that kind of change. Just because a company says they're going to do something doesn't instantaneously make them the shining paragon of the entire industry. Change takes time. People take years to change and at a corporate level Intel will not be so different than that.
 
With the release of this news, all the head-hunting from other competitor companies makes much more sense as well, both within their graphics division and not (like Jim Keller).
 
Edit: NVM, misread.

As long as Intel can reasonably mitigate the exploit, things would be fine. Let's see how much of a performance impact the fixes have first.

The correct response is, my apologies for making a knee jerk, combative response to a factually correct post that I misread.
 
I know this is a bit different than Spectre and Meltdown... but it sounds like the cause is the same.

Intel engineers haven't respected ring 0 kernel mode security for ages. It's why their hyper threading has major issues... I mean their unpatched chips basically don't bother to check if bits have permission to be there until after they execute. (just saying it out loud even complete laypersons know that is bad... let's unlock the door and then check and see if that shady looking dude had a key)

I didn't go and read all the deep dives on MDS but it sure sounds like the same flawed design thinking is the main issue.

Also just have to note... all these companies like MS and Google saying "we will work with affected hardware manufacturers" I love how no one wants to name Intel. Makes me hope AMD can 100% confirm this has nothing to do with them and add it to their repertoire of sales material. Intel is 10% faster if you run it as set by the factory... but expect to be owned, and/or lose 10% of your performance annually as Intel is forced to patch their hardware cheats. lol
 
I know this is a bit different than Spectre and Meltdown... but it sounds like the cause is the same.

Intel engineers haven't respected ring 0 kernel mode security for ages. It's why their hyper threading has major issues... I mean their unpatched chips basically don't bother to check if bits have permission to be there until after they execute. (just saying it out loud even complete laypersons know that is bad... let's unlock the door and then check and see if that shady looking dude had a key)

I didn't go and read all the deep dives on MDS but it sure sounds like the same flawed design thinking is the main issue.

Also just have to note... all these companies like MS and Google saying "we will work with affected hardware manufacturers" I love how no one wants to name Intel. Makes me hope AMD can 100% confirm this has nothing to do with them and add it to their repertoire of sales material. Intel is 10% faster if you run it as set by the factory... but expect to be owned, and/or lose 10% of your performance annually as Intel is forced to patch their hardware cheats. lol

Nice to see some people enjoying this all.
 
Nice to see some people enjoying this all.

Well I wouldn't wanna be a told ya so of course. ;) lol

Honestly anyone that was still buying Intel after S&M last year is a moron.

They pointed out the biggest issue with going Intel... a complete shit sales first culture.

It was obvious why S&M happened. Some engineer (or far worse some team of engineers) hit a performance bottleneck and instead of taking the proper amount of time to find a better way... or say this is the wall for this design, marketing be damned. Someone actually said... hmm what if the chip simply moves the code into Ring 0 first, runs the code... and IF that code ends up needed let's check the key at that point. Saves us 20-30% key lookups and boom we hit our performance target. Bonuses for everyone !!!

With that type of culture it should be obvious the next major issue is just down the road. Now that MDS is out and will likely erode another 5-15% performance (best case), anyone wanna bet how long it will be until the next OH Crap flaw is discovered? My money is on 6 months... as it's clear Intel's engineering teams have been given tight timelines and hefty performance goals. To hit them they have been willing to cut some serious corners and their bosses are either laypeople that have no idea, or worse they know and are all about the $.

Like it or not.... these corners are not being cut at the competition, and if a lazy or incapable engineer over there tried to cut a corner by saying let's just skip this and move everything to kernel mode, they would have to slide it past a boss that didn't come up through the sales channel and knows more about CPU design than they do.
 
Well I wouldn't wanna be a told ya so of course. ;) lol

Honestly anyone that was still buying Intel after S&M last year is a moron.

They pointed out the biggest issue with going Intel... a complete shit sales first culture.

It was obvious why S&M happened. Some engineer (or far worse some team of engineers) hit a performance bottleneck and instead of taking the proper amount of time to find a better way... or say this is the wall for this design, marketing be damned. Someone actually said... hmm what if the chip simply moves the code into Ring 0 first, runs the code... and IF that code ends up needed let's check the key at that point. Saves us 20-30% key lookups and boom we hit our performance target. Bonuses for everyone !!!

With that type of culture it should be obvious the next major issue is just down the road. Now that MDS is out and will likely erode another 5-15% performance (best case), anyone wanna bet how long it will be until the next OH Crap flaw is discovered? My money is on 6 months... as it's clear Intel's engineering teams have been given tight timelines and hefty performance goals. To hit them they have been willing to cut some serious corners and their bosses are either laypeople that have no idea, or worse they know and are all about the $.

Like it or not.... these corners are not being cut at the competition, and if a lazy or incapable engineer over there tried to cut a corner by saying let's just skip this and move everything to kernel mode, they would have to slide it past a boss that didn't come up through the sales channel and knows more about CPU design than they do.

I will take that bet and ante up. I am guessing that another flaw has already been detected and the people that reported it have to wait another year before releasing it. As far as the performance hits are concerned, I have to agree. There's something else I didn't say before. All the mitigations to these security flaws come after the CPUs have already been benchmarked. Kind of like how AAA developers will wait to introduce micro-transactions until a game has already been reviewed and released to massive fanfare. It's all staged to show their processors in the best possible light. The average lay person wouldn't know that you're looking at a processor that is going to be dog slow if the hardware manufacturer actually implements all the fixes for their architecture. I wonder what the final, actual, performance of these chips will be like fully patched vs what they were before.
 
Do we have any benchmarks showing the cumulative performance impact of all the mitigations?
 
Oh this is good... as much as I hate referencing The Verge, Intel is currently facing 32 lawsuits regarding Spectre and Meltdown and that was back at the beginning of 2018. (Source) How much do you want to bet that the number of lawsuits is much larger now? Yeah...
 
It's not just hyper threading though. It's the entire out of order execution pipeline that is the problem. Essentially it's like going to Atom level performance.


Intel tried Netburst and ultimately failed. Athlon 64 ate its breakfast. Intel could not take back the performance lead without abandoning Netburst and going back to re-engineer their PPro to use a more efficient but smaller pipeline. They also made a conscious decision to sacrifice security for the sake of performance. It worked. For a time.

Now they're reaping what they sowed.
 
After the software patch, do you still need HT disabled? haven't had much time to read this week
 
Don't run untrusted code, seems like the best advice regardless of where the vulnerability is. Browser people need to wake up and stop running Javascript willy nilly.
 
After the software patch, do you still need HT disabled? haven't had much time to read this week
I don't honestly know. However after reading other companies mitigations of the issues there are instances where they say you still have to disable it. The big one I looked at today was Google and their mitigations required disabling HT on certain server implementations.

It also depends on how fast our respective motherboard manufacturers get the microcode patch out. That could be a really long time... Especially if Intel says they patched it and then tells vendors to wait to roll it out. Even if thats not the case, most MB manufacturers will roll the BIOS out in QA and Beta prior to actually releasing the full update.
 
The problem is, that even if vendors start switching to AMD en masse, AMD will not be able to supply the volume that's required to handle anywhere close to the volume Intel can.
 
The problem is, that even if vendors start switching to AMD en masse, AMD will not be able to supply the volume that's required to handle anywhere close to the volume Intel can.

I suspect a lot of large scale Intel customers will simply ride it out rather than switching completely over.
 
The problem is, that even if vendors start switching to AMD en masse, AMD will not be able to supply the volume that's required to handle anywhere close to the volume Intel can.

That's true, Intel really does have 14nm(+++++++++++) in the bag.
 
Intel 64, Family 6, Model 158, Stepping 12.... is more software mitigation than hardware (which is the group of 9 Series processors I use). Furthermore, the Coffee Lake processors that have the mitigations in them are only Intel64 Family 6 Model 142 Stepping 12 & Intel64 Family 6 Model 142 Stepping 11 (which aren't even the desktop processors we use). That data is from May 14th, 2019 from Intel directly. You can look it up yourself. They are relying on OS patching and BIOS patching rather than actually correcting the flaws in the actual silicon. If this currently reported security vulnerability is any indication, Intel knew about today's issue over a year ago and said nothing about it, nor did they bother to roll out the patches in microcode & software in advance... Why is that? Because it all slows their processors down. Most of these issues are so serious they would require Intel to completely redesign their processors and they're not going to do that. The way they work they might as well flush Hyperthreading down the toilet. They're not going to do that either.

What corporation doesn't outright lie to their customers? Honestly, what world are you living in? Everyone does this. I use whatever processor suits my needs the best. I'm not just pointing the finger solely at Intel here. I am simply stating that the impact of hardware level mitigation would suck the life out of Intel's lineup when compared to AMD's upcoming product stack. That being said, both AMD and Intel have lied to their customers before on numerous occasions. Nvidia does it, Walmart does it, every car company does it, our legislators do it, most of the women I have dated do it, most of the men and women I know do it, etc.

Now getting to rebuilding that image... If Intel actually delivers a product that doesn't bend its clientele over a table without asking permission or kissing them first... We will have to wait and see about that. Intel's image enhancement hasn't been impacted by much of shit as of lately. People like Kyle are probably working their asses off fighting their way through years of corporate bullshit and attempting to dilute it enough to actually effect that kind of change. Just because a company says they're going to do something doesn't instantaneously make them the shining paragon of the entire industry. Change takes time. People take years to change and at a corporate level Intel will not be so different than that.

As you suggested, I looked it up. Family 6 Model 158 Stepping 13 has full hardware mitigation for MDS, and is basically the current desktop 9th gen chip. Stepping 12 has partial hardware mitigation. Model 142 Stepping 12 appears to be wholly mobile chips, and there is some overlap on SKUs for both Model 158 and Model 142. What can be reasonably inferred is that Intel incorporated these changes over the product cycle of these chips, and new ones being made now should have full hardware mitigation.

Yes, it is misleading for them to say 8th and 9th gen chips have hardware mitigation and then mean that only current revisions have them. However, that is completely different from an outright lie, which would get them into legal trouble not only with consumers, but big dogs like Google and Microsoft. There is a huge difference between lying and misleading. All companies do the latter, companies that do the former eventually get caught and face big lawsuits. "We can neither confirm nor deny" and "No comment" are not lying statements.

It seems like you don't have a good understanding of how software security works. Working out a software solution to a vulnerability takes time. You have to make sure that the vulnerability is eliminated with the patch while also minimizing performance impacts. If there is no indication that the exploit is actively being used, it will always be kept quiet until everyone is ready to roll out the updates. You can see this was a coordinated one with patches from Redhat, Ubuntu, Google, Apple, and Microsoft ready to go the moment Intel made the announcement. A company never says "Here's an exploit, hang on to your beer while we work out a fix" unless they found the exploit already being utilized.
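Two questions keep coming up in this thread: which family/model/stepping actually has the silicon changes, and whether HT still needs to be off once the microcode and OS patches land. The following is an added example (not code from the thread, Intel, or any poster) that turns both into a check: the stepping table repeats exactly what the posters stated above and is not independently verified here, the /proc/cpuinfo sample is constructed, and the status-line format is that of the Linux kernel's /sys/devices/system/cpu/vulnerabilities/mds file.

```python
# Added example, not code from the thread or from Intel: check a machine's
# family/model/stepping against the MDS hardware-mitigation claims made in the
# posts above, and read the kernel's MDS status line to see whether SMT/HT is
# still flagged after the patches.
import re

# Stepping table exactly as the posters stated it (not independently verified here).
THREAD_MDS_TABLE = {
    (6, 158, 13): "full hardware mitigation (current desktop 9th gen, per thread)",
    (6, 158, 12): "partial hardware mitigation (desktop 9th gen, per thread)",
    (6, 142, 12): "hardware mitigation, mobile part (per thread)",
    (6, 142, 11): "hardware mitigation, mobile part (per thread)",
}

# Constructed sample of /proc/cpuinfo, trimmed to the fields that matter.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 158
model name\t: Intel(R) Core(TM) sample CPU (constructed)
stepping\t: 12
"""


def parse_cpuinfo(text):
    """Return (family, model, stepping) for the first logical CPU in cpuinfo text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        # "model name" is a different key from "model"; exact match keeps them apart.
        if sep and key in ("cpu family", "model", "stepping") and key not in fields:
            fields[key] = int(value.strip())
        if len(fields) == 3:
            break
    if len(fields) != 3:
        raise ValueError("cpu family / model / stepping not found")
    return fields["cpu family"], fields["model"], fields["stepping"]


def classify_stepping(fms):
    """Map (family, model, stepping) to what the thread says about silicon fixes."""
    return THREAD_MDS_TABLE.get(fms, "not listed in the thread; rely on microcode + OS status")


def parse_mds_sysfs(line):
    """Parse /sys/devices/system/cpu/vulnerabilities/mds.

    Format: "<state>; SMT <smt state>" where state is "Vulnerable...",
    "Mitigation: Clear CPU buffers", or the bare "Not affected".
    """
    line = line.strip()
    if line == "Not affected":
        return {"affected": False, "mitigated": True, "smt_state": None}
    state, _, smt = line.partition(";")
    m = re.match(r"SMT\s+(.+)", smt.strip())
    return {
        "affected": True,
        "mitigated": state.strip().startswith("Mitigation:"),
        "smt_state": m.group(1).strip() if m else None,
    }


def ht_still_a_concern(mds):
    """True when the kernel says SMT is still exposed, or cannot tell (e.g. a VM guest)."""
    if not mds["affected"]:
        return False
    if not mds["mitigated"]:
        return True
    # "disabled" and "mitigated" are the only SMT states that settle the question.
    return mds["smt_state"] not in ("disabled", "mitigated")


def report(cpuinfo_text, mds_line):
    """Combine the silicon claim from the thread with the live kernel status."""
    fms = parse_cpuinfo(cpuinfo_text)
    mds = parse_mds_sysfs(mds_line)
    return {
        "fms": fms,
        "silicon": classify_stepping(fms),
        "kernel": mds,
        "ht_still_a_concern": ht_still_a_concern(mds),
    }


if __name__ == "__main__":
    # Constructed status line: microcode applied, HT left on.
    print(report(SAMPLE_CPUINFO, "Mitigation: Clear CPU buffers; SMT vulnerable"))
```

On a real box, feed it the contents of /proc/cpuinfo and the mds sysfs file instead of the constructed sample; a "SMT vulnerable" tail after a "Mitigation:" state is the kernel's way of saying the buffer clearing is in place but HT is still on.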
 
As you suggested, I looked it up. Family 6 Model 158 Stepping 13 has full hardware mitigation for MDS, and is basically the current desktop 9th gen chip. Stepping 12 has partial hardware mitigation. Model 142 Stepping 12 appears to be wholly mobile chips, and there is some overlap on SKUs for both Model 158 and Model 142. What can be reasonably inferred is that Intel incorporated these changes over the product cycle of these chips, and new ones being made now should have full hardware mitigation.

Yes, it is misleading for them to say 8th and 9th gen chips have hardware mitigation and then mean that only current revisions have them. However, that is completely different from an outright lie, which would get them into legal trouble not only with consumers, but big dogs like Google and Microsoft. There is a huge difference between lying and misleading. All companies do the latter, companies that do the former eventually get caught and face big lawsuits. "We can neither confirm nor deny" and "No comment" are not lying statements.

It seems like you don't have a good understanding of how software security works. Working out a software solution to a vulnerability takes time. You have to make sure that the vulnerability is eliminated with the patch while also minimizing performance impacts. If there is no indication that the exploit is actively being used, it will always be kept quiet until everyone is ready to roll out the updates. You can see this was a coordinated one with patches from Redhat, Ubuntu, Google, Apple, and Microsoft ready to go the moment Intel made the announcement. A company never says "Here's an exploit, hang on to your beer while we work out a fix" unless they found the exploit already being utilized.

There was an article I read today about how the upcoming chip, I think it was "Whiskey Lake", will have no hardware mitigations in it. None of us can take it on faith for Intel to do the right thing for future releases.

Microcode + Software is not a hardware fix. I don't expect we will see hardware resolutions to all of these if they destroy the performance of the processors. Also, the latest estimates of the patches that were just released say that on the server side of the spectrum these mitigations slow server workloads down by up to 9% in certain workloads. I would be interested in seeing a "to date" speed penalty these are applying in real world tasks to desktop enthusiasts.

I understand that the security takes time to implement. Thus Intel reached out to its big partners and informed them of the security issue. So, they've had over a year to patch for this. The article in question doesn't read all that "warm and fuzzy" for the wonderfully transparent company that Intel is supposed to be. Seeing as at least one claim says Intel tried bribing the people that discovered the security flaw into silence and downplaying the severity of the issue. Most of the people that explore the vulnerabilities afford the processor manufacturer about a year. Why not circumvent the article altogether and release the information themselves? After the stuff is patched. Why allow the bad PR to even hit them if they were ready and waiting in the wings with a microcode mitigation they would then have to send to motherboard manufacturers after the story aired? Their current approach to transparency is bullshit. So, Kyle and the other guys going over there to work on that image are going to have one helluva time changing that environment.
 
I'm just happy that this is forcing the major vendors to start putting out and pushing AMD systems. Hoping Dell starts shipping Optiplex systems with a Ryzen in the near future.

Who still buys prebuilt desktops these days?

In the enterprise world, at every job I've been in in the last 10 years, pretty much everyone has been issued laptops. Production floor type people have been using various types of thin clients.

The consumer world is mostly a sea of crappy $250 laptop specials and chromebooks.

I just assumed that outside of the enthusiast and "gamer" communities where people tend to build their own, the desktop was essentially dead. You can't even give away a couple of year old prebuilt desktop on Craigslist for free...
 
Who still buys prebuilt desktops these days?

In the enterprise world, at every job I've been in in the last 10 years, pretty much everyone has been issued laptops. Production floor type people have been using various types of thin clients.

The consumer world is mostly a sea of crappy $250 laptop specials and chromebooks.

I just assumed that outside of the enthusiast and "gamer" communities the desktop was essentially dead. You can't even give away a couple of year old prebuilt desktop on Craigslist for free...
I have a healthy mix, most of my desktops are now all in ones, I have a decreasing number of Windows and OSX laptops because they are mostly being replaced with Chromebooks/Chromebox and Citrix, so I can't disagree with that at all but their sales are still pretty large especially in the mini tower formats. I am still trying to figure out a way to sell accounting on the idea that I need a new Threadripper desktop for my office to work as an emergency server in the case of a massive failure though ....
 
There was an article I read today about how the upcoming chip, I think it was "Whiskey Lake", will have no hardware mitigations in it. None of us can take it on faith for Intel to do the right thing for future releases.

Microcode + Software is not a hardware fix. I don't expect we will see hardware resolutions to all of these if they destroy the performance of the processors. Also, the latest estimates of the patches that were just released say that on the server side of the spectrum these mitigations slow server workloads down by up to 9% in certain workloads. I would be interested in seeing a "to date" speed penalty these are applying in real world tasks to desktop enthusiasts.

I understand that the security takes time to implement. Thus Intel reached out to its big partners and informed them of the security issue. So, they've had over a year to patch for this. The article in question doesn't read all that "warm and fuzzy" for the wonderfully transparent company that Intel is supposed to be. Seeing as at least one claim says Intel tried bribing the people that discovered the security flaw into silence and downplaying the severity of the issue. Most of the people that explore the vulnerabilities afford the processor manufacturer about a year. Why not circumvent the article altogether and release the information themselves? After the stuff is patched. Why allow the bad PR to even hit them if they were ready and waiting in the wings with a microcode mitigation they would then have to send to motherboard manufacturers after the story aired? Their current approach to transparency is bullshit. So, Kyle and the other guys going over there to work on that image are going to have one helluva time changing that environment.

We will see a hardware fix when Intel releases a new architecture; in the meantime there is no way to fix the issue at a hardware level for these chips as it seems to be inherently flawed. Software & microcode is about the only way to go about this for the time being.
 
I have a healthy mix, most of my desktops are now all in ones, I have a decreasing number of Windows and OSX laptops because they are mostly being replaced with Chromebooks/Chromebox and Citrix, so I can't disagree with that at all but their sales are still pretty large especially in the mini tower formats. I am still trying to figure out a way to sell accounting on the idea that I need a new Threadripper desktop for my office to work as an emergency server in the case of a massive failure though ....

Yeah, since my first professional job after college in 2003, I've gone from one Dell Latitude with a dock, to another Dell Latitude with a dock.

I've never been in a non Dell shop, and never not had a Latitude with a dock. :p
 
Yeah, since my first professional job after college in 2003, I've gone from one Dell Latitude with a dock, to another Dell Latitude with a dock.

I've never been in a non Dell shop, and never not had a Latitude with a dock. :p
I am not a fan of their new USB-C based docks for the Latitudes, it just kind of floats around the desk and doesn't really give the laptop a proper home like the old ones with the slot on the bottom, but the new Latitudes are pretty.

Would be prettier running a Ryzen though ...
 
I am not a fan of their new USB-C based docks for the Latitudes, it just kind of floats around the desk and doesn't really give the laptop a proper home like the old ones with the slot on the bottom, but the new Latitudes are pretty.

Would be prettier running a Ryzen though ...

I saw one of those new docks, but I don't have one myself.


I thought to myself: "Gee I hope this is just another option, and they haven't gotten rid of their traditional docks". I meant to look it up but never did.

I gather they are gone then? That is a shame.

As far as them being pretty though? I guess. Doesn't really matter to me.

I currently have an i7-6600u based Latitude E7470 with 8GB of RAM. I kind of hate the Ultrabook style of laptops. I consider it too thin, and the 1440p screen is way too high resolution for its 14". For some bizarre reason it also has a touch screen which I have never intentionally used, and only causes problems when I accidentally come in contact with it.

I'm actually MUCH happier with my old school thick Latitude E6430s I use at home. Everything just works. The 1366x768 screen is perfect for its size, it fits a HUGE battery, and everything can be worked on, drives easily removed and replaced, RAM upgraded, etc. etc.

I just don't like the obsession with devices being thin and light, having stupidly high resolutions and touch screens.

No one ever asks me what hardware I want at work. It just shows up. While I have been very happy with my Latitudes of the past dating back to my first one, a D620, I would likely have chosen something different this time around if given a choice...
 
Who still buys prebuilt desktops these days?

I personally have access to three corporate desktops: 2 12-core Mac Pros (different years) and a 16 core HP workstation. One of the two Mac Pros is supposedly retired (well beyond IS&T's support bubble) but I'm not about to throw away a good 12-core machine when I can still do video rendering on it...

I was slated to get one of the new iMac Pros but they decided that a laptop was good enough until we get our entire workflow into the cloud which obviates the need for hefty bare iron.

The huge irony of all this multi-core goodness coming out is less of a need to get it when companies are pushing workflows outside of desktops workstations.
 
My decision to dump my ivy bridge based server and "downgrade" to an Opteron isn't looking so stupid now.
 
I have a skylake i5. This security shit sucks. I also don't need anything faster right now. I'm really torn.

I'll probably ride it out and take the risk. Next system will not be Intel.
 
If I switch to AMD now something terrible will happen to them too next year so I'm gonna save ya all and stay with Intel.
 
Maybe we just turn the PCs off for good? Toss the phones as well since they're watching and listening to everything we do.. toss the smart TVs since they're spying on us as well.. Nest thermostat.. did I leave anything out? Oh yeah.. OnStar since the Patriot Act allows them to listen to our every word as well.

Go back to 1980 tech and find something better to do?
 
Maybe we just turn the PCs off for good? Toss the phones as well since they're watching and listening to everything we do.. toss the smart TVs since they're spying on us as well.. Nest thermostat.. did I leave anything out? Oh yeah.. OnStar since the Patriot Act allows them to listen to our every word as well.

Go back to 1980 tech and find something better to do?

Go to bed.
 
Who still buys prebuilt desktops these days?

In the enterprise world, at every job I've been in in the last 10 years, pretty much everyone has been issued laptops. Production floor type people have been using various types of thin clients.

The consumer world is mostly a sea of crappy $250 laptop specials and chromebooks.

I just assumed that outside of the enthusiast and "gamer" communities where people tend to build their own, the desktop was essentially dead. You can't even give away a couple of year old prebuilt desktop on Craigslist for free...
Well to answer your anecdote with my own anecdote, my friend went from a job in insurance (serving Canada wide, and backed out of London, i.e. not small) where employees had desktops. Then recently switched to a new office job, also with actual desktops.

Places still do the desktop thing.

Different anecdote: my mom works at the vet's office. About 14 years ago they replaced their desktops (Pentium 2) with Windows XP desktops. I think they may have done that once more and got up to Windows 10. Small business of course, but they update infrequently and have stuck with desktops.

But, anecdotes.
 