Intel ‘Downfall’: Severe flaw in billions of CPUs leaks passwords and much more

“This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.”
Intel is already providing microcode updates to plug the security hole. “Intel recommends that users of affected Intel Processors update to the latest version firmware provided by the system manufacturer that addresses these issues,” the company says.


This can lead to a loss of performance of up to 50 percent under certain circumstances, however, as Moghimi warns. Intel comments on the side effects of the microcode updates here. There’s an opt-out mechanism available to avoid applying the patch.
Both consumer and server processors from Intel show the gap. For consumers, all PCs or laptops with Intel Core processors of the 6th “Skylake” generation up to and including the 11th-gen “Tiger Lake” chips contain the vulnerability. This means that the vulnerability has existed since at least 2015, when Skylake was released.
Intel’s newer 12th-gen and 13th-gen Core processors are not affected.




The Downfall vulnerability now discovered is reminiscent of the legendary Meltdown and Spectre vulnerabilities from 2018.
Stolen from PCWorld
https://www.pcworld.com/article/202...ns-of-intel-cpus-how-to-protect-yourself.html
TL;DR
I wouldn't worry too much about this as long as you are not sharing your PC with the Taliban or Red October.
 
"Firmware updates can fix it, but at a potential significant performance loss (up to 50% under certain circumstances)"
 
Wow, that much performance hit, this is when I wish we had consumer protection laws that would force Intel to cough up new CPUs not affected to replace those that are for those who are impacted by 50% performance hit, because you are no longer getting the product you paid for.
Makes you wonder how much Intel knows about these side channel attacks and just shoved em under the rug to try and keep their performance crown....

But, in reality, to be exploited by this, and get actual useful data from it... seems very very difficult. I mean, a malicious actor could just buy some instances across multiple regions and providers and run their tools to exploit this sending out the data collected and see what they get...
 
I'd like to see firmware give options in the BIOS about whether to enable or disable certain mitigations, as opposed to the only option being to remain on an older firmware. Even better would be the ability to exclude mitigations from certain tasks, such as gaming.

Hate to say it, but I think that Intel is just fine with this status quo. Most people don't pay much attention to these things, and the effect is that your computer basically gets slower over time - sort of a form of planned obsolescence so people aren't keeping their 2500k for 10 years anymore, etc. It makes benchmarks for their new CPUs look that much better when the older CPUs are gimped by mitigations.
 
The government pays both Intel and AMD to put backdoors in for the government lol
 
