Intel Releasing Updates That Immunize Systems Against Meltdown and Spectre

Discussion in 'HardForum Tech News' started by DooKey, Jan 5, 2018.

  1. DooKey

    DooKey [H]ard DCOTM x4

    Messages:
    7,869
    Joined:
    Apr 25, 2001
    Intel has released a PR statement saying they have released updates for Meltdown and Spectre that make systems immune from both exploits. Supposedly they are doing this with firmware and software patches. Also, they will have updates issued for 90% of the processors introduced over the last 5 years by the end of next week. They appear to be confident that performance impact will be able to be worked around with additional software updates. However, I'll take all of this with a grain of salt until independent sources confirm these claims.

    Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time. While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.
     
  2. oROEchimaru

    oROEchimaru [H]ardness Supreme

    Messages:
    4,658
    Joined:
    Jun 1, 2004
    Wonder how it would be rolled out when 99% of Intel users will be unaware or forget in a month... Windows updates?
     
    SticKx911 likes this.
  3. BigJayDogg3

    BigJayDogg3 [H]ard|Gawd

    Messages:
    1,679
    Joined:
    Jul 21, 2009
    PCPer ran early tests and the differences between them were minimal. In one instance, an increase of performance was had. I'd guess that's margin of error territory though.

    They were of the opinion the performance hit would be unnoticeable unless you run huge compute clusters on the scale of Amazon or Microsoft.

    Still, I'll hold final judgement until I see more than talk in the podcast and/or other sources confirming those results.
     
  4. gxp500

    gxp500 Gawd

    Messages:
    867
    Joined:
    Mar 4, 2015
    Those rebate cheques are going to have a lot of zeros in them.
     
    Krenum likes this.
  5. jnemesh

    jnemesh [H]ard|Gawd

    Messages:
    1,084
    Joined:
    Jan 21, 2013
    How much do you want to bet that "typical users" doesn't include gamers? I want to see updated benchmarks and see what impact this is having on games!
     
    mynamehere likes this.
  6. JDanser

    JDanser Limp Gawd

    Messages:
    248
    Joined:
    Feb 9, 2012
    Worst bit is I have a feeling that those of us with older hardware are gonna get royally fucked in all this. I'll eat my hat if I see a firmware/microcode update from Asus or Intel.
     
    Verado likes this.
  7. Bigdady92

    Bigdady92 [H]ardness Supreme

    Messages:
    5,768
    Joined:
    Jun 20, 2001
    I can't wait for the recalls so I can get a 32 core Xeon for $100. That will be so worth any 'performance' hit I'll take.
     
    Bigshrimp, IdiotInCharge and mashie like this.
  8. mashie

    mashie Mawd Gawd

    Messages:
    4,176
    Joined:
    Oct 25, 2000
    So are firmware updates delivered in BIOS updates?
     
  9. Trepidati0n

    Trepidati0n [H]ardForum Junkie

    Messages:
    8,816
    Joined:
    Oct 26, 2004
    Home users don't have a lot to fear from this. Remember, for this to work...something bad already has to be there to do something bad.
     
  10. mashie

    mashie Mawd Gawd

    Messages:
    4,176
    Joined:
    Oct 25, 2000
    Like JavaScript on a webpage?
     
  11. Bigdady92

    Bigdady92 [H]ardness Supreme

    Messages:
    5,768
    Joined:
    Jun 20, 2001

    I'm guessing some of the updates will be BIOS updates, but there is NO 100% fix for this flaw that can be corrected by any type of update, only mitigated till the next flaw is found.
     
  12. Napoleon

    Napoleon Gawd

    Messages:
    988
    Joined:
    Jan 27, 2003
    so for the last 5 years only... basically creating obsolescence of older yet still functional computers since they are open to this security flaw...
     
  13. Trepidati0n

    Trepidati0n [H]ardForum Junkie

    Messages:
    8,816
    Joined:
    Oct 26, 2004
    Like keeping your browser updated? If your browser is up to date and you don't use plugins from less than reputable sources...these two issues are zero issue. The real issue is when you don't have control (e.g. cloud computing) of who is playing on your HW and in what way.

    Honestly...I'm glad that this happened NOW. Flaws will always exist in any system at any level. Whether or not those flaws can be exploited is often very hard to determine. In aerospace we actually use HW-based systems to prevent sandboxes from playing with other sandboxes. But, it comes at a cost. Back then..the cost was VERY high in terms of performance and $. With silicon being so capable now and actually a body of knowledge and very smart people, we might actually be able to start creating better secure computing platforms at the HW level that still perform well. The issue with this is people might become complacent and use this to shift the blame away from other flaws/issues.
     
    Chimpee and IdiotInCharge like this.
  14. Nukester

    Nukester [H]ard|Gawd

    Messages:
    1,429
    Joined:
    Mar 21, 2016
    I just don't know about this whole thing. I mean, this is a big deal. There has to be a way to prevent these exploits on a high level like the browser, since it is web based. This whole hacking business over the past year is accelerating at an astonishing pace. We can't keep up.
     
  15. dandirk

    dandirk [H]ard|Gawd

    Messages:
    1,828
    Joined:
    Jun 5, 2004
    I saw a decent video on YouTube benchmarking the Windows Update(s)... Obviously once the microcode is released things could be different.
     
    BigJayDogg3 and jnemesh like this.
  16. drescherjm

    drescherjm [H]ardForum Junkie

    Messages:
    14,297
    Joined:
    Nov 19, 2008
    Microsoft and Linux also deliver microcode updates for CPUs in the OS which get loaded during the OS boot.
     
  17. pcgeekesq

    pcgeekesq [H]ard|Gawd

    Messages:
    1,403
    Joined:
    Apr 23, 2012
    Not really. It's a hard to do hack that leaks random info from memory very slowly. It doesn't crash the system or elevate the attacker's privilege. And you have to give the attacker access, such as surfing an infected web page with an unpatched browser or downloading an infected application.

    But this is the Internet, and unwarranted hysteria is the norm.
     
    Last edited: Jan 5, 2018
    auntjemima likes this.
  18. vegeta535

    vegeta535 2[H]4U

    Messages:
    2,915
    Joined:
    Jul 19, 2013
    I'm guessing it is through a BIOS update. I don't see how it is safe to push a microcode update for the CPU through Windows Update. If something goes wrong during the update, would it brick your CPU?
     
  19. drescherjm

    drescherjm [H]ardForum Junkie

    Messages:
    14,297
    Joined:
    Nov 19, 2008
    No. Microcode updates are loaded each boot. When you power off the CPU the update is gone. This has already been happening for years to correct for the long list of errata that Intel and AMD both have in their CPUs.

    https://wiki.archlinux.org/index.php/microcode
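
Added example, not part of the original thread: since a microcode update is reloaded at each boot, the revision actually running can be read back from the OS. This Python sketch parses Linux `/proc/cpuinfo` (the x86 `microcode` field) and the kernel's `/sys/devices/system/cpu/vulnerabilities` entries; the sample data is constructed and the function names are illustrative.

```python
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample data (not from a real machine): two logical CPUs that
# ended up on different microcode revisions, plus three status strings.
SAMPLE_CPUINFO = (
    "processor\t: 0\nmodel name\t: Example CPU (constructed)\nmicrocode\t: 0xc2\n\n"
    "processor\t: 1\nmodel name\t: Example CPU (constructed)\nmicrocode\t: 0xba\n"
)
SAMPLE_VULNS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Vulnerable",
    "spectre_v2": "Mitigation: Full generic retpoline",
}

def microcode_revisions(cpuinfo_text):
    """Map logical CPU number -> running microcode revision (x86 only)."""
    revs, cpu = {}, None
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "processor":
            cpu = int(value)
        elif key == "microcode" and cpu is not None:
            revs[cpu] = int(value, 16)
    return revs

def classify(status):
    """Collapse a kernel status string into ok / mitigated / vulnerable."""
    if status.startswith("Not affected"):
        return "ok"
    if status.startswith("Mitigation"):
        return "mitigated"
    return "vulnerable"  # "Vulnerable" or any string we do not recognise

def audit(cpuinfo_text, vulns):
    """Summarise microcode consistency and unmitigated issues."""
    revs = set(microcode_revisions(cpuinfo_text).values())
    return {
        "revisions": sorted(revs),
        "mixed_microcode": len(revs) > 1,  # cores disagree: update not applied everywhere
        "unmitigated": sorted(n for n, s in vulns.items() if classify(s) == "vulnerable"),
    }

if __name__ == "__main__":
    try:  # use live data on Linux, fall back to the constructed sample elsewhere
        cpuinfo = Path("/proc/cpuinfo").read_text()
        vulns = {p.name: p.read_text().strip() for p in VULN_DIR.iterdir()}
    except OSError:
        cpuinfo, vulns = SAMPLE_CPUINFO, SAMPLE_VULNS
    print(audit(cpuinfo, vulns))
```

Run after a reboot and compare `revisions` with the previous run to confirm a newly packaged microcode file was actually loaded.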
     
  20. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,209
    Joined:
    Nov 16, 2009

    To quote our commandchild in chief, "WRONG".... Keeping your browser updated is not going to completely protect you from JS exploits.... They are always playing a game of catch up, and that is only for known exploits. So don't assume you are safe just because you have your browser updated and haven't downloaded shady plugins.....
     
  21. Kardonxt

    Kardonxt 2[H]4U

    Messages:
    2,858
    Joined:
    Apr 13, 2009
    The problem isn't really the home user IMHO.

    The real danger comes from the enterprise end where companies are renting server access. The flaw can be executed from anyone with server access. Meaning I can rent legit server space on a cluster with thousands of other customers, exploit the vulnerability, dump the memory of everyone on the server. You don't need to "hack" your way into many of these systems. You just give them a few bucks and they let you right in, that's what makes this so scary.
     
  22. polonyc2

    polonyc2 [H]ardForum Junkie

    Messages:
    16,336
    Joined:
    Oct 25, 2004
    this exploit is not easily exploited and the risk is very low...I would not worry about it in most cases...apparently the user also needs to actively allow the exploit to run on their computer much like typical malware/virus...so as long as you practice normal safe habits this is a non-issue
     
  23. pcgeekesq

    pcgeekesq [H]ard|Gawd

    Messages:
    1,403
    Joined:
    Apr 23, 2012
    My understanding is that if the server resource vendor puts you under your own hypervisor, that no one else is using, the only data you could access with this hack is your own.
    Not that scary, but maybe not as efficient a work-around as the resource vendor would like.
     
  24. Tak Ne

    Tak Ne [H]ard|Gawd

    Messages:
    1,233
    Joined:
    Jan 28, 2008
    As I understand it the performance hit happens when switching to the kernel and back and so gaming shouldn't be affected much. I forgot where I read this.
     
    jnemesh likes this.
  25. Trepidati0n

    Trepidati0n [H]ardForum Junkie

    Messages:
    8,816
    Joined:
    Oct 26, 2004
    Pedantic fuckery is boring. I could get hit by a bus today, a meteor could fall from the sky on my car as I drive to work. Shit..somebody could decide my wallet looks nice and stab me causing a stroke making me an invalid in a hospital for the rest of my life costing me everything I have earned and put a massive hurt on the taxpayer to pay for my long term care. I don't assume I'm safe..but I'm not a paranoid schmuck who lives to hyperbolic chicken-little everything in order to think they have relevance in the universe.

    Take basic steps, manage obvious risks and move on with life. Again....the amount of shit around this issue is just amazing. Guess the media need a change of pace before they start going after Trump again. Allows people in technical academics to have their 5 minutes of fame on TV or radio as they try and explain it in "simple terms" while at the same time making it sound scary but giving hope. This is media profiteering and people are lapping it up.

    The only reason why we know about this issue at this exact point is that there is an agreed reasonable plan to manage it. It was kept very tight lipped and probably 100's of very bright people worked on it for months.
     
    Spartacus and BigJayDogg3 like this.
  26. jeremyshaw

    jeremyshaw [H]ardForum Junkie

    Messages:
    12,041
    Joined:
    Aug 26, 2009
    Take a look at the person you quoted. Then remember Intel's CEO came out as pro-Trump (meaning he didn't relentlessly bash Trump 24/7). The picture becomes stupidly clear, even if you don't want it to be.
     
  27. Grimlaking

    Grimlaking 2[H]4U

    Messages:
    2,780
    Joined:
    May 9, 2006
    I have MS's patch but no software patches or firmware updates around this as of yet. So far I haven't been able to notice a real impact with the system in my signature.
     
  28. vxspiritxv

    vxspiritxv [H]ard|Gawd

    Messages:
    1,463
    Joined:
    Feb 10, 2001
    Ugh more Trump talk, kinda love how this guy has everyone's panties in a bunch.
    Anyways back on topic... ESX has been patched since November, for the most part.
    A table of patches can be viewed here:
    http://byounghee.me/2018/01/04/meltdown-spectre-for-esxi/
    Any sysadmin with a decent patch schedule should have already patched.
     
  29. dgz

    dgz [H]ardness Supreme

    Messages:
    5,099
    Joined:
    Feb 15, 2010
    As someone who writes JS for a living I always tell people to just disable it but no one ever listens to me.
     
    86 5.0L, face2palm, Chimpee and 2 others like this.
  30. Master_shake_

    Master_shake_ [H]ardForum Junkie

    Messages:
    8,425
    Joined:
    Apr 9, 2012
  31. face2palm

    face2palm Gawd

    Messages:
    578
    Joined:
    Sep 16, 2011
    Asus is the absolute worst for abandoning older motherboards.
     
  32. Lenard

    Lenard Limp Gawd

    Messages:
    288
    Joined:
    Aug 16, 2017

    "Browser is up to date and don't use plug ins from less reputable sources" So what about the other 2 Billion people?
     
  33. RealBeast

    RealBeast Gawd

    Messages:
    648
    Joined:
    Aug 4, 2010
    "Intel has released a PR statement."

    Okay good enough for me, I feel all warm and safe now.
     
    86 5.0L and Verado like this.
  34. MMitch

    MMitch Gawd

    Messages:
    648
    Joined:
    Nov 29, 2016
    Yeah but it came with a nice patch thru Windows Update that will somehow enable new telemetry to keep track of who is "warm and safe now" ;)
     
  35. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,209
    Joined:
    Nov 16, 2009
    IT manager for years and recently moved to devops, all at software dev companies. I always use an internet condom (noscript) to avoid any diseases from the shady JS hanging around the corners on some sites.....
     
  36. BigJayDogg3

    BigJayDogg3 [H]ard|Gawd

    Messages:
    1,679
    Joined:
    Jul 21, 2009
    Considering most browsers autoupdate, it isn't really a big deal.
     
  37. pcgeekesq

    pcgeekesq [H]ard|Gawd

    Messages:
    1,403
    Joined:
    Apr 23, 2012
    Do you really care about them?
    I don't. I don't even know who they are.

    Compared to the threat of IoT bot networks, this is all piddling.
     
  38. Spartacus

    Spartacus [H]ard|Gawd

    Messages:
    1,915
    Joined:
    Apr 29, 2005
    lol... troll much troll?

    .
     
  39. KazeoHin

    KazeoHin [H]ardness Supreme

    Messages:
    7,788
    Joined:
    Sep 7, 2011
    Be careful what you say...
     
  40. Sparky

    Sparky 2[H]4U

    Messages:
    3,195
    Joined:
    Mar 9, 2000
    NoScript ftw!