Intel Spectre Vulnerabilities Now Have a Release Schedule

cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
19,928
Intel has adopted a release schedule for new Spectre vulnerability disclosures. According to The Register, starting today new patches will be released quarterly to patch the latest exploits. This is akin to the Windows Patch Tuesday. I never thought that hardware would have a patch release schedule, but on the bright side, organizations can now plan in advance. I would manually set a restore point after reading this.....

The new Spectre-class side-channel vulnerability to be disclosed today in Intel's processors can be exploited through bounds-check bypass store attacks. This means malicious code already running on an Intel-powered computer can leverage speculative execution to potentially alter function pointers and return addresses in other threads to hijack applications. At that point, the malware can extract secrets from the system, and cause other merry mischief. The good news is that software mitigations available today for Spectre variant 1 will thwart bounds-check bypass store attacks. Thus, web browsers and other applications employing anti-Spectre mechanisms should be safe.

UPDATE: Intel did send over its statement and we wanted to make sure and share that with you.

“As we continue working with industry researchers, partners and academia to protect customers against evolving security threats, we are streamlining security updates and guidance for our industry partners and customers when possible. With this in mind, today we are providing mitigation details for a number of potential issues, including a new sub-variant of variant 1 called Bounds Check Bypass Store, for which mitigations or developer guidance have been released. More information can be found on our product security page. Protecting our customers’ data and ensuring the security of our products is a top priority for Intel.”
 
Last edited by a moderator:

Azphira

[H]ard|Gawd
Joined
Aug 18, 2003
Messages
1,823
If intel releases a fixed cpu that's $1700 before 2020, I should request an RMA on my warranty.

Betcha it's a LGA 2067 ;)
 

Vercinaigh

Gawd
Joined
Jul 31, 2008
Messages
849
So how much slower is my CPU now compared to a year ago?
Wasn't it said to be around 30% by now? that's painful, it rendered by 1660 v2 useless as it kept hard resetting even at stock as soon as it got a microcode update.
 

TheHobbyist

Hugs Hard Johnnies [H]ard
Joined
Apr 8, 2008
Messages
456
How do you guys feel about running older systems that are unpatched for Meltdown and Spectre?
 

Master_shake_

[H]F Junkie
Joined
Apr 9, 2012
Messages
12,253
i bet intel wishes that it was still 2017.

good luck to everyone on intel patchday.
 

Advil

[H]ard|Gawd
Joined
Jul 16, 2004
Messages
1,875
This has become a caricature of itself.

Quarterly Spectre/Meltdown patches? That means they know this mess is about as "fixable" as JAVA or Flash is, so updates are released frequently just to break the existing exploits while knowing full well the underlying issue isn't fixable.

I think at this point we deserve an answer to these questions:

1) Can a microcode update be released that will fully disable all speculative read features that are related to these issues?

2) And if so, exactly how much performance impact is that?"

Maybe some system admins don't want to play quarterly random disaster with CPU microcode patches...
 

anss123

Weaksauce
Joined
Jan 25, 2009
Messages
88
2) And if so, exactly how much performance impact is that?"
Benchmark the old Intel Atoms, or one of the earlier ARM implementations without spectacular execution, and you should be in the ballpark.
 

SvenBent

2[H]4U
Joined
Sep 13, 2008
Messages
3,166
How do you guys feel about running older systems that are unpatched for Meltdown and Spectre?
From what i understand (and i might be wrong)
I have no qualms running with the bugs enabled on my home computer
Its not an infection vector. aka its software you need to run on your system that can now use a trick to by pass things like VM's to read data.
If you are not running anything in a sandbox anyway. software can read you data and send it without any changes, so the software does not even need this security hole to be present to do its deeds.

Its however for rentals servers, catastrophic though.
 

M76

[H]F Junkie
Joined
Jun 12, 2012
Messages
10,946
From what i understand (and i might be wrong)
I have no qualms running with the bugs enabled on my home computer
Its not an infection vector. aka its software you need to run on your system that can now use a trick to by pass things like VM's to read data.
If you are not running anything in a sandbox anyway. software can read you data and send it without any changes, so the software does not even need this security hole to be present to do its deeds.

Its however for rentals servers, catastrophic though.
That's exactly why I think the patching should be opt in or at least opt out for home users. And not snuck in a windows update.
 

auntjemima

Supreme [H]ardness
Joined
Mar 1, 2014
Messages
6,141
That's exactly why I think the patching should be opt in or at least opt out for home users. And not snuck in a windows update.
I haven't installed any updates to my home systems. I don't expect any issues on them.
 

velusip

[H]ard|Gawd
Joined
Jan 24, 2005
Messages
1,577
I'm sure they will want to log/monitor the effectiveness of the patches. :/
 

Araxie

Supreme [H]ardness
Joined
Feb 11, 2013
Messages
6,434
That's exactly why I think the patching should be opt in or at least opt out for home users. And not snuck in a windows update.
I haven't installed and I will not install any patch related to those bugs. all this whole thing it's over-reacted, people need to have their machines already stupidly compromised and also be a targeted victim to be able to be exploited by any of these bugs.. that's not my case and I can be sure the same will be for most people out there.. my grandma clicking every ad on the web? im not so sure but still believe she will be safe. lol
 

Shaten

Weaksauce
Joined
Sep 15, 2012
Messages
73
For everyone no thinking your home computer in insecure, remember there are some legit ways this code can be run on your computer through your browser.

In reality the only unpatched systems should be those with no network.
 

Mode13

Gawd
Joined
Jun 11, 2018
Messages
828
For everyone no thinking your home computer in insecure, remember there are some legit ways this code can be run on your computer through your browser.

In reality the only unpatched systems should be those with no network.
One could simply use a cheap laptop or old PC that is patched for their browsing and net needs. Also, my 486 rig beside me doesn't need any such patches :p.

The big question is when can we expect an architectural revamp that alleviates the need for software band-aids? I'm not going to upgrade while this is going on though at this point the 4790k in my rig isn't satiating my power hunger any longer. I would love to jump up to the 8 core mainstream chip Intel may or may not have in the works but I doubt it's fixed yet. I suppose whoever has an 8 core first that is sub $400 and fixes spectre/meltdown/etc at the hardware level gets my money.
 
Top