Intel Spectre Vulnerabilities Now Have a Release Schedule

Discussion in '[H]ard|OCP Front Page News' started by cageymaru, Jul 10, 2018 at 7:21 PM.

  1. cageymaru

    cageymaru [H]ard|News

    Intel has adopted a release schedule for new Spectre vulnerability disclosures. According to The Register, starting today new patches will be released quarterly to patch the latest exploits. This is akin to the Windows Patch Tuesday. I never thought that hardware would have a patch release schedule, but on the bright side, organizations can now plan in advance. I would manually set a restore point after reading this.....

    The new Spectre-class side-channel vulnerability to be disclosed today in Intel's processors can be exploited through bounds-check bypass store attacks. This means malicious code already running on an Intel-powered computer can leverage speculative execution to potentially alter function pointers and return addresses in other threads to hijack applications. At that point, the malware can extract secrets from the system, and cause other merry mischief. The good news is that software mitigations available today for Spectre variant 1 will thwart bounds-check bypass store attacks. Thus, web browsers and other applications employing anti-Spectre mechanisms should be safe.

    UPDATE: Intel did send over its statement and we wanted to make sure and share that with you.

    “As we continue working with industry researchers, partners and academia to protect customers against evolving security threats, we are streamlining security updates and guidance for our industry partners and customers when possible. With this in mind, today we are providing mitigation details for a number of potential issues, including a new sub-variant of variant 1 called Bounds Check Bypass Store, for which mitigations or developer guidance have been released. More information can be found on our product security page. Protecting our customers’ data and ensuring the security of our products is a top priority for Intel.”
     
    Last edited by a moderator: Jul 10, 2018 at 8:55 PM
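Added example, not part of the original post or the quoted article: index masking is one of the existing Spectre variant 1 software mitigations, applied here to a bounds-checked store, the pattern behind Bounds Check Bypass Store. The helper names `index_mask` and `checked_store` are hypothetical, and the 8-byte buffer is constructed sample data.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: all-ones when index < size, zero otherwise, computed
 * without a branch so the result also holds on a mispredicted path.
 * Valid for size <= SIZE_MAX / 2. */
static size_t index_mask(size_t index, size_t size)
{
    size_t top = ~(index | (size - 1 - index)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return (size_t)0 - top;              /* 1 -> 0xFF..FF, 0 -> 0 */
}

/* Bounds-checked store with the index clamped before it is used.
 * Production code (e.g. the Linux kernel's array_index_nospec) additionally
 * stops the compiler from folding the mask back into the branch. */
static int checked_store(unsigned char *buf, size_t size, size_t index,
                         unsigned char value)
{
    if (index >= size)
        return -1;                       /* architectural bounds check */
    index &= index_mask(index, size);    /* out-of-range index becomes 0 */
    buf[index] = value;
    return 0;
}

int main(void)
{
    unsigned char slots[8] = {0};        /* constructed sample buffer */
    size_t probes[] = {0, 7, 8, 1000};   /* two in range, two out of range */

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int rc = checked_store(slots, sizeof slots, probes[i], 0xAA);
        printf("index %zu: mask=%#zx rc=%d\n", probes[i],
               index_mask(probes[i], sizeof slots), rc);
    }
    return 0;
}
```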
  2. Azphira

    Azphira [H]ard|Gawd

    If intel releases a fixed cpu that's $1700 before 2020, I should request an RMA on my warranty.

    Betcha it's a LGA 2067 ;)
     
  3. alxlwson

    alxlwson You Know Where I Live

    So how much slower is my CPU now compared to a year ago?
     
  4. Vercinaigh

    Vercinaigh Gawd

    Wasn't it said to be around 30% by now? That's painful, it rendered my 1660 v2 useless as it kept hard resetting even at stock as soon as it got a microcode update.
     
  5. lostin3d

    lostin3d [H]ard|Gawd

    i.e. Intel is telling us when to bend over, and then updates as to whether or not Vaseline is applied. I truly understand if this post is banned but that is how Intel's statement feels.
     
  6. TheHobbyist

    TheHobbyist Hugs Hard Johnnies [H]ard

    How do you guys feel about running older systems that are unpatched for Meltdown and Spectre?
     
  7. Master_shake_

    Master_shake_ Little Bitch

    i bet intel wishes that it was still 2017.

    good luck to everyone on intel patchday.
     
  8. Advil

    Advil [H]ard|Gawd

    This has become a caricature of itself.

    Quarterly Spectre/Meltdown patches? That means they know this mess is about as "fixable" as JAVA or Flash is, so updates are released frequently just to break the existing exploits while knowing full well the underlying issue isn't fixable.

    I think at this point we deserve an answer to these questions:

    1) Can a microcode update be released that will fully disable all speculative read features that are related to these issues?

    2) And if so, exactly how much performance impact is that?

    Maybe some system admins don't want to play quarterly random disaster with CPU microcode patches...
     
  9. anss123

    anss123 [H]Lite

    Benchmark the old Intel Atoms, or one of the earlier ARM implementations without spectacular execution, and you should be in the ballpark.
     
  10. SvenBent

    SvenBent 2[H]4U

    From what I understand (and I might be wrong)
    I have no qualms running with the bugs enabled on my home computer.
    It's not an infection vector, aka it's software you need to run on your system that can now use a trick to bypass things like VMs to read data.
    If you are not running anything in a sandbox anyway, software can read your data and send it without any changes, so the software does not even need this security hole to be present to do its deeds.

    It's however for rental servers, catastrophic though.
     
  11. Shikami

    Shikami Gawd

    Just tired of all this Intel (and nVidia) bullshit lately.
     
  12. Tiburon1186

    Tiburon1186 Gawd

    Because of this, I'm waiting until they have a hardware fix before doing a new upgrade...
     
  13. Brahmzy

    Brahmzy [H]ardness Supreme

    It's not necessarily your CPU that's slower, it's everything USING your CPU. Storage takes a MASSIVE hit on random performance.
     
  14. M76

    M76 [H]ardness Supreme

    That's exactly why I think the patching should be opt in or at least opt out for home users. And not snuck in a windows update.
     
  15. auntjemima

    auntjemima Hand Jobs Legend

    I haven't installed any updates to my home systems. I don't expect any issues on them.
     
  16. katanaD

    katanaD [H]ard|Gawd

    so.. quarterly performance hits, how nice.
     
  17. velusip

    velusip [H]ard|Gawd

    I'm sure they will want to log/monitor the effectiveness of the patches. :/
     
  18. Araxie

    Araxie [H]ardness Supreme

    I haven't installed and I will not install any patch related to those bugs. This whole thing is an over-reaction, people need to have their machines already stupidly compromised and also be a targeted victim to be able to be exploited by any of these bugs.. that's not my case and I can be sure the same will be for most people out there.. my grandma clicking every ad on the web? I'm not so sure but still believe she will be safe. lol
     
  19. alxlwson

    alxlwson You Know Where I Live

    Paging Grand Master 1o57 How exactly big a deal is all this?
     
  20. PaulP

    PaulP Gawd

    If we can't have spectacular execution, can we at least have great execution? :D
     
  21. Shaten

    Shaten n00bie

    For everyone not thinking your home computer is insecure, remember there are some legit ways this code can be run on your computer through your browser.

    In reality the only unpatched systems should be those with no network.
     
  22. Mode13

    Mode13 [H]Lite

    One could simply use a cheap laptop or old PC that is patched for their browsing and net needs. Also, my 486 rig beside me doesn't need any such patches :p.

    The big question is when can we expect an architectural revamp that alleviates the need for software band-aids? I'm not going to upgrade while this is going on though at this point the 4790k in my rig isn't satiating my power hunger any longer. I would love to jump up to the 8 core mainstream chip Intel may or may not have in the works but I doubt it's fixed yet. I suppose whoever has an 8 core first that is sub $400 and fixes spectre/meltdown/etc at the hardware level gets my money.