New Processor Vulnerability Discovered

Discussion in '[H]ard|OCP Front Page News' started by rgMekanic, May 21, 2018.

  1. rgMekanic

    rgMekanic [H]ard|News Staff Member

    Messages:
    4,935
    Joined:
    May 13, 2013
    Microsoft and Google Project Zero researchers announced today a new category of processor vulnerability known as a speculative execution side channel vulnerability, or Speculative Store Bypass, that is closely related to the Spectre Variant 1 vulnerability. Microsoft has also released a security advisory for the new vulnerability.

    Impressively, AMD has already released a 5-page whitepaper on the vulnerability, as well as a post on their security updates page outlining that they will be providing updates back to the Bulldozer series of processors. Even more remarkable is that AMD states that these updates are already in the hands of Microsoft, who is completing final testing and validation, and that they will be released over the standard update process.

    I can't help but just shake my head at yet another CPU vulnerability being discovered, when I still have not gotten a BIOS update for the first Spectre on my X99 system. I must give kudos to AMD though, already having the update going through validation and ready day of release, not just for Windows; the AMD page also notes that Linux distributors are creating the system updates as well. However, on the Intel side, there is deafening silence. Thanks to cageymaru for the story.

    An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries. Vulnerable code patterns in the operating system (OS) or in applications could allow an attacker to exploit this vulnerability. In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639. However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel.
     
    Darth Kyrie, scojer, N4CR and 2 others like this.
  2. Kor

    Kor [H]ard|Gawd

    Messages:
    2,044
    Joined:
    Mar 31, 2010
    AMD have been killing it in this space (well, as much as one can succeed anyway) vs Intel, it would seem.
     
  3. heatlesssun

    heatlesssun Pick your own.....you deserve it.

    Messages:
    48,311
    Joined:
    Nov 5, 2005
    Asus did release a Spectre V2 patch for my X99 Deluxe II late last month, better late than never. That's a LOT of validation work to do on all of this unfortunately.
     
    rgMekanic likes this.
  4. juanrga

    juanrga Pro-Intel / Anti-AMD Just FYI

    Messages:
    1,947
    Joined:
    Feb 22, 2017
    INTEL
    https://newsroom.intel.com/editorials/addressing-new-research-for-side-channel-analysis/

    https://software.intel.com/sites/de...ative-Execution-Side-Channels-White-Paper.pdf

    ARM
    https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
     
    Last edited: May 21, 2018
    ZeroBarrier, BlueFireIce and Nobu like this.
  5. SickBeast

    SickBeast Limp Gawd

    Messages:
    304
    Joined:
    Jan 29, 2012
    Wow when is this gonna stop?
     
  6. Advil

    Advil [H]ard|Gawd

    Messages:
    1,635
    Joined:
    Jul 16, 2004
    It's pretty apparent that it won't stop until we have a complete architecture redesign.
     
  7. Mazzspeed

    Mazzspeed Limp Gawd

    Messages:
    431
    Joined:
    Dec 27, 2017
    I think we should go back to the abacus as a basis for computing, no vulnerabilities there.
     
    Darth Kyrie and vividshock like this.
  8. EODetroit

    EODetroit [H]ard|Gawd

    Messages:
    1,250
    Joined:
    Oct 20, 2004
    Not buying a new CPU until all this stuff plays out and I can get one that I can reasonably expect to be unaffected.
     
    qb4ever, DF-1 and heatlesssun like this.
  9. DukenukemX

    DukenukemX 2[H]4U

    Messages:
    3,613
    Joined:
    Jan 30, 2005
    Time to copy and paste this image.

    1497164443072.png
     
  10. Chas

    Chas [H]ardness Supreme

    Messages:
    6,502
    Joined:
    Oct 31, 2005
    Okay, it's time to roll everyone back to the 386!
     
  11. Jovian

    Jovian Limp Gawd

    Messages:
    313
    Joined:
    Jun 8, 2004
    I'm due for an upgrade this year but I don't want to purchase a known broken CPU. Now Intel has delayed their next consumer CPU architecture to 2019. Wonder if that new architecture just got delayed another 6 months due to this.
     
  12. [21CW]killerofall

    [21CW]killerofall Aliens...

    Messages:
    2,397
    Joined:
    Mar 16, 2006
    You might be waiting years for that to happen, assuming more aren't found in the meantime. It takes a long time to develop new hardware from scratch and release it to the public.
     
    Darth Kyrie and IdiotInCharge like this.
  13. heatlesssun

    heatlesssun Pick your own.....you deserve it.

    Messages:
    48,311
    Joined:
    Nov 5, 2005
    Intel, AMD and others have known about Meltdown and Spectre for almost a year now and probably understood the other flaws were going to be discovered. I think for consumers that don't need hardware currently, it'd be tough to do an upgrade with something that you know is flawed.
     
    IdiotInCharge likes this.
  14. ZippZ

    ZippZ n00bie

    Messages:
    19
    Joined:
    Nov 9, 2016
    There will always be flaws. If you buy a Meltdown and Spectre fixed CPU in the future, they'll find another CPU flaw a couple years after you buy it. It's a never ending battle.

    Then there are also flaws you will never know about....
     
  15. T_A

    T_A Limp Gawd

    Messages:
    326
    Joined:
    Aug 4, 2005
    So some researchers are finding vulnerabilities that no private citizen or even a non-government organization can ever exploit, and we all get punished by diminished performance due to patches, as if there aren't hundreds of other exploits in our system that those big security organizations / governments can use already.
     
  16. ltron

    ltron n00bie

    Messages:
    30
    Joined:
    Oct 2, 2016
    Last edited: May 22, 2018
  17. ltron

    ltron n00bie

    Messages:
    30
    Joined:
    Oct 2, 2016
  18. Skylinestar

    Skylinestar Limp Gawd

    Messages:
    380
    Joined:
    Jun 14, 2011
    I upgraded my ASRock Z170 BIOS to the latest and it breaks SkyOC.
    :cry:
     
    Shadowed likes this.
  19. ole-m

    ole-m Limp Gawd

    Messages:
    309
    Joined:
    Oct 5, 2015
    I had the experience of having issues with CSM disabled on new BIOS boards and it would break OC entirely, even memory above 2666 MHz was a dead end.
    Enable CSM and 3600 CL16... hmmmmm...
     
  20. Whach

    Whach [H]ard|Gawd

    Messages:
    1,101
    Joined:
    Dec 22, 2011
    So I can expect that all of these patches will bring down my perf by at least 15%? And also may break an OC........>_<


    I haven't applied any of these fixes so far, wondering if I should even bother if the problems/exploits just keep on rolling out every couple of months.

    I can't imagine the issues with laptops that don't get regular updates in the first place.
     
  21. jpm100

    jpm100 [H]ardness Supreme

    Messages:
    6,926
    Joined:
    Oct 31, 2004
    2-3 years or longer
     
  22. lostin3d

    lostin3d [H]ard|Gawd

    Messages:
    1,064
    Joined:
    Oct 13, 2016
    Seems to be par for the course lately with this stuff. Also makes me wonder how many of their original engineers who may have spoken up about this back in the day are still with them and able to provide credible solutions. Considering how long it's still taking for the ones that came almost a year ago I'm guessing closer to none. Yet more reasons I'm looking forward to an AMD based rig in 2-4 years when I might need one.
     
    Darth Kyrie likes this.
  23. mashie

    mashie Mawd Gawd

    Messages:
    4,125
    Joined:
    Oct 25, 2000
    It is a shame these exploits don't translate to cheaper 2nd hand Xeon CPUs yet. I would love to pick up a 22 core for $100.
     
  24. daglesj

    daglesj [H]ardness Supreme

    Messages:
    4,755
    Joined:
    May 7, 2005
    I reckon the whole Intel X86 is borked from top to bottom.
     
    Darth Kyrie likes this.
  25. Dead Parrot

    Dead Parrot [H]ard|Gawd

    Messages:
    1,655
    Joined:
    Mar 4, 2013
    For those wondering if there is an end to these, probably not. Even after countless patches and now deprecation, new Flash exploits keep appearing. Anyone expect an end to JavaScript hacks? Or folks finding new ways to exploit HTTPS traffic? This is the world of tech. It has flaws. Bad folk exploit the flaws for personal gain. All most of us can do is perform a risk of breach, cost of breach, cost of mitigation analysis and react accordingly.

    Given the low cost of a basic machine these days, might be worth it to pick one up for use as your banking, online ordering, email, etc. machine and patch the crap out of it and accept the performance losses.

    Skip the performance harming patches on your retina detaching performance gaming rig and accept that you might have to do the occasional wipe and reinstall.
     
    Smoeki likes this.
  26. DukenukemX

    DukenukemX 2[H]4U

    Messages:
    3,613
    Joined:
    Jan 30, 2005
    I would wait until someone makes a virus or malware that exploits this and then steals tons of data, cause we all know these "fixes" just fix the demo that shows the exploit and not the exploit itself. Best yet, Intel rushes a fix and it ends up breaking all the servers that applied it for over a week. We'll call it the black internet week. I guarantee you those Xeon chips will be $100 or less after that situation.
     
  27. kilroy67

    kilroy67 Gawd

    Messages:
    556
    Joined:
    Oct 16, 2006
    I know this affects AMD also, I'm just wondering if it includes the 2nd Gen Ryzen CPUs?
     
  28. velusip

    velusip [H]ard|Gawd

    Messages:
    1,262
    Joined:
    Jan 24, 2005
    I suppose after all the vulnerabilities are discovered and the patches are applied, every processor will perform about the same since the Bulldozer. ;)
     
  29. M76

    M76 [H]ardness Supreme

    Messages:
    6,638
    Joined:
    Jun 12, 2012
    I agree, we're not running banking systems in our homes. These performance impacting patches should be strictly opt-in. I prefer to keep whatever little performance I can afford. I'm not a target for corporate espionage, and I make backups. And honestly what are we talking about? If someone wants it bad enough they'll just get physical access or kidnap you and torture you for the password.
     
  30. Dk975

    Dk975 Gawd

    Messages:
    811
    Joined:
    Sep 24, 2005
    This sounds like another of the Spectre variants they were going to release earlier in the month. Great, I have a fairly secure OS on my desktop, but flawed hardware (Win10 & i3 4330), but my smartphone has clean hardware but an insecure OS (Snapdragon 425, 4x A53s & Android 7).
     
  31. Sparky

    Sparky 2[H]4U

    Messages:
    3,115
    Joined:
    Mar 9, 2000
    Finally Asrock has updated my X99E BIOS.
     
  32. rgMekanic

    rgMekanic [H]ard|News Staff Member

    Messages:
    4,935
    Joined:
    May 13, 2013
  33. zexelon

    zexelon n00bie

    Messages:
    39
    Joined:
    Jul 16, 2006
    Anyone else think the graphics in that video look a lot like the old Chip's Challenge game? I am sure that game is the origin of all these architectural bugs!
     
    Nobu likes this.
  34. Prisoner849

    Prisoner849 Gawd

    Messages:
    521
    Joined:
    May 5, 2016
    Message paid for by Please Don't Sue Us Again.org
     
  35. Squall_Rinoa89

    Squall_Rinoa89 Limp Gawd

    Messages:
    357
    Joined:
    May 4, 2011
    This is exactly why I decided not to upgrade this year, keep my i7 4790K with my 2 1080 Ti's and wait it out till Intel releases a whole new architecture without these faults.

    While AMD IS appealing, my personal history with AMD-based CPUs keeps me from EVER going back. I had major issues with my AMD Athlon 2400+ and would NEVER switch back.

    Burned that bridge a long time ago.
     
  36. velusip

    velusip [H]ard|Gawd

    Messages:
    1,262
    Joined:
    Jan 24, 2005
    With a late model 4790K, I don't blame you for holding out a while longer. Nothing new is really compelling.

    However, I think it's time to drop the Thoroughbred grudge. AMD has come a long way, but more importantly, so have motherboard manufacturers. All the problems with the Athlons were related to abysmal knockoff components on the motherboard.
     
  37. Zareek

    Zareek [H]Lite

    Messages:
    67
    Joined:
    Sep 5, 2011
    Agreed... The 2400+ was a gem during that time period. Unfortunately, there were several ways to make them look awful. Bad motherboard designs and components were way too common, the chipset support was less than inspiring, many badly made cooling solutions and there was an abundance of garbage power supplies. Get any one of the three and it was a nightmare.
     
    commodork6510 likes this.
  38. Dayaks

    Dayaks [H]ardness Supreme

    Messages:
    5,747
    Joined:
    Feb 22, 2012
    I was actually impressed with the Ryzen 1400 so I felt fine getting the 2700x for my main rig (replacing a 5960x, mobo started acting up). It’s my first AMD CPU since the K6-2 350MHz and it’s been rock solid.

    I stayed away from AMD for the reasons you mentioned. Seems like they have that ironed out with Zen+.

    I understand the mentality though. I had 3/3 EVGA 1080ti Hybrids shit the bed. I won’t be buying from EVGA again. Hybrids anyways. I love their PSUs with the single 12V rails.