New Processor Vulnerability Discovered

rgMekanic

[H]ard|News
Microsoft and Google Project Zero researchers announced today a new category of processor vulnerability known as a speculative execution side channel vulnerability, or Speculative Store Bypass, that is closely related to the Spectre Variant 1 vulnerability. Microsoft has also released a security advisory for the new vulnerability.

Impressively, AMD has already released a 5-page whitepaper on the vulnerability, as well as a post on their security updates page outlining that they will be providing updates back to the Bulldozer series of processors. Even more remarkable is that AMD states that these updates are already in the hands of Microsoft, who is completing final testing and validation, and will be released over the standard update process.

I can't help but just shake my head at yet another CPU vulnerability being discovered, when I still have not gotten a BIOS update for the first Spectre on my X99 system. I must give kudos to AMD though, already having the update going through validation and ready day of release, not just for Windows; the AMD page also notes that Linux distributors are creating the system updates as well. However, on the Intel side, there is deafening silence. Thanks to cageymaru for the story.

An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries. Vulnerable code patterns in the operating system (OS) or in applications could allow an attacker to exploit this vulnerability. In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639. However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel.
 
I can't help but just shake my head at yet another CPU vulnerability being discovered, when I still have not gotten a BIOS update for the first Spectre on my X99 system.

Asus did release a Spectre V2 patch for my X99 Deluxe II late last month, better late than never. That's a LOT of validation work to do on all of this unfortunately.
 

INTEL
https://newsroom.intel.com/editorials/addressing-new-research-for-side-channel-analysis/

https://software.intel.com/sites/de...ative-Execution-Side-Channels-White-Paper.pdf

ARM
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
 
It's pretty apparent that it won't stop until we have a complete architecture redesign.
 
Time to copy and paste this image.

1497164443072.png
 
Okay, it's time to roll everyone back to the 386!
 
I'm due for an upgrade this year but I don't want to purchase a known broken CPU. Now Intel has delayed their next consumer CPU architecture to 2019. Wonder if that new architecture just got delayed another 6 months due to this.
 
You might be waiting years for that to happen, assuming more aren't found in the meantime. It takes a long time to develop new hardware from scratch and release it to the public.

Intel, AMD and others have known about Meltdown and Spectre for almost a year now and probably understood the other flaws were going to be discovered. I think for consumers that don't need hardware currently, it'd be tough to do an upgrade with something that you know is flawed.
 
Intel, AMD and others have known about Meltdown and Spectre for almost a year now and probably understood the other flaws were going to be discovered. I think for consumers that don't need hardware currently, it'd be tough to do an upgrade with something that you know is flawed.

There will always be flaws. If you buy a Meltdown and Spectre fixed CPU in the future, they'll find another CPU flaw a couple years after you buy it. It's a never ending battle.

Then there are also flaws you will never know about....
 
So some researchers are finding vulnerabilities that no private citizen or even a non-government organization can ever exploit, and we all get punished by diminished performance due to patches, as if there aren't hundreds of other exploits in our system that those big security organizations / governments can use already.
 
I can't help but just shake my head at yet another CPU vulnerability being discovered, when I still have not gotten a BIOS update for the first Spectre on my X99 system.
I upgraded my ASRock Z170 BIOS to the latest and it breaks SkyOC.
:cry:
 
I upgraded my ASRock Z170 BIOS to the latest and it breaks SkyOC.
:cry:

I had the experience of having issues with CSM disabled on new BIOS boards and it would break OC entirely, even memory above 2666 MHz was a dead end.
Enable CSM and 3600 CL16... hmmmmm...
 
So I can expect that all of these patches will bring down my perf by at least 15%? And also may break an OC........>_<


I haven't applied any of these fixes so far, wondering if I should even bother if the problems/exploits just keep on rolling out every couple of months.

I can't imagine the issues with laptops that don't get regular updates in the first place.
 
However, on the Intel side, there is deafening silence.

Seems to be par for the course lately with this stuff. Also makes me wonder how many of their original engineers who may have spoken up about this back in the day are still with them and able to provide credible solutions. Considering how long it's still taking for the ones that came almost a year ago I'm guessing closer to none. Yet more reasons I'm looking forward to an AMD based rig in 2-4 years when I might need one.
 
For those wondering if there is an end to these, probably not. Even after countless patches and now deprecation, new Flash exploits keep appearing. Anyone expect an end to JavaScript hacks? Or folks finding new ways to exploit HTTPS traffic? This is the world of tech. It has flaws. Bad folk exploit the flaws for personal gain. All most of us can do is perform a risk of breach, cost of breach, cost of mitigation analysis and react accordingly.

Given the low cost of a basic machine these days, might be worth it to pick one up for use as your banking, online ordering, email, etc. machine and patch the crap out of it and accept the performance losses.

Skip the performance harming patches on your retina detaching performance gaming rig and accept that you might have to do the occasional wipe and reinstall.
 
It is a shame these exploits don't translate to cheaper 2nd hand Xeon CPUs yet. I would love to pick up a 22 core for $100.
I would wait until someone makes a virus or malware that exploits this and then steals tons of data, cause we all know these "fixes" just fix the demo that shows the exploit and not the exploit itself. Best yet, Intel rushes a fix and it ends up breaking all the servers that applied it for over a week. We'll call it the black internet week. I guarantee you those Xeon chips will be $100 or less after that situation.
 
I know this affects AMD also, I'm just wondering if it includes the 2nd Gen Ryzen CPUs?
 
I suppose after all the vulnerabilities are discovered and the patches are applied, every processor will perform about the same since the bulldozer. ;)
 
So some researchers are finding vulnerabilities that no private citizen or even a non-government organization can ever exploit, and we all get punished by diminished performance due to patches, as if there aren't hundreds of other exploits in our system that those big security organizations / governments can use already.
I agree, we're not running banking systems in our homes. These performance impacting patches should be strictly opt-in. I prefer to keep whatever little performance I can afford. I'm not a target for corporate espionage, and I make backups. And honestly what are we talking about? If someone wants it bad enough they'll just get physical access or kidnap you and torture you for the password.
 
This sounds like another of the Spectre variants they were going to release earlier in the month. Great, I have a fairly secure OS on my desktop, but flawed hardware (Win10 & i3 4330), but my smartphone has clean hardware but an insecure OS (Snapdragon 425, 4x A53s & Android 7).
 
Anyone else think the graphics in that video look a lot like the old Chip's Challenge game? I am sure that game is the origin of all these architectural bugs!
 
This is exactly why I decided not to upgrade this year, keep my i7 4790K with my 2 1080 Ti's and wait it out till Intel releases a whole new architecture without these faults.

While AMD IS Appealing, my personal history with AMD-based CPUs keeps me from EVER going back. I had major issues with my AMD Athlon 2400+ and would NEVER switch back.

Burned that bridge a long time ago.
 
This is exactly why I decided not to upgrade this year, keep my i7 4790K with my 2 1080 Ti's and wait it out till Intel releases a whole new architecture without these faults.

While AMD IS Appealing, my personal history with AMD-based CPUs keeps me from EVER going back. I had major issues with my AMD Athlon 2400+ and would NEVER switch back.

Burned that bridge a long time ago.

With a late model 4790K, I don't blame you for holding out a while longer. Nothing new is really compelling.

However, I think it's time to drop the Thoroughbred grudge. AMD has come a long way, but more importantly, so have motherboard manufacturers. All the problems with the Athlons were related to abysmal knockoff components on the motherboard.
 
With a late model 4790K, I don't blame you for holding out a while longer. Nothing new is really compelling.

However, I think it's time to drop the Thoroughbred grudge. AMD has come a long way, but more importantly, so have motherboard manufacturers. All the problems with the Athlons were related to abysmal knockoff components on the motherboard.

Agreed... The 2400+ was a gem during that time period. Unfortunately, there were several ways to make them look awful. Bad motherboard designs and components were way too common, the chipset support was less than inspiring, many badly made cooling solutions and there was an abundance of garbage power supplies. Get any one of the three and it was a nightmare.
 
This is exactly why I decided not to upgrade this year, keep my i7 4790K with my 2 1080 Ti's and wait it out till Intel releases a whole new architecture without these faults.

While AMD IS Appealing, my personal history with AMD-based CPUs keeps me from EVER going back. I had major issues with my AMD Athlon 2400+ and would NEVER switch back.

Burned that bridge a long time ago.

I was actually impressed with the Ryzen 1400 so I felt fine getting the 2700x for my main rig (replacing a 5960x, mobo started acting up). It's my first AMD CPU since the K6-2 350 MHz and it's been rock solid.

I stayed away from AMD for the reasons you mentioned. Seems like they have that ironed out with Zen+.

I understand the mentality though. I had 3/3 EVGA 1080ti Hybrids shit the bed. I won’t be buying from EVGA again. Hybrids anyways. I love their PSUs with the single 12V rails.
 
inb4 5% ipc increase per year is too much so tocks mean patching 4 of these bugs and ticks patch 2 more. also, kudos to the people finding these.
 