• Intel “Kernel Memory Vulnerability” is going to hit all of us

    #155599

    I first read about the problem in an article in The Reg yesterday from John Leyden and Chris Williams: A fundamental design flaw in Intel’s processor
    [See the full post at: Intel “Kernel Memory Vulnerability” is going to hit all of us]

    • #155600

      Forcing a redesign on the Windows kernel? Wow, this is huge. Microsoft better not ignore Windows 7 and 8.1 as usual. I’m sure they will come up with some excuse as to why they can’t patch older Windows. Looks like we’re just gonna have to wait for the next Windows patches.

      • #155617

        Windows 8.1 is still in mainstream support until this Patch Tuesday :).

        Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider
        • #155620

          Yeah well, Microsoft is still blocking Windows 8.1 on newer processors even though it’s in mainstream support so you never know with Microsoft. And this CPU exploit is a major critical security flaw which Microsoft SHOULD fix on Win 7 and 8.1.

      • #155641

        I’m not sure I’ll be that bothered if they do ignore Windows 7, this sounds like one forthcoming update I could happily sit out for a while, not least if MS unnecessarily apply it to my AMD gaming machine and not just my Intel browsing/Office 2010 machine. I could take a performance hit on the latter, but not on the former.

    • #155614

      Up to 30% slower for all Intel CPUs? What the…??? Seriously now? And hasty kernel changes, those seem very likely to cause all sorts of problems.

      • #155616

        There is a topic under the “Code Red” Forum by @BillC (referenced by a link in the main blog article) that has more information.

        • #155634

          I really wish I could pull those posts into this thread… but the site isn’t working right.

          Sigh.

      • #156108

        I would really like to say something, but it would break Woody’s no swearing rule!

        Being 20 something in the 70's was far more fun than being 70 something in the insane 20's
    • #155618

      I wonder if there will be emergency patches for XP and Vista as well.

    • #155637

      I’d like to see a list of processors affected by the bug. I’m running several PCs that have 10 year old processors, which may give the option of declining the patch. I’m dead certain the patch won’t discriminate between Intel processors and probably won’t exclude AMD processors that don’t have the flaw given Microsoft isn’t exactly sensitive to user experience and Intel will get the blame.

      This is a less technical summary of the problem: https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-bug-faq-how-it-affects-pc-mac.html

      Intel offers a detection tool to see if your processor is vulnerable https://downloadcenter.intel.com/download/27150

      Unfortunately, the output on my elderly PC wasn’t helpful: “This system may be vulnerable, either the Intel(R) MEI/TXEI driver is not installed (available from your system manufacturer) or the system manufacturer does not permit access to the ME/TXE from the host driver.” YMMV

      • #155640

        I saw Ivy Bridge mentioned. That was what 2011 or 2012?

        • #155642

          Q2/12 > Q1/14 🙂

          • #155671

            PKCano,

            My PC laptop Win 7 Pro, SP1, x64, which I bought in June 2011, has an Ivy Bridge I7-2630QM CPU.

            I do not know if that is good or bad. Perhaps someone here could clarify this with an actual list of all CPU affected. Or offer a link to one? Pretty please?

            ***Mac users beware! This should also be a problem with a Mac, as Macs, for many years now, also have had Intel processors. My new one has an I-7 (I just checked).***

             

            Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

            MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
            Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
            macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

            • #155697

              Oscar, your CPU is a Sandy Bridge.

              All ix 2xxx series are Sandy, ix 3xxx Ivy, ix 4xxx Haswell, etc.

            • #155708

              Satrow,

               

              Thanks for reminding me: my CPU is a proto-Ivy Bridge. I’d forgotten that.

              My question remains, though: Is that good or bad?

              Also: I hope that when Intel releases a list of CPUs affected, they do so with all the letters and numbers in their names, not some generic “I5”, “I-7”…

      • #155654

        I’m pretty sure that Intel detection tool is for the previous IME/AMT issues, not the current one.

      • #155659

        I believe the Intel download mentioned above is for the Management Engine and its Active Management Technology, not the current CPU vulnerability.

        From the website: Versions of the INTEL-SA-00086 Detection Tool earlier than 1.0.0.146 did not check for CVE-2017-5711 and CVE-2017-5712. These CVE’s only affect systems with Intel Active Management Technology (Intel AMT) version 8.x-10.x. Users of systems with Intel AMT 8.x-10.x are encouraged to install version 1.0.0.146, or later, to help verify the status of their system in regards to the INTEL-SA-00086 Security Advisory.

        I too have an older CPU (original i7-960) which I hope is not covered, but I believe is affected by the kernel leak. It is NOT however vulnerable to the Intel ME or AMT issue.

        I am so glad I postponed my Linux build. I was going to go Intel, but will wait and now probably go AMD Ryzen.

      • #155672

        MrToad28 said:
        I’m running several PC’s that have 10 year old processors..which may give the option of declining the patch.

        Intel’s advisory describes my CPU (Intel Core i5) as amongst those affected, & advises user to install the OEM-supplied BIOS/UEFI patch or ME/SPS/TXE firmware update, & possibly an updated Intel ME Driver as well.

        However, even though my OEM laptop’s security page for the said Intel CPU bug sorts the various PC models into Affected vs. Not Affected vs. Researching (ie. status not known yet), there is no listing for my laptop model (released in 2010). In other words, I don’t even get to decide to reject installing the patches.

        As such, are “elderly” PCs not affected by the Intel bug, or are OEMs declining to offer critical security patches for them?

        Also, how does Microsoft’s upcoming (all-in-one ?) patch differ from those offered by OEMs? (The latter is what Intel advised users to approach for updates regarding the CPU bug.) Do Win OS users need to install patches from both the OEM & Microsoft?

        • #155699

          Those earlier patches for Intel’s IME and AMT issues are different; we won’t know much more about the details and extent of the current CPU/kernel vulnerabilities and which CPUs are affected until Intel goes public (which might be as soon as tomorrow – if their stocks continue dropping 😉 ).

          • #156193

            satrow said:
            Those earlier patches for Intel’s IME and AMT issues are different

            Thanks for the clarification. So for clarity, the bugs are as follows:-

              • INTEL ME – elevation of privilege, requires BIOS & Intel ME driver patches
              • INTEL CPU – Meltdown kernel bug, requires firmware & multiple software patches
              • INTEL/AMD/etc CPUs – Spectre kernel bug, no patch, requires changing CPU

            Do the Meltdown & Spectre bugs affect only 32-bit (x86) CPUs? I keep seeing the term “x86 architecture” being mentioned in articles about Meltdown & Spectre.

            If yes, does it mean that those using x64 CPU + x64 OS + x64 programs are safe ? What about the case of using 32-bit programs on x64 OS powered by x64 CPU ?

            I just checked my laptop OEM’s security advisory website again for firmware patches wrt Meltdown. Oddly though, zero news there — compared to the uproar elsewhere (even on mainstream newspapers & TV).

             

            • #156202

              Do the Meltdown & Spectre bugs affect only 32-bit (x86) CPUs ?

              No, Meltdown and Spectre affect both x86 and x64 since Pentium Pro (1995).

              There are software patches being released. But these vulnerabilities require both software and hardware fixes.

               

            • #156243

              The Intel ME/AMT/XE vulnerabilities were disclosed during 2017 and are quite separate from the vulnerabilities all over the news currently.

              x86 CPU architecture is the generic term for the majority of CPU types over the last few decades, most current CPUs are x86 32-bit (x86) and x86 64-bit (x64 – which is really AMD64!).

              Details are still sketchy on Meltdown and Spectre but it looks like very few AMD/ARM processors are susceptible to Meltdown.

              Spectre looks like it will be an ongoing issue: firmware and OS patches look certain to be required but perhaps more importantly, 3rd party internet-facing software will also need to be patched.

              We really don’t know enough details as yet, the vulns. were disclosed early, resulting in something of a panic release of details/patches by the affected companies, which should level out and get clarified/updated further during the coming weeks.

              OEM’s like your notebook maker were also caught on the hop by the news leak, they should have BIOS/firmware and patches in testing but they (hopefully) won’t release them until they know they won’t brick machines.

            • #156814

              satrow said:
              OEM’s like your notebook maker were also caught on the hop by the news leak, they should have BIOS/firmware and patches in testing but they (hopefully) won’t release them until they know they won’t brick machines.

              Thanks for the clear explanation regarding “x86 CPU architecture”, etc.!

              As for whether my laptop’s OEM was caught off-guard … BBC News reported that the IT industry (including OEMs, I suppose, since it involves the CPU) has known about Meltdown & Spectre for the past 6 months.

              http://www.bbc.com/news/technology-42562303
              The BBC understands the tech industry has known about the issue for at least six months – and that everyone involved, from developers and security experts had signed non-disclosure agreements. The plan, it seems was to try to keep things under wraps until the flaws had been fully dealt with.

               

              Anyway, I checked my laptop OEM’s security advisory page again, & as of 05 Jan 2018, they finally have a page for CPU patches.

              However, my laptop (released: 2010, Intel CPU) is again NOT listed amongst the list of Affected, Not Affected & (still) Researching models. The situation is similar to the recent case for the Intel Management Engine bug (Dec 2017). I think the OEM is not supporting my laptop model anymore. I suppose this means that I won’t be able to protect my laptop against the 2 latest Intel firmware bugs (Intel ME & Intel Meltdown-Spectre).

              So if there is no Intel CPU microcode patch available, is it advisable (or even useful) to install Microsoft’s 03/04 Jan 2018 kernel patch ? Are they dependent on (or independent of) each other ? I wonder what’s the point of letting MS’s software patch slow down the PC, when the firmware patch is not even available …

              List of OEMs & Software Vendors affected by Meltdown-Spectre side-channel attacks:
              https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=584653&SearchOrder=4

    • #155651

      Tweet from Alex Ionescu‏: “It’s worth pointing out that not only does Windows have KPTI/KVA shadowing enabled for AMD processors as well, it even has specialized shadow system call entry stubs for AMD vs Intel. This either suggests they know how to embargo properly or that Tom’s PR is not entirely accurate”

    • #155660

      From https://twitter.com/kyREcon/status/948579303851249664:

      “Is there a specific list of Intel CPUs that are affected, or is it just basically about all of them for the past decade?

      [Answer from Alex Ionescu] Pentium Pro and later”

    • #155673
      Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'
    • #155675

      ***Mac users beware! This should also be a problem to anyone with a Mac, as Macs, for many years now, also have had Intel processors. For example, mine (MacBook Pro 2015) has an I-7 (I just checked).***

      As to how far back the problem goes: When I bought, in June 2011, my (now) old PC (Win 7 Pro, SP1, x64), it already had an I-7 CPU.

      Perhaps someone could post here a complete list of all CPUs affected, or offer a link to a site with such a list?

      Pretty please?

       

    • #155666

      >Microsoft better not ignore Windows 7 and 8.1 as usual
      If this flaw is as huge as they’re making it out to be, it would be ridiculous not to have a patch for Windows 7 since at least 40% of machines are still running it.

    • #155707

      Honestly, and personally, I hope that the fix for win7 is going to be enough “separate” that will allow to avoid installing it.
      I prefer my current performances vs a supposed possible future risk.

      Maybe is not the right attitude but…

      Edit
      unless they do a good job optimizing the patch and reducing the impact to max 5% ( no, I don’t believe anymore in santa, but miracles can happen I guess )

      • #155717

        Honestly I believe much of the fix won’t be felt by most users. Could be wrong, but I am certain you could really regret not applying the fix. Once this gets out it’s not going to be difficult to craft something to exploit it. This has been kept very hush within Intel which is very unusual. A definite concern they must have that any hint of the details could allow a zero day exploit to affect a lot of devices before a fix is in place. I’ll take my chances on a little slowdown which I doubt I will probably notice.

        • #155721

          Yeh well, you’re probably right and we’re going to just speculate until we see some real benchmarks.
          Then the debate can be about optimization… aka if linux kernel patches are well designed and optimized ( same reasoning can be done for windows ).

    • #155711

      A thirty percent slowdown? If the vulnerability affects Celeron processors you might not like your shiny new Intel based Chromebooks and other cheaper home computers using Windows 10 or GNU/Linux after the patch. I already dread hearing or reading about any complaints.

      Oh, how will this affect the already lengthy time wasting Windows Update process? Interesting Times indeed…

      EDIT html to text

    • #155716

      Sounds like this will affect a lot of Intel CPUs in recent years. Still remains to be seen what effect it has on function and speed. One company’s mess is another’s gold mine, which I am sure AMD is thinking right now. First the engine management mess, now an even bigger mess which is not so easily fixed. I wonder how far back Intel knew this was a problem?

      • #155720

        Well, it took 10 years to be found out… but would be interesting to know how they found it, and how it got leaked.

        This said, it’s not the first time intel has a flaw in a design, but those few other times they resorted in a microcode fix in the bios, if I remember right.

    • #155726
      • #155727

        From that link: “And which Intel processors are affected? Again it’s not entirely clear, but indications are that every Intel chip with speculative execution (which is all the mainstream processors introduced since the Pentium Pro, from 1995) can leak information this way.”

    • #155730

      Wow, well this is a nice start to 2018 isn’t it? If this is going to be as big a performance hit on older systems as expected then i can see i’m going to be avoiding this month’s patches. As i’m sure a lot of people will choose to do unfortunately.

      -T

    • #155743

      Most people have OEM systems and one can expect the OEMs to provide very specific information on their respective support websites as to what is affected and what is not (i.e. product type and system model number). Intel is not going to do that. I’m sure that the OEMs/Intel/AMD have coordinated with MS/Apple/Linux in regards to the patching candidates.

      I suppose there will be people who will prefer to not install the patch due to the perceived performance hit, so I would not be surprised if Microsoft pulls the same sneaky maneuver that they deployed with the patch for the KRACK WPA2 vulnerability. It was in the security bundle but not disclosed as to where it was.

      The results (fallout, whatever), is going to be very interesting. The Intel CEO had better get out of Dodge. Dumping as much stock as he did, when he did, looks bad no matter the circumstances.

    • #155752

      I’d like to see a list of processors affected by the bug. I’m running several PC’s that have 10 year old processors..which may give the option of declining the patch. I’m dead certain the patch won’t discriminate between intel processors and probably won’t exclude AMD processors that don’t have the flaw given Microsoft isn’t exactly sensitive to user experience and Intel will get the blame.

      This is a less technical summary of the problem: https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-bug-faq-how-it-affects-pc-mac.html

      Intel offers a detection tool to see if your processor is vulnerable https://downloadcenter.intel.com/download/27150

      Unfortunately, the output on my elderly PC wasn’t helpful: “This system may be vulnerable, either the Intel(R) MEI/TXEI driver is not installed (available from your system manufacturer) or the system manufacturer does not permit access to the ME/TXE from the host driver.” YMMV

      Thanks for the link to the Intel vulnerability checker. My OptiPlex 780s show as not vulnerable. We’ll just have to wait and see if the forthcoming patch installs on non-vulnerable systems, or if we have to intercept/hide it.

      I don’t know if it’s practical, but it would be useful to have a list of the results of the Intel vulnerability checker. My Opti 780s: Not vulnerable. My Thinkpad T61s: Indeterminate. (The vulnerability checker won’t run because it doesn’t play nicely with the T61s’ implementation of AMT.)

      GaryK

      • #155756

        Again, just to remind everyone, the link to the Intel download center for SA-00086 is NOT for the leak vulnerability that is the title of this thread.

      • #155757

        Are you sure that vulnerability checker you are running is not the one for the Management Engine? I don’t think the info is available yet on the kernel vulnerability.

    • #155808

      I wonder how this patch/fix will affect Intel’s legacy processor lines?

    • #155815

      Windows 10 and 8.1 security updates have been made available today. I expect a Windows 7 security update will arrive soon.

      • #155855

        @MrBrian

        Everything I’ve read about the Meltdown fix either says that systems with a heavy workload could see up to a 30% slowdown or that most home users probably won’t notice any or very little change. My questions are these: What exactly would count as a heavy workload for a system? (Please be as detailed as you can with your answer, I’ve entered “utterly clueless” territory with this kind of thing.) My second question is considering my desktop has a lower end and old processor (Intel Pentium dual E2108) what symptoms could I expect if my PC were to get that system slowdown?

        • #156207

          Anon #155855 said:
          What exactly would count as a heavy workload for a system?

          I’m curious to know as well.

          For example, would the following tasks be considered as inducing a heavy workload on a machine with an Intel Core i5 (2.67 GHz) CPU, 4 GB RAM & 1 TB 5400 rpm platter-harddisk (more than 90% empty), while the indoor ambient temperature is a balmy 30-35 deg C (86-95 deg Fahrenheit) ?

          1. Multi-layer image editing (eg. using Photoshop)
          2. Multi-frame video editing (eg. using Adobe or Nero)
          3. Audio/ Video format conversion
          4. Batch filesize optimizing (eg. using FileOptmizer)

          The CPU usage on my laptop — even with newly-installed Win 7 x64 on a new HDD (ie. no accumulated junk)  — would go over 30% when carrying out something as simple as task (4). And I can’t perform another moderately intensive task at the same time, without fearing a (literal) meltdown from the generated heat (especially with no aircon here).

          Can’t imagine what would happen if the Meltdown bug patch were to slow things down by up to 30%. And I suppose, with even more heat generated in the process ? (Ah, perhaps that’s why the bug is called Meltdown …)

        • #156807

          Okay, an update to my own curious question above (#156207).

          A regular/consumer workload implies casual internet browsing, sending emails, & maybe editing a small/moderately-sized text/doc file (say, less than 50 MB).

          http://www.bbc.com/news/technology-42562303

          [Bryan Ma, a senior analyst at technology consultancy IDC] agreed that for most regular users – who rely on their computer for web browsing and email – the security fixes were unlikely to slow their computer.

          The above suggests that I’m probably really NOT a regular PC user. (And I haven’t even mentioned playing 3D games.) So the Meltdown kernel patch is likely to have a substantial slowdown impact & possibly make my machine quite unusable (or extremely frustrating) for the tasks I often carry out.

    • #155839

      From “Meltdown” and “Spectre”: Every modern processor has unfixable security flaws: “Now we know what the flaw is. And it’s not great news, because there are in fact two related families of flaws with similar impact, and only one of them has any easy fix.”

    • #155848

      Intel Responds to Security Research Findings
      News Byte | January 3, 2018

       
      Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

      Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

      Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

      Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.

      Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.

      Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.

       
      Reproduced in full from Intel

      • #155872

        In response, from theregister.co.uk (be warned, language may offend):

        Security
        We translated Intel’s c*** attempt to spin its way out of CPU security bug PR nightmare
        As Linus Torvalds lets rip on Chipzilla
        By Thomas Claburn | January 4, 2018

        You can read it here

        • #156115

          For every Intel CPU there are lots of errata that Intel have marked as ‘won’t fix’, for now I cannot openly find such information for AMD or ARM. (Perhaps if one reads through the Linux kernel source there might be comments about such design errors.)

        • #156135

          For those technically inclined, it is worth your time to click through The Register’s linked Linus Torvalds mailing list thread about this meltdown processor problem.

    • #155853
      • #155857

        From the first link (my bolding): “Customers using Windows client operating systems including Windows 7 Service Pack 1, Windows 8.1, and Windows 10 need to apply both firmware and software updates.”

    • #155858

      From Protect your device against chip-related security flaws: “Microsoft is aware of the recently discovered security flaw that impacts chips from several different manufacturers. Many devices and applications will be affected by this flaw, including any operating systems such as Windows that run on the affected chips. To get all available protections, get the latest updates for both software and hardware. Take the following steps:”

      • #155887

        If a customer is on Linux, and the computer vendor makes firmware updates that can only be installed via Windows, I wonder whether (and how) the customer can update the firmware?

        Or are firmware updates “universally” applicable somehow?

         

        • #156039

          It varies by vendor and model, but my Intel NUC gets its firmware updates independently of the OS. My ASUS tablet is SoC and WIMBoot. If it ever gets a firmware update, the new BIOS must be installed through the OS (Windows 10 Pro currently). It may not be worth updating an old tablet, so this may be the death-knell for that tablet.

          I run both Linux and Windows on the NUC but only have to apply firmware updates once. It is done through the BIOS Setup, which is pre-boot.

          -- rc primak

    • #155856

      …and will be mitigated over time.

      Hehe, in other words, we’ll “get used” to the slowdown and so won’t notice it anymore. Some mitigation LOL

      • #155883

        My first PC came with Windows 98.

        That system used to crash every day; some times it missed one day, so the next day it crashed twice.

        Over time, I became less infuriated by this. So we could say the problem was mitigated.

    • #156013

      I found this plain English article useful…my notes below link:

      https://www.cnet.com/news/Spectre-Meltdown-Intel-Arm-Amd-Processor-Cpu-Chip-Flaw-Vulnerability-FAQ/
      major vulnerabilities, called Spectre and Meltdown, could let an attacker capture information they shouldn’t be able to access, like passwords and keys.
      The good news is that hackers would first need to install malicious software on your computer in order to take advantage of these flaws..they need to select their targets and hack each one of them before running a sophisticated attack to steal a computer’s sensitive information.

      So good security practices…antivirus, avoiding phish attacks and updating should mitigate threat risks.

      • #156026

        Unfortunately web browsers seem to be an attack vector, at least for Spectre.

    • #156397

      Copied from @Bill-C’s initial topic, ‘Kernel memory leaking’ Intel processor design flaw:

      ‘Kernel memory leaking’ Intel processor design flaw forces Linux, Windows redesign

      https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

      First the Management Engine (ME) issues and now this. This looks very serious. Lots of links in a Google search.

      Microsoft (apparently) already has an OS level fix slated for upcoming patch Tuesday (Yay?) but it’s expected to cause performance hits from 15-30%. That’s pretty terrible. Not Microsoft’s fault they are just trying to patch the hole. Apple hasn’t commented yet that I can find and Open GNU communities are already scrambling with patches too it seems.

      The [gist] of this is someone at Intel is fired.

      A Huge Intel Security Hole Could Slow Down Your PC Soon

      by Chris Hoffman | January 2nd, 2018

      Intel chips have a massive design flaw, and both Microsoft and the Linux kernel developers are scrambling to fix it. The security hole can be patched, but the patches will make PCs (and Macs) with Intel chips slower.

      We don’t know how much slowdown you’ll see yet, but one developer says a 5% slowdown will be fairly typical—at least on Linux—while certain tasks could experience slowdowns as high as 30%.

      What’s Going On?
      We don’t know the exact security flaw yet, as it hasn’t been publicly revealed. But we can deduce much of what’s going on from the changes being made in the Linux kernel, where development happens publicly. Microsoft is also making similar changes to Windows, which are currently active in Insider Preview builds. Apple will be forced to make similar changes to macOS, as this is a flaw in Intel CPUs.

      Read the full article here

      Some performance impact benchmarks from the Linux x86 patch at Phoronix.

      Linux Gaming Performance Doesn’t Appear Affected

      Given that the El Reg piece said “More recent Intel chips have features – such as PCID – to reduce the performance hit. Your mileage may vary.” and the above tests were using CPUs from the last ~2 years, one wonders how big the performance hit might be on earlier CPUs affected.

      Tip o’ the hat to Tomaso for the link.

      • #156405

        As to Macs, it looks like Apple has already prepared “mitigating” patches for the latest version of its Mac Os:  Mac OS 10.13.2 “High Sierra”, and is working on some more to complete the job:

        https://www.macrumors.com/2018/01/03/intel-design-flaw-fixed-macos-10-13-2/

        The previous two versions still supported: 10.11.x “El Capitan” and 10.12.x “Sierra” are not mentioned, yet, anywhere I looked in.

    • #155748

      That doesn’t necessarily have anything to do with this. This is very common for CEOs to do, especially at the end of the year for tax reasons etc. But I agree that the timing does seem a little strange.
