Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[roseway]

A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug. Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

[Ronski]

There's going to be a lot of very annoyed users if we do see a 30% performance hit. I won't be happy having invested a lot in many Intel systems if they all slow down.

[sevenlayermuddle]

I was reading random stuff about this earlier.   Thought I saw a mention that MacOS had already released a fix, presumably without disclosing what it did.  I can’t find that story again, maybe I imagined it.   But if true, the relevance would be that I don’t remember any complaints about Mac performance after recent updates?

Danger is that whilst the 30% hit makes a great news story, it also becomes a self-fulfilling prophecy.   We all know that systems often appear to degrade over time as people install more and more rubbish.   After this, they’ll have a scapegoat to blame for such degradations...

[broadstairs]

That's handy that I've been running AMD processors now for some years on my desktop. Sadly I do have 3 Intel laptops, all running Linux.

Stuart

[22over7]

The register thread was fascinating. Virtual memory handling seems like skating on ice. In olden days, VM "worked" if stuff ran (by the skin of its teeth) without crashing.  Nowadays, the security side is so much more important, and the attack-surface so much larger, and prominent. Winging it doesn't work. Processor design seriously needs a dose of the quivering horrors, and more professional attitude. With floating-point units, that happened in the 90's, but only because the alternative was stingingly expensive (for Intel again, IIRC). Let's hope this is expensive too.

I'm not sure (phones? central heating?), but the only amd cpu in the house that I'm aware of is a raspberry pi. Bloody hell. And who knows what lurks in that.

[sevenlayermuddle]

Have to say, I have no idea what CPU lurks within my smart TV, or my smart Blu Ray player, both
Linux based and fully exposed to the big bad Internet.  Still under warranty so I will resist taking them apart to see what’s inside.

Even if they are Intel, I certainly shan’t be pinning my hopes on a kernel update.

[adrianw]

... fully exposed to the big bad Internet. ...

What, no firewall blocking unsolicited input?
Brave, very brave.

[sevenlayermuddle]

What, no firewall blocking unsolicited input?
Brave, very brave.

Firewall is largely irrelevant here.

Of course I have a NAT firewall that would make incoming attacks difficult, but I have no control over the exchanges that are initiated by the devices themselves.   I know the TV phones home to Panasonic for example, each time I try to access Netflix, though I don’t know why.   Out of the box, it phoned home even when I simply switched freeview channels, though I figured out how to disable that. 

Even without phoning home, I regularly view sources such as Netflix and IPlayer.   We should not rely on that material, or the data that is streamed, to free from malware.

These devices also run a whole proliferation of third party Apps, some I have installed, some came bundled.   I use hardly any but I have no idea how or why these Apps might be launched, or what sort of traffic exchanges these Apps may initiate.

[burakkucat]

Intel Responds to Security Research Findings

Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.

Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.

Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.

  

[sevenlayermuddle]

With Apols to B’Cat, as I see his post has crossed while I type....

Intel’s response.

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

Time will tell but sounds to me like they are in a rather dangerous denial mode, and very afraid.

They name AMD and ARM as if to imply them too, in carefully chosen words that say nothing slanderous (probably), but possibly a well contrived smoke screen.   

Then again, the whole story has yet to emerge.   Let’s watch with interest.

[burakkucat]

With Apols to B’Cat, as I see his post has crossed while I type....

b*cat performs one of his best Japanese style bows in 7LM's direction.

Time will tell but sounds to me like they are in a rather dangerous denial mode, and very afraid.

They name AMD and ARM as if to imply them too, in carefully chosen words that say nothing slanderous (probably), but possibly a well contrived smoke screen.   

So I am not the only one to "sense those vibrations".

Then again, the whole story has yet to emerge.   Let’s watch with interest.

Yes, definitely. Who knows what may eventually "scuttle out of that hole".

[banger]

MS Patch for Win 10 released today.

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4056892

Use at own risk but my 2 machines seem ok.

[adrianw]

There is some interesting discussion at https://forums.freenas.org/index.php?threads/intel-is-well-and-thoroughly-screwed.60331/
One person with cloud contacts believes that the cloud industry is in a panic about the performance impact.

As with the Atom problem, Intel seems to be relying on NDAs again to try to keep the lid on. Vis this in a recent FreeBSD security announcement:
The FreeBSD Security Team recently learned of the details of these
issues that affect certain CPUs. Details could not be discussed
publicly, but mitigation work is in progress.

Intel's CEO selling $24 million of shares after the problem became known to Intel seems rather iffy too. http://uk.businessinsider.com/intel-ceo-krzanich-sold-shares-after-company-was-informed-of-chip-flaw-2018-1?r=US&IR=T

I already have 4 Atom based machines machines (NASs and firewalls) with their probably shortened life. Now it looks as if they, and the rest of my stable of desktops and a laptop, may start to have performance problems.

As I recall, Fred Hoyle and John Elliot's 1961 A For Andromeda mentions a different organisation called Intel as being most evil. Prescient.

[adrianw]

Firewall is largely irrelevant here.

Of course I have a NAT firewall that would make incoming attacks difficult, but I have no control over the exchanges that are initiated by the devices themselves.   I know the TV phones home to Panasonic for example, each time I try to access Netflix, though I don’t know why.   Out of the box, it phoned home even when I simply switched freeview channels, though I figured out how to disable that. 

Even without phoning home, I regularly view sources such as Netflix and IPlayer.   We should not rely on that material, or the data that is streamed, to free from malware.

These devices also run a whole proliferation of third party Apps, some I have installed, some came bundled.   I use hardly any but I have no idea how or why these Apps might be launched, or what sort of traffic exchanges these Apps may initiate.

Mmm, yes. Who knows what software is telling, and getting, when it phones home.

[Weaver]

Luckily I still have a non-smart TV. If I have to get a new one I suppose I can either refuse to allow it into the LAN, or segment it off somehow onto a second, untrusted LAN, so as to stop it from getting near my other boxes or even attacking LAN infrastructure.

There is definitely going to be some serious arse-kicking at Intel, I would hope. What were they thinking? I wonder about sneaky unchecked writes to supervisor space?

I know all about what speculative execution is, even though I am a very old machine code programmer, but I would very much like to see some of the Dutch PhD student’s code to give me a concrete example.

I am hoping that Intel will put in a 'bug fixed' flag in CPUID, so that operating systems can skip all the wasteful nonsense that they are having to put in just now. I wonder if they have already made such a definition now ahead of time, so o/s's won't have to be re-released yet again merely to pick up the CPUID awareness thing. It would also be nice if we could have a boot option to opt out of this mod for the special case where if we only ever have trusted code in our boxen. And I'm assuming the o/s designers will put in a different code path, or better a different build altogether, for AMD CPUs right now.

If it is true that Apple has already fixed the bug (when?) then perhaps the performance impact isn't quite as bad as asserted (seeing as no-one has complained), or perhaps the hit is only as bad as 17%-30% or whatever if you have a peculiar app that does a huge number of ring transitions to kernel mode.