Slashdot Mirror


Eight New Meltdown-Like Flaws Found (reuters.com)

An anonymous reader quotes Reuters: Researchers have found eight new flaws in computer central processing units that resemble the Meltdown and Spectre bugs revealed in January, a German computing magazine reported on Thursday. The magazine, called c't, said it was aware of Intel Corp's plans to patch the flaws, adding that some chips designed by ARM Holdings, a unit of Japan's Softbank, might be affected, while work was continuing to establish whether Advanced Micro Devices chips were vulnerable... The magazine said Google Project Zero, one of the original collective that exposed Meltdown and Spectre in January, had found one of the flaws and that a 90-day embargo on going public with its findings would end on May 7...

"Considering what we have seen with Meltdown and Spectre, we should expect a long and painful cycle of updates, possibly even performance or stability issues," said Yuriy Bulygin, chief executive officer of hardware security firm Eclypsium and a former Intel security researcher. "Hopefully, Meltdown and Spectre led to improvements to the complicated process of patching hardware."

Neowin now reports that Intel "is expected to release microcode updates in two waves; one in May, and the other in August."

7 of 82 comments

  1. Well which is it? by ravenshrike · Score: 4, Insightful

    MELTDOWN or SPECTRE? Because the effects of SPECTRE flaws that aren't like MELTDOWN can be almost completely mitigated through good program design. MELTDOWN class flaws however mean that once exploited anything the computer is doing can be exploited and program design doesn't matter.

    1. Re:Well which is it? by Anonymous Coward · Score: 2, Insightful

      Good program design severely limits the total access of a SPECTRE type flaw. However the access granted by a standard SPECTRE exploit will still give out some information. Thus through good program design you can avoid giving away important information like passwords or cryptography keys even if someone is using a SPECTRE type exploit on your system. Whereas there is no real protection against a MELTDOWN flaw once it is exploited. At that point the person running the exploit has access to everything going on in the system.

      “Good program design” means breaking high resolution timers for scripts and plugins? Sorry, SPECTRE mitigation goes way outside normal design considerations unless we’re winding back to “don’t run untrusted code/plugins/script ever”, meaning go back to Web 1.0

    2. Re:Well which is it? by Anonymous Coward · Score: 2, Insightful

      unless we’re winding back to “don’t run untrusted code/plugins/script ever”

      That was always good advice. Like lots of good advice, much grief has been caused by the myriad efforts to avoid it.

  2. Re:Explain by drinkypoo · Score: 5, Insightful

    Also are the new ones in the category of silicon fix (half a year cycle time at best) or microcode??

    It depends on which CPU you've got. Intel has already announced that they are never going to fix a whole bunch of CPUs with microcode updates, in spite of having fixed some other CPUs which are about the same age. Some have stated that they believe this means that they can't fix them in microcode. Personally, I suspect that they can, but the performance impact would be beyond anything we've seen so far, so they're simply refusing to do so.

    I'd like to see Intel outright forced to issue a fix for any processor where it is possible, for those customers who can accept the performance impact. Remember, Intel abused their market position over AMD — and that market position was based on a competitive speed advantage which was in turn based on compromising security! Not forcing them to fix it in every possible case is literally rewarding them for bad behavior. I would go so far as to say that they should also pay for replacement of any system compromised; they should pay a percentage of the new system price based on the industry average percentage cost of the CPU.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. Re:Price down by Lonewolf666 · Score: 5, Insightful

    It may take a while for AMD to get to the point where customers trust them more overall than they trust Intel.

    From all I read on forums like this (not being in the "decider" circles myself), it takes time to build up a good reputation in the server market. Now AMD was almost out of the server business until a year ago, because their Opterons were quite a bit behind in performance. They were also not completely untouched by Spectre, albeit looking better than Intel in that regard.

    Now AMD have a strong new line of server processors with Epyc, and they have left a better impression than Intel in the whole Meltdown/Spectre affair. So expect them to get quite a bit of interest by customers for Epyc's performance, and also a boost in getting to the point of "less distrusted than Intel".
    But I still think it will be a relatively slow shift in the market, compared to the whims of the consumer market ;-)

    --
    C - the footgun of programming languages
  4. Re:Bigger picture for me? by Lonewolf666 · Score: 3, Insightful

    Well, there is AMD which appears quite competitive again.

    If you are buying stuff like an i7-3930K CPU @ 3.20GHz × 12, I'd guess you are probably among those enthusiasts who are following the news and read stuff like the AMD Ryzen reviews. So you should know they have a pretty competitive processor again.
    Considering the Meltdown/Spectre debacle, AMD are not completely untouched but still looking better than Intel right now.

    Performance wise and to my surprise, the Intel Core i7 7820X (Skylake X 8-core + Hyperthreading) is indeed not that much faster than the i7-3930K, according to what comparisons I can find on the net.
    If your workloads are massively multithreaded, the AMD Threadripper might be worth a look...

    --
    C - the footgun of programming languages
  5. Re:I have an invincible AMD CPU!! by drinkypoo · Score: 3, Insightful

    AMD seems to be immune to this class of exploits, but never believe that they don't have exploits of their own. Nothing that complex is without flaws.

    They were being deliberately silly, but it's still a fact that Intel deliberately did bounds checking at the wrong time for a performance advantage, and AMD didn't. What else has Intel done wrong with their designs in order to get ahead of AMD?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"