Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google and Microsoft Disclose New CPU Flaw, and the Fix Can Slow Machines Down (theverge.com)

Posted by BeauHD on from the screeching-halt dept.

An anonymous reader quotes a report from The Verge: Microsoft and Google are jointly disclosing a new CPU security vulnerability that's similar to the Meltdown and Spectre flaws that were revealed earlier this year. Labelled Speculative Store Bypass (variant 4), the latest vulnerability is a similar exploit to Spectre and exploits speculative execution that modern CPUs use. Browsers like Safari, Edge, and Chrome were all patched for Meltdown earlier this year, and Intel says "these mitigations are also applicable to variant 4 and available for consumers to use today." However, unlike Meltdown (and more similar to Spectre) this new vulnerability will also include firmware updates for CPUs that could affect performance. Intel has already delivered microcode updates for Speculative Store Bypass in beta form to OEMs, and the company expects them to be more broadly available in the coming weeks. The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won't see negative performance impacts.

"If enabled, we've observed a performance impact of approximately 2-8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client 1 and server 2 test systems," explains Leslie Culbertson, Intel's security chief. As a result, end users (and particularly system administrators) will have to pick between security or optimal performance. The choice, like previous variants of Spectre, will come down to individual systems and servers, and the fact that this new variant appears to be less of a risk than the CPU flaws that were discovered earlier this year.

83 comments

  1. Perverse way to drive future CPU upgrades by JoeyRox · · Score: 5, Interesting

    Or perhaps that's just the skeptic in me talking.

    1. Re:Perverse way to drive future CPU upgrades by Anonymous Coward · · Score: 1

      Just to note, commercially available computers are buggy, insecure POS's

      This has been noted before, particularly in reviews for acceptable levels of security that used to require a PC have no network, keyboard or monitor, and be in a locked room in order to be considered secure.

      Why this surprises anybody is beyond me, maybe the gov will slip up and let us all have the specs for whatever Multics led to

    2. Re:Perverse way to drive future CPU upgrades by Anonymous Coward · · Score: 0

      Found this on wikipedia, but it begs the question, where is the follow-on project?

    3. Re:Perverse way to drive future CPU upgrades by misnohmer · · Score: 2

      Close, it's a great way for Intel to marginalize used PC/server market as none of the old machines get the microcode/BIOS patches. All old servers are now for air-gapped applications only.

    4. Re: Perverse way to drive future CPU upgrades by viperidaenz · · Score: 3, Insightful

      The flaws impact the CPU's in Apple products.

    5. Re:Perverse way to drive future CPU upgrades by Anonymous Coward · · Score: 5, Informative

      Or perhaps that's just the skeptic in me talking.

      I'm replying AC because this affects my company but Intel basically says in the advisory that the one mitigation that DOES affect CPU performance is not really necessary if you have a modern OS and modern web browser. I'm not certain this is true, I am not affiliated with Microsoft, GPZ, or Intel, but I do know that this issue has been researched by Intel, Microsoft, and GPZ for many months. In fact, the initial indications suggested that it was worse than it actually is after applying January microcode updates and updating OS and browser.

      That update is going to be enabled/disabled by the user based on a BIOS or OS toggle and Intel recommends it be disasbled under most circumstances. I don't know when they recommend that you enable it, but I assume it is going to be important for cloud hosting providers.

    6. Re: Perverse way to drive future CPU upgrades by Anonymous Coward · · Score: 0

      Liar.

    7. Re:Perverse way to drive future CPU upgrades by Anonymous Coward · · Score: 3, Interesting

      Close, it's a great way for Intel to marginalize used PC/server market as none of the old machines get the microcode/BIOS patches. All old servers are now for air-gapped applications only.

      Responding as AC but... they have provided beta microcode back to the first core processor. I've personally seen it. The people who are NOT providing microcode updates are the hardware vendors that ship your motherboard. However, there are other ways to update the microcode, such as through your operating system. From what I have seen in beta testing, the update does not seem to affect the stability of machines with old BIOS but obviously there is no way to be certain until it starts rolling out.

    8. Re: Perverse way to drive future CPU upgrades by Anonymous Coward · · Score: 1

      Only if you hold it The wrong way

    9. Re:Perverse way to drive future CPU upgrades by Anonymous Coward · · Score: 0

      Here is something that will REALLY slow down your processor:

      Acknowledging the fact that an Intel, AMD, and ARM processors are black boxes can contain vulnerabilities baked in (as we're seeing! and these aren't even the "fun" bugs that may have been baked in on purpose by govts!)

      Once you've realized you're screwed by these companies, use an open cores (like open source) processor. Of course, since these don't have mainstream adoption, you'll be stuck buying a much slower processor for more money. This is how your processor can "really slow down", by wanting to have open standards.

    10. Re:Perverse way to drive future CPU upgrades by AmiMoJo · · Score: 3, Informative

      It's hard to take anything that Intel says seriously. Last time they said the hit would be a few percent, and people were seeing 60%.

      Best to avoid them altogether. And sue in small claims court of you are already a victim.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re: Perverse way to drive future CPU upgrades by Anonymous Coward · · Score: 0, Informative

      That is not simply true. Intel have provided microcode updates only back to haswell

    12. Re:Perverse way to drive future CPU upgrades by Anonymous Coward · · Score: 0

      Nothing perverse about it, the hardware industry was tanking. I'd expect and I'm sure Intel knows, their next major chip will sell not because it's better, but some companies can't have known, exploitable hardware. They'll have no choice but to upgrade and Intel is banking quite literally on it.

      Likely why you're not seeing any real Government stepping in. Plus it gives them an excuse to make sure their next round of backdoors are in place and usable for the next decade. I fully believe Google was aware of this and more, many years ago which is why they started deploying their own hardware.

    13. Re:Perverse way to drive future CPU upgrades by Anonymous Coward · · Score: 0

      Are you sure? I know a lot of people that have decided NOT to upgrade to future CPUs because they may not be fixed. I think this hurts future CPUs.

    14. Re:Perverse way to drive future CPU upgrades by thegarbz · · Score: 3, Insightful

      To be honest I struggle to get upset about this speculative execution business, but then I don't fall into the categories of people who need to worry. For most of these cases the exploit requires a significant chunk of privileged code to already be running. On nearly everyone's PC you have already lost. Your system is at this point no longer yours.

      Where this would be scarier is on virtual machines where one OS can break the isolation that the hypervisor provides. A computer where it's function is to give strangers access to running code on your machine.

      Frankly I think Intel is right about most of this and so is Microsoft and the Linux kernel devs when they made the various fixes for the various speculative execution bugs optional.

    15. Re: Perverse way to drive future CPU upgrades by Anonymous Coward · · Score: 0

      That is simply true. You are the liar here, the official documentation supports GP's claims: https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf

    16. Re: Perverse way to drive future CPU upgrades by Anonymous Coward · · Score: 0

      This is correct. If, as a shopper, you hold an Apple product in the store it will work normally. However, once you buy the product, leave the store, and hold it as the owner it will begin to degrade until you purchase next year's model.

  2. Speed Reduction by mentil · · Score: 5, Interesting

    After all the speculative execution flaws are found and fixed (in hardware or software) the question won't be how much of a slowdown those fixes cause, but how much of a speedup from speculative execution remains.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:Speed Reduction by Anonymous Coward · · Score: 0

      I've been disabling hyper-threading since day 1... truly real-time software is impossible to write on any CPU that supports speculative execution of any kind.

    2. Re:Speed Reduction by AmiMoJo · · Score: 4, Insightful

      The problem for Intel is that they sold these processors with certain features and performance, and now have found design defects in them.

      That's a classic consumer protection scenario. Car engine fails catastrophically after 50k km due to badly designed part? Under EU law you should not be out of pocket.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Speed Reduction by macraig · · Score: 4, Insightful

      Intel has been getting a free pass from such consumer protections for decades now. Are we finally so enlightened that we can take away their hoard of Get Out Of Jail Free cards and make them pay for their failures rather than profit from them?

    4. Re:Speed Reduction by Anonymous Coward · · Score: 1

      On on any machine that uses SMM, for the matter.

    5. Re:Speed Reduction by AmiMoJo · · Score: 1

      Yes. I took then to small claims court and won.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Speed Reduction by thegarbz · · Score: 1

      Car engine fails catastrophically after 50k km due to badly designed part? Under EU law you should not be out of pocket.

      The car engine didn't fail catastrophically. What did happen is you applied an optional fix to a problem that under a very small set of specific circumstances would cause the car door to unlock and then after you put your car with its optional fix on a dyno you discovered you actually had 10 horsepower less than you thought.

      You'll be hard pressed getting that through even an EU regulator.

    7. Re:Speed Reduction by Anonymous Coward · · Score: 0

      So back to pre-386SL, got it.

    8. Re:Speed Reduction by ravenshrike · · Score: 1

      Yes and no. You could with new model cars that they knew they were going to be applying the fix to in the coming months but sold under the old numbers. Specifically that would be fraud, so anyone who bought Coffee Lake before the fixes were published is arguably entitled to a full refund.

    9. Re:Speed Reduction by thegarbz · · Score: 1

      so anyone who bought Coffee Lake before the fixes were published is arguably entitled to a full refund

      Not really because Intel don't publish performance figures, hence it isn't fraud. Not only that but the processor itself still does exactly what it said on the box. The fact that someone else can use those feature nefariously and that Intel gives you an option for added security at the cost of performance doesn't change what the processor is now and what it will be after the optional fix gets released.

      The key part here is that you still have every bit the same device that was advertised and sold to you doing exactly what it says on the box.

      It may not be moral, but you will almost certainly fail to prove a fraud case.

    10. Re:Speed Reduction by jwhyche · · Score: 2

      I see where you are going with this. Basically, we have been sold a flawed product that isn't performing as advertised.

      --
      I read at +2. If your post doesn't reach that level I will not see or respond to it.
    11. Re:Speed Reduction by macraig · · Score: 1

      And if we individually sued them for something that is a collective wrong, we'd tie up the judicial system for decades with a waiting list encircling the globe several times, wouldn't we? I'm glad "you got yours", but that's not a solution for the societal wrong, is it?

    12. Re:Speed Reduction by AmiMoJo · · Score: 1

      I'm such cases the judges usually start fast tracking decisions based on previous cases, and then to save paying court and legal fees the company just pays out without contest in future.

      It sucks but there is no other option.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. Give Consumers The Option to Choose... by ad454 · · Score: 3, Interesting

    ... Security or Performance.

    Not everyone is a gamer, video editor, etc.

    Many people would gladly sacrifice 50% CPU performance, in exchange for more secure and stable processors.

    But Intel and its OEMs are reluctant to even give us consumers the choice to obtain decent microcode security fixes that slow down our computers too much.

    Intel already provides the NSA with the ME backdoor, so why won't they at least try harder to close the other security holes?

    1. Re:Give Consumers The Option to Choose... by jittles · · Score: 2

      ... Security or Performance.

      Not everyone is a gamer, video editor, etc.

      Many people would gladly sacrifice 50% CPU performance, in exchange for more secure and stable processors.

      But Intel and its OEMs are reluctant to even give us consumers the choice to obtain decent microcode security fixes that slow down our computers too much.

      Intel already provides the NSA with the ME backdoor, so why won't they at least try harder to close the other security holes?

      Read the advisory. They DID give you the option to choose and recommend that vendors ship with it disabled as it's only needed in specific circumstances.

    2. Re:Give Consumers The Option to Choose... by Tablizer · · Score: 1

      Not everyone is a gamer, video editor, etc.

      But who doesn't re-edit their porn to match their own stroke rate?

      --
      Table-ized A.I.
    3. Re:Give Consumers The Option to Choose... by Anonymous Coward · · Score: 0

      Google and Microsoft are shielding Intels reputational damage, Intel should be making these announcements, and with detail.
      Intel dont appear keen to supply owners of defective cpus with the tools to choose, but trickle bios settings to verndor who may or maynot retrofit to 10 year old product. My generic chromebook/laptop whose brand went belly up going to be fixed?

      I want to know what other CPU's were affected. I suggest the performance decrease is measured AFTER MS and Goolge recompiled speculative bits out of their base code, so the slowdown figures are less than a like for like.

      Intel may actually profit from defective design. Who knows when Intel knew this, and if they did, why did the propogate that design to others, Just wait untl Google takes apart the now vulnerable ME engine with disclosures. If they dont, others will.

      Now if the ME engine does not have speculative execution and other known CVE's then the why questions become interesting.

    4. Re:Give Consumers The Option to Choose... by Anonymous Coward · · Score: 0

      It doesn't at all seem like your opinion is biased. After-all, this problem is Intel-specific, isn't it? Oh, no? It's not, you say? Well, I'll be damned.

    5. Re:Give Consumers The Option to Choose... by Anonymous Coward · · Score: 0

      You do have the option. You can use processors of a more simplistic design which do fewer "weird" optimizations such as speculative execution. But you won't like the price/performance ratio. The market as a whole chooses performance to play games and download porn 0.015% faster over security every single time. So that's what is broadly and cheaply available.

      More importantly, this is the societal cost of an Intel monoculture. Instead of bad hardware bugs affecting 10-20% of hosts, every single event becomes a pants-on-fire global emergency.

    6. Re:Give Consumers The Option to Choose... by Bert64 · · Score: 1

      If one vendor cuts corners to improve performance the other vendors will look like their products are slower until such time as the corner cutting is identified and can be proven to be detrimental.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    7. Re:Give Consumers The Option to Choose... by thegarbz · · Score: 1

      Not everyone is a gamer, video editor, etc.

      Pfft amateurs. What do they need a decent CPU for. Real men need Real CPUs for Real workloads like running McAfee.

    8. Re: Give Consumers The Option to Choose... by Anonymous Coward · · Score: 0

      You don't like the price/performance of ARM designs or the Intel Atom? I think it's the maximum performance you don't like; the price is fine.

    9. Re:Give Consumers The Option to Choose... by Killall+-9+Bash · · Score: 1

      The market as a whole chooses performance to play games and download porn 0.015% faster over security every single time. So that's what is broadly and cheaply available.

      The market was not given a choice. No one said "Intel chips are 50% faster, but possibly vulnerable to security exploits". NO ONE, if they were informed, would have made this choice.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
    10. Re:Give Consumers The Option to Choose... by bluefoxlucid · · Score: 1

      This will never be in OpenBSD. Back in 2005, Theo de Raadt would not give any ground when I implored him to build with position independent executables. He maintained that PIE was "very expensive"--the overall impact on x86 is about 0.06% additional CPU usage, so about 2.16 seconds lost per hour pegged at 100% CPU usage, minus any time spent not at 100% CPU usage.

      8%? He'll never accept that. It's way too performance-expensive.

      --
      Support my political activism on Patreon.
    11. Re: Give Consumers The Option to Choose... by bn-7bc · · Score: 1

      You are right, but rgere are far more intel costumers thst care about performance than gamers and wideo editors, SaAS providers, metreologists, intel sells to other costumers than consumers. i would imagine rhat googlebwould not be thrilled if the 1000s of servers they run in a Dc dropped even 1% in performance, that would potenttionsly mean 100s of extra servers to do the same amount of work wit extra switchports power an cooling, not cheap

    12. Re:Give Consumers The Option to Choose... by Anonymous Coward · · Score: 0

      Real men mining coin with CPUs!

    13. Re:Give Consumers The Option to Choose... by jittles · · Score: 1

      Google and Microsoft are shielding Intels reputational damage, Intel should be making these announcements, and with detail.

      Intel has no right to announce this. Microsoft and Google both found the issue. They reported it to Intel. Intel did make a disclosure, albeit not a very detailed one. Microsoft and Google receive the accolades for telling the world about this problem. This is how it always works in the world of security research. The researcher agrees to postpone publishing while the issue is mitigated and the company they reported to agrees to keep the research in the strictest confidentiality until they publish. It’s only fair.

      Intel dont appear keen to supply owners of defective cpus with the tools to choose, but trickle bios settings to verndor who may or maynot retrofit to 10 year old product. My generic chromebook/laptop whose brand went belly up going to be fixed?

      Your manufacturer will likely not update the BIOS for any system more than 2-3 years old unless a longer support contract was previously established. However, the fix can be delivered through your OS. Intel has plans to release microcode back to the second gen core processors (sandy bridge). That’s 8-10 years of mitigation.

      I want to know what other CPU's were affected.

      Intel and ARM. Likely AMD also but no one has said either way to my knowledge. Any other processor? YOu might want to perform the research yourself as less common platforms like PPC and MIPS are not likely to receive much attention from researchers.

      I suggest the performance decrease is measured AFTER MS and Goolge recompiled speculative bits out of their base code, so the slowdown figures are less than a like for like.

      So update your microcode and OS and enable and disable the change and test for yourself. Everyone’s usage scenarios will be different. It’ll depend entirely on how you use your computer. Whether you need the mitigation enabled or disabled depends entirely on how you use your computer, too.

      Intel may actually profit from defective design. Who knows when Intel knew this, and if they did, why did the propogate that design to others,

      This type of attack has been known of in theory since the first Pentium (the first processor with this type of speculative execution). But nobody thought it was actually possible until someone proved it was possible. Just like scientists knew about nuclear fission in theory but didn’t know if a nuclear bomb was possible until the first one was built.

      Just wait untl Google takes apart the now vulnerable ME engine with disclosures. If they dont, others will.

      Now if the ME engine does not have speculative execution and other known CVE's then the why questions become interesting.

      There have been PLENTY of advisories related to Intel ME, AMD PSP, and most likely ARM TrustZone. I have seen advisories for the first two. So people are already attacking the ME engine. The same mitigations that are used for side-channel analysis can also be used to mitigate the secure processor on all of those platforms. However, I am positive that more vulnerabilities still exist

  4. President Madagascar is the smart one. by Anonymous Coward · · Score: 0

    SHUT EVERYTHING DOWN.

  5. Or just don't... by Anonymous Coward · · Score: 0

    Install security patches?

    Turned off windows updates years ago and never looked back, running ad-block/webmail removes most attack vectors anyway. I've never seen a lot of value in patching already known flaws, at the end of the day it's a zero-sum game.

  6. And he laughed... by DivineKnight · · Score: 1

    And my professor laughed when I held the single-cycle CPU design to be the holy grail of the industry...

    1. Re:And he laughed... by Anonymous Coward · · Score: 0

      And my professor laughed when I held the single-cycle CPU design to be the holy grail of the industry...

      I should hope so. a CPU designed to be replaced after running a single cycle seems like a labor, no matter how many instructions it could execute in one cycle.

  7. AI by Anonymous Coward · · Score: 0

    AI techniques and advancements should be be able to correct all negative side effects and performance hits in the very near future.

    1. Re:AI by Anonymous Coward · · Score: 0

      Unless of course, you AI has a sense of humor (i.e. is Evil)

  8. I suggested this years ago... by Anonymous Coward · · Score: 0

    When Palladium failed to catch on like they wanted, a series of difficult to exploit bugs started being pushed into tech. Once Intel ME, ARM Trustzone and similar were in place, as permanent methods of user-control lockout and backdoors to the encryption keys/code running on the system, all they would have to do is release the ignored/well hidden exploits to the public and use them to kill off the last generations of processors of sufficient performance that still empowered the user.

    Cue today: That is exactly what has happened. 10 years of processors with code signing that the owner of the hardware doesn't really control or own. Serial numbers on every item in the system that can be used to fingerprint the users system to such a scarily high degree of accuracy once will have few chances to remain anonymous under normal usage conditions.

    The dangers of the future are here today, and without a large and collective financial push by us little guys, the final opportunity to rebel against technological enslavement will be lost, resulting instead in ever dwindling puddles of tech rebelliousness that will be inexorably quashed out, one at a time until all that remains is a bunch of dry lake beds surrounded by technological dystopia.

  9. Lemon Law by Anonymous Coward · · Score: 0

    How do I get a refund for being sold a defective product?

    Seriously, how are continuing issues with the same CPU or software not covered by some sort of lemon law?

  10. We need new benchmarks by goombah99 · · Score: 2

    The benchmark sites need to start using or disclosing speeds with the "feature" turned on.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:We need new benchmarks by Anonymous Coward · · Score: 0

      They already had and the results are hilarious. That and HPET can amount to 75% difference in games: https://www.anandtech.com/show/12678/a-timely-discovery-examining-amd-2nd-gen-ryzen-results

  11. Re: Trump will die in prison either way by Anonymous Coward · · Score: 0

    Hillary will die in prison.

  12. Expectations by Anonymous Coward · · Score: 0

    I have for most of my life assumed processors had an infinite well of side channels vendors have not the will to ever address with exploitation of cache/prediction schemes being obvious.

    I know for a fact people have been talking about this for decades. You can find publically available examples as this 2006 article attacking RSA using branch predictor side channel. https://eprint.iacr.org/2006/2...

    Then we have all of the Power/RF tempest crap.

    Vendors should address this with a holistic secure design rather than endless piecemeal drip drip drip of look what I found lets slap a label on it and slow shit down even more.

    Vendors releasing unreliable code that makes things worse. Or solutions requiring new BIOS updates that manufacturers won't bother pushing or users won't bother installing leaving a bunch of people randomly vulnerable. The piecemeal reactionary approach sucks ass.

  13. Great! by Anonymous Coward · · Score: 1

    When this is all done and dusted I will be left with a z80

    1. Re: Great! by Bing+Tsher+E · · Score: 1

      I have several tubes of Z80s and two working systems that use that processor.

  14. Re: Trump will die in prison either way by comodoro · · Score: 0

    Kids, do not fight. As a compromise, they will both be put in a box together. Then they will fight to the death. To make things even, Hillary will get a screwdriver.

  15. Buy AMD by Anonymous Coward · · Score: 0

    The really are the better option atm.
    As it seems from all three big archs (ARM, Intel x86, AMD x86) amd seems to be the least affected due to their design.
    And also for the time being they seem to be the nice guys, first their boards last 4 processor generations
    secondly, their processors kick ass and kick Intels ass in most real life scenarios and have a fair price. It is about time that more people buy their stuff. Ryzen and AMD
    really deserves it.

    1. Re:Buy AMD by Anonymous Coward · · Score: 0

      No they are not. The advisory says AMD is just as fucked as Intel, yet you recommend AMD because it's a "better" option. What's wrong? The cat got your logic and took a dump in your brain? On any topic with Intel in its name there's a bot like you advising readers to buy AMD. I wonder how much is AMD paying for this aggressive social media promotion campaign.

    2. Re: Buy AMD by Anonymous Coward · · Score: 0

      I doubt OP was referring to this specific flaw. In the context of recent security flaws (spectre and meltdown), AMD, so far, appears to be least affected. Not immune to all variants, just fewer. Post references if you feel otherwise. This may change in future with further research.

    3. Re: Buy AMD by Anonymous Coward · · Score: 0

      Only if you ignore ryzenfall, etc. It looks like amd lucked out with spectre, but their response has been worse then Intel in most measures. They've taken longer to release mitigations, they haven't patched as far back and they've both had problems. The response to ryzenfall has been mediocre with heavy pr. CTS Labs came out looking bad at first but the AMD response has largely proven them right, to the point where they're nearly gloating at amdflaws.com.

    4. Re: Buy AMD by Killall+-9+Bash · · Score: 1

      I ignore Ryzenfall because I don't expect the processor to protect me if hackers already have admin on my box.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
  16. Newspeak by Anonymous Coward · · Score: 1

    > The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won't see negative performance impacts.

    Devices will remain insecure by default to protect our brand image and shareholders. How the f* do you think it is a good idea to set a security patch as off-by-default?

    1. Re:Newspeak by campuscodi · · Score: 0

      Because original Meltdown and Spectre mitigations already cover this one as well. This is a secondary layer of protection that comes with a performance impact. That's why.

  17. cpuid by l3v1 · · Score: 2

    So, in the future CPU makers don't need to invent new names. We'll just identify CPUs with the name of the newest vulnerabilities they have :) it'll be much easier :)

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
    1. Re:cpuid by Wolfrider · · Score: 3, Informative

      > So, in the future CPU makers don't need to invent new names. We'll just identify CPUs with the name of the newest vulnerabilities they have :)

      --You joke, but the Linux kernel already does this when you do ' cat /proc/cpuinfo ':

      model name : Intel(R) Core(TM) i5-x400 CPU @ 2.70GHz
      bugs : cpu_meltdown spectre_v1 spectre_v2

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  18. Too names for these chips since Pentium era. by Anonymous Coward · · Score: 0

    i8086
    i8080
    i80286
    i80386SX
    i80486SX
    i80486DX
    Pentium
    Pentium II
    Pentium ... ...
    Xeon

    Can anybody explain us why are there many CPU names/families in short time?

    Moreover, If these chips are vulnerable and have hidden backdoors then many enterprises do question how make safe/sure/trust their systems?

    Intel/AMD/Apple chips are not the solution. They will look for another solutions.

    1. Re:Too names for these chips since Pentium era. by nctritech · · Score: 2

      You just listed off a couple of decades worth of Intel CPUs asking "why so many names so fast?" and none of those have the flaws being discussed nor are in common use today. What are you even talking about? I don't think you have a clue what you're saying. Every different chip has a different model number and that's a problem? What?

      ARE YOU A ROBOT

  19. Again differences... by DrYak · · Score: 1

    This time it depends on both the CPU and the OS.

    This is basically a "read-after-write" situation, where the CPU tries to speculate before the write is actually known.

    Depending on your CPU + OS combo, this will be limited to data you already have full read/write access to anyway.
    (AMD doesn't speculated pass memory protection, Intel does(*).
    Linux use a copy-on-write memory allocation scheme, that grantees that all memory page seen by an application are magically pre-filled with zero, meaning that an application can never(*) see some other application's remaining data. But other OSes may differ - I have no idea and don't bother enough to check).

    So on AMD arch + Linux OS, all you're ever going to see it is the apps own (non overwritten) data.
    (Well unless there's a new "kernel stack information leak" that gets discovered - basically the kernel leaving dangerous stuff lingereing on the stack)

    So it mostly affect situation like browsers where 3rd party provided code (eg.: internet downloaded javascript) could run in the same process context as some critical bits of information (say a password management plugin).

    It should not effect kernel or hypervisor.

    ---

    (*) + (*) I'm almost ready to bet that somebody will find discover an intel-specific exploit to speculatively execute around page faults.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Again differences... by jittles · · Score: 1

      It should not effect kernel or hypervisor.

      I know for a fact that Intel notified VMWare of these vulnerabilities and told them they needed to patch ESXi. These can be exploited through a hypervisor.

  20. Where is Firefox? by short · · Score: 1

    "Safari, Edge, and Chrome" - but where is Firefox? Then also Chromium but that is assumed to be patched along with Chrome. Nobody cares about Free software anymore?

    1. Re:Where is Firefox? by Anonymous Coward · · Score: 0

      Firefox was only barely vulnerable in the first place due to only the bleeding edge even having the shared array buffer thinger. They also added the same resolution limit on the timing function that all the other browsers did.

      The phrasing was taken from the article, which is on theverge, which is Vox media. I can't quite trace their ownership with a glance (I'm sure someone can), but wikipedia does at least highlight decent investment from NBCUniversal, which is Comcast (one of the five or six media conglomerates that controls basically all information). To my knowledge, this particular corporate ladder isn't invested in the idea of smearing free software to any degree, so I suspect the blurb was just listing common browsers and left off firefox. I wouldn't get out the pitchforks over that.

  21. Re: Trump will die in prison either way by Killall+-9+Bash · · Score: 0

    All the screwdrivers in the world won't help her when Trump grabs her by the pussy.

    --
    "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
  22. Re:mo3 down by Killall+-9+Bash · · Score: 1

    WARNING: this link goes to domain squatting malware shitware, not a graphic pic of a horse-fucker stretching out his anus. You may be disappointed.

    --
    "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
  23. Re:mo3 down by Anonymous Coward · · Score: 0

    Touch decision... how to decide?

  24. protection set to off-by-default by Anonymous Coward · · Score: 0

    Linus rant incoming in 3.. 2.. 1..

  25. Re: Trump will die in prison either way by Anonymous Coward · · Score: 0

    Zing!

  26. Fixes should be called Melter and SpecDown by technosaurus · · Score: 1

    Planned obsolescence at its best.