Google and Microsoft Disclose New CPU Flaw, and the Fix Can Slow Machines Down (theverge.com)
An anonymous reader quotes a report from The Verge: Microsoft and Google are jointly disclosing a new CPU security vulnerability that's similar to the Meltdown and Spectre flaws that were revealed earlier this year. Labelled Speculative Store Bypass (variant 4), the latest vulnerability is a similar exploit to Spectre and exploits speculative execution that modern CPUs use. Browsers like Safari, Edge, and Chrome were all patched for Meltdown earlier this year, and Intel says "these mitigations are also applicable to variant 4 and available for consumers to use today." However, unlike Meltdown (and more similar to Spectre) this new vulnerability will also include firmware updates for CPUs that could affect performance. Intel has already delivered microcode updates for Speculative Store Bypass in beta form to OEMs, and the company expects them to be more broadly available in the coming weeks. The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won't see negative performance impacts.
"If enabled, we've observed a performance impact of approximately 2-8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client 1 and server 2 test systems," explains Leslie Culbertson, Intel's security chief. As a result, end users (and particularly system administrators) will have to pick between security or optimal performance. The choice, like previous variants of Spectre, will come down to individual systems and servers, and the fact that this new variant appears to be less of a risk than the CPU flaws that were discovered earlier this year.
The flaws impact the CPUs in Apple products.
The problem for Intel is that they sold these processors with certain features and performance, and now have found design defects in them.
That's a classic consumer protection scenario. Car engine fails catastrophically after 50k km due to badly designed part? Under EU law you should not be out of pocket.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Intel has been getting a free pass from such consumer protections for decades now. Are we finally so enlightened that we can take away their hoard of Get Out Of Jail Free cards and make them pay for their failures rather than profit from them?
To be honest I struggle to get upset about this speculative execution business, but then I don't fall into the categories of people who need to worry. For most of these cases the exploit requires a significant chunk of privileged code to already be running. On nearly everyone's PC you have already lost. Your system is at this point no longer yours.
Where this would be scarier is on virtual machines where one OS can break the isolation that the hypervisor provides. A computer where its function is to give strangers access to running code on your machine.
Frankly I think Intel is right about most of this and so is Microsoft and the Linux kernel devs when they made the various fixes for the various speculative execution bugs optional.