Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google and Microsoft Disclose New CPU Flaw, and the Fix Can Slow Machines Down (theverge.com)

Posted by BeauHD on from the screeching-halt dept.

An anonymous reader quotes a report from The Verge: Microsoft and Google are jointly disclosing a new CPU security vulnerability that's similar to the Meltdown and Spectre flaws that were revealed earlier this year. Labelled Speculative Store Bypass (variant 4), the latest vulnerability is a similar exploit to Spectre and exploits speculative execution that modern CPUs use. Browsers like Safari, Edge, and Chrome were all patched for Meltdown earlier this year, and Intel says "these mitigations are also applicable to variant 4 and available for consumers to use today." However, unlike Meltdown (and more similar to Spectre) this new vulnerability will also include firmware updates for CPUs that could affect performance. Intel has already delivered microcode updates for Speculative Store Bypass in beta form to OEMs, and the company expects them to be more broadly available in the coming weeks. The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won't see negative performance impacts.

"If enabled, we've observed a performance impact of approximately 2-8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client 1 and server 2 test systems," explains Leslie Culbertson, Intel's security chief. As a result, end users (and particularly system administrators) will have to pick between security or optimal performance. The choice, like previous variants of Spectre, will come down to individual systems and servers, and the fact that this new variant appears to be less of a risk than the CPU flaws that were discovered earlier this year.

4 of 83 comments (clear)

  1. Perverse way to drive future CPU upgrades by JoeyRox · · Score: 5, Interesting

    Or perhaps that's just the skeptic in me talking.

    1. Re:Perverse way to drive future CPU upgrades by Anonymous Coward · · Score: 3, Interesting

      Close, it's a great way for Intel to marginalize used PC/server market as none of the old machines get the microcode/BIOS patches. All old servers are now for air-gapped applications only.

      Responding as AC but... they have provided beta microcode back to the first core processor. I've personally seen it. The people who are NOT providing microcode updates are the hardware vendors that ship your motherboard. However, there are other ways to update the microcode, such as through your operating system. From what I have seen in beta testing, the update does not seem to affect the stability of machines with old BIOS but obviously there is no way to be certain until it starts rolling out.

  2. Speed Reduction by mentil · · Score: 5, Interesting

    After all the speculative execution flaws are found and fixed (in hardware or software) the question won't be how much of a slowdown those fixes cause, but how much of a speedup from speculative execution remains.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  3. Give Consumers The Option to Choose... by ad454 · · Score: 3, Interesting

    ... Security or Performance.

    Not everyone is a gamer, video editor, etc.

    Many people would gladly sacrifice 50% CPU performance, in exchange for more secure and stable processors.

    But Intel and its OEMs are reluctant to even give us consumers the choice to obtain decent microcode security fixes that slow down our computers too much.

    Intel already provides the NSA with the ME backdoor, so why won't they at least try harder to close the other security holes?