Intel needs to create a new architecture in order to solve this problem. Software updates will only delay the time until getting hacked. However, servers will suffer from this issue for several years while all servers using Intel CPUs will suffer from the security vulnerability. At this point, it's really risky to use Intel CPUs instead of AMD Ryzen. Does Intel have the technology and people to create a new architecture? NO. Intel has been modifying an old architecture since 1995 and never developed a new architecture to work with. It is a matter of time before Apple switches CPUs from Intel to AMD. Once again, using Intel CPUs will still have security issues unless they make a new architecture. Switching CPUs within Intel is meaningless since all Intel CPUs after 1995 are included in this vulnerability.

AMD is vulnerable to Spectre.
 
Intel needs to create a new architecture in order to solve this problem. Software updates will only delay the time until getting hacked. However, servers will suffer from this issue for several years while all servers using Intel CPUs will suffer from the security vulnerability. At this point, it's really risky to use Intel CPUs instead of AMD Ryzen. Does Intel have the technology and people to create a new architecture? NO. Intel has been modifying an old architecture since 1995 and never developed a new architecture to work with. It is a matter of time before Apple switches CPUs from Intel to AMD. Once again, using Intel CPUs will still have security issues unless they make a new architecture. Switching CPUs within Intel is meaningless since all Intel CPUs after 1995 are included in this vulnerability.
Intel DID create a new architecture -- Itanium. It was only ever in servers, but it was totally different than x86. Opteron hit with 64bit support, the IMC, and the high-speed CPU interconnect, and that helped push x86 over the edge in most markets (Intel responded in kind). Who knows if IA64 would have ever been found in desktops.

Edit:
https://www.anandtech.com/show/1243/5
 
The stark truth is nothing in the digital realm will ever be truly safe. Ever.

Apple's Secure Enclave seems to be a different take that I haven't seen other device makers utilize... a secure hardware space that not even the operating system has access to. How they achieved that is a curiosity, but it may represent a solution to different use cases... secure processing spaces for different applications or scopes, like password handling, etc.

The industry will learn from this revelation and the hardware will benefit as a result of that. That is a fact we can't deny.

I am also curious why the Apple Watch is not susceptible... does it not use or even have speculative processing? Maybe not since that would possibly consume more battery power.
 
Won't hurt them in the long run. Their stock has been great and will continue to be.

It's not as if companies really have another option. Yes AMD exists but companies aren't going to switch everything over (and AMD was vulnerable too).

Few months from now people won't even be talking about this.
I'd buy Intel stock now. It went down on the news when it should have gone up. Their problem lately has been that people stick with their old CPUs forever because they're good enough. Intel will release new non-vulnerable CPUs, and everyone will suddenly be looking to buy them.
 
Total PR stunt. The severity of these vulnerabilities does not warrant this kind of apology.

I don't see it that way. Just because no reports "in the wild" have happened (thus far) doesn't mean it wasn't dangerous. Your car might skid a little on a twisty road at night, and you think it's no big deal. Then you later learn there was a 1,000 foot cliff lurking in the darkness.

Meltdown (and especially Spectre) may be the most profound security vulnerabilities in the history of computing.

Imagine an 8-socket Xeon server running multiple virtual machines, each one a SQL Server or Oracle database engine, each of those supporting 3,000 concurrent users. By using Spectre, a malicious app can break out of a virtual machine, compromise the hypervisor and access data from any vm on the entire server.

The same thing can happen on an IBM System Z mainframe since the Z14 CPU is also vulnerable to Spectre.

The good thing is key teams at tech companies have been working furiously behind the scenes for six months to contain this problem and it now appears they may succeed. But we don't really know since (unlike Meltdown), Spectre is a more general method of which two specific variants are now known. There may be other variants yet to be discovered.

No CPU architect on earth thought this was possible, and even after it was discovered they didn't at first believe it. When security researcher Anders Fogh stumbled over the possibility last summer, despite outlining the basic process he made a tiny error in his replication scenario and simply gave up. He was convinced such a vulnerability was impossible: https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/

https://www.wired.com/story/meltdown-spectre-bug-collision-intel-chip-flaw-discovery/

If anyone wants to read a popular-level account of ring protection systems (which are compromised by Meltdown and Spectre) and how computers use them, this is covered in the 1981 book Soul of a New Machine, which won a Pulitzer prize: http://a.co/4EzfAvy
 
As an Amazon Associate, MacRumors earns a commission from qualifying purchases made through links in this post.
What’s the harm in letting the customer know before they hand over their money? Would you prefer the customer be in the dark and maybe if they get lucky or know the right person, then they’ll find out?
My point isn’t that they shouldn’t know, it is that there is too much to know.
I don't see it that way. Just because no reports "in the wild" have happened (thus far) doesn't mean it wasn't dangerous. Your car might skid a little on a twisty road at night, and you think it's no big deal. Then you later learn there was a 1,000 foot cliff lurking in the darkness.

Meltdown (and especially Spectre) may be the most profound security vulnerabilities in the history of computing.

Imagine an 8-socket Xeon server running multiple virtual machines, each one a SQL Server or Oracle database engine, each of those supporting 3,000 concurrent users. By using Spectre, a malicious app can break out of a virtual machine, compromise the hypervisor and access data from any vm on the entire server.

The same thing can happen on an IBM System Z mainframe since the Z14 CPU is also vulnerable to Spectre.

The good thing is key teams at tech companies have been working furiously behind the scenes for six months to contain this problem and it now appears they may succeed. But we don't really know since (unlike Meltdown), Spectre is a more general method of which two specific variants are now known. There may be other variants yet to be discovered.

No CPU architect on earth thought this was possible, and even after it was discovered they didn't at first believe it. When security researcher Anders Fogh stumbled over the possibility last summer, despite outlining the basic process he made a tiny error in his replication scenario and simply gave up. He was convinced such a vulnerability was impossible: https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/

https://www.wired.com/story/meltdown-spectre-bug-collision-intel-chip-flaw-discovery/

If anyone wants to read a popular-level account of ring protection systems (which are compromised by Meltdown and Spectre) and how computers use them, this is covered in the 1981 book Soul of a New Machine, which won a Pulitzer prize: http://a.co/4EzfAvy
Pretty sure three CVSS 5.5 topping CVEs are not a big deal in the long run. Speculative execution attacks being pioneered here is a big deal, provided that more are coming in the future. (I'm sure there are.)
 
"On Monday, The Oregonian reported that Krzanich has shuffled top executives to create a new internal security group called Intel Product Assurance and Security, headed by human resources head Leslie Culbertson."

This is a joke right? They put the head of Human Resources as the head of Security? How serious can they be taking this?

http://www.oregonlive.com/silicon-forest/index.ssf/2018/01/intel_reorganizes_amid_fervor.html

http://www.theregister.co.uk/2018/0...t_meltdown_and_spectre_may_slow_servers_down/
 
"They" are not releasing any updates. Intel isn't patching this vulnerability, companies and organizations like Apple, Microsoft, and the Linux foundation are. All Intel did here was say 'Sorry, we'll fix it in upcoming products and keep doing what we're doing to fix the vulnerabilities that researchers find going forward.'
“They” can’t. So why criticize Intel for what they can’t do?
 
Great PR speech. Trust us, we'll do better next time.

How about telling us how this slipped through for so long and what changes are being made to make sure we have minimal risk of other security holes like this. Do this, and we might believe you.
Oh please. If it were up to people like you, we’d have nothing because you’d close great companies’ doors for minor mistakes that are just part of life.

Intel makes incredible products, has great manufacturing ability, and incredible leadership. No company is perfect and this is just the cost of doing things that are so difficult and technologically advanced. You can’t plan for every eventuality, particularly with other geniuses trying to exploit your tech. All you can do is manage risk and solve the problems, which is what they are doing.

You’ll buy stuff with Intel inside, so don’t act like you’re ready to boycott a company that made a mistake. No conspiracy, no coverup, just a mistake.

Sorry they didn’t have a press conference announcing a security flaw with no solution.
“They” can’t. So why criticize Intel for what they can’t do?
He doesn’t understand what’s going on and just wants to complain.

We have to remember that people run these companies.
 
From the article:

For Apple customers, macOS and iOS devices have been patched with protection against Spectre and Meltdown. Meltdown was addressed in macOS High Sierra 10.13.2 and iOS 11.2, while Spectre mitigations were introduced in a macOS 10.13.2 supplemental update and iOS 11.2.2, both of which were released this week. The vulnerabilities have also been addressed in older versions of macOS and OS X.

Is this true? I've seen nothing to support this.
 
so intel cheated by allowing this backdoor and boosted performance over privacy compared to AMD and now it has come to bite them in the ass.

why is Intel's CEO talking about the macOS and iOS patch as if he was the one that orchestrated the entire thing? tim should be taking credit about this instead of that crook.

can't believe he is still CEO with no repercussion. really goes to show that money can buy anything including your way out.
 
Total PR stunt. The severity of these vulnerabilities does not warrant this kind of apology.
Tech industry disagrees with you. Azure was patching all of their servers within a day or two after the exposure. Microsoft wouldn't be pulling people from their vacation and off other projects to push the patches so quickly if their security team didn't think it was necessary.

Also, to further expose how off you are, you claimed in your other post that Ice Lake would likely be patched against these exploits. Considering that Ice Lake is a few months out, it's highly doubtful that it will have the necessary changes to block against these issues. It's important to note that to protect against these exploits it will require major changes to the architecture of modern CPUs... something not done in a few months time.
 
"On Monday, The Oregonian reported that Krzanich has shuffled top executives to create a new internal security group called Intel Product Assurance and Security, headed by human resources head Leslie Culbertson."

This is a joke right? They put the head of Human Resources as the head of Security? How serious can they be taking this?

http://www.oregonlive.com/silicon-forest/index.ssf/2018/01/intel_reorganizes_amid_fervor.html

http://www.theregister.co.uk/2018/0...t_meltdown_and_spectre_may_slow_servers_down/

Apparently they didn't learn from Equifax...
 
AMD is vulnerable to Spectre.
Not that vulnerable and AMD released firmware updates. They said ZERO impact.
Intel DID create a new architecture -- Itanium. It was only ever in servers, but it was totally different than x86. Opteron hit with 64bit support, the IMC, and the high-speed CPU interconnect, and that helped push x86 over the edge in most markets (Intel responded in kind). Who knows if IA64 would have ever been found in desktops.

Edit:
https://www.anandtech.com/show/1243/5

I'm talking about a successfully created architecture. Itanium totally failed. Right now, servers are using x86 with Xeon CPUs, not Itanium. There is another architecture that Intel made: Netburst, which also failed. Now what, they are doomed now.
 
AMD is vulnerable to Spectre.

As far as I understand it, AMD CPUs are only affected by Spectre V1, but Intel CPUs are affected by Spectre V1, Spectre V2 and Meltdown. All the Intel CPUs from 1st generation to 8th generation are affected by this, but only old AMD Bulldozer, Piledriver CPUs are affected by Spectre V1, and only in Linux under non-default kernel settings. No Ryzen CPUs are affected by this.

Moreover, Spectre V1 can be fixed through software. Spectre V2 only affects Intel CPUs and cannot be fixed; it requires a hardware change.

Meltdown affects only Intel CPUs and can be patched in software, but this caused a performance hit. We now know Intel's 8th Gen CPUs experience a ~10% performance hit but older processors like Haswell will experience greater performance decreases.

I found another poster's chart to be helpful:

[Image: IMG_2395.JPG]


Hothardware has a number of informative articles, including two on the performance hit on 8th Gen Intel CPUs and on Haswell CPUs.

Edit: As others have pointed out, AMD is also susceptible to Spectre V2. Please note this discrepancy when viewing the chart.
 
Maybe I sound petty...
But iPhone 5 is still perfectly good.
No security update?
 



Intel CEO Brian Krzanich today wrote an open letter to Intel customers following the "Meltdown" and "Spectre" hardware-based vulnerabilities that impact its processors.

In the letter, Krzanich says that by January 15, updates will have been issued for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder coming at the end of January.

For Apple customers, macOS and iOS devices have been patched with protection against Spectre and Meltdown. Meltdown was addressed in macOS High Sierra 10.13.2 and iOS 11.2, while Spectre mitigations were introduced in a macOS 10.13.2 supplemental update and iOS 11.2.2, both of which were released this week. The vulnerabilities have also been addressed in older versions of macOS and OS X.

According to Krzanich, going forward, Intel promises to offer timely and transparent communications, with details on patch progress and performance data. Because Spectre and Meltdown are hardware-based vulnerabilities, they must be addressed through software workarounds. In some cases, these software patches cause machines to perform more slowly.

Apple users do not need to worry about performance impacts. According to Apple, Meltdown had no measurable reduction in performance on devices running macOS and iOS across several benchmarks. Spectre, fixed through a Safari mitigation, had no measurable impact on most tests, but did impact performance by less than 2.5% on the JetStream benchmark. Apple says it plans to continue to refine its mitigations going further.

In addition to remaining transparent about the performance impact of the software fixes, Krzanich says Intel will commit to disclosing security vulnerabilities and sharing hardware innovations that will, in the future, prevent such attacks.

For those who missed the news last week, Spectre and Meltdown are serious hardware-based vulnerabilities that take advantage of the speculative execution mechanism of a CPU, potentially allowing hackers to gain access to sensitive information.

Spectre and Meltdown impact all modern processors, including those used in Mac and iOS devices, and these two vulnerabilities will continue to be an issue for the foreseeable future as addressing them entirely requires new hardware design. Apple has prevented Spectre and Meltdown from affecting customers through software updates, but all hardware and software manufacturers will need to be wary of additional speculative execution attacks going forward.

Apple customers should make sure to keep their Macs and iOS devices up to date with the latest software to remain protected from malicious attacks that might take advantage of the exploits.

Article Link: Intel CEO Pledges Commitment to Security Following Meltdown and Spectre Vulnerabilities
This doesn't address older machines, or the existence of lower level software such as Minix, or the ability of vendors to play with UEFI, thus potentially creating further mayhem down the track. Meltdown and Spectre are the tip of the iceberg.
 