Intel Claims Security Flaw Also Impacts Non-Intel Chips, Exploits Can't Corrupt, Modify or Delete Data [Updated]

Quick...lets move all Macs to ARM as ARM chips aren't vulner....

Oh. S***.

"mobile chip designer ARM Holdings said its chips were also affected and that it was working with Intel and AMD (AMD, +6.19%) on a fix. That helped Intel shares claw back some of the drop and the stock closed down only 3%, while AMD ended with a 5% gain."

http://fortune.com/2018/01/03/intel-kernel-security-flaw-amd/

 

Steve Jobs iphone 4 antennagate approach FAIL!!

Nice try intel

 

If the Intel problem could be fixed by a software updated with no impact "damage" to the end user (i.e., no speed penalty) then it's one of those no harm no foul issues and most everyone will move on.

But if the software fix results in a speed reduction (a form a damage to the end user), get ready for a class action lawsuit against Intel. Look at how fast the lawsuit was filed against Apple for their IOS speed throttling to deal with older batteries.

 

Incompetence Inside
da-ding-a-ding

 

Now Apple knows how it feels when developers have to work around manufacturer defects. But at least Intel is admitting it's their bug instead of pointing fingers at outside developers.

 

Ok, first of all, you don't use the press release about how every processor you've made for over a decade gives unauthorized access to privileged data to assert that you're "the most secure in the world".

Second, AMD could have used language that was more clear than "we aren't affected by all three". All I know from that statement is that you're affected by between 0 and 2 of the known exploits.

------

I asked this in an earlier thread, but I'll ask here too. Anyone familiar enough with how XNU works to know if the hybrid design works to Apple's advantage or disadvantage in this case?

 

So we have the same “flaw” in two different chip architectures. ..... I stand firm that this was a three letter agency backdoor.

 

It's an OS patch to a hardware SNAFU. AMD is suggesting they aren't susceptible to it, so there is a possible hardware fix they could have implemented had they known.

 

There is a flaw, but I don't hear anyone explain how hard it is to actually get hold of meaningful sensitive data.

 

The hybrid design makes no difference.

--- Post Merged, Jan 3, 2018 ---

The real world hit won't be anywhere near 50%.

AFAIK, 30% was the worst that anyone found, and that was worst case scenario with essentially a feedback loop on the loopback interface while writing to disk (metric crap ton of syscalls). A 10-17% hit seems more realistic. Postgres for instance was benched 10-15% slower as you said.

Still sucks though. Undoubtedly this will hurt everyone, especially Intel.

 

I worked on the reservation stations for ultrasparc v. Doubt it would be particularly vulnerable.

--- Post Merged, Jan 3, 2018 ---

It’s also a micro architectural issue, not an architectural issue. And micro architecture varies from company to company and often chip to chip.

 

So it only affects every computer manufactured in the Internet era, apparently.

 

I have to agree to this. LOL

But in serious note,

No software or hardware is 100% Perfect. There will always be bugs. Nothing is also secure.

There are always vulnerabilities. People just need to find and catch those then fix it. (like a Legendary Pokemon that is hard to catch)

 

Now there's a name I've not heard in a long, long time.

 

One of the vulnerabilities is hard to fix, so who knows how high the performance impact will be.

 

Strange how many of these CEOs manage to "unfortunately" sell their stock right before some bad news comes out

Who else remembers the Equifax CTO and CEO selling millions of dollars worth of stock just before the news of the massive data breach came out at the end of last year?

These guys have access to inside information months before it becomes public. Easy to say it was a long-planned sale and nothing to do with the bad news

 

I hope that ****er gets a nice long stay in jail, but....America.

 

Backdoors exist.

 

This really doesn't sound like a design flaw, this sounds like it's working as designed. Putting speculative execution under access control means a slowdown, which most likely mitigates any benefit of speculative execution. This has been in their chips for so long that it has to have been an explicit speed vs security tradeoff.

When the "fix" comes, I hope I can turn it off. I generally don't run shared workloads, but I'd have to evaluate it on all my machines here.

 

That's what I was trying to point out, that it seems convenient that the CEO sold this before this news. But it was pointed out by others on here that it's just bad timing. I think there's no way to prove otherwise. It's just extremely convenient it seems.

 

They could always let AMD and ARM speak for themselves. Instead they throw them into the mix to deflect blame. Classy.

 

From AMD's statement:
"AMD is not susceptible to all three variants."
If written by a native English speaker, this is a VERY curious wording. Does this really mean that AMD is not susceptible to ANY of the three variants, or does it mean that AMD might be susceptible to one or two of the variants?

 

I bet the folk in the PowerPC-based Mac forums are quite happy with themselves right now.

 

... Who use Intel, AMD and ARM powered computers/devices.

--- Post Merged, Jan 3, 2018 ---

Or use stand alone domains/workgroups/networks that have no access to the outside world. This is common practice in a lot of government based facilities/contractors.

 

That's actually not how it should work. Someone made the same complaint about Intel's submission for a patch for Linux.

In the patch, Intel applied it to all X86 processors. With would have slowed all processors. AMD responded saying they aren't impacted and whitelisted their processors.

That's exactly how it should work. Don't assume others aren't vulnerable. If the issue might impact more than just Intel processors, apply it to all and let others whitelist themselves as they determine they aren't impacted.

It's much safer to assume everyone is vulnerable until proven otherwise rather than assume only a single group is vulnerable and hope the rest test.

--- Post Merged, Jan 3, 2018 ---

No it's not. It's incredibly uncommon actually.

Source: Work in forensics and work with government agencies around the world.