But what is the likelihood of similar, as-of-yet undiscovered flaws in the ARM (and/or AMD) architecture, I wonder?
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
New 'ZombieLoad' Vulnerability Affects Intel Chips Dating Back to 2011, Apple Released Patch in macOS 10.14.5 [Updated]
- Thread starter MacRumors
- Start date
- Sort by reaction score
But what is the likelihood of similar, as-of-yet undiscovered flaws in the ARM (and/or AMD) architecture, I wonder?
macOS 10.14.4, and the check says I'm upto date,
Manage to get it to see the update after 5 mins, now 10.14.5
Apple go ARM all in, intel x86 and x64 have reached the limit, the CISC is proving to be a thorn in its side preventing it to make it into smartphones and other issues
RISC has been proven the right choice after all, and ARM invented by Acorn a UK company will go down in history inventing the CPU that runs the world, and others like Intel, MOS, Motorola, Zilog tried but in the end they can only be one ARRRRRMMMM
have you never heard of RISCV? its coming, you'll see.
arm don't own the RISC concept.
Totally unrelated train of thought coming down the tracks here... What you said reminded me of how old Atari ST computers handled software compatibility with Macs. You could get emulators that plugged into the cartridge port that would allow you to run Mac software if you had Mac ROMs to plug into the cartridge.
Can someone explain to the amateurs what is the actual threat, the Macrumors article failed to report how these security holes could be exploited. I realize it is all theory since no known exploits are in the wild but how could the hackers utilize this?
Do they need physical access to our home computers? Do we need to click a link? Please further explain, thank you.
From theregister.com: "Unfortunately for Apple customers with older Macs, Intel has not made microcode fixes available for Mac models from 2010 or earlier.". It's not that you don't need to patch the problem, it's that you can't.
[doublepost=1557909840][/doublepost]
They don't need physical access, but they need to run code on your computer. If you have a Mac used by a single user, and a hacker can run his software under that user, then all data of that user is compromised, with or without that attack. So your risk hasn't really increased - if a hacker can run their code on your single user Mac, anything that is important to you is at risk anyway.
What this attack adds is that _other_ users on the same machine are also compromised. So if your kids download software that they shouldn't in _their_ user account, it's not just their account that is compromised, it's yours as well.
But where it is really bad is for servers. You may have a server with ten virtual machines running. These virtual machines should be safe from each other. If one installs malware on one virtual machine, then obviously that machine is compromised but the other nine would be fine. With this exploit, they are all compromised. And if ten people installed virtual machines on the server, there is the risk that one of them actually installs this on their machine intentionally.
PS. "Run code on your computer" happens when you run JavaScript in your browser. So Apple has some specific code in the browser to stop this from happening. All these exploits rely on extremely precise timing, and Apple interferes with that timing when running JavaScript.
I’m sure internally, Apple couldn’t wait to dump intel. From late delivery of chipsets, tick tick tock product cycle, the recent modem debacle, and now this, Apple is probably counting down their days with intel. Luckily for intel Tim Cook seems to be a more diplomatic CEO. Jobs probably would’ve shoehorned Apple’s own Ax chip on Macs quite early just to piss at intel (just like how they adopted the early 32-bit only intel core Duo chips to transition from power PC).
No. Everything older than 2011 cannot be patched.
[doublepost=1557910168][/doublepost]
The exact exploits don't work on ARM. Doesn't mean ARM doesn't have similar problems, only that nobody has publicly demonstrated them.
Did you work on PC hardware meant for consumers? Or was it for more specialized embedded stuff?
Also, I often wonder whether Intel is solely to blame here. Shouldn't kernel developers have started to get suspicious about this kind of stuff as well?
Disabled HT on my Mid-2014 MBP i5. https://support.apple.com/en-us/HT210108
Thanks Apple! Let me know when you kick INTC to the curb and switch to AMD/ARM, similar to what you did for QCOM 5G modem chips.
While I've done this at home,
as someone who runs a bank data centre? This is just not something that's terribly reasonable right now. Though, would be a nice.
But holy crap, Intel. WHUT R U DOIN. we cannot afford to have constant security holes, nevermind 15-20% reported data centre performance hits from this fix.
I worked at AMD.
[doublepost=1557925102][/doublepost]
Slim. This current threat seems to rely on hyperthreading.
Yeah the last year theres been all these security issues mostly with Intel CPUs, and a lot of the time it affects almost a decades worth of CPUs. Doesn't give me much faith that if I upgrade with another Intel CPU that there won't be issues in the future. Ryzen is 90% of the performance of a similar Intel CPU at 50% of the price. Theres not much good argument for buying an Intel CPU as a consumer or even prosumer right now.
I've moved AMD at home a little while back (only way to get 8 cores for reasonable price)
But work/office/datacentre is really not so easy. Such infrastructure upgrades are few and far between and are extremely costly. In addition, server / infrastructure vendors don't seem to want to provide many options for AMD.
Then there's potential compatibility issues with AMD vs INtel. While rare, can severely hamper a migration off Intel.
last year I upgraded our core database application server. There were no reasonable AMD offerings that suited the requirements from our vendors. In addition, our DB engine platform told me "we don't validate on AMD so use at own risk"... which is unfortunately something I cannot risk given the nature of our business.
But for home users? Right now I build and recommend AMD options. The only time I can really recommend current Intel lineup is if you're looking for the absolutely maximum and 100% best throughput (or at least up till these bugs get patched).
For gaming for example, AMD is what? 90% of the performance for 50% the cost? or somthing similar. But if you NEED that 10% difference for some reason. Intel is still the best option.
Ryzen is already way cheaper in every tier (2-4-8-16 cores). With the IPC increase that leaks put it around 10-13% plus clock speed increase, Ryzen will have better single core performance (the only lead Intel had till now).
At this point I can say for sure FU Intel, I'm building my next tower with Zen 2.
Edit: oh, forgot to mention the bribe try Intel pulled to make VU University Amsterdam hide all this stuff instead of making it public. I see intel hasn't change that much since they were bribing OEMs to only use their CPUs instead of AMD's ones.
Thank you for responding, but what are the most likely ways for an attacker to run code on your computer, is it still the traditional ways one can be infected by malware?
Lol, and go with what cpu? It's not that simple. You have contract obligations and millions of current intel spec'ed hardware to support. You don't just go ok, I'll go with your competition instead. We're not talking about a few hundred PC's.
If they were to migrate away from Intel CPU hardware, Tim Crook would've had this in his "upcoming pipeline" ages ago. The fact these hardware flaws keep showing up for Intel CPU's tells you how badly designed Intel CPU's are in general.
I would take a processor that is a bit slower than a fast one that has constant new exploits being found any day. This would hurt the server business more than any consumer cpu upgrade. If they are business smart they would contract out with AMD (lower cost contracts vs intel) and I'm sure you would also get lower thermals than these constant throttling Intel CPU garbage.
But we have a bean counter at the helm and so we end up here today with a half performance laptop for 2x the price all thanks to Intel.
lol Apple is already preparing for the migration from Intel to ARM for laptop series. AMD Ryzen is available so I have no idea what you are talking about. Both of them are x86 and already compatible.
AMD wouldn't be a terrible choice overall to migrate to to keep x86 either. Apple is already using AMD GPU's. A move to AMD APU would bring consistency, and performance
What is the difference between the AMD and Intel implementations that makes Intel vulnerable?
We never had hyperthreading. When you have hyperthreading, you have a single core that pretends to be multiple cores. But to do that you have to switch back and forth between different threads. When you do that, you leave behind partial results from the old thread in various internal memory structures (buffers, registers, etc.). I don’t yet know the details of this new exploit, but it seems to me that if you aren’t careful, you can give away information from one thread to another because of this. Even if you are careful about zero’ing out these structures between threads, you can still give away information using side-channels. For example, a particular operation in thread B may complete 1 cycle faster if the last instruction run in thread A produced a positive number. Etc.
If instead of hyperthreading you have separate structures for each thread, you aren’t as efficient but you have very clean interfaces that you can guard between the threads.
Yeah, AMD can provide more cores and similar clock speed after 3rd gen release. Since Apple can optimize any parts, using AMD CPU wouldn't be a problem. Thunderbolt interface is the only issue.
From reading about all of these issues (from spectre/meltdown to now), it seems that Intel basically ignored access control while performing speculative execution for performance reasons. To me it looked like a design decision, because the speed loss of the mitigations basically removes the SE performance bump...and at that point what's the point of SE?
If anything, it shows that there's a definite market split between fast and insecure vs slower and more secure. My machines are basically single-user, so fast and insecure is fine (i3/i5/i7/i9). Server side (Xeons etc) need the more secure versions...or some server-side systems need more secure CPUs (VM) and some need less (DB).
In the end the problem will always be that if you are maximally efficient you inevitably leak information through side channels. I think back, for example, to a multiplier I designed. I designed it so it always took as few pipeline cycles as possible. That meant that depending on what you were multiplying, it might take 3, 4 or 5 cycles. Taking the minimum time necessary is good for performance. But doing that always leaks information - every time I multiply I can tell a little bit about the arguments to the multiplication without seeing the result. It’s a fairly harmless example (i hope), but that kind of thing is everywhere in CPU design. Access control can work perfectly well, but if I can time how long it takes for a thread to switch, and repeat that a billion times, eventually I can derive the private key. Etc.