1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News Intel confirms Meltdown while Spectre hits everyone

Discussion in 'Article Discussion' started by bit-tech, 4 Jan 2018.

  1. bit-tech

    bit-tech Supreme Overlord Lover of bit-tech Administrator

    Joined:
    12 Mar 2001
    Posts:
    3,676
    Likes Received:
    138
    Read more
     
  2. yuusou

    yuusou Multimodder

    Joined:
    5 Nov 2006
    Posts:
    2,852
    Likes Received:
    916
    I guess AMDs' "it not AMD then apply PTI" patch for the linux kernel was rejected then?
    Even if AMDs and ARMs are only affected by one vulnerability, there's only one way to protect end users from it, correct?
     
  3. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,084
    Likes Received:
    6,635
    That patch is only for Meltdown, as I understand it.
     
  4. Hustler

    Hustler Minimodder

    Joined:
    8 Aug 2005
    Posts:
    1,039
    Likes Received:
    41
    I bet this will annoy the security services, they've probably been using it for years to get in to places they shouldn't have been...
     
    GravitySmacked likes this.
  5. Aterius Gmork

    Aterius Gmork smell the ashes

    Joined:
    25 Sep 2007
    Posts:
    1,823
    Likes Received:
    73
  6. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,084
    Likes Received:
    6,635
    No, there's no danger: if the flag isn't set (because you either have no anti-virus installed or the anti-virus you have would break with the Meltdown patch applied) Windows Update will run fine but not offer you the patch (leaving you vulnerable); the patch will only appear in Windows Update if the registry entry is present.
     
    Aterius Gmork likes this.
  7. tristanperry

    tristanperry Minimodder

    Joined:
    22 May 2010
    Posts:
    922
    Likes Received:
    41
    This feels like a biggie (to probably state the obvious).

    https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti&num=2 - pre and post patch benchmarks showing some fairly big performance decreases (in certain CPUs, in certain cases)
    https://aws.amazon.com/security/security-bulletins/AWS-2018-013/ - AWS have been rolling out mandatory reboots of affected instances
    https://www.react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript - a possible Javascript exploit for this (potentially allowing websites to read your memory?)
     
  8. loftie

    loftie Multimodder

    Joined:
    14 Feb 2009
    Posts:
    3,173
    Likes Received:
    262
    WRT the antivirus, does that only include 3rd party software or does Windows Defender add the reg entry?
     
  9. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,084
    Likes Received:
    6,635
    Windows Defender adds the registry entry: Microsoft's official solution to the patch not rolling out to Windows Server installations is to install Windows Defender on 'em first.
     
  10. loftie

    loftie Multimodder

    Joined:
    14 Feb 2009
    Posts:
    3,173
    Likes Received:
    262
    OK, ta. Was expecting it not to :p
     
  11. play_boy_2000

    play_boy_2000 ^It was funny when I was 12

    Joined:
    25 Mar 2004
    Posts:
    1,617
    Likes Received:
    146
    So I can see why this is a huge problem for virtualized servers, shared hosting and the like, but what's the risk to the average desktop user? Is it more to do with how leaked kernel memory can form the basis of further attacks or is there something else of value in kernel memory?
     
  12. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,084
    Likes Received:
    6,635
    In the other thread in Hardware I posted a demo of a password being stolen by a user space application as it was being typed - and, remember, this is exploitable through the browser. Serious stuff.
     
    MLyons likes this.
  13. wolfticket

    wolfticket Downwind from the bloodhounds

    Joined:
    19 Apr 2008
    Posts:
    3,556
    Likes Received:
    646
  14. Anfield

    Anfield Multimodder

    Joined:
    15 Jan 2010
    Posts:
    7,059
    Likes Received:
    970
    Speculative execution of code across VM boundaries, I wouldn't want to be a Microsoft Azure PR rep:lol:
     
  15. Guest-16

    Guest-16 Guest

    Yea no one is gonna turn off Javascript. Every site relies on it.

    Plus it's not just a single exploit. This is a new category that exploits the fundamental performance enhancement of speculative OoO execution in EVERY ISA, not just x86: MIPS, SPARC, zPOWER, POWER etc - all affected by Spectre style attack. Pandora's box.

    On the flip side if you're a distopian authoritarian government, make money from selling people's private details or in infosec, good times!
     
  16. jb0

    jb0 Minimodder

    Joined:
    8 Apr 2012
    Posts:
    555
    Likes Received:
    93
    Yeah, my understanding is it makes friggin' Heartbleed look like a niche issue.
     
  17. somidiot

    somidiot Minimodder

    Joined:
    18 Aug 2009
    Posts:
    115
    Likes Received:
    1
    Will you guys (bit-tech) be doing your own set of benchmarks on performance hits? From what I've read games and most things regular people do won't take that big a hit. Although I'm still curious about handbrake, video editing software and zip performance.
     
  18. adidan

    adidan Guesswork is still work

    Joined:
    25 Mar 2009
    Posts:
    19,736
    Likes Received:
    5,501
    I caught the headline of the FT (I think) saying something along the lines of companies should upgrade all their hardware to be fully safe.

    But what is the go to 100% safe hardware option out there? Yes, i'd go AMD as they're least affected (that is no Meltdown) but that's still not 100% - will Ryzen 2 be and what of the next iteration of Intel's line?
     
  19. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,084
    Likes Received:
    6,635
    Right now, if you want absolutely cast-iron 100% safe, your only option is to find a chip that doesn't include speculative execution - which ain't easy, considering everyone is using it to boost performance.

    Pre-1995 chips and selected Atoms are about your only option for the desktop right now. The Cortex-M family is safe, but not designed for desktop workloads. Most implementations of RISC-V are safe, too, but again we're talking off-the-shelf parts being designed for embedded use and running at 300MHz.

    If you fancy getting really clever, stick the RISC-V RocketChip design (which doesn't have speculative execution) on an expensive FPGA and see how far up you can crank the clocks, then shove Linux on there. 100% protection against Spectre!

    If you're stuck in the x86 ecosystem, though, you're SOL: anything you can buy now is vulnerable, and I'd be surprised if the next generation wasn't vulnerable too - trying to change the design at this late stage is going to be a right bugger.
     
    adidan likes this.
  20. adidan

    adidan Guesswork is still work

    Joined:
    25 Mar 2009
    Posts:
    19,736
    Likes Received:
    5,501
    Speculative execution, hm, I should do more reading - from a naive pov shouldn't it be possible to allow speculative execution but have it so there are things you just can't speculate about unless specific conditions are met?

    That in itself is a bit of an IF question and i'm giving myself a meltdown. Best read up abit.

    Now I'm wishing I still had that BBC Model B and my copy of Elite :)

    I do have a netbook with an Atom in it, will have to check which one, now is perhaps the time to dig it out and put a distro on it.

    Just glad I held back on an upgrade, prefer tp be with a 3770 and not 100% safe than being out of pocket and not 100% safe.

    Hang on a minute, what about consoles - completely forgot about them, will have to check their cpus.
     
Tags: Add Tags

Share This Page