News Intel confirms new Spectre 1.1, 1.2 vulnerabilities

Time to air-gap everything. This internet thing is maybe more trouble than it's worth

 

Ffs

 

Quick, look over there!

I wonder which modern OSs aren't affected? Also if most are would a microcode update not be a better idea than requiring most OSs to be updated - unless the patches for different OSs are basically the same?

 

Microcode updates require OEMs to care enough to release updates BIOS/UEFI with the updated microcode. You just need to look at the original round of spectre updates to see how relying on OEM updates pans out.

Updating at the microcode level is preferable, updating at the OS level is less grief in the long run and covers those OEMs who can't [or won't] provide an updated BIOS/UEFI.

 

For one vulnerability? Maybe.

But SPECTRE isn't just "a" vulnerability, it's a whole new class of vulnerabilities, so expect to see a lot more where this came from! You wouldn't expect a CPU to detect and avoid all possible buffer underrun vulnerabilities, you rely on the OS and software to be written to mitigate that avenue of vulnerability. You would not demand that CPUs eliminate buffers, as it would result in unaceptable performance regression. Likewise, you would not demand speculative execution be eliminated, but instead write software to avoid that vulnerability being used in practice.