What do you guys think about the MASSIVE Intel CPU bug? Design flaw that leaves entire memory vulnerable to hackers?

tl;dr This is very bad. The patch causes performance degradation, but not patching is worse.

Here's everything I've been able to find so far:

  • The issue impacts all modern Intel CPUs. (Edit: It's been confirmed that the latest unaffected CPU is the original Pentium.) According to an AMD engineer, "AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault." In short, AMD does not have the bug.

  • If successfully exploited, it could allow any program running on your computer (including a webpage with JavaScript) to access memory used by the operating system, giving it total control over your computer.

  • There is a patch in the works for both Windows and Linux that protects against this. However, the patch can cause a large impact on performance. It slows down any "syscalls" - function calls where the program talks directly to the operating system. This includes everything from opening files to communicating over the network; it is almost impossible to write a modern program without them.

  • The performance impact seen depends on the amount of syscalls the application makes. Raw number-crunching applications will see very little performance impact, whereas applications that have to talk to the OS a lot can see a large impact.

  • Raw numbers are hard to find due to the secretive nature of these patches, but here are some basic benchmark impacts we've seen so far:

Linux, on an i7 6700, calling the getpid syscall 100,000,000 times:
Before the patch: ~3.8 seconds.
After the patch: ~15 seconds.

PostgreSQL, a database application, i7-6820HQ, SELECT 1 benchmark:
Before the patch: 420490.162391 transactions per second
After the patch: 350746.065039 transactions per second

How bad is it? The Intel CEO sold 39.2M in stocks last November with an average price of $44… while considering that Intel CFO Robert Swan reportedly said in a memo seen by The Oregonian that the company aims to boost its market capitalization to $300 billion (implying a share price north of $60) by 2021. It's big enough that the Intel CEO is willing to take his chances with insider trading charges…

VIDEO EXPLANATION - https://www.youtube.com/watch?v=9xhNY7v1R80
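To reproduce the kind of getpid measurement quoted in the post, here is an added example (not code from the post or from any patch) that times real getpid syscalls against a user-mode loop on Linux and prints the kernel's own Meltdown status. The iteration count and function names are assumptions; the sysfs file is only present on Linux 4.15 and later.

```c
/* Added example: getpid syscall cost vs. a user-mode baseline (Linux). */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Average ns per getpid; syscall() forces a real kernel entry each time. */
double ns_per_syscall(unsigned long n) {
    volatile long sink = 0;
    uint64_t t0 = now_ns();
    for (unsigned long i = 0; i < n; i++) sink += syscall(SYS_getpid);
    return (double)(now_ns() - t0) / (double)n;
}

/* Same loop shape with no kernel entry: work that KPTI does not slow down. */
double ns_per_user_op(unsigned long n) {
    volatile uint64_t acc = 1;
    uint64_t t0 = now_ns();
    for (unsigned long i = 0; i < n; i++) acc = acc * 6364136223846793005ull + i;
    return (double)(now_ns() - t0) / (double)n;
}

/* Kernel's own Meltdown report (sysfs file on Linux 4.15+); -1 if absent. */
int meltdown_status(char *buf, size_t len) {
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/meltdown", "r");
    snprintf(buf, len, "unknown (no sysfs entry)");
    if (!f) return -1;
    if (!fgets(buf, (int)len, f)) buf[0] = '\0';
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void) {
    char status[256];
    unsigned long n = 10000000; /* assumed count; the post used 100,000,000 */
    meltdown_status(status, sizeof status);
    printf("meltdown: %s\n", status);
    printf("getpid syscall: %.1f ns/call\n", ns_per_syscall(n));
    printf("user-mode op:   %.1f ns/op\n", ns_per_user_op(n));
    return 0;
}
```

Running it on the same machine before and after the kernel update shows the per-call cost of entering the kernel changing while the user-mode figure stays roughly flat.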

Comments

  • I don't know enough to have an educated opinion but I am very very very concerned. Thankfully, main PCs are running AMDs but I still have 3 laptops that run on Intels and 2 of them are expected to be of a reasonably secure nature.

    • AMD are also affected by similar: https://goo.gl/datKAN

      • Thanks for sharing. Damn. :(

    • +1

      It's not really an issue for personal computer users - just don't install software that you don't trust (and use a malware scanner).

      The real issue is for cloud providers where multiple customers have virtual servers running on the same Intel CPU. By exploiting this vulnerability, a user on one virtual server could access the contents of the other customers' virtual servers.

  • +1

    a wild guess
    potential lawsuits and class action? Depends how long Intel have known about this bug yet still keep making/selling vulnerable processors

  • +1

    Welp, guess I'm going the AMD route for my next upgrade :\

  • +2
  • +1

    I think I love my decision to save some money and get an AMD Ryzen 7 1700 instead of Intel i7 8th gen even more now.

    • Maybe don't get too ahead of yourself: https://security.googleblog.com/2018/01/todays-cpu-vulnerabi…

      Understandably there's a lot of uncertainty and perhaps misinformation as it's fairly early days in all of this. I would be inclined to think that initial fixes may have a more 'severe' impact on certain tasks/programs, but with time it would be smoothed out with further updates - and also in time a new generation of CPUs that perhaps don't suffer from these issues and performance will peak once again.

  • +3

    Great, so hackers can now take over my computer while I'm trolling OzBargain and blogging erotic "The Chase Australia" fan-fiction. Is nothing sacred anymore?

    • +2

      I'm worried in case someone pinches my free Ozbargain Domino's pizza codes.

      • Mah targeted codes! Mah precious targeted codes!

  • I don't care. My workplace has thousands of intel based computers with sensitive data. If they are not worried, why should I be?

    • You have a great attitude, are you in the public service?

    • Post the business here so that the rest of us never have anything to do with them.

      • all of them

        you might be surprised to hear that the govt., utilities, transport, military are all like this

        please try to not have 'anything to do with them'

  • This is actually incredibly serious and will affect everyone with an Intel CPU.

    The fix will be to add another layer to Kernel operations resulting in up to 30% performance decrease for all Intel CPUs.

    I was planning on getting an 8700k to upgrade from my 4670k, looks like Ryzen will be my next CPU.

    https://techcrunch.com/2018/01/03/a-major-kernel-vulnerabili…

    "AMD said that its processors are not subject to the vulnerability."

    • +1

      Except AMD is affected: https://security.googleblog.com/2018/01/todays-cpu-vulnerabi…

      Edit: The real takeaway from all of this is to wait out the rumours and news and see what actually happens in the coming days/weeks/months before any purchases.

      • Google says AMD are affected but AMD says they are not affected :/

        • AMD came out saying they're clean a few hours before(?) Google came out with their disclosure.

          Not sure why they said they weren't impacted, possibly to keep share prices happy in light of all the news articles singling out Intel? Dunno, but I doubt Google would point the finger wrongfully. Again, wait out rumours and make informed decisions once it's all aired out. :)

        • +3

          @rloos:

          According to an article in The Age there are actually two different CPU flaws. One, called Meltdown only affects Intel CPUs. The second, called Spectre affects Intel, AMD and ARM CPUs.

          Slow-downs expected as security flaws in Intel, AMD, ARM chips put virtually all devices at Risk

  • "If successfully exploited, it could allow any program running on your computer (including a webpage with JavaScript) to access memory used by the operating system, giving it total control over your computer"

    Hope I get exploited I'd welcome any new pron on my pc any day

    • +1

      I wouldn't expect anything good to come out of your computer being hacked. If anything you might lose data to ransomware and everything to be encrypted.

      Hide yo data

      • -1

        Hide yo data

        I like it when you speak ghetto, Scrimshaw.

        It makes me get jiggy wiv it.

  • didn't Apple patch this already without any fanfare

    so did they get complaints of slowdowns and the like? so why would we expect the end of the world in the windows android linux circle?

    • Apple did have a blog post about Meltdown and Spectre which affects all their x86 and ARM-based devices.

      https://support.apple.com/en-us/HT208394

      Testing is still underway in lab conditions for performance impacts — which Apple should reveal later.

      Google is working on "Retpoline" which is a technique that can mitigate spectre attacks, with minimal processor overhead. So the exact amount of CPU overhead isn't known until they complete their work and it's been rolled out.

  • This is why I android tablet. Ripperino shintels.

    • +2

      Arm devices also suffer from Spectre

      • Oh shit.

        • Don't worry, only affects high end AMD processors. Just stick to cheapie phones and tablets and you'll be safe.

        • @alvian: ARM, not AMD. I should've gone to bed instead of replying. Low end ARM processors can't execute instructions out-of-order, and so are immune from SPECTRE.

        • @alvian: Kirin HiSilicon 950 in the HUAWEI Mediapad M3?

        • @AlienC: Kirin HiSilicon 950 uses four Cortex-A53 and four Cortex-A72 cores in big.LITTLE configuration. A53 uses in-order execution and is immune to SPECTRE. A72 uses out-of-order speculative execution and is affected by SPECTRE.

          So the Kirin 950 is not affected when it is doing little work (uses A53 cores) but is affected when it starts to get busy (uses A72 cores). Since SPECTRE is a timing attack, there will be instructions to keep the CPU busy.

        • @alvian: what kind of symptoms will I be able to see?

          I game a lot and multitask heavily so no doubt I will use those affected cores.

          What kind of performance impact and system issues or security issues will I see or maybe at risk at?

        • @AlienC: Symptoms — None as yet because no one has written a SPECTRE virus, and if one day there exists such a virus, it had better hide its symptoms or the victim would notice. In general, your device would become less responsive, use more electricity and generate more heat as the CPU executes the virus code.

          Performance impact — Unknown as yet because no one has written a SPECTRE virus. The victim might notice a more sluggish device if a future SPECTRE virus is badly written, or hardly any changes at all for a well designed virus. SPECTRE currently exists only as proofs-of-concept. Nobody knows how much the security patches will impact on performance until the patches are written and benchmarked.

          System issues — None because a SPECTRE attack results in information disclosure (read-only). It cannot tamper with the proper running of the system. What might happen after the information is disclosed is up to the imagination of the (potential) virus author.

          Security issues — Information loaded into RAM and CPU registers can be disclosed to an attacker. People are most concerned with the leaking of system and user security credentials. What might happen after the credentials are leaked is up to the imagination of the (potential) virus author.

          For details please see ARM's whitepaper and Google's Project Zero blog.

        • @alvian: mostly worried about dangerous overwriting of hardware safety precautions and causing my battery to explode or something.

          A mobile equivalent bsod would also be terrible and bad. But if it's just minor memory leaks I'll be fine.. for now..

  • https://goo.gl/aZkRQ2

    This line is a joke:

    Intel said a typical home and business PC user should not see significant slowdowns in common tasks such as reading email, writing a document or accessing digital photos.

    I could do that on a 486 computer.

  • some bugs are intentional definitely!!!

  • So if I'm thinking of upgrading, should I wait for new chips to come out for phones and PCs, and if so… how long until they release fixed CPUs?
