+ Reply to Thread
Page 1 of 4 1 4 LastLast
Results 1 to 20 of 66

Thread: CPU Security Holes affecting Intel and AMD CPUs

  1. Link to Post #1
    France On Sabbatical
    Join Date
    7th March 2011
    Location
    Brittany
    Posts
    16,763
    Thanks
    60,315
    Thanked 95,891 times in 15,481 posts

    Default CPU Security Holes affecting Intel and AMD CPUs

    ‘Meltdown’: Google team flags Intel bug that may affect billions of devices

    RT
    Published time: 4 Jan, 2018 04:53
    Edited time: 4 Jan, 2018 10:21
    Get short URL


    © 4kodiak / Getty Images

    Information stored on every desktop computer, smartphone and cloud server since 1995 could be accessed by hackers if two hardware bugs are exploited, a new report has warned.

    On Wednesday, security researchers at Google Project Zero disclosed technical details on two security flaws that allow hackers to engage in unauthorized reads of a computer’s memory data, which may contain sensitive information such as passwords.

    The researchers discovered that the vulnerabilities affect many CPUs, including those from Intel, Advanced Micro Devices (AMD) and ARM Holdings, as well as the devices and operating systems running on it.

    The first method of attack, known as Spectre, can be exploited by hackers to dissolve the barrier that separates different applications and trick otherwise error-free applications into leaking information stored on their memory.

    Last year, researchers demonstrated how hackers could utilize “speculative execution” – a technique used by most modern processors to optimize performance – to gain access to sensitive information.

    In order to improve speeds, modern processors execute certain functions speculatively, or before it is known whether they are needed. The technique prevents the delay that would come from executing the functions after they are requested.

    Jann Horn, a lead researcher for Project Zero who first reported both vulnerabilities, discovered that attackers can take advantage of this technique in order to read information on the system’s memory that should be inaccessible.

    In the original report, researchers said the vulnerability affects “billions of devices” that use microprocessors from Intel, AMD, and ARM.

    The second flaw, known as Meltdown, allows hackers to “melt” security boundaries between user applications and the operating system normally enforced by hardware. Hackers can exploit the vulnerability to gain access to the memory of other programs and the operating system, which could include passwords and other sensitive data.

    Quote
    Michael Schwarz‏ @misc0110

    Using #Meltdown to steal passwords in real time #intelbug #kaiser #kpti /cc @mlqxyz @lavados @StefanMangard @yuvalyarom https://meltdownattack.com/

    (click on above picture to view animation)
    4:03 PM - 3 Jan 2018
    64 replies 4,932 retweets 4,444 likes
    In the original report, researchers said the vulnerability affects “virtually every user of a personal computer.” However, researchers at Google’s Project Zero have only been able to show that ‘Meltdown’ affects Intel microprocessors.

    Daniel Gruss, one of the researchers who originally discovered Meltdown, told Reuters the flaw is “probably one of the worst CPU bugs ever found.”

    Gruss said Meltdown was the more serious attack, because it was easier for hackers to take advantage of. However, he said that Spectre was much harder to patch, and would be a bigger problem in the future.

    In an overview of the attacks, researchers said it would be “unusual” for either attack to be blocked by an antivirus, since they are “hard to distinguish from regular benign applications.” Google said, however, that an attacker must first be able to run a malicious code on a computer before they can exploit the vulnerability.

    Researchers also warned it would be nearly impossible to detect if hackers had exploited the weakness, since the attack would not leave “any traces in traditional log files.”

    In a blog posted Wednesday, Matt Linton, senior security engineer at Google, said there is “no single fix for all three attack variants,” but many vendors made several patches available Wednesday.

    Google provided a list of their products that are vulnerable to the attacks, as well as their mitigation status. The company said as soon as they discovered the vulnerabilities, their security teams updated their systems and affected products to protect against the attacks.

    Researchers also provided a link to software patches for Linux Windows, and OS X that guard against Meltdown attacks.

    Microsoft released a patch Wednesday to protect customers against the vulnerabilities. However, the company said some anti-virus vendors will need to update their software to be compatible with the new patches.

    Quote
    Alex Ionescu‏ @aionescu

    Microsoft Patch is out: https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892 …. Note that your AV vendor must set a special registry key! "Due to an issue with some versions of Anti-Virus software, this fix is only being made applicable to the machines where the Anti virus ISV has updated the ALLOW REGKEY."

    3:21 PM - 3 Jan 2018
    8 replies 156 retweets 177 likes
    The company has also released an emergency update for all devices running Windows 10, and further updates are planned. Microsoft also said they are in the process of deploying mitigations to cloud services. However, the fixes will also rely on firmware updates from Intel, AMD, and ARM.

    Microsoft said they have not received “any information to indicate that these vulnerabilities had been used to attack our customers,” according to a statement to The Verge.

    Amazon has also reportedly said they have protected most of their cloud servers from the vulnerabilities.

    AppleInsider reports that Apple has already deployed a partial fix for the bug in MacOS 10.3.2 that was released last month.

    Quote
    Alex Ionescu‏ @aionescu

    The question on everyone's minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the "Double Map" since 10.13.2 -- and with some surprises in 10.13.3 (under Developer NDA so can't talk/show you). cc @i0n1c @s1guza @patrickwardle








    (click on picture to view larger version)
    9:39 AM - 3 Jan 2018
    35 replies 1,139 retweets 1,311 likes
    The report also said that tests show the update does not cause any notable slowdowns.

    On Tuesday, The Register first reported on the vulnerabilities, saying the patches to fix the problem would slow computers by 30 percent.

    While researchers do not know how much the updates could slow the performance of older processors, Intel released a statement Wednesday that said the updates will not “significantly” slow computers for the average user.

    “Any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time."

    Intel rejected claims that either of the vulnerabilities were unique to their products, adding that it affects “many types of computing devices – with many different vendors’ processors and operating systems – are susceptible to these exploits.”

    However, AMD said their products were not vulnerable to any of the attacks.

    “Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time,” representatives of the company told CNBC.

    ARM also released a statement Wednesday that said the “majority” of their products are “not impacted by any variation” of the Spectre attack.

    Related:

    UK spies boast ‘over-achievement’ in developing arsenal of hacking tools
    Last edited by Hervé; 4th January 2018 at 15:57.
    "La réalité est un rêve que l'on fait atterrir" San Antonio AKA F. Dard

    Troll-hood motto: Never, ever, however, whatsoever, to anyone, a point concede.

  2. The Following 22 Users Say Thank You to Hervé For This Post:

    Alpha141 (10th January 2018), Bill Ryan (4th January 2018), bluestflame (6th January 2018), Callista (6th January 2018), ceetee9 (4th January 2018), Daughter of Time (4th January 2018), Foxie Loxie (5th January 2018), gaiagirl (4th January 2018), Harley (4th January 2018), justntime2learn (4th January 2018), Lettherebelight (5th October 2018), mab777 (6th January 2018), meeradas (25th May 2018), Michelle Marie (4th May 2018), Navigator (4th January 2018), petra (4th January 2018), Sophocles (4th January 2018), StandingWave (4th January 2018), Star Tsar (4th January 2018), TargeT (4th January 2018), Victoria (28th December 2019), wnlight (5th January 2018)

  3. Link to Post #2
    Canada Avalon Member
    Join Date
    7th July 2016
    Location
    Newfoundland, Canada
    Age
    44
    Posts
    1,549
    Thanks
    5,933
    Thanked 5,372 times in 1,413 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    So.... this hole has existed since 1995... and people are just finding it now? Or pardon me, just disclosing it now? How embarrassing.

    There's a hole in my bucket, Dear Liza Dear Liza,
    There's a hole in my bucket, Dear Liza,
    A hole

  4. The Following 9 Users Say Thank You to petra For This Post:

    Bill Ryan (4th January 2018), bluestflame (6th January 2018), Callista (6th January 2018), Foxie Loxie (5th January 2018), Hervé (4th January 2018), justntime2learn (5th January 2018), Lettherebelight (5th October 2018), Michelle Marie (4th May 2018), Navigator (4th January 2018)

  5. Link to Post #3
    Canada Avalon Retired Member
    Join Date
    17th December 2017
    Age
    50
    Posts
    76
    Thanks
    236
    Thanked 341 times in 74 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

     
     
    It seems Intel had a hand in writing that article? (wouldn't be unusual)


    Intel is claiming that AMD and ARM CPUs are also affected by the "Intel processor Kernel bug" ...

    AMD denied their processors were affected yesterday ...
    Quote "AMD has confirmed that its own processors are not affected by this security bug. “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against,” explains Tom Lendacky, an AMD engineer. AMD stocks have soared this morning as a result of Intel’s processor flaw. Intel has not yet publicly commented on the security problem."
    https://www.theverge.com/2018/1/3/16...-windows-linux

    But I'm waiting to hear AMD's response to Intel's latest claim since Intel's "official press" on the topic ...



    Intel claims there will be no performance hit, others differ on that ... A test with a PostgresSQL database showed significant hits ...
    Quote PostgreSQL SELECT 1 with the KPTI workaround for Intel CPU vulnerability https://www.postgresql.org/message-i...p3.anarazel.de

    Best case: 17% slowdown
    Worst case: 23%
    https://www.theregister.co.uk/2018/0...u_design_flaw/


    Other tests have indicated that most home user use won't have a significant slowdowns for basic web browsing and gaming though -- it'll be database servers that will take the greatest hit.

    Intel is in damage control mode, first the Management Engine security flaw (which will cost us a fair bit of off hours resources at my work to get patched), now this kernel bug, which will likely have relatively large performance hits in databases and servers, and AMD's Ryzen refresh out in (rumoured) 2-3 months with Epyc getting ramped up in 2018. Ouch. Bad timing ...

    As mentioned though, I am waiting to hear from AMD to now either backtrack and confirm Intel's claim, or to continue to deny that the "Intel Kernel Bug" does indeed affect their CPUs and what, if any, performance hit their processes will sustain from the patch being applied. If AMD can't prove that their CPUs aren't affected, even if no one can prove that they are, Microsoft will broadly apply the patch to all CPUs - potentially affecting performance for all CPUs - whether the bug is actually present or not.
    Last edited by Navigator; 4th January 2018 at 17:36.

  6. The Following 10 Users Say Thank You to Navigator For This Post:

    Bill Ryan (4th January 2018), Callista (6th January 2018), Foxie Loxie (5th January 2018), Harley (4th January 2018), Hervé (4th January 2018), justntime2learn (5th January 2018), Michelle Marie (4th May 2018), muxfolder (5th January 2018), TargeT (4th January 2018), wnlight (5th January 2018)

  7. Link to Post #4
    United States On Sabbatical
    Join Date
    30th June 2011
    Location
    The Seat of Corruption
    Age
    44
    Posts
    9,177
    Thanks
    25,610
    Thanked 53,658 times in 8,694 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    Intel CEO sold 24m in stocks before the announcement.......


    This makes me think it's an actual flaw instead of an engineered back door.

    Last edited by TargeT; 4th January 2018 at 20:14.
    Hard times create strong men, Strong men create good times, Good times create weak men, Weak men create hard times.
    Where are you?

  8. The Following 8 Users Say Thank You to TargeT For This Post:

    bluestflame (6th January 2018), Callista (6th January 2018), ceetee9 (4th January 2018), Foxie Loxie (5th January 2018), Hervé (4th January 2018), justntime2learn (5th January 2018), Michelle Marie (4th May 2018), Navigator (4th January 2018)

  9. Link to Post #5
    Canada Avalon Retired Member
    Join Date
    17th December 2017
    Age
    50
    Posts
    76
    Thanks
    236
    Thanked 341 times in 74 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    Re: What processors are affected? 

    It's a bit more complex than just that ...

    In its default kernel configuration state, the bug does not affect AMD CPUs at all. Only "if the BPF JIT is enabled", which is a non-default configuration for AMD PRO CPUs (and thus likely Ryzen) and possibly ARM, then AMD CPUs are susceptible to variant 1 (Spectre) of the three variants of attack types this bug leaves. Variant 1 types of vulnerabilities can be software patched and have no performance impact. I don't know the possibility of having the kernel config changed from it's default, but AMD is asserting "near zero risk to any AMD CPUs", Google's testing seems to confirm this to be true - with only a configuration change to the kernel itself allowing only variant 1 type of attack (out of the three) which can be easily software patched without any performance hit.

    The two other variants, called simply variants 2 and 3 (Meltdown), affect only Intel and ARM processors and these are the major issues. These issues are apparently caused by an Intel hardware implementation for their specific pre-emptive prediction branch that attempts to identify what type of code will be run next, speeding up some processes. It seems that part of what makes Intel processors fast, is also leaving them vulnerable, hence the potentially large performance hit with this type of patch - Intel will have to disable parts of this feature with a hardware firmware patch on existing chips to fix - OS update alone is not going to fix it. Future produced chips should see this fixed at the hardware level without that performance hit (or see it mitigated).

    Here's Googles take on the situation and some of their test results: https://wccftech.com/intel-affected-...l-bug-amd-hit/ <-- (this site generally is NOT a good resource, but the article wasn't too bad.)

    EDIT: Here's a better article from a better site that explains the flaw well: https://www.wired.com/story/critical...ost-computers/


    The odd thing about the Intel ME bug recently and now this one, is that it takes well over six months for any official notice. I first heard of the ME issue about six months before Intel officially announced it, and Google had discovered this flaw and let Intel know almost a year ago ... why so long to address these issues?
    Last edited by Navigator; 4th January 2018 at 23:50. Reason: clarity / accuracy / spelling

  10. The Following 7 Users Say Thank You to Navigator For This Post:

    Callista (6th January 2018), Foxie Loxie (5th January 2018), Hervé (4th January 2018), justntime2learn (5th January 2018), Lettherebelight (5th October 2018), Michelle Marie (4th May 2018), onevoice (23rd January 2018)

  11. Link to Post #6
    Canada Avalon Retired Member
    Join Date
    17th December 2017
    Age
    50
    Posts
    76
    Thanks
    236
    Thanked 341 times in 74 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    Quote Posted by TargeT (here)
    Intel CEO sold 24m in stocks before the announcement.......


    This makes me think it's an actual flaw instead of an engineered back door.
    It seems like an engineering flaw. But potentially faster chips seem to be the result of its expense. Makes you wonder if it wasn't a choice that was made at some point ...

    Quote As the researchers put it at the end of the the Spectre paper:

    The vulnerabilities in this paper, as well as many others, arise from a longstanding focus in the technology industry on maximizing performance. As a result, processors, compilers, device drivers, operating systems, and numerous other critical components have evolved compounding layers of complex optimizations that introduce security risks. As the costs of insecurity rise, these design choices need to be revisited, and in many cases alternate implementations optimized for security will be required.
    Last edited by Navigator; 4th January 2018 at 19:33.

  12. The Following 7 Users Say Thank You to Navigator For This Post:

    Bill Ryan (5th January 2018), Callista (6th January 2018), Foxie Loxie (5th January 2018), Hervé (4th January 2018), justntime2learn (5th January 2018), Michelle Marie (4th May 2018), TargeT (4th January 2018)

  13. Link to Post #7
    England Avalon Member Did You See Them's Avatar
    Join Date
    15th October 2015
    Age
    59
    Posts
    1,088
    Thanks
    4,744
    Thanked 6,876 times in 1,034 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    Back to the drawing board.

  14. The Following 5 Users Say Thank You to Did You See Them For This Post:

    Callista (6th January 2018), Foxie Loxie (5th January 2018), Hervé (4th January 2018), justntime2learn (5th January 2018), Michelle Marie (4th May 2018)

  15. Link to Post #8
    France On Sabbatical
    Join Date
    7th March 2011
    Location
    Brittany
    Posts
    16,763
    Thanks
    60,315
    Thanked 95,891 times in 15,481 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    From Jim Stone January 3, 2018:

    SANDY BRIDGE/COREVPRO HAS (FINALLY) BITTEN INTEL IN THE BUTT

    They produced a porous crappy system on behalf of the NSA that has compromised security at the hardware level (a topic I have brought up repeatedly).

    Now that all the NSA hackware got released to the public by various hacker groups, Microsoft and Linux developers have realized just how bad the security flaws are and have started writing their software to circumvent the problems that were an NSA inspired root design feature ever since CoreVpro/Sandy Bridge.


    As a result, it is taking an average of 30 percent of the main processor's power to overcome the security problems of the Vpro core and AMD IS KICKING INTEL GOOD NOW AS A RESULT.

    My only surprise with this is that software developers actually cared about the processor being a porous piece of crap.

    This echoes back a decade now, as it turns out, even though AMD processors trailed Intel by about 10 percent for equivalent models over the last 10 years, now that people realize just how bad the security is on Intel processors, all models of AMD processors are now far more superior to Intel than Intel was ever perceived to be over AMD.

    Due to knowing how bad the security was on Intel for the last 10 years, I have not bought Intel since the 90's (AMD was superior until the mid 2000's and when Intel "pulled ahead" they had buggable crap).

    At any rate, I have been saying this for years, and now an enormous scandal is out in the open, Programmers now realize INTEL IS CRAP. Intel sold out to the NSA and thanks to good hearted hackers it chewed their behinds like a great white.

    Thanks Intel!!


    Update 2018-01-05

    AMD CPU's also affected by bug


    Evidently AMD has it's own variant, and neither bug is an admission of the CoreVpro back door. When it is admitted that back door is there, then it will be time to rejoice.

    As it turns out, every processor made by AMD, ARM, and INTEL has the same exploitable bug, and you can't tell me that happened as coincidence!


    The software "patch" which is supposed to circumvent the hardware bug will be "patched" only after the proper back door for the NSA is put right back into the system a different way.
    "La réalité est un rêve que l'on fait atterrir" San Antonio AKA F. Dard

    Troll-hood motto: Never, ever, however, whatsoever, to anyone, a point concede.

  16. The Following 6 Users Say Thank You to Hervé For This Post:

    Bill Ryan (5th January 2018), Callista (6th January 2018), Foxie Loxie (5th January 2018), Harley (6th January 2018), Michelle Marie (4th May 2018), Navigator (5th January 2018)

  17. Link to Post #9
    France On Sabbatical
    Join Date
    7th March 2011
    Location
    Brittany
    Posts
    16,763
    Thanks
    60,315
    Thanked 95,891 times in 15,481 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    Apple confirms 'Meltdown' & 'Spectre' flaws affect all Macs and iOS devices

    RT
    Fri, 05 Jan 2018 16:32 UTC


    © Regis Duvignau / Reuters

    All Mac systems and iOS devices are vulnerable to the recently discovered security flaws known as Spectre and Meltdown, Apple has confirmed. The tech giant said that mitigations are on the way and some have been already issued.

    The flaws, which allow hackers unauthorized access to a computer's memory and sensitive data, were discovered by security researchers at Google Project Zero on Wednesday. Security vulnerabilities called Meltdown and Spectre affect almost all modern CPUs, including those produced by Intel, Advanced Micro Devices (AMD) and ARM Holdings.


    "All Mac systems and iOS devices are affected," Apple acknowledged in a statement on Thursday, adding that no cases had yet been reported of customers being affected by the security flaws.

    Apple has issued updates for the iOS 11.2, macOS 10.13.2 and tvOS 11.2 systems to protect against Meltdown, which the company believes "has the most potential to be exploited." The tech giant added that Apple Watch is not affected by the flaw, which allows hackers to "melt" security boundaries between user applications and the operating system.

    Patches to protect users from another vulnerability, Spectre, are expected to be released "in coming days." While the flaw's techniques "are extremely difficult to exploit," it can still potentially affect devices in JavaScript running in a web browser, according to Apple. Spectre can be used by hackers to dissolve the barrier that separates different applications and trick otherwise error-free applications into leaking information stored in their memory.

    Both security flaws require a malicious app to be loaded on the device operating on Mac systems or iOS, so the general recommendation from Apple is to avoid downloading software from suspicious sources and use only trusted ones such as the App Store.
    "La réalité est un rêve que l'on fait atterrir" San Antonio AKA F. Dard

    Troll-hood motto: Never, ever, however, whatsoever, to anyone, a point concede.

  18. The Following 7 Users Say Thank You to Hervé For This Post:

    Bill Ryan (5th January 2018), Callista (6th January 2018), Foxie Loxie (6th January 2018), Harley (6th January 2018), Michelle Marie (4th May 2018), Navigator (5th January 2018), TargeT (19th January 2018)

  19. Link to Post #10
    Canada Avalon Retired Member
    Join Date
    17th December 2017
    Age
    50
    Posts
    76
    Thanks
    236
    Thanked 341 times in 74 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

     
    Interesting timing ...

    VIA return to the CPU fray against Intel and AMD with Zhaoxin x86 chips


    Quote VIA used to be a confident third-place team in the x86 CPU game, but their position has been almost entirely squeezed out of the market as of late due to the engorged bodies of AMD and Intel. Conveniently, however, VIA still hold the relevant licenses required to get a functioning modern CPU into the market, and are getting back in the game through their co-owned semiconductor manufacturer, Zhaoxin.
    https://www.pcgamesn.com/via-x86-cpu


    Old x86 CPU rival and chipset maker VIA still has its old licenses, and will be producing new x86 CPUs as an alternate to Intel and AMD. Their Prime markets is expected to be China and Russia to get away from being forced to use the "West's" engineered processors. One can only imagine why they they have motivation to stop using Intel ...




    I'm not 100% sold on Jim's take that this is a 100% purposefully engineered backdoor, as the flaw is a result of branch prediction and having data related to that being stored in an unsecured cache, as explained in the "wired" article I linked to above. However I would be inclined to believe that this issue was known long ago and exploited, possibly by letter agencies.

    It should be also noted that the bug has three variants, 1, 2, and 3, - 1 being the "spectre" category and 2 and 3 being "meltdown" -- Variant one is the only one that has the possibility of affecting AMD CPUS and only if the kernel is configured in a non-default mode for some reason. Intel CPUS are susceptible to all three and ARM to variant's 2 and 3, I believe. So they don't all have the same issue - the issue with AMD CPUs is quite different. Intel needed to try to throw everyone under the bus equally though in their press release as damage control.

  20. The Following 7 Users Say Thank You to Navigator For This Post:

    Bill Ryan (5th January 2018), Callista (6th January 2018), Foxie Loxie (6th January 2018), Harley (6th January 2018), Hervé (5th January 2018), Michelle Marie (4th May 2018), muxfolder (5th January 2018)

  21. Link to Post #11
    Avalon Member Red Skywalker's Avatar
    Join Date
    5th January 2011
    Posts
    221
    Thanks
    125
    Thanked 954 times in 197 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    To me this is old news. I have seen the whole upcoming of the computers, from the first 6502 and Z80 processors to the CPU-monsters now. All have backdoors backed on the chip, for "development purposes" ... This topic tells only about CPU's in computers, but many printers and other peripheral equipment is probably affected too. Why? Because it could and would be useful when needed.
    (You can run a webserver on a relative old printer, if you are handy enough. Of course no references, maybe on darknet?)
    Last edited by Red Skywalker; 5th January 2018 at 19:37.

  22. The Following 8 Users Say Thank You to Red Skywalker For This Post:

    Callista (6th January 2018), Foxie Loxie (6th January 2018), Hervé (5th January 2018), Lettherebelight (5th October 2018), Michelle Marie (4th May 2018), muxfolder (5th January 2018), Navigator (6th January 2018), SieS (6th January 2018)

  23. Link to Post #12
    United States Administrator ThePythonicCow's Avatar
    Join Date
    4th January 2011
    Location
    North Texas
    Language
    English
    Age
    76
    Posts
    28,579
    Thanks
    30,499
    Thanked 138,429 times in 21,488 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    Quote Posted by Hervé (here)
    vulnerabilities called Meltdown and Spectre affect almost all modern CPUs, including those produced by Intel, Advanced Micro Devices (AMD) and ARM Holdings.
    Quote Posted by Navigator (here)
     It should be also noted that the bug has three variants, 1, 2, and 3, - 1 being the "spectre" category and 2 and 3 being "meltdown" -- Variant one is the only one that has the possibility of affecting AMD CPUS and only if the kernel is configured in a non-default mode for some reason. Intel CPUS are susceptible to all three and ARM to variant's 2 and 3, I believe. So they don't all have the same issue - the issue with AMD CPUs is quite different. Intel needed to try to throw everyone under the bus equally though in their press release as damage control.
    Type 3 is the one of the types called Meltdown ... it is the most serious ... providing the easiest means for the code running in one process to spy on the data in another process.

    I agree with Navigator's post in that my understanding (and apparently the understanding of Linus and those working this on the Linux kernel) is that AMD processors are not vulnerable to Meltdown of the type 3 variant.

    I disagree with the above quoted line from the article that Hervé posted, which implies that all 3 vulnerabilities effect all three of Intel x86, AMD, and ARM.

    Full disclosure: I am happily running on a Ryzen7 CPU from AMD, so I have some motivation to "defend" AMD processors .
    Last edited by ThePythonicCow; 5th January 2018 at 19:52.
    My quite dormant website: pauljackson.us

  24. The Following 7 Users Say Thank You to ThePythonicCow For This Post:

    Callista (6th January 2018), Foxie Loxie (6th January 2018), Harley (6th January 2018), Hervé (5th January 2018), Lettherebelight (5th October 2018), Michelle Marie (4th May 2018), Navigator (6th January 2018)

  25. Link to Post #13
    Canada Avalon Retired Member
    Join Date
    17th December 2017
    Age
    50
    Posts
    76
    Thanks
    236
    Thanked 341 times in 74 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    Quote Posted by Paul (here)
    Quote Posted by Hervé (here)
    vulnerabilities called Meltdown and Spectre affect almost all modern CPUs, including those produced by Intel, Advanced Micro Devices (AMD) and ARM Holdings.
    Quote Posted by Navigator (here)
     It should be also noted that the bug has three variants, 1, 2, and 3, - 1 being the "spectre" category and 2 and 3 being "meltdown" -- Variant one is the only one that has the possibility of affecting AMD CPUS and only if the kernel is configured in a non-default mode for some reason. Intel CPUS are susceptible to all three and ARM to variant's 2 and 3, I believe. So they don't all have the same issue - the issue with AMD CPUs is quite different. Intel needed to try to throw everyone under the bus equally though in their press release as damage control.
    Type 3 is the one of the types called Meltdown ... it is the most serious ... providing the easiest means for the code running in one process to spy on the data in another process.

    I agree with Navigator's post in that my understanding (and apparently the understanding of Linus and those working this on the Linux kernel) is that AMD processors are not vulnerable to Meltdown of the type 3 variant.

    I disagree with the above quoted line from the article that Hervé posted, which implies that all 3 vulnerabilities effect all three of Intel x86, AMD, and ARM.

    Full disclosure: I am happily running on a Ryzen7 CPU from AMD, so I have some motivation to "defend" AMD processors .

    Fully concur; Intel (not unexpectedly) just tried to throw AMD and ARM under the same bus that was freight-training right for them in an attempt to protect their stocks -- their method was obviously to pay for the press and article headlines to not single them out. Notice how they are almost all the same headlines? Unfortunately most people won't be tech savvy enough to understand the actual risks - what Intel is counting on.

    AMD's official security statement is here: https://www.amd.com/en/corporate/speculative-execution

    For AMD processors Variant 1 (Spectre) has already already been patched (by OS or vendor provided updates) with negligible performance effects (although I will do some benchmarks - I have put the update on hold), Variant two and three do not affect default configured AMD CPUs at all.

    ARM has also said that only some of their processors are affected and has made corrective statements to Intel's "paid for" press headlines.



    "When F00F bug hit 20 years ago, Intel reacted the same way"
    https://www.itwire.com/security/8132...-same-way.html

    Quote "One interesting aspect of all this is how well both Intel and Microsoft have mastered the art of damage control via management of on-line bug information. This is really a much more serious bug than the infamous Pentium math bug, but never quite crossed over from geekdom into the public consciousness."

    He said both companies had waited "until their more clueful customers' complaints reached an adequate volume ... "


    ¤=[Post Update]=¤

    Quote Posted by Red Skywalker (here)
    To me this is old news. I have seen the whole upcoming of the computers, from the first 6502 and Z80 processors to the CPU-monsters now. All have backdoors backed on the chip, for "development purposes" ... This topic tells only about CPU's in computers, but many printers and other peripheral equipment is probably affected too. Why? Because it could and would be useful when needed.
    (You can run a webserver on a relative old printer, if you are handy enough. Of course no references, maybe on darknet?)
    This specific issue isn't really a "backdoor". But your reference certainly applies to the Intel ME. It was never a "bug" until the vulnerability became known - before that it was a "special feature" for high level IT managers and "law enforcement agencies" to utilize
    Last edited by Navigator; 6th January 2018 at 00:25.

  26. The Following 8 Users Say Thank You to Navigator For This Post:

    Bill Ryan (6th January 2018), Callista (6th January 2018), Foxie Loxie (6th January 2018), Harley (6th January 2018), Hervé (6th January 2018), Lettherebelight (5th October 2018), Michelle Marie (4th May 2018), ThePythonicCow (6th January 2018)

  27. Link to Post #14
    France On Sabbatical
    Join Date
    7th March 2011
    Location
    Brittany
    Posts
    16,763
    Thanks
    60,315
    Thanked 95,891 times in 15,481 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    Jim Stone concurs re the AMD fake news from Microsoft:

    WARNING: RECENT MICROSOFT UPDATE TO PATCH INTEL "PROBLEM" MAY RUIN AMD SYSTEMS - SEE TOP POSTED REPORT BELOW

    IN LIGHT OF THE LATEST RUMOR, WHERE THE UPDATE TO FIX THE "MEMORY HOLE" PROBLEM ON INTEL SYSTEMS WRECKS AMD,

    IF YOU HAVE AMD DO NOT "FIX" ANYTHING WITH ANY UPDATE FROM MICROSOFT UNTIL OTHER PEOPLE HAVE SUFFERED ON YOUR BEHALF REVEALING WHAT THE PROBLEM WITH IT IS.

    FULL REPORT BELOW, UNDER Jan 6


    [...]
    _________________________________________________________ 6 Jan 2018

    WARNING: RECENT MICROSOFT UPDATE TO FIX SECURITY HOLE ON INTEL SYSTEMS MAY WRECK AMD SYSTEMS

    IF YOU HAVE AMD, THE RECENT SECURITY PROBLEM IS NOT SERIOUS, WAIT FOR THE DUST TO SETTLE BEFORE DOING ANYTHING

    HERE IS THE LATEST ON THIS TOPIC:

    AMD user issues stern warning:

    UPDATE: THIS NOW APPLIES TO WINDOWS 10 ALSO, THE UPDATE TO FIX THE MEMORY VULNERABILITY MAY BE A TRAP!!!

    Windows 7 AMD users:

    !*******DO NOT INSTALL KB4056894*******!

    This will BSOD your AMD machine.

    OR:

    BEWARE! This "update" can **** your system, as it has mine.
    My user account with admin rights now acts like a standard user account. I cannot login as Administrator in any way. I cannot access many directories (e.g. Documents and Settings). I cannot run CMD as Administrator. I cannot run regedit. I cannot run Setup from the DVD. When I boot to Safe Mode, there is no keyboard nor mouse response.

    I had no idea this morning that I would need to wipe my HD and start all over again. Thanks, microjerk, for this wonderful kick to the nutsack.

    Does anybody have any suggestions on how to deal with or, even better, remove this POS update? All the standard ways of removal either do not work, or are inaccessible.

    IN LIGHT OF THE LATEST RUMOR, WHERE THE UPDATE TO FIX THE "MEMORY HOLE" PROBLEM ON INTEL SYSTEMS WRECKS AMD, IF YOU HAVE AMD DO NOT "FIX" ANYTHING WITH ANY UPDATE FROM MICROSOFT UNTIL OTHER PEOPLE HAVE SUFFERED ON YOUR BEHALF REVEALING WHAT THE PROBLEM WITH IT IS.

    UPDATE: THE AMD VULNERABILITY IS A HOAX BY INTEL, THE LATEST BUGS DO NOT AFFECT AMD IN ANY MEANINGFUL WAY WHATSOEVER.

    If you have an AMD processor yes, you might somehow have, on rare occasion, a tiny amount of ram hackable for a split second, but with INTEL your @ss is hanging out in it's entirety ALL THE TIME.

    It is virtually impossible to exploit AMD to such an extent, no one would bother. Intel on the other hand is an intelligence agency/hacker playground.

    Remember that big dump of NSA hackware that happened about six months ago? That is, after all, what this is about - average people getting ahold of NSA tools Intel cooperated in the development of, and now the people the tool was made for are crying because they themselves can be hacked with their own stuff, let alone all the government computers that can be hacked with their own stuff, and yada yada.

    I will do NOTHING (zero) to patch my AMD systems. It is not important for AMD (at least in the context of the current problem of the day.) That is not to say AMD does not have an entirely different back door (who would know) but for the current problem, WHATEVER.
    "La réalité est un rêve que l'on fait atterrir" San Antonio AKA F. Dard

    Troll-hood motto: Never, ever, however, whatsoever, to anyone, a point concede.

  28. The Following 10 Users Say Thank You to Hervé For This Post:

    Bill Ryan (6th January 2018), Callista (6th January 2018), Foxie Loxie (6th January 2018), Harley (6th January 2018), Lettherebelight (5th October 2018), mab777 (6th January 2018), Michelle Marie (4th May 2018), Navigator (6th January 2018), SieS (6th January 2018), ThePythonicCow (6th January 2018)

  29. Link to Post #15
    Canada Avalon Retired Member
    Join Date
    17th December 2017
    Age
    50
    Posts
    76
    Thanks
    236
    Thanked 341 times in 74 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    As Jim's article above so elegantly stated ...

    Anyone running Windows 7 and an older AMD processor (Athlon / Turion / Opteron) that installs update KB4056894 could end up with a brick (but I don't think this affects Ryzens - mind you very few are running on Win 7). You may get a "BSOD stop: 0x000000c4" on reboot. Can't rollback an update if you computer won't boot ...

    A solution to remove this update has been posted on this Reddit thread for anyone affected: https://www.reddit.com/r/sysadmin/co...lup_kb4056894/

    Microsoft forum discussion here: https://answers.microsoft.com/en-us/...=1515190079156
    Last edited by Navigator; 6th January 2018 at 20:51.

  30. The Following 7 Users Say Thank You to Navigator For This Post:

    Bill Ryan (6th January 2018), Foxie Loxie (6th January 2018), Harley (6th January 2018), Hervé (6th January 2018), Michelle Marie (4th May 2018), muxfolder (7th January 2018), ThePythonicCow (6th January 2018)

  31. Link to Post #16
    United States Administrator ThePythonicCow's Avatar
    Join Date
    4th January 2011
    Location
    North Texas
    Language
    English
    Age
    76
    Posts
    28,579
    Thanks
    30,499
    Thanked 138,429 times in 21,488 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    Quote Posted by Navigator (here)
    Anyone running Windows 7 and an older AMD processor (Athlon / Turion / Opteron) ...
    Thanks, Navigator.

    Anyone running Windows 7 on an older AMD processor (Athlon / Turion / Opteron) will want (need) to pay close attention to this.
    My quite dormant website: pauljackson.us

  32. The Following 6 Users Say Thank You to ThePythonicCow For This Post:

    Bill Ryan (6th January 2018), Harley (6th January 2018), Hervé (7th January 2018), Lettherebelight (5th October 2018), Michelle Marie (4th May 2018), Navigator (6th January 2018)

  33. Link to Post #17
    Australia Avalon Member
    Join Date
    23rd June 2011
    Age
    44
    Posts
    1,189
    Thanks
    263
    Thanked 4,462 times in 950 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    http://www.tomshardware.com/forum/id...or-access.html
    “Intel actually embedded the 3G radio chip in order to enable its Anti Theft 3.0 technology. And since that technology is found on every Core i3/i5/i7 CPU after Sandy Bridge, that means a lot of CPUs, not just new vPro, might have a secret 3G connection nobody knew about until now,”reports Softpedia.

    holy freak ****...turn out to be true after these years that have talked about regarding backdoor spying on people. it as became Conspiracy FACT

  34. The Following 5 Users Say Thank You to apokalypse For This Post:

    Bill Ryan (19th January 2018), ByTheNorthernSea (7th January 2018), Hervé (7th January 2018), Lettherebelight (5th October 2018), Michelle Marie (4th May 2018)

  35. Link to Post #18
    Canada Avalon Retired Member
    Join Date
    17th December 2017
    Age
    50
    Posts
    76
    Thanks
    236
    Thanked 341 times in 74 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    Quote Posted by Paul (here)
    Quote Posted by Navigator (here)
    Anyone running Windows 7 and an older AMD processor (Athlon / Turion / Opteron) ...
    Thanks, Navigator.

    Anyone running Windows 7 on an older AMD processor (Athlon / Turion / Opteron) will want (need) to pay close attention to this.
    Apparently it is patch KB4056892 that is affecting older AMD cpus, not the update first indicated in Jim's response above. MS has halted the update until they get it fixed - has something to do with certain old AMD chipsets not having good enough documentation - at least that is what MS is saying.

    Quote UPDATE Microsoft’s fix for the Meltdown and Spectre bugs may be crocking AMD-powered PCs.

    A lengthy thread on answers.microsoft.com records numerous instances in which Security Update for Windows KB4056892, Redmond’s Meltdown/Spectre patch, leaves some AMD-powered PCs with the Windows 7 or 10 startup logo and not much more.

    Users report Athlon-powered machines in perfect working order before the patch just don’t work after it. The patch doesn’t create a recovery point, so rollback is little use and the machines emerge from a patch in a state from which rollback is sometimes not accessible. Some say that even re-installing Windows 10 doesn’t help matters. Others have been able to do so, only to have their machines quickly download and install the problematic patch all over again …
    https://www.theregister.co.uk/2018/0...d_powered_pcs/

  36. The Following 5 Users Say Thank You to Navigator For This Post:

    Bill Ryan (19th January 2018), Hervé (10th January 2018), Lettherebelight (5th October 2018), Michelle Marie (4th May 2018), ThePythonicCow (10th January 2018)

  37. Link to Post #19
    France On Sabbatical
    Join Date
    7th March 2011
    Location
    Brittany
    Posts
    16,763
    Thanks
    60,315
    Thanked 95,891 times in 15,481 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    Jim Stone's jubilation:

    BUSTED: RECENT INTEL PROCESSOR (MELTDOWN) SCANDAL INVOLVES INTEL PROCESSORS ONLY, THEY ARE TRYING TO DRAG AMD AND ARM INTO THIS, DON'T BUY THE B.S.

    Spectre is such a small problem I would not worry about it on an AMD or ARM platform. I would worry about it on an Intel platform though.

    They released to the public a lie to cover for the fact that Intel's Vpro core was an intentional back door for the NSA.

    The memory vulnerability, (if it exists at all) is a sideshow, and ARM and AMD were back stabbed with claims they had the same problems just to either help Intel, or cover for the fact that the vulnerability was intrinsic to hardware, and specifically the separate Vpro processor that was onboard every Intel chip from Sandy Bridge forward. If you want to be realistic about things, the Spectre bug is simply a no show on AMD and ARM, because it is simply too hard to do to them for it to mean anything, and AMD and ARM are not affected by the Meltdown bug AT ALL.

    In 2011 I outlined the problem in a report titled "Is Intel's Sandy Bridge on a road to nowhere?"

    I pointed out the problem - a second on-chip processor that was always on, even when the power was turned off, and this processor could clandestinely switch on any part of the computer when it received a remote command. Intel marketed this as "making the administrator's job easier" because an administrator could install updates and get data while all employees were at home asleep, and everyone would simply arrive to work the next day with everything updated because even if their power was turned off, their computers could receive updates anyway.

    PROBLEM: All encryption keys - any system had - were held on this second processor, which was not adequately secured AT ALL from the outside world. It allowed a total highway into anyone's system, and I said at that time that the only real reason why this would be done would be to allow intelligence agencies access whenever they wanted, - access no one could stop because the encryption keys were right there for the intelligence agencies to use. Sandy Bridge, and all processors forward, A TOTAL OF 1,487 different models of Intel chips had this, right up to every Intel chip made today.

    So everything was fine and dandy, as long as only a few ex NSA people who could be acceptably contained tried to spread the word on sites like this one and no one got the NSA tools that are used to access these processors.

    After all, if it was only me blowing the whistle in 2011, they could just blow it off.

    PROBLEM: About 8 months ago, someone inside the NSA released all these tools to the public in a "wiki" type release, and now, 8 months later hacker Joe is playing NSA and the NSA simply does not want that.

    This is the ONLY REASON, AND I MEAN ONLY reason why the "bug" was "mysteriously found" by some hoax fraud jackass who "read thousands and thousands of pages of Intel processor manuals, and found it".

    YEAH RIGHT, BULL****.



    So I knew, from early 2011, that everything from now on had to be AMD. HERE IS PROOF, STATED BY THE MSM 6 YEARS LATER THAN I SAID IT:
    "For the past seven years, millions of Intel chips have harbored a security flaw that can be potentially exploited to remotely control and infect systems with spyware.
    "Specifically, the bug is in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows "an unprivileged attacker to gain control of the manageability features provided by these products.
    "That means it is possible for hackers to log into a vulnerable computer's hardware - right under the nose of the operating system - and silently tamper with the machine, install virtually undetectable malware, and so on, using AMT's features. This is potentially possible across the network because AMT has direct access to the computer's network hardware.

    "These insecure management features have been available in various, but not all, Intel chipsets for nearly a decade, starting with 2010's Intel Q57 (sandy bridge) family, all the way up to this year's Kaby Lake Core parts.
    - My [Jim Stone's] insert: Correction: It started with Centrino, long before this but Centrino was not a common platform. -

    "Crucially, the vulnerability lies at the very heart of a machine's silicon, out of sight of the operating system, its applications and any antivirus.

    "The programming blunder can only be fully addressed with a firmware-level update, and it is present in millions of chips. It is effectively a backdoor into computers all over the world.

    "The vulnerable AMT service is part of Intel's vPro suite of processor features. If vPro is present and enabled on a system, and AMT is provisioned, unauthenticated miscreants on your network can access the computer's AMT controls and hijack them. If AMT isn't provisioned, a logged-in user can still potentially exploit the bug to gain admin-level powers. If you don't have vPro or AMT present at all, you are in the clear."
    Six years after I said it, it made it into the MSM

    Many times I got into arguments with Intel fans, who were thrilled about the passmark scores on their Intel processors, and said AMD just can't stack up to Intel because "equivalent" AMD processors were 10 - 15 percent slower.

    I always said it was their loss, because they were hacked full time.

    AND NOW I GET THE FINAL TAUNT:

    HEY INTEL LACKEYS WHO WERE SO SMART, IT SEEMS INTEL IS ALL FULL OF HOLES. HOW ARE YOUR PASSMARK SCORES LOOKING NOW THAT THE FIX FOR VULNERABILITIES I WARNED YOU ABOUT IS EATING MORE CPU THAN ANY ADVANTAGE YOU PREVIOUSLY HAD WITH INTEL? HOW DO YOU FEEL ABOUT HAVING EVERYTHING RAPED SINCE 2011 ALL THE WHILE I WAS AN IDIOT "CONSPIRACY THEORIST"?

    The problem is SO BAD Intel is recommending people ****can any processor they bought in 2016 or earlier because the fix will destroy performance so badly.

    HEY ALL YOU BACK STABBERS OUT THERE WHO HAVE TRIED TO DESTROY THIS WEB SITE:

    HOW THE * DID I KNOW INTEL HAD THIS PROBLEM IF I WAS NOT NSA? I was always a step ahead of Snowden, and now proof has come out that I smoked him like a pack of Marlboros.

    I gotta say, I am not disappointed.
    Intel knowingly cooperated with the NSA on purpose to rape everyone and for that Intel deserves to die.

    The current description for the problem is a lie.

    All you have to do to know it, is see what processor series are "most affected". They are:

    EVERYTHING SANDY BRIDGE FORWARD, PLUS CENTRINO (not mentioned by anyone) BECAUSE THAT IS WHEN THE BUGS WENT IN.

    CENTRINO WAS DESIGNED IN ISRAEL, AND WAS THE BEGINNING OF THE END FOR INTEL. (At the time Centrino came out, not all Intel processors were bugged like this, only Centrino was. Sandy bridge was the turning point.) ALL PROCESSORS SANDY BRIDGE FORWARD GOT AN ENHANCED VERSION OF THE CENTRINO HACK. That's where the root of the problem is, but with anything Sandy Bridge and later, the problem got a heck of a lot worse.


    Yeah, yeah, I know about the so-called "memory vulnerability". That's just cover for the real problem. The series of processors involved proves it. Sandy Bridge. Ivy bridge. Sky Lake. Kaby Lake. DING DING DING DING DING. NAILED IT.

    If you have an old Intel in the closet that is prior to Centrino, IT IS NOT HACKED THE WAY THEY SAY, THEY JUST WANT YOU TO GET RID OF ANYTHING THAT IS NOT A PLAYGROUND FOR THEM, DO NOT THROW IT AWAY, DO NOT EAT THE BULL****.



    Final comments on this topic:

    Don't expect links to sources when I was the original whistle blower on this problem. When I was the first to say anything on this topic. And when I am now proven right. They are not being honest about what the real problem is right now, but that matters not, it suffices to know that as I stated, Intel processors are the BIG problem. Arm and AMD basically have nothing wrong with them and were dragged into this for the sole purpose of bull****ting the public about what the real problem is.

    If ARM and AMD had similar problems, the fix would hit them with a 50 percent processor downgrade. It has not. There are NO ISSUES AT ALL WITH THEM, which means THEY DID NOT HAVE THE PROBLEM. That alone proves my point.
    "La réalité est un rêve que l'on fait atterrir" San Antonio AKA F. Dard

    Troll-hood motto: Never, ever, however, whatsoever, to anyone, a point concede.

  38. The Following 6 Users Say Thank You to Hervé For This Post:

    Bill Ryan (19th January 2018), Lettherebelight (5th October 2018), Michelle Marie (4th May 2018), Navigator (21st January 2018), Star Tsar (19th January 2018), thunder24 (19th January 2018)

  39. Link to Post #20
    Avalon Member Carmody's Avatar
    Join Date
    19th August 2010
    Location
    Winning The Galactic Lottery
    Posts
    11,389
    Thanks
    17,597
    Thanked 82,316 times in 10,234 posts

    Default Re: CPU Security Holes affecting Intel and AMD CPUs

    I knew about purpose built cpu backdoors in 1993, approximately. Custom telecom chips.


    I can tell you - that the situation was global. Yes, in the mid 1990's, it was fully global.

    This is many times done with many a large scale chip, depending on intended usage. Same for complex software that runs said systems. A single piece of software for a backbone system might have the original programmer's secret back door (which any programmer worth their pay will make for themselves), the corporate backdoor system (which the corporation demanded) and then the NSA purpose built backdoor (that the NSA demanded). Each may be a derivative of the fundamental.

    the more complex the chip and software the more likely the backdoor exists and that there may be multiple paths.
    Last edited by Carmody; 19th January 2018 at 02:31.
    Interdimensional Civil Servant

  40. The Following 7 Users Say Thank You to Carmody For This Post:

    Bill Ryan (21st January 2018), Ewan (29th January 2018), Hervé (19th January 2018), Lettherebelight (5th October 2018), Michelle Marie (4th May 2018), muxfolder (22nd January 2018), thunder24 (19th January 2018)

+ Reply to Thread
Page 1 of 4 1 4 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts