Check out the TB2K CHATROOM, open 24/7               Configuring Your Preferences for OPTIMAL Viewing
  To access our Email server, CLICK HERE

  If you are unfamiliar with the Guidelines for Posting on TB2K please read them.      ** LINKS PAGE **



*** Help Support TB2K ***
via mail, at TB2K Fund, P.O. Box 24, Coupland, TX, 78615
or


ALERT A major kernel vulnerability and its fix are going to slow down all Intel processors!
+ Reply to Thread
Page 1 of 2 1 2 LastLast
Results 1 to 40 of 64
  1. #1
    Join Date
    May 2010
    Location
    Where its wet alot
    Posts
    5,845

    A major kernel vulnerability and its fix are going to slow down all Intel processors!

    A major kernel vulnerability is going to slow down all Intel processors

    A significant vulnerability has been discovered in all Intel processor chips and it’s going to have a huge impact going forward. The Register first noticed this major design flaw in Linux kernel patch notes. All operating systems will have to be updated (Linux distributions, Windows, macOS…).

    And the worst part is that this patch is going to affect your computer performances. Based on a few benchmarks, The Register thinks computers running Intel chips are going to be slower by 5 to 30 percent.
    Related Searches
    Intel ProcessorsI7 ProcessorFood ProcessorsAmd ProcessorsFirewood Processor

    So what happened exactly? This vulnerability is quite nasty because it’s a widespread hardware bug. Updating your computer can’t make the problem disappear altogether. That’s why operating system vendors are currently redesigning some of the core functionalities of your computer as a workaround.

    The bug allows normal user programs to access the protected memory in the kernel. A kernel is the core of an operating system. It’s a process that handles the most sensitive tasks in your system.

    For instance, the kernel controls the interaction between an application and the file system. It’s basically the gatekeeper that is going to allow a program to read and write files. It also manages memory and peripherals, such as your keyboard and your camera.

    In other words, the kernel can do everything on your computer by design. But you don’t want the kernel to be compromised — it is one of the most serious attack vectors in modern operating systems.

    Interactions between user processes and the kernel have been made as efficient as possible through various hardware and software optimizations.

    Because of a design flaw, user programs with low privileges can read protected kernel memory. If an attacker or an intelligence agency can find a way to install a normal program on your computer, they could then be able to read passwords stored in the kernel memory, private encryption keys, files cached from the hard drive and more.

    This is even worse on shared systems. Many cloud hosting platforms, such as Amazon Web Services, Microsoft Azure and Google Cloud Platform share computer resources between multiple clients — multiple clients use the same hardware components. With today’s bug, one client could access sensitive information about another client using this kernel exploit.

    Developers working on the Linux kernel have been working hard on a fix for a while. Their discussions are public, but details of the design flaw are still unclear. According to Python Sweetness, the security bug is under embargo. Intel will reveal more information about it once Microsoft, Apple and the Linux team have released patches.

    Microsoft has been working on a patch since November. Apple is also working on a similar fix.

    The bad news is that the Kernel Page Table Isolation fix makes everything run slower on Intel x86 processors. AMD said that its processor are not subject to the vulnerability. So if your computer appears slower than it should be, it’s because it is.

    This article originally appeared on TechCrunch.

    https://www.yahoo.com/news/major-ker...175836474.html
    JOHN 3:16 / John 8:32 And ye shall know the truth, and the truth shall make you FREE.

  2. #2
    Join Date
    May 2010
    Location
    Where its wet alot
    Posts
    5,845

    Intel Chips Have a Major Design Flaw and the Fix Means Slower PCs

    Intel Chips Have a Major Design Flaw and the Fix Means Slower PCs
    By Matthew Humphries 4 Jan 2018, 12:13 a.m.

    Patches for Linux, Windows, and macOS are required, with the side effect potentially being a major system performance hit.

    Over the next few weeks there's a very good chance your PC or laptop is going to take a significant performance hit. The worst case scenario being it will get 30 per cent slower. Worse than that is the fact you can do nothing about it, as the slowdown is a side effect of fixing a major design flaw in Intel processors.

    If your computer uses an Intel processor produced in the last decade, then it probably contains the design flaw. I can't tell you exactly what the flaw is yet because Intel is keeping the details under lock and key until operating system patches have been released. Those patches will have to be made for Linux, Windows, and macOS.

    As The Register reports, the flaw is thought to allow user programs to gain access to protected kernel memory areas. The kernel is the core of an operating system which controls anything and everything running on a system. It is therefore extremely important the kernel memory remains secure due to the sensitive information it can contain.

    Although nobody outside of Intel knows the specifics, the flaw is thought to be so serious it could allow any software — even a bit of JavaScript running in a web browser — to access and steal data stored in the protected kernel memory. So that includes your passwords, login keys, or any files that happen to be cached when unauthorised access occurs.

    The vulnerability alone is bad enough, but the fix makes the situation even worse. Closing the security hole made possible by the chip design flaw will result in a significant performance hit to each system. Current estimates suggest that performance hit could be as high as 30 per cent. You read that right, once your system is patched it may run 30 per cent slower for certain tasks.

    There is no way around this if your system uses an Intel chip. Some newer processor models are thought to be immune, or at least better able to work around the flaw, but until Intel releases specifics we can't confirm which ones. If you are running an AMD processor, you're fine. AMD confirmed its processors are not vulnerable.

    Linux kernel patches are already available, with Microsoft expected to roll out the Windows patch for the next Patch Tuesday happening next week. Also keep in mind this flaw will impact all of Intel's major corporate customers. Imagine how many Intel chips are running inside Amazon's or Facebook's data centres, for example, and what a performance hit will mean for them.

    http://au.pcmag.com/intel/51116/news...ix-means-slowe
    JOHN 3:16 / John 8:32 And ye shall know the truth, and the truth shall make you FREE.

  3. #3
    I hate computers. I really do.
    "Why not stay awake now? Who wants to sleep now with so much happening, so much to see? Life used to be dull you see...and you don't have to sleep alone, you don't even have to sleep at all; and so, all you have to do is show the stick to the dog now and then and say, 'Thank God for nothing.'"

    Drusilla, "The UNVANQUISHED. William Faulkner

  4. #4
    Join Date
    May 2001
    Location
    Little cabin in da big woods.
    Posts
    27,633
    Ok so is this for all systems or just the I7"s ? My current puter is an I5 and I am pretty sure dh's is also.

    Crap, yeah, we are running 86x....... sigh.


    In his heart a man plans his course, but the Lord determines his steps.

    Proverbs 16:9




  5. #5
    Join Date
    May 2010
    Location
    Where its wet alot
    Posts
    5,845
    I've got a Qualcom Chip in my smart phone, if worst comes to worst I have that as an alternative.

    Watch AMD stock rocket up.
    JOHN 3:16 / John 8:32 And ye shall know the truth, and the truth shall make you FREE.

  6. #6
    Join Date
    Apr 2004
    Location
    Northwest Rockies
    Posts
    9,782
    Running AMD here, except one laptop with a core i-7.

  7. #7
    Join Date
    Jan 2006
    Location
    Houston
    Posts
    14,826
    Quote Originally Posted by Hacker View Post
    Running AMD here, except one laptop with a core i-7.
    I have two i7 units. I hope this sucks a lot less than they are making it sound...
    Your levity is good, it relieves tension and the fear of death.

    The Frigid Times - http://www.frigidtimes.blogspot.com/
    Civil Defense Reborn - http://cdreborn.blogspot.com/
    Believe what you will, but the Russian nuclear threat is far from dead. It ain't even sick. - Brutus

  8. #8
    Join Date
    Dec 2002
    Location
    Atlantic Canada
    Posts
    8,910
    And Microsoft will release a patch to fix the problem.... yeah, can see that ending well! Wanna bet it will only be released for Win 10?

    1Pe 4:7 But the end of all things is at hand: be ye therefore of sound mind, and be sober unto prayer

    Joh 3:16 For God so loved the world that He gave His only-begotten Son, that whoever believes in Him should not perish but have everlasting life.
    Joh 3:17 For God did not send His Son into the world to condemn the world, but so that the world might be saved through Him.


  9. #9
    Join Date
    Mar 2009
    Location
    A Socialist State
    Posts
    16,886
    I don't have an iPhone or android, but just a flip phone with no internet capabilities.

    I turned off all Windows updates (am running Win 7) back in 2015. Would this affect me???
    Don't just go to church. BE THE CHURCH!

  10. #10
    Quote Originally Posted by Buick Electra View Post
    I don't have an iPhone or android, but just a flip phone with no internet capabilities.

    I turned off all Windows updates (am running Win 7) back in 2015. Would this affect me???
    Good question!
    "Why not stay awake now? Who wants to sleep now with so much happening, so much to see? Life used to be dull you see...and you don't have to sleep alone, you don't even have to sleep at all; and so, all you have to do is show the stick to the dog now and then and say, 'Thank God for nothing.'"

    Drusilla, "The UNVANQUISHED. William Faulkner

  11. #11
    As I understand it the flaw is at the chip level, 'baked in' so to speak. So all OS's would be affected.

  12. #12
    Quote Originally Posted by TheSearcher View Post
    I have two i7 units. I hope this sucks a lot less than they are making it sound...
    Well now Intel charges $350.00 for an I7 CPU with certain specifications. Because of a flaw in there design the CPU is no longer going to come close to those specifications. Who fault is that? Intel's at Fault.

    It sounds like Intel would be legally obligated to offer an updated replacement CPU in exchange for the old one. If the cob it up fix really slow things by 30% then I expect a class action lawsuit is just around the corner.
    But not likely to die free

  13. #13
    Quote Originally Posted by BornFree View Post
    Well now Intel charges $350.00 for an I7 CPU with certain specifications. Because of a flaw in there design the CPU is no longer going to come close to those specifications. Who fault is that? Intel's at Fault.

    It sounds like Intel would be legally obligated to offer an updated replacement CPU in exchange for the old one. If the cob it up fix really slow things by 30% then I expect a class action lawsuit is just around the corner.
    Was pondering this same thing - trouble may be in the hardware details - is the i7 ALWAYS removeable WITHOUT de-soldering from the motherboard?

    For instance, say, the Apple iMacs - in order to gain Apple-only access (not something performed by most folks without training and tools) to the i7 on the iMac motherboard for replacement, an Apple tech is going to have to disassemble the iMac - that, alone, is going to cost $200-$300+ just to open/close the iMac, PLUS the cost of the replacement upgraded i7 CPU, presuming Intel even goes this route - they may not.

    Same story for Intel-powered laptops - EVERY laptop manufacture has an i7 CPU option - I believe that those laptop i7 CPUs are all soldered to their laptop motherboards.

    As an aside - most (?) Apple iMacs, as well as NON-Macs, are NOT using the i7 - it is an upgraded CPU option in most cases - the majority of the Macs/iMacs/non-Apple machines are powered by the i3/i5 CPUs - or, the much older Intel CoreDuo-series of CPU.

    Going to be expensive for Intel, methinks.


    intothegoodnight
    Last edited by intothatgoodnight; 01-03-2018 at 06:05 PM.
    "Do not go gentle into that good night.
    Rage, rage against the dying of the light."

    — Dylan Thomas, "Do Not Go Gentle Into That Good Night"

  14. #14
    Join Date
    Jan 2008
    Location
    WI - On the scene, like a sex machine.
    Posts
    35,326
    Whew,

    AMD Phenom II X4 805 Processor 2.5 Ghz on my desktop.
    "The most intriguing point for the historian is that where history and legend meet."

    "None are more hopelessly enslaved than those who think they are free."

    Johann Wolfgang von Goethe


  15. #15
    Join Date
    Nov 2004
    Posts
    925
    Intel has had an issue with their virtualization stuff for at least a decade. Now there is a really bad problem. The class action stuff won't be for home users, as for the most part they don't use that stuff (well maybe AV?). Businesses on the other hand... Dell / HP are gonna be SLAMMED with RMAs for their enterprise class stuff.

  16. #16
    Join Date
    Mar 2007
    Location
    West Virginia
    Posts
    34,875
    Software Korn.

  17. #17
    Join Date
    May 2001
    Location
    Behind Enemy Lines
    Posts
    149,698
    Software Bourne...

  18. #18
    Join Date
    May 2004
    Location
    Central Va
    Posts
    15,943
    I have found two different lists being copied around the internet as far as what chips are affected:

    From: https://thehackernews.com/2017/11/in...set-flaws.html (and a few other sites)

    Affected Intel Products

    Below is the list of the processor chipsets which include the vulnerable firmware:

    6th, 7th and 8th Generation Intel Core processors
    Xeon E3-1200 v5 and v6 processors
    Xeon Scalable processors
    Xeon W processors
    Atom C3000 processors
    Apollo Lake Atom E3900 series
    Apollo Lake Pentiums
    Celeron N and J series processors

    Intel has issued patches across a dozen generations of CPUs to address these security vulnerabilities that affect millions of PCs, servers, and the internet of things devices, and is urging affected customers to update their firmware as soon as possible.

    The chipmaker has also published a Detection Tool to help Windows and Linux administrators check if their systems are exposed to any threat.
    But from Intel's site it seems a lot worse: https://www.intel.com/content/www/us.../software.html

    Intel has identified security vulnerabilities that could potentially impact certain PCs, servers, and IoT platforms.

    Systems using Intel ME Firmware versions 6.x-11.x, servers using SPS Firmware version 4.0, and systems using TXE version 3.0 are impacted. You may find these firmware versions on certain processors from the:

    1st, 2nd, 3rd, 4th, 5th, 6th, 7th, and 8th generation Intel® Core™ Processor Families
    Intel® Xeon® Processor E3-1200 v5 and v6 Product Family
    Intel® Xeon® Processor Scalable Family
    Intel® Xeon® Processor W Family
    Intel Atom® C3000 Processor Family
    Apollo Lake Intel Atom® Processor E3900 series
    Apollo Lake Intel® Pentium® Processors
    Intel® Pentium® Processor G Series
    Intel® Celeron® G, N, and J series Processors
    I have used the test tool (first link) on some of my system, and 1st Gen I7s and I5s are failing the test, so it does not just start with 6th Gen and newer. 3rd Gen I3s, I5s, and I7s also fail, as well as quite a lot of my Xeon systems.

    I have not checked any of my Core2Duo or other processors, but will post back once I have.

    I'm wondering how long China (or others) knew about this security hole? Remember the Fake Cisco routers from China?

    This is bad, real bad.

    Loup

    (Ask yourself: What's in your Wallace?)

  19. #19
    Join Date
    Mar 2003
    Location
    Hawaii
    Posts
    309
    Quote Originally Posted by Red Baron View Post
    Whew,

    AMD Phenom II X4 805 Processor 2.5 Ghz on my desktop.
    Don't breath to easily...

    https://www.howtogeek.com/338269/a-h...-your-pc-soon/

    Update: An earlier version of this article stated that this flaw was specific to Intel chips, but that isn’t the whole story. According to the New York Times, two major vulnerabilities have actually been discovered here, now dubbed “Meltdown” and “Spectre”. Meltdown is specific to Intel processors, and affects all CPU models from the past few decades. Meltdown’s patch will close the vulnerability, but likely decrease the performance of these chips on Windows, macOS, and Linux.

    Spectre, on the other hand, is a “fundamental design flaw” that exists in every CPU on the market—including those from AMD and ARM. There is currently no software fix, and will likely require a complete hardware redesign for CPUs across the board—though thankfully it is more difficult to exploit, according to security researchers.
    The rest of the article rehashes earlier reports...

  20. #20
    Join Date
    May 2001
    Location
    Behind Enemy Lines
    Posts
    149,698
    It appears that my Surface Pro PC passed everything except the temperature test.

  21. #21
    Quote Originally Posted by JF&P View Post
    Watch AMD stock rocket up.
    You beat me to it.

  22. #22
    Join Date
    Apr 2004
    Location
    Broomfield, Colorado
    Posts
    1,302
    Well that pisses me off. I paid top dollar for a high performance I7 in this laptop which is not even a year old. If their going to slow it down by 30 percent they owe me. My other laptop has an I3 which I regret buying because it's already to damn slow. They slow it down more an it'll be tough to live with.

  23. #23
    I wish they'd be a bit more specific how Spectre is present in "virtually all" CPUs ... even the ARM, that has an architecture and instruction set that's nothing like the x86. How is that possible?

  24. #24
    Join Date
    Dec 2017
    Location
    Swimming in sea quarks
    Posts
    3,767
    Don't know about y'all, but I'm smelling a rat of the government type mixed in here. This flaw crosses AMD, Intel, and ARM designs? Probability of that being a cross design, cross platform accidental flaw is right up there with back to back powerball wins.
    Facts?? We don't need no stinkin facts...

  25. #25
    Quote Originally Posted by Rayku View Post
    Don't know about y'all, but I'm smelling a rat of the government type mixed in here. This flaw crosses AMD, Intel, and ARM designs? Probability of that being a cross design, cross platform accidental flaw is right up there with back to back powerball wins.
    Shades of the Pentium III "back door" allegations, circa 1998.


    intothegoodnight
    "Do not go gentle into that good night.
    Rage, rage against the dying of the light."

    — Dylan Thomas, "Do Not Go Gentle Into That Good Night"

  26. #26
    Join Date
    Mar 2003
    Location
    Hawaii
    Posts
    309
    This guy has ran tests on Windows performance after updating the system with the Meltdown patch for Windows. As expected, Linux server performance has a significant decrease in speed. However, for the average Windows user, whether its office programs or gaming, there is negligible performance differences.

    The video has numerous benchmarks on scores both before and after the patch. Yes, it is only 1 CPU type he tested. Yes its on the latest i7. However these test should show that regardless of the CPU, regular desktop performance for the average user should not differ too much.

    Benchmarking The Intel CPU Bug Fix, What Can Desktop Users Expect?
    https://www.youtube.com/watch?v=_qZksorJAuY


  27. #27
    Join Date
    Dec 2017
    Location
    Swimming in sea quarks
    Posts
    3,767
    Quote Originally Posted by intothatgoodnight View Post
    Shades of the Pentium III "back door" allegations, circa 1998.


    intothegoodnight
    A bit more than just a shade from the look of it.
    Facts?? We don't need no stinkin facts...

  28. #28
    Join Date
    May 2001
    Location
    Behind Enemy Lines
    Posts
    149,698
    Quote Originally Posted by Mercury3 View Post
    Well that pisses me off. I paid top dollar for a high performance I7 in this laptop which is not even a year old. If their going to slow it down by 30 percent they owe me. My other laptop has an I3 which I regret buying because it's already to damn slow. They slow it down more an it'll be tough to live with.
    My I7 passed.

  29. #29
    Join Date
    Mar 2002
    Location
    Alabama
    Posts
    14,567
    going on 6 year old desk top system and the results are..............................

    Processor Name: Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz
    OS Version: Microsoft Windows 7 Professional
    Engine: Intel(R) Management Engine
    Version: 7.0.4.1197
    SVN: 0
    Status: This system is not vulnerable.
    All love is unrequited-Cmdr. Susan Ivanova //Y'all got on this boat for different reasons, but y'all come to the same place. So now I'm asking more of you than I have before. Maybe all. Sure as I know anything, I know this - they will try again. Maybe on another world, maybe on this very ground swept clean. A year from now, ten? They'll swing back to the belief that they can make people... better. And I do not hold to that. So no more runnin'. I aim to misbehave. - Capt. Mal remember boys and girls ATFTRAF I used to run with giants, now I wait to be zombie road kill.

  30. #30
    Join Date
    Mar 2003
    Location
    Hawaii
    Posts
    309
    The tests that you folks are doing are for an earlier vulnerability do not necessarily check for Meltdown and Spectre. According to his link: https://thehackernews.com/2017/11/in...set-flaws.html, the page covers CVE-2017-5705, CVE-2017-5708, CVE-2017-5711, CVE-2017-5706, CVE-2017-5707, CVE-2017-5709 and CVE-2017-5710.

    Meltdown and Spectre have been assigned CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754.

    Here's a summary of Meltdown and Spectre:

    http://www.theregister.co.uk/2018/01...vulnerability/

    Meltdown

    This is the big bug reported on Tuesday.

    It can be exploited by normal programs to read the contents of private kernel memory.

    It affects potentially all out-of-order execution Intel processors since 1995, except Itanium and pre-2013 Atoms. It definitely affects out-of-order x86-64 Intel CPUs since 2011. There are workaround patches to kill off this vulnerability available now for Windows, and for Linux. Apple's macOS has been patched since version 10.13.2. Installing and enabling the latest updates for your OS should bring in the fixes. You should go for it. If you're a Windows Insider user, you're likely already patched. Windows Server admins must enable the kernel-user space splitting feature once it is installed; it's not on by default.

    Amazon has updated its AWS Linux guest kernels to protect customers against Meltdown. Google recommends its cloud users apply necessary patches and reboot their virtual machines. Microsoft is deploying fixes to Azure. If you're using a public cloud provider, check them out for security updates.

    The workarounds move the operating system kernel into a separate virtual memory space. On Linux, this is known as Kernel Page Table Isolation, or KPTI, and it can be enabled or disabled during boot up. You may experience a performance hit, depending on your processor model and the type of software you are running. If you are a casual desktop user or gamer, you shouldn't notice. If you are hitting storage, slamming the network, or just making a lot of rapid-fire kernel system calls, you will notice a slowdown. Your mileage may vary.

    It also affects Arm Cortex-A75 cores, which aren't available yet. Qualcomm's upcoming Snapdragon 845 is an example part that uses the A75. There are Linux kernel KPTI patches available to mitigate this. The performance hit isn't known, but expected to be minimal.

    Additionally, Cortex-A15, Cortex-A57 and Cortex-A72 cores suffer from a variant of Meltdown: protected system registers can be accessed, rather than kernel memory, by user processes. Arm has a detailed white paper and product table, describing all its vulnerable cores, the risks, and mitigations.

    Meltdown does not affect any AMD processors.

    Googlers confirmed an Intel Haswell Xeon CPU would allow a normal user program to read kernel memory.

    It was discovered and reported by three independent teams: Jann Horn (Google Project Zero); Werner Haas, Thomas Prescher (Cyberus Technology); and Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology).

    Spectre

    Spectre allows, among other things, user-mode applications to extract information from other processes running on the same system. Alternatively, it can be used by code to extract information from its own process. Imagine malicious JavaScript in a webpage churning away using Spectre bugs to extract login cookies for other sites from the browser's memory.

    It is a very messy vulnerability that is hard to patch, but is also tricky to exploit. It's hard to patch because just installing the aforementioned KPTI features is pointless on most platforms – you must recompile your software with countermeasures to avoid it being attacked by other programs, or wait for a chipset microcode upgrade. There are no solid Spectre fixes available yet for Intel and AMD parts.

    In terms of Intel, Googlers have found that Haswell Xeon CPUs allow user processes to access arbitrary memory; the proof-of-concept worked just within one process, though. More importantly, the Haswell Xeon also allowed a user-mode program to read kernel memory within a 4GB range on a standard Linux install.

    This is where it gets really icky. It is possible for an administrative user within a guest virtual machine on KVM to read the host server's kernel memory in certain conditions. According to Google:

    When running with root privileges inside a KVM guest created using virt-manager on the Intel Haswell Xeon CPU, with a specific (now outdated) version of Debian's distro kernel running on the host, can read host kernel memory at a rate of around 1500 bytes/second, with room for optimization. Before the attack can be performed, some initialization has to be performed that takes roughly between 10 and 30 minutes for a machine with 64GiB of RAM; the needed time should scale roughly linearly with the amount of host RAM.
    AMD insists its processors are practically immune to Variant 2 Spectre attacks. As for Variant 1, you'll have to wait for microcode updates or recompile your software with forthcoming countermeasures described in the technical paper on the Spectre website.

    The researchers say AMD's Ryzen family is affected by Spectre. Googlers have confirmed AMD FX and AMD Pro cores can allow arbitrary data to be obtained by a user process; the proof-of-concept worked just within one process, though. An AMD Pro running Linux in a non-default configuration – the BPF JIT is enabled – also lets a normal user process read from 4GB of kernel virtual memory.

    For Arm, Cortex-R7, Cortex-R8, Cortex-A8, Cortex-A9, Cortex-A15, Cortex-A17, Cortex-A57, Cortex-A72, Cortex-A73, and Cortex-A75 cores are affected by Spectre. Bear in mind Cortex-R series cores are for very specific and tightly controlled embedded environments, and are super unlikely to run untrusted code. To patch for Arm, apply the aforementioned KPTI fixes to your kernel, and/or recompile your code with new defenses described in the above-linked white paper.

    Googlers were able to test that an Arm Cortex-A57 was able to be exploited to read arbitrary data from memory via cache sniffing; the proof-of-concept worked just within one process, though. Google is confident ARM-powered Android devices running the latest security updates are protected due to measures to thwart exploitation attempts – specifically, access to high-precision timers needed in attacks is restricted. Further security patches, mitigations and updates for Google's products – including Chrome and ChromeOS – are listed here.

    Discovered and reported by these separate teams: Jann Horn (Google Project Zero); and Paul Kocher in collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61).

    We're told Intel, AMD and Arm were warned of these security holes back in June last year. Our advice is to sit tight, install OS and firmware security updates as soon as you can, don't run untrusted code, and consider turning on site isolation in your browser (Chrome, Firefox) to thwart malicious webpages trying to leverage these design flaws to steal session cookies from the browser process.

    If you are using the Xen hypervisor, you should grab security patches when they become available. Intel and AMD processors are affected, and they're still checking whether Arm is.

    "Xen guests may be able to infer the contents of arbitrary host memory, including memory assigned to other guests," due to these processor security holes, according to the hypervisor project team. If you've experienced a mass reboot – or are scheduled for one – by your public cloud provider, this may be why.

    Meanwhile, VMware's ESXi, Workstation and Fusion hypervisors need patching to counteract the underlying hardware design flaws.

    Finally, if you are of the opinion that us media types are being hysterical about this design blunder, check this out: CERT recommends throwing away your CPU and buying an non-vulnerable one to truly fix the issue.

  31. #31
    Join Date
    Mar 2003
    Location
    Hawaii
    Posts
    309
    Here's a video showing Meltdown in action

    https://twitter.com/twitter/statuses/948706387491786752

  32. #32
    Join Date
    May 2001
    Location
    Behind Enemy Lines
    Posts
    149,698
    I am unimpressed IJM. There is actually COMMERCIAL software out there that will let you see the clear-text of a password. One doesn't need to use any exploits to do it. (I learned this and many other absolutely frightening things from a "Certified Ethical Hacker" class I took a few years ago. Enough to give you the shakes.

    THERE IS NO REAL SECURITY IF YOU USE A COMPUTER.

    Internalize that...

  33. #33
    Join Date
    Mar 2003
    Location
    Hawaii
    Posts
    309
    Quote Originally Posted by Dennis Olson View Post
    THERE IS NO REAL SECURITY IF YOU USE A COMPUTER.
    I agree 100%. That's why I'm not worried about this vulnerability. There is only so much you can do. A lot of the security is out of your control. Just like in real life, you cannot control the actions of others or the outside influences.

    Just do what you can and go on with your life. That's really all you can do otherwise you'll not enjoy living...

    Just my two cents...

  34. #34
    Join Date
    Dec 2001
    Location
    North Carolina
    Posts
    5,694
    Jan 4, 3PM EDT.
    Intel just downloaded and installed update files for my I7 processor.
    Very low key and not immediately obvious what it is.
    PPL may discount it as a virus, the way it bullies in.

  35. #35
    Join Date
    Feb 2003
    Location
    Eau Claire, WI
    Posts
    693
    It seems to me Intel is guilty of fraudulent business practices. I did not agree to buy a processor with 30 per cent less speed than advertised.

    I know, "sue" is an overused word, but I truly hope there is some type of class action suit I/we can be part of. I also was told the CEO sold all the Intel stock he legally could last November.

    What a cheat.

  36. #36
    Join Date
    Dec 2017
    Location
    Swimming in sea quarks
    Posts
    3,767
    Quote Originally Posted by Dennis Olson View Post
    I am unimpressed IJM. There is actually COMMERCIAL software out there that will let you see the clear-text of a password. One doesn't need to use any exploits to do it. (I learned this and many other absolutely frightening things from a "Certified Ethical Hacker" class I took a few years ago. Enough to give you the shakes.

    THERE IS NO REAL SECURITY IF YOU USE A COMPUTER.

    Internalize that...
    Only greater and lesser degrees of difficulty getting in.
    Facts?? We don't need no stinkin facts...

  37. #37
    http://www.breitbart.com/tech/2018/0...re-of-cpu-bug/

    NOTE: Comments at the Breitbart link above may be helpful in understanding the issue and provide more info...

    Report: Intel CEO Sold $24 Million in Stock While Company Was Aware of Massive CPU Bug



    by Lucas Nolan4 Jan 2018100


    A new report states that Intel CEO Brian Krzanich sold $24 million in stocks in November shortly after the company was made aware of a massive vulnerability in the computing giant’s processors.

    Business Insider reports that the CEO of Intel, Brian Krzanich, sold $24 million in stocks and options in November after Intel was informed by Google of a security vulnerability in almost all CPU’s, including Intel’s products. The recently revealed vulnerability could give hackers access to user’s passwords, financial data, browsing history and many other records stored on their computer, resulting in panic amongst operating system developers who are quickly working to patch the bug. While the vulnerability was made public recently, tech companies were made aware of the issue months ago. According to an Intel representative, Google informed Intel of the vulnerability in June 2017.

    This allegedly means that Intel CEO Brian Krzanich was aware of the vulnerability when he sold approximately $24 million in stocks and options in November. The sudden sale was considered quite odd as it left Krzanich with only 250,000 shares of Intel stock, the minimum amount that Intel requires Krzanich to hold as part of his employment agreement. An Intel representative claims that Krzanich’s sale had nothing to do with the new vulnerability and was pre-planned, but that plan of sale was only entered on October 30th, after Intel was informed of the CPU bug. “Brian’s sale is unrelated,” the representative said in a statement to Business Insider, stating that Krzanich “continues to hold shares in line with corporate guidelines.”

    The CPU targeting bugs were discovered by Jann Horn, a security researcher with Google Project Zero, Google’s digital security team. The details of the bugs, named Meltdown and Spectre, were to be revealed next week but Google decided to publish the details immediately, “because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation.” According to Horn, the issue with the CPU is a hardware one which will require firmware updates to be issued by CPU vendors and software fixes from both operating system and application manufacturers.

    Google described the two exploits as the following:

    Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

    Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

    The meltdown bug was given that codename because according to Google “the bug basically melts security boundaries which are normally enforced by the hardware.” Google stated that the Spectre codename “is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time,” Google says. “Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.”

    Currently, detecting attacks using the exploit is extremely hard, “the exploitation does not leave any traces in traditional log files,” said Google. They did note that antivirus software should, in theory, be able to detect and prevent attacks. Google currently believes that, “every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013) is affected by Meltdown.”

    Some companies have begun issuing bug fixes, a list of them can be found here.

    Microsoft has recommended all Windows users take the following actions,

    Verify you are running a supported antivirus (AV) application before installing OS or firmware updates. Check with your antivirus software vendor for compatibility information.
    Apply all available Windows operating system updates including the January 2018 Windows security updates.
    Apply the applicable firmware update provided by your device manufacturer.
    There are two types of people in this world.
    1) Those that can extrapolate from incomplete data

  38. #38
    https://www.pcmag.com/news/358249/in...ix-means-slowe


    Chip Design Flaw Not Limited to Intel, Researchers Say

    UPDATE: In a statement, Intel said the problem isn't unique to Intel products and denied that it would drag down performance for the average computer user.


    By Matthew Humphries and Michael Kan
    January 3, 2018 6:59PM EST



    UPDATE 2: The Intel flaw involves two vulnerabilities that can be used to steal your passwords, emails, and any other sensitive data you have on your computer, according to the security researchers who uncovered the bugs.

    Intel also isn't the only vendor affected. One vulnerabilty, named Spectre, was found in AMD and ARM-based chips, too. The other vulnerability, dubbed Meltdown, was found mostly in Intel processors as far back as 1995; it's unclear whether AMD or ARM-based chips have the same problem.

    Both bugs can essentially help malware grab data stored in sensitive programs, including a password manager or browser. "While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs," the researchers wrote.

    Meltdown Spectre Exploit 3

    Desktops, laptops, cloud servers, and smartphones are affected by one or both vulnerabilities, the researchers warn. Attacks that exploit the two vulnerabilities are also difficult to detect and don't leave any traces.

    The risk is especially severe for cloud computing providers, which lease their servers to different clients. Both Meltdown and Spectre can essentially erode the boundaries in a machine that seperate one client's data from another.

    The public can find more details about the vulnerabilities on a new website the researchers created detailing the issue.

    Android devices with the latest security update from Jan. 2018 are protected from the vulnerabilities, Google wrote in a blog post.

    As for Microsoft, it's been rolling out a patch for Windows PCs that should arrive on Wednesday.

    Unfortunately, the Microsoft fix may result in some performance dips. "For most consumer devices, the impact may not be noticeable, however, the specific impact varies by hardware generation and implementation by the chip manufacturer," the company said.

    Despite the patching, the security researchers say the Spectre security flaw, although harder to exploit, is also more difficult to fully patch. Software-based solutions can act as a stop-gap measure against the threat, but until vendors update their chip designs, Spectre will remain a problem.

    UPDATE: In a statement, Intel said the upcoming fix shouldn't drag down performance for the average computer user.

    "Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," the company insisted.

    The chip maker didn't go into detail about the exact problem, but suggested Intel products aren't the only ones affected. "Based on the analysis to date, many types of computing devices — with many different vendors' processors and operating systems — are susceptible to these exploits," it said.

    Furthermore, "Intel believes these exploits do not have the potential to corrupt, modify or delete data."

    The company originally decided to disclose the bug next week, but opted to release a statement on Wednesday to address what it considered to be inaccurate media reports. It's now delivering the software and firmware fixes to its partners.

    "Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available," Intel said.

    Original story:
    Over the next few weeks there's a very good chance your PC or laptop will take a significant performance hit, possibly up to 30 percent slower. Worse is the fact you can do nothing about it, as the slowdown is a side effect of fixing a major design flaw in Intel processors.

    If your computer uses an Intel processor produced in the last decade, it probably contains the design flaw. Intel has not yet released a list of affected chips; it's keeping the details under lock and key until operating system patches have been released for Linux, Windows, and macOS.

    As The Register reports, the flaw is thought to allow user programs to gain access to protected kernel memory areas. The kernel is the core of an operating system and controls anything and everything running on it. It is therefore extremely important the kernel memory remains secure due to the sensitive information it can contain.

    Although nobody outside of Intel knows the specifics, the flaw is thought to be so serious it could allow any software, even a bit of JavaScript running in a web browser, to access and steal data stored in the protected kernel memory. So that includes your passwords, login keys, or any files that happen to be cached when unauthorized access occurs.

    The vulnerability alone is bad enough, but the fix makes the situation even worse. Closing the security hole will result in a significant performance hit to each system. Current estimates suggest that hit could be as high as 30 percent. You read that right, once your system is patched it may run 30 percent slower for certain tasks.
    Related

    The Best Desktop Computers of 2018
    The Best Desktop Computers of 2018

    There is no way around this if your system uses an Intel chip. Some newer processor models are thought to be immune, or at least better able to work around the flaw, but until Intel releases specifics we can't confirm which ones. If you are running an AMD processor, you're fine. AMD confirmed its processors are not vulnerable.

    Linux kernel patches are already available, with Microsoft expected to roll out the Windows patch with next week's Patch Tuesday. Also keep in mind this flaw will impact all of Intel's major corporate customers. Imagine how many Intel chips are running inside Amazon's or Facebook's datacenters, for example, and what a performance hit will mean for them.
    There are two types of people in this world.
    1) Those that can extrapolate from incomplete data

  39. #39
    I just got the Linux kernel firmware update. I get delta RPM's for updating-this looked like a full rpm package instead. Took a while, Looks like it updated my firewall as well.
    My laptop is a Lenovo W500 workstation laptop, T9900 Intel core duo cpu, 3.06 ghz slightly overclocked
    8 gig memory.running SUSE Leap 42.3 OS.
    I don't notice any slowdown, thankfully.

    Intel should be raked over the coals for this bug.

  40. #40
    Join Date
    Jul 2004
    Location
    State of confusion
    Posts
    2,726
    Quote Originally Posted by Dennis Olson View Post
    I am unimpressed IJM. There is actually COMMERCIAL software out there that will let you see the clear-text of a password. One doesn't need to use any exploits to do it. (I learned this and many other absolutely frightening things from a "Certified Ethical Hacker" class I took a few years ago. Enough to give you the shakes.

    THERE IS NO REAL SECURITY IF YOU USE A COMPUTER.

    Internalize that...
    I thought any decent system would store passwords hashed and salted?
    "...Cry 'Havoc' and let slip the cats of war..."
    Razor sharpening while you wait - Occam
    If it works, it doesn't have enough features. - Windows 10 design philosophy.
    Forget the beer, I'm just here for the doom!
    Humans, just a tool for amino acids to make Swiss watches.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts


NOTICE: Timebomb2000 is an Internet forum for discussion of world events and personal disaster preparation. Membership is by request only. The opinions posted do not necessarily represent those of TB2K Incorporated (the owner of this website), the staff or site host. Responsibility for the content of all posts rests solely with the Member making them. Neither TB2K Inc, the Staff nor the site host shall be liable for any content.

All original member content posted on this forum becomes the property of TB2K Inc. for archival and display purposes on the Timebomb2000 website venue. Said content may be removed or edited at staff discretion. The original authors retain all rights to their material outside of the Timebomb2000.com website venue. Publication of any original material from Timebomb2000.com on other websites or venues without permission from TB2K Inc. or the original author is expressly forbidden.



"Timebomb2000", "TB2K" and "Watching the World Tick Away" are Service Mark℠ TB2K, Inc. All Rights Reserved.