Eight new Spectre Variant Vulnerabilities for Intel Discovered - four of them critical

Thanks, after i wrote my request i realized something like this exists. It increased score with any benchmark i used, not by much, but every boost counts

 

Here we go again, more bad news!
Working now in cybersecurity is either very lucrative for evil doers and a pure nightmare for sysadmins and the whole world.

 

Yep i'm afraid we will do soon or later another wave of security patching for our customer.

 

There are orders of magnitude more hacking bots than there are humans doing it.
Bots can do extremely complex jobs with utmost precision, very fast, hidden and without any effort once programmed.
There is nothing to limit how many can run simultaneously.
When they locate a valuable resource a human can take over and decide how best to handle it.
You can be sure you are entered in a database for later use or to be sold to anyone.
You might never know your identity has been stolen until you see a credit report. It can screw your life up trying to sort it out... if you truly can.
Thats just one thing, it is cause for worry.

 

It was asked earlier what there was to worry about these exploits.

The biggest issue comes in the form of multipart exploit kits. These "kits" use a whole toolbox of exploits to gain access to your system typically with the goal of downloading and executing payload without user interaction.

The more exploitable components in your system (OS, browser, hardware) the easier it is to "drive by" infect your system.

In the worst cases 100% safe sites can become compromised with exploit born malware and you can be a 100% "safe surfer" and still get infected.

It was several years ago now but there was an ISP with a compromised webmail page. Simply opening your webmail page would infect you directly if you were vulnerable. The exploit was silent and so was the payload (added your system to a botnet).

 

Yes, bots can do great damage. But by their very nature can only be effective if spreading across large numbers of PCs which increases their chance of being detected in the wild by AV or malware companies. Secondly, bots still need 'humans' to make sense out of any useful data out of the millions of PCs they sift through.

This topic is so funny because lots of people were recently arguing and boasting about how they dont need AV or ant-malware products, that they "know what they are doing" and can spot any malware, bots or other threats just by "being careful" and observant with what they click on or what goes on with their PCs.

So we have 2 extremes of viewpoints, the alarmists vs the "experts" who are aware of every little thing that goes on in their PCs and are "safe" simply due to that and dont need no fricking AVs. I'm happy to sit in the middle and watch all these contradictory arguments unfold.

 

Obsolescence.

 

Last time I checked, a botnet needs to have access / exploit a security vulnerability on the operating system, not on the CPU. So if a company is susceptible to a botnet / has no AV ... it doesn't matter what vulnerabilities the CPUs it has. Security will still be compromised.

 

Security researchers have pointed out that AVs are given access to everything and malware can simply target vulnerabilities in the AVs themselves to get access to the PC, and we have seen AVs getting updates to prevent that from happening.

I agree that the so-called power users are too extreme with what they think they control, but the argument of AVs' safety is also questioned.

 

Many years ago on Win XP, some malware got through and used my AVs scanning engine to spread itself throughout my PC. So the more I scanned looking for it, the more it spread itself. It was a rather crude malware that targeted exe files and corrupted them. Caused a lot of damage, had to format my entire PC. Fortunately we've come a long way since then.

 

Hehe yeah, they now encrypt the whole PC straight away.

 

Could be my ex, but she isn't called Intel ...

 

All this security issues one after the other. By the time we get all this fix we all will go back to core 2 duo performance....lol.

 

Dude do not make such comments while people drinking morning coffee ! I spiled coffee all over my carpet! (Yes i was fast enough to save my keyboard!!!)

 

Last time I checked, 60% of systems in botnets get infected by person clicking something containing malicious code. Like link in browser where add contains spectre/meltdown code or something exploiting bug in browser.

You assume OS level vector and think that CPU level vector means nothing. But if CPU level vector exists then OS level protection for other things is good for nothing. Same goes for antivirus. Because those exploits are about gaining access to either protected data in memory or admin privileges which are then used to install whatever / cripple protections.

 

It does not work that way. All that is required is for the vulnerable component to be passed specifically crafted data to trigger an unintended outcome. If the vulnerable component is not patched to correctly handle this malformed data it will malfunction as the attacker intends.

These CPU exploits wont be attacked on their own, they will be attacked in a multipart exploit attack. Think of data injection paired with permission elevation paired with unauthorized access...... That is how exploits work, they come in the form of a multi-part kit.

It is likely that these CPU exploits would be pretty far down the execution chain meaning that other exploits would open the door and then these CPU exploits would attain root access. Exploits that already exist but are not used due to limited functionality could be weaponized with these CPU exploits to make them actually useful.

Exploits also come with 2 variations. First is the exploit itself can be refactored with different code to attain the same objective, this makes it hard to block with security software. On top of that is the obfuscation layer. This layer does not change the core functionality of the exploit but it does change how the exploit package "looks" further impeding security software.

 

+1 This ^ , i still have 2 Intel running PCs at home and 2 AMD

 

Unfortunately this could be a concern. While most things are not too seriously affected Intel did screw another Intel product, Optane. I have done some limited testing and my 900P lost 25% of its 4KQ1T1 performance after patching the BIOS.

I am building a new workstation soon with a 905P drive for the OS/apps. I will be testing 1709 base + old BIOS VS 1803 updated + newest BIOS to see just how bad the drop is.

 

Keep us updated on your findings. thanks in advanced.

Kind Regards: Chispy

 

Can someone please explain in plain English what Specture and meltdown do exactly? Other then security issues do you also loose cpu performance with these attacks? If so what % of gaming performance would a person loose buying a 8700k for example? I am having a hard time understanding why all this crap is happening,Hackers trying to exploit Intel and Amd for $ I assume?