Eight new Spectre Variant Vulnerabilities for Intel Discovered - four of them critical

Discussion in 'Frontpage news' started by Hilbert Hagedoorn, May 3, 2018.

  1. jaggerwild

    jaggerwild Master Guru

    Messages:
    780
    Likes Received:
    279
    GPU:
    EVGA RTX 2070 SUP
    Plus the fact I can not update my GPU, is there any wonder why people are finding new hobbies. (NO Offense to anyone here!!)It is very depressing visiting a site for hardware, but no new stuff. I think they wont be happy till they chit all over each others company and nobody will buy there stuff. I started to buy a X99 CPU for my board, but now Im gonna sell it and be done.
     
    nz3777 likes this.
  2. nosirrahx

    nosirrahx Master Guru

    Messages:
    240
    Likes Received:
    76
    GPU:
    HD7700
    Microprocessors attempt to predict what needs to be processed ahead of time and pre-process this data to increase performance.

    Microprocessor makers did not do enough to ensure that this pre-processed data was inaccessible in unauthorized ways.

    By manipulating this pre-processing an attacker can gain access to data that should be out of reach and use this access to gain unauthorized control over a system.

    In fixing this issue with patches this pre-processing is less efficient than it was before and certain tasks have become slower.

    A modern OS and modern CPU should be affected on a level that benchmarks can see but the user typically won't notice this decrease in performance.

    Older OSes and older CPUs might see a noticeable hit and certain specific tasks like high IO on Optane drives also have a noticeable drop in performance.
     
    yasamoka and nz3777 like this.
  3. nz3777

    nz3777 Ancient Guru

    Messages:
    2,446
    Likes Received:
    206
    GPU:
    Gtx 980 Strix
    Very well put sir thank you for that.So before I upgrade so I know which route to take Intel vs And but I am relieved to hear the performance hit is small.
     
    nosirrahx likes this.
  4. Mufflore

    Mufflore Ancient Guru

    Messages:
    11,909
    Likes Received:
    867
    GPU:
    1080Ti + Xtreme III
    You are fortunate to have 2 great alternative hobbies there.
     

  5. Ray

    Ray New Member

    Messages:
    4
    Likes Received:
    2
    GPU:
    GTX 1070 / 8GB
    Can't wait to see the benchmarks when the patches are released :(:(:(
     
    fantaskarsef likes this.
  6. Fox2232

    Fox2232 Ancient Guru

    Messages:
    10,502
    Likes Received:
    2,514
    GPU:
    5700XT+AW@240Hz
    On unpatched system, attacker may get your private data (bank stuff, emails, game accounts). May get elevated privileges execution and as such launch secondary vector attacks (locally installed spyware, malware, ransomware, put you into botnet, ...)

    Being "under attack" or already infected does not exactly cost you much of performance. But patches preventing undesirable execution, those will cost something.
    But if i7-8700k is supposed to be used only for gaming, it is safe to say that those patches will not put it under Ryzen 2700X as those chips have very similar IPC, but 2700X OCs to like 4.25GHz while 8700k does comfortably over 5GHz. That's still 17% gaming performance reserve. (Which may be utilized on some high-end GPU in future on some poorly coded game.)
    If you are considering 2700X, I'll tell you that current BIOSes are far from perfect and there is some kind of misbehavior / missing features. And AMD's update for their "vulnerabilities" is incoming. So, you can wait 2 weeks to see what will be effect.
     
    nz3777 likes this.
  7. nz3777

    nz3777 Ancient Guru

    Messages:
    2,446
    Likes Received:
    206
    GPU:
    Gtx 980 Strix
    Roger that Fox I am in no hurry whatsoever. Waiting only pays off in situations like this. Thank you for the reply.
     
  8. jaggerwild

    jaggerwild Master Guru

    Messages:
    780
    Likes Received:
    279
    GPU:
    EVGA RTX 2070 SUP
    Please do tell, I need a distraction from reality!!!
     
  9. Fox2232

    Fox2232 Ancient Guru

    Messages:
    10,502
    Likes Received:
    2,514
    GPU:
    5700XT+AW@240Hz
    I bet those 'hobbies' are quite handy... based on your avatar :D
     
    Mufflore and jaggerwild like this.
  10. Mufflore

    Mufflore Ancient Guru

    Messages:
    11,909
    Likes Received:
    867
    GPU:
    1080Ti + Xtreme III
    I'd play with them all day!
     
    jaggerwild likes this.

  11. jaggerwild

    jaggerwild Master Guru

    Messages:
    780
    Likes Received:
    279
    GPU:
    EVGA RTX 2070 SUP
    :p Gonna get her kicked out,Shh!
     
    Mufflore likes this.
  12. chispy

    chispy Ancient Guru

    Messages:
    8,841
    Likes Received:
    963
    GPU:
    RTX 2080Ti - RX 590
  13. Turanis

    Turanis Ancient Guru

    Messages:
    1,630
    Likes Received:
    344
    GPU:
    Gigabyte RX500
    Security researchers from Google and Microsoft have publicly disclosed today a third and fourth variant of the industry-wide issue known as the Spectre vulnerability, which could let attackers gain access to sensitive information on vulnerable systems.
    They are identified as CVE-2018-3640 and CVE-2018-3639

    Dubbed Spectre Variant 3a and Spectre Variant 4, the two security vulnerabilities are identified as Rogue System Register Read (CVE-2018-3640) and Speculative Store Bypass (CVE-2018-3639). While Spectre Variant 3a lets a local attacker to obtain sensitive information by reading system parameters via side-channel analysis, the Spectre Variant 4 vulnerability lets unprivileged attackers read older memory values from memory or the CPU stack.

    According to the security researchers who found the two vulnerabilities, the implementation of the Spectre Variant 4 side-channel vulnerability is complex, but it could let attackers using less privileged code to exploit the "speculative bypass" and either read arbitrary privileged data or execute older commands speculatively, which may result in cache allocations that could let them exfiltrate data if they use standard side-channel methods.

    "Spectre Variant 3a is a vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information," reads the security advisory.
    "Spectre Variant 4 is a vulnerability that exploits “speculative bypass.” When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations."

    https://news.softpedia.com/news/sec...e-spectre-security-vulnerability-521225.shtml

    https://news.softpedia.com/news/speculative-store-bypass-flaw-patches-to-slow-down-pcs-521228.shtml

    From Intel:
    INTEL-SA-00115
    Q2 2018 Speculative Execution Side Channel Update

    https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

    Recommendations:
    Most leading browser providers have recently deployed mitigations in their Managed Runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a modern web browser. These techniques would likewise increase the difficulty of exploiting a side channel in a browser based on SSB.

    Intel has released Beta microcode updates to operating system vendors, equipment manufacturers, and other ecosystem partners adding support for Speculative Store Bypass Disable (SSBD). SSBD provides additional protection by providing a means for system software to completely inhibit a Speculative Store Bypass from occurring if desired. This is documented in whitepapers located at Intel’s Software Side-Channel Security site. Most major operating system and hypervisors will add support for Speculative Store Bypass Disable (SSBD) starting as early as May 21, 2018.

    The microcode updates will also address Rogue System Register Read (RSRR) – CVE-2018-3640 by ensuring that RDMSR instructions will not speculatively return data under certain conditions. This is documented in whitepapers located at Intel’s Software Side-Channel Security site. No operating system or hypervisor changes are required to support the RDMSR change.

    It is expected beta microcode updates will be fully production qualified in the coming weeks. Intel recommends end users and systems administrators check with their OEM and system software vendors and apply any available updates as soon as practical.

     
    Last edited: May 22, 2018

Share This Page