Researchers reveal Variant 4 of Spectre vulnerability

Discussion in 'Frontpage news' started by Hilbert Hagedoorn, May 22, 2018.

  1. tsunami231

    tsunami231 Ancient Guru

    Messages:
    10,804
    Likes Received:
    641
    GPU:
    EVGA 1070Ti Black
    all these researches popoing up and disclosing this stuff to public it not issue with never been known about and never disclosed to public years, but one idiots blab it out to public it becomes nightmare for ever one. which what i issue with. cause that is when people start looking for ways to exploit it
     
    schmidtbag likes this.
  2. Denial

    Denial Ancient Guru

    Messages:
    13,085
    Likes Received:
    2,532
    GPU:
    EVGA 1080Ti
    The hackers already knew a problem existed when the vector for vulnerability was disclosed in 2016 at blackhat conference. The better part of the netsec community knew about the vulnerability in relation to all Intel processors weeks before the disclosure, it was all over /r/netsec. That's my point - you aren't keeping this secret, the cat was out of the bag on both these exploits literally two years before it was disclosed and fully leaked and understood by the wider community two to three weeks before disclosure. So what exactly is the benefit of saying "we need to keep it secret for longer" when everyone knew about it weeks before the secret was up? It's not just kernel devs that need to know about exploits of this kind, its also architecture engineers designing hardware fixes, system validation engineers and software developers validating that the kernel devs are actually fixing the issue and not breaking a million other things, etc. It's across like 6+ different hardware vendors if not more when you consider Nvidia and whatnot also had to make changes in order to mitigate the problem in their drivers, plus countless other security vendors that implement ARM based SoCs in switches/firewalls/etc - they all need to be updated and patched and in order to do that they need to be fully knowledgeable about the exploit. By the time you're done 10K+ if not more people know about it - a portion of those people are engaged in the netsec community and it leaks everywhere. Which is exactly what happened.

    So idk, you're not keeping it secret and honestly even if you could I don't think the advantages outweigh the negatives. I want to know when my hardware/software is insecure and I want to be able to demand that companies fix it or know I need to replace hardware in order to be secure. I don't trust Intel to do it behind the scenes - hell even under public pressure to get it done they've dropped the ball and announced that half their hardware isn't even receiving a patch and countless delays.

    180 days is generous and that itself is the exception, as the disclosure is typically 90 (unless your AMD then it's 24 hours looooool) - the extra time isn't even going to matter because the devices will never be patched regardless.
     
    alanm, schmidtbag and yasamoka like this.
  3. schmidtbag

    schmidtbag Ancient Guru

    Messages:
    5,387
    Likes Received:
    1,941
    GPU:
    HIS R9 290
    I wasn't aware of any of that. I've only heard how companies like Google, Intel, and MS knew of the problem. So at that point yes, I don't see a point in keeping it a secret any further (largely because at that point, it isn't a secret anymore) and therefore I would have to agree with everything else you said in previous posts.
     
  4. Athlonite

    Athlonite Maha Guru

    Messages:
    1,305
    Likes Received:
    36
    GPU:
    Pulse RX5700 8GB
    BLAH BLAH BLAH until someone actually gets hacked via Spectre or Meltdown then I'd rather not keep hearing about it thanks we all know by now that all of the Spectre attack paths require local machine access and considerable knowledge and effort to affect a machine but that's it one machine big deal
     
    warlord likes this.

  5. warlord

    warlord Ancient Guru

    Messages:
    2,824
    Likes Received:
    944
    GPU:
    Null
    It is tiring and irrelevant to guru3d. We are not a cybersec or hacking tips site. I can only tolerate this rubbish only for performance loss meaning benchmarks. Anything more it is headache and food for nerds or no lifers.

    HH please stop these kind of news as they are uninteresting for the real life pc user / gamer.
     
  6. alanm

    alanm Ancient Guru

    Messages:
    9,754
    Likes Received:
    1,942
    GPU:
    Asus 2080 Dual OC
    It is very relevant to G3D. Our hardware is the target of these sort of threats. We need to know all there is to know as quickly as we can whenever such threats may exist.
     
  7. TheDeeGee

    TheDeeGee Ancient Guru

    Messages:
    6,748
    Likes Received:
    1,028
    GPU:
    NVIDIA GTX 1070
    I actually flashed back to Microcode 22 for my CPU, cuz the Spectre Fix causes all kinds unexplainable issues.
     
    Last edited: May 22, 2018
  8. user1

    user1 Ancient Guru

    Messages:
    1,607
    Likes Received:
    546
    GPU:
    hd 6870
    performance hit is up to 8%
    on intel cpus.


    i find it concerning the reaction time of intel and microsoft has been so slow to these problems

    patches for linux are already available for all the stable kernel kernels, just waiting on intel to provide microcode,



    it should be noted that this exploit can be mitigated the same way as some of the other spectre exploits, lowering the timer resolution makes it much more difficult to use, web browsing should still be relaticely safe even on machines without the required microcode
     
  9. Irenicus

    Irenicus Master Guru

    Messages:
    571
    Likes Received:
    97
    GPU:
    1070Ti OC
    Thankfully this will never affect me nor most users

    Nope, but I know it has affected databases and other systems in some companies, but for a regular user/gamer it's not really something you need to worry about
     
  10. fantaskarsef

    fantaskarsef Ancient Guru

    Messages:
    11,800
    Likes Received:
    3,790
    GPU:
    2080Ti @h2o
    And you still comment on it then although you're not interested in hearing about it? ;)



    No wonder nobody can do a real perfromance review of the crippled Intel CPUs, because not only @Hilbert Hagedoorn would probably need a week just for doing that, but he can't since before he'd be finished he'd need to start all over because of another Intel CPU sec flaw :D
     

  11. Sergio

    Sergio Master Guru

    Messages:
    254
    Likes Received:
    7
    GPU:
    Asus 760 DirectCU II OC
    I seriously don't believe this crap anymore. Just ignore this kind news. Will they patch and protect all their hardwares? NO!?.. Why not??! Are we safe with Linux already? YES?.. Wake the fk up!
     
  12. slyphnier

    slyphnier Master Guru

    Messages:
    770
    Likes Received:
    60
    GPU:
    GTX1070
    knowing the problem important, but no matter what .... there no perfect-secure anyway
    human-build will always have flaw... and there cat&mouse play, between exploit and patches

    no other way than accept it... and just let those chip-maker/designer+software programer solve issue after issues

    if cant accept it, then exile yourself in offline-world
     
  13. jaggerwild

    jaggerwild Master Guru

    Messages:
    783
    Likes Received:
    281
    GPU:
    EVGA RTX 2070 SUP
    In other news, there are hackers but we can't seem to find any of them making a living doing this. but to be safe we should all toss out our computers before they become infected.
     
  14. waltc3

    waltc3 Maha Guru

    Messages:
    1,145
    Likes Received:
    355
    GPU:
    AMD 50th Ann 5700XT
    Just thought I'd mention that InSpectre #8, latest version as of five minutes ago when I double checked, does not appear to check for Spectre 3a and Spectre 4 at all, as of the present moment. So, fat lot of good that does at the moment--but this is obviously not the author's fault--read on...I certainly share everyone's obvious disdain for all of this and wonder what's really going on here--I mean, the way it is supposed to work is that the Project Zero hackers (Google, et al) are supposed to let AMD, Intel, and Microsoft, and whom else may be affected, know about these conjectured and theoretical "vulnerabilities" a whole 90-days before the information is made public, and even the 90-days is not written in stone, the hackers could actually give the companies a year or more if they wanted. The *only* reason that I can see for discovering this stuff and two days/two weeks later making it public is because of malware discovered in circulation that actually depends on the vulnerability in order to function as some type of malware. So...*why* all of this rush to fix vulnerabilities without any known incidents of Spectre/Meltdown malware having been discovered anywhere in public domain circulation? The answer to that question will tell us a lot, imo. I'm not sure we are going to *get* a straight answer on that, unfortunately.

    The entire idea of these things being some kind of back-door for the NSA, or FBI, or KGB, whomever, is, I think, very much mistaken simply because in that case the manufacturers of the cpus would certainly *know* about them as they'd have to be designed into the cpus deliberately prior to them being manufactured and shipped. Obviously, nothing like that is going on.

    My opinion for what it's worth is as follows: I don't mind the patches, Windows or cpu microcode via bios updates, so long as cpu performance is not sacrificed--my personal threshold for cpu degradation is a 1-2% absolute maximum slowdown for these cpu microcode fixes, under a very narrow set of conditions, and of course preferably no performance loss at all. I also prefer bios microcode updates to OS-delivered microcode updates because then the fixes remain in place when the OS is reinstalled or when another OS is employed on the same general hardware and cpu. I was pleased to see that MSI rectified the Spectre 2 cpu microcode slowdown imposed by their first attempt via a bios update--I was concerned after their first attempt because the performance penalties were stiff in certain cases and I had no trouble demonstrating or repeating them. Next bios release fixed 99% of it! This gives me hope that at least on my current AMD hardware the Spectre4 (AMD says it hasn't found any vulnerabilities to 3a as of yet) cpu microcode patches applied in a bios release won't exact stiff performance penalties after all.

    I conclude by saying that it's obvious that most of us find the performance so far of the "project zero" people to be very amateurish, and that's being flattering to them, I think. I can see by the tone and tenor of the posts ahead of mine that we are all pretty much sick and tired of this kind of thing. To add insult to injury, next we have to put up with fraudulent "companies" sprouting up from literally nowhere to make all kinds of bogus claims--like for instance calling access to a machine plus administrator rights a "vulnerability" when in fact that is exactly what Admin mode is supposed to supply the end user--access to his own computer/workstation..! So who is doing this for various shady financial reasons, etc.? We know the outright frauds are doing it for that motive, obviously. But what about the rest? What a mess Google has helped make, imo. Someone has declared war on x86 PC cpus for some reason, apparently. Motive speculations anyone?
     
    fantaskarsef likes this.
  15. chispy

    chispy Ancient Guru

    Messages:
    8,868
    Likes Received:
    1,024
    GPU:
    RTX 3090 - RX 590
    Oh dear , will this ever end :/
     

  16. user1

    user1 Ancient Guru

    Messages:
    1,607
    Likes Received:
    546
    GPU:
    hd 6870
    few things, the first of these exploits were disclosed to hw vendors 6 months prior to public disclosure, project zero has been very professional about the whole thing, they have provided extensions to their deadlines frequently when asked,they even provided a way to mitigate spectre and spectre 2 (retpoline) without needing a microcode update on most cpus, it is microsoft and intel who have been slow to fix their their products.

    the fact that the latest stable linux kernels already has support for spectre v4/3a mitigation and amd already had microcode available for it goes to show how slow microsoft and intel are to react. there is no excuse, intel and microsoft arent putting as high of a priority on this as they should , thats the fact of the matter.

    The main reason for putting deadlines on these things is so that they actually attempt to fix their products, there have been plenty of times where Microsoft ignored serious security problems for months, and only fixed it once it became public. this is not their first rodeo.

    the inspectre tool couldn't detect spectre mitigation for v3a/4 even if it wanted too since the windows patches are not available yet,
    and when they do land they will be disabled by default since the perf hit is expected to be up to 8% in some senarios on intel cpus

    I do think its good that this stuff is disclosed, it means that eventually we might have cpus that aren't swiss cheese one day.

    also, The fun part about this is that these aren't the high risk exploits that intel received a deadline extension for.

    Wonder how much performance those will eat.
     
    fantaskarsef likes this.

Share This Page