Intel claims most consumer software shouldn’t see much impact, outside of image and video editing workloads..
But that's, like the one place other than games where consumers are looking for performance. What's left, web browsing and MS Office?
"whew* my horrible bubble sort implementation is safe from performance impacts
May I suggest using miracle sort instead? It has the most stable performance of all.
I just skimmed through the article and it seems like this vulnerability is only really meaningful on multi-user systems. It allows one user to access memory dedicated to other users, letting them read stuff they shouldn't. I would expect that most consumer gaming computers are single-user machines, or only have user accounts for trusted family members and whatnot, so if this mitigation causes too much of a performance hit I expect it won't be a big risk to turn it off for those particular computers.
Would it mean that a malicious application being run in non-admin mode by one user could see data/memory in use by an admin user?
It would indeed imply that which is why this vulnerability is also serious for single user contexts.
The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not normally be accessible.
All these kind of CPU level vulnerabilities are the same, they are only really "risky" if there is malicious software running in the computer in the first place.
The real problem is that these CPU-level vulnerabilities all break one of the core concepts of computers, which is process separation and virtual memory. If process separation is broken then all other levels of security become pointless.
While for desktops this isn't a huge problem (except when sometimes vulnerabilities might even be able to be exploited though browsers), this is a huge problem for servers, where the modern cloud usually has multiple users in virtual machines in a single server and a malicious user could steal information across virtual machines.
Your first paragraph isn't quite right.
Modern hacks/cracks aren't a "do this and suddenly you are in" type deal.
It's a cascade chain of failures of non-malicious software.
Saying "don't have a virus" is absolutely correct, however that's not the concern here.
The concern is about the broadening of the attack surface.
A hacker gets minor access to a system. Leverages some CVE to get a bit more access, and keeps poking around and trying CVEs (known or unknown) until they get enough access to run this CVE.
And then they can escape the VM onto the host or other VMs on the same system, which might then give them access to a VM on another host, and they can escape that VM to get access to another VM, and on and on.
Very quickly, there is a fleet of VMs that are compromised. And the only sign of someone poking around is on the first VM the hacker broke into.
All other VMs would be accessed using trusted credentials.
ETA:
Infact, it doesn't even need to be a hacker.
It could be someone uploading a CI/CD task using their own account. It extracts all API keys, usernames and passwords it can find.
Suddenly, you have access to a whole bunch of repositories and APIs.
Then you can sneak in some malicious code to the git repo, and suddenly your malicious code is being shipped within legit software that gets properly signed and everything.
It allows memory access across virtual machines as well, meaning the all cloud VMs are vulnerable.
The machines that are running cloud VMs should obviously be patched. I wasn't talking about those.
Processes that run on the same system can run as different users (including kernel) which is used for privilege separation. This can still allow a program in userland to peer into otherwise restricted system processes or the kernel. Every system is a "multi-user" system, even if there is only a single human user.
Yes, but all the data that I care about is in my single human user's account already. If I install malicious software then I'm already hooped regardless.
Look, I'm not saying this is no biggie. There are plenty of systems out there that will have to install this patch. Single-user computers probably should too. The situation I'm addressing is the case where a gaming computer has its performance as a gaming measurably harmed by the patch's overhead, which is reportedly significant in some cases. In those cases it's reasonable to weigh the merits and decide that this vulnerability isn't all that big a problem.
Disagree. For non-security conscious users who install that helper tool or plugin for their game, it can now read bank credentials from the browser.
If you're a non-security-conscious user installing malicious software on your computer then I don't think there's much that could help you.
But these are the people we (the security community) should be helping. If we don't help those who don't have the skills to help themselves, scammers have a large target and keep on scamming. We are not a target.
Granted, this post isn't necessarily about that, but they'll be the one's targeted regardless. Sometimes the best way to reduce the attack vector is about people, not software.
this vulnerability is only really meaningful on multi-user systems
Well, that says it all. CPU manufacturers have no incentive at all to secure the computations of multiple users on a single CPU (or cores on the same die)... why would they? They make more cash if everyone has to buy their own complete unit, and they can outsource security issues to 'the network' or 'the cloud'...
Years ago when I was in University this would have been a deathblow to the entire product line, as multi-user systems were the norm. Students logged into the same machines to do their assignments, employees logged into the same company servers for daily tasks.
I guess that isn't such a thing any more. But wow, what a sh*tshow modern CPU architecture has become, if concern for performance has completely overridden proper process isolation and security. We can't even trust that a few different users on the same machine can be separated properly due to the design of the CPU itself?
I'm not happy with what's happening and I know that corporations are money making evil machines.
But to say that chip makers have no incentive at all to secure their hardware is quite the hyperbole.
Fair enough, probably was hyperbole :) But performance does seem to be a higher priority than security; they can always spin PR after the next exploit, after all, users already have the CPU in their system, they've made their money; what are users really gonna do if an issue comes up after they've bought their box?
What they will do is not buy from that company again.
Yeah, but we live in cpu monopoly. Intel and Amd
Both companies put backdoors and all sort of shit in their cpus.
We don't live in CPU monopoly. Arm and SoCs are also in the game.
Im out of the loop with those. Are Arm and socs viable alternative for home computing?
Last time I checked I could not build a pc with Arm. Post above is right intel and amd are dominating home user market.
I have a macbook air m1 and this arm chips is imo just amazing. No fan no issues, fast as fuck. Id like to build a pc with arm. Maybe when Linux and windows show more support for arm64?
Oh, for desktops? I don't know. I was referring to macbooks and mac minis.
Linux supports ARM64 very well. Windows also has had ARM support for a quite a while. The main obstacles are 3rd party binary software (particularly on Windows) and lack of available hardware.
Are you aware that the majority of cpus sold today go to cloud computing? Believe it or not, but that is an application space with multiple users on the same machine.
Even on a single user machine, multiple users are very much a thing. Even Apple has left behind the DOS-like architecture where everything runs with the same rights. All current systems run with multiple concurrent users, notably root (or the Windows equivalent) and the keyboard operator (as well as dedicated ones for the various services, although that's maybe more a thing in Unix/Linux than Windows).
Good point. But I think performance is still a greater priority for those who make purchasing decisions, rather than basic security, and that's the problem.
Not at the enterprise level.
Security means compliance, which means getting/keeping contracts and not getting sued.
And they care more about performance-per-watt and density.
Processor manufacturers target their devices and sales towards cloud computing so they have a huge incentive to avoid having issues like these. It’s ridiculous to suggest otherwise.
I see the reasoning, fair enough. Just grumpy this evening I suppose :p.
You're reading an awful lot into what I said that wasn't put in there.
There's nothing wrong with multi-user systems existing, there's plenty of use for such things. This bug is really bad for those sorts of things. I was explicitly and specifically talking about consumer gaming computers, which are generally single-user machines. Concern for performance is a very real and normal thing on a gaming computer, it's not some kind of weird plot. An actual multi-user system would obviously need to be patched.
I am so incredibly happy that those terrible multi-user systems are a thing of the past. Multiple seconds wait time for every mouse click are no fun.
Hey! I'll have you know that a 68000 based server was good enough for about 60 users running X11 desktops back in the day!
Kids today with their vodoo cards and whatnot.
When I was in university, they were probably running the same server, but with Ubuntu and for 500 sessions at the same time. That crap was totally unusable.
Install backdoors and sell that info to governments and companies, then years later reveal the issue to justify downgrading performance of older CPUs to encourage people to upgrade.
This does sound like planned obsolescence to me...
Oop CPU sales are down! Leak one of our critical flaws to force people to upgrade!
Just feels like Prism all over again.
Anti virus companies has also been caught making viruses.
A lot of shady shit happens when there is money and power to be had.
I heard that rumor before, is there any source to this? Like, which antivirus companies?
Just look into John McAfee’s eyes and tell me it isn’t true.
I guess that's my fault for not specifically asking for reliable sources.
Just look into John McAfee’s baby blues and tell me he isn’t reliable!
His program was more of a virus than a lot of computer viruses out there.
I haven't found any evidence of this, but that's to be expected... How would that evidence look like even.
But there has always been rumors of this. And since there is money involved... I think it's not unlikely.
The argument against this is always "there are so many viruses, antivirus companies can't create them all". And nobody is saying that. It's enough to create one high profile virus and you will sell your anti virus software very easily.
But I think it was more common in the past. Today all companies will buy anti virus software, so it's guaranteed sales.
Lmao I wish this was a heroin needle since those are often colloquially called "works" in some localities.
Yeah but heroin doesn't make you cray the way meth does
Yeah I know, but the wordplay still makes it funny to me.
If there is no evidence then stop spreading misinformation.
According to him, billions of Intel processors are affected, which are used in private user computers as well as in cloud servers.
Update: Intel’s Downfall was closely followed by AMD’s Inception, a newfound security hole affecting all Ryzen and Epyc processors.
so both desktop and server chips are affected on both cpu manufacturers products. can't take any measures if your password is online on some server.
I was going to say, AMD had a flaw of similar severity. And they won't have a fix for a few months for most affected CPUs, and that fix will likely incur a loss in performance.
Basically it sounds like both of these flaws are due to the security chip. I can't help but feel like these flaws are by design. /tinfoil
Downfall was disclosed to Intel a year ago but was on embargo until this week. Can't help but suspect that Intel waited for AMD to be impacted by a similar event to reveal downfall
From what I’m reading, Inception is a pretty minor vulnerability, especially compared to downfall.
It took them a year for a microcode fix and it still has a performance loss of 50% in some cases? Ew
So they created a massive vulnerability by misimplementing speculative execution which promised a, what, 10% speed gain tops and now that it was discovered you have to patch it and lose 50%? Genius.
And they get to keep the money from the purchase.
Next gen is going to be 40% faster.
50% 💀
If you get caught we've never met.
Good supplier for an offline supercluster 😄 I'll let my grant manager know.
Ha-ha. My chip's too old to be affected. I don't see my architecture on the list.
I knew putting off upgrading for around a decade would pay off. (Windows Update tells me my PC is not "ready" for Windows 11 due to its hardware, either. Oh no, whatever shall I do.)
Dont the older chips suffer from a greater performance drop from spectre and meltdown vulnerabilities?
This inspires confidence with my 2010 ass toshiba sattelite with an i5 and 8gb DDR3. I need to look and see if mine is too old lol.
Well, maybe you can pirate Cortana and whatever other bloatware to catch up.
I hate Intel as much as the next person, but I don't want them to disappear overnight generating a unimaginably large processor shortage.
Then subsidize them for the recall, and take a percentage of their profits every year until it's paid back. How is it OK to pass on a manufacturer defect to all consumers?
I'm not saying that it's not a shit sandwich. I am saying that if Intel shut down right now we'd be pretty fucked. It would be far more likely for them to shut down production and walk away, start selling off patents and equipment. The strain it would put on arm to pick up the gauntlet would probably mean you're not going to see a new cell phone, television or new car for the next few years.
What the hell are they going to do for a recall anyway? Are you going to have them go back 5 years and try to recreate every model of CPU between then and now? None of those motherboards are going to support new things.
You get your five or $600 back on your CPU which ends up being $50 by the time it comes out of arbitration, now you need not only a new CPU but a new motherboard.
It's like wrecking your 15-year-old beater car, insurance company gives you $150 and says go find yourself a new car.
edit: Look, Intel is worth 150 billion. if they paid $50 per processor for a couple billion refunds, they'd just go bankrupt. They're going to run for years subsidized making 0 profit and losing all their talent. It wasn't their intent to screw it up, but here we are. There's a patch that makes slow processors slower honestly, that's the end of their responsibility other than to help people get it installed.
Blame the patent duopoly for making them too-big-to-fail™
We have a lot of that going on, but blame won't fix the outcome. Can't pass any laws to fix it, the government is run by the politicians.
Every article is a copy paste of the same bullshit talking about the vulnerability and pointing to the stupid cryptic list of processors that requires you to jump through hoops to read it. You can't just search for your processor in a database I mean fuck that would take them at least an a couple hours of their precious time to set up and they have only had a year. How do you fix it? Why with a microcode update of course!!...from where you ask? Well don't worry just look at the cryptic list it will tell you if you need a microcode update!!
Fuck every article about this shit. Anyone wanna bust an Eli5 on how to fix this problem for people? (I was assuming it's a BIOS update but the articles have only confused me further)
ELI5, or ELIAFYCSS (Explain like I'm a first year CS student): modern x86 CPUs have lots of optimized instructions for specific functionality. One of these is "vector instructions", where the instruction is optimized for running the same function (e.g. matrix multiply add) on lots of data (e.g. 32 rows or 512 rows). These instructions were slowly added over time, so there are multiple "sets" of vector instructions like MMX, AVX, AVX-2, AVX-512, AMX...
While the names all sound different, the way how all these vector instructions work is similar: they store internal state in hidden registers that the programmer cannot access. So to the user (application programmer or compiler designer) it looks like a simple function that does what you need without having to micromanage registers. Neat, right?
Well, problem is somewhere along the lines someone found a bug: when using instructions from the AVX-2/AVX-512 sets, if you combine it with an incorrect ordering of branch instructions (aka JX, basically the if/else of assembly) you get to see what's inside these hidden registers, including from different programs. Oops. So Charlie's "Up, Up, Down, Down, Left, Right, Left, Right, B, B, A, A" using AVX/JX allows him to see what Alice's "encrypt this zip file with this password" program is doing. Uh oh.
So, that sounds bad. But lets take a step back: how bad would this affect existing consumer devices (e.g. Non-Xeon, non-Epyc CPUs)?
Well good news: AVX-512 is not available on most Intel/AMD consumer CPUs until recently (13th gen/zen 4, and zen 4 isn't affected). So 1) your CPU most likely doesn't support it and 2) even if your CPU supports it most pre-compiled programs won't use it because the program would crash on everyone else's computer that doesn't have AVX-512. AVX-512 is a non-issue unless you're running Finite Element Analysis programs (LS-DYNA) for fun.
AVX-2 has a similar problem: while released in 2013, some low end CPUs (e.g. Intel Atom) didn't have them for a long time (this year I think?). So most compiled programs wouldn't compile with AVX-2 enabled. This means whatever game you are running now, you probably won't see a performance drop after patching since your computer/program was never using the optimized vector instructions in the first place.
So, the affect on consumer devices is minimal. But what do you need to do to ensure that your PC is secure?
Three different ideas off the top of my head:
BIOS update. The CPU has a some low level firmware code called microcode which is included in the BIOS. The new patched version adds additional checks to ensure no data is leaked.
Update the microcode package in Linux. The microcode can also be loaded from the OS. If you have an up-to-date version of Intel-microcode here this would achieve the same as (1)
Re-compile everything without AVX-2/AVX-512. If you're running something like Gentoo, you can simply tell GCC to not use AVX-2/AVX-512 regardless of whether your CPU supports it. As mentioned earlier the performance loss is probably going to be fine unless you're doing some serious math (FEA/AI/etc) on your machine.
You can't just search for your processor in a database I mean fuck that would take them at least an a couple hours of their precious time to set up and they have only had a year. How do you fix it?
I figured out how to do it fairly quickly but it would be a hell of a lot easier if people could just type in "11700K" in a box on a web page or something and it could just tell them. Or they could have added a little bit of code to their CPU ID utility that says "yupp your processor is effected by the flaw". I am mostly annoyed at all this not for me but for all the people who would read those pages and the contents would seem like an insane foreign language to them all while articles are telling them it's a major security flaw that would allow people to steal their encryption keys.
. Or they could have added a little bit of code to their CPU ID utility that says "yupp your processor is effected by the flaw".
That is a fair point.
Are you using Windows or macOS? If so you don’t have to do anything. You can just wait and a new update will be available to you soon.
And, just FYI, the fix is already out for Linux.
It'll probably just be something that happens through ordinary OS updates tbh (though I understand you'd rather know one way or another.)
I just found this on the page where they list effected models:
"Note The latest software can be obtained through operating system or VMM vendors"
Guess it's time for another FPS hit...
While the article says it won't impact most applications, I suspect it's closer to saying "won't impact most applications as much".
Guess it’s time for another FPS hit…
Is it August already? Man, time flies.
My poor aging computer :(
I would say you'll be fine. Most games don't compile with avx-2 anyways since it'll crash if you run it on something that doesn't have them (which is a lot of CPUs) and AVX-512 is straight up only available on Xeons, Epyc and zen 4. Nobody is going to use that for consumer software.
The only game I can think of using AVX is a Skyrim mod for realistic physics, where the author provided binaries for AVX-2/AVX-512. So it won't affect most compiled applications much since you need to compile with it first (which almost nobody does).
This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer.
So just continue not letting people use my computer, got it. Very simple fix.
Shared use of servers is probably the main issue
It appears that users in this case include agents such as software. A bit confusing for the general public.
For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages.
It can theoretically even be exploited via a browser:
[Q] What about web browsers?
[A] In theory, remotely exploiting this vulnerability from the web browser is possible. In practice, demonstrating successful attacks via web browsers requires additional research and engineering efforts.
I think it also means software running can access other software's memory which is probably bad but personally I'm not keen for that performance hit on my desktop
/tinfoilhat
I admittedly stopped reading halfway through but I feel like these newest vulnerabilities being discovered are probably just fucking government back doors the manufacturers have been forced to include.
/tinfoilhat
I can't comment on the general trend, but this specific one seems a bit too circumstantial to be of use for a serious spying effort. You'd have to have the spyware running parallel to the apps usong passwords you want to steal in a specific way.
The risk exists, which is bad enough for stochastic reasons (eventually, someone will get lucky and manage to grab something sensitive, and since the potential damage from that is incalculable, the impact axis alone drives this into firm "you need to get that fix out asap), but probably irrelevant in terms of consistency, which would be what you'd need to actually monitor anyone.
If you manage to grab enough info to crack some financial access data, you can steal money. If you can take over some legit online account or obtain some email-password combo, you can sell it. But if you want to monitor what people are doing in otherwise private systems, you need some way to either check on demand or log their actions and periodically send them to your server.
It would be far more reliable to have injection backdoors to allow you access by virtue of forcing a credential check to come up valid than to hope for the lucky grab of credentials the user might change at an arbitrary moment in time.
Check out the documentary Zero Days (2016) if you haven’t already. That’s not really a tinfoil hat take these days IMO.
Just means they have to intentionally create new ones to be eventually found for the next generation.
On the plus side now we can steal the info from the criminal's computers. The cycle of internet life...
Yikes the performance hit is scary but if you’re running a server, what option do you have?
Intel’s newer 12th-gen and 13th-gen Core processors are not affected.
Oh ok
Isn't that convenient?
Upgrade to get 3% performance gains on paper and no noticeable real performance gain!
Now it's more like "upgrade to maintain your level of performance, because our patched CPUs take a 50% performance hit" (per the article).
That is quite convenient for them. I'm sure not a conspiracy given depth of the issue, just very convenient if people heed the call.
Which most won't. Enterprise is likely already on the newer gens aa part of normal refresh cycles. Maybe this just accelerates that a bit.
Oh don't worry, you'll hear about that vulnerability in two years.
*cries in 11th gen laptop*
Jokes on them. I'm already watched by criminals and am used to companies throttling products.
> Downfall
Is the Intel CEO holed up in a bunker and raging at his chip designers?
If it's anything like the industry that I work in, the CEO would have been informed of the short comings of the design numerous times and given a response along the lines of "does it make our CPUs faster and more powerful though?".
The CEO won't be pissed of at his chip designer, they'll be pissed because they've been caught out.
Given that the AMD vulnerability was called "Inception," maybe they just like using movie titles to name CPU vulnerabilities?
Here we go again....
I'm curious if there's a silver lining of all current DRM keys being accessible through this.
My old-ass Ivy Bridge: Oh no! Anyway...
Bwahaha I'm safe with my i5 3450, gotta look at the brighter side of my dumpster fire of a pc
Good thing my CPU is ancient.
It is by Design for IDF
Seems very similar to Zenbleed in terms of using certain register optimisation and speculative execution to get crippling security exploits. Thus far I haven't read too much into the detail of the attack but This article on Zenbleed, written by the attack's author, describes how the attack in detail and how he came to find it using fuzzing techniques - in this case two sets of instructions that should have had the same result, but they didn't.
...All Ryzen and Epyc processors were found to have a very similar bug not too long ago, it's actually addressed in the article. You might want to read it...
Here is a good write-up of Zenbleed for the Ryzen 2 and up vulnerability. It uses similar register optimisation and speculative execution to get the same effect.
Good thing I'm poor can't afford Intel. AMD for the win 😂
No luck, it's a systemic issue (practice):
Update: Intel’s Downfall was closely followed by AMD’s Inception, a newfound security hole affecting all Ryzen and Epyc processors. The first independent testing of the mitigation microcode patches show that it can drastically lower performance in certain workloads. We’ve included details throughout this post.
Is that the same as zenbleed or in addition? How easy zenbleed was to test and the kind of information gained was terrifying.
Inception differs from other transient execution attacks by inserting new predictions into the branch predictor during the transient window, creating more powerful transient windows that can be used to overflow the Return Stack Buffer and gain control of the CPU. Mitigating the impact of this attack is apparently challenging.
In the wake of Zenbleed, researchers from ETH Zurich have designed a new class of transient execution attacks, dubbed Training in Transient Execution (TTE). Using TTE, the researchers built an end-to-end exploit called Inception. It can leak kernel memory at a rate of up to 39 bytes per second on AMD Zen 4, and the researchers were able to leak /etc/shadow on a Linux machine in 40 minutes. This file contains hashed user account passwords and is safeguarded by the system, only accessible by the root user. In other words, this exploit is really bad.
Damn. I just recently patched up my dedicated box for zenbleed. This seems far worse.
I mean I'm not going to be a high value target. But still, this isn't looking good for either chip maker right now.
My understanding is the newest AMD bug is probably not too much of an issue because it's very limited in how much data it can leak at a time and there's no way to target it at specific data so if you wanted to use it to do something like grab a password it's extremely unwieldy and not really practical.
I got a 10400F because AMD completely abandoned the budget segment at that time.
Downfall, Inception, Meltdown, Spectre, I hate to see new vulnerabilities, but their naming choices are solid.
They should name them after their investors and board members.
Gelsinger, McKeon, and Lavender do have a nice ring to them.
Sounds like Bond movies.
Imagine a bug in the ALU when adding two octal values - Octoplussy
Or a bug in a specific Intel generation - Skylakefall
The next one will be discovered On Her Motherboard’s Secret Processes
All four of those names are movies. Only one is a Bond movie, though.
can't wait for "shellshock", "wildfire" and "collapse".
Shellshock happened in 2014 https://en.m.wikipedia.org/wiki/Shellshock_(software_bug)
oh lol
But that's, like the one place other than games where consumers are looking for performance. What's left, web browsing and MS Office?
"whew* my horrible bubble sort implementation is safe from performance impacts
May I suggest using miracle sort instead? It has the most stable performance of all.
I just skimmed through the article and it seems like this vulnerability is only really meaningful on multi-user systems. It allows one user to access memory dedicated to other users, letting them read stuff they shouldn't. I would expect that most consumer gaming computers are single-user machines, or only have user accounts for trusted family members and whatnot, so if this mitigation causes too much of a performance hit I expect it won't be a big risk to turn it off for those particular computers.
Would it mean that a malicious application being run in non-admin mode by one user could see data/memory in use by an admin user?
It would indeed imply that which is why this vulnerability is also serious for single user contexts.
This
All these kind of CPU level vulnerabilities are the same, they are only really "risky" if there is malicious software running in the computer in the first place.
The real problem is that these CPU-level vulnerabilities all break one of the core concepts of computers, which is process separation and virtual memory. If process separation is broken then all other levels of security become pointless.
While for desktops this isn't a huge problem (except when sometimes vulnerabilities might even be able to be exploited though browsers), this is a huge problem for servers, where the modern cloud usually has multiple users in virtual machines in a single server and a malicious user could steal information across virtual machines.
Your first paragraph isn't quite right.
Modern hacks/cracks aren't a "do this and suddenly you are in" type deal.
It's a cascade chain of failures of non-malicious software.
Saying "don't have a virus" is absolutely correct, however that's not the concern here.
The concern is about the broadening of the attack surface.
A hacker gets minor access to a system. Leverages some CVE to get a bit more access, and keeps poking around and trying CVEs (known or unknown) until they get enough access to run this CVE.
And then they can escape the VM onto the host or other VMs on the same system, which might then give them access to a VM on another host, and they can escape that VM to get access to another VM, and on and on.
Very quickly, there is a fleet of VMs that are compromised. And the only sign of someone poking around is on the first VM the hacker broke into.
All other VMs would be accessed using trusted credentials.
ETA:
Infact, it doesn't even need to be a hacker.
It could be someone uploading a CI/CD task using their own account. It extracts all API keys, usernames and passwords it can find.
Suddenly, you have access to a whole bunch of repositories and APIs.
Then you can sneak in some malicious code to the git repo, and suddenly your malicious code is being shipped within legit software that gets properly signed and everything.
It allows memory access across virtual machines as well, meaning the all cloud VMs are vulnerable.
The machines that are running cloud VMs should obviously be patched. I wasn't talking about those.
Processes that run on the same system can run as different users (including kernel) which is used for privilege separation. This can still allow a program in userland to peer into otherwise restricted system processes or the kernel. Every system is a "multi-user" system, even if there is only a single human user.
Yes, but all the data that I care about is in my single human user's account already. If I install malicious software then I'm already hooped regardless.
Look, I'm not saying this is no biggie. There are plenty of systems out there that will have to install this patch. Single-user computers probably should too. The situation I'm addressing is the case where a gaming computer has its performance as a gaming measurably harmed by the patch's overhead, which is reportedly significant in some cases. In those cases it's reasonable to weigh the merits and decide that this vulnerability isn't all that big a problem.
Disagree. For non-security conscious users who install that helper tool or plugin for their game, it can now read bank credentials from the browser.
If you're a non-security-conscious user installing malicious software on your computer then I don't think there's much that could help you.
But these are the people we (the security community) should be helping. If we don't help those who don't have the skills to help themselves, scammers have a large target and keep on scamming. We are not a target.
Granted, this post isn't necessarily about that, but they'll be the one's targeted regardless. Sometimes the best way to reduce the attack vector is about people, not software.
Well, that says it all. CPU manufacturers have no incentive at all to secure the computations of multiple users on a single CPU (or cores on the same die)... why would they? They make more cash if everyone has to buy their own complete unit, and they can outsource security issues to 'the network' or 'the cloud'...
Years ago when I was in University this would have been a deathblow to the entire product line, as multi-user systems were the norm. Students logged into the same machines to do their assignments, employees logged into the same company servers for daily tasks.
I guess that isn't such a thing any more. But wow, what a sh*tshow modern CPU architecture has become, if concern for performance has completely overridden proper process isolation and security. We can't even trust that a few different users on the same machine can be separated properly due to the design of the CPU itself?
I'm not happy with what's happening and I know that corporations are money making evil machines.
But to say that chip makers have no incentive at all to secure their hardware is quite the hyperbole.
Fair enough, probably was hyperbole :) But performance does seem to be a higher priority than security; they can always spin PR after the next exploit, after all, users already have the CPU in their system, they've made their money; what are users really gonna do if an issue comes up after they've bought their box?
What they will do is not buy from that company again.
Yeah, but we live in cpu monopoly. Intel and Amd Both companies put backdoors and all sort of shit in their cpus.
We don't live in CPU monopoly. Arm and SoCs are also in the game.
Im out of the loop with those. Are Arm and socs viable alternative for home computing?
Last time I checked I could not build a pc with Arm. Post above is right intel and amd are dominating home user market.
I have a macbook air m1 and this arm chips is imo just amazing. No fan no issues, fast as fuck. Id like to build a pc with arm. Maybe when Linux and windows show more support for arm64?
Oh, for desktops? I don't know. I was referring to macbooks and mac minis.
Linux supports ARM64 very well. Windows also has had ARM support for a quite a while. The main obstacles are 3rd party binary software (particularly on Windows) and lack of available hardware.
Are you aware that the majority of cpus sold today go to cloud computing? Believe it or not, but that is an application space with multiple users on the same machine.
Even on a single user machine, multiple users are very much a thing. Even Apple has left behind the DOS-like architecture where everything runs with the same rights. All current systems run with multiple concurrent users, notably root (or the Windows equivalent) and the keyboard operator (as well as dedicated ones for the various services, although that's maybe more a thing in Unix/Linux than Windows).
Good point. But I think performance is still a greater priority for those who make purchasing decisions, rather than basic security, and that's the problem.
Not at the enterprise level.
Security means compliance, which means getting/keeping contracts and not getting sued.
And they care more about performance-per-watt and density.
Processor manufacturers target their devices and sales towards cloud computing so they have a huge incentive to avoid having issues like these. It’s ridiculous to suggest otherwise.
I see the reasoning, fair enough. Just grumpy this evening I suppose :p.
You're reading an awful lot into what I said that wasn't put in there.
There's nothing wrong with multi-user systems existing, there's plenty of use for such things. This bug is really bad for those sorts of things. I was explicitly and specifically talking about consumer gaming computers, which are generally single-user machines. Concern for performance is a very real and normal thing on a gaming computer, it's not some kind of weird plot. An actual multi-user system would obviously need to be patched.
I am so incredibly happy that those terrible multi-user systems are a thing of the past. Multiple seconds wait time for every mouse click are no fun.
Hey! I'll have you know that a 68000 based server was good enough for about 60 users running X11 desktops back in the day!
Kids today with their vodoo cards and whatnot.
When I was in university, they were probably running the same server, but with Ubuntu and for 500 sessions at the same time. That crap was totally unusable.
It’s not they aren’t impacted only you “don’t see the impact” as noticeably.
As a programmer: compile times
Install backdoors and sell that info to governments and companies, then years later reveal the issue to justify downgrading performance of older CPUs to encourage people to upgrade.
This does sound like planned obsolescence to me...
Oop CPU sales are down! Leak one of our critical flaws to force people to upgrade!
Just feels like Prism all over again.
Anti virus companies has also been caught making viruses.
A lot of shady shit happens when there is money and power to be had.
I heard that rumor before, is there any source to this? Like, which antivirus companies?
Just look into John McAfee’s eyes and tell me it isn’t true.
I guess that's my fault for not specifically asking for reliable sources.
Just look into John McAfee’s baby blues and tell me he isn’t reliable!
https://m.youtube.com/watch?v=MH7KYmGnj40
Here is an alternative Piped link(s): https://piped.video/watch?v=MH7KYmGnj40
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source, check me out at GitHub.
His program was more of a virus than a lot of computer viruses out there.
I haven't found any evidence of this, but that's to be expected... How would that evidence look like even.
But there has always been rumors of this. And since there is money involved... I think it's not unlikely.
The argument against this is always "there are so many viruses, antivirus companies can't create them all". And nobody is saying that. It's enough to create one high profile virus and you will sell your anti virus software very easily.
But I think it was more common in the past. Today all companies will buy anti virus software, so it's guaranteed sales.
Lmao I wish this was a heroin needle since those are often colloquially called "works" in some localities.
Yeah but heroin doesn't make you cray the way meth does
Yeah I know, but the wordplay still makes it funny to me.
If there is no evidence then stop spreading misinformation.
[citation needed]
gestures broadly
so both desktop and server chips are affected on both cpu manufacturers products. can't take any measures if your password is online on some server.
I was going to say, AMD had a flaw of similar severity. And they won't have a fix for a few months for most affected CPUs, and that fix will likely incur a loss in performance.
Basically it sounds like both of these flaws are due to the security chip. I can't help but feel like these flaws are by design. /tinfoil
Downfall was disclosed to Intel a year ago but was on embargo until this week. Can't help but suspect that Intel waited for AMD to be impacted by a similar event to reveal downfall
From what I’m reading, Inception is a pretty minor vulnerability, especially compared to downfall.
It took them a year for a microcode fix and it still has a performance loss of 50% in some cases? Ew
So they created a massive vulnerability by misimplementing speculative execution which promised a, what, 10% speed gain tops and now that it was discovered you have to patch it and lose 50%? Genius.
And they get to keep the money from the purchase.
Next gen is going to be 40% faster.
50% 💀
If you get caught we've never met.
Good supplier for an offline supercluster 😄 I'll let my grant manager know.
Ha-ha. My chip's too old to be affected. I don't see my architecture on the list.
I knew putting off upgrading for around a decade would pay off. (Windows Update tells me my PC is not "ready" for Windows 11 due to its hardware, either. Oh no, whatever shall I do.)
Dont the older chips suffer from a greater performance drop from spectre and meltdown vulnerabilities?
This inspires confidence with my 2010 ass toshiba sattelite with an i5 and 8gb DDR3. I need to look and see if mine is too old lol.
Well, maybe you can pirate Cortana and whatever other bloatware to catch up.
They really should be recalled like they were forced to when the fdiv bug happened https://en.wikipedia.org/wiki/Pentium_FDIV_bug
Recall billions of processors?
I hate Intel as much as the next person, but I don't want them to disappear overnight generating a unimaginably large processor shortage.
Then subsidize them for the recall, and take a percentage of their profits every year until it's paid back. How is it OK to pass on a manufacturer defect to all consumers?
I'm not saying that it's not a shit sandwich. I am saying that if Intel shut down right now we'd be pretty fucked. It would be far more likely for them to shut down production and walk away, start selling off patents and equipment. The strain it would put on arm to pick up the gauntlet would probably mean you're not going to see a new cell phone, television or new car for the next few years.
What the hell are they going to do for a recall anyway? Are you going to have them go back 5 years and try to recreate every model of CPU between then and now? None of those motherboards are going to support new things.
You get your five or $600 back on your CPU which ends up being $50 by the time it comes out of arbitration, now you need not only a new CPU but a new motherboard.
It's like wrecking your 15-year-old beater car, insurance company gives you $150 and says go find yourself a new car.
edit: Look, Intel is worth 150 billion. if they paid $50 per processor for a couple billion refunds, they'd just go bankrupt. They're going to run for years subsidized making 0 profit and losing all their talent. It wasn't their intent to screw it up, but here we are. There's a patch that makes slow processors slower honestly, that's the end of their responsibility other than to help people get it installed.
Blame the patent duopoly for making them too-big-to-fail™
We have a lot of that going on, but blame won't fix the outcome. Can't pass any laws to fix it, the government is run by the politicians.
Every article is a copy paste of the same bullshit talking about the vulnerability and pointing to the stupid cryptic list of processors that requires you to jump through hoops to read it. You can't just search for your processor in a database I mean fuck that would take them at least an a couple hours of their precious time to set up and they have only had a year. How do you fix it? Why with a microcode update of course!!...from where you ask? Well don't worry just look at the cryptic list it will tell you if you need a microcode update!!
Fuck every article about this shit. Anyone wanna bust an Eli5 on how to fix this problem for people? (I was assuming it's a BIOS update but the articles have only confused me further)
ELI5, or ELIAFYCSS (Explain like I'm a first year CS student): modern x86 CPUs have lots of optimized instructions for specific functionality. One of these is "vector instructions", where the instruction is optimized for running the same function (e.g. matrix multiply add) on lots of data (e.g. 32 rows or 512 rows). These instructions were slowly added over time, so there are multiple "sets" of vector instructions like MMX, AVX, AVX-2, AVX-512, AMX...
While the names all sound different, the way how all these vector instructions work is similar: they store internal state in hidden registers that the programmer cannot access. So to the user (application programmer or compiler designer) it looks like a simple function that does what you need without having to micromanage registers. Neat, right?
Well, problem is somewhere along the lines someone found a bug: when using instructions from the AVX-2/AVX-512 sets, if you combine it with an incorrect ordering of branch instructions (aka JX, basically the if/else of assembly) you get to see what's inside these hidden registers, including from different programs. Oops. So Charlie's "Up, Up, Down, Down, Left, Right, Left, Right, B, B, A, A" using AVX/JX allows him to see what Alice's "encrypt this zip file with this password" program is doing. Uh oh.
So, that sounds bad. But lets take a step back: how bad would this affect existing consumer devices (e.g. Non-Xeon, non-Epyc CPUs)?
Well good news: AVX-512 is not available on most Intel/AMD consumer CPUs until recently (13th gen/zen 4, and zen 4 isn't affected). So 1) your CPU most likely doesn't support it and 2) even if your CPU supports it most pre-compiled programs won't use it because the program would crash on everyone else's computer that doesn't have AVX-512. AVX-512 is a non-issue unless you're running Finite Element Analysis programs (LS-DYNA) for fun.
AVX-2 has a similar problem: while released in 2013, some low end CPUs (e.g. Intel Atom) didn't have them for a long time (this year I think?). So most compiled programs wouldn't compile with AVX-2 enabled. This means whatever game you are running now, you probably won't see a performance drop after patching since your computer/program was never using the optimized vector instructions in the first place.
So, the affect on consumer devices is minimal. But what do you need to do to ensure that your PC is secure?
Three different ideas off the top of my head:
BIOS update. The CPU has a some low level firmware code called microcode which is included in the BIOS. The new patched version adds additional checks to ensure no data is leaked.
Update the microcode package in Linux. The microcode can also be loaded from the OS. If you have an up-to-date version of Intel-microcode here this would achieve the same as (1)
Re-compile everything without AVX-2/AVX-512. If you're running something like Gentoo, you can simply tell GCC to not use AVX-2/AVX-512 regardless of whether your CPU supports it. As mentioned earlier the performance loss is probably going to be fine unless you're doing some serious math (FEA/AI/etc) on your machine.
This page tells you how to get your CPUID: https://www.intel.com/content/www/us/en/support/articles/000006831/processors/processor-utilities-and-programs.html
Then search for the CPUID here: https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
I figured out how to do it fairly quickly but it would be a hell of a lot easier if people could just type in "11700K" in a box on a web page or something and it could just tell them. Or they could have added a little bit of code to their CPU ID utility that says "yupp your processor is effected by the flaw". I am mostly annoyed at all this not for me but for all the people who would read those pages and the contents would seem like an insane foreign language to them all while articles are telling them it's a major security flaw that would allow people to steal their encryption keys.
That is a fair point.
Are you using Windows or macOS? If so you don’t have to do anything. You can just wait and a new update will be available to you soon.
And, just FYI, the fix is already out for Linux.
It'll probably just be something that happens through ordinary OS updates tbh (though I understand you'd rather know one way or another.)
I just found this on the page where they list effected models:
"Note The latest software can be obtained through operating system or VMM vendors"
Guess it's time for another FPS hit...
While the article says it won't impact most applications, I suspect it's closer to saying "won't impact most applications as much".
Is it August already? Man, time flies.
My poor aging computer :(
I would say you'll be fine. Most games don't compile with avx-2 anyways since it'll crash if you run it on something that doesn't have them (which is a lot of CPUs) and AVX-512 is straight up only available on Xeons, Epyc and zen 4. Nobody is going to use that for consumer software.
The only game I can think of using AVX is a Skyrim mod for realistic physics, where the author provided binaries for AVX-2/AVX-512. So it won't affect most compiled applications much since you need to compile with it first (which almost nobody does).
So just continue not letting people use my computer, got it. Very simple fix.
Shared use of servers is probably the main issue
It appears that users in this case include agents such as software. A bit confusing for the general public.
—Official website
It can theoretically even be exploited via a browser:
—FAQ at the official website
I think it also means software running can access other software's memory which is probably bad but personally I'm not keen for that performance hit on my desktop
/tinfoilhat
I admittedly stopped reading halfway through but I feel like these newest vulnerabilities being discovered are probably just fucking government back doors the manufacturers have been forced to include.
/tinfoilhat
I can't comment on the general trend, but this specific one seems a bit too circumstantial to be of use for a serious spying effort. You'd have to have the spyware running parallel to the apps usong passwords you want to steal in a specific way.
The risk exists, which is bad enough for stochastic reasons (eventually, someone will get lucky and manage to grab something sensitive, and since the potential damage from that is incalculable, the impact axis alone drives this into firm "you need to get that fix out asap), but probably irrelevant in terms of consistency, which would be what you'd need to actually monitor anyone.
If you manage to grab enough info to crack some financial access data, you can steal money. If you can take over some legit online account or obtain some email-password combo, you can sell it. But if you want to monitor what people are doing in otherwise private systems, you need some way to either check on demand or log their actions and periodically send them to your server.
It would be far more reliable to have injection backdoors to allow you access by virtue of forcing a credential check to come up valid than to hope for the lucky grab of credentials the user might change at an arbitrary moment in time.
Check out the documentary Zero Days (2016) if you haven’t already. That’s not really a tinfoil hat take these days IMO.
Just means they have to intentionally create new ones to be eventually found for the next generation.
On the plus side now we can steal the info from the criminal's computers. The cycle of internet life...
List of processors without redirect referrer: https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
Yikes the performance hit is scary but if you’re running a server, what option do you have?
Oh ok
Isn't that convenient?
Upgrade to get 3% performance gains on paper and no noticeable real performance gain!
Now it's more like "upgrade to maintain your level of performance, because our patched CPUs take a 50% performance hit" (per the article).
That is quite convenient for them. I'm sure not a conspiracy given depth of the issue, just very convenient if people heed the call.
Which most won't. Enterprise is likely already on the newer gens aa part of normal refresh cycles. Maybe this just accelerates that a bit.
Oh don't worry, you'll hear about that vulnerability in two years.
*cries in 11th gen laptop*
Jokes on them. I'm already watched by criminals and am used to companies throttling products.
> Downfall
Is the Intel CEO holed up in a bunker and raging at his chip designers?
If it's anything like the industry that I work in, the CEO would have been informed of the short comings of the design numerous times and given a response along the lines of "does it make our CPUs faster and more powerful though?".
The CEO won't be pissed of at his chip designer, they'll be pissed because they've been caught out.
Given that the AMD vulnerability was called "Inception," maybe they just like using movie titles to name CPU vulnerabilities?
Here we go again....
I'm curious if there's a silver lining of all current DRM keys being accessible through this.
My old-ass Ivy Bridge: Oh no! Anyway...
Bwahaha I'm safe with my i5 3450, gotta look at the brighter side of my dumpster fire of a pc
Good thing my CPU is ancient.
It is by Design for IDF
Seems very similar to Zenbleed in terms of using certain register optimisation and speculative execution to get crippling security exploits. Thus far I haven't read too much into the detail of the attack but This article on Zenbleed, written by the attack's author, describes how the attack in detail and how he came to find it using fuzzing techniques - in this case two sets of instructions that should have had the same result, but they didn't.
The write-up for this one is presumably this one.
Anyway.Run AMD....All Ryzen and Epyc processors were found to have a very similar bug not too long ago, it's actually addressed in the article. You might want to read it...
Here is a good write-up of Zenbleed for the Ryzen 2 and up vulnerability. It uses similar register optimisation and speculative execution to get the same effect.
Sure, buddy
Good thing I'm poor can't afford Intel. AMD for the win 😂
No luck, it's a systemic issue (practice):
Is that the same as zenbleed or in addition? How easy zenbleed was to test and the kind of information gained was terrifying.
yea, it's another one https://www.xda-developers.com/amd-inception/ :/
Damn. I just recently patched up my dedicated box for zenbleed. This seems far worse.
I mean I'm not going to be a high value target. But still, this isn't looking good for either chip maker right now.
My understanding is the newest AMD bug is probably not too much of an issue because it's very limited in how much data it can leak at a time and there's no way to target it at specific data so if you wanted to use it to do something like grab a password it's extremely unwieldy and not really practical.
I got a 10400F because AMD completely abandoned the budget segment at that time.