Oh no.
Intel 'Downfall': Severe flaw in billions of CPUs leaks passwords and much more
Submitted 1 year ago by theunmentionable@lemmy.world to technology@lemmy.world
Comments
ram@feddit.nl 1 year ago
Gsus4@feddit.nl 1 year ago
Good idea for an offline supercluster 😄
AvgJoe@lemmy.world 1 year ago
It took them a year for a microcode fix and it still has a perfamnce loss of 50% in some cases? Ew
Gsus4@feddit.nl 1 year ago
So they created a massive vulnerability by misimplementing speculative execution which promised a, what, 10% speed gain tops and now that it you have to patch it and lose 50%? Genius.
youhavechosenwisely@sh.itjust.works 1 year ago
And they get to keep the money from the purchase.
space@lemmy.dbzer0.com 1 year ago
Next gen is going to be 40% faster.
ljdawson@lemmy.world 1 year ago
50% 💀
dual_sport_dork@lemmy.world 1 year ago
Ha-ha. My chip’s too old to be affected.
I knew putting off upgrading for around a decade would pay off.
atticus88th@lemmy.world 1 year ago
Dont the older chips suffer from a greater performance drop from spectre and meltdown vulnerabilities?
ArcaneSlime@lemmy.dbzer0.com 1 year ago
This inspires confidence with my 2010 ass toshiba sattelite with an i5 and 8gb DDR3. I need to look and see if mine is too old lol.
some_guy@lemmy.sdf.org 1 year ago
Well, maybe you can pirate Cortana and whatever other bloatware to catch up.
RobotToaster@infosec.pub 1 year ago
They really should be recalled like they were forced to when the fdiv bug happened en.wikipedia.org/wiki/Pentium_FDIV_bug
linearchaos@lemmy.world 1 year ago
Recall billions of processors?
I hate Intel as much as the next person, but I don’t want them to disappear overnight generating a unimaginably large processor shortage.
Skates@feddit.nl 1 year ago
Then subsidize them for the recall, and take 10% back every year. How is it OK to pass on a manufacturer defect to all consumers?
RobotToaster@infosec.pub 1 year ago
Blame the patent duopoly for making them too-big-to-fail™
chicken@lemmy.dbzer0.com 1 year ago
This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer.
So just continue not letting people use my computer, got it. Very simple fix.
ryannathans@lemmy.world 1 year ago
Shared use of servers is probably the main issue
salient_one@lemmy.villa-straylight.social 1 year ago
It appears that users in this case include agents such as software. A bit confusing for the general public.
It can theoretically even be exploited via a browser:
[Q] What about web browsers?
[A] In theory, remotely exploiting this vulnerability from the web browser is possible. In practice, demonstrating successful attacks via web browsers requires additional research and engineering efforts.
dbilitated@aussie.zone 1 year ago
I think it also means software running can access other software’s memory which is probably bad but personally I’m not keen for that performance hit on my desktop
FrankFrankson@lemmy.world 1 year ago
Every article is a copy paste of the same bullshit talking about the vulnerability and pointing to the stupid cryptic list of processors that requires you to jump through hoops to read it. You can’t just search for your processor in a database I mean fuck that would take them at least an a couple hours of their precious time to set up and they have only had a year. How do you fix it? Why with a microcode update of course!!..from where you ask? Well don’t worry just look at the cryptic list it will tell you if you need a microcode update!!
Fuck every article about this shit. Anyone wanna bust an Eli5 on how to fix this problem for people? (I was assuming it’s a BIOS update but the articles have only confused me further)
stardreamer@lemmy.blahaj.zone 1 year ago
ELI5, or ELIAFYCSS (Explain like I’m a first year CS student): modern x86 CPUs have lots of optimized instructions for specific functionality. One of these is “vector instructions”, where the instruction is optimized for running the same function (e.g. matrix multiply add) on lots of data (e.g. 32 rows or 512 rows). These instructions were slowly added over time, so there are multiple “sets” of vector instructions like MMX, AVX, AVX-2, AVX-512, AMX…
While the names all sound different, the way how all these vector instructions work is similar: they store internal state in hidden registers that the programmer cannot access. So to the user (application programmer or compiler designer) it looks like a simple function that does what you need without having to micromanage registers. Neat, right?
Well, problem is somewhere along the lines someone found a bug: when using instructions from the AVX-2/AVX-512 sets, if you combine it with an incorrect ordering of branch instructions (basically the if/else of assembly) you get to see what’s inside these hidden registers, including from different programs. Oops. Now if a malicious program deliberately put stuff there, or an innocent program accidentally leaves sensitive information there that could be stolen.
So, that sounds bad. But lets take a step back: how bad would this affect existing consumer devices (e.g. Non-Xeon, non-Epyc CPUs)?
Well good news: AVX-512 is not available on most Intel/AMD consumer CPUs until recently (13th gen/zen 4, and zen 4 isn’t affected). So 1) your CPU most likely doesn’t support it and 2) even if your CPU supports it most pre-compiled programs won’t use it because the program would crash on everyone else’s computer that doesn’t have AVX-512. AVX-512 is a non-issue unless you’re running Finite Element Analysis programs (LS-DYNA) for fun.
AVX-2 has a similar problem: while released in 2013, some low end CPUs (e.g. Intel Atom) didn’t have them for a long time (this year I think?). So most compiled programs wouldn’t compile with AVX-2 enabled. This means whatever game you are running now, you probably won’t see a performance drop after patching since your computer/program was never using the buggy instructions in the first place.
So, the affect on consumer devices is minimal. But what do you need to do to ensure that your PC is secure?
Three different ideas off the top of my head:
-
BIOS update. The CPU has a some low level firmware code called microcode which is included in the BIOS. The new patched version adds additional checks to ensure no data is leaked.
-
Update the microcode package in Linux. The microcode can also be loaded from the OS. If you have an up-to-date version of Intel-microcode here this would achieve the same as (1)
-
Re-compile everything without AVX-2/AVX-512. If you’re running something like Gentoo, you can simply tell GCC to not use AVX-2/AVX-512 regardless if your CPU supports it. As mentioned earlier the performance loss is probably going to be fine unless you’re doing some serious math (FEA/AI/etc) on your machine.
-
SymphonicResonance@lemmy.world 1 year ago
You can’t just search for your processor in a database I mean fuck that would take them at least an a couple hours of their precious time to set up and they have only had a year. How do you fix it?
This page tells you how to get your CPUID: intel.com/…/processor-utilities-and-programs.html
Then search for the CPUID here: intel.com/…/processors-affected-consolidated-prod…
FrankFrankson@lemmy.world 1 year ago
I figured out how to do it fairly quickly but it would be a hell of a lot easier if people could just type in “11700K” in a box on a web page or something and it could just tell them. Or they could have added a little bit of code to their CPU ID utility that says “yupp your processor is effected by the flaw”. I am mostly annoyed at all this not for me but for all the people who would read those pages and the contents would seem like an insane foreign language to them all while articles are telling them it’s a major security flaw that would allow people to steal their encryption keys.
alekks09@lemm.ee 1 year ago
Are you using Windows or macOS? If so you don’t have to do anything. You can just wait and a new update will be available to you soon.
sin_free_for_00_days@sopuli.xyz 1 year ago
And, just FYI, the fix is already out for Linux.
Piers@lemmy.world 1 year ago
I just found this on the page where they list effected models:
“Note The latest software can be obtained through operating system or VMM vendors”
Piers@lemmy.world 1 year ago
It’ll probably just be something that happens through ordinary OS updates tbh (though I understand you’d rather know one way or another.)
HexesofVexes@lemmy.world 1 year ago
Guess it’s time for another FPS hit…
While the article says it won’t impact most applications, I suspect it’s closer to saying “won’t impact most applications as much”.
ram@feddit.nl 1 year ago
Guess it’s time for another FPS hit…
Is it August already? Man, time flies.
devman@lemm.ee 1 year ago
My poor aging computer :(
stardreamer@lemmy.blahaj.zone 1 year ago
I would say you’ll be fine. Most games don’t compile with avx-2 anyways since it’ll crash if you run it on something that doesn’t have them (which is a lot of CPUs) and AVX-512 is straight up only available on Xeons, Epyc and zen 4. Nobody is going to use that for consumer software.
The only game I can think of using AVX is a Skyrim mod for realistic physics, where the author provided binaries for AVX-2/AVX-512. So it won’t affect most compiled applications much since you need to compile with it first (which almost nobody does).
scottywh@lemmy.world 1 year ago
/tinfoilhat
I admittedly stopped reading halfway through but I feel like these newest vulnerabilities being discovered are probably just fucking government back doors the manufacturers have been forced to include.
/tinfoilhat
luciferofastora@discuss.online 1 year ago
I can’t comment on the general trend, but this specific one seems a bit too circumstantial to be of use for a serious spying effort. You’d have to have the spyware running parallel to the apps usong passwords you want to steal in a specific way.
The risk exists, which is bad enough for stochastic reasons (eventually, someone will get lucky and manage to grab something sensitive, and since the potential damage from that is incalculable, the impact axis alone drives this into firm "you need to get that fix out asap), but probably irrelevant in terms of consistency, which would be what you’d need to actually monitor anyone.
If you manage to grab enough info to crack some financial access data, you can steal money. If you can take over some legit online account or obtain some email-password combo, you can sell it.But if you want to monitor what people are doing in otherwise private systems, you need some way to either check on demand or log their actions and periodically send them to your server.
It would be far more reliable to have injection backdoors to allow you access by virtue of forcing a credential check to come up valid than to hope for the lucky grab of credentials the user might change at an arbitrary moment in time.
deranger@lemmy.world 1 year ago
Check out the documentary Zero Days (2016) if you haven’t already. That’s not really a tinfoil hat take these days IMO.
scottywh@lemmy.world 1 year ago
Just means they have to intentionally create new ones to be eventually found for the next generation.
SocialMediaRefugee@lemmy.world 1 year ago
On the plus side now we can steal the info from the criminal’s computers. The cycle of internet life…
DarkThoughts@kbin.social 1 year ago
List of processors without redirect referrer: https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
BettyWhiteInHD@lemmy.world 1 year ago
[deleted]ArcaneSlime@lemmy.dbzer0.com 1 year ago
I’m dumber, can you tell me how to find the numbers after the dash? Mine is an i5, that’s all I know.
AnUnusualRelic@lemmy.world 1 year ago
I’m pretty sure the 8008 is fine.
flamingarms@feddit.uk 1 year ago
Isn’t the i7-7700k a kaby lake processor?
Veedem@lemmy.world 1 year ago
Yikes the performance hit is scary but if you’re running a server, what option do you have?
lowleveldata@programming.dev 1 year ago
Intel’s newer 12th-gen and 13th-gen Core processors are not affected.
Oh ok
madeinthebackseat@lemmy.world 1 year ago
Isn’t that convenient?
1984@lemmy.today 1 year ago
Upgrade to get 3% performance gains on paper and no noticeable real performance gain!
porksoda@lemmy.world 1 year ago
Oh don’t worry, you’ll hear about that vulnerability in two years.
fuckwit_mcbumcrumble@lemmy.world 1 year ago
*cries in 11th gen laptop*
iHUNTcriminals@lemm.ee 1 year ago
Jokes on them. I’m already watched by criminals and am used to companies throttling
nl4real@lemmy.world 1 year ago
My old-ass Ivy Bridge: Oh no! Anyway…
Buddahriffic@lemmy.world 1 year ago
I’m curious if there’s a silver lining of all current DRM keys being accessible through this.
SocialMediaRefugee@lemmy.world 1 year ago
Good thing my CPU is ancient.
Noodle07@lemmy.world 1 year ago
Bwahaha I’m safe with my i5 3450, gotta look at the brighter side of my dumpster fire of a pc
cokane_88@lemmy.world 1 year ago
Good thing I’m poor can’t afford Intel. AMD for the win 😂
Gsus4@feddit.nl 1 year ago
No luck, it’s a systemic issue (practice):
Update: Intel’s Downfall was closely followed by AMD’s Inception, a newfound security hole affecting all Ryzen and Epyc processors. The first independent testing of the mitigation microcode patches show that it can drastically lower performance in certain workloads. We’ve included details throughout this post.
r00ty@kbin.life 1 year ago
Is that the same as zenbleed or in addition? How easy zenbleed was to test and the kind of information gained was terrifying.
DarkThoughts@kbin.social 1 year ago
I got a 10400F because AMD completely abandoned the budget segment at that time.
ndsvw@feddit.de 1 year ago
[deleted]qaz@lemmy.world 1 year ago
I just checked my package updates on my Debian server and there is a new update for the Intel-Microcodes available already.
neoOpus@lemmy.world 1 year ago
It is by Design for IDF
avidamoeba@lemmy.ca 1 year ago
Anyway.
I run AMD.
xaera@sh.itjust.works 1 year ago
Seems very similar to Zenbleed in terms of using certain register optimisation and speculative execution to get crippling security exploits. Thus far I haven’t read too much into the detail of the attack but This article on Zenbleed, written by the attack’s author, describes how the attack in detail and how he came to find it using fuzzing techniques - in this case two sets of instructions that should have had the same result, but they didn’t.
fne8w2ah@lemmy.world 1 year ago
hark@lemmy.world 1 year ago
Install backdoors and sell that info to governments and companies, then years later reveal the issue to justify downgrading performance of older CPUs to encourage people to upgrade.
1984@lemmy.today 1 year ago
Anti virus has also been caught making viruses.
A lot of shady shit happens she there is money and power to be made.
sab@lemmy.world 1 year ago
I heard that rumor before, is there any source to this? Like, which antivirus companies?
Clbull@lemmy.world 1 year ago
[citation needed]
JeffCraig@citizensgaming.com 1 year ago
This does sound like planned obsolescence to me…
Oop CPU sales are down! Leak one of our critical flaws to force people to upgrade!
Dozzi92@lemmy.world 1 year ago
Just feels like Prism all over again.