AMD Zen 2 processors get hardware level Spectre protection

Hardware fixed in 2019... ... so let's pray that nobody decides to get the exploit working on AMD systems in the next 12 to 18 months?
thatguy91:

It's blocked in firmware and OS, if updated. This is referring to a hardware redesign.
IF you have gotten the firmware for your CPU AND it works properly (which many have not). IF you updated your OS to have it "secure" (which I am not sure they have, did win7 get ALL the fixes?). IF you believe that those firmware and OS updates really help (did you read about what Torvalds said about them?) This is a security issue, and as such I don't fancy hearing about IFs that last for 18 months. This whole issue was supposed to be taken care of in 6 to 7 months after being discovered (that time ended last week and we're not that much closer to having real fixes across all platforms and vendors than we were a month ago). More than enough time for any capable programmer to try and up their botnet right now via the IoT crap devices nobody patches. Or consoles. Or smartphones / tablets.
fantaskarsef:

IF you have gotten the firmware for your CPU AND it works properly (which many have not). IF you updated your OS to have it "secure" (which I am not sure they have, did win7 get ALL the fixes?). IF you believe that those firmware and OS updates really help (did you read about what Torvalds said about them?)
The vast majority of Ryzen users right now are enthusiasts or are built/maintained by enthusiasts; I'm sure they've run the updates by now. Due to the deliberate negligence of Windows 8 and older (by either MS or AMD - doesn't really matter who), pretty much all Ryzen users are on Windows 10, Linux, or FreeBSD and likely have their CPU up-to-date. If they're not, well, it wouldn't take much effort to temporarily boot another OS to patch their CPU if they're worried enough. To my recollection, Torvalds was only complaining about Intel's patch. So far, AMD has been pretty wary of having Intel's patches applied to them; a month ago they requested their CPUs be blacklisted from some changes (at least in Linux, which is what Torvalds is all about).
This is a security issue, and as such I don't fancy hearing about IFs that last for 18 months. This whole issue was supposed to be taken care of in 6 to 7 months after being discovered (that time ended last week and we're not that much closer to having real fixes across all platforms and vendors than we were a month ago). More than enough time for any capable programmer to try and up their botnet right now via the IoT crap devices nobody patches. Or consoles. Or smartphones / tablets.
I agree that this issue should've been taken care of much sooner (or at least these companies should've had well-written and reviewed patches by now). But remember that only Intel is the one to really be worried about, due to the remote access - all other chip manufacturers don't seem to have that glaring issue, which includes ARM, MIPS, IBM, AMD, and Oracle. As for IoT devices, I'm sure exploiting the risks on them isn't worth anyone's time. All connected consoles are likely patched by now. Smartphones and tablets are the major ones to worry about, since many of them "can't" be updated. I don't think there's anything to worry about for upcoming CPUs from all brands. In general, I don't think there's anything to worry about for existing CPUs either, except maybe in smartphones.
From the article: Su specifically mentions that AMD does not believe that Spectre flaws pose a real threat to its processors, regardless, you can expect the Zen 2 architecture for AMD's next processors to be Spectre-proof she adds. The news once again was transcribed from the quarterly earnings conference call. AMD specifically mentioned this news and also reiterates that current generation processors are not vulnerable towards Meltdown, and only partly susceptible to the 2nd variant of Spectre.
That is factually wrong and it's not what AMD said, at least not during the conference call. This is what Lisa said during the conference call: As a reminder, we believe Meltdown is not applicable to AMD processors. For Spectre Variant 1, we continue actively working with our ecosystem partners on mitigations, including operating system patches that have begun to roll out. We continue to believe that Variant 2 of Spectre is difficult to exploit on AMD processors. However, we are deploying CPU microcode patches that in combination with OS updates provide additional mitigation steps. Longer term, we have included changes in our future processor cores, starting with our Zen 2 design, to further address potential Spectre like exploits. We continue to collaborate closely with the industry on these vulnerabilities and are committed to protecting AMD users from these and other security threats as they arise. Which is a step down from the "near zero risk" rhetoric which landed them a lawsuit, but apparently still vague enough to cause confusion.
schmidtbag:

But remember that only Intel is the one to really be worried about, due to the remote access - all other chip manufacturers don't seem to have that glaring issue, which includes ARM, MIPS, IBM, AMD, and Oracle.
Can these new exploits be enabled remotely? No. Any malware using this side channel analysis method must be running locally on the machine. Following good security practices that protect against malware in general will also help to protect against possible exploitation until updates can be applied. https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
schmidtbag:

I agree that this issue should've been taken care of much sooner (or at least these companies should've had well-written and reviewed patches by now). But remember that only Intel is the one to really be worried about, due to the remote access - all other chip manufacturers don't seem to have that glaring issue, which includes ARM, MIPS, IBM, AMD, and Oracle.
Yeah, I'm wary of my lone Intel system (although it should have been patched by now), but have no concerns about my AMD ones. I look forward to Zen 2 but not for the Spectre protection - it was Meltdown that caused all this panic, as it was the really serious threat, and it only affected Intel processors. It was only because Intel's PR tried to conflate Meltdown with Spectre that the latter was given any sort of limelight.
Guess I'll wait for Zen2 then, hopefully the DDR4 crisis will be over by then.
I heard that it usually takes 3-5 years to make these kind of changes into silicon or perhaps they got their numbers wrong?
RzrTrek:

I heard that it usually takes 3-5 years to make these kind of changes into silicon or perhaps they got numbers wrong?
AMD is already pretty resilient to Spectre and have their secret sauce, memory encrypting, so I guess it probably doesn't take much of a silicon change for them to implement that. And about 3-5 years, that is usually how long it takes to develop a new arch; since they don't need to develop a new arch, just apply some changes to an already developed arch before it gets sent to FAB for manufacturing, they don't need 3-5 years. What I mean by that is that the changes required to be done to the CPU don't need a whole new arch, just a couple of tweaks to the existing
Not good enough, Intel will have the fix sorted this year according to the latest update. They all knew about the problem long enough imo to have this sorted in the next release, Ryzen+ in this case.
I understand the patches should have been out earlier and agree. But the folks here talking about Intel will have it fixed sooner or all the IF this IF that are not really on point. Intel has committed to fixing these vulnerabilities in Ice Lake which at best is end of 2018 not much sooner than AMD should have Zen 2. Intel also has the most exposure to the variants. The other thing on all the If this if that patches micro code etc the only other option is to buy a new CPU with the fixes. I just don't understand all the hate as AMD is the least impacted CPU vendor of the bunch because they focused on security with the Zen design and they will only be shortly behind Intel with new CPUs that have the fixes in the silicon. Personally I felt AMD and Intel committing to fixes in Zen 2 and Ice Lake was pretty darn fast. Intel already has Ice Lake tape in ready so this is going to cost them a bit to go back and fix the design. This is also why I'm a little sceptical on their 2018 release date as it has to push them back a bit. Maybe I'm just a half glass full person but I thought this was positive to have both AMD and Intel committed to these design fixes on their next round CPUs.
user1:

Ladies and gentlemen, we have malware. http://www.tomshardware.com/news/meltdown-spectre-malware-found-fortinet,36439.html should be lots of fun in the coming years.
So having a bit of sense not to click on every "DOWNLOAD" button on browser ruins all the fun? Damn you common senses! What took them too long to create simple damn virus with all info vulnerabilities information leaked. Anyway, I am just having fun watching people losing their mind over it.
Is there any way to know if my processor is affected by any of those?
I am bored with this Spectre/Meltdown noise and stuff. Perhaps tons of people should find new meaning in life. Boredom is harmful nowadays.
warlord:

I am bored with this Spectre/Meltdown noise and stuff. Perhaps tons of people should find new meaning in life. Boredom is harmful nowadays.
Did you just bore yourself? Anyway, people just love drama! Be it politics, new exploits or a celebrity scandal! That's how human beings have entertained themselves for ages! I mean, just create a bit of noise and you've got yourself a crowd! And it only snowballs afterwards!
sverek:

So having a bit of sense not to click on every "DOWNLOAD" button on browser ruins all the fun? Damn you common senses! What took them too long to create simple damn virus with all info vulnerabilities information leaked. Anyway, I am just having fun watching people losing their mind over it.
Well, the graph shows that the first malware appeared pretty much the day of release, and that the amount of unique samples (I assume that means not from the same machine) has been growing exponentially, from around ~25 samples per day to about ~120 per day in less than 2 weeks. The graph also shows how many unique malwares were sampled per day, which for most of the graph has been an avg rate of ~10 new previously unknown malwares per day. All I can say is that if you have JavaScript enabled on an unpatched device, expect to get aids eventually (primarily info stolen from unpatched Android and iOS phones). The rate of growth is tremendous; only a matter of time before a trusted site ends up serving tainted ads from a compromised source.
Yes, JS exploits are scary. But as far as you end up visiting the site you can't trust, there's not much you can do. Only pray your browser detects the bad JS and stops it from executing on the client side. That's why Google has been patching Chrome for a while now. Again, it's easier for a virus to be executed while in binary and downloaded on disk, not poorly written in JS. That's why visiting shady sites with download prompts and pressing all the download buttons is generally not a good idea.
fantaskarsef:

Hardware fixed in 2019... ... so let's pray that nobody decides to get the exploit working on AMD systems in the next 12 to 18 months? - - - - IF you have gotten the firmware for your CPU AND it works properly (which many have not). IF you updated your OS to have it "secure" (which I am not sure they have, did win7 get ALL the fixes?). IF you believe that those firmware and OS updates really help (did you read about what Torvalds said about them?) This is a security issue, and as such I don't fancy hearing about IFs that last for 18 months. This whole issue was supposed to be taken care of in 6 to 7 months after being discovered (that time ended last week and we're not that much closer to having real fixes across all platforms and vendors than we were a month ago). More than enough time for any capable programmer to try and up their botnet right now via the IoT crap devices nobody patches. Or consoles. Or smartphones / tablets.
Where is your logic? Those IFs you mentioned are correct. Currently produced chips can be considered as vulnerable till "soft-patched". But that has nothing to do with release of HW fixed CPUs in 18 months. Those old ones still need to get patched and Zen2 existence does not change anything for them. Your comments here are not even off-topic.
user1:

Ladies and gentlemen, we have malware. http://www.tomshardware.com/news/meltdown-spectre-malware-found-fortinet,36439.html should be lots of fun in the coming years.
Yeah, it's out in the wild apparently: http://www.securityweek.com/malware-exploiting-spectre-meltdown-flaws-emerges
Fox2232:

Where is your logic? Those IFs you mentioned are correct. Currently produced chips can be considered as vulnerable till "soft-patched". But that has nothing to do with release of HW fixed CPUs in 18 months. Those old ones still need to get patched and Zen2 existence does not change anything for them. Your comments here are not even off-topic.
What I was referring to is that AMD brags about fixing the issues they have known in two years of time (since they have heard of Meltdown / Spectre), another 18 months from now on. Nothing to brag about, Intel isn't able to fix their CPUs with patches, but their hardware fix is at least announced to arrive this year. Also too long in my opinion. Your comment shows you didn't understand what I was complaining about, that the fixes are way overdue in any way, at least in my opinion. And I don't fancy posting off-topic, that's something for the trolls that roam this place.