Researchers Discover new Intel processor Vulnerability - the BranchScope Attack

OK, so this affects everybody or only VM users? Yeah, I'd like the choice to wait on an update to make sure as well. Rather than spending extra time reinstalling an OS then patching it 15 times.
I still haven't installed the bios update for the last vulnerability and haven't been hacked until now (nor has anyone). I'm not gonna be a sucker and lose performance over nothing. Same goes with this if it hurts performance in any way.
Again? I still haven't installed Spectre patches...
Another one? What's with all those vulnerabilities popping up lately?
TheDeeGee:

No worries, we will get yet another patch followed by another leak etc etc. And at the end of the day with all 4792874525 patches applied our CPUs will perform like a Pentium 3.
You're making a mountain out of a mole hill. There has been one patch so far (per OS), it only affects the performance of VM software, and even then the performance hit is minimal. And to top it off Intel is implying here that the existing workaround will work with this exploit too.
DrCrow:

need to revive this thing No Vulnerabilities 😀 https://thumb.ibb.co/ninDN7/IMG_20180111_220646.jpg
Back in those days you did not need CPU vulnerabilities. MS's OSes were full of holes. There was hardly any library safe. Network, Direct Input, Direct Sound, ... NTFS was music from future. System was ready to commit suicide upon inserting infected flashdrive with autostart... Those were funny times. What was that dumb ass communication tool with which you could send messages over network to any MS PC and it did pop out?
Fox2232:

Back in those days you did not need CPU vulnerabilities. MS's OSes were full of holes. There was hardly any library safe. Network, Direct Input, Direct Sound, ... NTFS was music from future. System was ready to commit suicide upon inserting infected flashdrive with autostart... Those were funny times. What was that dumb ass communication tool with which you could send messages over network to any MS PC and it did pop out?
WinPopup ?
tensai28:

I still haven't installed the bios update for the last vulnerability and haven't been hacked until now (nor has anyone). I'm not gonna be a sucker and lose performance over nothing. Same goes with this if it hurts performance in any way.
I still haven't locked my door and I haven't been robbed yet (nor has anyone). I'm not gonna be a sucker and lose convenience over nothing. Same goes with this if it makes it less convenient to get into my house. :P
Kaarme:

How is it possible for Intel to have been working on this with the researchers? I thought the modern modus operandi is to reveal the flaw to the hardware manufacturer 24 hours before making it public? How much research can you do in 24 hours, huh?
Nope, you appear to have it backwards...;) Correct industry standard is for public release to come 90-days or more after the CPU manufacturers are made aware of the problem. The 24-hours given the silly recent financially motivated and failed attacks on AMD architecture were a dead giveaway that the info was false and/or very misleading. I found the following quote from near the end of the article to be highly interesting: "Given our observations with mfence and lfence successfully mitigating Spectre and SpectrePrime in our experiments, we believe that any software techniques that mitigate Meltdown and Spectre will also be sufficient to mitigate MeltdownPrime and SpectrePrime." mfence and lfence are current Intel instructions which defeat so-called MeltdownPrime and SpectrePrime, entirely. More and more, these "security bulletins" remind me of the old days when the favorite topic was Windows 9x/XP vulnerabilities, which blazed across the public consciousness like a 5-alarm fire, only to conclude at the bottom of the articles and in very fine print: "The listed vulnerabilities occur in only currently unpatched Windows 9x and XP systems." Then you look at the date of the patches and find they occurred three years ago but the "security bulletin" put out by "security researcher" Company X was only generated last week. Increasingly it becomes difficult to separate "researchers" from the malware hackers, and to determine the actual motivations behind the persons supplying the information in the first place. I have much more confidence in "proof of concepts" (often highly debatable) that AMD and Intel pay for themselves as opposed to the ones that pop up to make headlines without having given the customary advance notice to the CPU manufacturers that the public disclosure of such information demands. This bulletin is *not* one of those, fortunately, although it seems a concept "proven" for which even mere existing software solutions already exist.
waltc3:

Nope, you appear to have it backwards...;) Correct industry standard is for public release to come 90-days or more after the CPU manufacturers are made aware of the problem. The 24-hours given the silly recent financially motivated and failed attacks on AMD architecture were a dead giveaway that the info was false and/or very misleading. I found the following quote from near the end of the article to be highly interesting: "Given our observations with mfence and lfence successfully mitigating Spectre and SpectrePrime in our experiments, we believe that any software techniques that mitigate Meltdown and Spectre will also be sufficient to mitigate MeltdownPrime and SpectrePrime." mfence and lfence are current Intel instructions which defeat so-called MeltdownPrime and SpectrePrime, entirely. More and more, these "security bulletins" remind me of the old days when the favorite topic was Windows 9x/XP vulnerabilities, which blazed across the public consciousness like a 5-alarm fire, only to conclude at the bottom of the articles and in very fine print: "The listed vulnerabilities occur in only currently unpatched Windows 9x and XP systems." Then you look at the date of the patches and find they occurred three years ago but the "security bulletin" put out by "security researcher" Company X was only generated last week. Increasingly it becomes difficult to separate "researchers" from the malware hackers, and to determine the actual motivations behind the persons supplying the information in the first place. I have much more confidence in "proof of concepts" (often highly debatable) that AMD and Intel pay for themselves as opposed to the ones that pop up to make headlines without having given the customary advance notice to the CPU manufacturers that the public disclosure of such information demands. This bulletin is *not* one of those, fortunately, although it seems a concept "proven" for which even mere existing software solutions already exist.
"mitigate"
waltc3:

Nope, you appear to have it backwards...;) Correct industry standard is for public release to come 90-days or more after the CPU manufacturers are made aware of the problem. The 24-hours given the silly recent financially motivated and failed attacks on AMD architecture were a dead giveaway that the info was false and/or very misleading.
I think he was being sarcastic.
With all these holes I don't see Intel and AMD release a CPU which is gonna be 25% faster than the previous generation. Might even turn out to be slower because of all the hardware fixes that have to be applied.
D3M1G0D:

I still haven't locked my door and I haven't been robbed yet (nor has anyone). I'm not gonna be a sucker and lose convenience over nothing. Same goes with this if it makes it less convenient to get into my house. 😛
Obviously not the same. You are comparing a non-existing threat to a very much existing threat. How many people around the world have been hacked by these exploits? The answer is zero. Now how many people around the world have had their houses broken into? Well, I don't know the exact number but I'm sure it's a lot more than zero. If you patch your BIOS now, you are losing out on performance for nothing.
TheDeeGee:

With all these holes I don't see Intel and AMD release a CPU which is gonna be 25% faster than the previous generation. Might even turn out to be slower because of all the hardware fixes that have to be applied.
I was thinking exactly the same thing, posted it some weeks ago in one of the Spectre / Meltdown threads. Either Intel has to give us something better than they would have done in terms of performance, or there will be no performance gain at all, meaning no sales. Because h/w level fixing of such exploits definitely takes some performance with it, they would have to give a 15% boost, deduct 5-10% for the fixes, and stick to their usual 5-10% boost for their next generation 😀 It's just a joke that first they had half a year for their fixes and did nothing, then they produced faulty, buggy patches, and just when you think they have gotten a hold of themselves again, there's another vulnerability they even introduced with the patches against vulnerabilities... if I didn't know better I'd say that can't be real 😀
tensai28:

Obviously not the same. You are comparing a non-existing threat to a very much existing threat. How many people around the world have been hacked by these exploits? The answer is zero. Now how many people around the world have had their houses broken into? Well, I don't know the exact number but I'm sure it's a lot more than zero. If you patch your BIOS now, you are losing out on performance for nothing.
Meltdown and Spectre samples have been found in the wild, and these attacks don't leave an obvious trace. It is a very real threat, and choosing not to apply patches is precisely the same as leaving your door unlocked. Just because the chances of being robbed are very small doesn't mean that you can dismiss it. Security measures impact performance, there's no two ways about it. Security screenings at airports cause delays (you can't just walk into an airport and get to the terminal immediately) and are an obvious inconvenience but they are necessary, and the same goes for computers. If all security features were removed from your system then it would perform much faster, but it would be completely exposed (is it worth having a system that is twice as fast, but which anyone can hack into?). The fact of the matter is that your computer is running faster than it should be, and these patches represent the correct performance level of your system. The thing is, I'm willing to bet that even if a report came in that thousands of PCs have been hacked through Meltdown, you would still not patch your system (you would insist that it's statistically insignificant, or that hackers would not target you). I'm convinced that you would never sacrifice performance for anything.
D3M1G0D:

Meltdown and Spectre samples have been found in the wild, and these attacks don't leave an obvious trace. It is a very real threat, and choosing not to apply patches is precisely the same as leaving your door unlocked. Just because the chances of being robbed are very small doesn't mean that you can dismiss it. Security measures impact performance, there's no two ways about it. Security screenings at airports cause delays (you can't just walk into an airport and get to the terminal immediately) and are an obvious inconvenience but they are necessary, and the same goes for computers. If all security features were removed from your system then it would perform much faster, but it would be completely exposed (is it worth having a system that is twice as fast, but which anyone can hack into?). The fact of the matter is that your computer is running faster than it should be, and these patches represent the correct performance level of your system. The thing is, I'm willing to bet that even if a report came in that thousands of PCs have been hacked through Meltdown, you would still not patch your system (you would insist that it's statistically insignificant, or that hackers would not target you). I'm convinced that you would never sacrifice performance for anything.
Well you are wrong, the second I hear of even a single PC being hacked, I will immediately patch my system so please don't make assumptions. That being said I would like some proof that this has been put in the wild and hacked an actual user's PC, otherwise I'm calling this post BS because I have yet to hear of this.
jaggerwild:

OK, so this affects everybody or only VM users? Yeah, I'd like the choice to wait on an update to make sure as well. Rather than spending extra time reinstalling an OS then patching it 15 times.
This attack is much like the Spectre, so yes this affects everyone. Once again all that has to be done is execute malicious code on a machine, which could be something like JavaScript (every webpage uses JavaScript these days). Thankfully it is highly likely that the existing microcode+OS patches for Spectre are effective against this or can be easily modified to include it.
anticupidon:

Another one? What's with all those vulnerabilities popping up lately?
There has been talk about these types of exploits being possible for many, many years. No one published a working proof of concept until recently. Now that it is known to be possible, more people are interested in the topic and are looking for them. Think of it like a newly formed branch of a tree with many smaller sub-branches budding forth.