New Meltdown like Vulnerability hits Intel: LVI Security vulnerabilities
fantaskarsef
anticupidon
Yeah, saw this on the Linux Newsfeed, wanted to share it here but I just ignore it. At this point, it's just beating a dead horse.
Don't get me wrong, I want all CPUs to be secure, regardless of brand, but it seems that's the price we pay for branch prediction or another way of data prediction, just to gain more computational speed.
It's the same triangle: performance, security, price. Choose 2, you can't have all 3.
yeeeeman
I understand these researchers are doing it for press coverage, but don't they have anything else better to do? Watch movies, drink beer, enjoy life?
anticupidon
Security people are ever the paranoid.
Enjoy life?
They are quite enjoying it, but making money in the security field. But their way of enjoyment wildly varies from the average person.
Kaarme
alanm
Bring it on! With the world consumed by COVID 19, Intel vulnerabilities are more of a laughing matter now. Surprised anyone gives a crap anymore.
SpajdrEX
Source link has been removed / does not exist
asturur
The problem here is that while gamers can skip all the patches, and they probably should if they are just gaming, enterprise just can't. If the microcode updates are slow enough, that may be a problem for Intel.
TheDeeGee
More performance reductions.
My 4770K... I mean Pentium 3 by now is ready!
jaggerwild
AMD fires back boom! 😱
Kool64
Who needs security when you have all that speed?
squalles
My god, maybe with 34 more patches my i9 can be beaten by a Ryzen 3800X
schmidtbag
waltc3
I'm certain that AMD is happy its cpus are invulnerable to Meltdown attacks. "Meltdown"--these names are so silly--it's like they think, "How can we name them in order to scare people?" It's like COVID-19--common flu strains are far, far worse in lethality and rates of infections every year--COVID-19 isn't a microscopic patch on the flu--but what do people worry about? "COVID-19"--sometimes I despair of the human race...
Mesab67
The research paper pdf is here: https://lviattack.eu/lvi.pdf
Its abstract includes the following interesting section...
"Fully mitigating our attacks requires serializing the processor pipeline with lfence instructions after possibly every memory load. Additionally and even worse, due to implicit loads, certain instructions have to be blacklisted, including the ubiquitous x86 ret instruction. Intel plans compiler and assembler-based full mitigations that will allow at least SGX enclave programs to remain secure on LVI-vulnerable systems. Depending on the application and optimization strategy, we observe extensive overheads of factor 2 to 19 for prototype implementations of the full mitigation."
Bitdefender states: https://www.bleepingcomputer.com/news/security/new-lvi-intel-cpu-data-theft-vulnerability-requires-hardware-fix/
"This is not an average, run-of-the-mill malware attack that one would use against home users for instance."
"This is something that a determined threat actor, such as a hostile government-sponsored entity or a corporate espionage group would use against a high-profile target to leak mission-critical data from a vulnerable infrastructure.
"Although difficult to orchestrate, this type of attack would be impossible to detect and block by existing security solutions or other intrusion detection systems and would leave no forensic evidence behind."
Check out "Daniel Gruss" YouTube page for an interesting, just released (yesterday), assembly language LVI demo.
It would be extremely interesting to find out just how much security compromise has taken place in the never ending "desire to be the fastest" and/or 'optimisation' of prediction pathways. As consumers, we should be extremely grateful to researchers in the work they do - never leave it to a manufacturer to always do the right thing. While not naming names, there is...shall we say...a pattern? On the other hand, these are extremely complex devices. Keeping track of an increasing number of potential 'what-if' misses will become increasingly problematic...A.I. anyone?
nosirrahx
One thing that I don't see mentioned enough is the nature of actual exploit 'kits' in the wild. It is very rare to see monolithic exploits being used in an attack.
Instead 'kits' come packaged with many interconnected exploits all designed to breach a specific level of security culminating in a full compromise.
While an individual exploit might be tough to use on its own to accomplish much, every newly discovered exploit gives each phase of an attack additional methods to become successful.
nosirrahx
Denial
NiColaoS
Intel Management Engine (ME) Firmware Version 12.0.49.1556 (S&H)(1.5Mo)
Is this the new patch that makes it slower? Because I made the mistake of installing it already. If that's the case, I'll re-install the slightly older one.
Intel Management Engine (ME) Firmware Version 12.0.49.1534 (S&H)(1.5Mo)
I also use the InSpectre utility in order to disable the old ones that make the CPU slower in certain aspects.
I want my gaming PC with Intel CPU and all its holes open, but all the performance untouched. I never even use banking or credit card on this PC. Nothing that worries me. Simply want the performance it was intended for.
mbk1969
You will never convince me that all these side-channel attacks have value for "professional" malware hackers. Why waste your time in trying to see valuable information in bits of cache memory when you can simply take remote "root" control on millions and millions of computers of uneducated users by sending them letters with fake links (and even software) promising something, or by putting "bad" versions of software to file servers (torrents)? And speaking about bank operations, as I take it most of the users use smartphones for that.
I guess such research is valuable for the researchers themselves: they got reputation, they got grants, probably they even got a Ph.D.