Researchers reveal Variant 4 of Spectre vulnerability
Click here to post a comment for Researchers reveal Variant 4 of Spectre vulnerability on our message forum
schmidtbag
These companies really need to stop giving examples of how to take advantage of exploits. They do realize that some of us have no way of getting our CPUs patched, right? For the most part, Spectre and Meltdown were a non-threat. They've been a "problem" for over a decade, and only up until recently were they actually an issue since they were brought to everyone's attention. Stuff like this needs to be patched silently, for the benefit of everyone.
Kool64
Next thing you know these researchers will tell us that licking the heat spreader causes a vulnerability.
mbk1969
I am curious whether researchers publish tools (which they develop) in binary and/or source form.
Dragondale13
https://i.imgur.com/ycDBpYe.jpg
Denial
vonSternberg
So has anyone ever been affected by either Spectre or Meltdown? All I see is news about "new vulnerabilities" but never have I heard of someone actually having problems with this thing.
Google only yields results to said news.
alanm
Denial
alanm
schmidtbag
Dragondale13
https://i.imgur.com/Kzy18Yw.jpg
nosirrahx
@schmidtbag
You vastly underestimate the resources and intelligence of the malware author side of the equation. Disclosing info does not help the bad guys, they have all of this info and more at their disposal.
Disclosing the information gives as many people as possible access to what they need to create mitigation.
Disclosure is required if you want firmware, OS, browser and online resources to all have the best chances of becoming immune to a new exploit.
nevcairiel
Denial
http://www.techzoom.net/Papers/Modeling_The_Security_Ecosystem_(2009).pdf
And the general consensus among them is the best way to handle it is to fully disclose the exploit after a period of time. It gives security teams of various companies time to patch their code with a headstart and after disclosure it gives companies that may not have been notified knowledge of the issue and 3rd party security companies the ability to mitigate it + it gives the public a chance to secure themselves and provides an incentive for the companies to patch the issues in a timely matter.
For meltdown/spectre they had 180 days, for lesser attacks they have 90 days. That seems like a decent amount of time considering the severity of the exploit.
It's not this simple. For starters companies have no incentive to patch non-disclosed issues and even less incentive to share it with competitors and/or SIPs. The vulnerabilities are typically leaked by researchers internal to these companies and/or exploited by them - so they essentially are in the wild regardless to disclosure or not, except now no one even knows what to look for or even to look. There are like a billion other reasons - like I said we had an entire section of our ethics course dedicated to reasonable disclosure and why it's an important part of the security model. And while I can't remember all the of the specific reasons (it was over 10 years ago now) I know that there are tens of thousands of people that put a ton of philosophical thought and/or research into it similar to papers like this:
WareTernal
https://support.microsoft.com/en-us/help/4100347/intel-microcode-updates-for-windows-10-version-1803-and-windows-server
Intel has released BIOS updates back to Cougar Point/Sandy Bridge - I'm not seeing that from ASUS, MSI, or Gigabyte. My DP67DE got a BIOS even though it was EOL on 1/1/14 and the last BIOS was from 6/22/12. They did a good job covering the Q-series boards. Sadly they skipped my DZ77GA-70K, but they did make an update for DZ87KLT-75K.
Microcode updates going back to Sandy Bridge:
warlord
This crap months now around PC industry, I'll pray for nuclear war,https://imgflip.com/i/2as04w if it doesn't stop. It is like noise for real life PC users. Propaganda at its finest, brain washing.
Oh God! Spectre! Variants! Meltdown! blah blah blah blah blah, 25 yeas behind PC screen, but I cannot tolerate this society anymore. I wish for a global format.
schmidtbag
JamesSneed
I guess this will be one more reason to upgrade my Ryzen CPU when Zen 2 comes out, given they have a fix in silicone so perf isn't affected.
nosirrahx
tsunami231
all these researches popoing up and disclosing this stuff to public it not issue with never been known about and never disclosed to public years, but one idiots blab it out to public it becomes nightmare for ever one. which what i issue with. cause that is when people start looking for ways to exploit it