Researchers reveal Variant 4 of Spectre vulnerability
Denial
disclosed in 2016 at blackhat conference. The better part of the netsec community knew about the vulnerability in relation to all Intel processors weeks before the disclosure, it was all over /r/netsec. That's my point - you aren't keeping this secret, the cat was out of the bag on both these exploits literally two years before it was disclosed and fully leaked and understood by the wider community two to three weeks before disclosure. So what exactly is the benefit of saying "we need to keep it secret for longer" when everyone knew about it weeks before the secret was up? It's not just kernel devs that need to know about exploits of this kind, it's also architecture engineers designing hardware fixes, system validation engineers and software developers validating that the kernel devs are actually fixing the issue and not breaking a million other things, etc. It's across like 6+ different hardware vendors if not more when you consider Nvidia and whatnot also had to make changes in order to mitigate the problem in their drivers, plus countless other security vendors that implement ARM-based SoCs in switches/firewalls/etc - they all need to be updated and patched and in order to do that they need to be fully knowledgeable about the exploit. By the time you're done 10K+ if not more people know about it - a portion of those people are engaged in the netsec community and it leaks everywhere. Which is exactly what happened.
So idk, you're not keeping it secret and honestly even if you could I don't think the advantages outweigh the negatives. I want to know when my hardware/software is insecure and I want to be able to demand that companies fix it or know I need to replace hardware in order to be secure. I don't trust Intel to do it behind the scenes - hell even under public pressure to get it done they've dropped the ball and announced that half their hardware isn't even receiving a patch and countless delays.
180 days is generous and that itself is the exception, as the disclosure is typically 90 (unless you're AMD then it's 24 hours looooool) - the extra time isn't even going to matter because the devices will never be patched regardless.
The hackers already knew a problem existed when the vector for vulnerability was
schmidtbag
Athlonite
BLAH BLAH BLAH. Until someone actually gets hacked via Spectre or Meltdown, I'd rather not keep hearing about it, thanks. We all know by now that all of the Spectre attack paths require local machine access and considerable knowledge and effort to affect a machine, but that's it: one machine, big deal.
warlord
It is tiring and irrelevant to guru3d. We are not a cybersec or hacking tips site. I can tolerate this rubbish only for performance loss, meaning benchmarks. Anything more is a headache and food for nerds or no-lifers.
HH, please stop this kind of news, as it is uninteresting for the real-life PC user / gamer.
alanm
TheDeeGee
I actually flashed back to Microcode 22 for my CPU, cuz the Spectre Fix causes all kinds of unexplainable issues.
user1
performance hit is up to 8%
on intel cpus.
i find it concerning the reaction time of intel and microsoft has been so slow to these problems
patches for linux are already available for all the stable kernels, just waiting on intel to provide microcode,
it should be noted that this exploit can be mitigated the same way as some of the other spectre exploits, lowering the timer resolution makes it much more difficult to use, web browsing should still be relatively safe even on machines without the required microcode
Irenicus
Thankfully this will never affect me nor most users
Nope, but I know it has affected databases and other systems in some companies, but for a regular user/gamer it's not really something you need to worry about
fantaskarsef
Sergio
I seriously don't believe this shit anymore. Just ignore this kind of news. Will they patch and protect all their hardware? NO!?.. Why not??! Are we safe with Linux already? YES?.. Wake the fk up!
slyphnier
Knowing the problem is important, but no matter what... there is no perfect security anyway.
Anything human-built will always have flaws... and there is a cat-and-mouse game between exploits and patches.
There's no other way than to accept it... and just let the chip makers/designers and software programmers solve issue after issue.
If you can't accept it, then exile yourself to the offline world.
jaggerwild
In other news, there are hackers but we can't seem to find any of them making a living doing this. But to be safe we should all toss out our computers before they become infected.
waltc3
Just thought I'd mention that InSpectre #8, latest version as of five minutes ago when I double checked, does not appear to check for Spectre 3a and Spectre 4 at all, as of the present moment. So, fat lot of good that does at the moment--but this is obviously not the author's fault--read on...I certainly share everyone's obvious disdain for all of this and wonder what's really going on here--I mean, the way it is supposed to work is that the Project Zero hackers (Google, et al) are supposed to let AMD, Intel, and Microsoft, and whoever else may be affected, know about these conjectured and theoretical "vulnerabilities" a whole 90 days before the information is made public, and even the 90 days is not written in stone, the hackers could actually give the companies a year or more if they wanted. The *only* reason that I can see for discovering this stuff and two days/two weeks later making it public is because of malware discovered in circulation that actually depends on the vulnerability in order to function as some type of malware. So...*why* all of this rush to fix vulnerabilities without any known incidents of Spectre/Meltdown malware having been discovered anywhere in public domain circulation? The answer to that question will tell us a lot, imo. I'm not sure we are going to *get* a straight answer on that, unfortunately.
The entire idea of these things being some kind of back-door for the NSA, or FBI, or KGB, whomever, is, I think, very much mistaken simply because in that case the manufacturers of the cpus would certainly *know* about them as they'd have to be designed into the cpus deliberately prior to them being manufactured and shipped. Obviously, nothing like that is going on.
My opinion for what it's worth is as follows: I don't mind the patches, Windows or cpu microcode via bios updates, so long as cpu performance is not sacrificed--my personal threshold for cpu degradation is a 1-2% absolute maximum slowdown for these cpu microcode fixes, under a very narrow set of conditions, and of course preferably no performance loss at all. I also prefer bios microcode updates to OS-delivered microcode updates because then the fixes remain in place when the OS is reinstalled or when another OS is employed on the same general hardware and cpu. I was pleased to see that MSI rectified the Spectre 2 cpu microcode slowdown imposed by their first attempt via a bios update--I was concerned after their first attempt because the performance penalties were stiff in certain cases and I had no trouble demonstrating or repeating them. Next bios release fixed 99% of it! This gives me hope that at least on my current AMD hardware the Spectre4 (AMD says it hasn't found any vulnerabilities to 3a as of yet) cpu microcode patches applied in a bios release won't exact stiff performance penalties after all.
I conclude by saying that it's obvious that most of us find the performance so far of the "project zero" people to be very amateurish, and that's being flattering to them, I think. I can see by the tone and tenor of the posts ahead of mine that we are all pretty much sick and tired of this kind of thing. To add insult to injury, next we have to put up with fraudulent "companies" sprouting up from literally nowhere to make all kinds of bogus claims--like for instance calling access to a machine plus administrator rights a "vulnerability" when in fact that is exactly what Admin mode is supposed to supply the end user--access to his own computer/workstation..! So who is doing this for various shady financial reasons, etc.? We know the outright frauds are doing it for that motive, obviously. But what about the rest? What a mess Google has helped make, imo. Someone has declared war on x86 PC cpus for some reason, apparently. Motive speculations anyone?
chispy
Oh dear, will this ever end :/
user1