0x6A7232 wrote: »
This just got worse: there's another security hole. This one affects all CPUs, Intel, AMD, and the ARM processors in your smartphones. The previous flaw in the OP is called Meltdown. The new flaw that affects all processors is called Spectre.
How much is the Spectre patch going to affect your performance, you ask? It won't, because there is no fix. You'll need new hardware. Spectre has been living quietly with us for decades, so there's no way to just use older hardware. Once the attack method gets out... yeah. https://www.nytimes.com/2018/01/03/business/computer-flaws.html
In summary, there are two separate flaws; Meltdown only affects Intel CPUs, and requires a performance-draining patch (which will also be applied to the non-affected AMD chips, because "glory to Intel!" (no, really!)) and Spectre, which affects all (to include the ARM processors in your smartphones) systems. There is no known fix for Spectre, besides new hardware.
So yeah, we're all screwed once Spectre leaks.
SnailsAttack wrote: »
"haha get screwed intel users.. wait"
Nordic wrote: »
Apparently AMD is getting the same treatment regardless of if the bug affects them https://www.techpowerup.com/240187/amd-struggles-to-be-excluded-from-unwarranted-intel-vt-flaw-kernel-patches
Last year, Google’s Project Zero team discovered serious security flaws caused by “speculative execution,” a technique used by most modern processors (CPUs) to optimize performance.
The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.
These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them.
As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data. We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web. These efforts have included collaborative analysis and the development of novel mitigations.
We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation. The full Project Zero report is forthcoming.
We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.
Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01.
So far, there are three known variants of the issue:
Fathom wrote: »
But... I don't want to run windows updater on my win7, they just patch win10 over it without asking.
Nordic wrote: »
This is all an elaborate plan by Google to sabotage Intel so that Alphabet can join and then dominate the x86 cpu market.
0x6A7232 wrote: »
I've heard gaming is barely affected....