This is an easy way to provide backdoor. It wasn’t discovered until last year which I would say, goes to show that they were able to hide this from the public for so long.
Because of the nature of this security flaw, it’s easy to see that Intel intentionally designed this flaw into their CPU products. There are not one but three different ways that attackers could get malicious code onto a system that could read memory data such as passwords with only normal user privileges.
This was clearly designed to bypass and defeat encryption which means that most, if not all consumer encrypted computers are not safe even despite being heavily encrypted. Luckily, I am paranoid enough to beef the security to the nines that my computer is still relatively impenetrable…for the moment.
But it’s events like these that makes you wonder just how long ago crooked, rogue intelligence agencies started spamming National Security Letters to all the major companies like Google, Microsoft, Intel, Linux etc in an attempt at compliance to provide backdoors which allow mass surveillance. If I had to guess, about 20 years ago.
Lets take a closer look at OS/firmware/microcode updates.
Google mention suggested mitigations in the following blog post:
As you can see, microcode or firmware updates for Meltdown are not appropriate - the problem is with the hardware itself.
To mitigate Variant 1, which allows an application to read its own memory, we’re seeing updates to specific applications for which this would be an issue. Specifically, applications that run third-party code. For instance your web-browser. Edge (from Windows Update) and Firefox ( from 57 onwards) will adjust (degrade) the resolution of their timers. Google are cooking up an update to Chrome as well, from 64 onwards, though they have not outlined their methodology. In the meantime it’s recommended to turn on whatever enhanced process separation features your browser has, but be warned this will absolutely devour your RAM.
I can also see this affecting applications that use plugins, perhaps even Office files that use VBA. So as usual, be careful what you run.
Remember that Variant 1 affects all out-of-order CPUs, period.
To mitigate Variant 2, which is harder to execute but allows an application to pull in data from other applications or even the kernal, Google suggests either a microcode update or the usage of Retpoline, a software technique they pioneered. Retpoline is a per-app fix, and is baked in on compile. Amusingly, however, we have this: https://twitter.com/never_released/status/948996493280731139
Which is to say that no matter what, even if every app ever decided to adopt Retpoline immediately, to mitigate Variant 2 on Intel, you will need a firmware update. Luckily it seems Intel have already released the update for every processor released in the past 5 years, and at least the Surface devices have already been patched. AMD have promised an update but none has been provided as of yet.
Variant 2 affects Intel, and may affect some AMD processors, but no working exploit has successfully compromised AMD.
Variant 3, Meltdown, is the one that affects only Intel (and some ARM, apparently), and requires kernel pagetable isolation. This has been applied by Linux and Windows, and importantly, on both OSes, AMD processors are exempt from the feature. There has been speculation that the Windows fix isn’t similar to the Linux one, that it uses different methodology that doesn’t hit performance as much, but this seems unlikely to me.
To sum up what catonkatonk is saying, ‘Meltdown is fixable, but a hefty chunk of your CPU performance will nosedive no matter how fine-tuning the microcode or firmware is’.
‘Spectre is not fixable, period! To do so would require a complete re-design of the CPU’s silicon hardware architects as well as an update to the instruction set architectures. It’s virtually impossible to fix.’
Online banking, TV/Movie streaming, Youtube, Porn and every other site you visit every day is a potential risk on an order of magnitude that you have never seen before.
Frankly, I think there should be a mass recall of every Intel CPU that dates back to 10 years ago, but we know Intel is NEVER going to do that…because that would bankrupt the company to the ground. Everyone is going to have to wait 5 years for new CPU’s to hit the market that have had redesigned architectures…5 years is too long so this is a catastrophic mistake they made designing these backdoors for intelligence agencies with the assumption that they could get away with it.
Intel needs to own up for what it did because this is a severe violation, even if it means going bankrupt recalling their CPU’s.
Pretty much. They (CPU companies) have got the power through mistakes, blunders and hidden backdoors to push civilization back to the stone age. Given their track record, well…let’s just say that it’s more likely to happen than winning the lottery.
What I am really concerned about is the tens of thousands of lines of hidden instructions in x86 CPUs which is perfect for a rogue AI. It’s literally a portentous precedent, in which greedy companies setup the conditions to which a civilization can fall, all in the name of money…should a rogue AI infiltrate every computer in the world.
Ooops. “After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.” And now some AMD systems are unbootable after installing the update.
I’m not in this situation, as I haven’t had an AMD system for a number of years now, but I’m guessing this means that WINDOWS doesn’t boot, not the computer? A windows update isn’t screwing with the firmware, is it?
@Eriol_Ancalagon I’m not in this situation either, fortunately. Sounds like it’s the Athlon chips that are affected. According to some other articles, reinstalling windows (and immediately disabling updates) is working for some people, so I would assume the update isn’t touching firmware.