from the everyone-out-of-the-pool dept.
Arthur T Knackerbracket has found the following story:
Qualcomm has confirmed its processors have the same security vulnerabilities disclosed this week in Intel, Arm and AMD CPU cores this week.
The California tech giant picked the favored Friday US West Coast afternoon "news dump" slot to admit at least some of its billions of Arm-compatible Snapdragon system-on-chips and newly released Centriq server-grade processors are subject to the Meltdown and/or Spectre data-theft bugs.
[...] Qualcomm declined to comment further on precisely which of the three CVE-listed vulnerabilities its chips were subject to, or give any details on which of its CPU models may be vulnerable. The paper describing the Spectre data-snooping attacks mentions that Qualcomm's CPUs are affected, while the Meltdown paper doesn't conclude either way.
[...] Apple, which too bases its iOS A-series processors on Arm's instruction set, said earlier this week that its mobile CPUs were vulnerable to Spectre and Meltdown – patches are available or incoming for iOS. The iGiant's Intel-based Macs also need the latest macOS, version 10.13.2 or greater, to kill off Meltdown attacks.
Google has decided to publicly disclose the well speculated on CPU based security flaw ahead of their original schedule as a response to the rapidly increasing amount of information that is becoming available. It's official: Google was able to construct a PoC that can read kernel memory at a speed around 2000 bytes per second from a user space application. An overview of the situation is available at the Project Zero blog. Despite the AMD Linux kernel patch that disables the existing known mitigation for their processors Google specifically names AMD CPUs as suffering from the flaw along with Intel and ARM.
Linux creator Linus Torvalds has had some harsh words for Intel in the course of a discussion about patches for two bugs that were found to affect most of the company's processors. [...] Torvalds was clearly unimpressed by Intel's bid to play down the crisis through its media statements, saying: "I think somebody inside of Intel needs to really take a long hard look at their CPUs, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed."
The Finn, who is known for never beating about the bush where technical issues are concerned, questioned what Intel was actually trying to say. "Or is Intel basically saying 'we are committed to selling you shit forever and ever, and never fixing anything'?" he asked. "Because if that's the case, maybe we should start looking towards the ARM64 people more."
Intel Says Updates Will Render Systems "Immune" to Meltdown and Spectre Exploits
What does "immunity" to the "Meltdown" bug mean, and at what cost does it come?
Intel says it has developed and is issuing updates for all types of Intel-based machines that will "render those systems immune from both exploits (referred to as 'Spectre' and 'Meltdown') reported by Google Project Zero. "Intel has already issued updates for the majority of processor products introduced within the past five years," says an Intel spokesperson. "By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years."
Intel's reference to "immune" is an interesting twist in this saga. The New York Times reported yesterday that Spectre fixes will be a lot more complicated as they require a redesign of the processor and hardware changes, and that we could be living with the threat of a Spectre attack for years to come. Intel's wording appears to suggest that this isn't the case for its own processors and security fixes.
Intel is facing class action lawsuits over Meltdown:
Just days after The Register revealed a serious security hole in its CPU designs, Intel is the target of three different class-action lawsuits in America.
Complaints filed in US district courts in San Francisco, CA [PDF], Eugene, OR [PDF], and Indianapolis, IN [PDF] accuse the chip kingpin of, among other things, deceptive practices, breach of implied warranty, negligence, unfair competition, and unjust enrichment.
The RISC-V Foundation would like to remind you that RISC-V is not affected.
Previously: Major Hardware Bug Quietly Being Patched in the Open
Patch for Intel Speculative Execution Vulnerability Could Reduce Performance by 5 to 35% [Update: 2]
Don't Expect Intel Chip Recall After Spectre and Meltdown, CEO Says
« SpaceX's Mysterious Zuma Mission May Soon Take Flight [Update: Successful] | Australia's First Electric Passenger Plane Takes To The Skies »
Spotted over on HN:
tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer.
Turns out 2018 might be more interesting than first thought. So grab some popcorn and keep those systems patched!
UPDATE 2: (martyb)
This still-developing story is full of twists and turns. It seems that Intel chips are definitely implicated (AFAICT anything post Pentium Pro). There have been various reports, and denials, that AMD and ARM are also affected. There are actually two vulnerabilities being addressed. Reports are that a local user can access arbitrary kernel memory and that, separately, a process in a VM can access contents of other virtual machines on a host system. These discoveries were embargoed for release until January 9th, but were pre-empted when The Register first leaked news of the issues.
At this time, manufacturers are scrambling to make statements on their products' susceptibility. Expect a slew of releases of urgent security fixes for a variety of OSs, as well as mandatory reboots of VMs on cloud services such as Azure and AWS. Implications are that there is going to be a performance hit on most systems, which may have cascading follow-on effects for performance-dependent activities like DB servers.
To get started, see the very readable and clearly-written article at Ars Technica: What’s behind the Intel design flaw forcing numerous patches?.
Google Security Blog: Today's CPU vulnerability: what you need to know.
Google Project Zero: Reading privileged memory with a side-channel, which goes into detail as to what problems are being addressed as well as including CVEs:
Submitted via IRC for Bytram
Hoping the Meltdown and Spectre security problems might mean Intel would be buying you a shiny new computer after a chip recall? Sorry, ain't gonna happen.
Intel famously paid hundreds of millions of dollars to recall its Pentium processors after the 1994 discovery of the "FDIV bug" that revealed rare but real calculation errors. Meltdown and Spectre are proving similarly damaging to Intel's brand, sending the company's stock down more than 5 percent.
[...] But Intel CEO Brian Krzanich said the new problems are much more easily fixed -- and indeed are already well on their way to being fixed, at least in the case of Intel-powered PCs and servers. Intel said Thursday that 90 percent of computers released in the last 5 years will have fixes available by the end of next week. "This is very very different from FDIV," Krzanich said, criticizing media coverage of Meltdown and Spectre as overblown. "This is not an issue that is not fixable... we're seeing now the first iterations of patches."
Amid the ongoing Meltdown fiasco, Intel has only one way to go in the data center... down. Intel may be forced to offer discounts or rebates to prevent customers from eventually moving to AMD x86 chips (such as Epyc) or even ARM chips:
Intel chips back 98% of data center operations, according to industry consultancy IDC. [...] Microsoft said on Tuesday the patches necessary to secure the threats could have a significant performance impact on servers.
[...] For Gleb Budman's company, San Mateo-based online storage firm Backblaze, building with ARM chips would not be difficult. "If ARM provides enough computing power at lower cost or lower power than x86, it would be a strong incentive for us to switch," said Budman. "If the fix for x86 results in a dramatically decreased level of performance, that might increasingly push in favor of switching to ARM."
Infinitely Virtual, a Los Angeles-based cloud computing vendor, is counting on Intel to replace equipment or offer a rebate to make up for the loss in computing power, Chief Executive Adam Stern said in an interview. "If Intel doesn't step up and do something to make this right then we're going to have to punish them in the marketplace by not purchasing their products," said Stern, whose company relies exclusively on Intel processors.
[...] Both Qualcomm and Cavium are developing ARM chips aimed at data centers. Cavium said it aimed to rival the performance of Intel chips for applications like databases and the content-delivery networks that help speed things like how fast online videos load.
New laptops are drawing upon features/attributes associated with smartphones, such as LTE connectivity, ARM processors, (relatively) high battery life, and walled gardens:
This year's crop of CES laptops -- which we'll define broadly to include Windows-based two-in-one hybrids and slates -- even show signs of a sudden evolutionary leap. The long-predicted PC-phone convergence is happening, but rather than phones becoming more like computers, computers are becoming more like phones.
The most obvious way this is happening is the new breed of laptops that ditch the traditional Intel (and sometimes AMD) processors for new Snapdragon processors from Qualcomm. So far, we've seen three of these Snapdragon systems announced: the HP Envy x2, the Asus NoveGo and the Lenovo Miix 630.
Laptops with lower-end processors have been tried before, with limited success. Why is now potentially the right time? Because these systems aren't being pitched as bargain basement throwaways -- and in fact, they'll cost $600 and up, the same as many mainstream laptops in the US. Instead, they promise some very high-end features, including always-on LTE connectivity (like a phone) and 20-plus hours of battery life with weeks of standby time, which also sounds more like a phone than a PC. The tradeoff is that these Snapdragon laptops run Windows 10 S, a limited version of Windows 10, which only allows apps from the official Microsoft app store. That's also similar to the walled garden of mobile OS apps many phones embrace.
[...] There's another take on phone-laptop convergence happening here at CES. Razer, the PC and accessory maker, always brings one or two inventive prototypes to CES, such as last year's triple-screen Project Valerie laptop. The concept piece for CES 2018 is Project Linda, a 13-inch laptop shell, with a large cutout where the touchpad would normally be. You drop a Razer Phone in that slot, press a button, and the two pieces connect, with the laptop body acting as a high-end dock for the phone. The phone acts as a touchpad and also a second screen, and it works with the growing number of Android apps that have been specially formatted for larger laptop screens or computer monitors.
Related: Symetium Launches Crowdfunding Campaign for a "Smartphone PC"
Maru OS: an Android ROM that Turns into Debian when it Senses Connected PC Peripherals
What Are Must-Have Specs for a Laptop in 2017?
ARM Based Laptop DIY Kit Ready to Hit the Shops
Windows 10 PCs Running on Qualcomm Snapdragon 835 to Arrive this Year
Microsoft Knows Windows is Obsolete. Here's a Sneak Peek at Its Replacement.
Samsung to Give Linux Desktop Experience to Smartphone Users
Samsung Shows Off Linux Desktops on Galaxy 8 Smartphone
First ARM Snapdragon-Based Windows 10 S Systems Announced
Snapdragon 845 Announced
Qualcomm Joins Others in Confirming its CPUs Suffer From Spectre, and Other Meltdown News