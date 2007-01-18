from the everyone-out-of-the-pool dept.
Qualcomm has confirmed its processors have the same security vulnerabilities disclosed this week in Intel, Arm and AMD CPU cores.
The California tech giant picked the favored Friday US West Coast afternoon "news dump" slot to admit at least some of its billions of Arm-compatible Snapdragon system-on-chips and newly released Centriq server-grade processors are subject to the Meltdown and/or Spectre data-theft bugs.
[...] Qualcomm declined to comment further on precisely which of the three CVE-listed vulnerabilities its chips were subject to, or give any details on which of its CPU models may be vulnerable. The paper describing the Spectre data-snooping attacks mentions that Qualcomm's CPUs are affected, while the Meltdown paper doesn't conclude either way.
[...] Apple, which too bases its iOS A-series processors on Arm's instruction set, said earlier this week that its mobile CPUs were vulnerable to Spectre and Meltdown – patches are available or incoming for iOS. The iGiant's Intel-based Macs also need the latest macOS, version 10.13.2 or greater, to kill off Meltdown attacks.
Google has decided to publicly disclose the well-speculated-on CPU-based security flaw ahead of their original schedule as a response to the rapidly increasing amount of information that is becoming available. It's official: Google was able to construct a PoC that can read kernel memory at a speed around 2000 bytes per second from a user space application. An overview of the situation is available at the Project Zero blog. Despite the AMD Linux kernel patch that disables the existing known mitigation for their processors, Google specifically names AMD CPUs as suffering from the flaw along with Intel and ARM.
Linus Torvalds: "Is Intel basically saying 'We are committed to selling you shit forever and ever, and never fixing anything'?"
Linux creator Linus Torvalds has had some harsh words for Intel in the course of a discussion about patches for two bugs that were found to affect most of the company's processors. [...] Torvalds was clearly unimpressed by Intel's bid to play down the crisis through its media statements, saying: "I think somebody inside of Intel needs to really take a long hard look at their CPUs, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed."
The Finn, who is known for never beating about the bush where technical issues are concerned, questioned what Intel was actually trying to say. "Or is Intel basically saying 'we are committed to selling you shit forever and ever, and never fixing anything'?" he asked. "Because if that's the case, maybe we should start looking towards the ARM64 people more."
Intel Says Updates Will Render Systems "Immune" to Meltdown and Spectre Exploits
What does "immunity" to the "Meltdown" bug mean, and at what cost does it come?
Intel says it has developed and is issuing updates for all types of Intel-based machines that will "render those systems immune from both exploits (referred to as 'Spectre' and 'Meltdown') reported by Google Project Zero." "Intel has already issued updates for the majority of processor products introduced within the past five years," says an Intel spokesperson. "By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years."
Intel's reference to "immune" is an interesting twist in this saga. The New York Times reported yesterday that Spectre fixes will be a lot more complicated as they require a redesign of the processor and hardware changes, and that we could be living with the threat of a Spectre attack for years to come. Intel's wording appears to suggest that this isn't the case for its own processors and security fixes.
Intel is facing class action lawsuits over Meltdown:
Just days after The Register revealed a serious security hole in its CPU designs, Intel is the target of three different class-action lawsuits in America.
Complaints filed in US district courts in San Francisco, CA [PDF], Eugene, OR [PDF], and Indianapolis, IN [PDF] accuse the chip kingpin of, among other things, deceptive practices, breach of implied warranty, negligence, unfair competition, and unjust enrichment.
The RISC-V Foundation would like to remind you that RISC-V is not affected.
Previously: Major Hardware Bug Quietly Being Patched in the Open
Patch for Intel Speculative Execution Vulnerability Could Reduce Performance by 5 to 35% [Update: 2]
Don't Expect Intel Chip Recall After Spectre and Meltdown, CEO Says
Spotted over on HN:
The mysterious case of the Linux Page Table Isolation patches (archive)
tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer.
Turns out 2018 might be more interesting than first thought. So grab some popcorn and keep those systems patched!
UPDATE 2: (martyb)
This still-developing story is full of twists and turns. It seems that Intel chips are definitely implicated (AFAICT anything post Pentium Pro). There have been various reports, and denials, that AMD and ARM are also affected. There are actually two vulnerabilities being addressed. Reports are that a local user can access arbitrary kernel memory and that, separately, a process in a VM can access contents of other virtual machines on a host system. These discoveries were embargoed for release until January 9th, but were pre-empted when The Register first leaked news of the issues.
At this time, manufacturers are scrambling to make statements on their products' susceptibility. Expect a slew of releases of urgent security fixes for a variety of OSs, as well as mandatory reboots of VMs on cloud services such as Azure and AWS. Implications are that there is going to be a performance hit on most systems, which may have cascading follow-on effects for performance-dependent activities like DB servers.
To get started, see the very readable and clearly-written article at Ars Technica: What’s behind the Intel design flaw forcing numerous patches?.
Google Security Blog: Today's CPU vulnerability: what you need to know.
Google Project Zero: Reading privileged memory with a side-channel, which goes into detail as to what problems are being addressed as well as including CVEs:
Submitted via IRC for Bytram
Hoping the Meltdown and Spectre security problems might mean Intel would be buying you a shiny new computer after a chip recall? Sorry, ain't gonna happen.
Intel famously paid hundreds of millions of dollars to recall its Pentium processors after the 1994 discovery of the "FDIV bug" that revealed rare but real calculation errors. Meltdown and Spectre are proving similarly damaging to Intel's brand, sending the company's stock down more than 5 percent.
[...] But Intel CEO Brian Krzanich said the new problems are much more easily fixed -- and indeed are already well on their way to being fixed, at least in the case of Intel-powered PCs and servers. Intel said Thursday that 90 percent of computers released in the last 5 years will have fixes available by the end of next week. "This is very very different from FDIV," Krzanich said, criticizing media coverage of Meltdown and Spectre as overblown. "This is not an issue that is not fixable... we're seeing now the first iterations of patches."
Source: Nope, no Intel chip recall after Spectre and Meltdown, CEO says
(Score: 2, Funny) by Apparition on Sunday January 07, @11:25PM (8 children)
In the short term, Meltdown and Spectre are PR disasters for Intel, AMD, ARM, Qualcomm, etc. However, in the long term, Spectre is a holiday gift for them all. The only real way to fix Spectre is via new hardware, which will see release in 2019 or 2020. That means new desktop computers for governments and businesses, and new notebook computers, smartphones, and tablets for everyone! Merry Christmas, Happy Hanukkah, and Happy New Year, Intel, AMD, ARM, Qualcomm, Apple, Samsung, Dell, Lenovo, etc.
(Score: 1, Interesting) by Anonymous Coward on Sunday January 07, @11:34PM (2 children)
This is just getting started. Some bright spark last year decided to start fuzzing CPU instructions. This is something the chip manufacturers should have been doing. They better get on it ASAFP. Security and tech through obscurity does not work. When everyone learns this lesson yet again, we all get to pay for it. They are going to find more and more just like this for a long time.
This means things like pretty much all new cars have it. Your routers have it. Your internet modems have it. That oh so clever internet connected thermostat will have it. So on and so on. This is going to be *ugly*.
(Score: 0) by Anonymous Coward on Monday January 08, @12:28AM
(Score: 0) by Anonymous Coward on Monday January 08, @12:42AM
The notion that "security by obscurity doesn't work" doesn't mean what you think it means.
It means that if you try to keep your mechanisms secret, you'll probably be compromised. This is because your particular, individual ideas are probably not that smart; it's much better to use mechanisms that have been vetted by very many intelligent people over a lengthy period of time, and which have already been proven under real-world attacks.
The mechanisms of a lock, though public knowledge, are buried obscurely in a metal body.
Your cryptographic key is a number that is so obscure, it's nearly impossible to guess.
(Score: 2) by takyon on Sunday January 07, @11:41PM (1 child)
You can get a laptop as thin as a smartphone!
Acer just unveiled the thinnest laptop in the world [bgr.com]
Meanwhile in Chromebook land:
Acer launches a new Chromebook 11 with USB-C [theverge.com]
I can tolerate 1366x768 resolution (for the moment), but 2 GB RAM needs to be eliminated as an option. The only good thing is that there are not any fewer full-sized USB ports to make way for the added USB Type-C ports. That's the way it should be.
Call it a delayed holiday gift for the computer manufacturers. The things they are showing off at CES right now probably have the compromised chips in them, and there's a good chance most people won't notice slowdowns enough to even want to avoid the bug and upgrade in 2 years. In short, no change!
AMD is still a winner in this situation because Spectre has no huge slowdowns associated with it and can be fixed with a firmware update AFAIK:
AMD is big winner from chip flaw fiasco as more than $11 billion in Intel stock value is wiped out [cnbc.com]
If the hit seen on "synthetic benchmarks" translates to a similar/noticeable hit on I/O-heavy datacenter and HPC workloads, AMD has found its way in to actually push Threadripper and Epyc to customers who might not have given them the chance before. They are probably going to try to double the core count of Epyc in the next year or two. Zen was a good punch thrown at Intel, but Meltdown might lead to the knockout.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2, Informative) by Apparition on Sunday January 07, @11:58PM
According to Matt Dillon of Amiga and DragonFlyBSD fame, Spectre can only be fixed by completely new hardware [dragonflybsd.org]. Not to say that he's completely correct, but he knows much more about hardware than I do.
(Score: 2) by Grishnakh on Monday January 08, @12:03AM (2 children)
What I want to know is: are other CPU architectures vulnerable to something like this? x86-64 (and i586 before it, as this goes back to the PPro days) and ARM are vastly different architectures. But I wonder if SPARC or the old DEC Alpha were vulnerable to this kind of thing, or if they were simply better designed for memory security because they came from the "big iron" market where multi-process multi-user systems were the norm, unlike Intel which came from single-user DOS machines and ARM which came from the Acorn microcomputer company and was designed for embedded systems.
(Score: 2) by Grishnakh on Monday January 08, @12:16AM
Also, a more current architecture that I'm interested to know about is IBM's POWER chips. A bit of research found that POWER6 does not support out-of-order execution, but I don't know about 7-9.
(Score: 2) by driverless on Monday January 08, @12:40AM
The 6502 isn't. That's why Cyberdyne used them in the T-800 Terminator.
