Comments Locked

42 Comments

Back to Article

  • Teckk - Wednesday, March 11, 2020 - link

    While issues exist in all systems, whether hardware or software, it has become a little too often in Intel's case. How is this affecting their data center sales? Those who buy/use Xeons shouldn't they be concerned? Should we be concerned if, say, a banking system runs on such a platform?
  • Sharpman - Wednesday, March 11, 2020 - link

    Personally I think that those issues will start arising on AMD CPU as soon as they gain market share and will become an object of attacks. Intel has been in the leading position for years and thus these cases. Same will all operating systems and browsers, the more something is popular, the more people will try to find holes..
  • darkswordsman17 - Wednesday, March 11, 2020 - link

    Certainly there's some truth to that, and absolutely vulnerabilities happen to pretty much everyone. That's not the real issue here though, which is Intel's response. It seems to be better for this one (by better, I mean they're acknowledging and providing some of their own technical analysis), but they ignored some of the other vulnerabilities (one group I think said they alerted Intel about some vulnerability over a year before releasing their findings, and Intel essentially blew them off until it blew up into big news once it was publicly known). Its nice to see Anandtech reporting on this again. At one point AT's official (by that I mean, one of the editors replying to a comment on an article) response was "we're waiting for Intel's response" which simply never came. And then AT stopped reporting on it altogether. Really tarnished my opinion of Anandtech (especially after the CTSLabs fiasco). Then again, perhaps its simply because there's an official response from Intel with regards to it that we're getting this article?
  • Spunjji - Thursday, March 12, 2020 - link

    Pretty sure that first thing you're referring to is Meltdown. We found out about it publicly a long, long time after it was discovered and Intel still didn't have a patch.
  • rocky12345 - Wednesday, March 11, 2020 - link

    Yes it is true that as a company gains market share they can become a target for attacks. With that said 99% if not all of these so called exploits found since 2017 and became public since 2018 are nothing more than researchers in labs trying to find ways to break the CPU so it can be attacked.

    Since 2018 it has become the rage to report these things and make them public. Why that's easy job security for those involved in finding these exploits. If the ones involved were not getting paid a wage to work at these labs we would never hear of these exploits because no one would take the time to find them because they would not be getting paid any income.

    As stated over and over again 99% of these so called exploits need access to the system itself as in in front of it to make things happen. So for most of these exploits if you don't let strange people into your home and access your computer everything should be fine. Yes some of them can be done through the web browser but even then the risks are small.

    The other day when someone reported a exploit on AMD CPU's the post stated the researchers had to reverse engineer stuff to make the exploit work. My reply to that was nearly 100% of malware writers would not have a clue how the inner workings of a CPU works and for them to reverse engineer something like that is nearly impossible and not worth their time to figure out.

    Of coarse this is just my opinion and my take is if these researchers were to just report what they find to the companies in question and not make them public so every tom,dick & harry knows about them maybe things would be safer for everyone.
  • rahvin - Wednesday, March 11, 2020 - link

    With state sponsored cracking and exploitation of digital assets your assertion that these would never be discovered if foolish. They called it Spectre because they new it would haunt us for a decade.

    Need I remind you that timing based attacks have been known about since the early 00's. The first practical demonstration of these was the spectre attacks, but that's all it took. Once people knew how the first attack worked it was only a matter of time until additional exploits were discovered using the first as a template.

    Spectre variants will continue as researchers explore these new attacks. How bad the exploit is depends entirely on the vendors desire for security above speed.
  • Spunjji - Thursday, March 12, 2020 - link

    You seem to be missing the point of all this - it's datacentres, large businesses, financial houses legal operations, governments and the like that are worried about these vulnerabilities - not ordinary home users. That you need physical access is a barrier, but not enough of one. That's why these security researchers are paid to do it; it's not for "job security" (you don't get security in a job nobody wants you to do), it's because it's better for white-hat teams to find the flaws than it is to find out after the black-hats are already exploiting them.

    Suggesting that malware writers have no incentive to reverse-engineer things is contrary to the facts. Some of these people work for state governments, and they often have more resources and more of an incentive to do this than any private company, hence the outsourcing to specialist security researchers.

    Your final paragraph makes no sense at all. If the white hats don't perform a controlled release of the info, nobody knows to patch their systems. They literally *have* to go public, and the methodology of most is to do so *after* the manufacturer of the affected product(s) has developed a patch. There have been some exceptions - either where the affected company took too long to respond (Meltdown) or where the researchers were doing an obvious hit job (Ryzenfall etc).
  • rocky12345 - Thursday, March 12, 2020 - link

    Ok then the short answer for making it all public would be do do so without providing all of the needed details or pretty much instructions on how they did it. If they released a less detailed version to the public letting us know they found something that they were able to reverse engineer to break the CPU.

    We don't need to know the full details as the public. What I am saying is have the public release info and have the more detailed version for the company in question that the product was exploited by them. This way we the public know about it but do not have enough information to do anything about it other than wait for a patch and the company that the product was exploited has all of the information they need to patch or fix the problem because they got the full break down on what was found.

    This way both we know about it & the company does as well. Because we know about it we can update our systems as needed and because it was safely made public the company in question has to do something about it or face backlash from the public.
  • rocky12345 - Thursday, March 12, 2020 - link

    No edit so have to add another comment. These so called flaws everyone is going on about. Maybe these were not flaws in the hardware at all. If someone has to reverse engineer something and then write code that attacks the hardware that tells me they had to go out of their way to break the hardware. With that said then pretty much everything ever created by man is flawed and can be made broken because as humans we are not perfect and anything we make will not be perfect and can be broken or exploited by someone willing to take the time to break the product.

    Anything that is made by us most of the time works as it is intended to work but if you introduce someone into the picture that is trying to break the product yes it will break every time because it was not created perfect. I am willing to bet over the coarse of time there will be several more exploits found in CPU's and pretty much everything else in our computers and everyone will claim they are flaws. They are not flaws until someone goes in and tried to break it by reverse engineering and creating targeted code to make an exploit.
  • Carmen00 - Friday, March 13, 2020 - link

    I've worked in information security and I can tell you that a lot of your assumptions are wrong.

    1. Malware authors are often highly-motivated and highly-competent, perhaps more so than academic researchers. Yes, they know precisely how a CPU works, and reverse-engineering something is not difficult for them. We wouldn't have ROP attacks (for example) if they were stupid.

    2. Malware authors SELL their products to criminals. Those criminals are unlikely to have the skills to do the job themselves, and those criminals are often the ones who are caught. The original authors of much of the malware around the world today are simply unknown.

    3. Security research leads to more security. If your system relies on security by obscurity, then the only open question is how many attacks you're not detecting per unit time -- because you don't know enough to even recognize them as attacks. When everything's open, at least you can detect the attacks. When everything's private, attackers have an immense advantage.

    4. Partial disclosure just doesn't work. It's been tried and it's failed. Firstly, you need to understand an attack thoroughly to understand how to defend against it. All you're doing with partial disclosure is putting up a sign that says "There's a vulnerability here! Anyone want to have a go at finding it?", which is pretty good motivation for a "black hat" hacker. Secondly, it gives a huge incentive for a company to PARTIALLY fix a vulnerability, or just claim they've fixed it, since they know that you can't release attack code to call them out on their BS.

    5. Secure software is possible. Secure hardware is possible. There is plenty of research on provably secure systems and what security actually means. It's not easy reading, but maybe you should have a look at the decades of research before you pronounce your opinion.
  • Dribble - Wednesday, March 11, 2020 - link

    It's not random groups of unrelated researchers finding all these vulnerabilities, if you look they've pretty well all been found by the same bunch of researchers. They have spent years becoming highly specialised at picking holes in Intel cpu's. I don't think anyone has given AMD quite the same focus. It's also possible that AMD just doesn't have that many vulnerabilities but I would have to say that would be luck not judgement on AMD's part.
  • rahvin - Wednesday, March 11, 2020 - link

    That's a silly assertion. This is happening because Intel and AMD are both paying researchers to look for these bugs. The first Spectre attack opened up a massive avenue for new attacks so there is a ton of research going into it. But in each case I've seen these researchers are testing the attacks against both CPU's.

    A lot of the most recent attacks are coming out of the CPU vendors information. This and the last AMD spectre version were both found by reviewing the CPU programming documentation put out by Intel and AMD. In other words the bugs were obvious in the vendors own documentation.

    But there has been a simple reality with all the Spectre bugs, and thats given the design choice between speed and security AMD has generally chosen the later while Intel has generally chosen the former which is why they are being hit by more of them.
  • Spunjji - Thursday, March 12, 2020 - link

    This isn't true about the "same bunch of researchers". Not sure where you got that idea from but it's not borne out in fact.

    You also seem to be forgetting the CTS Labs "Ryzenfall" hit job. Intel absolutely has the money and resources to fund grey-hat groups to pick holes in its competitor's CPUs. Based on the barrage of lies that surrounded that abrupt disclosure (CTS claimed they wouldn't be fixed for "many months or years", patches were released within 6 weeks of disclosure), it was pretty clear that's what happened. They definitely wouldn't be sitting around on billions in cash and as-yet unable to release a redesigned architecture, while their competitor mops up from free publicity.

    Your "luck not judgement" comment is bad reasoning, too. We have no real way to know which it is - you could just as easily be wrong as right about that.
  • eva02langley - Wednesday, March 11, 2020 - link

    Issue here is Intel maintained the same uarch for almost a decade. We are still seeing those lakes coming up... it is pathetic.
  • Irata - Wednesday, March 11, 2020 - link

    You do know that there are Millions of AMD based systeme out there ? They have a lower market share but are not exactly niche.

    Also, again, this issue is tied to an Intel specific feature just like many (but not all) of the other security bugs.

    While I agree that Intel gets more scrutiny just like the kid who keeps cheating in class will get looked at more often, it doesn't mean AMD and Arm go under the radar.
  • Spunjji - Thursday, March 12, 2020 - link

    Exactly. ARM have shipped 100 billion processors. They're in all sorts of devices, including ones that contain precious data, ones that manage network traffic flow - all kinds of stuff. There's plenty of theoretical attack surface area and plenty of incentive to probe it.
  • Teckk - Thursday, March 12, 2020 - link

    ARM owns mobile market, are there that many vulnerabilities in their designs? Or does it fall under Apple, Samsung etc. whoever licenses it.
  • Threska - Wednesday, March 11, 2020 - link

    "Those who buy/use Xeons shouldn't they be concerned? Should we be concerned if, say, a banking system runs on such a platform? "

    Good thing mainframes are still a thing.
  • Teckk - Thursday, March 12, 2020 - link

    As a niche?
  • Chaitanya - Wednesday, March 11, 2020 - link

    Whats the latest count for these vulnerebilities ?
  • eva02langley - Wednesday, March 11, 2020 - link

    Above 100 if I remember well.
  • WaWaThreeFIVbroS - Wednesday, March 11, 2020 - link

    I think it's around 200-250 for Intel and 100-160 for AMD (old numbers tho)
  • Irata - Thursday, March 12, 2020 - link

    According to CVE Details, Intel has 247, AMD 16.

    The latest ones may not be included yet but the ratio stays the same.

    There is also not just the quantity of exploits but also the quality.
  • Spunjji - Thursday, March 12, 2020 - link

    Not all the CVEs are specifically CPU exploits, though - Intel have a lot of ancillary components that are vulnerable to attack, too.
  • Irata - Thursday, March 12, 2020 - link

    That‘s true, but the AMD numbers also contain GPU vulnerabilities. It is still a huge difference.
  • Spunjji - Thursday, March 12, 2020 - link

    It's actually really difficult to get an answer for that. The best I managed was 11 in 2019 alone, which was from an Intel-sponsored article crowing about how their own teams are finding most of them.
  • shabby - Wednesday, March 11, 2020 - link

    If intel wouldn't rehash the same cpu over the last decade maybe it wouldn't affect so many cpus.
  • FunBunny2 - Wednesday, March 11, 2020 - link

    wait... you mean all those 'microarchitecture' advances are just lipstick(s) on a septagenarian pig? :) and... may be SCM implemented directly, without all those caches and buffers, would yield a much more svelte cpu without all these nooks and crannies to hide poison in? would Intel/AMD/ARM be happy with a cpu that only needed a megabyte or so of transistors? yikes!
  • Threska - Wednesday, March 11, 2020 - link

    Security is hard. May have to rethink basic future CPU architectures.
  • Spunjji - Thursday, March 12, 2020 - link

    Oh cool, another "all the CPU designers suck" comment from a certified genius.

    The fact that ARM - a CPU company primarily focused on area efficiency, who beat out Intel in mobile on that basis - have ended up using similar tricks to get their CPUs running quickly should tell you enough about how "all those caches and buffers" aren't just there for shits and giggles.
  • Unashamed_unoriginal_username_x86 - Wednesday, March 11, 2020 - link

    If I can say something incredibly naïve and stupid, why can't they just, like, not tell everyone about these vulnerabilities? It doesn't seem they found most of them being applied in malware, and they require potentially costly mitigation efforts. What's wrong with antiviruses and not letting strangers get near your laptop? Sorry for any lost brain cells
  • teohhanhui - Wednesday, March 11, 2020 - link

    That's "security by obscurity" which isn't security at all.
  • darkswordsman17 - Wednesday, March 11, 2020 - link

    There's a few reasons. First, just not telling anyone won't accomplish what you think it would, as the issue is still there, open to be exploited. Often they don't even know if its being exploited (although they could possibly check various common malware to see, but that doesn't mean its not being exploited just that they aren't aware of it). Typically they will alert those that have control over this some time (I think some waited for over a year, although generally more like 3-6 months seems to be standard procedure) before more openly divulging them, to give them lead time to come up with a solution for the issue (patch, etc), giving them opportunity to quietly mitigate it before "its in the wild" (publicly shared). They are doing this as research though and its literally their jobs. And if they don't, someone else likely will (or others will find and potentially exploit, meaning not reporting leaves a lot of people open to potential attack). Lastly, its important for them to share this so that these issues can hopefully be fixed (notice how they speculate that others might be vulnerable as well) and/or taken into account (thereby providing better security for everyone). In simplest terms, not releasing their info leaves more vulnerable and likely little hope of a fix (if companies can get away with vulnerabilities not being known, they very likely won't bother fixing them - there's some evidence that Intel knew about the potential for some of these vulnerabilities for years, possibly over a decade even, and didn't do anything to prevent them, choosing to value things like performance over security).
  • FreckledTrout - Wednesday, March 11, 2020 - link

    This used to be how it was 20+ years ago. So hackers and governments had easy access once they found a vulnerability. They kept these things in inner circles while stuff was getting hacked left and right. This open approach on security is far better.
  • JoeyJoJo123 - Wednesday, March 11, 2020 - link

    Antivirus isn't always a solution for a data breach. Antivirus can usually only try to respond to known threats. If the threat isn't known, then what can an antivirus do to protect against that? Also, dumb analogy incoming:

    John (Intel) is some dude that lives in a house in a neighborhood, alone with his dog (Antivirus). John's house has a backdoor into his backyard. It doesn't have a lock on it (exploit).

    Next door neighbor Jim (Security Expert) one day spots that John's house doesn't have a lock on his backdoor.

    Now, Jim can just say nothing, and one day, eventually, John will get robbed (hacked), and maybe or maybe not his dog (antivirus) might be enough to deter the robbery. Jim has a conscience and doesn't want to just wait and let that happen one day because it'll just cost a real person their livelihood.

    Or Jim can say something to John (private disclosure of vulnerability). Problem is, people like John will go up and down for a year and say "Nawwww, it's not a problem, don't worry about it, it's fine, besides someone would need to physically be in my backyard to begin with to rob me, and what are the odds of that happening?"

    Eventually a year passes and Jim just makes a public Facebook post the entire neighborhood can see stating "John's backdoor has no lock on it. I'm not saying go rob him, but I'm saying he needs to put a lock on his backdoor already".

    The next day John goes to the hardware store and buys a door lock and installs it. Problem averted.
  • rahvin - Wednesday, March 11, 2020 - link

    Information security works best in layered defenses. From the firewall and email scanning, to the virus and anti-malware software right on down to infosec computer training. You need all the layers because each layer provides protection the other layers don't.
  • Spunjji - Thursday, March 12, 2020 - link

    This is actually a pretty damn good analogy. In my headcanon "Intel John" is played by John McAfee.
  • Drkrieger01 - Wednesday, March 11, 2020 - link

    This sounds like another exploit that can be mitigated by educating your working staff (like 'knowbe4.com'), and using a decent email filtration system (ex.: Fortimail). Education on what is/is not malware is paramount these days - you would not believe the crap that comes through email. So many javascript attacks, vbs scripts, macro embedded office files, etc., that users need to know how to identify... these are the things that will help protect your systems. Most of these exploits coming to light need direct access - educate the users to remove the 'direct access' from the equation.
    Yes, microcode updates are good as well, but lets be honest... are we ever going to see a completely secure CPU in the next 5 years? Probably not. Can it be 95% secure with proper care of use of the equipment, and education on identifying threats? Very likely.
  • JoeyJoJo123 - Wednesday, March 11, 2020 - link

    Yes, great solution. Let's just hire humans that never get overworked and never hastily click a link to try to mow through e-mail overload and never make mistakes. I've never fallen for phishing attempts, but that's not the issue here, it's a HARDWARE VULNERABILITY, let's not move the goalposts and say it's OK to have hardware vulnerabilities and that the real issue is security training.

    It's not feasible for every employee your company ever hires to never make mistakes. Every human is a human. And besides, this is a vulnerability that affects the hardware, where no matter how good your IT staff is, they can't just reformat the vulnerability away.
  • Spunjji - Thursday, March 12, 2020 - link

    Can back this up. Anyone who's worked for an educational institution in particular will know how utterly un-possible it is to prevent some minority of users from clicking random crap in emails. You can give training seminars, send out emails, post bulletins, whatever - and then 3 weeks later someone calls in and says "well, I clicked this thing..."
  • eva02langley - Wednesday, March 11, 2020 - link

    MELTDOWN!

    https://youtu.be/hOzulXud52I?t=87
  • hakabakkjanu - Thursday, March 12, 2020 - link

    your song is amazing thanks for sharing a good link,
    https://rentacar.guru https://pakistani.guru

Log in

Don't have an account? Sign up now