Intel Spectre Vulnerabilities Now Have a Release Schedule

[cageymaru]

Intel has adopted a release schedule for new Spectre vulnerability disclosures. According to The Register, starting today new patches will be released quarterly to patch the latest exploits. This is akin to the Windows Patch Tuesday. I never thought that hardware would have a patch release schedule, but on the bright side, organizations can now plan in advance. I would manually set a restore point after reading this.....

The new Spectre-class side-channel vulnerability to be disclosed today in Intel's processors can be exploited through bounds-check bypass store attacks. This means malicious code already running on an Intel-powered computer can leverage speculative execution to potentially alter function pointers and return addresses in other threads to hijack applications. At that point, the malware can extract secrets from the system, and cause other merry mischief. The good news is that software mitigations available today for Spectre variant 1 will thwart bounds-check bypass store attacks. Thus, web browsers and other applications employing anti-Spectre mechanisms should be safe.

UPDATE: Intel did send over its statement and we wanted to make sure and share that with you.

“As we continue working with industry researchers, partners and academia to protect customers against evolving security threats, we are streamlining security updates and guidance for our industry partners and customers when possible. With this in mind, today we are providing mitigation details for a number of potential issues, including a new sub-variant of variant 1 called Bounds Check Bypass Store, for which mitigations or developer guidance have been released. More information can be found on our product security page. Protecting our customers’ data and ensuring the security of our products is a top priority for Intel.”

 

[Azphira]

If intel releases a fixed cpu that's $1700 before 2020, I should request an RMA on my warranty.

Betcha it's a LGA 2067

 

[alxlwson]

So how much slower is my CPU now compared to a year ago?

 

[Vercinaigh]

So how much slower is my CPU now compared to a year ago?

Wasn't it said to be around 30% by now? that's painful, it rendered by 1660 v2 useless as it kept hard resetting even at stock as soon as it got a microcode update.

 

[lostin3d]

i.e. Intel is telling us when to bend over, and then updates as to whether or not Vaseline is applied. I truly understand if this post is banned but that is how Intel's statement feels.

 

[TheHobbyist]

How do you guys feel about running older systems that are unpatched for Meltdown and Spectre?

 

[Master_shake_]

i bet intel wishes that it was still 2017.

good luck to everyone on intel patchday.

 

[Advil]

This has become a caricature of itself.

Quarterly Spectre/Meltdown patches? That means they know this mess is about as "fixable" as JAVA or Flash is, so updates are released frequently just to break the existing exploits while knowing full well the underlying issue isn't fixable.

I think at this point we deserve an answer to these questions:

1) Can a microcode update be released that will fully disable all speculative read features that are related to these issues?

2) And if so, exactly how much performance impact is that?"

Maybe some system admins don't want to play quarterly random disaster with CPU microcode patches...

 

[anss123]

2) And if so, exactly how much performance impact is that?"

Benchmark the old Intel Atoms, or one of the earlier ARM implementations without spectacular execution, and you should be in the ballpark.

 

[SvenBent]

How do you guys feel about running older systems that are unpatched for Meltdown and Spectre?

From what i understand (and i might be wrong)
I have no qualms running with the bugs enabled on my home computer
Its not an infection vector. aka its software you need to run on your system that can now use a trick to by pass things like VM's to read data.
If you are not running anything in a sandbox anyway. software can read you data and send it without any changes, so the software does not even need this security hole to be present to do its deeds.

Its however for rentals servers, catastrophic though.

 

[Deleted member 214115]

Just tired of all this Intel (and nVidia) bullshit lately.

 

[Tiburon1186]

Because of this, I'm waiting until they have a hardware fix before doing a new upgrade...

 

[Brahmzy]

So how much slower is my CPU now compared to a year ago?

It's not necessarily your CPU that's slower, it's everything USING your CPU. Storage takes a MASSIVE hit on random performance.

 

[M76]

From what i understand (and i might be wrong)
I have no qualms running with the bugs enabled on my home computer
Its not an infection vector. aka its software you need to run on your system that can now use a trick to by pass things like VM's to read data.
If you are not running anything in a sandbox anyway. software can read you data and send it without any changes, so the software does not even need this security hole to be present to do its deeds.

Its however for rentals servers, catastrophic though.

That's exactly why I think the patching should be opt in or at least opt out for home users. And not snuck in a windows update.

 

[auntjemima]

That's exactly why I think the patching should be opt in or at least opt out for home users. And not snuck in a windows update.

I haven't installed any updates to my home systems. I don't expect any issues on them.

 

[katanaD]

so.. quarterly performance hits, how nice.

 

[velusip]

I'm sure they will want to log/monitor the effectiveness of the patches. :/

 

[Araxie]

That's exactly why I think the patching should be opt in or at least opt out for home users. And not snuck in a windows update.

I haven't installed and I will not install any patch related to those bugs. all this whole thing it's over-reacted, people need to have their machines already stupidly compromised and also be a targeted victim to be able to be exploited by any of these bugs.. that's not my case and I can be sure the same will be for most people out there.. my grandma clicking every ad on the web? im not so sure but still believe she will be safe. lol

 

[alxlwson]

Paging Grand Master 1o57 How exactly big a deal is all this?

 

[PaulP]

Benchmark the old Intel Atoms, or one of the earlier ARM implementations without spectacular execution, and you should be in the ballpark.

If we can't have spectacular execution, can we at least have great execution?

 

[Shaten]

For everyone no thinking your home computer in insecure, remember there are some legit ways this code can be run on your computer through your browser.

In reality the only unpatched systems should be those with no network.

 

[Mode13]

For everyone no thinking your home computer in insecure, remember there are some legit ways this code can be run on your computer through your browser.

In reality the only unpatched systems should be those with no network.

One could simply use a cheap laptop or old PC that is patched for their browsing and net needs. Also, my 486 rig beside me doesn't need any such patches .

The big question is when can we expect an architectural revamp that alleviates the need for software band-aids? I'm not going to upgrade while this is going on though at this point the 4790k in my rig isn't satiating my power hunger any longer. I would love to jump up to the 8 core mainstream chip Intel may or may not have in the works but I doubt it's fixed yet. I suppose whoever has an 8 core first that is sub $400 and fixes spectre/meltdown/etc at the hardware level gets my money.