Spectre Next Generation is Coming Whether we Like it or Not

[DooKey]

According to the folks over at c't spectre isn't over it's just moving on to the next generation. They say Spectre NG has been confirmed as eight flaws in Intel CPU's that haven't been revealed yet and that some ARM and possibly AMD vulnerabilities are possible as well. So watch out people because this ride is just getting started and you can't get off yet. Thanks cageymaru.

So far we only have concrete information on Intel's processors and their plans for patches. However, there is initial evidence that at least some ARM CPUs are also vulnerable. Further research is already underway on whether the closely related AMD processor architecture is also susceptible to the individual Spectre-NG gaps, and to what extent.

 

[jfreund]

How many of these 8 new flaws require flashing a custom UEFI?

 

[BSmith]

I am just going to take my chances, with my personal computer(s).

Getting to be a pain dealing with this.

 

[ProfessorUtopia]

I am just going to take my chances, with my personal computer(s).

Getting to be a pain dealing with this.

Same. Without credible, confirmed, in-the-wild threats, I'm going to hold off on throwing away 5 years of CPU performance gains, speculatively patching with speculative fixes for speculative execution over speculative vulnerabilities.

 

[Stinkfist]

It is nice they are catching the vulnerabilities before they are made public though. Sure, I'm going to take my chances too, but the fact that we haven't seen these in the wild BEFORE they became known problems is a good thing.

 

[cjcox]

How many of these 8 new flaws require flashing a custom UEFI?

Only the first 10 of the 8.

(dang fdiv bug)

 

[Dead Parrot]

Not surprising. Once this attack vector was published, everyone wants to get in on the action. Likely to be many more variations on the theme. CPUs, chip sets, USB controller sets, etc are complex gizmos often built in a hurry to get to market with 'New and Shiny' before the other guy. Seems a lot of companies are still living in "The Internet is a Friendly Place to Play" world and place security testing well out of the top 10 things to worry about.

 

[SixFootDuo]

You guys can image a brand new install of your OS and deploy it everyday or once or twice a week in a matter of a few minutes. It's not that big of a deal. It's not hard to keep people and shit off your system

 

[viper1152012]

....... I DO have a system image backed up once a month..... And yes I have a dual bios.... You know what, bring it on

 

[theplaidfad]

So is branch prediction just going to have to stop being a thing? I, for one, do not welcome our new 1998 performance level CPU overlords.

 

[knowom]

Why am I not that surprised...

 

[Sycraft]

So is branch prediction just going to have to stop being a thing? I, for one, do not welcome our new 1998 performance level CPU overlords.

No, this is just something that we'll need to deal with and mitigate. There are risks to computer systems, just like physical systems, and you can't eliminate risk. You take steps to minimize it, but it is still there. This is just a new class of covert data channel attacks. Those have been around for a long time, and will always be around. You can't eliminate them all. To give you two examples take DNS and ICMP. Both can be used to covertly exfiltrate (or infiltrate in the right circumstances) data from a system. ICMP is designed for control messages and pings and such, but there is a payload in it and malicious programs can and do make use of that payload to transfer data that bypasses firewall rules (because you have to permit at least some ICMP for IP to work properly).

So what will we do about these? When feasible, we'll patch CPU microcode to stop them there, if not, we'll patch OS kernels to stop them there, if not we'll need to change how applications work to stop them there, and if not we'll have to work on detection for malware using them. Same shit as other security issues. It won't go away, and we won't just say "Well, that's it, can't fix this 100%, let's pack it up and stop using the technology!" No we'll just do our best to mitigate the risk, and to detect exploitation when it happens.

 

[NAXDON]

All I'm thinking is Star Trek right now.

 

[Dk975]

I wonder if the future Intel chips that are coming out with former Spectre and Meltdown problems fixed will also have these problems fixed?
These problems are getting out of hand. Wasn't China producing their own CPUs? Maybe they will be smarter and think about security up front.

 

[Skull_Angel]

Guy: Hey guys, I found that secret backdoor X agency made you put into the system.

Company: What? You're crazy, no you didn't. ::whispers to boss:: Hey boss we've got a problem... <Boss> What? Let me contact the PR guys and let them handle the announcements...

Guy: Still there? I can prove it. Watch. ::customers x, y, z, ect. complain about being locked out of their systems::

Company: Hey boss!! <Boss> Shit! PR guys!? <PR guys> We're on it!! <Boss> Tech guys, patch that backdoor and put it somewhere else... ::grumbles:: <Tech guys> On it.

Guy: Um guys... I found that new backdoor...

Company: Danmin! Boss!! <Boss> Again!? L$HD#*HG*$SYI!!

 

[MrDeaf]

INB4 another unheard of IT security company publishes AMD CPU vulnerabilities that require an already compromised system, gives only 24hrs of notice to AMD and also claims that "AMD can't fix it for several months".

 

[Mazzspeed]

Meh, don't care. I'm personally over it.

 

[Advil]

I realize I'm just being idealistic here, but at what point does Intel actually owe us a fixed processor?

This is moving way beyond "stuff happens and we released a patch which makes your machine slightly slower but act of god level unforseeable issues happen sometimes, move along."

Now it's turning into a case of the exploit being the never-completely-fixable gift that just keeps on giving and taking performance with every new patch.

Yep, my CPU still works. Yep, it's overall quite fast. But by the time this next round of patches goes in it's pretty safe to say I could have built that overclocked Ryzen 1700 and mobo for about $250 less than this 8700k and matched the performance.

And almost a sure thing that it will no longer be a notable step up from last gen hardware anymore.

The entire decision to do this build was based on the insane per core performance numbers. I guess all we can do is wait for the numbers and see what the performance graphs look like.

 

[daglesj]

Another 'Apocalyptic Bug of the Week' that actually doesn't really translate to anything major in the real world.

If Web News etc. wasn't so reliant on sensationalism to generate clicks we would have a more reasoned and balanced view of the world.

How may times in the past 12 months has Android been "cracked wide open" etc. etc. etc.

We're still here.

 

[Brahmzy]

Maybe not major for you. A nightmare for Enterprise SysAds / Infrastructure folk. Major real-world impact for us.

 

[sirmonkey1985]

Not surprising. Once this attack vector was published, everyone wants to get in on the action. Likely to be many more variations on the theme. CPUs, chip sets, USB controller sets, etc are complex gizmos often built in a hurry to get to market with 'New and Shiny' before the other guy. Seems a lot of companies are still living in "The Internet is a Friendly Place to Play" world and place security testing well out of the top 10 things to worry about.

Sometimes it's just shit you never think of. The people that find these flaws spend years trying to break shit til they get the results they need.. i mean think about it, this flaw has existed for 10 years and they are just now finding it.