You may want to read all about these latest vulnerabilities that affect almost every processor since 1995..(well, at least one of the two does). It's the usual attacker-steals-passwords et al kind of problem..Apparently it's quite serious..
Enj Oy..
Time to bring out my trusted ol' Speccy..
Critical "Meltdown" and "Spectre" Flaws Breaks Basic Security for Intel, AMD, ARM Computers | WIRED
“Meltdown” and “Spectre”: Every modern processor has unfixable security flaws | Ars Technica
Meltdown and Spectre (at meltdownattack.com)

6 years ago*

Reversed

6 years ago

Weeeeeeeeeeee

6 years ago


Lmao!

6 years ago

Lies!.. There are obvious gimp-editing artifacts in this picture. It's a fake!! Reported!

6 years ago

reported to the photoshop police :O

6 years ago

Security flaws in computers?!

6 years ago

Hmmm.... what? .... ..... my cpu steal my passwords? O.o ....

6 years ago

Skynet has begun.

6 years ago

I was considering buying a new laptop in the near future.

Does this mean I should wait?

6 years ago

Meltdown already got patches for all major systems. It's hard to tell anything specific about Spectre for now...

On one hand, if I were you, I would wait at least a few days until there's more adequate info on the case. On the other hand, I don't know IF we'll get any new significant info in a matter of a few days. So do as you please ¯_(ツ)_/¯

6 years ago

Waiting would be for next generation CPUs already fixed I guess, so more like months than days.

6 years ago

Right now I'm not talking about waiting for new CPUs. I'm talking about waiting for accurate answers on the questions:

Should we wait for new CPUs? How long would we need to wait? Is it worth waiting? Or is it unnecessary panic?

...and other similar ones. But as I said above - I don't know if we will get answers for these questions in the matter of days.

6 years ago

And next rushed out generation will have far worse problems no doubt, like the i9 response to Ryzens.

6 years ago

Well, by "near future" I mean the next two to three months, so no panic!

6 years ago

You could go for AMD - their x86 CPUs aren't affected.

6 years ago

...by meltdown (as far as we know now!) but are affected by spectre

6 years ago

It's bad but I kinda forget about AMD.

6 years ago

Wait for Ryzen laptops if you think the performance degradation from Meltdown would hit you for what you do on your laptop. Wait for benchmarks for common tasks if you want to get an idea of what the Meltdown patch slows down and what it barely affects.

6 years ago

I'd only be gaming (the heresy, I know) so I don't think it would be that much of an issue, tbh. I won't be buying for at least another two months so by then hopefully it'll be more clear.

6 years ago

okay, to update or not update then?

6 years ago

In general these vulnerabilities do not affect home users. These aren't remote execution vulnerabilities and they cannot be executed through a browser. It's a privilege escalation vulnerability that allows reading protected memory. In the context of Windows and home users this is almost completely irrelevant as this protected data isn't your data, they can already access all of that without this.

The real concern is cloud hosting providers, who can no longer offer any data security without dedicated servers.

6 years ago

..then again..
"Things We Know: These are local attacks: Both Meltdown and Spectre are local attacks that require executing malicious code on a target machine..
[snip snip]
..With that said however, researchers have shown that they can perform Spectre-based attacks using JavaScript, so it is possible for a web browser to pull a malicious JavaScript file and then attack itself in that fashion."
But yes, I'd be a lot more worried about my cloud data.. if I had any

6 years ago

On one hand, hopefully chrome & friends will hurry up and fix the js exploit. On the other hand, a js performance degradation (to fix the exploit) will hit chromebooks pretty bad and Google might not want to do that..

6 years ago

Actually there's confirmation from Mozilla that such an exploit is possible.
There's some help towards protection but not a total solution yet, not for Spectre at least.

6 years ago

From your link, Mozilla is disabling whatever high resolution timers they can for now, but are already trying to come up with ways to stop the leak before it happens rather than hide it. (if you can't tell time finely enough, you can't tell the difference between accessing data preloaded by the leak and data that wasn't preloaded) Hopefully Google does the same, even with the larger investment in the Chrome app ecosystem. If web browsers lose the high res timers for js, they could lose a lot of potential web-based apps (like vsync'd games for example).

6 years ago

Thanks for the info. I had assumed there wouldn't be a suitable timing source.

On a separate note, I'm not sure if I'm more disturbed or pleased to learn that HTML5 has given javascript real concurrency.

6 years ago

The exploits are really quite elegant. Meltdown uses a bona fide security bug in Intel's chips that the software works around and the next generation of chips will almost certainly fix, but the general class of exploits (which includes Spectre) is much harder to fix while still keeping the benefits of speculative execution. What's worse, the ideas behind these exploits, while clever, are not so clever that it's inconceivable that someone didn't come up with them before, without informing the rest of the world. But we'll never know for sure...

If your machine has an Intel chip, update now to at least mitigate Meltdown. And regardless of your chip, update your browser to mitigate Spectre. You don't want to wait for an exploit in the wild to demonstrate a site reading your passwords.

6 years ago

"If your machine has an Intel chip, update now to at least mitigate Meltdown."

Does Intel have any available updates for cpu? I didn't find any. o.O

6 years ago

There aren't any. This is a fundamental problem in the architecture (whether or not it's possible to fix it in the microcode is unclear, but if it is there aren't any fixes on that level yet). You want to update your OS -- everyone has been working their butts off since November last year to patch their kernels to work around the hardware problem.

The mass hysteria and confusion are a little unfortunate -- things have leaked earlier than the agreed-on date of January 9 for "everyone" to be patched. As a result, while the Linux kernel is patched, for example, not all distros have managed to incorporate the fix yet (and backport to earlier versions). Ubuntu users are out of luck at the moment, to name one.

6 years ago

I have only updated whatever was in the windows update thingy. :P What else do I need to do? ;_;

6 years ago

Nothing. If you have updated Windows with the update that was available two days ago, you're good. If you're on Windows 10, winver should tell you you're running build 16299.192.

6 years ago

It says 16299.125. xD Ffs, I literally updated it today. There are no other updates. xD

6 years ago

The update is deliberately held back for machines that have an incompatible anti-virus package installed (unsurprisingly, some AV vendors screwed up as usual by doing undocumented stuff with the kernel that will no longer work in the patched version and would bluescreen your machine if it did get installed), so that might be an issue (aside from everything else that can affect getting updates). If you're using third-party AV, make sure it's up to date and/or read up on what they have to say about KB 4056892.

6 years ago

My bitdefender is always up-to-date. I can't understand what I'm missing.

6 years ago

I've read at least one online report that Bitdefender has not yet updated their software to be compatible, so that would explain things. Up-to-date unfortunately does not mean "good enough".

Edit: to be clear, Microsoft has made the update opt-in, probably because they had no intention of testing every AV package out there (not to mention no time). So even if your AV software is fully compatible already, the vendor needs to put out an update to flip the opt-in switch (it's a registry value) just to signal that there will be no problem. (If you're really adventurous, you could add the value yourself, but I strongly recommend against it, because you could render your machine unbootable.)

6 years ago*

Hello again. Just so you know, my current version is 16299.192 and I have also updated Google Chrome to version 64. Is my system protected now? Also, can I finally disable strict site isolation? I had enabled it in order to protect myself, but it screwed up my browser a bit. :'( Thank you in advance. ^_^

6 years ago

If you're on 16299.192 and your OS has been recently updated, you're good to go.
(If you want to be extra sure, you can check for Update KB4056892 in your update history).

EDIT: Just to be on the safe side - here's a link to download the update if you don't have it.
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056892

6 years ago*

I have this update already. Thank you. So, can I disable strict site isolation now? :P

6 years ago

Yes, you should be fine.

6 years ago

Awesome, since it was screwing up my browser. Thank you!

6 years ago

I hadn't updated until you bumped the thread, so thank you as well. ;)

6 years ago

I think I read somewhere that these are not bugs, so they can't be patched with a microcode update. Linus Torvalds is really angry with Intel: http://www.businessinsider.com/linus-torvalds-linux-inventor-is-furious-at-intel-2018-1

These are CPU design flaws, especially Spectre (which also affects AMD and ARM), so they can only be "patched" at OS/software level to mitigate the risks involved with a severe performance loss, especially on servers and VMs.

6 years ago

Well, whether or not something is a bug doesn't dictate if a microcode fix is possible or not, but this affects speculative execution and the branch predictors, and it is indeed more than probable that the microcode simply can't effectively work around things on that level (there are no "smoking gun" instruction sequences to recognize, or anything like that). I'm not an Intel engineer, though, so it might have been just about possible that Intel decided microcode-fixing all their existing processors (and not breaking something else terribly) was simply not a realistic prospect in the time they had for it. Time will tell -- Intel has only put out damage control press releases so far, they've been pretty quiet on the technical front. (Though there's no doubt a ton of Intel engineers are currently sweating bullets over this very issue.)

It'll be very interesting to see how this problem is going to be tackled "properly" in the future -- through a combination of both fundamental architecture changes and compiler re-jiggering, most likely. For now we only have the latter, and those are only mitigations, not fixes. Some performance loss seems almost unavoidable even with new hardware; the wild days of unbounded speculative execution are over.

6 years ago

"fundamental architecture changes"

We will see them for sure, but we'll have to wait years for it to happen, because relevant CPU architecture changes like this one are implemented very slowly.

In the short term I bet we will only see "patches" (mitigations) at the OS level, probably they'll find a way to gradually improve the performance but we'll never see the same performance on Intel processors like it was before this mess.

6 years ago

I'm a little more optimistic because 1) Intel still has a fuckton of money, 2) they stand a real chance of losing a big part of said fuckton of money if they don't turn this boat around real soon, or at least give clear indications that they're doing so.

Spectre is almost impossible to mitigate entirely by OS patching (it's exploitable while staying completely in user mode) and I don't see all software out there getting recompiled real quick. Rewriting all binaries on the fly as they're loaded is only slightly less of a pipe dream...

While it may indeed be years before things are "fixed for good", there's almost certainly going to be some hardware changes (or microcode updates, if at all possible, but it seems unlikely) that make it (much) harder to exploit speculative execution side channel attacks, and that may be on the order of months rather than years. The fact that all chip vendors have to do this, or at least think about this, also helps. While I doubt that Intel and AMD will be exchanging notes any time soon, they'll keep each other motivated to come up with effective improvements. :-)

6 years ago

It looks like there are microcode updates that, when combined with an OS update, provide mitigation for some of the PoC attacks described, though not the whole class of Spectre-type attacks theoretically possible. https://twitter.com/aionescu/status/948818841747955713

6 years ago

He means update your browser and OS

6 years ago

The latest browser update isn't exactly new. I have updated whatever was in the windows update thingy.

6 years ago

I posted info about Mozilla just below, if you use Chrome they'll probably launch an update soon as well.

6 years ago

Mozilla has just launched a security fix (57.0.4)

Security fixes to address the Meltdown and Spectre timing attacks

https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

6 years ago

'Some applications can suffer slow-downs, some to 30%'

Say good bye Ark, Pubg.

6 years ago

And for "some", read "PostgreSQL benchmarks". Everyone has been jumping on the "30%" figure as if all computers are going to become 30% slower overnight, and frame rates will drop accordingly. This is basically nonsense. Yes, there will be a performance degradation, especially for code that calls into the kernel frequently (which is something high performance software is always trying to avoid anyway), but the 30% is the worst figure anyone has quoted so far.

Not to say this isn't particularly poor news, especially for Intel (big server parks aren't happy with any performance degradation), but for consumer hardware it's really not going to be as bad as it sounds.

6 years ago*

I know, not only said figures could be expected to 'some' but could reach that much - it would depend on how much a system would rely on affected software.

I'm curious however about what kind of software is affected. Beyond games I run graphics design software (entire Adobe package for example, including its file managers), 3D sculpting, game engines like Unity and not so often video editing. It has been years since I looked at and stayed far away from databases but I may need to fiddle into setting up one (I may need one for some features in a project in development, haven't looked into it or alternatives yet).
Sometimes I run a bunch of those side by side - I imagine if any or some rely on kernel memory in some way, the cumulative effect could result in a noticeable slowdown (from a user point of view) - I'm not worried about server side slowdowns since I don't run one (the beauty of 'someone else's problem').

6 years ago

There's an easy way to find out -- update your OS if you haven't already done so, and run benchmarks. :-)

If you've got an Intel chip and your Windows is up to date, you're already under the effect of the perf degradation. And that's fine -- you really don't want to run a machine that doesn't have this patch, even if the perf degradation sounds really bad. That's simply because not being protected against Meltdown is on the whole much worse than a slower machine.

6 years ago

Seems a bit of a case of throwing the baby out with the bathwater. Why should every application on my computer suffer when I'm only worried about certain questionable advertising scripts?

6 years ago

Because you'd need to have an inordinate amount of faith in NoScript/uBlock/IP lists and the like to block every single questionable advertising script/tracker/questionable site you visited on your own before it can run on your machine.

If any malicious software does slip through, with Meltdown unpatched it would be capable of stealing any bit of sensitive data from any application, not merely those in your browser. Imagine every password you use becoming available to an attacker, including those you need to reset others... Personally, I'd throw out a hundred babies to make sure that's not happening.

6 years ago

In my browser settings there's a handy switch that disables javascript.

6 years ago

Games are not really affected because they don't make excessive calls to kernel memory.

It may affect games that need to stream assets from the HDD, but that's yet to be seen.

6 years ago

Many do stream assets, but I don't expect it to be that much worse (30%).

I'm unfamiliar however with calls to the kernel memory. I thought processor heavy games did it too (clueless assumption)

6 years ago

Don't worry, at least for gaming: https://www.youtube.com/watch?v=_qZksorJAuY

6 years ago

Please update. No matter what you do, just update your software. There are already patches out for the Linux kernel, Windows, OSX, and Android for Meltdown. There's a work in progress patch for one of Spectre's two variants that LLVM is working on.

The patches are a software solution to a hardware issue. This is going to stick around for a couple years until we have a fully redesigned CPU generation. For now, the only thing you can do is update, and you should since these two exploits can read all process memory.

If you're worried about performance hits, they won't affect rendering or gaming much because those are computationally intensive activities, not system call intensive activities. Things like VMs will be heavily affected, but games don't have any substantial performance hits.

6 years ago

damn, they are gonna steal my bundle keys T_T

or read my steam chats with spam T_T

hopefully they won't be able to -1 my library count, that's all i got :O

6 years ago

A successful exploit could simply steal your account entirely, by plucking the login credentials from memory. Two-factor authentication helps against this. While your mobile phone is also vulnerable, an attacker would need to subvert both, which is not that easy. Not impossible either, but for now your library count is probably safe...ish.

6 years ago

There was a person here that blamed some Intel software for the loss of his Steam items not long ago. He said that the two-factor authentication was disabled somehow. Wonder if it has something to do with this. Tbh I don't think so. Hackers would hit valuable assets with Meltdown and Spectre, not some Steam items, but hey, maybe it was a simple test.

6 years ago

Deleted

This comment was deleted 11 months ago.

6 years ago

For a comic, that is actually a very good explanation. Most of the time that site is gold. Cheers..

6 years ago