Overclock.net - An Overclocking Community

Overclock.net - An Overclocking Community (https://www.overclock.net/forum/)
-   Hardware News (https://www.overclock.net/forum/225-hardware-news/)
-   -   [The Register] SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability (https://www.overclock.net/forum/225-hardware-news/1721926-register-spoiler-alert-literally-intel-cpus-afflicted-simple-data-spewing-spec-exec-vulnerability.html)

Imouto 03-05-2019 06:39 AM

Quote:

This security shortcoming can be potentially exploited by malicious JavaScript within a web browser tab, or malware running on a system, or rogue logged-in users, to extract passwords, keys, and other data from memory. An attacker therefore requires some kind of foothold in your machine in order to pull this off. The vulnerability, it appears, cannot be easily fixed or mitigated without significant redesign work at the silicon level.

Moghimi doubts Intel has a viable response. "My personal opinion is that when it comes to the memory subsystem, it's very hard to make any changes and it's not something you can patch easily with a microcode without losing tremendous performance," he said.

"So I don't think we will see a patch for this type of attack in the next five years and that could be a reason why they haven't issued a CVE." ®️
SPOILER

Spoooilers!!!

Offler 03-05-2019 06:56 AM

Quote:

Originally Posted by Imouto (Post 27878812)
SPOILER

Spoooilers!!!

https://arxiv.org/pdf/1903.00446.pdf

Its an archive from University of Cornell. I skimmed the paper and it looks legit. What looks bit sketchy to me is that:

"While most of these attacks require
local access and native code execution, various efforts have
been successful in conducting them remotely "

huzzug 03-05-2019 07:11 AM

So Intel procs having another Meltdown?

AlphaC 03-05-2019 07:14 AM

Nobody should be surprised, honestly

JackCY 03-05-2019 07:47 AM

How long before laws force Intel to do refunds considering the amount of negligence and errors in their products?

Almost seems like Intel has stopped paying people to keep it quiet so now we get all sorts of exploits old and new making it to the public. Maybe they should relaunch their "if you find an issue with our product we will pay you and you will keep it quiet" program.

Catscratch 03-05-2019 08:09 AM

Let me cut to the chase.

"The researchers also examined Arm and AMD processor cores, but found they did not exhibit similar behavior."

:D

Ceadderman 03-05-2019 08:12 AM

I believe Intel chose the Beta test manufacture level.

Pretty it up give it the works sell it for a large markup and let the suckers at the user end tell us how to smooth things out. Recover from that, put out the same CPU under a different SKU and make $$$$ at the expense of the sheep. If it works for PC gaming then it will work anywhere. :doh:

~Ceadder :drink:

Defoler 03-05-2019 08:20 AM

Quote:

Originally Posted by Catscratch (Post 27878932)
Let me cut to the chase.

"The researchers also examined Arm and AMD processor cores, but found they did not exhibit similar behavior."

:D

Note that they only tested bulldozer from 2012.
While intel did not significantly changed their design, AMD did in zen.

Hwgeek 03-05-2019 08:25 AM

As a consumer, I am not so happy with that (OMG I cannot believe I a saying that -lol), with all the troubles Intel are facing last few years, I am afraid that there is a chance to see "9900K" case with overpriced AMD CPU in few years since Intel are having troubles. :-).
As huge as a company is, the risk to fail gets bigger since the operation cost is massive and depends on their high income(For Intel it was 99% Datacenter/80~90% PC market?).

Avonosac 03-05-2019 08:38 AM

Quote:

Originally Posted by Offler (Post 27878842)
https://arxiv.org/pdf/1903.00446.pdf

Its an archive from University of Cornell. I skimmed the paper and it looks legit. What looks bit sketchy to me is that:

"While most of these attacks require
local access and native code execution, various efforts have
been successful in conducting them remotely "

It's called chaining. They get code added and staged through a series of vulnerabilities and use this to execute it. This is how all advanced attacks work, it's basically vulnerability legos.


All times are GMT -7. The time now is 06:04 AM.

Powered by vBulletin® Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.

User Alert System provided by Advanced User Tagging (Pro) - vBulletin Mods & Addons Copyright © 2019 DragonByte Technologies Ltd.
vBulletin Security provided by vBSecurity (Pro) - vBulletin Mods & Addons Copyright © 2019 DragonByte Technologies Ltd.

vBulletin Optimisation provided by vB Optimise (Pro) - vBulletin Mods & Addons Copyright © 2019 DragonByte Technologies Ltd.