this post was submitted on 13 Aug 2023
958 points (99.1% liked)

Technology

59490 readers
2898 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Oh no.

top 50 comments
sorted by: hot top controversial new old
[–] eager_eagle@lemmy.world 286 points 1 year ago (3 children)

Downfall, Inception, Meltdown, Spectre, I hate to see new vulnerabilities, but their naming choices are solid.

[–] elbarto777@lemmy.world 141 points 1 year ago (1 children)

They should name them after their investors and board members.

[–] nikt@lemmy.ca 30 points 1 year ago

Gelsinger, McKeon, and Lavender do have a nice ring to them.

[–] dingleberry@discuss.tchncs.de 52 points 1 year ago (2 children)
[–] elvith@feddit.de 59 points 1 year ago* (last edited 1 year ago) (1 children)

Imagine a bug in the ALU when adding two octal values - Octoplussy

Or a bug in a specific Intel generation - Skylakefall

[–] emogu@lemmy.world 23 points 1 year ago

The next one will be discovered On Her Motherboard’s Secret Processes

load more comments (1 replies)
[–] mishimaenjoyer@kbin.social 34 points 1 year ago (1 children)

can't wait for "shellshock", "wildfire" and "collapse".

[–] nabladabla@sopuli.xyz 60 points 1 year ago* (last edited 1 year ago) (1 children)
[–] cybervseas@lemmy.world 204 points 1 year ago (4 children)

Intel claims most consumer software shouldn’t see much impact, outside of image and video editing workloads..

But that's, like the one place other than games where consumers are looking for performance. What's left, web browsing and MS Office?

[–] eager_eagle@lemmy.world 81 points 1 year ago (1 children)

"whew* my horrible bubble sort implementation is safe from performance impacts

load more comments (1 replies)
[–] FaceDeer@kbin.social 55 points 1 year ago (28 children)

I just skimmed through the article and it seems like this vulnerability is only really meaningful on multi-user systems. It allows one user to access memory dedicated to other users, letting them read stuff they shouldn't. I would expect that most consumer gaming computers are single-user machines, or only have user accounts for trusted family members and whatnot, so if this mitigation causes too much of a performance hit I expect it won't be a big risk to turn it off for those particular computers.

[–] TheOctonaut@mander.xyz 82 points 1 year ago (3 children)

Would it mean that a malicious application being run in non-admin mode by one user could see data/memory in use by an admin user?

It would indeed imply that which is why this vulnerability is also serious for single user contexts.

The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not normally be accessible.

load more comments (2 replies)
[–] Espi@kbin.social 43 points 1 year ago (2 children)

All these kind of CPU level vulnerabilities are the same, they are only really "risky" if there is malicious software running in the computer in the first place.

The real problem is that these CPU-level vulnerabilities all break one of the core concepts of computers, which is process separation and virtual memory. If process separation is broken then all other levels of security become pointless.

While for desktops this isn't a huge problem (except when sometimes vulnerabilities might even be able to be exploited though browsers), this is a huge problem for servers, where the modern cloud usually has multiple users in virtual machines in a single server and a malicious user could steal information across virtual machines.

[–] towerful@reddthat.com 31 points 1 year ago* (last edited 1 year ago)

Your first paragraph isn't quite right.
Modern hacks/cracks aren't a "do this and suddenly you are in" type deal.
It's a cascade chain of failures of non-malicious software.
Saying "don't have a virus" is absolutely correct, however that's not the concern here.
The concern is about the broadening of the attack surface.

A hacker gets minor access to a system. Leverages some CVE to get a bit more access, and keeps poking around and trying CVEs (known or unknown) until they get enough access to run this CVE.
And then they can escape the VM onto the host or other VMs on the same system, which might then give them access to a VM on another host, and they can escape that VM to get access to another VM, and on and on.

Very quickly, there is a fleet of VMs that are compromised. And the only sign of someone poking around is on the first VM the hacker broke into.
All other VMs would be accessed using trusted credentials.

ETA:
Infact, it doesn't even need to be a hacker.
It could be someone uploading a CI/CD task using their own account. It extracts all API keys, usernames and passwords it can find.
Suddenly, you have access to a whole bunch of repositories and APIs.
Then you can sneak in some malicious code to the git repo, and suddenly your malicious code is being shipped within legit software that gets properly signed and everything.

load more comments (1 replies)
[–] gressen@lemm.ee 33 points 1 year ago (1 children)

It allows memory access across virtual machines as well, meaning the all cloud VMs are vulnerable.

load more comments (1 replies)
load more comments (25 replies)
load more comments (2 replies)
[–] hark@lemmy.world 169 points 1 year ago (23 children)

Install backdoors and sell that info to governments and companies, then years later reveal the issue to justify downgrading performance of older CPUs to encourage people to upgrade.

load more comments (23 replies)
[–] TimeMuncher2@kbin.social 99 points 1 year ago (3 children)

According to him, billions of Intel processors are affected, which are used in private user computers as well as in cloud servers.
Update: Intel’s Downfall was closely followed by AMD’s Inception, a newfound security hole affecting all Ryzen and Epyc processors.

so both desktop and server chips are affected on both cpu manufacturers products. can't take any measures if your password is online on some server.

[–] TWeaK@lemm.ee 32 points 1 year ago

I was going to say, AMD had a flaw of similar severity. And they won't have a fix for a few months for most affected CPUs, and that fix will likely incur a loss in performance.

Basically it sounds like both of these flaws are due to the security chip. I can't help but feel like these flaws are by design. /tinfoil

[–] Wats0ns@sh.itjust.works 30 points 1 year ago

Downfall was disclosed to Intel a year ago but was on embargo until this week. Can't help but suspect that Intel waited for AMD to be impacted by a similar event to reveal downfall

load more comments (1 replies)
[–] AvgJoe@lemmy.world 72 points 1 year ago* (last edited 1 year ago) (2 children)

It took them a year for a microcode fix and it still has a performance loss of 50% in some cases? Ew

[–] Gsus4@feddit.nl 66 points 1 year ago* (last edited 1 year ago) (2 children)

So they created a massive vulnerability by misimplementing speculative execution which promised a, what, 10% speed gain tops and now that it was discovered you have to patch it and lose 50%? Genius.

load more comments (2 replies)
load more comments (1 replies)
[–] ram@feddit.nl 69 points 1 year ago* (last edited 1 year ago) (1 children)

If you get caught we've never met.

load more comments (1 replies)
[–] dual_sport_dork@lemmy.world 64 points 1 year ago* (last edited 1 year ago) (3 children)

Ha-ha. My chip's too old to be affected. I don't see my architecture on the list.

I knew putting off upgrading for around a decade would pay off. (Windows Update tells me my PC is not "ready" for Windows 11 due to its hardware, either. Oh no, whatever shall I do.)

load more comments (3 replies)
[–] RobotToaster@infosec.pub 56 points 1 year ago (5 children)

They really should be recalled like they were forced to when the fdiv bug happened https://en.wikipedia.org/wiki/Pentium_FDIV_bug

load more comments (5 replies)
[–] FrankFrankson@lemmy.world 53 points 1 year ago (8 children)

Every article is a copy paste of the same bullshit talking about the vulnerability and pointing to the stupid cryptic list of processors that requires you to jump through hoops to read it. You can't just search for your processor in a database I mean fuck that would take them at least an a couple hours of their precious time to set up and they have only had a year. How do you fix it? Why with a microcode update of course!!...from where you ask? Well don't worry just look at the cryptic list it will tell you if you need a microcode update!!

Fuck every article about this shit. Anyone wanna bust an Eli5 on how to fix this problem for people? (I was assuming it's a BIOS update but the articles have only confused me further)

[–] stardreamer@lemmy.blahaj.zone 39 points 1 year ago* (last edited 1 year ago)

ELI5, or ELIAFYCSS (Explain like I'm a first year CS student): modern x86 CPUs have lots of optimized instructions for specific functionality. One of these is "vector instructions", where the instruction is optimized for running the same function (e.g. matrix multiply add) on lots of data (e.g. 32 rows or 512 rows). These instructions were slowly added over time, so there are multiple "sets" of vector instructions like MMX, AVX, AVX-2, AVX-512, AMX...

While the names all sound different, the way how all these vector instructions work is similar: they store internal state in hidden registers that the programmer cannot access. So to the user (application programmer or compiler designer) it looks like a simple function that does what you need without having to micromanage registers. Neat, right?

Well, problem is somewhere along the lines someone found a bug: when using instructions from the AVX-2/AVX-512 sets, if you combine it with an incorrect ordering of branch instructions (aka JX, basically the if/else of assembly) you get to see what's inside these hidden registers, including from different programs. Oops. So Charlie's "Up, Up, Down, Down, Left, Right, Left, Right, B, B, A, A" using AVX/JX allows him to see what Alice's "encrypt this zip file with this password" program is doing. Uh oh.

So, that sounds bad. But lets take a step back: how bad would this affect existing consumer devices (e.g. Non-Xeon, non-Epyc CPUs)?

Well good news: AVX-512 is not available on most Intel/AMD consumer CPUs until recently (13th gen/zen 4, and zen 4 isn't affected). So 1) your CPU most likely doesn't support it and 2) even if your CPU supports it most pre-compiled programs won't use it because the program would crash on everyone else's computer that doesn't have AVX-512. AVX-512 is a non-issue unless you're running Finite Element Analysis programs (LS-DYNA) for fun.

AVX-2 has a similar problem: while released in 2013, some low end CPUs (e.g. Intel Atom) didn't have them for a long time (this year I think?). So most compiled programs wouldn't compile with AVX-2 enabled. This means whatever game you are running now, you probably won't see a performance drop after patching since your computer/program was never using the optimized vector instructions in the first place.

So, the affect on consumer devices is minimal. But what do you need to do to ensure that your PC is secure?

Three different ideas off the top of my head:

  1. BIOS update. The CPU has a some low level firmware code called microcode which is included in the BIOS. The new patched version adds additional checks to ensure no data is leaked.

  2. Update the microcode package in Linux. The microcode can also be loaded from the OS. If you have an up-to-date version of Intel-microcode here this would achieve the same as (1)

  3. Re-compile everything without AVX-2/AVX-512. If you're running something like Gentoo, you can simply tell GCC to not use AVX-2/AVX-512 regardless of whether your CPU supports it. As mentioned earlier the performance loss is probably going to be fine unless you're doing some serious math (FEA/AI/etc) on your machine.

load more comments (7 replies)
[–] HexesofVexes@lemmy.world 52 points 1 year ago (3 children)

Guess it's time for another FPS hit...

While the article says it won't impact most applications, I suspect it's closer to saying "won't impact most applications as much".

load more comments (3 replies)
[–] chicken@lemmy.dbzer0.com 48 points 1 year ago (3 children)

This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer.

So just continue not letting people use my computer, got it. Very simple fix.

[–] ryannathans@lemmy.world 26 points 1 year ago

Shared use of servers is probably the main issue

load more comments (2 replies)
[–] scottywh@lemmy.world 39 points 1 year ago (4 children)

/tinfoilhat

I admittedly stopped reading halfway through but I feel like these newest vulnerabilities being discovered are probably just fucking government back doors the manufacturers have been forced to include.

/tinfoilhat

load more comments (4 replies)
[–] Veedem@lemmy.world 37 points 1 year ago

Yikes the performance hit is scary but if you’re running a server, what option do you have?

[–] DarkThoughts@kbin.social 36 points 1 year ago (18 children)
load more comments (18 replies)
[–] lowleveldata@programming.dev 33 points 1 year ago (3 children)

Intel’s newer 12th-gen and 13th-gen Core processors are not affected.

Oh ok

[–] madeinthebackseat@lemmy.world 60 points 1 year ago (1 children)
[–] 1984@lemmy.today 21 points 1 year ago (1 children)

Upgrade to get 3% performance gains on paper and no noticeable real performance gain!

load more comments (1 replies)
[–] porksoda@lemmy.world 25 points 1 year ago

Oh don't worry, you'll hear about that vulnerability in two years.

load more comments (1 replies)
[–] iHUNTcriminals@lemm.ee 32 points 1 year ago* (last edited 1 year ago)

Jokes on them. I'm already watched by criminals and am used to companies throttling products.

[–] Chickenstalker@lemmy.world 26 points 1 year ago (2 children)

> Downfall

Is the Intel CEO holed up in a bunker and raging at his chip designers?

load more comments (2 replies)
[–] 1984@lemmy.today 21 points 1 year ago

Here we go again....

load more comments
view more: next ›