Oh no.

  • Eager Eagle@lemmy.world
    link
    fedilink
    English
    arrow-up
    250
    arrow-down
    1
    ·
    1 year ago

    Downfall, Inception, Meltdown, Spectre, I hate to see new vulnerabilities, but their naming choices are solid.

  • cybervseas@lemmy.world
    link
    fedilink
    English
    arrow-up
    173
    arrow-down
    2
    ·
    1 year ago

    Intel claims most consumer software shouldn’t see much impact, outside of image and video editing workloads…

    But that’s, like the one place other than games where consumers are looking for performance. What’s left, web browsing and MS Office?

  • TimeMuncher2@kbin.social
    link
    fedilink
    arrow-up
    85
    ·
    1 year ago

    According to him, billions of Intel processors are affected, which are used in private user computers as well as in cloud servers.
    Update: Intel’s Downfall was closely followed by AMD’s Inception, a newfound security hole affecting all Ryzen and Epyc processors.

    so both desktop and server chips are affected on both cpu manufacturers products. can’t take any measures if your password is online on some server.

    • TWeaK@lemm.ee
      link
      fedilink
      English
      arrow-up
      31
      arrow-down
      3
      ·
      1 year ago

      I was going to say, AMD had a flaw of similar severity. And they won’t have a fix for a few months for most affected CPUs, and that fix will likely incur a loss in performance.

      Basically it sounds like both of these flaws are due to the security chip. I can’t help but feel like these flaws are by design. /tinfoil

    • June@lemm.ee
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      From what I’m reading, Inception is a pretty minor vulnerability, especially compared to downfall.

  • AvgJoe@lemmy.world
    link
    fedilink
    English
    arrow-up
    62
    arrow-down
    1
    ·
    edit-2
    1 year ago

    It took them a year for a microcode fix and it still has a performance loss of 50% in some cases? Ew

    • Gsus4@feddit.nl
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      1 year ago

      Good supplier for an offline supercluster 😄 I’ll let my grant manager know.

  • dual_sport_dork 🐧🗡️@lemmy.world
    link
    fedilink
    English
    arrow-up
    54
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Ha-ha. My chip’s too old to be affected. I don’t see my architecture on the list.

    I knew putting off upgrading for around a decade would pay off. (Windows Update tells me my PC is not “ready” for Windows 11 due to its hardware, either. Oh no, whatever shall I do.)

    • atticus88th@lemmy.world
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      Dont the older chips suffer from a greater performance drop from spectre and meltdown vulnerabilities?

    • ArcaneSlime@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      1
      ·
      1 year ago

      This inspires confidence with my 2010 ass toshiba sattelite with an i5 and 8gb DDR3. I need to look and see if mine is too old lol.

    • linearchaos@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      6
      ·
      1 year ago

      Recall billions of processors?

      I hate Intel as much as the next person, but I don’t want them to disappear overnight generating a unimaginably large processor shortage.

      • Skates@feddit.nl
        link
        fedilink
        English
        arrow-up
        25
        arrow-down
        2
        ·
        edit-2
        1 year ago

        Then subsidize them for the recall, and take a percentage of their profits every year until it’s paid back. How is it OK to pass on a manufacturer defect to all consumers?

        • linearchaos@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          2
          ·
          edit-2
          1 year ago

          I’m not saying that it’s not a shit sandwich. I am saying that if Intel shut down right now we’d be pretty fucked. It would be far more likely for them to shut down production and walk away, start selling off patents and equipment. The strain it would put on arm to pick up the gauntlet would probably mean you’re not going to see a new cell phone, television or new car for the next few years.

          What the hell are they going to do for a recall anyway? Are you going to have them go back 5 years and try to recreate every model of CPU between then and now? None of those motherboards are going to support new things.

          You get your five or $600 back on your CPU which ends up being $50 by the time it comes out of arbitration, now you need not only a new CPU but a new motherboard.

          It’s like wrecking your 15-year-old beater car, insurance company gives you $150 and says go find yourself a new car.

          edit: Look, Intel is worth 150 billion. if they paid $50 per processor for a couple billion refunds, they’d just go bankrupt. They’re going to run for years subsidized making 0 profit and losing all their talent. It wasn’t their intent to screw it up, but here we are. There’s a patch that makes slow processors slower honestly, that’s the end of their responsibility other than to help people get it installed.

        • linearchaos@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          We have a lot of that going on, but blame won’t fix the outcome. Can’t pass any laws to fix it, the government is run by the politicians.

  • FrankFrankson@lemmy.world
    link
    fedilink
    English
    arrow-up
    46
    arrow-down
    1
    ·
    1 year ago

    Every article is a copy paste of the same bullshit talking about the vulnerability and pointing to the stupid cryptic list of processors that requires you to jump through hoops to read it. You can’t just search for your processor in a database I mean fuck that would take them at least an a couple hours of their precious time to set up and they have only had a year. How do you fix it? Why with a microcode update of course!!..from where you ask? Well don’t worry just look at the cryptic list it will tell you if you need a microcode update!!

    Fuck every article about this shit. Anyone wanna bust an Eli5 on how to fix this problem for people? (I was assuming it’s a BIOS update but the articles have only confused me further)

    • StarDreamer@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      33
      ·
      edit-2
      1 year ago

      ELI5, or ELIAFYCSS (Explain like I’m a first year CS student): modern x86 CPUs have lots of optimized instructions for specific functionality. One of these is “vector instructions”, where the instruction is optimized for running the same function (e.g. matrix multiply add) on lots of data (e.g. 32 rows or 512 rows). These instructions were slowly added over time, so there are multiple “sets” of vector instructions like MMX, AVX, AVX-2, AVX-512, AMX…

      While the names all sound different, the way how all these vector instructions work is similar: they store internal state in hidden registers that the programmer cannot access. So to the user (application programmer or compiler designer) it looks like a simple function that does what you need without having to micromanage registers. Neat, right?

      Well, problem is somewhere along the lines someone found a bug: when using instructions from the AVX-2/AVX-512 sets, if you combine it with an incorrect ordering of branch instructions (aka JX, basically the if/else of assembly) you get to see what’s inside these hidden registers, including from different programs. Oops. So Charlie’s “Up, Up, Down, Down, Left, Right, Left, Right, B, B, A, A” using AVX/JX allows him to see what Alice’s “encrypt this zip file with this password” program is doing. Uh oh.

      So, that sounds bad. But lets take a step back: how bad would this affect existing consumer devices (e.g. Non-Xeon, non-Epyc CPUs)?

      Well good news: AVX-512 is not available on most Intel/AMD consumer CPUs until recently (13th gen/zen 4, and zen 4 isn’t affected). So 1) your CPU most likely doesn’t support it and 2) even if your CPU supports it most pre-compiled programs won’t use it because the program would crash on everyone else’s computer that doesn’t have AVX-512. AVX-512 is a non-issue unless you’re running Finite Element Analysis programs (LS-DYNA) for fun.

      AVX-2 has a similar problem: while released in 2013, some low end CPUs (e.g. Intel Atom) didn’t have them for a long time (this year I think?). So most compiled programs wouldn’t compile with AVX-2 enabled. This means whatever game you are running now, you probably won’t see a performance drop after patching since your computer/program was never using the optimized vector instructions in the first place.

      So, the affect on consumer devices is minimal. But what do you need to do to ensure that your PC is secure?

      Three different ideas off the top of my head:

      1. BIOS update. The CPU has a some low level firmware code called microcode which is included in the BIOS. The new patched version adds additional checks to ensure no data is leaked.

      2. Update the microcode package in Linux. The microcode can also be loaded from the OS. If you have an up-to-date version of Intel-microcode here this would achieve the same as (1)

      3. Re-compile everything without AVX-2/AVX-512. If you’re running something like Gentoo, you can simply tell GCC to not use AVX-2/AVX-512 regardless of whether your CPU supports it. As mentioned earlier the performance loss is probably going to be fine unless you’re doing some serious math (FEA/AI/etc) on your machine.

    • SymphonicResonance@lemmy.world
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      You can’t just search for your processor in a database I mean fuck that would take them at least an a couple hours of their precious time to set up and they have only had a year. How do you fix it?

      This page tells you how to get your CPUID: https://www.intel.com/content/www/us/en/support/articles/000006831/processors/processor-utilities-and-programs.html

      Then search for the CPUID here: https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html

      • FrankFrankson@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        I figured out how to do it fairly quickly but it would be a hell of a lot easier if people could just type in “11700K” in a box on a web page or something and it could just tell them. Or they could have added a little bit of code to their CPU ID utility that says “yupp your processor is effected by the flaw”. I am mostly annoyed at all this not for me but for all the people who would read those pages and the contents would seem like an insane foreign language to them all while articles are telling them it’s a major security flaw that would allow people to steal their encryption keys.

        • SymphonicResonance@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          . Or they could have added a little bit of code to their CPU ID utility that says “yupp your processor is effected by the flaw”.

          That is a fair point.

    • alekks09@lemm.ee
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      1 year ago

      Are you using Windows or macOS? If so you don’t have to do anything. You can just wait and a new update will be available to you soon.

  • chicken@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    46
    arrow-down
    2
    ·
    1 year ago

    This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer.

    So just continue not letting people use my computer, got it. Very simple fix.

    • dbilitated@aussie.zone
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 year ago

      I think it also means software running can access other software’s memory which is probably bad but personally I’m not keen for that performance hit on my desktop

  • HexesofVexes@lemmy.world
    link
    fedilink
    English
    arrow-up
    43
    ·
    1 year ago

    Guess it’s time for another FPS hit…

    While the article says it won’t impact most applications, I suspect it’s closer to saying “won’t impact most applications as much”.

    • ram@feddit.nl
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      1
      ·
      1 year ago

      Guess it’s time for another FPS hit…

      Is it August already? Man, time flies.

    • StarDreamer@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      I would say you’ll be fine. Most games don’t compile with avx-2 anyways since it’ll crash if you run it on something that doesn’t have them (which is a lot of CPUs) and AVX-512 is straight up only available on Xeons, Epyc and zen 4. Nobody is going to use that for consumer software.

      The only game I can think of using AVX is a Skyrim mod for realistic physics, where the author provided binaries for AVX-2/AVX-512. So it won’t affect most compiled applications much since you need to compile with it first (which almost nobody does).

  • scottywh@lemmy.world
    link
    fedilink
    English
    arrow-up
    39
    arrow-down
    3
    ·
    1 year ago

    /tinfoilhat

    I admittedly stopped reading halfway through but I feel like these newest vulnerabilities being discovered are probably just fucking government back doors the manufacturers have been forced to include.

    /tinfoilhat

    • luciferofastora@discuss.online
      link
      fedilink
      English
      arrow-up
      14
      ·
      edit-2
      1 year ago

      I can’t comment on the general trend, but this specific one seems a bit too circumstantial to be of use for a serious spying effort. You’d have to have the spyware running parallel to the apps usong passwords you want to steal in a specific way.

      The risk exists, which is bad enough for stochastic reasons (eventually, someone will get lucky and manage to grab something sensitive, and since the potential damage from that is incalculable, the impact axis alone drives this into firm "you need to get that fix out asap), but probably irrelevant in terms of consistency, which would be what you’d need to actually monitor anyone.

      If you manage to grab enough info to crack some financial access data, you can steal money. If you can take over some legit online account or obtain some email-password combo, you can sell it. But if you want to monitor what people are doing in otherwise private systems, you need some way to either check on demand or log their actions and periodically send them to your server.

      It would be far more reliable to have injection backdoors to allow you access by virtue of forcing a credential check to come up valid than to hope for the lucky grab of credentials the user might change at an arbitrary moment in time.

    • deranger@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      Check out the documentary Zero Days (2016) if you haven’t already. That’s not really a tinfoil hat take these days IMO.

      • scottywh@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Just means they have to intentionally create new ones to be eventually found for the next generation.

      • 1984@lemmy.today
        link
        fedilink
        English
        arrow-up
        21
        arrow-down
        1
        ·
        1 year ago

        Upgrade to get 3% performance gains on paper and no noticeable real performance gain!

        • glockenspiel@lemmy.world
          link
          fedilink
          English
          arrow-up
          16
          ·
          1 year ago

          Now it’s more like “upgrade to maintain your level of performance, because our patched CPUs take a 50% performance hit” (per the article).

          That is quite convenient for them. I’m sure not a conspiracy given depth of the issue, just very convenient if people heed the call.

          Which most won’t. Enterprise is likely already on the newer gens aa part of normal refresh cycles. Maybe this just accelerates that a bit.

  • Veedem@lemmy.world
    link
    fedilink
    English
    arrow-up
    28
    arrow-down
    1
    ·
    1 year ago

    Yikes the performance hit is scary but if you’re running a server, what option do you have?

  • iHUNTcriminals@lemm.ee
    link
    fedilink
    English
    arrow-up
    26
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Jokes on them. I’m already watched by criminals and am used to companies throttling products.