CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.

  1. hmscott

    This base problem that Intel won't release updated microcode for processors earlier than 2011 for earlier or future vulnerabilities also affects Windows / Linux x58 hardware CPUs for me, and of course many thousands of others.

    So this article isn't only about Apple Macs, it's about all still active Intel CPUs that Intel won't support. Eventually it might catch up with an Intel CPU you have that is getting support now for currently found issues, but later found issues won't get microcode updates.

    Eventually all Intel CPUs made that are vulnerable due to architecture failings will succumb to no support, so many like me that try to keep hardware in use as long as functionally practical will have to retire hardware much earlier than anticipated.

    Apple lists Macs it can’t patch against ‘ZombieLoad’ exploits

    There’s only so much Apple can do without Intel’s help.
    BY KILLIAN BELL • 6:00 AM, MAY 17, 201
    https://www.cultofmac.com/625928/apple-macs-cant-patch-against-zombieload-exploit/

    "Apple has published a list of Macs that are still vulnerable to “ZombieLoad” exploits because they cannot be patched.

    The older machines — all made before 2011 — may receive security updates, Apple says. But a proper fix won’t be available because Intel won’t release the necessary microcode updates.

    The ZombieLoad exploit takes advantage of a newly-discovered vulnerability in all Intel processors released since 2011. It allows attackers to acquire sensitive data temporarily stored on the chip.

    Fixing the problem is complicated. Apple has already rolled out patches that mitigate the issue, but users who apply a complete fix could suffer a performance decrease of up to 40%.

    Some Mac users won’t get a proper fix at all, Apple has warned.

    Older Macs still vulnerable to ZombieLoad
    A number of Mac models released before 2011 may remain vulnerable to ZombieLoad and similar exploits, Apple has warned. Those include:
    • MacBook (13-inch, Late 2009)
    • MacBook (13-inch, Mid 2010)
    • MacBook Air (13-inch, Late 2010)
    • MacBook Air (11-inch, Late 2010)
    • MacBook Pro (17-inch, Mid 2010)
    • MacBook Pro (15-inch, Mid 2010)
    • MacBook Pro (13-inch, Mid 2010)
    • iMac (21.5-inch, Late 2009)
    • iMac (27-inch, Late 2009)
    • iMac (21.5-inch, Mid 2010)
    • iMac (27-inch, Mid 2010)
    • Mac mini (Mid 2010)
    • Mac Pro (Late 2010)
    ZombieLoad itself won’t work on these machines because they use older Intel chips. But they could be vulnerable to similar “speculative execution vulnerabilities,” - like those discovered Jan 2018 - Apple says, and there’s only so much Cupertino can do about it.

    Intel won’t fix older processors
    “These models may receive security updates in macOS Mojave, High Sierra or Sierra,” Apple explains in a new support document. But they are “unable to support the fixes and mitigations due to a lack of microcode updates from Intel.”

    You shouldn’t be too concerned, though. Even on newer Macs, it’s unlikely ZombieLoad and similar exploits will affect too many users.

    But this is another big reason why Apple is rumored to be developing its own chips for the Mac. Relying on third-parties leads to all kinds of problems that Apple often has no control over."

    Additional mitigations for speculative execution vulnerabilities in Intel CPUs
    https://support.apple.com/en-us/HT210107
     
    Riley Martin and Kyle like this.
  2. Kyle

    Intel being a dick. Microcode updates are not like big OS updates, and for security related issues, updates should be provided for 20 years at least.
     
    Riley Martin, joluke and hmscott like this.
  3. Prema

    Oh poor Apple can now blame someone else while they push users into buying new systems.
    If you need 'fear' to drive sales then maybe the problem is something else...

    No one cares what data anyone has on their system and if someone does care, then buying a new system won't stop that person from getting it.
     
    Riley Martin likes this.
  4. hmscott

    Apple's point wasn't to buy more Intel Macs. There are no new "secure" architecture Intel CPUs available to purchase by anyone. Apple can't make new "secure" Intel Macintosh computers to sell, they can't exist.

    If Intel's master plan was to force customers to purchase new Intel CPUs through core CPU security design failures, that would be another Intel failure as Intel doesn't have a working "secure" CPU solution to sell, even at 14nm.

    Apple's message is that Intel needs to get their act together and support Apple Intel Macintosh Owners by continuing to fix CPU security issues that existed when the CPUs were made and sold, only to be discovered years later.

    There are lots of people that do care about their data privacy, and if nothing else most people care if their systems are compromised for use in botnets and used as go-betweens in attacks on other computers.

    Although I understand these vulnerabilities are very frustrating, adding time-consuming work to our already overworked lives - costing us time and money to mitigate, simply declaring "it doesn't matter" doesn't solve the problems now or in the future.

    I feel your pain bro, but please don't give up or suggest others should give up, that's not the guru way - we help people solve problems. Suggesting people should simply give up without solving the problem isn't cool.

    Hang in there. :)
     
    Last edited: May 19, 2019
    Riley Martin and Kyle like this.
  5. Prema

    Everyone has an agenda. It's no coincidence that all these potential security flaws show up now.

    If you don't instill fear into people, then how are you going to sell them new laws that are going to keep you 'secure'.

    Everyone already has access to all our data because we have signed it away a long time ago...data is the thing that feeds the machine.

    Create a problem to sell the solution, sadly the old mistakes are still being repeated.

    We live in an age of instant information, but not instant transformation.

    We will get there one day, but each one at their own pace...
     
    Last edited: May 18, 2019
    bennyg, Riley Martin and Falkentyne like this.
  6. hmscott

    As with all security flaws made public, these are showing up now because enough people in parallel figured them out and the information couldn't be contained. Releasing the information didn't benefit Intel, and it could have horrendous effects on everyone.

    The only conspiracy that would come out of this is a conspiracy to weaken people's resolve to maintain their personal space and personal privacy because it's "hopeless" or "inevitable" so we should all simply "give up".

    If you are looking for timing, then it's been timed right at the juncture when people are waking up to the danger to their personal privacy.

    Providing such a "hopeless" blow to people to get them to give up is the only conspiracy that makes sense to me. Promoting hopelessness and ignorance is the historical method of choice. It's time to wake up and work toward being a part of the solution, or roll over and go back to sleep in ignorance.

    We need to inform people and encourage them to implement solutions, not throw up our hands and suggest giving up. :)
     
    Riley Martin and Starlight5 like this.
  7. Prema

    That's easy. We have to start looking inside for security and stop looking for it outside.

    Edit: In short > stop buying into fear and don't let it be your decision maker.
     
    Last edited: May 18, 2019
  8. hmscott

    If you are suggesting we ignore publicly posted security investigations, publicly posted vendor reports from Intel and OS vendors, or other publicly factual reporting, then I can't recommend your advice, as it's motivated by fear - you yourself are interpreting it as fear generating.

    I've been doing security mitigations for decades, and there isn't a single time our work has been run on fear - it runs on facts and rational solutions.

    Rarely the solutions required switching hardware vendors, usually switching OS versions or specific configurations is all that is needed. If there wasn't a ready solution but the vulnerabilities were live - we are tracking intrusion attempts - then live configuration changes to block those intrusions are acted on - and are adrenaline fueled at times, but you can't let fear change your reasoned course of action.

    When I received responses like, ignore it it'll go away, or it's got a low probability of occurring ignore it, those were valid responses 40 years ago, as they didn't know better.

    As part of the progression of understanding growing in the mind of managers and employees, it was fun to watch those fear driven responses die right in front of our eyes - some large conference table meetings included someone saying such fear motivated things - with immediate repudiation by someone else in the meeting - "it's already happened, that's why we are here" let's work toward solutions now we can no longer put this off.

    We'd use those times to also take action on other "back burner" projects to resolve security issues - to fold in solution choices - added features to address other issues at the same time - early on we added monitoring functionality we could never get funding for "when everything was working fine".

    Can you imagine, there was a time when large networks only monitored for faults? Then performance was added. Then even later monitoring for intrusions, before formalized IDS systems were available.

    These are all the steps I've been through, many more of course, and I can tell you that ignoring it isn't a solution, it won't go away, security holes will be actualized into real activity - we don't always know what form, but it's never good for the end user.

    We are lucky now in that we have a large heads up and real activity being applied to solutions, unfortunately there are likely even greater levels of activity going into using these vulnerabilities.

    I know the feeling, I have had to talk down a lot of panicky people over the years - and reasoned education and awareness were the only workable solution - and lots of patience waiting for them to catch up.

    You can help by getting out there and learning as much as you can about the software and hardware behind the problems - and watch for exploits and solutions to mitigate them.

    We can't bury our heads to escape from the repercussions from publicly published security vulnerabilities, it's not going away, it's only going to get worse over time.

    The more pressure brought on Intel to solve this problem through new hardware architectures the better, sooner, and faster Intel will put the work in to move past these failures.

    If I was Intel I'd throw resources at this before wasting $ on 10nm / 7nm, buy new process technology from others right now to assure competitive production continues, and then get back to building new architectures and new secure CPU's.
     
    Last edited: May 18, 2019
    Riley Martin likes this.
  9. Riley Martin

    Good post. And 'profit' is substitutable for 'performance'. :( Remember how the Intel CEO sold off his stock, all but the min required to be CEO, 1 week b4 Project Zero's POC was made public?

    Interesting. Big picture, yet another angle - pissed off employee wants to upset his boss, read the Amsterdam POC & go for it. But selfishly I couldn't help but wonder, is oldschool AHCI mode a safer alt. for those who can still use it?

    From Article above, "Some of the data will always be the same, and other data will change. We see what occurs most often, and this is the data we’re interested in. It’s basic statistics." Scary!

    "We have signed it away...", meaning our Govts.? I agree w/ you Prema on most points, but don't stop the good fight, you know? It's not easy, but there is still some semblance of Privacy today, if one works at it, no? (#eff) Peace! :)
     
    Last edited by a moderator: May 22, 2019
  10. ajc9988

    Actually it wasn't 1 week. He set up his 10b5-1 trading plan at the beginning of October of 2017. The sell went through after the release of the HEDT High Core Count CPUs (14-18 core). Also, Coffee Lake, which had the vulnerability, was seemingly pushed up until then and had low availability until after the vulnerability became public in the first days of 2018. Meanwhile, Intel received word of the vulnerability in June of 2017, which considering it required a redesign to fix it, and that was known by September of 2017, there is no way he was not briefed and did not know about the vulnerability. That makes a strong argument for insider trading. But, after the announcement, within a couple days, the couple dollar loss bounced back, meaning you have to argue damages on it.


    It's more that governments allow consumers to sign away their privacy rights is how I took that part. So it is the person on FB or other data mining sites that have stripped people of privacy.

    Moreover, I don't find those arguments convincing. I personally feel, even though if a person has enough gumption they will get to the data regardless, that you shouldn't make it easy for them.

    Considering the plethora of vulnerabilities that have come out in the past 2 years, and the uptick in the number of attacks companies receive daily, I would say that Intel has a serious security issue.

    The datacenter market was set to have a downturn in purchases. These vulnerabilities, with the patches implemented, reduced processing power, resulting in the need to scale out their server implementations, which caused the datacenter demand to increase rather than decrease (to make up for the lost processing power), a likely contributor to Intel's fabrication shortage.
     
    bennyg, Vasudev and hmscott like this.