Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Intel Hardware Technology

Intel Is Patching Its 'Zombieload' CPU Security Flaw For the Third Time (engadget.com) 24

An anonymous reader quotes a report from Engadget: For the third time in less than a year, Intel has disclosed a new set of vulnerabilities related to the speculative functionality of its processors. On Monday, the company said it will issue a software update "in the coming weeks" that will fix two more microarchitectural data sampling (MDS) or Zombieload flaws. This latest update comes after the company released two separate patches in May and November of last year.

Compared to the MDS flaws Intel addressed in those two previous patches, these latest ones have a couple of limitations. To start, one of the vulnerabilities, L1DES, doesn't work on Intel's more recent chips. Moreover, a hacker can't execute the attack using a web browser. Intel also says it's "not aware" of anyone taking advantage of the flaws outside of the lab.
In response to complaints of the company's piecemeal approach, Intel said that it has taken significant steps to reduce the danger the flaws represent to its processors.

"Since May 2019, starting with Microarchitectural Data Sampling (MDS), and then in November with TAA, we and our system software partners have released mitigations that have cumulatively and substantially reduced the overall attack surface for these types of issues," a spokesperson for the company said. "We continue to conduct research in this area -- internally, and in conjunction with the external research community."
This discussion has been archived. No new comments can be posted.

Intel Is Patching Its 'Zombieload' CPU Security Flaw For the Third Time

Comments Filter:
  • With zombies you have to shoot them in the head. Otherwise they keep coming back.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Monday January 27, 2020 @08:09PM (#59662834)
    Comment removed based on user account deletion
    • Comment removed based on user account deletion
      • Hyper-threading is a waste. It is nothing but a total and complete waste and will never be anything other than that. Like many other technologies that we have created, they were done to work around corners we painted ourselves into. We are now out of that corner and should burn HT to the ground and leave it there where it belongs. Every thread you create you have to expend resources to handle that thread. We created HT to help keep very CPU hungry processes from eating an entire core up and causing iss

        • by TheGratefulNet ( 143330 ) on Monday January 27, 2020 @10:31PM (#59663218)

          HT on the amd 3000 is well above 30% speed increase. I tested it personally.

          if you want to give up 30%, that's up to you, but I'll gladly take a build that completes 30% faster.

          on my older i7, the HT increase was much much less. but AMD, its stupid to disable it. IT WORKS WELL. no security problems with HT on AMD either.

        • by AmiMoJo ( 196126 ) on Tuesday January 28, 2020 @08:08AM (#59663938) Homepage Journal

          Hyper threading makes complete sense and is an obvious enhancement to make when you already have multiple ALUs and FPUs and an out-of-order CPU. The gain can be relatively large (+30% is low for AMD implementations) for relatively little extra silicon.

          The problem is the way Intel cut corners when implementing it. AMD's version is fine, immune to most of these issues and easily fixed with negligible performance loss on the rest.

    • Intel also needs to up PCI-E lanes on all classes and drop the idea of raid keys. Will just be rolling out pci-e V4 when amd is at v5?

    • by Mashiki ( 184564 )

      ahh...I'm sure the idiots will be along anytime now telling you how a 30% performance drop is impossible, and it's pure AMD propaganda. Intel has some mighty serious issues with multiple areas of their CPU's right now, it's almost like they decided to dump "best practices" for "expedient practices."

    • Intel needs to sober up and learn this isnt going away with hand waving and lowballing the severity of their CVE's for the sake of the investors. Hyperthreading was always a tradeoff between security and speed. HT patches at best nerf performance by 30%, and if given enough time will mean some environments no longer run with hyperthreading at all. Now that AMD has caught up again, its time Intel sees HT for what it really is: a liability.

      Flying through hyperthreading ain't like dusting crops, boy! Without precise calculations you could fly right through a mem allocation stack or bounce right into to a closed loop process and that'd end your threading trip real quick, wouldn't it?

    • The problem is not hyperthreading itself, is to do hyperthreading in an insecure way as Intel did. It took a series of shortcuts that compromised thread safety in favor of speed, and is now paying for it.
  • Intel Is Patching Its 'Zombieload' CPU Security Flaw For the Third Time

    Next, it's "Intel Meets the Women of Jerusalem" or "Intel is Stripped of its Garments".
    Been a very long time, can't remember the exact order.

  • The maxim is credited to Donald Knuch. author of The Art of Computer Programming.

    • by Aighearach ( 97333 ) on Tuesday January 28, 2020 @02:11AM (#59663510)

      "The real problem is that programmers have spent far too much time worrying about efficiency in the wrong places and at the wrong times; premature optimization is the root of all evil (or at least most of it) in programming."
      -- Donald Knuth, The Art of Computer Programming

      • by AmiMoJo ( 196126 )

        premature optimization is the root of all evil (or at least most of it) in programming

        See how he prematurely optimized his sentence from "most cases" to "all cases, no conditional branch required" and then had to go back and correct it?

        • Nope, like most people you omitted the words "in the wrong places and at the wrong times" from your attempt at internalizing the lesson.

  • ..before someone or some hacking group figures out how to lasso an I.P. connection and coordinate MDS and zombieload with remote attack vectors on networks.

    The advisory says successful attacks already had credentialed access where they were logged in, but what about applying brute force measures or getting into Intel's Management Engine/security ring levels again like Spectre/Meltdown could?

    What if somehow this problem exists in another form or speculative instance on AMD machines, too but no one is fully a

  • Not aware of anyone using it ... Yeah ... riiiight.

    Do they think the NSA and such are *that* incompetent? Or are they just lying? Hmm... what's more likely, given past experiences? :D

After all is said and done, a hell of a lot more is said than done.

Working...