Intel Is Patching Its 'Zombieload' CPU Security Flaw For the Third Time (engadget.com) 24
An anonymous reader quotes a report from Engadget: For the third time in less than a year, Intel has disclosed a new set of vulnerabilities related to the speculative functionality of its processors. On Monday, the company said it will issue a software update "in the coming weeks" that will fix two more microarchitectural data sampling (MDS) or Zombieload flaws. This latest update comes after the company released two separate patches in May and November of last year.
Compared to the MDS flaws Intel addressed in those two previous patches, these latest ones have a couple of limitations. To start, one of the vulnerabilities, L1DES, doesn't work on Intel's more recent chips. Moreover, a hacker can't execute the attack using a web browser. Intel also says it's "not aware" of anyone taking advantage of the flaws outside of the lab. In response to complaints of the company's piecemeal approach, Intel said that it has taken significant steps to reduce the danger the flaws represent to its processors.
"Since May 2019, starting with Microarchitectural Data Sampling (MDS), and then in November with TAA, we and our system software partners have released mitigations that have cumulatively and substantially reduced the overall attack surface for these types of issues," a spokesperson for the company said. "We continue to conduct research in this area -- internally, and in conjunction with the external research community."
Compared to the MDS flaws Intel addressed in those two previous patches, these latest ones have a couple of limitations. To start, one of the vulnerabilities, L1DES, doesn't work on Intel's more recent chips. Moreover, a hacker can't execute the attack using a web browser. Intel also says it's "not aware" of anyone taking advantage of the flaws outside of the lab. In response to complaints of the company's piecemeal approach, Intel said that it has taken significant steps to reduce the danger the flaws represent to its processors.
"Since May 2019, starting with Microarchitectural Data Sampling (MDS), and then in November with TAA, we and our system software partners have released mitigations that have cumulatively and substantially reduced the overall attack surface for these types of issues," a spokesperson for the company said. "We continue to conduct research in this area -- internally, and in conjunction with the external research community."
Everyone knows this (Score:2)
Rule #2 (Score:2)
Rule #2: Double Tap
Never assume a zombie is dead. Always make sure with a clean shot to the brain.
Re: (Score:2)
Re: (Score:2)
Comment removed (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3)
Hyper-threading is a waste. It is nothing but a total and complete waste and will never be anything other than that. Like many other technologies that we have created, they were done to work around corners we painted ourselves into. We are now out of that corner and should burn HT to the ground and leave it there where it belongs. Every thread you create you have to expend resources to handle that thread. We created HT to help keep very CPU hungry processes from eating an entire core up and causing iss
Re:death by a thousand patches. (Score:4, Informative)
HT on the amd 3000 is well above 30% speed increase. I tested it personally.
if you want to give up 30%, that's up to you, but I'll gladly take a build that completes 30% faster.
on my older i7, the HT increase was much much less. but AMD, its stupid to disable it. IT WORKS WELL. no security problems with HT on AMD either.
Re:death by a thousand patches. (Score:5, Insightful)
Hyper threading makes complete sense and is an obvious enhancement to make when you already have multiple ALUs and FPUs and an out-of-order CPU. The gain can be relatively large (+30% is low for AMD implementations) for relatively little extra silicon.
The problem is the way Intel cut corners when implementing it. AMD's version is fine, immune to most of these issues and easily fixed with negligible performance loss on the rest.
Intel also needs to up PCI-E lanes on all classes (Score:2)
Intel also needs to up PCI-E lanes on all classes and drop the idea of raid keys. Will just be rolling out pci-e V4 when amd is at v5?
Re: (Score:3)
ahh...I'm sure the idiots will be along anytime now telling you how a 30% performance drop is impossible, and it's pure AMD propaganda. Intel has some mighty serious issues with multiple areas of their CPU's right now, it's almost like they decided to dump "best practices" for "expedient practices."
Re: death by a thousand patches. (Score:1)
agree 100%
Re: (Score:1)
Intel needs to sober up and learn this isnt going away with hand waving and lowballing the severity of their CVE's for the sake of the investors. Hyperthreading was always a tradeoff between security and speed. HT patches at best nerf performance by 30%, and if given enough time will mean some environments no longer run with hyperthreading at all. Now that AMD has caught up again, its time Intel sees HT for what it really is: a liability.
Flying through hyperthreading ain't like dusting crops, boy! Without precise calculations you could fly right through a mem allocation stack or bounce right into to a closed loop process and that'd end your threading trip real quick, wouldn't it?
Re: (Score:3)
IIRC... (Score:2)
Next, it's "Intel Meets the Women of Jerusalem" or "Intel is Stripped of its Garments".
Been a very long time, can't remember the exact order.
Premature optimization is the root of all evil. (Score:2)
The maxim is credited to Donald Knuch. author of The Art of Computer Programming.
Re:Premature optimization is the root of all evil. (Score:4, Informative)
"The real problem is that programmers have spent far too much time worrying about efficiency in the wrong places and at the wrong times; premature optimization is the root of all evil (or at least most of it) in programming."
-- Donald Knuth, The Art of Computer Programming
Re: (Score:2)
premature optimization is the root of all evil (or at least most of it) in programming
See how he prematurely optimized his sentence from "most cases" to "all cases, no conditional branch required" and then had to go back and correct it?
Re: (Score:2)
Nope, like most people you omitted the words "in the wrong places and at the wrong times" from your attempt at internalizing the lesson.
won't be long.. (Score:1)
..before someone or some hacking group figures out how to lasso an I.P. connection and coordinate MDS and zombieload with remote attack vectors on networks.
The advisory says successful attacks already had credentialed access where they were logged in, but what about applying brute force measures or getting into Intel's Management Engine/security ring levels again like Spectre/Meltdown could?
What if somehow this problem exists in another form or speculative instance on AMD machines, too but no one is fully a
This is why we need exploits. (Score:2)
Not aware of anyone using it ... Yeah ... riiiight.
Do they think the NSA and such are *that* incompetent? Or are they just lying? Hmm... what's more likely, given past experiences? :D