Friday, January 5th 2018

Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown

By the time Intel launched its 8th generation Core "Coffee Lake" desktop processor family (September 25, 2017, with October 5 availability), the company was fully aware that the product it was releasing was vulnerable to the three vulnerabilities plaguing its processors today, the two more publicized of which are "Spectre" and "Meltdown." Google Project Zero teams published their findings on three key vulnerabilities, Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754), in mid-2017, sharing them with hardware manufacturers under embargo, well before Intel launched "Coffee Lake." Their findings were made public on January 3, 2018.

Intel's engineers would have had sufficient time to understand the severity of the vulnerability, as "Coffee Lake" is essentially the same micro-architecture as "Kaby Lake" and "Skylake." As one security researcher puts it, this could affect Intel's liability when 8th generation Core processor customers decide on a class-action lawsuit. As if that weren't bad enough, "Skylake" and later micro-architectures could require micro-code updates in addition to OS kernel patches to work around the vulnerabilities. The three micro-architectures are expected to face a performance hit, despite Intel extracting colorful statements from its main cloud-computing customers that performance isn't affected "in the real-world." The company was also well aware of Spectre and Meltdown before its CEO dumped $22 million in company stock and options (while investors and the SEC were unaware of the vulnerabilities).

111 Comments on Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown

#1
eidairaman1
The Exiled Airman
Ouch another one, not good at all
Posted on Reply
#2
First Strike
It is OK to blame Intel for releasing Meltdown-vulnerable processors. But since it can be solved with Linux KPTI and Windows kernel rework, and Intel did finish that work with Linux team and Microsoft in time, it's kinda less unacceptable.

But hell no, you can’t blame Intel for Spectre vulnerability. It affects ALL modern processors with speculative execution and is simply impossible to fix (unless every app developer cooperates). The only way we currently know is to drop speculative execution and get back to stone age (80x86). We need another breakthrough in computer science in the following years to fix it.
Posted on Reply
#3
Prima.Vera
Why do I have a feeling that things are blowing out of proportions again...
Posted on Reply
#4
Chaitanya
Prima.Vera said:
Why do I have a feeling that things are blowing out of proportions again...
I don't think it's blown to the proportions it needs to; these c***-ups are affecting millions of users of cloud computing. What's worse is that now that it's all over the news, hackers who may have been in the dark will now exploit the bug even after software band-aid patches have been applied (since it's a hardware bug, it can still be exploited). Intel needs to own up to their mess and clean it up or go belly up for good. Just a few months back it was the Intel ME exploit, before that a USB exploit, and now these 3 new exploits. Guess it's a good thing so many fanboys are still a**-******g Intel in making sure they make a profit at the end of the year.
Posted on Reply
#5
First Strike
Nevertheless, Intel CEO did a great job on timing in terms of dumping stocks, so he didn't get thrown into jail. lmao
Posted on Reply
#6
RejZoR
I hope shit is paying off for Intel skimping on quality work on hardware saving few millions back then and now losing 10x as much. And no, I don't think anything is blowing out of proportions. Crap like this shows the real attitude of the company. Releasing a flawed product well knowing it's flawed to such extent shows intent. They were literally hoping no one would notice or care. Damn right people should be outraged and they should feel the anger financially. I'm still waiting for actual confirmations what all the recent patches are fixing (if anything at all and how much penalty we're paying for it), but it's very unlikely I'll be buying Intel next time. I ditched Intel as an option for laptop the moment news broke out about the flaws and how their CEO dumped the stocks right before shit went public. That was the moment I ordered AMD based laptop which was as a second a bit more expensive (but faster) option. Same fate will meet the desktop eventually depending on situation. Not in the mood to change my entire X99 platform just yet...
Posted on Reply
#7
Prima.Vera
But then again, for a normal desktop machine, do you really need a BIOS and OS update that's just going to slow your CPU down? I mean how many Joes are running VMs in a shared environment??
Posted on Reply
#8
piloponth
Has Intel's CEO been sued for insider trading yet? Or does the rule "too big to fail" apply once again?
Posted on Reply
#9
RejZoR
Prima.Vera said:
But then again, for a normal desktop machine, do you really need a BIOS and OS update that's just going to slow your CPU down? I mean how many Joes are running VMs in a shared environment??
If you think VM means only VMWare and VirtualBox, then you're greatly mistaken. Pretty much all security software today uses virtualization for malware protection and analysis. You know, what they used to run in dreadfully slow and limited emulators is now run natively in its own secure space and dissected there. Would you want to allow that in a "secure space" from which malware can potentially access your actual host?
Posted on Reply
#10
lilunxm12
First Strike said:
It is OK to blame Intel for releasing Meltdown-vulnerable processors. But since it can be solved with Linux KPTI and Windows kernel rework, and Intel did finish that work with Linux team and Microsoft in time, it's kinda less unacceptable.

But hell no, you can’t blame Intel for Spectre vulnerability. It affects ALL modern processors with speculative execution and is simply impossible to fix (unless every app developer cooperates). The only way we currently know is to drop speculative execution and get back to stone age (80x86). We need another breakthrough in computer science in the following years to fix it.
The fact that Meltdown can be easily patched by software update actually makes it more unacceptable to me. The logic behind the fix is simple enough and shouldn't be ignored in a new generation of CPU release. To me it sounds like Intel chose to quickly push out competitive products (with an undisclosed critical flaw) against Ryzen over offering better security to all customers. Not patching Spectre can be excused, but not Meltdown.
Intel is committed to product and customer security
That official statement is a plain lie to me.
Posted on Reply
#11
thesmokingman
You don't ship a flawed product as new, especially one where you knew well in advance. It's rather deceptive imo. The cost after the fact is immeasurable.
Posted on Reply
#12
notb
Man... you and @Raevenlord are like a TPU's special squad for writing these anti-Intel comments. It's not even qualified as editorial or a citation from another page. It's just you - being able to put your personal opinion on the front page... :-)

Was AMD aware of Spectre when they released Ryzen Mobile in November? :-)

This really is a serious issue, but this panic is totally pointless. The reason why there is an embargo after a bug/flaw is found, is to give companies time to fix it before the problem goes public and media make a mess of it.
The most possible outcome now is that this whole situation will rush companies into releasing precooked fixes (so soon we'll get fixes to fixes).
Posted on Reply
#13
cmmw
This may all not be a design flaw but "is functional by design as a backdoor to professional hackers, legal, and illegal organization that had been informed about the backdoor." NSA is one of the publicly known organizations.

The leak of the backdoors is however undesirable to the organizations and hackers that use the backdoors on a daily basis.
Posted on Reply
#14
LocutusH
I also feel that this gets way overhyped (by the press) already...
Posted on Reply
#15
Patriot
cmmw said:
This may all not be a design flaw but "is functional by design as a backdoor to professional hackers, legal, and illegal organization that had been informed about the backdoor." NSA is one of the publicly known organizations.

The leak of the backdoors is however undesirable to the organizations and hackers that use the backdoors on a daily basis.
Yeah... no shit they knew there was a backdoor on the latest gen cpu... it's been there for 15yrs... the next wikileak dump should make this all more clear.
Given that 4 independent research groups happened to find all this shit at the same exact time... this was a tip-off/retiring of a backdoor due to impending leak.
Posted on Reply
#16
biffzinker
Prima.Vera said:
I mean how many Joes are running VMs in a shared environment??
I prefer my passwords as an example of the information disclosure being talked about in text I quoted below stay private undisclosed to third party apps in user space. ;)
Microsoft Security Advisory
Speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and can therefore lead to information disclosure.
These mitigations prevent attackers from triggering a weakness in the CPU which could allow the contents of memory to be disclosed.

In client (desktop) scenarios, a malicious user mode application could be used to disclose the contents of kernel memory.

Customers using Windows client operating systems including Windows 7 Service Pack 1, Windows 8.1, and Windows 10 need to apply both firmware and software updates.
Source: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities - Security Advisory
Posted on Reply
#17
dj-electric
piloponth said:
Has Intel's CEO been sued for insider trading yet? Or does the rule "too big to fail" apply once again?
I'm a firm believer in "the bigger they are, the harder they fall".
Posted on Reply
#18
ensabrenoir
.....just ignore that iceberg intel....nothing to worry about.... On the real though....this is kinda sad....
Posted on Reply
#19
thesmokingman
LocutusH said:
I also feel that this gets way overhyped (by the press) already...
It's all fake news right?
Posted on Reply
#20
cmmw
May just be like you said "retiring of a backdoor" and later push for next-generation processor sale with even more powerful backdoors:
(without the leaked backdoors)
Intel Management Engine (ME) cannot be switched off
AMD's Platform Security Processor (PSP) it uses an ARM processor..... can be switched off in BIOS, but can it actually be switched off in hardware level?

Scary.....

may just be retiring some leaked backdoors..... retiring some leaked backdoors...
main investors have both AMD and Intel shares
boosting AMD for balancing the CPU market, dramas and competitions are needed to boost sales.

All in the name for the greater good
Posted on Reply
#22
Patriot
Outback Bronze said:
Looks like I'll have to fire up my old P4 : )
It is still vulnerable.... you would have to break out a P1 to be unaffected....
Posted on Reply
#23
qubit
Overclocked quantum bit
Intel are clearly, a caring, sharing company. Aww, I feel so warm and fuzzy now. :nutkick:
Posted on Reply
#24
Rahmat Sofyan
Is all of this related to the Yahoo problem and other hacked or leaked accounts?
Posted on Reply
#25
I No
Tis funny how everyone ignores the fact that these chips were made way before Spectre and Meltdown hit. The only thing you can blame Intel for is releasing it to the public but then again some hefty sum went into the development of said chips. Business is business. Work for Coffee Lake was done pretty much at least 6 months before the chip went into production. Could Intel stop the launch with Ryzen lurking around? I wouldn't. As for the CEO dumping shares it was all legal under plan 10b5-1. So tinfoil hats on everybody. Oh and btw when the investors start dumping shares and bailing out THAT would be a sign that the ship has a leak. As far as this goes it's all getting blown out of proportion. Intel will still have the data center niche (kudos to AMD for their awesome business model that practically gave the segment away for free). At the end of the day this could've happened to any big tech firm out there.... They are all the same.
Posted on Reply