Friday, January 5th 2018

Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown

By the time Intel launched its 8th generation Core "Coffee Lake" desktop processor family (September 25, 2017, with October 5 availability), the company was fully aware that the product it is releasing was vulnerable to the three vulnerabilities plaguing its processors today, the two more publicized of which, are "Spectre" and "Meltdown." Google Project Zero teams published their findings on three key vulnerabilities, Spectre (CVE-2017-5753 and CVE-2017-5715); and Meltdown (CVE-2017-5754) in mid-2017, shared with hardware manufacturers under embargo; well before Intel launched "Coffee Lake." Their findings were made public on January 3, 2018.

Intel's engineers would have had sufficient time to understand the severity of the vulnerability, as "Coffee Lake" is essentially the same micro-architecture as "Kaby Lake" and "Skylake." As one security researcher puts it, this could affect Intel's liability when 8th generation Core processor customers decide on a class-action lawsuit. As if that wasn't worse, "Skylake" and later micro-architectures could require micro-code updates in addition to OS kernel patches to work around the vulnerabilities. The three micro-architectures are expected to face a performance-hit, despite Intel extracting colorful statements from its main cloud-computing customers that performance isn't affected "in the real-world." The company was also well aware of Spectre and Meltdown before its CEO dumped $22 million in company stock and options (while investors and the SEC were unaware of the vulnerabilities).
Add your own comment

111 Comments on Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown

#2
Devon68
The fact that Intel knew about this 5-6 months ago and the fact they sold stock before the leak seems to be too big of a coincidence.
Oh well. Keep On Digging
Posted on Reply
#3
Emu
Prima.Vera said:
But then again, for a normal desktop machine, do you really need a bios and OS update that just going to slow your CPU down? I mean how many Joes are running VMs in a shared environment??
You do realise that the Meltdown exploit allows any program running on your computer to gain access to protected kernel memory. Stuff that is supposed to be kept secure like passwords are kept there. Exploiting Meltdown will allow a program to take over your computer.

Meltdown affects ALL INTEL CPUS THAT SUPPORT Out Of Order Execution which is pretty much all Intel CPUs released since 1995 other then some Atom and all Itanium CPUs.

Spectre is a different story though. Spectre potentially allows a program to access memory from another running program. This could potentially allow the program to steal things like your credentials, browser history, credit card numbers, and so on.

So, yes, if you are running a modern Intel CPU then you need the OS update. And you will also need the BIOS update to fix the ME exploit which allows malicious programs to get beyond kernel level access to a Intel based machine.

I No said:
Tis funny how everyone ignores the fact that these chips were made way before specter and meltdown hit. The only thing you can blame intel is realsing it to the public but then again some hefty sum went into the development of said chips. Business is business. Work for coffee lake was done pretty much at least 6 months before the chip went into production. Could Intel stop the launch with Ryzen lurking around? I wouldn't. As for the CEO dumping shares it was all legal under plan 10b5-1. So thinfoil hats on everybody. Oh and btw when the investors start dumping shares and bailing out THAT would be a sign that the ship has a leak. As far as this goes it's all getting blown out of proportion. Intel will still have the data center niche (kudos to AMD for their awsome business model that practicly gave the segment away for free). At the end of the day this could've happened to any big tech firm out there.... They are all the same.
The Intel CEO may still run into issues with insider trading if he did not have the share sale time and quantity predetermined before Intel found out about the vulnerabilities.
Posted on Reply
#4
I No
Even if he sold the shares due to the vulnerability panic I'm still having a hard time believing he's that much of a moron to actually risk a lawsuit over this... actually this is more like white collar prison grade stuff to mess around with. Then again I could be wrong lol. If he's guilty then to a prison he'll be going and I have no problem with that, if the law was broken haul his ass up to the big house.
Posted on Reply
#5
Flaky
Thank god I still have an atom n450 netbook :D

Anyway...
Coffee lake was meant to be a release of 6 core cpus with no architectural changes.
There would be no point in halting the release of coffee lake, especially when ES/QS cpus are being provided, and all partners already have working prototypes of new platform.
As the OS workaround is already out, the problem is resolved. Not in a way satisfying everyone, but it is resolved.
Posted on Reply
#6
HisDivineOrder
Haha. Everyone thought Intel rushed out Coffee Lake and the i9 because of competition with AMD. The truth is more sinister. They needed to get all their affected product lines out well in advance of the revelation of their insecurity came to light.

So the truth is Intel never worried about AMD; they worried about their own disastrous mistakes tanking a launch that might have otherwise been great for them. It's really hard to believe the entire tech industry tried to protect Intel from its own shortsightedness rather than expose them and let them reap all that they sowed.
Posted on Reply
#7
I No
HisDivineOrder said:
Haha. Everyone thought Intel rushed out Coffee Lake and the i9 because of competition with AMD. The truth is more sinister. They needed to get all their affected product lines out well in advance of the revelation of their insecurity came to light.

So the truth is Intel never worried about AMD; they worried about their own disastrous mistakes tanking a launch that might have otherwise been great for them. It's really hard to believe the entire tech industry tried to protect Intel from its own shortsightedness rather than expose them and let them reap all that they sowed.
They can't do anything else, the whole tech industry is running on their hardware.
Posted on Reply
#8
R-T-B
notb said:
being able to put your personal opinion on the front page... :)
Facts aren't opinions... What he said is fact.

AMD did not know about Spectre from their behavior until the project zero release, is my bet. Otherwise they would not have tried to market their cpus as immune in a rather vain struggle.
Posted on Reply
#9
Jism
This is why trust AMD with hardware more then Intel. The amount of bugs that Intel actually has is scaring. The IMEI thing, now this. So basicly no matter how updated your OS, Antivir, Firewall and even router configuration was, your system was still completely vulnerable towards some slick exploits causing safe data to be compromised. And on top of that, have 5 up to 30% performance penalty due to a software fix. Intel is bin skimping out on testing their CPU's. it's not just testing, it's the TIM and all sorts of stuff as well. Maximize profit, lower down the time required for the devs to test CPU's and all, as managers insist on doing so.

Intel WAS a quality company back in the 386/486/586 days. Their CPU's where superior compared to cloned ones such as AMD. But from that complete P3 and above, alot of various tactics where used to put themself on top and keep it that way, by offering vendors huge discounts of not the competition (=AMD) was being sold to the mass.

This company should burn over this case.
Posted on Reply
#10
EarthDog
Rahmat Sofyan said:
Is it all of this related to yahoo problem and other hacked or leaked accounts ?
No.
Posted on Reply
#11
Thefumigator
I am the only one who doesn't care? I will continue using my ryzen 7 cpu, and I don't even use an antivirus. Nobody is going to get rich by breaking into my email account and reading my stuff. All these vulnerability issues is making media go along for the ride.
Posted on Reply
#12
jigar2speed
Thefumigator said:
I am the only one who doesn't care? I will continue using my ryzen 7 cpu, and I don't even use an antivirus. Nobody is going to get rich by breaking into my email account and reading my stuff. All these vulnerability issues is making media go along for the ride.
^This, this is the reason why people get hacked and don't even realise/know that its not just your email account. Identity theft is the first thing that comes to my mind. Incase if you are using netbanking, you are screwed, incase if you are using CC for buying anything online, you are screwed.
This vulnerability has your computer completely exposed to attacks that you don't even comprehend yet. Oh and not having antivirus is an excellent recipe where you are already breached and someone might using your system for DDOS attacks or someone might be threatening someone pretending to be you. Things can go bad to worst and you won't even know it until authorities show up at your doorsteps.
Posted on Reply
#13
Vayra86
HisDivineOrder said:
Haha. Everyone thought Intel rushed out Coffee Lake and the i9 because of competition with AMD. The truth is more sinister. They needed to get all their affected product lines out well in advance of the revelation of their insecurity came to light.

So the truth is Intel never worried about AMD; they worried about their own disastrous mistakes tanking a launch that might have otherwise been great for them. It's really hard to believe the entire tech industry tried to protect Intel from its own shortsightedness rather than expose them and let them reap all that they sowed.
Don't overinflate and speculate, because that is what you're doing here.

CPUs are already designed, probably even the next Intel release will still contain the same architecture with the same leak.

This topic and the supposed scandal of Intel stock being sold are perfect examples of everything we don't really need. Only Meltdown is directly attributable to an Intel specific design, Spectre hits everyone. Also consider the alternative: not releasing anything, not just for the past 6 months but also the next year. Meanwhile, you also can't disclose WHY you're not releasing anything. Imagine the question marks that would raise...

The fact that Intel is a rat company was known long ago, these news items really add zero to that fact.
Posted on Reply
#14
Manu_PT
Ok, this is bad, sure. But isn´t all of this fixed already? Yes it is, and no you won´t have a 30% performance hit in any application. Tests and benchmarks are all over the web. This issue is fixed just like Blaster was fixed in 2001, for those that can remember it or if you even used computers back then.

You guys are acting like right now everyone with a personal computer is at risk while surfing the web and is the end of the world. This affects big data centers and companies more than anything, not the home user. Most of those exploits can´t even be used against you, unless you use specific apps/tasks. And as I said, it is fixed now, so chill out. Intel is still faster than Ryzen, and that still makes more money to some people, wich is what matters.
Posted on Reply
#15
Vayra86
Manu_PT said:
Ok, this is bad, sure. But isn´t all of this fixed already? Yes it is, and no you won´t have a 30% performance hit in any application. Tests and benchmarks are all over the web. This issue is fixed just like Blaster was fixed in 2001, for those that can remember it or if you even used computers back then.

You guys are acting like right now everyone with a personal computer is at risk while surfing the web and is the end of the world. This affects big data centers and companies more than anything, not the home user. Most of those exploits can´t even be used against you, unless you use specific apps/tasks. And as I said, it is fixed now, so chill out. Intel is still faster than Ryzen, and that still makes more money to some people, wich is what matters.
There are multiple exploits. Only 'Spectre 1' is fixed with the current patches as far as I can tell, which is based on the proof of concept that is currently available. That said, the leak that allows the exploit still exists in a basic sense. It just needs a new workaround to be used.

In addition, as I posted earlier to clarify, EVERY SYSTEM is vulnerable. Including your home PC. Happen to be a crypto whale? I'd start worrying.



- Entry: have code execution on system = ridiculously easy. Any website can inject malware, remember the malware we got served by ads not too long ago?
- Method: uses a very basic processor function that is present everywhere. Any attack is potentially huge in scope
- Impact: Read out memory and you can spy on everything someone does on a rig
- Action: software patching. As with all software, it can be hacked.

Let me sketch a worst-case scenario: software patching keeps getting circumvented and new hacks actually occur using these backdoors. At some point, public outrage forces Intel/AMD to start disabling branch prediction/speculative exec entirely. All of a sudden we're back in Sandy Bridge performance metrics ie. performance drops to 2012 mainstream.
Posted on Reply
#16
I No
Jism said:
This is why trust AMD with hardware more then Intel. The amount of bugs that Intel actually has is scaring. The IMEI thing, now this. So basicly no matter how updated your OS, Antivir, Firewall and even router configuration was, your system was still completely vulnerable towards some slick exploits causing safe data to be compromised. And on top of that, have 5 up to 30% performance penalty due to a software fix. Intel is bin skimping out on testing their CPU's. it's not just testing, it's the TIM and all sorts of stuff as well. Maximize profit, lower down the time required for the devs to test CPU's and all, as managers insist on doing so.

Intel WAS a quality company back in the 386/486/586 days. Their CPU's where superior compared to cloned ones such as AMD. But from that complete P3 and above, alot of various tactics where used to put themself on top and keep it that way, by offering vendors huge discounts of not the competition (=AMD) was being sold to the mass.

This company should burn over this case.
It's called running a business not a charity. They tend to maximize profit, everyone's on the "let's make moneyz" wagon. In a perfect world where all things were fair we wouldn't have to see these headlines, Intel would not roll out bugged hardware, AMD wouldn't skip the testing and rush out Ryzen or VEGA, nVidia wouldn't have seen a class action lawsuit over the 970 memory, Samsung wouldn't have to owe SAMSUNG for the Note 8 fiasco, Apple wouldn't sell the same crap they brought to the table a couple of years ago for $1000 and so forth. Besides this whole thing's been blown out of proportions data centers are ok your system is safe for the time being :
https://newsroom.intel.com/news-releases/industry-testing-shows-recently-released-security-updates-not-impacting-performance-real-world-deployments/
The company should burn if they would bail out on their customer base ... which mind you Intel isn't going to do with the branch that provides the biggest chunk of their income (Data Centers).
Posted on Reply
#17
Manu_PT
Vayra86 said:
There are multiple exploits. Only 'Spectre 1' is fixed with the current patches. Meltdown is not.

The other forms of Spectre are still out in the wild and potential backdoors, given the right approach/malware.

In addition, as I posted earlier to clarify, EVERY SYSTEM is vulnerable. Including your home PC. Happen to be a crypto whale? I'd start worrying.
You can worry if you want. I´m not worried at all, I don´t use anything that can allow access to my stuff with those flaws. You need to read the full disclosure of it to understand. Then talk please.

Stop spreading misinformation if you guys don´t know what you´re talking about.
Posted on Reply
#18
Vayra86
Manu_PT said:
You can worry if you want. I´m not worried at all, I don´t use anything that can allow access to my stuff with those flaws. You need to read the full disclosure of it to understand. Then talk please.

Stop spreading misinformation if you guys don´t know what you´re talking about.
I did. Seems like it matters a lot what/where you read. And most importantly, when, because this issue is still developing. Truths of yesterday are not the ones of today. I have already posted my sources. You're at liberty to think this isn't relevant for yourself, but I find that pretty naive, if not to say arrogant, especially when you state 'I don't use anything that can allow access'. So you never visit websites then?

Bottom line: we now all own a system with a broken lock on one of the doors. The software patch allows us to put duct tape over it, so we can pray it holds until this gets an architectural fix.
Posted on Reply
#20
john_
notb said:
Man... you and @Raevenlord are like a TPU's special squad for writing these anti-Intel comments. It's not even qualified as editorial or a citation from another page. It's just you - being able to put your personal opinion on the front page... :)
In the past, TPU was like doing a Holly Crusade against AMD for much less than a huge security flaw. I was complaining back then the way you do now. Well, having 3-4 articles in 2-3 days about the same stuff, does look a little too much. But considering that they where doing the same in the past about AMD stuff, I would say that they are keeping a balance here.
Posted on Reply
#21
notb
Jism said:

Intel WAS a quality company back in the 386/486/586 days. Their CPU's where superior compared to cloned ones such as AMD. But from that complete P3 and above, alot of various tactics where used to put themself on top and keep it that way, by offering vendors huge discounts of not the competition (=AMD) was being sold to the mass.

This company should burn over this case.
Hmm... so what you've said above is: before Intel had a serious competitor in AMD, they were a quality company. So maybe if we got rid of AMD, Intel would be back to it's great days? :)
Plus, older Intel designs were also full of issues, including the well known FDIV. It's even more significant when you think how far we've come in CPU design.

Also, your approach to this matter is really sad. Intel is the company running global microprocessor business. It's way more complicated than just you replacing your i7 with a Ryzen for gaming.
This problem might cost Intel billions and will have a serious impact on the whole computer industry.
Posted on Reply
#22
newtekie1
Semi-Retired Folder
I think Intel definitely needs to pay for releasing known insecure products to the market, but I also think people are over-reacting to the problems. The news reports want to make it sound like doomsday for security, and it really isn't. Yes, this is a hardware vulnerability, but it isn't as bad as some of the software vulnerabilities that exist. Spectre and Meltdown both require the exploit to be run locally, it can't be exploited remotely. There are vulnerabilities that can give people control of systems remotely. These require the user to execute something.

That said, people are likely to be able to easily be tricked into running virus programs. If there weren't people that run random things, I probably would lose half my business, and all those ransomware people wouldn't be making any money. But at the same time, I'd bet any good anti-virus programs will very quickly be updated to watch for behavior of this exploit and stop it, I mean that is what anti-viruses do with minimal performance impact.

I'm just glad Intel did this, because now I'll get some money back from the class-action lawsuit!
Posted on Reply
#23
Vayra86
newtekie1 said:
These require the user to execute something.
I keep reading this on TPU, but these days 'to execute code' is not something that needs to be done locally, it just needs to reside locally. Any malware can reside on your system for days, months, undetected and call home once its done reading out the process it wants to read.

The user really doesn't have to be in play here.
Posted on Reply
#24
CrAsHnBuRnXp
We should all get a refund on our processors and motherboards and then buy stock in AMD and all buy Ryzen products.
Posted on Reply
#25
EarthDog
LOL, I'll pass... and just kick back and watch.



I am glad I took a seat on the sidelines here... this is humorous to watch what many believe/think they know/don't know... etc. and the reactions from some are priceless.

Not saying I know any better. I don't really, but I'm not here running around like a chicken with my head cut off. Life is good.
Posted on Reply
Add your own comment