Tuesday, March 5th 2019

Spoiler Alert: New Security Vulnerability Found Affecting Intel CPUs

A new security vulnerability has been found that only affects Intel CPUs - AMD users need not concern regarding this issue. Dubbed Spoiler, the newfound security vulnerability was discovered by the Worcester Polytechnic Institute in partnership with the University of Lübeck, and affects all Intel CPUs since the introduction of their Core architecture. This vulnerability too affects Intel's speculative execution design, and according to the researchers, works independent of OS, virtual machine, or sandboxed environments.

As the researchers explain, Intel's speculative execution of certain memory workloads requires the full physical address bits for the information in memory to be known, which could allow for the full address to be available in user space - allowing for privilege escalation and other microarchitectural attacks. According to the researchers, a software solution to this problem is impossible, which means this is yet another silicon-level bug that needs to be addressed in future processor designs.
Source: White Paper
Add your own comment

114 Comments on Spoiler Alert: New Security Vulnerability Found Affecting Intel CPUs

#2
trparky
Oh crap... :shadedshu::banghead:
Posted on Reply
#5
jmcslob
So in other words they discovered the NSA's back door.
Posted on Reply
#6
juiseman
I think Intel found the flaws themselves....That way they have an excuse to sell more of the same CPU's they have been selling since 2010.

"scare ware tactic" to sell more over priced CPU's...

If it ain't broke don't fix...well guess what? its broke again; "now we have to upgrade 1000's of our severs again""We just bought them last quarter!!"....lol...

This is most likely not accurate what I just wrote, but I can believe in market manipulation on almost any level....this would just be an extreme case of that.

I'm sure then, the next post will be "Why would Intel call foul on their own product? Because people will buy from them anyways because they are Intel....
Ever heard the phrase "All press is good press" its almost free advertisement in a way; though one might think it would hurt sales. The opposite effect
is most of the time observed....

jmcslob
So in other words they discovered the NSA's back door.
lol...that was my next thought....hahahhah
funney; and really kind of scary, but most likely true.
Posted on Reply
#9
Blinken
in all reality, it was probably just negligence in the pursuit of more profit. I'm sure in the coming years there'll be an internal memo leak where someone expressed a concern but was ignored and then there'll be a groundbreaking 20/20 story on some Sunday night about it, all while the general populace goes on computing in ignorant bliss.
Posted on Reply
#11
sam_86314
Good thing I switched to AMD recently...

...except my laptop and all of my other computers have Intel chips :banghead:
Posted on Reply
#12
ArbitraryAffection
laughs in Ryzen

Only thing left with an Intel processor in the house is mum's old Toshiba P750 laptop with a i5 2410M from 2011. I'm waiting for it to die so I can get her a Raven Ridge machine like my Envy x360, Super happy with it, especially now the drivers from the main stack can be used on the 2500U.
Posted on Reply
#13
lexluthermiester
Wow, this is literally deep core logic problems. Pun intended. This has the potential to be a little worse than the S&M thing of last year, if I'm understnding it correctly. Ouch. My poor Xeon's...
Posted on Reply
#14
Darmok N Jalad
Curious what sort of solutions we will get if it’s not software patchable as the reasearcher claims.
Posted on Reply
#15
jmcslob
lexluthermiester
Wow, this is literally deep core logic problems. Pun intended. This has the potential to be a little worse than the S&M thing of last year, if I'm understnding it correctly. Ouch. My poor Xeon's...
I just went from Ryzen to an I7 and I just put my kids on Ryzen and it looks like I'm going back that way too.
I'm not worried about S/M or this but I'm starting to get a bad feel for Intel again.
Posted on Reply
#16
phanbuey
So you would have to have code running on the machine that sits there looking for the moment when it can intercept a full address to a page in memory, and then grab that out of memory, in the hopes that it has sensitive data in there.

And after I grab that sensitive data and figure out how to use it, I will clean my house with a toothpick.
Posted on Reply
#17
mcraygsx
INTEL should've stopped selling any CPU built around core architecture as soon as first set of vulnerabilities were discovered. Especially to the Enterprise Market altogether. But its amazing to see over priced CPU and related motherboard on shelves at my local MC :eek:.

On the other hand I suppose if consumers are okay with IME then we should be okay with another vulnerability. Thank you for reporting this.
Posted on Reply
#18
GoldenX
mcraygsx
INTEL should've stopped selling any CPU built around core architecture as soon as first set of vulnerabilities were discovered. Especially to the Enterprise Market altogether. But its amazing to see over priced CPU and related motherboard on shelves at my local MC :eek:.

On the other hand I suppose if consumers are okay with IME then we should be okay with another vulnerability. Thank you for reporting this.
But but, best CPUs on the world, but but mah FPS, but but I can't go to "are you poor?" AMD.
Posted on Reply
#19
HTC
To be fair, while Meltdown and Spoiler don't affect AMD's CPUs, Spectre does so speculative execution needs to be addressed @ silicon level in order for speculative execution based vulnerabilities to "go away".

Spectre based vulnerabilities do have software mitigations which come @ a performance cost. @ least that's better than Spoiler which, supposedly, can't be mitigated by software:
The attack exploits the fact that when there is a load instruction after a number ofstore instructions, the physical address conflict causes a high timing behavior. This happens because of the speculatively executed load before all the stores are finished executing. There is no software mitigation that can completely erase this problem.
Posted on Reply
#20
Darmok N Jalad
mcraygsx
INTEL should've stopped selling any CPU built around core architecture as soon as first set of vulnerabilities were discovered. Especially to the Enterprise Market altogether. But its amazing to see over priced CPU and related motherboard on shelves at my local MC :eek:.

On the other hand I suppose if consumers are okay with IME then we should be okay with another vulnerability. Thank you for reporting this.
So what should they do for the next 2-4 years while they engineer a solution to a problem that wasn’t even detected for over a decade? Companies as big as Intel can’t just stop selling their products for that long. There would probably not be an Intel anymore by the time they resolved this problem, redesigned their CPUs, performed a bunch of validation and testing, retooled their FABs, worked out yields, manufactured millions of chips, and refilled the huge vacuum they left behind. They no doubt have to fix the problem, but stopping the presses would cause major damage to the economy and affect many, many people’s livelihoods. AMD can’t even come close to picking up Intel’s level of supply, so there would be a mass shortage of CPUs for years. 9th gen Core doesn’t fix all the issues at a hardware level—we are still a few generations from that.
Posted on Reply
#21
CounterZeus
The tested AMD CPU was one bulldozer chip (AMD A6-4455M). So no confirmation if Zen is affected or not.
Posted on Reply
#22
biffzinker
HTC
Spectre based vulnerabilities do have software mitigations which come @ a performance cost.
Microsoft Update KB4482887 on March 1st the company will be rolling out and enabling the Google-developed Retpoline performance optimizations that reduce the performance impact of security mitigations put in place to combat Spectre Variant 2 (CVE-2017-5715). Windows 10 users running 64-bit versions of Windows 10 Build 1809 and newer will have the Retpoline optimizations installed with the KB4482887 and other updates turned on via cloud configuration in a phased rollout.
https://www.pcper.com/news/General-Tech/Microsoft-Rolling-Out-Retpoline-Optimizations-Update-Reduce-Performance-Impact-Spe
Posted on Reply
#23
moproblems99
ArbitraryAffection
Zen didn't get the memo?
Zen is not immune from speculative execution flaws.
Posted on Reply
#24
yeeeeman
The people commenting here are just...out of this world. People still don't understand that these vulnerabilities don't have absolutely any importance to normal consumers. Who cares about your games and photos?
These attacks are important for datacenters, bank or government computers, etc.
If you have an Intel CPU, this doesn't mean that it is broken and you will be robbed if you still use it....
Also, discoveries like these give students and faculties some good press. Hey look, this is the place where that funky vulnerability was found. I see they got a habit of searching for bugs in CPUs, which is a good thing, sure, but CPUs are so complex machines that it is almost impossible to make them without some vulnerabilities. And don't worry, happy Ryzen users, AMD also has vulnerabilities, but they weren't discovered yet because nobody cares. Researches look at the market leader...
Posted on Reply
#25
Dave65
Profit over security?
Nah, Intel would never..................:shadedshu:
Posted on Reply
Add your own comment