News Posts matching "bug"

Return to Keyword Browsing

Intel Expands Bug Bounty Program in Wake Of Spectre, Meltdown Flaws

(Editor's Note: This move by Intel aims to expand their bug-bounty program to specifically include side-channel attacks, such as those that can be leverage on the Spectre and Meltdown exploits. The company is also increasing the rewards it will give the researchers who find new flaws, a move that aims to employ the masses' knowledge and ingenuity to try and reach the hard-earned bonus at the end of the vulnerability - all while saving Intel much more money than it's paying to bug hunters.)

At Intel, we believe that working with security researchers is a crucial part of identifying and mitigating potential security issues in our products. Similar to other companies, one of the ways we've made this part of our operating model is through a bug bounty program. The Intel Bug Bounty Program was launched in March 2017 to incentivize security researchers to collaborate with us to find and report potential vulnerabilities. This, in turn, helps us strengthen the security of our products, while also enabling a responsible and coordinated disclosure process.

AMD Releases Radeon Software Adrenalin 18.1.1 Alpha Drivers

Making good on its post-New Year promise, AMD late Thursday released its first Radeon Software Adrenalin iteration for the year, version 18.1.1 Alpha. Being flagged "Alpha," these are very early drivers, the use of which are not backed by any warranties. They're not fully tested to work by AMD.

Version 18.1.1 Alpha addresses critical bugs that caused some of the older games to break following Adrenalin 17.12 release. The games, which are nearly a decade old, are AAA blockbusters which are based on the older DirectX 9 API. A number of older DirectX 9 games, such as EA's "Command & Conquer 3," "Command & Conquer 4" series, "Battle for Middle Earth 1-2," and "The Witcher Enhanced Edition" had simply refused to start following the 17.12 driver update. Grab the drivers from the link below.
DOWNLOAD: AMD Radeon Software Adrenalin 18.1.1 Alpha

Intel Shares Down, AMD and NVIDIA Up Following VT Flaw Surface

Intel's stock pricing has taken a 6.19% dip at time of writing, in a regress that analysts say has everything to do with the reported VT flaw in Intel's central processing units. The flaw, which Intel has been silently firefighting and which we've covered extensively here on TPU, is a hardware-level vulnerability which has the potential to allow unauthorized memory access between two virtual machines (VMs) running on a physical machine, due to Intel's flawed implementation of its hardware-level virtualization instruction sets. Kernel patches are already being deployed that mitigate the issue; however, these should incur in performance losses for Intel processors, and are being deployed in an apparent "spray and pray" method that also affects performance in AMD-based machines, which are expected to be immune to the Intel flaw.

AMD Struggles to Be Excluded from Unwarranted Intel VT Flaw Kernel Patches

Intel is secretly firefighting a major hardware security vulnerability affecting its entire x86 processor lineup. The hardware-level vulnerability allows unauthorized memory access between two virtual machines (VMs) running on a physical machine, due to Intel's flawed implementation of its hardware-level virtualization instruction sets. OS kernel-level software patches to mitigate this vulnerability, come at huge performance costs that strike at the very economics of choosing Intel processors in large-scale datacenters and cloud-computing providers, over processors from AMD. Ryzen, Opteron, and EPYC processors are inherently immune to this vulnerability, yet the kernel patches seem to impact performance of both AMD and Intel processors.

Close inspection of kernel patches reveal code that forces machines running all x86 processors, Intel or AMD, to be patched, regardless of the fact that AMD processors are immune. Older commits to the Linux kernel git, which should feature the line "if (c->x86_vendor != X86_VENDOR_AMD)" (condition that the processor should be flagged "X86_BUG_CPU_INSECURE" only if it's not an AMD processor), have been replaced with the line "/* Assume for now that ALL x86 CPUs are insecure */" with no further accepted commits in the past 10 days. This shows that AMD's requests are being turned down by Kernel developers. Their intentions are questionable in the wake of proof that AMD processors are immune, given that patched software inflicts performance penalties on both Intel and AMD processors creating a crony "level playing field," even if the latter doesn't warrant a patch. Ideally, AMD should push to be excluded from this patch, and offer to demonstrate the invulnerability of its processors to Intel's mess.

Intel Secretly Firefighting a Major CPU Bug Affecting Datacenters?

There are ominous signs that Intel may be secretly fixing a major security vulnerability affecting its processors, which threatens to severely damage its brand equity among datacenter and cloud-computing customers. The vulnerability lets users of a virtual machine (VM) access data of another VM on the same physical machine (a memory leak). Amazon, Google, and Microsoft are among the big three cloud providers affected by this vulnerability, and Intel is reportedly in embargoed communications with engineers from the three, to release a software patch that fixes the bug. Trouble is, the patch inflicts an unavoidable performance penalty ranging between 30-35%, impacting the economics of using Intel processors versus AMD ones.

Signs of Intel secretly fixing the bug surfaced with rapid changes to the Linux kernel without proper public-visibility of the documentation. The bulk of the changes involve "kernel page table isolation," a feature that prevents VMs from reading each other's data, but at performance costs. Developers note that these changes are being introduced "very fast" by Linux kernel update standards, and even being backported to older kernel versions (something that's extremely rare). Since this is a hardware vulnerability, Linux isn't the only vulnerable software platform. Microsoft has been working on a Windows kernel patch for this issue since November 2017. AMD x86 processors (such as Opteron, Ryzen, EPYC, etc.,) are immune to this vulnerability.

AMD Will Fix Adrenalin Driver Game Incompatibility Issues After All

Right in the last corner of 2017, as our collective minds were getting ready to move onto a new year at full warp speed, we covered this bit of news regarding AMD's Adrenalin Driver incompatibility with some older game titles under DX9 ("C&C3 Tiberium Wars," "C&C3 Kane's Wrath," "C&C Red Alert 3," "C&C Red Alert 3 Uprising," "C&C4 Tiberian Twilight," "Battle for Middle Earth 1-2," and "The Witcher Enhanced Edition.") At the time, AMD stated that they were "unlikely to devote any valuable engineering resources to this issue." User backlash ensued, and with the new year comes a new AMD: one that has found the valuable engineering resources needed towards working on a fix for said issues.

Apparently, the problem stemmed from a driver-level incompatibility with SAGE engine games, and AMD's Terry Makedon took to Twitter to make things better for fans of those games, saying that "We will for sure fix this bug with SAGE engine games in an upcoming hotfix." All in all, a good guy move by AMD. For sure, the initial statement might not echo the full sentiment of the entire company on the issue, though it's a fact that it was an AMD employee that started the whole debate. That said, the user backlash certainly goes to show that PC gamers want their systems to always have backwards compatibility with older games - one of the more important differentiating factors between PCs and games consoles.

AMD Unlikely to Fix DX9 Games Bugged by Adrenalin Driver

AMD ended 2017 with its year-end mega driver release, the Radeon Software Adrenalin Edition (17.12), which introduced a large number of new features. The drivers, incidentally, also inadvertently caused bugs with some 10-year old games running on the older DirectX 9 API. When AMD Radeon users took to Reddit, and other tech forums to report these issues, AMD responded on its official support forums that it is "unlikely to devote any valuable engineering resources to this issue."

Among the games affected, old as they may seem, are AAA blockbusters, including "C&C3 Tiberium Wars," "C&C3 Kane's Wrath," "C&C Red Alert 3," "C&C Red Alert 3 Upising," "C&C4 Tiberian Twilight," "Battle for Middle Earth 1-2," and "The Witcher Enhanced Edition." AMD blames its inability to fix these issues to outdated API models. The company's full statement reads "This title is from 2007, so we are unlikely to devote any valuable engineering resources to this issue, which is most likely caused by outdated API modules."

AMD Confirms its Platform Security Processor Code will Remain Closed-Source

Since the launch of AMD Ryzen, a small piece of hardware that handles basic memory initialization as well as many security functions has been the center of some controversy. Called the Platform Security Processor (the "PSP" for short) it is essentially an arm core with complete access to the entire system. Its actions can be considered "above root" level and are for the most part invisible to the OS. It is similar in this regard to Intel's Management Engine, but is in some ways even more powerful.

Why is this a bad thing? Well, let's play a theoretical. What happens if a bug is discovered in the PSP, and malware takes control of it? How would you remove it (Answer: you couldn't). How would you know you needed to remove it? (answer, unless it made itself obvious, you also wouldn't). This scenario is obviously not a good one, and is a concern for many who asked AMD to open-source the PSPs code for general community auditing.

WannaCry: Its Origins, and Why Future Attacks may be Worse

WannaCry, the Cryptographic Ransomware that encrypted entire PCs and then demanded payment via Bitcoin to unlock them, is actually not a new piece of technology. Ransomware of this type has existed nearly as long as the cryptocurrency Bitcoin has. What made headlines was the pace with which it spread and the level of damage it caused to several facilities dependent on old, seldom-updated software (Hospitals, for example). It's not a stretch to say this may be the first cyberattack directly attributable to a civilian death, though that has not been concluded yet as we are still waiting for the dust to settle. What is clear however is WHY it spread so quickly, and it's quite simple really: Many users don't have their PCs up to date.

Google Project Zero Finds Windows Vulnerabilty, "Worst in Recent Memory"

Google's Project Zero has found yet another critical Windows Vulnerability, this time going so far as to call it "Crazy Bad" in a lone tweet by Google security researcher Tavis Ormandy. Tavis went on to elaborate that the vulnerability "works against a default install, [you] don't need to be on the same LAN, and it's wormable."

Sounds like the stuff of nightmares from a security perspective, right? The good news is Google's policy is to give companies 90 days to patch bugs like this before revealing the exploits details. The idea is to pressure developers to fix vulnerabilities before the reveal, so users remain protected and companies are forced to act rather than adopt a "wait and see" approach. Microsoft however, does not have the best follow-up reputation, having left at least two major security bugs unpatched for the entire 90-day security-flaw reveal window as recently as this year.

NSA's Windows Exploit "DoublePulsar" Being Actively Utilized in the Wild

The "DoublePulsar" exploit exposed recently as part of the leaked NSA-derived hacking toolkit posted online, is set to become one of the more significant issues related to the leak. Not because it is unpatched, because it has been patched for roughly a month, but rather because according to a threatpost.com report, few users are as up to date as they should be.

Microsoft Advises Against Installing The Creators Update Manually

Apparently, Microsoft is alerting would-be Creators Update takers that doing so manually (as in, before its automatic update roll-out through Windows Update itself) may result in a bad first experience. Microsoft is therefore suggesting that the majority of Windows 10 users should wait for the Windows Update version of the (ahem) update, due to concerns with some hardware compatibility problems.

In a blog post, Microsoft give the example of a user who reported issues between a Bluetooth connectivity accessory (Broadcom-based) for their PC and Windows 10 Creators Update, which resulted in Microsoft blocking all machines with similar hardware from being able to update until issues are solved. I for one must say I manually updated my system on April 7th and found nothing wanting, so these really do seem like hardware-specific snags. Microsoft is apparently doing everything in its power to make sure adopters of the latest version of Windows find a hassle-free experience on the other side of their screens, which is commendable. This does seem like a sensible solution to the problem, with power users (or simply users who don't care about warnings and are confident on their success and hardware compatibility) still being able to update, while less tech-savy customers are left waiting for a proven version for their hardware configuration. Here's hoping that doesn't take long, since the 3D-version of Paint really brought back childhood joy (for some of us, at least.)

AMD Preparing BIOS Update to Fix FMA3 Freezes on Ryzen CPU Family

AMD has acknowledged an issue in which applications utilizing FMA3 code (basically compute and floating point heavy applications) can freeze Ryzen-based desktops. According to AMD, a fix is already on the way in the form of a basic bios update that will be issued to motherboard vendors, who will then most assuredly update their boards with the fix. If you want to be sure your Ryzen based system is not affected by this or numerous other teething issues, making sure you are running the latest BIOS will go a long way towards easing your experience with your new platform.

AMD Ryzen Machine Crashes to a Sequence of FMA3 Instructions

An AMD Ryzen 7-1800X powered machine was found to be crashing upon execution of a very specific set of FMA3 instructions by Flops version 2, a simple open-source CPU benchmark by Alexander "Mystical" Yee. An important point to note here is that this little known benchmark has been tailored by its developer to be highly specific to the CPU micro-architecture, with separate binaries for each major x64 architecture (eg: Bulldozer, Sandy Bridge, Haswell, Skylake, etc.), and as such the GitHub repository does not have a "Zen" specific binary.

Members of the HWBot forums found that Ryzen powered machines crash on running the Haswell-specific binary, at "Single-Precision - 128-bit FMA3 - Fused Multiply Add." The Haswell-specific binary (along with, we imagine, Skylake), adds support for the FMA3 instruction-set, which Ryzen supports, and which lends some importance to the discovery of this bug. What also makes this important is because a simple application, running at user privileges (i.e. lacking special super-user/admin privileges), has the ability to crash the machine. Such a code could even be executed through virtual machines, and poses a security issue, with implications for AMD's upcoming "Naples" enterprise processor launch.

Intel's Skylake and Kaby Lake-based Systems Vulnerable to USB Exploit

At this year's CCC hacker congress, researchers from Positive Technologies have released information, which documents vulnerabilities in Intel's Skylake and Kaby Lake series processors' handling of USB 3.0-based debugging - which could be used to attack, corrupt, and even subvert a user's system.

This vulnerability allows attackers to bypass typical security mechanisms - both at the hardware and at the OS level - by using a new debugging interface, which could allow them to install malware and/or rewrite the system's firmware and BIOS. The exploit is currently undetectable using existing security tools, and according to the researchers, this mechanism can be used on a hacked system regardless of the OS installed.

AMD Releases Radeon Software Crimson Edition 16.2.1

AMD released the latest version of Radeon Software Crimson Edition. Version 16.2.1 is marked "non-WHQL" and hence should be a beta. The driver comes with a CrossFireX profile for "Far Cry Primal," along with a variety of game-specific bug fixes for "Fallout 4," and "Rise of the Tomb Raider." It also fixes an issue of choppy display on systems with both FreeSync and CrossFire being enabled. Grab the drivers from the links below.
DOWNLOAD: AMD Radeon Software Crimson Edition 16.2.1 for Windows 10/8.1/7 64-bit | Windows 10/8.1/7 32-bit

AMD Releases Radeon Software Crimson Edition 15.12 WHQL

AMD released the WHQL-signed version of Radeon Software Crimson Edition 15.11.1 as the new 15.12 WHQL. It addresses a variety of game-specific issues, including rendering errors on Star Wars: Battlefront; bugs on Fallout 4; texture-compression issues with Just Cause 3; poor CrossFire performance with Call of Duty: Black Ops 3. It also addresses a critical issue in which the driver would either spool fan-speeds all the way up to 100% on load, or lock them down at 30%, causing certain GPUs to overheat. A variety of bugs specific to the Radeon Settings app were also addressed.

DOWNLOAD: AMD Radeon Software Crimson Edition 15.12 WHQL for Windows 10 64-bit | Windows 10 32-bit | Windows 8.1 64-bit | Windows 8.1 32-bit | Windows 7 64-bit | Windows 7 32-bit

NVIDIA Releases GeForce 344.16 WHQL Drivers

Well, that was fast! NVIDIA gave WHQL signing to the GeForce 344.16 Beta drivers it released earlier this week. The drivers still support just GeForce GTX 980 and GTX 970 graphics cards. The release notes document (PDF) is still not clear on exactly what these drivers bring to the table, over the recently released 344.11 WHQL, but we believe it could be an important bug-fix specific to NVIDIA's new GPUs.
DOWNLOAD: GeForce 344.16 WHQL

28 nm struggles: TSMC & GlobalFoundries

Making silicon chips is not easy, requiring hugely expensive fabs, with massive clean-room environments and at every process shrink, the complexity and difficulty of making the things goes up significantly. It looks like TSMC and GlobalFoundries are both having serious yield problems with their 28 nm process nodes, according to Mike Bryant, technology analyst at Future Horizons and this is causing a rash of non-working wafers – to the point of having nothing working with some chip designs submitted for production. It seems that the root cause of these problems are to do with the pressures of bringing products to market, rather than an inherent problem with the technology; it just takes time that they haven't got to iron out the kinks and they're getting stuck: "Foundries have come under pressure to release cell libraries too early – which end up with designs that don't work," Bryant said. In an effort to try and be seen to treat every customer equally, TSMC is attempting to launch ten 28 nm designs from seven companies, but it's not working out too well: "At 45-nm, only NVIDIA was affected. At 28-nm any problems for TSMC will be problems for many customers" said Bryant.

NVIDIA Investigates TDR Issues, Requests Sample Cards

Guru3D reports on a post from NVIDIA tech support on NVIDIA's forums regarding TDR issues (Timeout Detection & Recovery problem (display stopped responding but has successfully recovered)). These problems centre around Battlefield 3 and Windows Media Centre, which NVIDIA can't reproduce, so it looks like the problems may be with specific card models. NVIDIA rep ManuelG posted:

Bitcoin & Password Stealer Trojan For Mac Now Available!

Hot on the heels of our previous story of Apple Macs falling prey to a DDoS trojan, we now have another Mac trojan come on the market, as explained by Sophos. Yes, the Apple platform must indeed be becoming more popular to get this one. It's an unfortunate fact of life that the popularity of any computing platform, including smartphones, can be judged by the number of criminals who will attack it. This little nasty, called OSX/Miner-D or 'DevilRobber', hijacks Mac OS X to perform various tricks, which include minting Bitcoins (the virtual and now virtually worthless currency) stealing usernames and passwords (of course) taking screenshots and stealing the victim's Bitcoin wallet while it's at it, if there is one. And for good measure:
it runs a script that copies information to a file called dump.txt regarding truecrypt data, Vidalia (TOR plugin for Firefox), your Safari browsing history, and .bash_history.
So, now the criminals also know about all the sites one has visited, eroding user privacy even more. It looks like this malware has covered all the bases, but wait, there's more.

SandForce BSOD Firmware Bug: Fix Finally Available

Finally a fix for the BSOD/disconnect bug that has been plaguing users for months is available for SF-2200 based SSDs. OCZ uses these, has been testing this new firmware for several weeks and now believes that it's fit for release. The new firmware is at version 2.15 for OCZ drives and 3.3.2 for drives that SandForce's standard numbering system. As with any firmware update, it should be used cautiously, all data backed up and perhaps used on a non-mission critical Windows install for a while, for confidence. Note that there may be more unresolved issues and new ones introduced.
Return to Keyword Browsing