• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.

New security flaw in Intel chips could affect millions

Bullet Club

Banned
New security flaw in Intel chips could affect millions

SANTA CLARA, Calif. — Intel has revealed another hardware security flaw that could affects millions of machines around the world.

The bug is embedded in the architecture of computer hardware, and it can’t be fully fixed.

“With a large enough data sample, time or control of the target system’s behavior,” the flaw could enable attackers to see data thought to be off-limits, Bryan Jorgensen, Intel’s senior director of product assurance and security, said in a video statement.

But Intel said Tuesday there’s no evidence of anyone exploiting it outside of a research laboratory. “Doing so successfully in the real world is a complex undertaking,” Jorgensen said.

It’s the latest revelation of a hard-to-fix vulnerability affecting processors that undergird smartphones and personal computers. Two bugs nicknamed Spectre and Meltdown set a panic in the tech industry last year.

Intel said it’s already addressed the problem in its newest chips after working for months with business partners and independent researchers. It’s also released code updates to mitigate the risk in older chips, though it can’t be eliminated entirely without switching to newer chips.

Major tech companies Google, Apple, Amazon and Microsoft all released advisories Tuesday to instruct users of their devices and software, many of which rely on Intel hardware, on how to mitigate the vulnerabilities.

As companies and individual citizens increasingly sign their digital lives over to “the cloud” — an industry term for banks of servers in remote data centers — the digital gates and drawbridges keeping millions of people’s data safe have come under increasing scrutiny.

In many cases, those barriers are located at the level of central processing unit, or CPU — hardware that has traditionally seen little attention from hackers. But last year the processor industry was shaken by news that Spectre and Meltdown could theoretically enable hackers to leapfrog those hardware barriers and steal some of the most securely held data on the computers involved.

Although security experts have debated the seriousness of the flaws, they are onerous and expensive to patch, and new vulnerabilities are discovered regularly.

Bogdan Botezatu, director of threat research for security firm Bitdefender, said the latest attack was another reason to question how safe users can really be in the cloud.

“This is a very, very serious type of attack,” Botezatu said. “This makes me personally very, very skeptical about these hardware barriers set in place by CPU vendors.”

Intel said it discovered the flaw on its own, but credited Bitdefender, several other security firms and academic researchers for notifying the company about the problem.

Botezatu said Bitdefender found the flaw because its researchers were increasingly focused on the safety and management of virtual machines, the term for one or more emulated mini-computers that can be spun up inside a larger machine — a key feature of cloud computing.

Source: Washington Post
 
New security flaw in Intel chips could affect millions

Major tech companies Google, Apple, Amazon and Microsoft all released advisories Tuesday to instruct users of their devices and software, many of which rely on Intel hardware, on how to mitigate the vulnerabilities.

As companies and individual citizens increasingly sign their digital lives over to “the cloud” — an industry term for banks of servers in remote data centers...
Coincidence?

Hackers Intel Inside
 

Boss Mog

Member
Intel has been losing tremendous ground to AMD in the CPU space as of late, outselling them by as much as 2 to 1. With news like this and the very promising Ryzen 2 launching next month with supposedly very aggressive pricing, AMD might soon overtake Intel in overall CPU marketshare.
 

CyberPanda

Banned
Intel has been losing tremendous ground to AMD in the CPU space as of late, outselling them by as much as 2 to 1. With news like this and the very promising Ryzen 2 launching next month with supposedly very aggressive pricing, AMD might soon overtake Intel in overall CPU marketshare.
Of course its going to throw a cog in Intel's gears, but AMD has a long way to go in terms of market share:

 

Boss Mog

Member
Of course its going to throw a cog in Intel's gears, but AMD has a long way to go in terms of market share:

Look how much the gap widened from Q1 2006 to Q1 2007, a lot can happen in a year. Also Passmark isn't exactly the best indicator of anything. I've never run the benchmark on my system, and neither have others. Also the majority of PCs are in the workplace, and companies don't really run Passmark either.
 
Last edited:

V1LÆM

Gold Member
I will definitely be replacing my Intel CPU as soon as the new Ryzen CPUs come out. They can't come soon enough!

Also, Intel only really has such a large market share because of laptops. If AMD can do well there then Intel should be very worried.
 

Helios

Member
Cybersecurity researchers at the Vrije Universiteit Amsterdam, also known as VU Amsterdam, allege that Intel tried to bribe them to suppress knowledge of the latest processor security vulnerability RIDL (rogue in-flight data load), which the company made public on May 14. Dutch publication Nieuwe Rotterdamsche Courant reports that Intel offered to pay the researchers a USD $40,000 "reward" to allegedly get them to downplay the severity of the vulnerability, and backed their offer with an additional $80,000. The team politely refused both offers.

Intel's security vulnerability bounty program is shrouded in CYA agreements designed to minimize Intel's losses from the discovery of a new vulnerability. Under its terms, once a discoverer accepts the bounty reward, they enter into a NDA (non-disclosure agreement) with Intel, to not disclose their findings or communicate in the regard with any other person or entity than with certain authorized people at Intel. With public knowledge withheld, Intel can work on mitigation and patches against the vulnerability. Intel argues that information of vulnerabilities becoming public before it's had a chance to address them would give the bad guys time to design and spread malware that exploits the vulnerability. This is an argument the people at VU weren't willing to buy, and thus Intel is forced to disclose RIDL even as microcode updates, software updates, and patched hardware are only beginning to come out.
Update: (17/05): An Intel spokesperson commented on this story.

Intel contacted us with a statement on this story pertaining to the terms of its bug bounty program:

"We [Intel] believe that working with skilled security researchers across the globe is a crucial part of identifying and mitigating security vulnerabilities. One of the ways we engage with researchers is through our bug bounty program. We provide a clear overview of our bug bounty program requirements, eligibility and award schedule on our website."
 

LordRaptor

Member

The issues seem to be more widespread than that article seems to state and definitely not already mitigated by Intel (ZombieLoad).

Yeah, this is absolutely huge, and a cynic might wonder why the US based tech bloggers (that aren't specifically security focused) just haven't really covered it at all, when even an unsubstantiated hint of a security flaw in a Huawei device will generate security scaremongering articles for weeks.
 

marquimvfs

Member
I cannot create new threads, but there's new info on the matter. The researchers who found some of the vulnerabilities have said that Intel, while saying the vulnerabilities were fixed, where telling them to be quiet about the fixes, that according to them, were not fixing the problem properly.
"After they notified Intel about the unfixed flaws in advance of Tuesday’s patch release, the company asked the researchers to remain silent until it could produce another patch, the researchers said. But this time they refused."

Source: https://www.nytimes.com/2019/11/12/technology/intel-chip-fix.html?smid=tw-nytimes&smtyp=cur
 

Demigod Mac

Member
Most articles about CPU vulnerabilities annoy me. The way they are written makes the issue sound much scarier than it actually is to the average user, as if every affected computer will get compromised within one nanosecond of being connected to the internet. They also rarely explain that most end users have nothing to worry about and it is a greater risk to enterprise and government servers running virtual machines, where a [sophisticated, well funded] attacker would want to siphon sensitive data from VMs running on the server. (this article sort of does, to its credit - the blurb at the end mentions VMs)

Take note: CPU vulnerabilities are not some innovative new vector to infect a system, like a worm. It's simply a neat new trick malware can perform if it gets on the machine, but it still has to get there in the first place. You protect yourself from this as you normally would against common banking trojans. Got antivirus, a content blocker, and a fully patched browser and OS? You probably have nothing to worry about even if your CPU is "vulnerable".
 

Kagey K

Banned
Buy a PC it’s better then consoles.

It’s super easy, just out the disc in and play.

Master Race and all that.
 
Last edited:

PhoenixTank

Member
Read that its getting fixed on their "new hardware" so would a i9 9900k be safe to buy this black friday or not?
Safe is relative. They have fixes for this in microcode updates that mostly fix the exploit (and another update due to fix the remaining holes), but I very much doubt there is going to be a new stepping with hardware fixes in wide supply for Black Friday.
I imagine 10th gen desktop will have hardware fixes... but then this line of exploits will sprout another head again. Going to be continual whack-a-mole for a good while yet.
 
Look how much the gap widened from Q1 2006 to Q1 2007, a lot can happen in a year. Also Passmark isn't exactly the best indicator of anything. I've never run the benchmark on my system, and neither have others. Also the majority of PCs are in the workplace, and companies don't really run Passmark either.
If you are referring to company/work pcs, the majority of which (I do tier2 Sup and did Sup for 30+ companies previously ) are Lenovo (sometimes Dell) laptops or thin clients which usually have an Intel cpu. Desktops aren't used as much and when are its for things like cad and those are usually Intel as well. In fact, I have only seen AMD on a handful of systems and they were usually with smaller companies or non critical personnel.

Until amd gets a foothold into the business pc market I don't see this changing anytime soon. Enthusiast/gamer market is small compared to business pc needs, unfortunately. Even back in 2000 when AMD Athlons sported high clock 1ghz+ machines and Intel was lagging behind by 100s of mghz, in that regard companies still chose Intel for dependability and their business push.
 

johntown

Banned
Never been a fan of AMD but all of this stuff with Intel is probably going to make me jump ship and go with AMD for a CPU for my next PC.
 
If you are referring to company/work pcs, the majority of which (I do tier2 Sup and did Sup for 30+ companies previously ) are Lenovo (sometimes Dell) laptops or thin clients which usually have an Intel cpu. Desktops aren't used as much and when are its for things like cad and those are usually Intel as well. In fact, I have only seen AMD on a handful of systems and they were usually with smaller companies or non critical personnel.

Until amd gets a foothold into the business pc market I don't see this changing anytime soon. Enthusiast/gamer market is small compared to business pc needs, unfortunately. Even back in 2000 when AMD Athlons sported high clock 1ghz+ machines and Intel was lagging behind by 100s of mghz, in that regard companies still chose Intel for dependability and their business push.

Intel is notorious for making all kinds of shady deals with big server companies and OEMs in order to prioritize their product offerings over AMD. IIRC, a couple of times this even got them into legal trouble.

There's a reason the 'Wintel" name took off and stuck for a while. In any case, it's some interesting stuff definitely worth watching/reading about. Even if AMD is on an upswing in certain sectors, ironically they can't capitalize on that with the same sort of gusto Intel did in the '00s, for example, because they're caught in a fab war between Samsung and HiSilicon/Huawei (and the CCP is at the center).
 

raduque

Member
There is no high end console. So that would be false.

High End PCs are also few and far between. The most popular games on Steam happily run on a PC with the compute power of my 2014 model Moto360 smartwatch, with maybe a GTX960-level GPU.
 

Kenpachii

Member
High End PCs are also few and far between. The most popular games on Steam happily run on a PC with the compute power of my 2014 model Moto360 smartwatch, with maybe a GTX960-level GPU.

Doesn't matter, consoles have no high end machines never will. His argument is pointless.

The only reason he came in here is to shit on PC's, because for some reason he thinks his shitty console box is anywhere near relevant towards PC users. Which it aint.
 
Last edited:

diffusionx

Gold Member
High End PCs are also few and far between. The most popular games on Steam happily run on a PC with the compute power of my 2014 model Moto360 smartwatch, with maybe a GTX960-level GPU.

Why does this matter? The fact is that high end PC is open to anyone who wants to do it. It’s not some hidden inaccessible secret. Just buy the appropriate hardware. Why does it matter what other people do, when the whole point of the PC is customization and flexibility.
 
Top Bottom