General > Security & Bug Fixes

Meltdown & Spectre Information and Discussion

<< < (2/32) > >>

TMG1961:
The video lost me about 10 seconds after it started. I have no idea what he is talking about.

ian_r_h:
Thanks for this.  Though I'm not sure how well I understand some parts.

In essence, and from technical news posts, my understanding is that (anyone has better knowledge may correct me):-


* Intel processors since the 1990s are vulnerable to this because of using the "speculative" approach.  But cancelling this approach can greatly slow processing in processor-intensive tasks.
* AMD prcoessors are technically unknown according to some reports, and unaffected by others; and possibly affected in their own right by others (I don't have the sources to hand).  My take is that it is unknown/thought unlikely to affect AMD processors.
* My take is also that it requires local access to exploit (as known at the moment), but whether that will continue the case isn't reported on in the items I've read.
* This has been known about for some time.
* The problem requires fixing at the OS level.
I'm presuming that using Intel processors with the current kernel 4.4.x series in Linux Lite leaves it theoretically vulnerable; though I understand that at present there is no malware exploiting the problem?

JmaCWQ:
This may or may not help explain things......https://thehackernews.com/2018/01/meltdown-spectre-vulnerability.html

ian_r_h:
OK.

I've had a few minutes to research this further, since coming to it myself first time first thing this morning.

There are two bugs reported:  MELTDOWN and SPECTRE.  According to Wikipedia:-

"The Meltdown vulnerability can be thought of as a particularly easy and efficient-to-implement special case of Spectre."  Note that there is no citation and it is reported as needing one; indeed citation is lacking in the Spectre entry at this time.

"Two Common Vulnerabilities and Exposures IDs related to Spectre, CVE-2017-5753 and CVE-2017-5715, have been issued."

Spectre affects Intel, AMD and ARM processors.

"[Meltdown] was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754."

Meltdown affects Intel processors and "does not seem to affect AMD microprocessors".

The Wikipedia entries are at:-

https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)

There is a website for Meltdown and Spectre (which both Wikipedia articles label as the "official website") at:

https://meltdownattack.com/

Hope this helps, though I'm still reading up on it at the moment.

trinidad:
I have two Windows 10 machines that have been already patched (both originally developer/insider mode) and have had no problems so far, and no noticeable performance issues though there are reports of some VM complications elsewhere. In the case of Linux this is another OEM hardware nuisance which like all such nuisances diffuses down to ordinary users with some over-reaction. Spectre is a threat to ordinary users but only on multi-user boxes i/e - do you trust your wife? I played around with this issue some years back on a Suse Linux system I administrated. It has been known in some form or another for quite a while, but developers never looked at it as particularly threatening. It's the nature of CPUs themselves to not be secure, and again this problem lies within the the whole idea of low level proprietary code. It should be a legal issue with tart recourse to the courts, but who's big enough to sue, maybe Google, or Amazon. Big business is a strangely esoteric political beast here in the US - The government bails out GM but upholds a billion dollar penalty against Ford for bad tires. I can't think of a company in recent history that deserved a class action suit against them more than Intel. As far as civil disobedience perhaps a well organized boycott of Google and Amazon would do the trick but in a lot of ways consumerism is an addiction so that would be awfully hard to organize. Buying a computer for your kids to use is a lot like taking your kids to the doctor. The difference is that most doctors live by a code of ethics, while OEM hardware is produced with an eye to insulating the developers from any liability. Intel developers don't need malpractice insurance. Intel is so big and internationalized that the US government must cast a wary eye on their hardware to protect itself. I have often thought that the first line of recourse for the government is to use the SEC to suspend trading of Intel, and then go from there.

TC

Additionally: "News" of this is hardly new. Only the exploit news part of it, which was held back by Google in agreement with Intel. I highly doubt that AMD is not vulnerable with a modified version. Any 64bit multt-core cached cpu is vulnerable. This has always been known of speculative processes. The bigger the processor the greater the possibility of stealing information. That is the only reason this has suddenly become important. CPUs are finally big enough to cough up and spew considerable information via the hack. Hilariously the hack will still work even with the patch by simply falling back to the old kernel address system. It is not a permanent solution. The permanent solutuion is full and complete free access to CPU microcode.

   

Navigation

[0] Message Index

[#] Next page

[*] Previous page

Go to full version