Horrific Security Flaw Affects Decade of Intel Processors

www.popularmechanics.com ^ | 03 January 2018 | By Eric Limer

[upchuck]

Windows and Mac ping.

[Dalberg-Acton]

You didn’t administer any beatings? They expect that, you know.

[martin_fierro]

Per this article, AMD and ARM chips are also impacted:

https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO

[Swordmaker]

It looks as if Apple was already on top of this Intel vulnerability:

---

Apple has already partially implemented fix in macOS for 'KPTI' Intel CPU security flaw

By Mike Wuerthele
Wednesday, January 03, 2018, 11:18 am PT (02:18 pm ET)After a public disclosure of a security flaw with nearly every Intel processor produced for the last 15 years, concern grew that a fix may take up to 30 percent of the processing power away from a system. But Apple appears to have at least partially fixed the problem with December's macOS 10.13.2 —and more fixes appear to be coming in 10.13.3.

Multiple sources within Apple not authorized to speak on behalf of the company have confirmed to AppleInsider that there are routines in 10.13.2 to secure the flaw that could grant applications access to protected kernel memory data. These measures, coupled with existing programming requirements about kernel memory that Apple implemented over a decade appear to have mitigated most, if not all, of the security concerns associated with the flaw publicized on Tuesday.

Further confirming the fixes, developer Alex Ionescu has further identified the code that fixed the issue, and is calling it the "Double Map."

The question on everyone's minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the "Double Map" since 10.13.2 —and with some surprises in 10.13.3 (under Developer NDA so can't talk/show you). cc @i0n1c @s1guza @patrickwardle pic.twitter.com/S1YJ9tMS63— Alex Ionescu (@aionescu) January 3, 2018

Our sources, as well as Ionescu, say that there are more changes in the macOS High Sierra 10.13.3 —but both declined comment on what they may be, or what else is required to totally secure users.

AppleInsider is in the midst of comparative speed testing on a 2017 MacBook Pro. Early indications are that there are no notable slowdowns between a system running macOS High Sierra 10.13.1 and 10.13.2.

Mitigations by Linux code-base maintainers are underway, as are changes by Microsoft to protect Windows users. In response to a query, Microsoft told AppleInsider that they had no comment on a timetable of a release to fix the security flaw at this time, but kernel memory handling was altered by the company in Windows 10 beta builds in the end of 2017.

Potentially at risk from the flaw is anything contained in kernel memory, such as passwords, application keys, and file caches. Details surrounding the bug, and how to exploit it, are still under wraps.

Intel is unable to fix the flaw with a firmware update.

Aside from macOS, Microsoft's Windows and Linux are also open to the vulnerability. Beyond personal computers, some believe cloud services like Amazon EC2, Microsoft Azure and Google Compute Engine are impacted by the bug and will need to be updated.

Amazon has alerted its customers to a large security update coming to AWS in February. Microsoft's Azure service has a maintenance period scheduled for Jan. 10.

[IndispensableDestiny]

Back in the 80’s I had an IBM XT clone that had a ‘Turbo Boost’ button on the front.

I think all it did was turn on a light..................

Leaving the button off slowed your PC to 4.77 MHz. Turning it on let it run at whatever the advertised speed was (16, 20, 33, 66). It was found on 80286, 386, and 486 machines.

Many games timed off of the original 4.77 MHz chip speed on the PC. They would not run at higher speeds. The button gave you backwards compatibility for these games.

[usconservative]

Thank goodness I’m on my AMD FX-8350 as I type ...... yeah, she’s old and she’s not the fastest CPU in the world but she don’t have this steenking vulnerability!!!

[Swordmaker]

Apple uses intel on Macs. But phones and pads don’t.

It turns out that Apple patched for this Intel vulnerability on December 6, 2017. . . so it's not a problem. It's not an issue on Macs now and no slowdown in the operations.

[ConservativeMind]

4.77 Mhz to 8 Mhz

[usconservative]

It's not an issue on Macs now and no slowdown in the operations.

Would be interesting to see before & after patch performance benchmarks for Microsoft, Apple and Linux. Any future lawsuits against Intel for this vulnerability are going to depend on/require demonstration of loss of performance.

[BereanBrain]

Intel has had backdoors forever, as per our “government” requests.

[HP8753]

Windows has another undocumented “feature”?? Who would have thought........?

[dayglored]

Intel CPU Mega-flaw affects Windows, etc. ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

Thanks to Windflier for the ping!!

[Swordmaker]

Per this article, AMD and ARM chips are also impacted:

There are two vulnerabilities only one of which is the Intel vulnerability. The other, called Spectre can effect the AMD and ARM processors, especially mobile devices such as cellular phones and tablets, for it to be exploited required the following:

"In order to exploit the flaw the "attacker gains physical access by manually updating the platform with a malicious firmware image through flash programmer physically connected to the platform’s flash memory."

So it's not really too much of a serious exploit. "Physical access" and "manually updating" the device's firmware. Right. Sure.

[dayglored]

> It turns out that Apple patched for this Intel vulnerability on December 6, 2017. . . so it's not a problem. It's not an issue on Macs now and no slowdown in the operations.

Does that apply to all supported versions, or only High Sierra? I.e. Has Apple rolled out fixes for older versions, -or- will older versions get a fix in the future, -or- does this force us all to upgrade?

[SgtHooper]

And it seems, according to the wording, that the “physical” stuff only applies to the AMD and ARM chips.

[Spktyr]

A similar exploit has been found in AMD processors. https://www.windowscentral.com/all-modern-processors-impacted-new-meltdown-and-spectre-exploits

[Spktyr]

A similar exploit has been found in AMD processors. https://www.windowscentral.com/all-modern-processors-impacted-new-meltdown-and-spectre-exploits

[Spktyr]

Apple’s is already patched as of 10.13.2 (which has been out a while) and further steps will be taken in 10.13.3, currently in dev beta. 10.13.2 shows no significant speed loss.

[hsmomx3]

I wish I understood all of this tech stuff.

My computer says it has an Intel Core 17????

Just what we need a bunch of broken computers after this fix.

[Bob434]

[[Back in the 80’s I had an IBM XT clone that had a ‘Turbo Boost’ button on the front.

I think all it did was turn on a light..................
]]

Yeah but I’ll bet the light came on really really fast=- turbo fast