
Meltdown & Spectre

Posted: Thu Jan 04, 2018 11:45 am
by Valerion
Two of the most serious vulnerabilities ever have been identified. Meltdown is currently exploitable on all Intel x86_64 CPUs, while Spectre is theoretical and hard to do, but affects Intel, AMD and ARM chips. And perhaps some other RISC-based ones as well.

Less technical details: https://spectreattack.com/
Project Zero: https://googleprojectzero.blogspot.co.z ... -side.html
Wired: https://www.wired.com/story/critical-in ... computers/

This is a hardware issue that can be fixed in the OS, but at a cost. Due to the nature of it there will be a performance penalty of between 5% and 30%, depending on the exact workload the CPU handles.

And I recommend updating as soon as the patches for this drop. Linux kernel devs, Microsoft and Apple are working on fixes.

Re: Meltdown & Spectre

Posted: Thu Jan 04, 2018 12:52 pm
by ArtyLoop
At this stage, it is apparent this only affects the x86 architecture. The ARM architecture is too different and the instruction set is totally different, as is the whole programmer's model.
We are aware of this issue at the office, we received the advisory, and so far, it appears to be impossible to implement on the ARM platforms we have under our control.

Re: Meltdown & Spectre

Posted: Thu Jan 04, 2018 1:09 pm
by Valerion
Lucky you.

ARM have published a short list of vulnerable CPUs, but it is a really short list. Not "Every 64-bit CPU from at least 2011 and possibly 1995" short, like Intel ...
https://developer.arm.com/support/security-update

I see the ARM Linux Git repo contains all the fixes now, so at least if you run Linux and the absolutely latest kernel in git you should be protected on all platforms. I am confident the Linux vendors will include these in kernel updates soon, and MS will likely drop it this Patch Tuesday. Apple will fix it when Apple releases the latest update, probably soonish.

Re: Meltdown & Spectre

Posted: Thu Jan 04, 2018 1:49 pm
by ArtyLoop
Whatever we find out here I will share with you on the forum. For the moment it seems the patches are what we need to roll out on our Linux boxen, and workstations. Will advise when we start with this.

Re: Meltdown & Spectre

Posted: Thu Jan 04, 2018 3:28 pm
by Valerion
Seems Windows desktop performance won't be much affected. Servers on the other paw ...


Re: Meltdown & Spectre

Posted: Thu Jan 04, 2018 3:53 pm
by ArtyLoop
To be clear:
Spectre: The name for a class of vulns that exploit out-of-order execution on modern microprocessors
Meltdown: A Spectre class exploit specific to the x86 architecture

More names will probably appear as the exploits become proven for other architectures.
So to clarify, the Spectre class vulnerabilities, although mostly theoretical, affect nearly every type of processor architecture and sadly this includes ARM. To my knowledge the only architecture that might not be affected is the humble SuperH RISC (SEGA consoles and office machines) but that's merely my opinion.
Spectre thus has the potential to even affect residential routers that run Linux, Raspberry Pi, etc., etc., even network switches.
We will watch it for now, but as I mentioned we received the advisory and my boss and I are on this.

Re: Meltdown & Spectre

Posted: Fri Jan 05, 2018 5:54 pm
by Rakuen Growlithe
There are even more exploits being found in 2018! The password protection for Xerox Alto disks has been completely bypassed and there are major flaws with the hash algorithm. If you're storing data on password-protected Xerox Alto disks then you need to find a more secure method of storage.
http://www.righto.com/2018/01/xerox-alt ... -disk.html

Re: Meltdown & Spectre

Posted: Sat Jan 13, 2018 9:31 am
by Rakuen Growlithe
I feel worse and worse about getting an Intel processor when I could've got AMD...
http://m.dw.com/en/new-security-flaw-de ... a-42122823