If at first you don't succeed, you're likely Intel: Second Spectre microcode fix emitted For the second time of asking, Intel has issued microcode updates to computer makers that it prays says will mitigate the Spectre variant two design flaw impacting generations of x86 CPUs spewed out over previous decades. Yep, old Chipzilla has turned up at the scene of the metaphorical IT industry earthquake with a dustpan …
I would imagine that the damages are going to be pretty hefty even by Intel's standards given the fact that pretty much every organization in the world and everyone except for Luddites and a few older AMD fanboys fit into at least some of the classes in the class action lawsuits levied at Intel. This is not going to be a week's worth of profit. If the courts do their job properly then Intel is in for a rough few years.
I don't think the damages will be enough to drag them under. Nor would I want that. If nothing else the sudden dissolution of Intel would leave the type of power vacuum that can destabilize entire industries. But you can bet that the damages will be enough to actually hurt.
I don't expect the damages to be much, for flaws that took over a decade to discover(widely at least maybe 3 letter agencies were using it long before), I don't fault Intel, or AMD or the others for these things(yes I know Meltdown seems to be specific to Intel). Even more on Spectre since it affects many different CPU brands.
In a world where we constantly see root exploits and other security issues that are far worse than just being able to read random bits of memory(yes those root exploits often get fixed but there are always new ones being discovered), I don't see a reason to have a knee jerk reaction.
But hey, it gives people reason to write more articles and get more ad impressions.
You may not, but Intel's CEO apparently did, selling all the Intel shares he was allowed to, after the news hit the fan internally but before outsiders were informed. Widely reported at the start of 2018, but transactions took place (and were initially reported) in 2017:
https://www.fool.com/investing/2017/12/19/intels-ceo-just-sold-a-lot-of-stock.aspx
http://fortune.com/2018/01/05/intel-ceo-stock-security-flaws/
https://www.theregister.co.uk/2018/01/11/intel_ceo_cfo_sued_spectre_meltdown/
I remember reading about that, though I still think that is more likely a coincidence than anything. The CEO would have to be pretty stupid to do something like that. I expect that behavior from penny stock type companies.
Also looking at the stock price over the past year the stock really hasn't moved much since early November, down less than $1 from November 2. The stock hit a new 52-week high in late January (maybe earnings? I don't follow stocks) before going back down again.
So this thing really hasn't done anything to Intel's stock price, showing there wasn't much incentive to sell based on that news.
"But hey, it gives people reason to write more articles and get more ad impressions."
Such worldly cynicism! You may be right of course.
Those dastardly fear-mongers at the Reg should probably wait until everyone's chips are smoking puddles of silicon goo before hauling out the Olivettis and Gestetnering a few million pages of (literally) purple prose.
Or, even better, step away completely from a watchdog profession with one of the worst ROIs on the planet, and even worse profit prospects, and leave y'all to the tender mercies of our new global robber digi-barons, and their 'hyper efficient and extremely productive' minions.
Not the first time this has happened... A while ago, a few Bay Trail tablets were borked by a firmware update performed by a windows update. In this particular case, the hardware ID pulled from the firmware was incorrect. i.e. a poorly modified firmware derived from a "parent" firmware..
This post has been deleted by its author
Reading through the whitepaper on Retpoline linked by the article, in section 5.4, it says that this mitigation requires that all code in a program or OS kernel is compiled with a retpoline-enabled compiler. From what I can tell, this was added to the latest version of gcc back in January, and I assume the Intel compiler around the same time. So, to take advantage of this mitigation, you need to rebuild all your code with the latest compiler available, otherwise ".. retpoline is not a practical mitigation for environments where full recompilation itself is not practical. Other mitigations may be appropriate in those environments."
You may have noticed that companies like Cisco regard these bugs as unimportant. The chip architecture might have a vulnerability but its really not the architecture but rather the combination of the architecture and the software we run on it that causes the problem. Intel could quite rightly argue that the problem is really software vendors making assumptions about the relative security of memory areas that is the real problem.
But then, who cares about architectural subtlety when there's money to be made? (Personally, I'd just ramp down all these attempts to make inefficient software go fast and just give everyone 80186 chips to run their Javascript on.....Enjoy, folks!)
This post has been deleted by its author
If there's a way for an attacker to run code capable of exploiting Spectre on a Cisco device, the attacker has already won and doesn't need to bother with Spectre.
That's why they aren't worried.
These vulnerabilities are privilege escalation - a process can get hold of data it is not supposed to have.
If the arch is intended to be that no untrusted process can run at all, then the chances are that an attacker getting their code to run is already Game Over.
Because Dell Asus etc won't make new "BIOS" updates for most products they make. Most Only update the BIOS for computers build in last 1 to 3 years. Maybe ~5 years for Business types like Dell Latitude. Many "White Box" MoBo's from Asus et al are same thing but many "old" MoBo's are still in stock at Newegg months to years after makers mostly stopped supporting them. IOW You bought a MoBo 2 years ago but the Manufacturer sees many MoBo as 4-5 years old.
So Don't hold your breath thinking you will get this patch later.
Even then Most Dell etc owners never upgraded the BIOS. Not even most Enterprise owner like NHS, Big Banks, etc.
Dell will, because of the support they sell.
If a business has a support agreement with Dell and Dell refuse to provide the patches, that business will sue.
Dell will make it public on their website as well, because it'd cost them a fortune to send a repair tech to every single business machine.
Same goes for the other brands that sell support contracts.
Any that don't... Well, good luck.
It's not that the development process is shit, it is indeed that CPU development is very hard indeed.
Combine that with some very clever people who can figure out utterly obscure exploits such as these, and this sort of thing can happen.
As someone above said, it's taken about 10 years to figure out this exploit. If Intel/ARM/AMD had spent an extra 10 years figuring it out before releasing the chips, well, nobody would be in business.
For the BIOS/uEFI/microcode patch on my dinosauroid Sony SVF142C (Sandy Bridge) WEEE bin-fished laptop.
8GB RAM, 2C4T CPU, (or should that be 2g1c? as it sounds a bit like "scat"), 1TB recycled HDD, 10 :-(
It passed the self-tests I threw at it so what the heck. SPECTRE fail.
I named this beast "Alice" because it seems to exhibit quantum-like effects such as random BSODs when plugging in certain wonky USB devices, flaky touchpad which randomly resizes webpages and inexplicable power drain issues that I just can't explain.
"Bob" aka the Tosh laptop was also working but he is currently cooling his cement overshoes in BOFH Hell waiting for parts.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
