Spectre Next Generation

LAZA · 6 May 2018 17:11

Super-GAU for Intel: More Spectre breaches in the approach

New holes and more patches - "Spectre Next Generation" is right around the corner. Researchers have already found eight new vulnerabilities in Intel processors, as evidenced by information exclusive to c't.
[...]
Each of the eight holes has its own number in the directory of all vulnerabilities (Common Vulnerability Enumerator, CVE) and each requires its own patches - they probably also get their own names. Until then, we call them together the Specter NG holes to differentiate them from the previously known problems.

Until now we only have precise information about Intel's processors and their patch plans. However, there are some indications that at least some ARM CPUs are also vulnerable. Further research into whether and to what extent the closely related AMD processor architecture is vulnerable to the individual Spectre NG holes is already in progress.

Intel already works on some Spectre NG patches; others are developed in collaboration with the operating system manufacturers. When the first Spectre NG patches come is not yet clear. According to our information, Intel is planning two patch waves: a first one should start in May; a second is currently scheduled for August.

For at least one of the Spectre NG patches is already a specific date in the room: Google's Project Zero has again found one of the holes and on May 7 - the day before the Windows Patchday - expires the 90-day period, the they typically allow the manufacturer to publish. Google's elite hackers are quite uncompromising in terms of such dates and published after their expiry more often information on vulnerabilities for which the manufacturer had not finished patches. In a second hole, Intel even expects that information could come to the public at any time. For these two holes, patches should appear sooner rather than later.
[...]
Intel classifies four of the Spectre NG vulnerabilities as "high-risk"; the danger of the other four is only rated as medium. According to our own research, Specter-NG risks and attack scenarios are similar to those of Spectre - with one exception.

Heise added himself an English translation:

Strit · 3 May 2018 06:08

So glad I switched to AMD recently.

DeMus · 3 May 2018 06:22

Are you sure?

LAZA · 3 May 2018 06:30

Es gibt jedoch erste Hinweise, dass zumindest einzelne ARM-CPUs ebenfalls anfällig sind.

---> However, there are some indications that at least some ARM CPUs are also vulnerable.

Strit · 3 May 2018 06:32

As I understand it, that's what they are trying to determine. I reckon they will provide a list of specific chips that are affected by this at some point.

bogdancovaciu · 3 May 2018 06:41

To be honest i'm not surprised, but also i will not be concerned just yet

anon23612428 · 3 May 2018 08:08

I will switch too, but still waiting for full support by the Linux kernel et al. (and €€€, TRs are expensive)

Spectre NG seems to be even more dangerous and easier to exploit than Spectre v1 and v2.
Oh dear... according to the article, not "security holes" but "swiss cheese".

BS86 · 3 May 2018 12:04

just ordered my R7 2700X components: 900€'s well spent (with 16GB 3200MHz RAM, a 500GB Samsung m.2 SSD and a Gaming-Mainboard)

the CPU's without integrated graphics are already supported.

anon23612428 · 3 May 2018 12:04

Ryzen 2 and Threadripper 2? Don't they need kernel 4.17? (I don't use RC kernels)

BS86 · 3 May 2018 12:04

Ryzen 2700 is "only" Ryzen+ (12nm) - and it should also work with 4.14.
Ryzen 2 will start next year as Ryzen 3700 and will be 7nm.

Only the Ryzen 2200G and 2400G with integrated Vega graphics need 4.17.

My hardware should arrive on Saturday, will test and tell

Edit: The only thing that might make problems is the ethernet chip of my board: Intel I211-AT - but I can use my USB WIFI dongle in case that this chip really is not working OOTB.

anon34396487 · 3 May 2018 12:04

This is what I’m waiting for before I upgrade. Intel just goes from bad to worse.

Chrysostomus · 3 May 2018 12:04

Maybe it has been good that I haven't had the money to get a new computer. Maybe I'll buy and some day if I get rich

sothis6881 · 3 May 2018 22:55

A little sad I didn't end up waiting...I'm so done with Intel!

BS86 · 5 May 2018 07:41

@anon23612428 My hardware arrived today, but DHL seems to have dropped it somewhere on the way. There is a nice little crack in the CPU coming from a dent that looks like the whole package was dropped on an edge.

No test results from me until at least Tuesday (the company's warranty/Return-department is not working on Saturday's .... )

I thought about waiting until next year too, but there is no real advantage for me in doing so. The single-thread performance of my FX8350 is already noticeably too slow in WoW through Wine, and Ryzen 3700 will also fit into AM4 sockets. I ordered a Asus ROG Strix mainboard with X470 chipset, the ROG series usually gets the necessary BIOS updates to fit newer CPU's - so if the 7nm is troublefree and an upgrade is worth it, I can upgrade with just replacing the CPU.

LAZA · 7 May 2018 13:43

Spectre-NG: Intel verschiebt die ersten Patches – koordinierte Veröffentlichung aufgeschoben

Eigentlich war für Montag die Veröffentlichung der ersten Spectre-NG-Patches geplant. Doch Intel hat um Aufschub gebeten und diesen auch erhalten. Neue, exklusive Informationen zeigen, wie es mit Spectre-NG jetzt weiter gehen soll.
[...]
Intel plant jetzt eine koordinierte Veröffentlichung am 21. Mai 2018. Zu diesem Termin sollen neue Microcode-Updates bereit gestellt werden.

english version: (will follow)

philm · 7 May 2018 21:24

There is a new microcode for Intel available. It might help against Spectre Next-Gen.

LA-MJ · 8 May 2018 18:07

Call me paranoid but I am starting to put more stock in tales that NSA has been sitting on these 0days for years while private researchers are finding the treasure troves only now...

Couldn't that explain their cockiness in the Snowden dumps?..

I hope Americans are paying attention and will at least try to FOIA or otherwise sue them. As well as Intel.

sueridgepipe · 11 May 2018 23:55

Next gen Spectre won't be fixed for a while ...

LA-MJ · 12 May 2018 21:50

Vulture South asked Intel to comment on the Heise report, and received a non-response saying it takes security very, very seriously, is working with anyone who can or should help to fix things. "We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations," the company said.

Where did I hear this before, I wonder?..

Everybody takes security seriously when their ass is on fire. But not before.

BS86 · 15 May 2018 20:31

@anon23612428 Writing this from my R7 2700X 4.16 worked great, but showed some ACPI errors during boot (no issues afterwards)

4.17 works great too, no ACPI errors during startup. Did not have a chance to test 4.14 yet, still busy setting the beast up

Edit: 4.14 shows the same ACPI messages, but also works without further issues.