Spectre Next Generation

Super-GAU for Intel: More Spectre breaches in the approach

New holes and more patches - "Spectre Next Generation" is right around the corner. Researchers have already found eight new vulnerabilities in Intel processors, as evidenced by information exclusive to c't.
[...]
Each of the eight holes has its own number in the directory of all vulnerabilities (Common Vulnerability Enumerator, CVE) and each requires its own patches - they probably also get their own names. Until then, we call them together the Specter NG holes to differentiate them from the previously known problems.

Until now we only have precise information about Intel's processors and their patch plans. However, there are some indications that at least some ARM CPUs are also vulnerable. Further research into whether and to what extent the closely related AMD processor architecture is vulnerable to the individual Spectre NG holes is already in progress.

Intel already works on some Spectre NG patches; others are developed in collaboration with the operating system manufacturers. When the first Spectre NG patches come is not yet clear. According to our information, Intel is planning two patch waves: a first one should start in May; a second is currently scheduled for August.

For at least one of the Spectre NG patches is already a specific date in the room: Google's Project Zero has again found one of the holes and on May 7 - the day before the Windows Patchday - expires the 90-day period, the they typically allow the manufacturer to publish. Google's elite hackers are quite uncompromising in terms of such dates and published after their expiry more often information on vulnerabilities for which the manufacturer had not finished patches. In a second hole, Intel even expects that information could come to the public at any time. For these two holes, patches should appear sooner rather than later.
[...]
Intel classifies four of the Spectre NG vulnerabilities as "high-risk"; the danger of the other four is only rated as medium. According to our own research, Specter-NG risks and attack scenarios are similar to those of Spectre - with one exception.


Heise added himself an English translation:

7 Likes

So glad I switched to AMD recently. :stuck_out_tongue:

3 Likes

Are you sure?

Es gibt jedoch erste Hinweise, dass zumindest einzelne ARM-CPUs ebenfalls anfällig sind.

---> However, there are some indications that at least some ARM CPUs are also vulnerable.

As I understand it, that's what they are trying to determine. I reckon they will provide a list of specific chips that are affected by this at some point.

To be honest i'm not surprised, but also i will not be concerned just yet :slight_smile:

I will switch too, but still waiting for full support by the Linux kernel et al. (and €€€, TRs are expensive)

Spectre NG seems to be even more dangerous and easier to exploit than Spectre v1 and v2.
Oh dear... according to the article, not "security holes" but "swiss cheese".

just ordered my R7 2700X components: 900€'s well spent (with 16GB 3200MHz RAM, a 500GB Samsung m.2 SSD and a Gaming-Mainboard)

the CPU's without integrated graphics are already supported.

Ryzen 2 and Threadripper 2? Don't they need kernel 4.17? (I don't use RC kernels)

Ryzen 2700 is "only" Ryzen+ (12nm) - and it should also work with 4.14.
Ryzen 2 will start next year as Ryzen 3700 and will be 7nm.

Only the Ryzen 2200G and 2400G with integrated Vega graphics need 4.17.

My hardware should arrive on Saturday, will test and tell :wink:

Edit: The only thing that might make problems is the ethernet chip of my board: Intel I211-AT - but I can use my USB WIFI dongle in case that this chip really is not working OOTB.

2 Likes

This is what I’m waiting for before I upgrade. Intel just goes from bad to worse.

Maybe it has been good that I haven't had the money to get a new computer. Maybe I'll buy and some day if I get rich :slightly_smiling_face:

1 Like

A little sad I didn't end up waiting...I'm so done with Intel!

@anon23612428 My hardware arrived today, but DHL seems to have dropped it somewhere on the way. There is a nice little crack in the CPU coming from a dent that looks like the whole package was dropped on an edge.

No test results from me until at least Tuesday (the company's warranty/Return-department is not working on Saturday's .... )

I thought about waiting until next year too, but there is no real advantage for me in doing so. The single-thread performance of my FX8350 is already noticeably too slow in WoW through Wine, and Ryzen 3700 will also fit into AM4 sockets. I ordered a Asus ROG Strix mainboard with X470 chipset, the ROG series usually gets the necessary BIOS updates to fit newer CPU's - so if the 7nm is troublefree and an upgrade is worth it, I can upgrade with just replacing the CPU.

2 Likes

Spectre-NG: Intel verschiebt die ersten Patches – koordinierte Veröffentlichung aufgeschoben

Eigentlich war für Montag die Veröffentlichung der ersten Spectre-NG-Patches geplant. Doch Intel hat um Aufschub gebeten und diesen auch erhalten. Neue, exklusive Informationen zeigen, wie es mit Spectre-NG jetzt weiter gehen soll.
[...]
Intel plant jetzt eine koordinierte Veröffentlichung am 21. Mai 2018. Zu diesem Termin sollen neue Microcode-Updates bereit gestellt werden.


english version: (will follow)

There is a new microcode for Intel available. It might help against Spectre Next-Gen.

4 Likes

Call me paranoid but I am starting to put more stock in tales that NSA has been sitting on these 0days for years while private researchers are finding the treasure troves only now...

Couldn't that explain their cockiness in the Snowden dumps?..

I hope Americans are paying attention and will at least try to FOIA or otherwise sue them. As well as Intel.

2 Likes

Next gen Spectre won't be fixed for a while ...

1 Like

Vulture South asked Intel to comment on the Heise report, and received a non-response saying it takes security very, very seriously, is working with anyone who can or should help to fix things. "We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations," the company said.

Where did I hear this before, I wonder?..

Everybody takes security seriously when their ass is on fire. But not before.

2 Likes

@anon23612428 Writing this from my R7 2700X :slight_smile: 4.16 worked great, but showed some ACPI errors during boot (no issues afterwards)

4.17 works great too, no ACPI errors during startup. Did not have a chance to test 4.14 yet, still busy setting the beast up

Edit: 4.14 shows the same ACPI messages, but also works without further issues.

1 Like

Forum kindly sponsored by