Amd and Intel's security flaws and security vulnerabilities. The chosen one ISN'T BETTER THAN THE OTHER.

[Papusan]

AMD And Intel CPUs Rocked By New Speculative Execution Attack With A Huge Performance Hit

Do you remember a few years ago when everyone panicked over a couple of security flaws known as Meltdown and Spectre? These were a new type of security hole altogether, known as speculative execution flaws because they exploit the so-named capability of modern processors. That was back in 2018, and since then, every tech company under the sun has issued patches, firmware updates, and other guidance to mitigate the danger of these attacks.

 

So that's all over and dealt with, right? Well... not exactly. As it turns out, one of the major mitigations deployed against Spectre, known as "retpoline", isn't actually as helpful as we thought. A new flaw, known as "retbleed", has been discovered by researchers at ETH Zurich. Retbleed evades earlier protections against a specific form of the Spectre vulnerability, including machines using the retpoline mitigation..

 

Both AMD and Intel say that they're not aware of anyone making use of these vulnerabilities in the wild, but patches aren't available yet. When they do become available, they may come with a performance hit of as much as 28%. Hopefully some clever coders will come up with a way to mitigate that performance loss.

 

Microsoft try push you over on new hardware so you can enjoy their latest and most secure OS. Same do the HW manufacturers. They know they later have to patch flaws they have added to try optimize for better performance. Give with one hand and then take it back with the other hands. Or just hope you buy their newest and safer products that will suffer same mess after a couple of years. Why not just stop optimize for performance when you know you have to take it back later?

[Ishayin]

Meh... I rather agree with the sentiments expressed in this article:
https://www.extremetech.com/computing/337005-researchers-found-an-unpatchable-security-flaw-in-apples-m1-and-you-probably-dont-need-to-care

 

The amount of energy and drama expended seems out of proportion to the actual risks, and mainly only serves to keep IT professionals and tech writers employed as far as I can see. How many people do you know who have been impacted by any of these things? Over the entirety of the past decade, I know one person who got a minor virus, one person who was targeted by a social hack with no ill-results, and two people who have had their WhatsApp accounts hacked (and well, if you're still using WhatsApp, lol...). Social engineering is by far the most common form of attack these days, and renders most of the underlying technical issues completely moot.

[jaybee83]

2 hours ago, Ishatix said:

Meh... I rather agree with the sentiments expressed in this article:
https://www.extremetech.com/computing/337005-researchers-found-an-unpatchable-security-flaw-in-apples-m1-and-you-probably-dont-need-to-care

 

The amount of energy and drama expended seems out of proportion to the actual risks, and mainly only serves to keep IT professionals and tech writers employed as far as I can see. How many people do you know who have been impacted by any of these things? Over the entirety of the past decade, I know one person who got a minor virus, one person who was targeted by a social hack with no ill-results, and two people who have had their WhatsApp accounts hacked (and well, if you're still using WhatsApp, lol...). Social engineering is by far the most common form of attack these days, and renders most of the underlying technical issues completely moot.

true, drama sells clicks n views. but still, better to be aware than be caught off guard.

[Papusan]

It seem AMD collect vulnerabilities and prefer push out patches after they have released new products. This time patched only 31 vulnerabilities 🙂

 

AMD Discloses 31 New CPU Vulnerabilities, Issues Patch Guidance tomshardware.com

And yes, Intel follows the same path. But stop the talk about who is best in the class. They are both equal dishonest and both have to implement vulnerabilities to make their products to show better perfomance. Then they have to fix their own created mess with patches after they have been discovered with the panths down. This is classic. Give something with the left hand then backtack it later with the right hand. They should stop implement code to show their products in better lights. 

 

On 7/26/2022 at 10:45 PM, jaybee83 said:

true, drama sells clicks n views.

Not always😎 AMD try avoid drama. Drama can reduce sales😎 They usually hide what is patched in newer firmware. And they don't patch before they have to.

 

"AMD quietly divulged 31 new CPU vulnerabilities" in a January update, spanning its Ryzen chips for consumers and the EPYC data center processors. The vulnerability update also includes a list of AGESA versions, with mitigations for the impacted processors. 

 

Quetly fix the vulnerabilities then throw it out. The end results will sometimes end as this.. Angry owners of their modern HW.

. 

[Papusan]

AMD 'Zenbleed' Bug Allows Data Theft From Zen 2 Processors, Patches ComingA huge Zen 2 leak requires a patch.

 

[Update 9:15am PT: AMD told us that patches to prevent Zenbleed are available for its EPYC Rome processors, but hasn't said if they are available for the impacted consumer Ryzen CPUs. AMD also hasn't given an ETA for patches for Ryzen chips or responded to our questions about potential performance impacts from the Zenbleed patches. We're still working to learn more.]

 

The 'Zenbleed' vulnerability spans the entire Zen 2 product stack, including AMD's EPYC data center processors and the Ryzen 3000 CPUs, allowing the theft of protected information from the CPU, such as encryption keys and user logins. The attack does not require physical access to the computer or server and can even be executed via javascript on a webpage.

 

Update. AMD's statement implies there will be some performance impact from the patches, but we'll have to conduct independent benchmarks when the patches arrive for the consumer Ryzen products. In the meantime, we've asked AMD for any ballpark figures it can share.

 

 

According to Ormandy, all Zen 2 CPUs are impacted, including the EPYC Rome processors:

• AMD Ryzen 3000 Series Processors
• AMD Ryzen PRO 3000 Series Processors
• AMD Ryzen Threadripper 3000 Series Processors
• AMD Ryzen 4000 Series Processors with Radeon Graphics
• AMD Ryzen PRO 4000 Series Processors
• AMD Ryzen 5000 Series Processors with Radeon Graphics
• AMD Ryzen 7020 Series Processors with Radeon Graphics
• AMD EPYC “Rome” Processors

 

Not what the fanboys want to hear. But the AMD engineers is spot on.... from the security bulletins.  "Any computer system" has risks of security vulnerabilities that cannot be completely prevented or mitigated. 

 

And nice to see that AMD don't bother release a new patch before end of 2023 for their consumer chips. This means you still can have the same Cpu performance another 4 or 5 months 🙂

[Papusan]

The Red pill.....

 

AMD 'Inception' Vulnerability Affects Zen 3 and 4

 

Unfortunately for AMD and its users, Inception affects the latest AMD Ryzen processor families based on Zen 3 and Zen 4 cores — across data center, desktop, HEDT, and mobile. However, we must be thankful that, as details of Inception go live, mitigations are in the pipeline.

 

 

The Blue pill.....

 

Intel 'Downfall' Bug Steals Encryption Keys, Data From Years of CPUs

 

A new security vulnerability, called Downfall, was revealed today by Intel and the researcher who discovered it, Daniel Moghimi. The new attack uses Gather Data Sampling to steal data and other sensitive information from other users on a computer with Intel processors from 2015 through 2019 ranging from sixth gen Skylake through eleventh gen Rocket Lake and Tiger Lake.

[Papusan]

One more.... But for older Zen chips.  AMD Zen 1 Vulnerability Emerges, Dividing by 0 Can Leak Sensitive Data

 

Despite the fact that AMD's Zen 1 architecture is immune to the recent 'Inception' vulnerability affecting modern Zen 3 and Zen 4 CPUs, another vulnerability has been found that affects Zen 1 CPUs specifically. According to a report by Phoronix, a new Zen 1 vulnerability was found that can release potentially sensitive data if the CPU divides an integer calculation by the number 0 in Linux operating systems.

 

Thankfully the issue appears to be Linux-specific and does not affect Windows operating systems. Plus the vulnerability is already being actively patched for Linux users. However, the same cannot be said of the two other vulnerabilities affecting modern AMD CPUs and Intel CPUs, Inception and Downfall, right now.

[Papusan]

Yep. You'll never get what you paid for. Scummy. First they offer better performance then later they'll have to take it back. 

 

The Blue pill.

Intel's Downfall Mitigations Drop Performance Up to 39%, Tests Show

 

 

The Red pill.

AMD's Inception Fix Causes Up to 54% Performance Drop

 

 

 

 

And here is AMD's second problem..... It's Zen time 🙂 Maybe 3rd time have it's charm.

 

AMD Zen 1 Vulnerability Not Properly Fixed, Second Pass Issued

 

[Papusan]

CPU VULNERABILITY Intel is said to have known about Downfall as early as 2018

Plaintiffs accuse Intel of having known about security problems five years ago, which ultimately led to Downfall.....

[Papusan]

AMD CacheWarp Vulnerability Afflicts Previous Gen EPYC Server CPUs, Patch Issued tomshardware.com

[Papusan]

A new vulnerability affecting Apple, AMD, and Qualcomm GPUs could expose AI data

Some affected devices have already been patched, but many more are still vulnerable...

 

Based on extensive research, the group found GPUs made by AMD, Apple, and Qualcomm are vulnerable to this attack. Researchers could not find flaws in Intel, Nvidia, Arm, or Imagination GPUs....

[Papusan]

AMD discloses slew of high severity security vulnerabilities for Zen chips that attack BIOS chips — updates aim to patch bugs, finally fix Zenbleed

 

Update your BIOS ASAP. Hmmm. Here as well. Follow same procedure as with Windows security patches. Don't be the guinea pig.

[Papusan]

Yup. Everyone hoped that Apple could make it better than Intel. 

 

The security analysts confirmed the exploit, dubbed GoFetch, works on M1 CPUs and speculate that it likely also impacts M2 and M3 chips and their Pro and Max variants. Intel's 13th-generation Raptor Lake processors also exhibit the flaw that enables GoFetch but are probably unaffected.

 

 

Unpatchable Apple Silicon vulnerability could leak encryption keys

In brief: Hardware-based security flaws have become more frequent over the last several years but have mostly affected Intel and AMD processors. Now, Apple joins those ranks with a recently discovered vulnerability that causes Mac M-series CPUs to expose encryption keys. Since it is hardware-based, there is little users can do besides keeping macOS updated.