Amd and Intel's security flaws and security vulnerabilities. The chosen one ISN'T BETTER THAN THE OTHER.

[Papusan]

AMD And Intel CPUs Rocked By New Speculative Execution Attack With A Huge Performance Hit

Do you remember a few years ago when everyone panicked over a couple of security flaws known as Meltdown and Spectre? These were a new type of security hole altogether, known as speculative execution flaws because they exploit the so-named capability of modern processors. That was back in 2018, and since then, every tech company under the sun has issued patches, firmware updates, and other guidance to mitigate the danger of these attacks.

 

So that's all over and dealt with, right? Well... not exactly. As it turns out, one of the major mitigations deployed against Spectre, known as "retpoline", isn't actually as helpful as we thought. A new flaw, known as "retbleed", has been discovered by researchers at ETH Zurich. Retbleed evades earlier protections against a specific form of the Spectre vulnerability, including machines using the retpoline mitigation..

 

Both AMD and Intel say that they're not aware of anyone making use of these vulnerabilities in the wild, but patches aren't available yet. When they do become available, they may come with a performance hit of as much as 28%. Hopefully some clever coders will come up with a way to mitigate that performance loss.

 

Microsoft try push you over on new hardware so you can enjoy their latest and most secure OS. Same do the HW manufacturers. They know they later have to patch flaws they have added to try optimize for better performance. Give with one hand and then take it back with the other hands. Or just hope you buy their newest and safer products that will suffer same mess after a couple of years. Why not just stop optimize for performance when you know you have to take it back later?

[Ishayin]

Meh... I rather agree with the sentiments expressed in this article:
https://www.extremetech.com/computing/337005-researchers-found-an-unpatchable-security-flaw-in-apples-m1-and-you-probably-dont-need-to-care

 

The amount of energy and drama expended seems out of proportion to the actual risks, and mainly only serves to keep IT professionals and tech writers employed as far as I can see. How many people do you know who have been impacted by any of these things? Over the entirety of the past decade, I know one person who got a minor virus, one person who was targeted by a social hack with no ill-results, and two people who have had their WhatsApp accounts hacked (and well, if you're still using WhatsApp, lol...). Social engineering is by far the most common form of attack these days, and renders most of the underlying technical issues completely moot.

[jaybee83]

2 hours ago, Ishatix said:

Meh... I rather agree with the sentiments expressed in this article:
https://www.extremetech.com/computing/337005-researchers-found-an-unpatchable-security-flaw-in-apples-m1-and-you-probably-dont-need-to-care

 

The amount of energy and drama expended seems out of proportion to the actual risks, and mainly only serves to keep IT professionals and tech writers employed as far as I can see. How many people do you know who have been impacted by any of these things? Over the entirety of the past decade, I know one person who got a minor virus, one person who was targeted by a social hack with no ill-results, and two people who have had their WhatsApp accounts hacked (and well, if you're still using WhatsApp, lol...). Social engineering is by far the most common form of attack these days, and renders most of the underlying technical issues completely moot.

true, drama sells clicks n views. but still, better to be aware than be caught off guard.

[Papusan]

It seem AMD collect vulnerabilities and prefer push out patches after they have released new products. This time patched only 31 vulnerabilities 🙂

 

AMD Discloses 31 New CPU Vulnerabilities, Issues Patch Guidance tomshardware.com

And yes, Intel follows the same path. But stop the talk about who is best in the class. They are both equal dishonest and both have to implement vulnerabilities to make their products to show better perfomance. Then they have to fix their own created mess with patches after they have been discovered with the panths down. This is classic. Give something with the left hand then backtack it later with the right hand. They should stop implement code to show their products in better lights. 

 

On 7/26/2022 at 10:45 PM, jaybee83 said:

true, drama sells clicks n views.

Not always😎 AMD try avoid drama. Drama can reduce sales😎 They usually hide what is patched in newer firmware. And they don't patch before they have to.

 

"AMD quietly divulged 31 new CPU vulnerabilities" in a January update, spanning its Ryzen chips for consumers and the EPYC data center processors. The vulnerability update also includes a list of AGESA versions, with mitigations for the impacted processors. 

 

Quetly fix the vulnerabilities then throw it out. The end results will sometimes end as this.. Angry owners of their modern HW.

. 

[Papusan]

AMD 'Zenbleed' Bug Allows Data Theft From Zen 2 Processors, Patches ComingA huge Zen 2 leak requires a patch.

 

[Update 9:15am PT: AMD told us that patches to prevent Zenbleed are available for its EPYC Rome processors, but hasn't said if they are available for the impacted consumer Ryzen CPUs. AMD also hasn't given an ETA for patches for Ryzen chips or responded to our questions about potential performance impacts from the Zenbleed patches. We're still working to learn more.]

 

The 'Zenbleed' vulnerability spans the entire Zen 2 product stack, including AMD's EPYC data center processors and the Ryzen 3000 CPUs, allowing the theft of protected information from the CPU, such as encryption keys and user logins. The attack does not require physical access to the computer or server and can even be executed via javascript on a webpage.

 

Update. AMD's statement implies there will be some performance impact from the patches, but we'll have to conduct independent benchmarks when the patches arrive for the consumer Ryzen products. In the meantime, we've asked AMD for any ballpark figures it can share.

 

 

According to Ormandy, all Zen 2 CPUs are impacted, including the EPYC Rome processors:

• AMD Ryzen 3000 Series Processors
• AMD Ryzen PRO 3000 Series Processors
• AMD Ryzen Threadripper 3000 Series Processors
• AMD Ryzen 4000 Series Processors with Radeon Graphics
• AMD Ryzen PRO 4000 Series Processors
• AMD Ryzen 5000 Series Processors with Radeon Graphics
• AMD Ryzen 7020 Series Processors with Radeon Graphics
• AMD EPYC “Rome” Processors

 

Not what the fanboys want to hear. But the AMD engineers is spot on.... from the security bulletins.  "Any computer system" has risks of security vulnerabilities that cannot be completely prevented or mitigated. 

 

And nice to see that AMD don't bother release a new patch before end of 2023 for their consumer chips. This means you still can have the same Cpu performance another 4 or 5 months 🙂

[Papusan]

The Red pill.....

 

AMD 'Inception' Vulnerability Affects Zen 3 and 4

 

Unfortunately for AMD and its users, Inception affects the latest AMD Ryzen processor families based on Zen 3 and Zen 4 cores — across data center, desktop, HEDT, and mobile. However, we must be thankful that, as details of Inception go live, mitigations are in the pipeline.

 

 

The Blue pill.....

 

Intel 'Downfall' Bug Steals Encryption Keys, Data From Years of CPUs

 

A new security vulnerability, called Downfall, was revealed today by Intel and the researcher who discovered it, Daniel Moghimi. The new attack uses Gather Data Sampling to steal data and other sensitive information from other users on a computer with Intel processors from 2015 through 2019 ranging from sixth gen Skylake through eleventh gen Rocket Lake and Tiger Lake.

[Papusan]

One more.... But for older Zen chips.  AMD Zen 1 Vulnerability Emerges, Dividing by 0 Can Leak Sensitive Data

 

Despite the fact that AMD's Zen 1 architecture is immune to the recent 'Inception' vulnerability affecting modern Zen 3 and Zen 4 CPUs, another vulnerability has been found that affects Zen 1 CPUs specifically. According to a report by Phoronix, a new Zen 1 vulnerability was found that can release potentially sensitive data if the CPU divides an integer calculation by the number 0 in Linux operating systems.

 

Thankfully the issue appears to be Linux-specific and does not affect Windows operating systems. Plus the vulnerability is already being actively patched for Linux users. However, the same cannot be said of the two other vulnerabilities affecting modern AMD CPUs and Intel CPUs, Inception and Downfall, right now.

[Papusan]

Yep. You'll never get what you paid for. Scummy. First they offer better performance then later they'll have to take it back. 

 

The Blue pill.

Intel's Downfall Mitigations Drop Performance Up to 39%, Tests Show

 

 

The Red pill.

AMD's Inception Fix Causes Up to 54% Performance Drop

 

 

 

 

And here is AMD's second problem..... It's Zen time 🙂 Maybe 3rd time have it's charm.

 

AMD Zen 1 Vulnerability Not Properly Fixed, Second Pass Issued

 

[Papusan]

CPU VULNERABILITY Intel is said to have known about Downfall as early as 2018

Plaintiffs accuse Intel of having known about security problems five years ago, which ultimately led to Downfall.....

[Papusan]

AMD CacheWarp Vulnerability Afflicts Previous Gen EPYC Server CPUs, Patch Issued tomshardware.com

[Papusan]

A new vulnerability affecting Apple, AMD, and Qualcomm GPUs could expose AI data

Some affected devices have already been patched, but many more are still vulnerable...

 

Based on extensive research, the group found GPUs made by AMD, Apple, and Qualcomm are vulnerable to this attack. Researchers could not find flaws in Intel, Nvidia, Arm, or Imagination GPUs....

[Papusan]

AMD discloses slew of high severity security vulnerabilities for Zen chips that attack BIOS chips — updates aim to patch bugs, finally fix Zenbleed

 

Update your BIOS ASAP. Hmmm. Here as well. Follow same procedure as with Windows security patches. Don't be the guinea pig.

[Papusan]

Yup. Everyone hoped that Apple could make it better than Intel. 

 

The security analysts confirmed the exploit, dubbed GoFetch, works on M1 CPUs and speculate that it likely also impacts M2 and M3 chips and their Pro and Max variants. Intel's 13th-generation Raptor Lake processors also exhibit the flaw that enables GoFetch but are probably unaffected.

 

 

Unpatchable Apple Silicon vulnerability could leak encryption keys

In brief: Hardware-based security flaws have become more frequent over the last several years but have mostly affected Intel and AMD processors. Now, Apple joins those ranks with a recently discovered vulnerability that causes Mac M-series CPUs to expose encryption keys. Since it is hardware-based, there is little users can do besides keeping macOS updated.

[Papusan]

AMD finally patches gaping Zenbleed security hole — MSI releases AGESA 1.2.0.Ca BIOS update for Zen 2

 

AMD did not state if this new security update impacts performance. When we tested Zenbleed fixes previously, we found that while gaming was unaffected, other performance could drop as much as 15%.

[Papusan]

How can you make secure hardware when you can't secure your own network? Maybe AMD used own hardware? Or own home brewed AI software😀

 

This is not AMD's first encounter with cybersecurity challenges. In 2022, the company was targeted by the RansomHouse hacking group, which also claimed to have extracted data from AMD's networks. That incident led to an extensive investigation by AMD to assess the damage and bolster its security measures. 

AMD confirms new security breach: future product information, source code and spec sheets compromised

[Papusan]

Firmware flaw affects numerous generations of Intel CPUs

Eclypsium Automata uncovers Phoenix as the latest to fall to a significant Arbitrary Code Execution exploit impacting Lenovo, AMI, Insyde, and Intel motherboard firmware.

[Papusan]

AMD's 'Sinkclose' vulnerability affects hundreds of millions of processors, enables data theft — AMD begins patching issue in critical chip lines, more to follow

Almost cannot be fixed, say researchers....

 

 

'Sinkclose' is the name of a recently discovered major security vulnerability that affects virtually all of AMD's processors released since 2006. This flaw allows attackers to deeply infiltrate a system, making it extremely difficult to detect or remove malicious software. The issue is so severe that, in some cases, it may be easier to abandon an infected machine than to repair it, reports Wired. 

There is good news, though: since it has not been discovered for 18 years, it likely hasn't been used. Also, AMD is patching its platforms to protect them, though not all affected processors have received a patch yet.  

 

 

[Papusan]

AMD won't patch all chips affected by severe data theft vulnerability

 

 "There are some older products that are outside our software support window." AMD has no plans to update its Ryzen 1000, 2000, and 3000 series processors or its Threadripper 1000 and 2000 models.

 

In short. AMD processors released as late as late 2019 is too old to be patched. Yup, AMD care about their customers (corporate, governments and vanilla PC consumers). 

 

Sinkclose evades antiviruses and "persists even after OS reinstall".

[Mr. Fox]

A "secure" system (actually a myth) that doesn't do what you want it to do is worthless. Function and performance always trump security as far as I am concerned. All the patches and security fixes in the world won't fix the DIMM-wit using the keyboard. (Yeah, you saw what I did there, LOL.)

 

The biggest security risk with any computer is a stupid user.

 

Simple fix... for unwanted updates, not for stupid users or stupid employees working on the Windoze Support Team (can't fix stupid)... just tweak the registry and hit "Advanced options" on the Windoze Updates page in settings and delay them for 10 years. Hint: You'll need to scroll a LOOOONG way down to reach the 10 year mark.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings]
"ActiveHoursEnd"=dword:00000011
"ActiveHoursStart"=dword:00000008
"AllowAutoWindowsUpdateDownloadOverMeteredNetwork"=dword:00000000
"ExcludeWUDriversInQualityUpdate"=dword:00000001
"FlightCommitted"=dword:00000000
"IsExpedited"=dword:00000000
"LastToastAction"=dword:00000000
"UxOption"=dword:00000004
"InsiderProgramEnabled"=dword:00000000
"SvDismissedState"=dword:00000001
"SmartActiveHoursSuggestionState"=dword:00000001
"SmartActiveHoursTimestamp"=hex(b):b9,80,63,7c,b6,73,da,01
"HideMCTLink"=dword:00000001
"RestartNotificationsAllowed2"=dword:00000000
"SmartActiveHoursStart"=dword:00000007
"SmartActiveHoursEnd"=dword:00000010
"FlightSettingsMaxPauseDays"=dword:00000e42

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings\ModelState]
"SignalRegistered"="::2F1AAFCACF"

 

No need to worry about stupid crap like this (below) ruining your day when you're calling all of the shots and keeping the numbskulls at Micro$lop out of your business.

3 hours ago, Papusan said:

 

Yup. And this apply also for the OS. 

An update made to fix a vulnerability broke dual-boot Windows-Linux PCs

neowin.com · 7 hours ago

A Windows Patch Tuesday update that was supposed to fix a vulnerability has caused a number of dual-boot Windows-Linus PCs to no longer boot up in Linux. Microsoft has yet to fix this problem.

[Papusan]

On 8/10/2023 at 3:31 AM, Papusan said:

The Red pill.....

 

AMD 'Inception' Vulnerability Affects Zen 3 and 4

 

Unfortunately for AMD and its users, Inception affects the latest AMD Ryzen processor families based on Zen 3 and Zen 4 cores — across data center, desktop, HEDT, and mobile. However, we must be thankful that, as details of Inception go live, mitigations are in the pipeline.

 

 

The Blue pill.....

 

Intel 'Downfall' Bug Steals Encryption Keys, Data From Years of CPUs

 

A new security vulnerability, called Downfall, was revealed today by Intel and the researcher who discovered it, Daniel Moghimi. The new attack uses Gather Data Sampling to steal data and other sensitive information from other users on a computer with Intel processors from 2015 through 2019 ranging from sixth gen Skylake through eleventh gen Rocket Lake and Tiger Lake.

 

With a native mitigation to Inception.... Newer Zen 5 and older Zen 1/Zen+ and Zen 2 CPU is unaffected. With Zen3 you're screwed.

 

With a native mitigation to Inception, Zen 5 is unaffected by software-based security mitigations' potential performance degradation effects. Zen 3 and Zen 4 require software mitigations to patch Inception. Zen 3 can suffer a whopping 54% performance drop with the Inception software mitigations turned on (but only on specific workloads).

Hilariously, though, AMD's older Zen 1/Zen+ and Zen 2 CPU architectures are unaffected by the Inception vulnerability due to the way the branch predictor works in those architectures.

 

https://www.tomshardware.com/pc-components/cpus/zen-5-cpu-performance-is-unaffected-by-inception-mitigation