Intel Claims 90 Per Cent Of Affected CPUs Have Live Patches Just As Rumours Of New Attacks Arrive

This morning in a press release, Intel announced that it has "issued firmware updates for 90 per cent of Intel CPUs introduced in the past five years." But it's possible the flurry of patches is just beginning.

These Intel CPU updates patch major vulnerabilities known as Meltdown and Spectre, which security researchers say affect most CPUs -- including Intel's.

If you happen to have an Intel CPU made in the last five years, it might be time to consider applying one of those firmware updates just in case even more patches are imminent: Today the security world is wondering whether a new pair of attacks that are allegedly based on work related to Meltdown and Spectre is on the horizon - or just a hoax taking advantage of CPU-exploit fears.

It's been two weeks since The Register reported that nearly every CPU made in the last few years was subject to these severe security vulnerabilities, which could give bad actors access to some of your most precious data. Since then, Intel, which is reportedly most affected by the vulnerabilities, has been hard at work doing damage control. CEO Brian Krzanich tried to distract during his keynote at CES last week with esoteric talk of data and AI, and the company has been fairly religious about updating consumers as to the status of patches.

It's a nice turn for a company that reportedly sat on the news of the vulnerability for months. The latest update notes that while 90 per cent of Intel CPUs made in the last five years have had firmware updates, there is "more work to do." For Intel, that means investigating a problem in which patched CPUs based on Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake reboot too frequently.

In the press release today, Navin Shenoy, executive vice president and general manager of the Data Center Group, said, "We have reproduced these issues internally and are making progress toward identifying the root cause. In parallel, we will be providing beta microcode to vendors for validation by next week." Which means we should, hopefully, be getting fixes to the reboot problem in short order.

Shenoy also addressed the reports that patched CPUs will operate more slowly. While this data is limited to only a few server-focused benchmarks on server-grade CPUs, these are some of the first hard facts we've seen about how slow these CPUs will actually get with a firmware upgrade.

According to Shenoy, most processes saw negligible changes in performance. However, "the workloads that incorporate a larger number of user/kernel privilege changes and spend a significant amount of time in privileged mode will be more adversely impacted," he said. In one benchmark the processor saw a 25 per cent decrease in performance.

What that will actually mean for end users trying to process videos in Handbrake or edit photos in Adobe Photoshop, or even just playing around in PUBG, remains to be seen. Testing on consumer-level products has been more difficult, as the patches issued are frequently wrapped up in larger patches, which means there are often too many variables to take into account. A drop in performance could be related to the firmware upgrade or it could be related to a tweak to Windows or macOS.

Either way, it's probably a good idea to suck it up and face the slowdown and reboot problem since things may get worse before they get better. A website that began going viral today, Skyfallattacks, suggests more potential attack vectors are imminent. Currently, the site is basically just some text that alludes to two allegedly potential new attacks dubbed Skyfall and Solace. (Someone out there really likes Daniel Craig's James Bond -- marketing!) Little is known about this new pair of alleged exploits, and it's entirely possible they're entirely bullshit.

Following the recent release of the Meltdown and Spectre vulnerabilities, CVE-2017-5175, CVE-2017-5753 and CVE-2017-5754, there has been considerable speculation as to whether all the issues described can be fully mitigated.

Skyfall and Solace are two speculative attacks based on the work highlighted by Meltdown and Spectre.

Full details are still under embargo and will be published soon when chip manufacturers and Operating System vendors have prepared patches.

Again, this is all the information we have so far about Skyfall and Solace. Are they real exploits? A hoax meant to get everyone in a tizzy? Some nonsense marketing hype? We reached out to Intel to find out if they have any additional info, and we'll update when we hear back.

Still, Skyfall and Solace aside, the Meltdown and Spectre debacle is far from over. Any new kinds of attacks mean more patches in your future. So get to upgrading.

[Intel, Skyfall]


Comments

    Yeah, right. Sure thing, intel.

    This entire thing is a complete shitshow, and all intel is concerned about is keeping the PR fire stoked up and spreading misinformation. Meltdown and spectre require fixes in hardware, which is not possible for a CPU. It cannot be fixed with firmware/microcode updates, and instead requires huge workarounds in the kernel to mitigate the vulnerability. Even then, no vendor has actually solved the problem yet.

    KPTI and retpoline have made big strides to this in the linux kernel, yet even with the latter Skylake and newer CPUs were still not completely fixed. The BSDs are going down a similar route after being informed woefully late.
    What changes are microsoft and apple making to their kernels? Like always it's anyone's guess.

    All that being said, it's frustrating as hell that intel are trying to extinguish all of the flames directed at them. Flames which rightly should be directed at them. All the while they are still pushing new CPUs which yield the same vulnerability! What sort of recourse is there for consumers? I think there's a strong case for warranty claims or some sort of remuneration.

    ARM and AMD aren't off the hook either. Yet this campaign by intel to get everyone to relax is complete nonsense. "90 percent of CPUs have live patches". That's nice. The patches don't fix the problem, but sure thing, make everyone feel at ease!

    There are also benchmarks available for post-KPTI patched kernels [linux], running on consumer hardware [i7] not server hardware. As expected, performance impacts are highly task dependent, but it's a hugely mixed bag.

    https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti&num=1

    The good news, however, is that gaming applications don't appear to be affected too much. [It's mostly highly I/O intensive operations at this point which suffer].

    https://www.phoronix.com/scan.php?page=news_item&px=x86-PTI-Initial-Gaming-Tests

      For the shit that I do, I hope it’s minimal impact. Like owning a Ferrari and having the power reduced by 20%. I never use that power anyway.

      But for heavy users or organizations like Google and Amazon... that’s a massive performance impact and subsequent cost to buy new hardware to make up for the loss.

      Last edited 19/01/18 5:38 pm

      Of course they are still selling them. AMD can't supply the world CPU market for 5 years.
