Intel chips have security design flaw

There is a massive design flaw found in Intel processors that affects operating systems using Windows, Mac, and Linux. It is also believed that this will affect cell phones as well.

Evidently, Mac already pushed patches for this and Microsoft will push its patch on Tuesday’s update schedule.

Intel and some others claim it affects many other companies such as AMD. AMD says it doesn’t. Here’s an article with info about the flaw in AMD and ARM processors. (Deducting two points for using the term “Chipocalypse now”.)

The problem is predictive computing: The chip “guesses” what instructions will be executed next and goes ahead and does them. If the “if” branch turns out to be not taken, then the operation is dumped without effect (in theory).

Note that if the “if” branch not taken involved peeking into an area of memory you’re not supposed to be looking at (hence why that branch wasn’t supposed to be done), then you can squeeze out some info in certain circumstances due to the flaw.

Note that “fixing” the flaw in software (it can’t be fixed with a microcode update) hurts this predictive computing, which means it slows down regular processes.

Not good.

Updating the OS for Intel and AMD chips will be needed but people running older OSes (for a loose definition of “older”) will be left out, as usual.

The ARM situation is scarier. A lot of phone/tablet makers don’t provide updates of this type for anything a year or two old, if at all.

Note that this peeking into protected memory doesn’t sound like a full root exploit. But it certainly sounds like something that can be exploited to gain full control now that the details are out in the open.

I watched the stock tank yesterday, and it continues today. Down 4% at this time.

As I understand it, there are actually two flaws. Both have to do with predictive computing (I think). The initial press conference wasn’t clear on the details.
One problem can be solved with a software patch, though it comes at a significant performance cost. It causes a security hole for cloud computers as well.

The second flaw simply can’t be fixed according to the people at the press conference. The only way to fix this is to buy a new computer with a new CPU, which hasn’t been designed yet. Apparently there was a memory management design decision 20+ years ago that turns out to be a bad idea. Unfortunately all CPU designs in the world chose to implement this idea in their CPUs.
As the speaker said, this problem will be with us for decades, as all embedded computers, cell phones, computers, etc. that use any CPU designed in the last 20 years will have this vulnerability until replaced.

Here is an article saying that AMD isn’t subject to the exploit.

And I see that it is two exploits–one that is Intel specific, one that isn’t.

Apparently Microsoft decided yesterday to push these patches to its Azure host servers without very much warning - the place where I work has all of its servers hosted in Azure and they went suddenly offline for an hour each today while their VM host went through patching (we’re too cheap for any sort of availability management - if we had that, I guess we’d have been migrated around and would not have noticed).

The one that affects almost all processors, Spectre, is a very big deal.

At least it has a cute icon. (How long do spectres live?)

Meanwhile, AMD stock, which I just happened to buy on Tuesday before this news, has climbed over 10%.

Ouch.

By an amazing coincidence, the CEO of Intel sold off a large part of his shares in ~November, keeping just the minimum he was required to hold, thereby avoiding the hit Intel stock has taken now that the bug is public.

Note that Google people had informed Intel and other affected companies well before that.

Nothing to see here, move along.

I thought people did time for that sort of thing.

Intel–the computer Insider Trading.

You might want to take the gain. Once it becomes clear that Spectre is the bigger deal and patches won’t work, AMD is likely to suffer too.

Or maybe this is a buying opportunity for both stocks. People are going to need to buy a lot of new processors.

They (and the other providers) had a better mitigation plan that didn’t include unannounced updates. But news of the exploit leaked out before the planned announcement next Tuesday, so there was a lot of scrambling yesterday to rush things out.

Yeah - I spent most of the morning explaining to users that what was happening was rather extraordinary, and that yes, some proper notice would have been right and proper, but that we should assume this emergency action was done in order to prevent a greater pain.

I guess it’s especially pertinent for people running server farms and renting virtual machines, because (as I understand it) the exploit leaks data locally to the CPU (so one program can steal data from another), but in a shared virtual server farm, one CPU may be running the virtual machines (or components of them) for more than one organisation.

Here is an article from the Register which broke the story. It has others on the site.

The fix is not to change the prediction - it is to put the kernel into a separate address space. That does slow down programs which do lots of kernel calls, but shouldn’t affect much of the usual computing like gaming and word processing very much.
The exploit is most dangerous in the Cloud, since machines are shared. If you manage not to download any code with the exploit on your personal machine you should be okay - and if you do load untrusted code you will be in trouble in a lot of other ways.
This is for Meltdown - it appears that Spectre, though harder to fix, is also harder to exploit.
This all started in 1995 when Andy Grove was CEO of Intel, so he clearly wasn’t paranoid enough. When I was there I worked on Itanic (Itanium) which does not have the problem - not that anyone uses it much any more.
Prediction is done in hardware, not in microcode, so the root cause fix will require a redesign.
SPARC processors also do not have the bug.
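The post above describes the Meltdown fix as moving the kernel into a separate address space (the mitigation Linux calls PTI). A practical follow-up question for anyone administering Linux hosts is whether that mitigation is actually active after patching. The script below is an added example, not code from the thread or from any vendor: it reads the per-vulnerability status files that Linux 4.15 and later kernels expose under /sys/devices/system/cpu/vulnerabilities/ and classifies each one. The sample status strings (SAMPLE_PATCHED, SAMPLE_UNPATCHED) are constructed for the example and mirror the wording those files use on kernels of that era; the exact strings on a given host are the assumption here, so the classifier only keys on the leading word.

```python
"""Report whether the running Linux kernel says Meltdown/Spectre are mitigated.

Added example (not from the original thread). Assumes the sysfs layout
introduced in Linux 4.15: one file per issue, each containing a single line
such as "Not affected", "Vulnerable" or "Mitigation: PTI".
"""
from pathlib import Path

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
CHECKED = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map one sysfs status line to a coarse category.

    Only the leading word is inspected, because the text after
    "Mitigation:" or "Vulnerable:" varies between kernel versions.
    """
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    # Empty or unrecognised: kernel too old to report, or not Linux.
    return "unknown"


def read_sysfs(directory: str = SYSFS_DIR, names=CHECKED) -> dict:
    """Read the raw status text for each issue; missing files yield ""."""
    base = Path(directory)
    out = {}
    for name in names:
        try:
            out[name] = (base / name).read_text()
        except OSError:
            out[name] = ""
    return out


def assess(statuses: dict) -> dict:
    """Classify every raw status string."""
    return {name: classify(text) for name, text in statuses.items()}


def needs_attention(assessment: dict) -> list:
    """Issues that are still reported vulnerable, or that we cannot tell."""
    return sorted(n for n, c in assessment.items() if c in ("vulnerable", "unknown"))


# Constructed samples: what a patched host and an unpatched host might report.
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable\n",
}


if __name__ == "__main__":
    # Show the two constructed samples, then the live host (if it is Linux 4.15+).
    for label, sample in (("patched sample", SAMPLE_PATCHED),
                          ("unpatched sample", SAMPLE_UNPATCHED),
                          ("this host", read_sysfs())):
        result = assess(sample)
        print(f"{label}: {result}; needs attention: {needs_attention(result)}")
```

On a host where the PTI fix the post describes is in place, the meltdown file reads "Mitigation: PTI"; a kernel that predates the reporting interface yields "unknown" for everything, which the script deliberately treats the same as "vulnerable" so that an old kernel is not mistaken for a safe one.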

It seems weird to me that they patched Linux out in the open if they wanted to keep a lid on this until next Tuesday. Security issues like that should be patched on a private branch.

It was an enormous fuck-up. I’m not privy to any details but I suspect that the developers involved will not be trusted with future embargoed security flaws. Leaking the issue on the day after Christmas is utterly inexcusable and has apparently caused an awful lot of problems for poor developers on other projects who have suddenly had to work on mitigating the issue over their holiday.