Topic: Flaw in Intel CPUs may lead to serious performance loss when worked around in OS

[Cobra951]

This has got to be the biggest disaster for Intel in their history.  All their CPUs going back at least 10 years have been found to allow an exploit to leak Ring-0 data into Ring 3--from kernel to user space.  The resulting security hole can't be plugged with microcode or BIOS alterations, apparently.  So far, the only solution is at the OS level, and will impact performance up to 50%, depending on workload and what that workload is calling.  Any calls into the kernel apparently will now take twice as long.  I'm not going to spend a lot of time here.  I'll link the Arstechnica article that most geekily seems to cover the details.  I first learned this from a reddit thread referencing a story in The Register (.co.uk) yesterday.  Just . . . heads up!  Patch should be incoming next week.  Vulnerabilities seems worst at the server and large-database level.  We consumers have a choice to make between now and then.  These are our systems, after all.  Risk (how much?) vs lethargy and greater security.

[scottws]

I'm in InfoSec these days... this ("Meltdown") as well as the other CPU flaw affecting virtually every manufacturer ("Spectre") are absolutely huge news because of the implications for cloud providers of IaaS and SaaS as well as the various virtual hypervisor platforms.

I didn't hear the 50% performance impact number.  I heard 30%.  But I think that claim is being seized upon by the media because its so alarming.  I don't think overall performance degradation will be anywhere near that number.

I'd say fun times at work ahead, but I'll be out of the country for leisure from January 8 to February 2, so it's someone else's problem at work.

[idolminds]

I updated Windows manually to protect against this since the built in windows update wasn't grabbing it for some reason. Link here for the different versions. Most of you will want the last one on the list.

And I guess this isn't just Intel. AMD and ARM systems are affected. What a complete disaster.

[Cobra951]

Are you sure about AMD?  According to what I've been reading, AMD CPUs don't do the speculative shit that made this hole, but the OS's are getting patched to assume all x86 CPUs are vulnerable.  So is it a case of the big boys (Blue and Green) in bed together imposing an artificially level playing field, is it too difficult to maintain two separate paths in the OS, or something I missed?

Have you done anything to compare performance on your system before and after?  Oh, and thanks for that link.  I'm about to download that, though I'll hold off on applying it at least until some of this dust settles.  I still have a lot to learn about what this all means on the consumer end, and how much real-world performance loss is involved here.

[idolminds]

Ah, I might be mistaken. The news reports I was reading said AMD and ARM were affected but that might not be the case.

And no, havent done any benchmarking but so far everything seems normal. I'll let you know if I notice anything.

[Quemaqua]

This is all a bit above my pay grade. Sounds nasty, though, and I certainly don't like the idea of losing performance to security patches. I just updated Windows but have no idea if it includes this patch. Is there any way to tell?

[Cobra951]

The choking update isn't supposed to come out to the general public until next week.  What idol linked above is a cumulative update for 1709 (Win 10, Fall Creators version) dated 1/4/18, which apparently has the security fix.  Only insiders have been getting the patch as part of auto-updates.  You can download the update manually from the catalog site and apply it.  I'm still on 1607 (Anniversary Edition), and the last update for that so far is 11/22/17.  I'll have to wait a bit longer, but I was going to do that anyway.

Edit:  Well, now I'm hearing the update was pushed out to the public.  I'm also hearing it isn't the last one we'll see because there is more to fix.  Oi.  Trouble in paradise.  This is the one aspect of my life that was running smoothly . . .   Figures.

On the positive side, it seems like the updates (so far) have negligible impact on gaming and general desktop use.  Will need to keep an eye on the kind folks doing benchmark work, before and after.

https://meltdownattack.com/meltdown.pdf

[gpw11]

Soooooooo, I'm pretty basic (ha).  What exactly are the implications to someone like me who basically just uses my pc to play games and crush out some spreadsheets/emails?

[idolminds]

Firefox 57.0.4 has some preliminary changes to help protect against this.

[Cobra951]

Soooooooo, I'm pretty basic (ha).  What exactly are the implications to someone like me who basically just uses my pc to play games and crush out some spreadsheets/emails?

The bulk of the pain is on servers, databases, the "cloud"--both performance hits by the fixes, and vulnerability potential if not fixed.  Everything I've read so far is that it's all reading privileged memory by unauthorized processes, not writing into it.  But if they're reading your keystrokes, login information, etc, the real damage to you can be as severe as if they could directly screw up your kernel.  Virtual machines, for instance, always thought totally isolated from the system and from each other, are now compromised.  Anything that uses virtualization lost a security barrier once thought to be impregnable.

I wouldn't take this lightly, but I wouldn't panic either.  Truth be told, we've lived with this vulnerability a long time, and the sky hasn't fallen in on us.  (Wonder if the NSA has used it?)  Now that the cat is out of the bag to the public, the danger will escalate.  I never would have conceived of this, and neither would most hackers.  The public dissemination in detail of the attacks possible against the vulnerabilities helps both the security establishment and the hackers.

Edit:  Downloading update for Win10 Anniversary Ed (1607) now.  Cumulative with security fix.  So glad I don't have to do the big jump to Fall Creators Ed.  Looks like 1607 gets support till 2023 too, perhaps due to some CPUs being incompatible with later editions.  (Not that I'm morally opposed to them.  I just like to leave well enough alone whenever I can.)

Edit 2:  DO NOT download this if you allow automatic Windows updates.  This is not for the latest version of Windows 10.  (Not that it would harm anything, but it'd be a waste of your time.)

Edit 3:  Gamer's Nexus go at explaining and urging calm.  I think it's pretty good at it.

[idolminds]

Epics Fortnite was having login issues today. Its due to the cloud hosting service being updated to mitigate the meltdown vulnerability. They even provided a chart showing CPU usage before and after the patch.

[scottws]

I don't really think it's feasible for Windows users, including enterprises and their servers, to avoid installing the patch.  Microsoft deploys everything as cumulative updates now, so it would mean forgoing all future updates.

I installed it on my new ThinkPad t470s (Core i5-6300) and I haven't noticed a difference, but I'm not a heavy user.  We also installed it at work and haven't noticed much of a difference.  Haven't deployed it on the SQL Server database servers yet, though.  That's where the highest impact is likely to be.

[Cobra951]

I don't really think it's feasible for Windows users, including enterprises and their servers, to avoid installing the patch.  Microsoft deploys everything as cumulative updates now, so it would mean forgoing all future updates.

Yes, to be sure.  It's more a question of when than if.  I want to see all the falling chips land, bounce, and settle down first.  I already read that Cemu isn't affected.  If a totally CPU-bound emulator intensively using all my resources gets through unscathed, I feel a lot better about it.  Maybe the fixes will improve significantly over time too?  More efficiency, less impact, more optimizations elsewhere to mitigate the damage?  Hope springs eternal.

I'd feel sorry for you in your job if you weren't traveling on vacation to fun foreign places.

[idolminds]

Yeah I havent noticed anything with the games I play, so heres hoping its not so bad.

[scottws]

I'd feel sorry for you in your job if you weren't traveling on vacation to fun foreign places.

Haha!  Honestly it's a just another day in the life of an InfoSec professional.  It seems like every day we're dealing with one major issue or another.  Phishing attacks, malware outbreaks, significant vulnerabilities, audits...  You almost become numb to it after a certain point.

[Cobra951]

7 days later, I'm still waiting for the fear of God.  Details were supposed to be embargoed until this week, or so I thought.  I figured we'd have a more complete and ominous story by now.  The only thing more ominous is the amount of work it's going to take to plug up all the holes.  It seems everything is involved, OS, BIOS, microcode, even applications.  You know average consumers are not going to jump through all those hoops.  On the other hand, it doesn't seem they need to.  They're not running servers or virtual machines.  Neither am I.

The last time I felt the fear of God was last Spring, when the Shadow Brokers and WannaCrypt worm were making headlines.  Red ransomware lock screens featured in my nightmares.  I security-patched everything lickety split.  What I feel now can more accurately be described as annoyance.  If I let unauthorized processes get into my system, I might expose my private data.  Yeah, so what else is new?  I'll tell you:  What's new is that now I'm supposed to overhaul my system, from soup to nuts, lose some performance in the process, perhaps stability as well, to mitigate a small risk of intrusion that is only one way I might compromise myself if I'm careless.  There is no new risk of malicious corruption of the system or data, which is what really scares me.

I'm back on the fence.  I will wait and see.  I will do nothing about these bugaboos just yet.