For meltdown, my feeling is that the risk is real. Code running in unprivileged user space can pull memory contents from anything, including the kernel. That's bad. It's not unauthenticated RCE bad, but it could make other RCE vulnerabilities worse.
Spectre is a bit tougher. The CVSS (v3) is supposed to help better categorize risk, but frankly I'm not sure it really helps. The reality is that the risk is probably low...until it isn't. The most common attack vector for a typical client/user is via Javascript executing within browser, and most browsers now have incorporated strategies to mitigate the risk the best they can, mostly by decreasing timer precision. However, w.r.t. Spectre, risk reduction is about all we can hope for at this point. In my mind, the biggest danger is for cloud/multi-tenant service providers, especially those using virtualization (i.e., all). And I can virtually guarantee you that everybody on this distribution has data they would consider sensitive on one of these platforms, knowingly or not. Before I left my last job in January, where part of my role included vulnerability risk analysis with respect to the environments we operated, this was the largest risk we were tracking. It's unlikely we'll see BIOS updates incorporating the new microcode for boards as old as the X79, but my Sandy Bridge-E's CPUID (206D7) is included in the Microsoft patch I linked previously. -----Original Message----- From: Hardware [mailto:hardware-boun...@lists.hardwaregroup.com] On Behalf Of Winterlight Sent: Friday, July 6, 2018 3:38 PM To: hardw...@lists.hardwaregroup.com Subject: Re: [H] Should I rebuild my machine now or wait until the next gen of CPUs? This has been an interesting thread. So Greg the Ivy Bridge patch that you posted will be delivered by Windows 10 ...eventually... maybe? I am still running a P9X79 WS with my six core Ivy Bridge with Win10. InSpectre tells me Spectre is not protected and performance is slower. Just how much at risk am I. I figure I will never see a BIOS update.. ... or will I. The whole thing is a big mess, and I would imagine there are all sorts of class action law suites heading toward CPU and motherboard manufactures. At 10:08 AM 7/6/2018, you wrote: >The chipset vulnerabilities were ugly, yes, but for their part AMD >did ensure they were resolved quickly despite the research firm not >following industry best-practices regarding vulnerability >disclosure. My bigger beef is that AMD would use ASSmedia (not a >typo) at all, given their fairly well-established track record of >being roughly equivalent to dog excrement. I don't subscribe to the >AMD Fanboy narrative that it was an Intel hit-job, though. > >Intel's roadmap is a real mess right now. A sudden and surprisingly >competitive AMD portfolio coupled with severe yield and performance >issues with their ambitious 10nm process technology has painted them >into a corner with no good near-term options. So, they're going to >push their 14nm++ tech for another iteration, adding cores, to (try >to) re-establish clear superiority . Luckily for them, their 14++ is >actually really good. > >Greg > >-----Original Message----- >From: Hardware [mailto:hardware-boun...@lists.hardwaregroup.com] On >Behalf Of Brian Weeden >Sent: Friday, July 6, 2018 9:03 AM >To: hardware <hardw...@lists.hardwaregroup.com> >Subject: Re: [H] Should I rebuild my machine now or wait until the >next gen of CPUs? > >Thanks, Greg. That pretty much aligns with my thought process on >this, so I guess it's good at least one other person is coming to >the same conclusions I am :) > >Didn't know about the Ivy Bridge patches - will look into that more. >But one of the reasons I haven't patched at all is that all the >mitigations for older chips like mine have had significant >performance penalties. And at this point that's a bigger issue for >me than the security, as I'm not really in that big of a threat environment. > >But I plan to use whatever I buy for the next several years and it >would be good to get something that's not going to have major >structural vulnerabilities that will be problems that entire time. > >My major hangup with AMD is not the performance but rather the >massive vulnerabilities found in their Ryzen chipset, all because >they did a very poor job providing oversight of the company they >outsourced it to. That doesn't speak well of their commitment to >security in my mind. > >I had heard that Intel's 2018 lineup was delayed until next year as >they try and fix all this stuff, but maybe that was just for their >mobile chips? > > > > >--------- >Brian > > >On Fri, Jul 6, 2018 at 2:20 AM, Greg Sevart <ad...@xfury.net> wrote: > > > Actually, your Ivy Bridge CPU had new microcode revision with > > additional Spectre defenses released just this past Monday. While it's > > a long-shot for your motherboard manufacturer to release a new FW > > update, it *is* likely to appear in an OS patch. CPU microcode can and > > is loaded via multiple mechanisms, including during OS early boot. On > > Windows, your options are a bit more limited as you must wait for > > Microsoft to update their microcode patch. > > > > Microsoft's microcode patch information, which is ONLY available for > > Windows 10 1709 (or later?) can be found here: > > https://support.microsoft.com/en-us/help/4090007/intel-microcode-updat > > es > > > > It's something of a mess. As you may see, Ivy Bridge desktop CPUs are > > not listed explicitly, but I've heard reports of the patch taking > > effect on them anyway. Use a tool such as InSpectre or > > Get-SpeculationControlSettings in the PowerShell Gallery to > verify your status post-update. > > > > > > With regard to an upgrade...hard to say. On the desktop side, with > > Ryzen, AMD has finally released a product that is competitive. Broadly > > speaking (i.e., on overall average), it is not clearly superior > > despite higher core counts, but very competitive and hence a viable > > option to Intel's Coffee Lake SKUs. If you're interested in HEDT, > > that's a bit harder to answer...for highly threaded workloads, the > > Threadripper/X399 platform wins on both performance and price (despite > > the dumb name and attempt to usurp Intel's existing platform naming > > scheme), but if single-threaded performance is more important, > Skylake-X/X299 is still the better bet. > > > > CPUs with integrated defenses to the various Spectre variants are > > expected near the end of the year. As it stands now, performance wise, > > Intel's silicon is more negatively impacted via existing mitigations, > > but not enough to make a meaningful difference in *most* client > > workloads for current silicon. Older CPUs (such as your Ivy) that do > > not support INVPCID are especially hurt by Meltdown's mitigation. > > Fundamentally, I don't think either one is substantially more > secure if your mitigations are current. > > While we've already seen some since the initial 3 CVEs were announced, > > it's widely expected that more vulnerabilities will be discovered in > > the coming months and years as this new and novel class of attack > vector is researched. > > > > Major items rumored to be coming soon-ish: > > Intel desktop: Widely expected to have a new 8-core mainstream chip > > out sometime later this year. > > Intel HEDT: Cascade Lake-X expected in Q4, up to 28C, though the > > series may span sockets. Maybe a 22C interim offering? > > AMD Desktop: Zen+ 2000-series just released offering minor > > improvements, Zen 2 expected next year AMD HEDT: Zen+ refresh of > > Threadripper expected soon, up to 32C. > > > > > > My personal take: I'd buy Intel for intensive, lightly-threaded > > workloads, and AMD for intensive, heavily-threaded workloads. Anything > > not intensive isn't going to be different enough to matter, so go with > > whatever floats your boat and/or wallet. > > > > Greg > > > > -----Original Message----- > > From: Hardware [mailto:hardware-boun...@lists.hardwaregroup.com] On > > Behalf Of Brian Weeden > > Sent: Thursday, July 5, 2018 9:45 PM > > To: hwg <hardware@hardwaregroup.com> > > Subject: [H] Should I rebuild my machine now or wait until the next > > gen of CPUs? > > > > Currently running a core i5-3750K with 32GB of RAM on my main machine, > > which I use for both work and gaming. > > > > Been looking to replace it for several months now, but have held off > > in part because of all the vulnerabilities that keep turning up in > > modern CPUs (Meltdown, Spectre, and all their variants). The thing is, > > my existing CPU is old enough that it doesn't support any of the > > mitigations, so I'm actually less secure now than if I bought a new > > CPU that at least had mitigations against the vulns (even if the new > > CPUs that actually fix them are 6-12 months away). > > > > So first question is, is the time right to go do this now? > > > > Second question is, Intel or AMD? Is one better off than the other > > from a security standpoint that's worth taking into consideration? > > > > > > --------- > > Brian > > > > > >
