Linked by Thom Holwerda on Wed 3rd Jan 2018 20:36 UTC
Intel

Update: Google's Project Zero disclosed details about the vulnerability a week ahead of schedule due to growing concerns, and they indeed confirm AMD and ARM processors are also affected:

The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.

These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them.




Intel just published a PR statement about the processor flaw, and in it, it basically throws AMD and ARM under the bus. According to Intel, reports that only its own processors are affected are inaccurate, namedropping specifically AMD and ARM just to make it very clear who we're talking about here. From the statement:

Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices - with many different vendors' processors and operating systems - are susceptible to these exploits.

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

More to surely come.

Thread beginning with comment 652473
To read all comments associated with this story, please click here.
Overreaching
by Alfman on Wed 3rd Jan 2018 21:27 UTC
Alfman
Member since:
2011-01-28

Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.

Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.


I understand why intel is doing this (to give MS, apple, amazon, and large linux distros a chance to address the flaw themselves before pulling the curtains), however most independent service providers like me who build custom kernels are really getting screwed by it since we don't get the same privilege and can't even begin to assess the scope of this flaw until they officially choose to publish more information.

Edited 2018-01-03 21:46 UTC

Reply Score: 4

RE: Overreaching
by Bill Shooter of Bul on Wed 3rd Jan 2018 22:07 in reply to "Overreaching"
Bill Shooter of Bul Member since:
2006-07-14

Yup, you're getting hosed.

Hopefully, you're customers will understand the advantages of your service over the security of going with a kernel that does get advanced notice of large bugs.

Really, having maintained a linux kernel briefly, the best bet is to be based off a large vendor, if possible, making integrating any fixes easy as possible.

Reply Parent Score: 4

RE[2]: Overreaching
by Alfman on Wed 3rd Jan 2018 23:51 in reply to "RE: Overreaching"
Alfman Member since:
2011-01-28

Bill Shooter of Bul,

Yup, you're getting hosed.

Hopefully, you're customers will understand the advantages of your service over the security of going with a kernel that does get advanced notice of large bugs.


I hear that, but as I'm sure you can appreciate, reality always brings about nuanced problems regardless of one's approach. Customers, for their part just want things to work, which is a reasonable expectation. However there are countless times I've performed "stable" updates on commodity distros only to find out it broke some dependencies for one customer or another.

I try to wash my hands of it by letting them run whatever they need inside their own VMs, but updates can still break. Not a kernel issue, but over the years PHP has been particularly problematic. In one instance a 3rd party dev imposed strict requirements for a magento component that was only compatible with an older version of magento that was only compatible with an older version of PHP that was replaced in the official distro. I only discovered all of this after getting complaints after applying official ubuntu updates.

That's my experience with mainstream distros, if you have no special needs, updates typically go pretty smoothly, but any custom configuration or locally installed software can still be hell at times.


Really, having maintained a linux kernel briefly, the best bet is to be based off a large vendor, if possible, making integrating any fixes easy as possible.


Yeah, the key is fully automating as much as you can.

Edited 2018-01-03 23:52 UTC

Reply Parent Score: 3