2 decade old security flaw found in all microprocessors

[DigiCorn]

https://www.wired.com/story/meltdown-spectre-bug-collision-intel-chip-flaw-discovery/

Interesting read. Just heard about this. Not sure what category this falls under.

[Slappy]

Not sure what category this falls under.

File it under "Oops! Our bad."

[Possum]

Microsoft has put out patches for machines going way back. It's a hardware flaw. According to what I heard on a newscast, something got overlooked in the race for speedier processors, which left the vulnerability. 

Some older AMD processors are freaking out with the patches, so be careful.

https://arstechnica.com/gadgets/2018/01/bad-docs-and-blue-screens-make-microsoft-suspend-spectre-patch-for-amd-machines/

[scottrsimons]

Now that you mention AMD, I read an article about AMD yesterday, and that they were a good option to Intel.

https://gizmodo.com/amd-is-making-a-really-great-case-for-ditching-intel-ba-1821850744

And now the article today about Windows bricking the AMD processors.    Not a good day to be in tech. Wait...scratch that, it's a GREAT day to be in tech.  It's a little something I like to call "Job Security". YEAH!!

[DigiCorn]

Microsoft has put out patches for machines going way back. It's a hardware flaw. According to what I heard on a newscast, something got overlooked in the race for speedier processors, which left the vulnerability.

Some older AMD processors are freaking out with the patches, so be careful.

https://arstechnica.com/gadgets/2018/01/bad-docs-and-blue-screens-make-microsoft-suspend-spectre-patch-for-amd-machines/

Two of my desktops and one old laptop are all AMD and on W10. Our other laptops are both Intel and one runs W10 and the other is a Google Chromebook. The two desktop units are always on, so I hope they didn't auto apply any bad patches. One is a 3-core and the other is a 4-core, both about 7-8 years old.

[frailer]

Not expecting to hear from our in-house IT guy about the 1 vs. 2 seat Adobe licensing anytime soon, I think.

[Joe]

https://www.wired.com/story/meltdown-spectre-bug-collision-intel-chip-flaw-discovery/

Interesting read. Just heard about this. Not sure what category this falls under.

It also affects all Apple hardware too.

[Farabomb]

All Intel based apple hardware. I wouldn't put it past a shop to still be running a quadra.

[Joe]

Actually we still have a couple of G5's plugged in. Those are safe with the Motorola CPU. They suck but they are safe.

[Possum]

My G4 at home is still plugging along. They don't make them like they used to.

[Farabomb]

With Apple crippling their older hardware with their software updates, you're totally correct. Hard to make money if people don't keep buying the newest phone every 2 years.

Mind you I have a 4 year old phone (m8) that's running nougat without issue. I'd be running oreo but since it's still in beta I won't put it on my daily driver. I also have a 6 year old one (s3) that's running nougat as well. It's a bit slow but still works fine.

[Joe]

Your Android device is also affected by this 'issue'.

The specifics

Intel processors since 1995 except for the Itanium and pre-2013 ATOM platform are affected by both Meltdown and Spectre.

All modern AMD processors are affected by the Spectre attack. AMD PRO and AMD FX (the AMD 9600 R7 and AMD FX-8320 were used as proof-of-concept) CPUs in a non-standard configuration (kernel BPF JIT enabled) are affected by Meltdown. It's expected that a similar attack against side-channel memory reading is possible against all 64-bit CPUs including AMD processors.
ARM processors with Cortex R7, R8, A8, A9, A15, A17, A57, A72, A73, and A75 cores are suspectable to Spectre attacks. Processors with Cortex A75 (the Snapdragon 845) cores are vulnerable to Meltdown attacks. It's expected that chips using variants of these cores, like Qualcomm's Snapdragon line or Samsung's Exynos line, will also have similar or the same vulnerabilities. Qualcomm is working directly with ARM, and has this statement on the issues:

Qualcomm Technologies, Inc. is aware of the security research on industry-wide processor vulnerabilities that have been reported. Providing technologies that support robust security and privacy is a priority for Qualcomm, and as such, we have been working with Arm and others to assess impact and develop mitigations for our customers. We are actively incorporating and deploying mitigations against the vulnerabilities for our impacted products, and we continue to work to strengthen them as possible. We are in the process of deploying these mitigations to our customers and encourage people to update their devices when patches become available.

NVIDIA has determined that these exploits (or other similar exploits that may arise) do not affect GPU computing, so their hardware is mostly immune. They will be working with other companies to update device drivers to help mitigate any CPU performance issues, and they are evaluating their ARM-based SoCs (Tegra).

Webkit, the people behind the browser rendering engine of Safari and the forerunner to Google's Blink engine, have an excellent breakdown of exactly how these attacks can affect their code. Much of it would apply to any interpreter or compiler and it's an amazing read. See how they are working to fix it and keep it from happening the next time.

In plain English, this means that unless you're still using a very old phone, tablet, or computer, you should consider yourself vulnerable without an update to the operating system. Here's what we know so far on that front:

Google has patched Android against both Spectre and Meltdown attacks with the December 2017 and January 2018 patches. Google has patched Chromebooks using the 3.18 and 4.4 versions of the kernel in December 2017 with OS 63. Devices with other versions of the kernel (look here to find yours) will be patched soon.
In plain English: The Toshiba Chromebook, the Acer C720, Dell Chromebook 13, and the Chromebook Pixels from 2013 and 2015 (and some names you've probably never heard of) aren't patched yet but will be soon. Most Chromeboxes, Chromebases, and Chromebits are not patched but will be soon.

For Chrome OS devices that aren't patched, a new security feature called Site Isolation will mitigate any issues from these attacks.

Microsoft has patched both exploits as of January 2018.

Apple has patched macOS and iOS against Meltdown starting with the December update. The first round of Spectre updates were pushed out in early January. Check out iMore for everything you need to know about these CPU flaws and how they affect your Mac, iPad, and iPhone. Patches have been sent to all supported versions of the Linux kernel, and Operating Systems like Ubuntu or Red Hat can be updated through the software update application.

For Android specifics, the Nexus 5X, Nexus 6P, Pixel, Pixel XL, Pixel 2, and Pixel 2 XL have been patched and you should see an update soon if you haven't already received it. You can also manually update these devices if you like. The Android Open Source project (the code used to build the OS for every Android phone) has also been patched and third-party distributions like LineageOS can be updated.

[Farabomb]

I'm glad I'm running LineageOS then. 

[Joe]

Lineage OS is supposed to have the patch either in this weeks or next weeks update.

[frailer]

6 colour Komori guy was in here... we were discussing CIP3 files, and how they *could* streamline getting them to him and the 5 col.

We currently Export them from Black Magic, manually; it's not a biggie, as we're rarely stupidly busy for very long, and we can juggle it...

anyhoo, in the discussion, he says...  "the PC on my press runs a Celeron!"        I'd completely forgotten they existed.