Showing posts with label Meltdown. Show all posts

June 26, 2018

In case you missed it:
Intel CPUs have another security flaw

At this point, I don't suppose that this will really surprise anyone, but it's happened again:
A team of researchers at the Systems and Network Security Group at Vrije Universiteit Amsterdam, in the Netherlands, say they were able to leverage the security weakness to extract crypto keys from another running program in 99.8 percent of tests on an Intel Skylake Core i7-6700K desktop CPU; 98.2 percent of tests on an Intel Broadwell Xeon E5-2620 v4 server CPU; and 99.8 per cent of tests on a Coffeelake part.
Their code was able to lift a secret 256-bit key, used to cryptographically sign data, from another program while it performed a signing operation with libgcrypt’s Curve 25519 EdDSA implementation. It took roughly 17 seconds to determine each of the keys using machine-learning software and some brute force, according to a paper detailing the attack, seen by The Register this week.
[...]
The extraction technique is not reliant on speculative execution, and thus is unrelated to Spectre and Meltdown. Instead, it builds upon the exploitation of Intel's Hyper-Threading technology and the processor caches to leak data, which is a known security problem with its own mitigations.
Have I mentioned lately how relieved I am to have stuck with AMD, all these years?

Important points:
  1. TLBleed is unrelated to the Meltdown and Spectre vulnerabilities that Google Project Zero reported back in January; it's an entirely new category of vulnerability, and one which Intel's competitors apparently don't share.
  2. TLBleed affects Intel CPUs ranging from Broadwell to Coffee Lake, i.e. every Intel CPU released since 2014, including their newest (Broadwell was followed by Skylake, and then by Kaby Lake, although The Reg's coverage doesn't specifically mention Kaby Lake). So, once again, we're talking about a lot of affected PCs.
Intel, naturally, has "no plans to specifically address a side-channel vulnerability in its processors that can be potentially exploited by malware to extract encryption keys and other sensitive info from applications." Because why would Intel have a plan? Or, really, a clue? Look for this messaging to change as this story gains traction, though... and then for Intel comments to dry up entirely, once the class action lawsuits start. Because they will start, and it won't take long.

And don't think that Whiskey Lake or Cannon Lake are going to fix the issues, either; both of those are just variations on Skylake/Kaby Lake.

Intel have clearly been playing way too fast for way too long with consumers' security in the name of eking out a little extra performance over AMD, and with no clear plan for what they'd do when it started to come back to bite them. TLBleed is now the fourth serious security vulnerability to be found in Intel's hardware in just a year, starting with Intel's TME, Meltdown, and Spectre, with only Spectre reaching well beyond Intel. I don't expect it to be the last.

May 06, 2018

Still melting down

Back when Meltdown and Spectre were first making headlines, the word was that Meltdown was more serious but also easier to fix, while Spectre would be haunting us for a long, long time (hence the name). But not only is Meltdown proving more pernicious than first thought, there are more Meltdown-like vulnerabilities in Intel's chips. Yikes.

First, from Bleeping Computer:
Microsoft's patches for the Meltdown vulnerability have had a fatal flaw all these past months, according to Alex Ionescu, a security researcher with cyber-security firm Crowdstrike.
Only patches for Windows 10 versions were affected, the researcher wrote today in a tweet. Microsoft quietly fixed the issue on Windows 10 Redstone 4 (v1803), also known as the April 2018 Update, released on Monday.
Back-ported patches are apparently in the works, but no ETA yet from Microsoft. So, that's the bad news. Ready for the worse news?

From Reuters:
Researchers have found eight new flaws in computer central processing units that resemble the Meltdown and Spectre bugs revealed in January, a German computing magazine reported on Thursday.
The magazine, called c’t, said it was aware of Intel Corp’s plans to patch the flaws, adding that some chips designed by ARM Holdings, a unit of Japan’s Softbank, might be affected, while work was continuing to establish whether Advanced Micro Devices chips were vulnerable.
[...]
C’t did not name its sources because researchers were working under so-called responsible disclosure, in which they inform companies and agree to delay publishing their findings until a patch can be found.
The magazine said Google Project Zero, one of the original collective that exposed Meltdown and Spectre in January, had found one of the flaws and that a 90-day embargo on going public with its findings would end on May 7.
Once again, it's looking like a pretty good day to be a W7-using AMD fan.

February 01, 2018

Do you remember when WX was supposedly on pace to surpass W7 by November?

NMS's end-of-January numbers are out, and once again, WX has managed modest gains at the expense of Windows XP, while W7 and W8.1 remain mostly unchanged. And, no, WX still hasn't caught up to its nine-year-old rival.


WX gained, of course, from 32.93% to 34.29% (+1.36); W7 ticked down, from 43.08% to 42.39% (-0.69); W8.1 ticked down slightly, from 5.71% to 5.56% (-0.15); and XP slid the most, from 5.18% to 4.05% (-1.13). Except for W8.1's, all of these results are above the ±0.5% "noise threshold," but WX's gains are not enough to encompass the losses of W7, W8.1, and XP. Some of those former Windows users are going elsewhere.

Where are they going, you ask? By the looks of it, Apple. Windows' overall market share slid from 88.51% to 87.79% (-0.72), while MacOS grew its overall market share from 9.02% to 9.95% (+0.93), propelled by MacOS X 10.13 (from 3.53% to 4.46%, +0.93). An overall decline in Windows' user base probably isn't something that Microsoft want to see; yes, WX gained more than a percentage point to start the year, but the fact that those gains are mostly coming at the expense of the 16½ year old XP, rather than the market-leading W7, can't be good news, either.

January 04, 2018

Google to the rescue!

First, Google's Project Zero researchers found the CPU-level security vulnerabilities known as Meltdown and Spectre. Now, they've found the cure... or, at least, a more efficient workaround, as reported in The Verge:
Google just gave chipmakers some much needed good news. In a post on the company’s Online Security Blog, two Google engineers described a novel chip-level patch that has been deployed across the company’s entire infrastructure, resulting in only minor declines in performance in most cases. The company has also posted details of the new technique, called Retpoline, in the hopes that other companies will be able to follow the same technique. If the claims hold, it would mean Intel and others have avoided the catastrophic slowdowns that many had predicted.
“There has been speculation that the deployment of KPTI causes significant performance slowdowns,” the post reads, referring to the company’s “Kernel Page Table Isolation” technique. “Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”
[...]
That assessment is consistent with early reports from Intel, which had said slowdowns would be “highly workload-dependent and, for the average computer user, should not be significant.” Those claims were met with skepticism, with many seeing them as an effort by Intel to downplay the impact of the newly public vulnerabilities. At the same time, some early benchmarks saw slowdowns as high as 17 percent.
More recently, Intel announced it had deployed patches that would render chips immune to the new attacks, and restated that the performance impact was not significant. It’s difficult to confirm Google and Intel’s claims until the patches are deployed, but it’s significant that Google has joined the chipmaker in reporting minimal slowdowns.
As someone who met Intel's early minimal-impact claims with skepticism, I can honestly say to all Core i5 users that I'm glad to learn that the picture is looking less grim than first thought. I'm still glad to be an AMD man, though, and even more glad that Google were awake at the switch for this one. People give Google a lot of grief for sometimes acting like they've forgotten their original mission statement, but this, folks, is what they meant by "don't be evil." Not only were they not evil, they used their powers for good, and are extending help to anyone who needs it, for free.

Intel, meanwhile, is claiming to have finished patches for 90% of their products released in the past five years, which sounds a little weaksauce considering that Meltdown affects Intel products released in the last ten years, much like the firmware issue that was reported a few months ago. And there's also the small matter of Intel, who were notified about Meltdown and Spectre back in June, being led by a CEO who sold off a bunch of stock in October, before either flaw became public knowledge, as reported by MP1st, among others:
Suspiciously, Intel CEO Brian Krzanich sold off $24 million worth of stock late last year before the vulnerabilities became public knowledge. An Intel spokesperson said the stock trade was “unrelated” despite Intel knowing about the issue for five months.
Oops! I predict that the SEC will be investigating that piece of business.

Intel's stock price has, naturally, dropped as a result of all this news, while AMD's has risen, but I suspect that Intel's problems over these problems are only beginning.

UPDATE:

One minor correction: While Jann Horn at Google Project Zero (GOOGL.O) came to similar conclusions independently, it looks like credit for discovering Meltdown actually goes to an independent researcher named Daniel Gruss, whose feat of security research is described in this article by The Verge:
The 31-year-old information security researcher and post-doctoral fellow at Austria’s Graz Technical University had just breached the inner sanctum of his computer’s central processing unit (CPU) and stolen secrets from it.
Until that moment, Gruss and colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor’s ‘kernel’ memory, which is meant to be inaccessible to users, was only theoretically possible.

“When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked,” Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured.
Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result.
“We sat for hours in disbelief until we eliminated any possibility that this result was wrong,” said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.
Gruss and his colleagues had just confirmed the existence of what he regards as “one of the worst CPU bugs ever found”.
Damn, Daniel! (Sorry, I couldn't resist.) Seriously, though, congratulations to Mr. Gruss for some solid detective work.

UPDATE #2:

Cue the lawsuits! As reported by Gizmodo:
It’s been just two days since The Register first reported that all Intel x86-64x processors were subject to a severe security vulnerability, and already Intel has been hit with at least three separate class action lawsuits related to the vulnerability.
The Register first reported the news on January 2nd, noting that the solution to fixing the vulnerability could result in slowdown of the affected computers. Intel has since claimed that any performance penalties would be negligible, and today Google, which has implemented a fix on its affected servers (which host its cloud services, including Gmail) wrote that, “On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”
Plaintiffs in three different states disagree. As Law.com first noted, a class action complaint was filed January 3rd in United States District Court for the Northern District of California. Since then Gizmodo has found two additional class action complaints filed today (just eleven minutes apart)—one in the District of Oregon and another in the Southern District of Indiana.
All three complaints cite the security vulnerability as well as Intel’s failure to disclose it in a timely fashion.
That's some fast work, and I have a feeling that there are more to come.

January 03, 2018

Meltdown and Spectre - much less sexy than the James Bond movies they sound like.

Yesterday, The Reg reported that Intel CPUs going back ten years had a fundamental design flaw which compromised the security of users. At the time, it looked like only Intel chips were affected, but Intel has been quick to claim that AMD and ARM chips have the flaw, too.

Here's the thing about that, funny story... it's actually not true. Not Pants On Fire, mind you, but still Mostly False, or at best Half True, according to this report from Gizmodo:
Originally, the Register reported, only Intel processors (which dominate the U.S. market) were believed to be subject to the flaw. But it’s become clear that a wide range of processor types could be affected, with Google writing that AMD, ARM, and other devices were also vulnerable—though only partially and with less performance impact following a fix than Intel-based devices.
In a statement to Gizmodo, AMD said that of the three attack variants, one was easily resolved with “negligible performance impact,” while the others have “near zero risk” or “zero risk” due to “architecture differences.”
ARM told Gizmodo that it has been working “together with Intel and AMD to address a side-channel analysis method which exploits speculative execution techniques used in certain high-end processors, including some of our Cortex-A processors. This is not an architectural flaw; this method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory.”
I don't believe Intel's spin on this one; there is currently no evidence that AMD and ARM have anywhere near the same kind of fundamental design issues that Intel have with this, and users of AMD and ARM products will not see the same kind of slowdown post-patch as Core i5 users. Sure, AMD (and ARM) are also engaged in a little PR over this development, but right now, I'm inclined to trust them a lot more than I trust Intel, for whom this is the second such wide-reaching security problem that comes built right in to their Core i5 product line. 

Right now, it looks like AMD and ARM are acting from an abundance of caution, here (better safe than sorry, right?), and not trying to "work the refs" in advance of the inevitable flood of class action lawsuits by which Intel will shortly be besieged. So, yeah... I'm still glad to be an AMD man, at least for one more day.