a new intel-specific CPU vulnerability has been discovered: cyberus-technology.de/posts/20

quick facts:
- can be used to leak data between processes, hyperthreads, SGX enclaves, etc
- affects core and xeon CPUs
- CPUs with meltdown mitigations are less affected, but still vulnerable
- this is a hardware issue - OS independent
- can be mitigated by disabling hyperthreading
- proof of concept - one thread is able to access URLs typed into firefox (a different thread)

@lynnesbian Ubuntu released an update for their Intel microcode package yesterday, which I assume disables HyperThreading as per the recommended fix.

Also, I find it hilarious that Intel has had this fixed for two years as evidenced by the last two generations of their CPUs being unaffected, but only now decided to tell us for the older ones.

And by hilarious, I mean fucked up.

@lynnesbian Just as a source on this, since the article you linked makes no mention of it:

"The vulnerability affects most of the company’s processor SKUs, except the 8th and 9th generation chips, which Intel said includes hardware mitigations against this flaw."

@KitsuneAlicia @lynnesbian you can sometimes fix bugs unintentionally, but considering that it is Intel we are talking about here, my bet is that they knew it and stayed silent, for $$$ reasons

@uint8_t @lynnesbian Yup. I 100% believe that they deliberately delayed it so they could use it for planned obsolescence purposes similar to Google's Play Services and Apple's iOS updates slowing down older systems for no reason other than to "encourage" users to buy new versions of the same hardware they bought 2 years ago.

@KitsuneAlicia @lynnesbian If they announce the hardware bug and the performance penalty the mitigation causes, people won't be so keen to buy Intel hardware and will look toward alternatives.

But if Intel tells us about the problem when its current model line is already fixed, it's just an image loss, and does not necessarily steer revenue toward AMD.


@uint8_t @lynnesbian Yup. They put all their customers at risk just to save their profit margins. That should be criminal behavior, but since CEOs control law in this country, they've made sure it's legal to gamble with their customers' livelihoods.
