fantaskarsef:

[...] And when my Gen 5 Intel CPU is too old to be vulvernable: [...]

It might not be vulnerable by Platypus but it is vulnerable by Foreshadow, MDS, Fallout, Spectre, Meltdown, LVI, Zombieload, PortSmash and many more. Doesn't make anything better, just saying *shrug*

Fox2232:

To be honest, I doubt intel ever had intention to compete in security.

They bought McAfee, so I guess that's +1 for you. 😉

fantaskarsef:

And when my Gen 5 Intel CPU is too old to be vulvernable:

5930K is 4th gen (Haswell-E).

Meh. Since Spectre/Meltdown came to light in early 2018, not one exploit in the wild has been using them. Not trying to absolve Intel of guilt, but to the gaming/home user crowd, all of this is basically irrelevant. I don't even know I can recommend bothering with the new microcodes, since they've gotten worse and worse performance wise since mid 2019, at least for Coffee Lake. Plus, these are older CPUs by now, and if you bought the 10000 series, well, it's all on you. The 8700K was likely the last CPU from Intel that was worth buying: - cheaper than the Ryzen 1700x on release - OC performance often near 1800x levels - toothpaste TIM, so nice to delid and play with - onboard iGPU, good for Premiere etc. - no Spectre/Meltdown yet, so there was no way to tell it was a vulnerable CPU if bought in 2017 After the 8700K, all went to shit real fast.

tunejunky:

that's the play. AMD has been betting Intel wouldn't change/react/evolve fast enough to deal with both the expansion of the server farm market and the inherent advantages of a new(er) uArch, smaller process, higher core count, and now higher ipc single or multi. this was the "advice" of a lot of investment counsellors in The Valley esp. two years ago. they were and are right. Intel has everything it needs to compete except time. 5 years ago i was all about Intel going all in on fabs, but i'm just a shareholder not someone that's listened to. their half-assed, quarterly profit driven, viewpoint was that of a company in a mature or declining market, not the reality of one in technological transformation.

Yeah. Seems like the plan is working extremely well. I do realize we won't see Intel hurt to terribly bad for most of this year even if AMD increases market share significantly.

Can we just take a minute and laugh at the security threats name?

vbetts:

Can we just take a minute and laugh at the security threats name?

it lays an egg...

KB4586781.

Fox2232:

Does it randomly increase power draw of CPU?

AMD64 bug and security fixes.

Fox2232:

Boring. If it is of any importance, make appropriate thread in appropriate section. No need to measure who has more holes. Winner is known for very long time. Now since you sparked my interest. Are you joking? KB4586781: Updates to improve security when using input devices such as a mouse, keyboard, or pen. Updates to improve security when using Microsoft Office products. Updates to improve security when Windows performs basic operations. Updates the 2020 DST start date for the Fiji Islands to December 20, 2020. Looks like you garbled together those points, and made something up to create: "AMD64 bug and security fixes." statement.

DId you even read through what you posted? MSRC Number: n/a MSRC severity: Critical KB article numbers: 4586781 Updates to improve security when Windows performs basic operations.

toyo:

Meh. Since Spectre/Meltdown came to light in early 2018, not one exploit in the wild has been using them. Not trying to absolve Intel of guilt, but to the gaming/home user crowd, all of this is basically irrelevant. I don't even know I can recommend bothering with the new microcodes, since they've gotten worse and worse performance wise since mid 2019, at least for Coffee Lake. Plus, these are older CPUs by now, and if you bought the 10000 series, well, it's all on you. The 8700K was likely the last CPU from Intel that was worth buying: - cheaper than the Ryzen 1700x on release - OC performance often near 1800x levels - toothpaste TIM, so nice to delid and play with - onboard iGPU, good for Premiere etc. - no Spectre/Meltdown yet, so there was no way to tell it was a vulnerable CPU if bought in 2017 After the 8700K, all went to crap real fast.

Did you stop and think that the reason there are no exploits is because by the time they could develop one the vast majority of vulnerable systems that they cared about (enterprise customers) had it patched? I worked my ass off for three months straight of nights and weekends applying the multiple layers of patches that were required to mitigate Specter/Meltdown as did various collogues in my position at other companies. We very seldom run into a "patch now" level vuln (I think it's been 3 in the last 4 or so years), but when it happens the entire IT industry moves their asses to get it patched so that it isn't worth the effort to bother making code to exploit them. Between that and Windows 10 actually forcing people to install patches, the window of opportunity on these things is pretty small. You're correct, though, it's only gotten worse lately. As long as Intel continues to use the same instruction pipeline with an emphasis on branch prediction in cache, there will continue to be new ways to exploit it. At this point they will need an entirely new architecture to truly resolve the problem, something they should have been doing 5 years ago instead of letting the P3 core architecture age like cheap fine wine until it turns to vinegar on them.

illrigger:

Did you stop and think that the reason there are no exploits is because by the time they could develop one the vast majority of vulnerable systems that they cared about (enterprise customers) had it patched? I worked my ass off for three months straight of nights and weekends applying the multiple layers of patches that were required to mitigate Specter/Meltdown as did various collogues in my position at other companies. We very seldom run into a "patch now" level vuln (I think it's been 3 in the last 4 or so years), but when it happens the entire IT industry moves their asses to get it patched so that it isn't worth the effort to bother making code to exploit them. Between that and Windows 10 actually forcing people to install patches, the window of opportunity on these things is pretty small. You're correct, though, it's only gotten worse lately. As long as Intel continues to use the same instruction pipeline with an emphasis on branch prediction in cache, there will continue to be new ways to exploit it. At this point they will need an entirely new architecture to truly resolve the problem, something they should have been doing 5 years ago instead of letting the P3 core architecture age like cheap fine wine until it turns to vinegar on them.

I've patched up everything I own too. I even modded my BIOS to use the latest 0xDE ucode for my 8700K, for example. But then again, I'm not a regular user, I come from a period where people online were anonymous, refused to share private info, and religiously protected their data. I acknowledge that this is a gaming forum and most people simply do not care anymore. Most consumer PCs are unpatched and use ancient microcodes. Microsoft offers "recent" hotfixes with ucodes from mid 2019 for some CPUs, for others even older. There's no other realistic way to use it other than BIOS modding, and that's a niche thing. So there are so many systems that are vulnerable, yet not ONE serious attack. Add to this that 14nm++++++++ is old, Skylake derivatives - old, Rocket Lake will be a new architecture, so... yeah.

toyo:

I've patched up everything I own too. I even modded my BIOS to use the latest 0xDE ucode for my 8700K, for example. But then again, I'm not a regular user, I come from a period where people online were anonymous, refused to share private info, and religiously protected their data. I acknowledge that this is a gaming forum and most people simply do not care anymore. Most consumer PCs are unpatched and use ancient microcodes. Microsoft offers "recent" hotfixes with ucodes from mid 2019 for some CPUs, for others even older. There's no other realistic way to use it other than BIOS modding, and that's a niche thing. So there are so many systems that are vulnerable, yet not ONE serious attack. Add to this that 14nm++++++++ is old, Skylake derivatives - old, Rocket Lake will be a new architecture, so... yeah.

That's all correct, but not really what information security is about in 2020. Modern hackers aren't really interested in those machines, they want big targets that they can exploit via ransomware - in other words, corporate networks that can pay off in the hundreds of thousands to millions of dollars. Working for 3 months so you can ransom a PC that hasn't been patched in 5 years isn't worth enough money to bother with - you probably can't even contact a person like that to try and blackmail them, as they likely don't even check their email. Most people who are in that camp whose system suddenly stops working are more likely to go to Best Buy and buy whatever is on sale for cheapest than even try to fix it, or just go use their phone for everything. Chances are if they bother getting a new computer they will end up with a Chromebook and then you never can target them again anyway. Worst of all, people like that don't have enough money to ransom anyway, and even if they do they would have no idea how to buy and transfer crypto to get it to you. At best, you might end up with a PC that you can use as part of a botnet, and with the anti-DDOS stuff that's out there now it's barely worth it. I've been the server patch manager for a large healthcare conglomerate for about 5 years now, I and one other guy patch about 3000 servers a month; 99.9% of them are automatically handled by software (although it still takes a bunch of time to set up baselines, send out communications, and deal with change controls). The remaining 60-100 have to be touched by hand to figure out why they didn't work as expected, which usually ends up being an end user who screwed with something that prevents the necessary reboot from happening. Needless to say, it's time consuming. I am just glad I'm not my counterpart on the desktop side of the house. 😛 Most of the big vulns are patched right away on corporate systems, so it's really the small stuff that's a worry. Things like outdated Java versions or Adobe products from 2001 that were integrated into apps that are still sticking around because nobody knows how to maintain them but they have vital corporate info in them still. It's shocking how many of those kinds of things are out there waiting for an idiot to click the wrong thing in an email and let hackers in with. It's also shocking how much money it takes to keep a corporate network secure. There are about 8 people at my company whose entire job is information security, plus more people like me who have about 60% of their time dedicated to it - well over a million dollars a year in salaries alone, plus at least double that in licenses for products that we use to do our jobs. Half of those people and products are dedicated to countering social engineering or human failure in some way, the other half are dedicated to detecting and mitigating vulnerabilities. I guess my point here is that while there aren't exploits being created for these vulns, there is a reason why that's the case - and that reason is that there is a multi-billion dollar industry with hundreds of thousands of people constantly fighting to make sure that such vulns never get a chance to get a foothold that makes it worthwhile exploiting them.

@illrigger I don't quite understand your point. Is it that people who are paid for security are doing their job? That they are doing too good job? Or that they are getting paid 😀 for preventing this group or exploits that claimed zero known victims

toyo:

Meh. Since Spectre/Meltdown came to light in early 2018, not one exploit in the wild has been using them.

lol not ONE! too funny

Noisiv:

lol not ONE! too funny

I have some vague recollections that I've read an article maybe a year ago about something Meltdown related, but other than that, I cannot remember anything, and we all know that if we've had some attack based on these vulnerabilities, it'd be all over the press, as so much has been written about this, hardware CPU security issues, microcodes, all new and exciting stuff compared to years of trojans and worms nobody bothered to read anymore. Truth is, most people wouldn't bother updating the BIOS even if it meant 5% additional performance. Sure, automated Windows updates would do, but few go beyond that. Not to mention people visiting the worst porn sites, not using a firewall or antivirus, and only running scans when their data is encrypted and they're left with a message for where to pay up to regain access to it.

toyo:

I have some vague recollections that I've read an article maybe a year ago about something Meltdown related, but other than that, I cannot remember anything, and we all know that if we've had some attack based on these vulnerabilities, it'd be all over the press, as so much has been written about this, hardware CPU security issues, microcodes, all new and exciting stuff compared to years of trojans and worms nobody bothered to read anymore. Truth is, most people wouldn't bother updating the BIOS even if it meant 5% additional performance. Sure, automated Windows updates would do, but few go beyond that. Not to mention people visiting the worst porn sites, not using a firewall or antivirus, and only running scans when their data is encrypted and they're left with a message for where to pay up to regain access to it.

And not to be stupid as "It didn't even surpass Black plague" COVID loonies, we do realize that measures WERE taken as mentioned by @illrigger. But come on... one hostage... is that too much to ask 🙂

Fox2232:

Thing is, that your system can be under attack right now, and you would not know.

LOL I expected this one. Like anyone could prove a negative. You try: Because it seems to me that aliens are in your PC. Can you prove otherwise? Too ridiculous? I agree. Can you prove that your PC is clean or that it hasn't been under an attack for last 7 days? No you can't. Is why I asked for ONE, just one KNOWN victim, or you know a ransom or a HOSTAGE, ANYTHING.

Kevin Mauro:

Well, from time to time the odd critter roams along too. I've become cleanlier over the years though and fewer roach-line side-channel attacks have been found...

'member Zone Alarm?

Mom!! the platypus is doing it again

Noisiv:

And not to be stupid as "It didn't even surpass Black plague" COVID loonies, we do realize that measures WERE taken as mentioned by @illrigger. But come on... one hostage... is that too much to ask 🙂

This is the worst thing about being in IT as a profession. Any time you successfully react to a problem that already happened, you get praise and bonuses, but any time you try to be proactive and prevent the problem from happening, everyone just makes fun of the problem because it never existed. :P It's really hard to provide metrics about how the thing you spent the last 6 months doing was worth the money when if you are successful nobody ever knows how much money it saved the company. I got a $1200 bonus last year for making sure a new product launch went smoothly, which took about a month. I spent 6 months re-vamping our server patching process, which took us from an average of one production outage due to patch management a quarter to zero, and added automation so that we only need to spend one day a month on prep and scheduling rather than one day a week and didn't even get an attaboy for it during the quarterly meeting. That's IT for ya.