Spectre Variants 3A & 4 Exposed As Latest Speculative Execution Vulnerabilities


  • #11
    These new vulnerabilities affect all major CPU vendors, not just AMD/Intel but also ARM and IBM / POWER.
    Likely not all vendors by all vulnerabilities, other than Intel; like with Meltdown, currently it is not proved that any AMD CPUs are affected by 3A

    We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date.


    When it comes to ARM, the situation is also not so clear that we can speak in general:

    https://developer.arm.com/support/ar...-vulnerability

    At least they provide an easy-to-read table:
    Processor    Variant 1   Variant 2   Variant 3   Variant 3a   Variant 4
    Cortex-R7    Yes*        Yes*        No          No           No
    Cortex-R8    Yes*        Yes*        No          No           No
    Cortex-A8    Yes         Yes         No          No           No
    Cortex-A9    Yes         Yes         No          No           No
    Cortex-A12   Yes         Yes         No          No           No
    Cortex-A15   Yes         Yes         No          Yes          No
    Cortex-A17   Yes         Yes         No          No           No
    Cortex-A57   Yes         Yes         No          Yes          Yes
    Cortex-A72   Yes         Yes         No          Yes          Yes
    Cortex-A73   Yes         Yes         No          No           Yes
    Cortex-A75   Yes         Yes         Yes         No           Yes
    Last edited by dungeon; 22 May 2018, 07:06 AM.



    • #12
      I assume any new Processors coming out this year, or the next, will be affected too? I can't see myself upgrading until all this stupidity is fixed.



      • #13
        Originally posted by TheOne
        I thought about this before and the more vulnerabilities I see it kind of reaffirms my thought that this was planned obsolescence. How can so many freaking CPU vulnerabilities keep appearing which only a person that knows the insides and out of CPUs get disclosed like this?
        Nothing was planned. That's the problem. You see, these things were designed by IT geeks - performance was what mattered, battling exploits and evil minds of men didn't come to them naturally. That's why the whole industry of IT security is largely an afterthought, still.



        • #14
          I keep seeing this called a 'joint announcement' around the web, but it's anything but.



          Google announced it, but as part of their disclosure let affected parties know a while back. Today is the expiration of the responsible disclosure deadline. The really bad thing about this is that Microsoft say that they notified 'partners' (meaning Intel) back in November when they claim to also have discovered this.



          • #15
            Originally posted by willmore
            I keep seeing this called a 'joint announcement' around the web, but it's anything but.

            https://bugs.chromium.org/p/project-...detail?id=1528

            Google announced it, but as part of their disclosure let affected parties know a while back. Today is the expiration of the responsible disclosure deadline. The really bad thing about this is that Microsoft say that they notified 'partners' (meaning Intel) back in November when they claim to also have discovered this.
            Well, Intel stated how Microsoft and Google both independently reported this CVE-2018-3639, while SYSGO for reporting CVE-2018-3640. BiZone likely also helped them around this second issue.... can't be more transparent I think, you have even names of all people, not just names of companies

            Acknowledgements:

            Intel would like to acknowledge and thank Jann Horn of Google Project Zero (GPZ) and Ken Johnson of the Microsoft Security Response Center (MSRC) for independently reporting CVE-2018-3639.

            Intel would like to acknowledge and thank Zdenek Sojka, Rudolf Marek and Alex Zuepke from SYSGO AG (https://sysgo.com) for reporting CVE-2018-3640. Intel would also like to acknowledge and thank Innokentiy Sennovskiy from BiZone LLC (bi.zone).
            https://www.intel.com/content/www/us...-sa-00115.html
            Last edited by dungeon; 22 May 2018, 08:00 AM.



            • #16
              This is hilarious. With all mitigations enabled at this point, a modern Intel cpu goes back how many generations in per core performance? 3-4? Seeing how each generation provided at best a 5%...

              Just hilarious.



              • #17
                Originally posted by Peter Fodrek
                It seems that these are not part of eight Spectre NG ... Or am I not right?
                You are not right.
                These are the first two of the eight Spectre-NG vulnerabilities.



                • #18
                  Originally posted by Mike Frett
                  I assume any new Processors coming out this year, or the next, will be affected too? I can't see myself upgrading until all this stupidity is fixed.
                  Considering the usual multi-year design-to-manufacturing cycle, and assuming this was subject to the standard 90 day responsible disclosure practice, it could be longer before all of the Spectre vulnerabilities we know of today have been fixed. Don't even get me started on what the situation will be if new vulnerabilities continue to be published like this.

                  First batch of Spectre vulnerabilities may be fixed in Intel's next year offerings and it probably should be fixed in most new ARM parts from manufacturers who care about security. However, while less affected, AMD's "Zen 2" part coming out next year is probably going to have some fairly limited fixes as it was only a few weeks to a couple of months from tape-out (99% finished design sent for manufacturing) when AMD was notified of the first set of vulnerabilities.



                  • #19
                    Looks like it didn't affect NASDAQ price.



                    • #20
                      Originally posted by Kayote
                      Looks like it didn't affect NASDAQ price.
                      Actually AMD price is down. Maybe there is something the investors know and we don't??
