The online German computer magazine Heise.de is reporting that eight new Spectre-class vulnerabilities have been discovered. The vulnerabilities purportedly affect Intel and ARM processors, but the impact on AMD processors remains unknown.
Has anybody heard of any proven cases of Spectre or Meltdown being used to compromise a system? There's lots of "could be used" or "might be used" but I can't find anything stating it "was used".
I think these two vulnerabilities should have been kept under wraps. But I guess that's the internet.
There are no known Spectre or Meltdown exploits outside the lab, though going by what was revealed they are much more difficult to exploit than, say, finding a flaw in the OS or software, much like how you can freeze RAM chips to steal information, and it's really not that severe considering these vulnerabilities existed for years without discovery.
At least it says they won't release the vulnerabilities until it's patched this time.
The original Spectre and Meltdown weren't due to be released until patches were, but someone leaked it to the media.
I'm not patching my i7 3930K / Win 7 Pro because of the possibility of a performance hit (Intel) or not being able to boot (AMD). There doesn't seem to be any real threat to me. If I owned a corporation I would. But I don't.
Easier for you, since Spectre updates are meant to work in conjunction with additional updates in the BIOS, you're on a dead platform so you never have to touch it, whereas us on long term Socket AM4 or new Intel platforms do.
So it's the mainboard manufacturer that writes the patch code into the BIOS update?
Did some checking into it. Yea, it's a BIOS update. But it looks like a zoo with Microsoft, Intel and the mainboard manufacturers. Nothing I want to get involved with. I'm hitting 80FPS avg. on Ultra @ 1440p in Far Cry 5. No need to upgrade into that mess.
The performance impact of the patches outside of professional and server applications is minimal, games benchmark within the margin of error from both companies. Storage takes the biggest hit, which if you run a server farm with hundreds or thousands of disks cranking away running cloud based VMs and the like is bad news, but home users aren't affected. The biggest problem comes in with rushed patches causing bootloops and other garbage from Microsoft.
Proposed solution to Spectre class:
If there is some abuse detected by the CPU (e.g. attempted out of bounds read), can't a new gen of CPUs flip a flag and store Program Counter (and whatever other useful info) so that the OS can be made aware and take appropriate action to deprivilege the thread (e.g. make it run in safe mode, with no L1 and L2 cache access, and no future speculative execution)?