Intel - Updated Security Risks Despite Newer "Secured" CPUs

Basically researchers were told to hold off on disclosing vulnerabilities found within the newer “secured” Intel chips in fears of losing funding from Intel themselves. I found it over at LET.

Good thing my desktop is on an APU, finding actual business-grade managed hosting on EPYC AMD processors is a whole another can of worms though…

Thread Summary

You thought, you are secure at least with the new Cascade Lake processors from intel and, if installing intels patches, on older intel processors too? You are wrong.

(Meanwhile quite well known) researchers at the university of Graz (Austria) discovered a new attack, “Zombieland” some time before intel launched their new “secure” processor generation and also before intel made a public announcement about their processors being secure thanks to their patches.

As soon as intel learned about the danger they put an embargo on the scientist and later prolonged it to Nov. 12. Now, such an embargo is not uncommon or unreasonable per se; after all everyone wants that a manufacturer, in this case intel, gets some time to fix the problem. But intel instead made announcements about their processors to be secure and prolonged the embargo so that nobody would learn the truth. In other words: intel lied and betrayed everyone, their large customers as well as us the small end customers.

“But those researchers are not bound by intels diktat!” you say? Well, theoretically they are not, they are employees of a “free” university. Factually however they are because intel sponsors the university of Graz (just like some other universities), so the university administration is in a place between a rock and hard place. The end result was anyway that the researchers stayed mum till Nov. 12.

Here’s the link →

Important: Note that even “MDS resistant” CPUs from intel do not protect against Zombieland. The only protection working so far seems to be to disable both TSX and Hyperthreading - which cuts deeply into providers income.

Or simply BUY AMD!

1 Like

I think the LET thread is being a little overdramatic. It’s pretty standard for researchers to be told to hold off on disclosing found vulnerabilities so that there’s a reasonable amount of time for a patch to be released. The issue here is that Intel seemingly still haven’t released anything. But to say that they lied and betrayed us is a large overstatement in my opinion. Vulnerabilities happen, Intel should’ve done something about this already, though.

It’s one thing to do that and proceeds to release CPUs fitted with empty promises. In this case being “secured” from any vulnerabilities.

I think they didn’t hold, because they knew that their CPUs could not be (at least easily) be “corrected” and therefore wouldn’t been a waste of whatever batches they produced already.

THAT"S where I have problems with Intel.

Reminds me that pharmacy company that resale their defective medications to 3rd world countries simply to exhaust existing stocks.

Defective production DO happens but it’s how it dealt with is what’s counts and I don’t think Intel did it as they should. So the fact that BOTH were occurred is why I believe LET is upset. If it were to be a proper Black Out procedure then I could see them not being so “upset” about it.

1 Like