Two recently disclosed hardware bugs affected Intel cpus:
- TLBleed
- T1TF (the name "Foreshadow" refers to 1 of 3 aspects of this bug, more aspects are surely on the way)
Solving these bugs requires new cpu microcode, a coding workaround, *AND* the disabling of SMT / Hyperthreading.
SMT is fundamentally broken because it shares resources between the two cpu instances and those shared resources lack security differentiators. Some of these side channel attacks aren't trivial, but we can expect most of them to eventually work and leak kernel or cross-VM memory in common usage circumstances, even such as javascript directly in a browser.
There will be more hardware bugs and artifacts disclosed. Due to the way SMT interacts with speculative execution on Intel cpus, I expect SMT to exacerbate most of the future problems.
A few months back, I urged people to disable hyperthreading on all Intel cpus. I need to repeat that:
DISABLE HYPERTHREADING ON ALL YOUR INTEL MACHINES IN THE BIOS.
So please try take responsibility for your own machines: Disable SMT in the BIOS menu, and upgrade your BIOS if you can.
I'm going to spend my money at a more trustworthy vendor in the future.
NO STOP POSTING THAT SHIT ITS GOT FUKCING PHONE HOME MALWARE
Julian Cox
Proof?
Andrew Fisher
Lads, I'm using a i5-4200U but that app says my microcode is out of date and does not support any mitigations, even tho I'm running on the latest kernel and kubuntu. What the fuck do I do other than turn off HT?
Kayden Mitchell
Update the laptop bios.
Mason Reyes
Microcode is another package iirc. Try installing that
Joshua Hill
What version of the intel-microcode package are you using?
Alexander Stewart
Fucking everything Acer offers are 2015 BIOSs. What do I look for exactly? I don't want to get scammed with a phishing repo or some shit.
Leo Watson
Not sure how to check that.
Julian James
Should be in the official Ubuntu repos. If not, Intel should provide a .deb
Joseph Walker
I truly wish the best for OpenBSD and Theo, hes a great guy
Question. Is it easily remotely exploitable? If not, then I really couldn't care less. Nobody's getting near my laptop. I'm sure as hell not tanking what little performance I have over it.