Intel CPU serious kernel bug ..

Oh boy … that can’t be good news for Intel.

Actually, it’s not certain that Macs are affected, as according to MacGadget their security structure might make it impossible for the bug to be exploited. But at the moment nobody knows for sure.

More knee-jerk reporting … they don’t know what it is, what it exposes, what it affects, how it can be exploited, or how it’s being fixed. Another case of reporting “First”!

The forum obfuscated J E R K?

Oof, this is gonna sting.

The error concerns the equipment, so in theory every system is at risk, unless it does not use hardware protection. Unfortunately, there is no information as to how the case looks at macOS. It is possible that the system uses a different way to protect the kernel or the security implementation will not be as resource-consuming. However, these are just my speculations. Let me remind you that iOS from the beginning was resistant to KRACK, thanks to the incomplete implementation of WPA.

Do you remember the famous KRACK ATTACK? It’s about WPA WiFi connection security error. The creators of the WPA protocol “overreacted” and, unfortunately, their good intentions could be used in a bad way. The Intel problem looks similar."

So let’s stop hyper-ventilating.

Intel Memory Access Design Flaw Already Addressed by Apple in macOS 10.13.2

and so all the previous systems will be left on the side of the road … thanks who ?

I found this doc on Apple’s site which seems to indicate that Sierra 10.12.6 and El Capitan 10.11.6 also got something that looks like this fix:

Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2017-13833: Brandon Azad

Hmm. Would like to see some benchmarks that compare macOS 10.13.1 and 10.13.2 :slight_smile:

A valid question: “what about previous systems?”

A troll question: “and so all the previous systems will be left on the side of the road … thanks who ?”

At least be a bit less obvious … [where’s the rolling eye smiley?]

The greatest risk would appear to be virtual machines in a multi-tenanted environment i.e. “The Cloud”. A statement from Xojo on this would be appropriate about now.

As for personal systems or even corporate virtual servers - I believe you would easily find an insurance company to cover the risk.

"After a public disclosure of a security flaw with nearly every Intel processor produced for the last 15 years, concern grew that a fix may take up to 30 percent of the processing power away from a system. But Apple appears to have at least partially fixed the problem with December’s macOS 10.13.2 —and more fixes appear to be coming in 10.13.3.

AppleInsider is in the midst of comparative speed testing on a 2017 MacBook Pro. Early indications are that there are no notable slowdowns between a system running macOS High Sierra 10.13.1 and 10.13.2."

Next up are the class action lawsuits against Apple for getting an early start on fixes and not disclosing that they were fixing it. :wink:

“All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time,”

FWIW, we use the same base OS infrastructure for Xojo Cloud as everyone else does on these providers.

We do update the servers at regular intervals (usually monthly) for non-critical server updates and as-needed for critical or security updates.

In this case, as soon as a patch is available to us, we’ll evaluate it and it’ll be installed.

And macOS Sierra and El Capitan are patched too as far as I can see:

Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read kernel memory
Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology
Entry added January 4, 2018

P.S. Oops. Just realized Paul already posted this.

A seemingly urgent patch just arrived on my Win 10 machine - wanted to restart almost immediately. I assume something related to these bugs.

I got the scoop on this from one of our Intel developer contacts - This is an important issue, but nothing like the popular press is making it out to be. It’s been around for more than 22 years.

The 3 attack vectors require local access to the system. And even then, they really only affect systems where multiple VMs are running or where a large, multi-user database environment is in play.

The reason that it’s not as big a deal as the press is pushing is that if I have physical, local access to your system, it’s mine - doesn’t matter what CPU type is in use.

Should you patch? - Sure. Are you in dire and deadly danger? - Nope.

I don’t think this is true - “requiring local access” usually means “has a user account”. It does not mean “has physical access”.

In any case, the exploits do not require either a local account or physical access: I’ve seen mention of JavaScript Proof of Concept exploits for some of these variants which can break out of the browser sandbox.

This means that anyone visiting a website that has malicious JavaScript code could, in theory, be subject to an attack where data from outside the sandbox was read.