No intel cpu since and including the Pentium Pro is safe to use unpatched.

They just did not report on earlier models because they are obsolete, so they did not bother to test (or report).

appiah4 wrote:

They just did not report on earlier models because they are obsolete, so they did not bother to test (or report).

Core 2 may be old, but still perfectly usable for many tasks. Far from obsolete and better than many later chips like Atoms.

Take it to Intel, I guess 😎

appiah4 wrote:

No intel cpu since and including the Pentium Pro is safe to use unpatched.

I wouldn't be too sure about that. I'd like to see a proof-of-concept being executed successfully on each CPU first.
There is a difference between the CPU using speculative execution and it actually being exploitable as a side-channel.
The window has to be large enough, and the differences have to be large enough to make reasonably accurate measurements.

appiah4 wrote:

No intel cpu since and including the Pentium Pro is safe to use unpatched.

Itanium and early Atoms don't suffer it (but who uses them?).

What this means for older hardware is that, pre Win7, there will be no 'official' patches, so basically any old OS (9X, ME, 2K, XP, Vista, unpatched old linux distros) and old hardware shouldn't be online (or at least don't keep sensitive info that you don't mind loosing on it). It's probably ended the use of a lot of these systems as daily drivers for people who still use them, but then again these systems can't be kept up to date (no patches, updates etc coming their way) anyhows so do people that use these as daily drivers care? who knows. It's not like this is the only security flaw that these old machines/OS suffer from which will never get patched though, although this one is fairly far reaching since the scope of the effected systems (pretty much most consumer CPU architectures in the last number of years at least).

People seem to think this is an Intel only problem... It is not... while Intel suffer Meltdown (and bad PR), AMD, ARM, POWER...all suffer Spectre.... so thats like every iPhone/iPad that exists and most (if not all) android phones o.0.... or put another way, anything that can play a youtube video at 'enough' quality thats worth it these days.

spiroyster wrote:

What this means for older hardware is that, pre Win7, there will be no 'official' patches, so basically any old OS (9X, ME, 2K, XP, Vista, unpatched old linux distros) and old hardware shouldn't be online (or at least don't keep sensitive info that you don't mind loosing on it).

So far this is just FUD. Let's see one single working exploit in the wild, that actually manages to leak anything other than hand-crafted examples. You know what would happen if something like this existed? Microsoft would release emergency patches for XP and Vista as well, just like they did for XP with WannaCry.

spiroyster wrote:

It's probably ended the use of a lot of these systems as daily drivers for people who still use them, but then again these systems can't be kept up to date (no patches, updates etc coming their way) anyhows so do people that use these as daily drivers care? who knows. It's not like this is the only security flaw that these old machines/OS suffer from which will never get patched though, although this one is fairly far reaching since the scope of the effected systems (pretty much most consumer CPU architectures in the last number of years at least).

Both points are correct. (1) It is not the only flaw and (2) people who feel sufficiently safe with these old unsupported systems at this point, will probably continue feeling just as safe even given this latest vulnerability.

dr_st wrote:

spiroyster wrote:

What this means for older hardware is that, pre Win7, there will be no 'official' patches, so basically any old OS (9X, ME, 2K, XP, Vista, unpatched old linux distros) and old hardware shouldn't be online (or at least don't keep sensitive info that you don't mind loosing on it).

So far this is just FUD. Let's see one single working exploit in the wild, that actually manages to leak anything other than hand-crafted examples. You know what would happen if something like this existed? Microsoft would release emergency patches for XP and Vista as well, just like they did for XP with WannaCry.

Just because you do not know it exists doesn't mean it doesn't exist. For all we know this is a deliberate backdoor left open for the US government and has been exploited since forever in places that would never report it.

dr_st wrote:

So far this is just FUD. Let's see one single working exploit in the wild, that actually manages to leak anything other than hand-crafted examples. You know what would happen if something like this existed? Microsoft would release emergency patches for XP and Vista as well, just like they did for XP with WannaCry.

True... they'll be around at some point though no doubt... exploit it... and they will build it... and they will cum. o.0, Crafty little buggers some of these malware authors can be, and naive little buggers these script kiddies can be (trigger pullers)... but it also wouldn't surprise me if there are 'unofficial' patches available at some point if it really is a problem that warrants the effort.

And yes It should be stressed that no one currently 'suffer's Meltdown and Spectre, they have the potential to 'suffer' it. It all needs to be reviewed on a CPU by CPU basis. Theorectically this exploit can jump into host OS, but it begs the question, would this still be the case for a 'patched' guest OS running on an 'un-patched' host OS? I have no idea how virtualised kernels operate wrt the host kernel space?

appiah4 wrote:

Just because you do not know it exists doesn't mean it doesn't exist. For all we know this is a deliberate backdoor left open for the US government and has been exploited since forever in places that would never report it.

I think that's a bit too tin-foil-hat-tey, the more I look into it, it certain does look like simply a conceptual design oversight. There are posters in this thread obviously far more qualified to say either way than me though. Just mho.

Let's not forget that this isn't some remote attack that can be run as soon as the machine is online, the code has to actually run locally on the CPU before it stands a chance of reading protected memory. Everyone is worried about web browsers and the vulnerabilities being exploitable through JavaScript, but only recent JS interpreters support what is required for this, and who runs a modern web browser on their retro PC anyway? Just use an old browser, turn off JavaScript, or use a patched web browser - Firefox reduced the precision of their timers recently to make the attack impractical.

It hardly makes the CPUs "unsafe". In fact if you go back in time looking at CPUs, pretty quickly you reach a point where they are too slow to run a web browser with accurate enough timing to execute the attacks anyway.

Really, this is no different to any other malicious code, be it a virus, trojan, etc. If a virus exploits a bug and gets into kernel mode then it can read everything as well, and a lot faster than Meltdown can. Most people try not to run viruses on their CPUs, and Meltdown/Spectre code is no different.

The real issue is people who need to run untrusted code as part of their business - namely cloud providers like AWS. They are the ones who really need to fix the problem or their core business model goes out the window. For everyone else, it's nowhere near as severe.

Looks like Meltdown and Spectre already run on old hardware 😵

appiah4 wrote:

Just because you do not know it exists doesn't mean it doesn't exist. For all we know this is a deliberate backdoor left open for the US government and has been exploited since forever in places that would never report it.

Then everything about you and everyone else already leaked, and you're just trying to close the stable door after the horse has bolted.

Malvineous wrote:

Really, this is no different to any other malicious code, be it a virus, trojan, etc. If a virus exploits a bug and gets into kernel mode then it can read everything as well, and a lot faster than Meltdown can. Most people try not to run viruses on their CPUs, and Meltdown/Spectre code is no different.

Yes, that's basically true. Something like RWEverything (which is scriptable) can dump all your physical memory using proper, documented Windows interfaces without using any bizarre exploits. The difference is, as far as I know, that on a properly secured system, RWEverything will have to request administrator privileges to work, while these side-channel attacks can leak RAM without any privilege elevations and without being detected. I think this is why everyone treats them as super-serious.

spiroyster wrote:

Looks like Meltdown and Spectre already run on old hardware 😵

Except for the 8088/8086, 286, 386, and 486 machines. Pentium (as well as the OverDrive and Pro) and higher are affected by these bugs. AMD processors, not so much (zero chance according to the AMD team).

dr_st wrote:

appiah4 wrote:

Just because you do not know it exists doesn't mean it doesn't exist. For all we know this is a deliberate backdoor left open for the US government and has been exploited since forever in places that would never report it.

Then everything about you and everyone else already leaked, and you're just trying to close the stable door after the horse has bolted.

And that excuses liability? What difference does that make? Just because one source already monitored it all its now aok for everyone else? What exactly are you trying to say here?

appiah4 wrote:

What exactly are you trying to say here?

That you are spreading FUD.

dr_st wrote:

appiah4 wrote:

What exactly are you trying to say here?

That you are spreading FUD.

Oh. Youre a funny vuy.

bjwil1991 wrote:

spiroyster wrote:

Looks like Meltdown and Spectre already run on old hardware 😵

Except for the 8088/8086, 286, 386, and 486 machines. Pentium (as well as the OverDrive and Pro) and higher are affected by these bugs. AMD processors, not so much (zero chance according to the AMD team).

Did you clicky the linkyies? ... or was my joke that bad 😢

[EDIT:] 🤣... it turns out M$ might be doing more damage to AMD than Spectre ever could.
linky: https://www.theregister.co.uk/2018/01/08/micr … md_powered_pcs/

spiroyster wrote:

Did you clicky the linkyies? ... or was my joke that bad 😢

I'm not going to click any links on the web. My computer has not been patched yet! 😵

spiroyster wrote:

Did you clicky the linkyies? ... or was my joke that bad :depressed: […]
Show full quote

bjwil1991 wrote:

spiroyster wrote:

Looks like Meltdown and Spectre already run on old hardware 😵

Except for the 8088/8086, 286, 386, and 486 machines. Pentium (as well as the OverDrive and Pro) and higher are affected by these bugs. AMD processors, not so much (zero chance according to the AMD team).

Did you clicky the linkyies? ... or was my joke that bad 😢

[EDIT:] 🤣... it turns out M$ might be doing more damage to AMD than Spectre ever could.
linky: https://www.theregister.co.uk/2018/01/08/micr … md_powered_pcs/

I got the joke. Didn't realize that those were games back then. Laughter is the best medicine.

Intel released a microcode update for linux to make it easier on sysadmins that dont have access to easy bios update tools

https://downloadcenter.intel.com/download/274 … ocode-Data-File

goes back to the pentium 75mhz

Super_Relay wrote:

goes back to the pentium 75mhz

Yes, but that does not imply that they included new microcode for these processors.
If you take the previous release, they also have that huge list of CPUs:
https://downloadcenter.intel.com/download/269 … ocode-Data-File

So it seems that this is just a 'bulk' file that contains the latest microcode for all CPUs from Pentium and up.
Could be that the Pentium microcode included there hasn't been updated in over 20 years.

The included release notes say:

IVT C0 (06-3e-04:ed) 428->42a SKL-U/Y D0 (06-4e-03:c0) ba->c2 BDW-U/Y E/F (06-3d-04:c0) 25->28 HSW-ULT Cx/Dx (06-45-01:72) 20-> […]
Show full quote

IVT C0 (06-3e-04:ed) 428->42a
SKL-U/Y D0 (06-4e-03:c0) ba->c2
BDW-U/Y E/F (06-3d-04:c0) 25->28
HSW-ULT Cx/Dx (06-45-01:72) 20->21
Crystalwell Cx (06-46-01:32) 17->18
BDW-H E/G (06-47-01:22) 17->1b
HSX-EX E0 (06-3f-04:80) 0f->10
SKL-H/S R0 (06-5e-03:36) ba->c2
HSW Cx/Dx (06-3c-03:32) 22->23
HSX C0 (06-3f-02:6f) 3a->3b
BDX-DE V0/V1 (06-56-02:10) 0f->14
BDX-DE V2 (06-56-03:10) 700000d->7000011
KBL-U/Y H0 (06-8e-09:c0) 62->80
KBL Y0 / CFL D0 (06-8e-0a:c0) 70->80
KBL-H/S B0 (06-9e-09:2a) 5e->80
CFL U0 (06-9e-0a:22) 70->80
CFL B0 (06-9e-0b:02) 72->80
SKX H0 (06-55-04:b7) 2000035->200003c
GLK B0 (06-7a-01:01) 1e->22

You can deduce the codenames from the 3-letter codes. They all seem to be modern CPUs (Ivy Bridge, SkyLake, BroadWell, Haswell etc).
So nothing in there that proves that Core2 and earlier are affected/patched.