CPU大漏洞，補丁抓漏

【Comment】

幾乎是界上所有電腦的CPU都有兩大安全漏洞—Meltdown and Spectre。

漏洞，是自然存在—人非萬能，或是大約翰開鑿的，誰知道？

也絕不會有人承認。

CPU主要是誰設計的？Intel、AMD、APPLE等等。所以中國要自己發展CPU。

所以中國的CPU「龍芯」比較安全？

放屁！

大廠出「補丁」了。但速度會慢20～30％。

哈哈哈，「反正我是信了！」

Researchers Discover Two Major Flaws in the World’s Computers    NYT 20180103

SAN FRANCISCO — Computer security experts have discovered two major security flaws in the microprocessors inside nearly all of the world’s computers.

The two problems, called Meltdown and Spectre, could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in so-called cloud computer networks.

There is no easy fix for Spectre, which could require redesigning the processors, according to researchers.  As for Meltdown, the software patch needed to fix the issue could slow down computers by as much as 30 percent — an ugly situation for people used to fast downloads from their favorite online services.

“What actually happens with these flaws is different and what you do about them is different,” said Paul Kocher, a researcher who was an integral member of a team of researchers at big tech companies like Google and Rambus and in academia that discovered the flaws.

Meltdown is a particular problem for the cloud computing services run by the likes of Amazon, Google and Microsoft.  By Wednesday evening, Google and Microsoft said they had updated their systems to deal with the flaw.

Amazon told customers of its Amazon Web Services cloud service that the vulnerability “has existed for more than 20 years in modern processor architectures.”  It said that it had already protected nearly all instances of A.W.S. and that customers must update their own software running atop the service as well.

To take advantage of Meltdown, hackers could rent space on a cloud service, just like any other business customer.  Once they were on the service, the flaw would allow them to grab information like passwords from other customers.

That is a major threat to the way cloud-computing systems operate.  Cloud services often share machines among many customers — and it is uncommon for, say, a single server to be dedicated to a single customer.  Though security tools and protocols are intended to separate customers’ data, the recently discovered chip flaws would allow bad actors to circumvent these protections.

The personal computers used by consumers are also vulnerable, but hackers would have to first find a way to run software on a personal computer before they could gain access to information elsewhere on the machine.  There are various ways that could happen: Attackers could fool consumers into downloading software in an email, from an app store or visiting an infected website.

According to the researchers, the Meltdown flaw affects virtually every microprocessor made by Intel, which makes chips used in more than 90 percent of the computer servers that underpin the internet and private business operations.

Customers of Microsoft, the maker of the Windows operating system, will need to install an update from the company to fix the problem.  The worldwide community of coders that oversees the open-source Linux operating system, which runs about 30 percent of computer servers worldwide, has already posted a patch for that operating system.  Apple had a partial fix for the problem and is expected to have an additional update.

The software patches could slow the performance of affected machines by 20 to 30 percent, said Andres Freund, an independent software developer who has tested the new Linux code. The researchers who discovered the flaws voiced similar concerns.