Intel chip kernel flaw requires OS-level fix that could impact macOS performance, report s...

Comments

  • Reply 61 of 90
    volcan Posts: 1,799 member
    The exact nature of the vulnerability has not been made public so very few people actually know what it is. The reason that the OS vendors are working to patch it is not because of any fault of their own. They are simply the only ones who can fix it on existing computers. They are basically just covering their asses by patching the vulnerability, but because the patch must limit the privilege escalation issue, which has been a very convenient way for some apps to get things done quickly, each app will be affected differently from 0% to perhaps 30% during certain tasks. It is not an across the board 30% on everything. Many apps are not affected at all because they don't rely on the privilege escalation functions, which was a bad idea from the start, but since the Intel x86 chips have this newly discovered memory leak, it allows bad actors to exploit the privilege escalation functions in an app to take control of the machine. It should be noted that there are perhaps hundreds of system apps in the OS itself that use the privilege escalation functions as well as third party apps. Older Intel processors are much more susceptible to attack than newer ones.

    AMD chips are not affected by the vulnerability, however depending on how the OS vendors decide to apply the patch, AMD may be slowed down as well. The programmers could provide an exclusion for AMD in the code, but they may also take a scorched earth approach to be on the safe side affecting both AMD and Intel, which would be bad for AMD through no fault of their own.
    edited January 2018
  • Reply 62 of 90
    thompr Posts: 1,521 member
    polymnia said:
    If this bug does go back years, and none of you have noticed yet, what is the big deal? If you don’t want to sacrifice the performance, don’t apply the patch. Wait until you get a new Mac with a new chip to update. The sky hasn’t fallen in the years this flaw has existed. Probably still stay up there going forward. 

    I just bought a new MacBook Pro at the beginning of 2017, and every now and then I do use it for some serious scientific programming.  For some things that take hours to run, a 30% hit is going to be painful.   If the chip in that laptop is subject to this bug, then I'm sorry but your dismissive solution is not helpful.  There will be numerous updates to the operating system prior to me being ready to purchase a brand new machine, and these OS updates will likely all contain the patch.  So your solution would have me freeze my OS until such time as a new machine (without the bug) is available and I can afford to purchase it.  That's not a good position to be in, IMO.
  • Reply 63 of 90
    foggyhill Posts: 4,767 member
    volcan said:
    The exact nature of the vulnerability has not been made public so very few people actually know what it is. The reason that the OS vendors are working to patch it is not because of any fault of their own. They are simply the only ones who can fix it on existing computers. They are basically just covering their asses by patching the vulnerability, but because the patch must limit the privilege escalation issue, which has been a very convenient way for some apps to get things done quickly, each app will be affected differently from 0% to perhaps 30% during certain tasks. It is not an across the board 30% on everything. Many apps are not affected at all because they don't rely on the privilege escalation functions, which was a bad idea from the start, but since the Intel x86 chips have this newly discovered memory leak, it allows bad actors to exploit the privilege evaluation functions in an app to take control of the machine. Older Intel processors are much more susceptible to attack than newer ones.

    AMD chips are not affected by the vulnerability, however depending on how the OS vendors decide to apply the patch, AMD may be slowed down as well. The programmers could provide an exclusion for AMD in the code, but they may also take a scorched earth approach to be on the safe side affecting both AMD and Intel, which would be bad for AMD through no fault of their own.
    You are right that this bug could in theory be avoided in software, but most software is barely updated after install so the bug stays; it also depends on how much the OS actually depends on these functions. If it does, the fix may be long and painful and lead to vulnerabilities for a long time for even the best companies, let alone those that barely touch their servers. If you are running on cloud infrastructure, you likely won't be touched because they'll simply upgrade your stuff and keep your level of service up (though eventually prices should rise if it does impact the amount of servers they need to serve their clients).

    I'd argue that right now, most infrastructures are riddled with exploits, and mitigation and ensuring not everything gets compromised at the same time (so you can actually monitor for intrusion and have proper fallback backups) is the best that can be done.
  • Reply 64 of 90
    macplusplus Posts: 2,112 member
    larryjw said:
    I’m not likely understanding some of this story. One key statement is there is no firmware fix. Looking on Intel's site, they have a table listing each CPU, and the minimum ME firmware version that resolves the issue, or at least one of the issues. 

    Like one of the other commenters, I too, in December, purchased a new MBP but also a new iMac. The About My Mac doesn’t describe the CPU level of detail about its firmware versions to know whether my chips have the latest firmware versions. It’s going to be Apple’s responsibility to push out the firmware updates. 

    A second thing to note. Intel has downloadable software to analyze your system for these flaws, but the software only runs under Windows or Linux. Intel needs to push out a version for macOS. 
    I tested the tool on a Mid-2015 Retina MacBook Pro 15" under Boot Camp. It outputs the following information:

    Name: <your computer's name>
    Manufacturer: Apple Inc.
    Model: MacBookPro11,5
    Processor Name: Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz
    OS Version: Microsoft Windows 8.1 Pro
    Engine: Intel(R) Management Engine
    Version: 9.1.20.1035
    SVN: 1
    Status: This system is not vulnerable.

    Other Macs may be vulnerable or not. If any Mac is vulnerable of course Apple will issue a system update.

    For the curious, here is Intel's official response. Tired of playing the voluntary reporter. Why don't you update your article AI?

    https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

    edited January 2018
  • Reply 65 of 90
    1k9 Posts: 3 member
    Should people that are still within their return period for an iMac or MacBook Pro return their computers and wait this out?
  • Reply 66 of 90
    macplusplus Posts: 2,112 member
    1k9 said:
    Should people that are still within their return period for an iMac or MacBook Pro return their computers and wait this out?
    Why are you asking that in this forum? Ask that to Apple Support.
  • Reply 67 of 90
    1k9 Posts: 3 member
    1k9 said:
    Should people that are still within their return period for an iMac or MacBook Pro return their computers and wait this out?
    Why are you asking that in this forum? Ask that to Apple Support.
    For an opinion, the question has to do directly with this Intel problem. 
    If you just bought a new computer and are within your return period still, would you recommend returning it and waiting this Intel problem out?
    I'm having a hard time understanding why Apple is still selling and shipping out computers with a known defect in the computer chip they're using. 
  • Reply 68 of 90
    Time to look for iPad for any work it can handle.
  • Reply 69 of 90
    Mike Wuerthele Posts: 6,858 administrator
    1k9 said:
    1k9 said:
    Should people that are still within their return period for an iMac or MacBook Pro return their computers and wait this out?
    Why are you asking that in this forum? Ask that to Apple Support.
    For an opinion, the question has to do directly with this Intel problem. 
    If you just bought a new computer and are within your return period still, would you recommend returning it and waiting this Intel problem out?
    I'm having a hard time understanding why Apple is still selling and shipping out computers with a known defect in the computer chip they're using. 
    1) What else would you buy? A Dell with an Intel processor?

    2) No.

  • Reply 70 of 90
    Mike Wuerthele Posts: 6,858 administrator

    For the curious, here is Intel's official response. Tired of playing the voluntary reporter. Why don't you update your article AI?

    https://www.intel.com/content/www/us/en/support/articles/000025619/software.html
    Because we were working on something else. See the link in my post above this one.
  • Reply 71 of 90
    1k9 Posts: 3 member
    1k9 said:
    1k9 said:
    Should people that are still within their return period for an iMac or MacBook Pro return their computers and wait this out?
    Why are you asking that in this forum? Ask that to Apple Support.
    For an opinion, the question has to do directly with this Intel problem. 
    If you just bought a new computer and are within your return period still, would you recommend returning it and waiting this Intel problem out?
    I'm having a hard time understanding why Apple is still selling and shipping out computers with a known defect in the computer chip they're using. 
    1) What else would you buy? A Dell with an Intel processor?

    2) No.

    I wouldn't buy anything. The iMac I just purchased was $3000, but I can still return it and try to wait this out if possible.
    I guess I should wait and see what happens over the next week or so.
  • Reply 72 of 90
    macplusplus Posts: 2,112 member

    For the curious, here is Intel's official response. Tired of playing the voluntary reporter. Why don't you update your article AI?

    https://www.intel.com/content/www/us/en/support/articles/000025619/software.html
    Because we were working on something else. See the link in my post above this one.
    Thanks for the new article but the title is misleading. This is not a KPTI flaw, if you need to name it "Management Engine" is a better qualifier, as declared by Intel. KPTI is just an implementation under Linux, it may or may not relate to macOS.
    edited January 2018
  • Reply 73 of 90
    Mike Wuerthele Posts: 6,858 administrator

    For the curious, here is Intel's official response. Tired of playing the voluntary reporter. Why don't you update your article AI?

    https://www.intel.com/content/www/us/en/support/articles/000025619/software.html
    Because we were working on something else. See the link in my post above this one.
    Thanks for the new article but the title is misleading. This is not a KPTI flaw, if you need to name it "Management Engine" is a better qualifier, as declared by Intel. KPTI is just an implementation under Linux, it may or may not relate to macOS.
    I don't disagree. Thus, the quotes.

    For better or worse, this is getting called KPTI on social media and the Internet as a whole.
  • Reply 74 of 90
    welshdog Posts: 1,897 member
    nht said:

    Nice to see that Luddites still exist.  

    Well, no, not really.

    The sky isn't falling.  There are many potential attack vectors both cyber and physical. 

    This is one that has a fix albeit with a sometimes hefty performance penalty.  It's safer to do it this way even if the kernel protections worked...it's just slower.
    Not sure you know what Luddite means or you didn't read what was said. Nothing was said about the sky falling. This is a very serious flaw in the actual hardware chip. That is nothing like software exploits. Yes it can be fixed with an external software bandaid, which itself will be vulnerable to exploit. That is what makes this so bad - the fix really isn't a fix. Thanks for trying to overstate what I didn't overstate.
  • Reply 75 of 90
    fastasleep Posts: 6,408 member
    This is why I keep multiple computers.  Most notably I keep one in virtual lock-down status to use as a financial computer.  It stores my financial records and only accesses a very few specific financial sites that I deal with.  There is no web browsing on it and no email.  Plus it's powered down unless I'm using it which is roughly about once a week.

    That doesn't guarantee security of course, but it does improve the odds that my most valuable personal information will be safe from hackers.
    You forgot to put it inside a Faraday cage, surrounded by a moat full of sharks, in an airgapped room. 
  • Reply 76 of 90
    I wonder if the newer AMD chips inherited the flaw. If not, they are probably some happy pups.
  • Reply 77 of 90
    fastasleep Posts: 6,408 member
    thompr said:
    polymnia said:
    If this bug does go back years, and none of you have noticed yet, what is the big deal? If you don’t want to sacrifice the performance, don’t apply the patch. Wait until you get a new Mac with a new chip to update. The sky hasn’t fallen in the years this flaw has existed. Probably still stay up there going forward. 

    I just bought a new MacBook Pro at the beginning of 2017, and every now and then I do use it for some serious scientific programming.  For some things that take hours to run, a 30% hit is going to be painful.   If the chip in that laptop is subject to this bug, then I'm sorry but your dismissive solution is not helpful.  There will be numerous updates to the operating system prior to me being ready to purchase a brand new machine, and these OS updates will likely all contain the patch.  So your solution would have me freeze my OS until such time as a new machine (without the bug) is available and I can afford to purchase it.  That's not a good position to be in, IMO.
    You don’t know that the tasks you’re talking about are going to take a wholesale 30% hit either. So speculating on how bad the software fix is going to be at this point isn’t helpful either. Especially since it’s already been partially fixed and nobody noticed a massive slowdown in their genome sequencing or whatever it is you’re doing. 
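    An added example, not written by any of the posters above: volcan's "from 0% to perhaps 30% during certain tasks" and fastasleep's "you don't know that the tasks you're talking about are going to take a wholesale 30% hit" both come down to the same thing, so one microbenchmark serves both. A KPTI-style fix makes every transition from user mode into the kernel more expensive (the kernel has to switch page tables on the way in and out), so the slowdown scales with how often a program enters the kernel, not with how long it runs. The program below measures the cost of one bare system call next to the cost of one pure-userspace operation, and turns a syscall rate into the share of runtime that such a patch can inflate. It assumes Linux with glibc (the `syscall(2)` wrapper and `SYS_getpid`), a C compiler, and nothing from the thread; the numbers it prints are whatever your machine produces, not figures from the article.

```c
/*
 * Added example (not from the original thread). Estimates how exposed a
 * workload is to a per-kernel-entry cost such as KPTI by timing a bare
 * syscall loop against a pure-userspace loop. Assumes Linux/glibc.
 */
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

/* glibc declares syscall() under _GNU_SOURCE/_DEFAULT_SOURCE; restating the
 * prototype keeps the example building under strict -std=c11 as well. */
long syscall(long number, ...);

/* Nanoseconds per trip into the kernel. SYS_getpid does almost no work, so
 * the measured cost is dominated by the entry/exit path that KPTI makes more
 * expensive. syscall(2) is used instead of getpid() to bypass any libc
 * caching. Returns -1.0 for a non-positive iteration count. */
double syscall_ns_per_op(long iterations) {
    if (iterations <= 0) return -1.0;
    clock_t start = clock();
    for (long i = 0; i < iterations; i++) {
        (void)syscall(SYS_getpid);
    }
    clock_t end = clock();
    return (double)(end - start) * 1e9 / CLOCKS_PER_SEC / (double)iterations;
}

/* Nanoseconds per pure-userspace operation. No kernel entry happens, so a
 * page-table-isolation patch cannot touch it. The xorshift state is returned
 * through *sink (if non-NULL) so the compiler cannot drop the loop. */
double compute_ns_per_op(long iterations, uint64_t *sink) {
    if (iterations <= 0) return -1.0;
    uint64_t x = 0x9E3779B97F4A7C15ull;
    clock_t start = clock();
    for (long i = 0; i < iterations; i++) {
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    }
    clock_t end = clock();
    if (sink) *sink = x;
    return (double)(end - start) * 1e9 / CLOCKS_PER_SEC / (double)iterations;
}

/* Share of wall time a workload spends on kernel entry/exit, given its
 * syscall rate and the measured per-syscall cost. That share is the part a
 * KPTI patch inflates: a compute-bound job making a handful of syscalls per
 * second sits near 0, an I/O- or IPC-heavy one can be largely exposed.
 * Clamped to [0, 1]; -1.0 on negative input. */
double kernel_entry_fraction(double syscalls_per_second, double ns_per_syscall) {
    if (syscalls_per_second < 0.0 || ns_per_syscall < 0.0) return -1.0;
    double frac = syscalls_per_second * ns_per_syscall / 1e9;
    return frac > 1.0 ? 1.0 : frac;
}

int main(void) {
    const long n = 1000000;
    uint64_t sink = 0;
    double sc = syscall_ns_per_op(n);
    double cp = compute_ns_per_op(n, &sink);
    printf("syscall: %.1f ns/op   compute: %.2f ns/op   (sink %llx)\n",
           sc, cp, (unsigned long long)sink);
    /* Two hypothetical workloads: a long numeric run that rarely asks the
     * kernel for anything, and a chatty one doing a million syscalls/s. */
    printf("100 syscalls/s  -> %.2f%% of runtime in kernel entry/exit\n",
           100.0 * kernel_entry_fraction(100.0, sc));
    printf("1e6 syscalls/s  -> %.2f%% of runtime in kernel entry/exit\n",
           100.0 * kernel_entry_fraction(1e6, sc));
    return 0;
}
```

    Run it before and after the patch on the same machine: the compute figure should not move, the syscall figure is where the cost lands, and the fraction tells you roughly how much of that cost a given job will feel. `strace -c` on the real workload gives the syscall rate to plug in.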
  • Reply 78 of 90
    foggyhill Posts: 4,767 member
    thompr said:
    polymnia said:
    If this bug does go back years, and none of you have noticed yet, what is the big deal? If you don’t want to sacrifice the performance, don’t apply the patch. Wait until you get a new Mac with a new chip to update. The sky hasn’t fallen in the years this flaw has existed. Probably still stay up there going forward. 

    I just bought a new MacBook Pro at the beginning of 2017, and every now and then I do use it for some serious scientific programming.  For some things that take hours to run, a 30% hit is going to be painful.   If the chip in that laptop is subject to this bug, then I'm sorry but your dismissive solution is not helpful.  There will be numerous updates to the operating system prior to me being ready to purchase a brand new machine, and these OS updates will likely all contain the patch.  So your solution would have me freeze my OS until such time as a new machine (without the bug) is available and I can afford to purchase it.  That's not a good position to be in, IMO.
    You don’t know that the tasks you’re talking about are going to take a wholesale 30% hit either. So speculating on how bad the software fix is going to be at this point isn’t helpful either. Especially since it’s already been partially fixed and nobody noticed a massive slowdown in their genome sequencing or whatever it is you’re doing. 
    The issue is not those that fix it, like Apple, which has not only quick fixes but quick deployments as a matter of fact; it's that, because it's so wide, it will be in dozens of millions of devices that won't be fixed at all.
  • Reply 79 of 90
    GeorgeBMac Posts: 11,421 member
    polymnia said:
    This is why I keep multiple computers.  Most notably I keep one in virtual lock-down status to use as a financial computer.  It stores my financial records and only accesses a very few specific financial sites that I deal with.  There is no web browsing on it and no email.  Plus it's powered down unless I'm using it which is roughly about once a week.

    That doesn't guarantee security of course, but it does improve the odds that my most valuable personal information will be safe from hackers.
    Where do you buy your tin foil hats?
    Tin Foil Hat?    LOL...
    ... No, I just don't like putting my personal financial info out there for people to steal...
    .......You apparently don't care about yours.   That's fine.
  • Reply 80 of 90
    GeorgeBMac Posts: 11,421 member
    This is why I keep multiple computers.  Most notably I keep one in virtual lock-down status to use as a financial computer.  It stores my financial records and only accesses a very few specific financial sites that I deal with.  There is no web browsing on it and no email.  Plus it's powered down unless I'm using it which is roughly about once a week.

    That doesn't guarantee security of course, but it does improve the odds that my most valuable personal information will be safe from hackers.
    You forgot to put it inside a Faraday cage, surrounded by a moat full of sharks, in an airgapped room. 
    Good thinking!  I'll have to add that.   But no snakes.   I hate snakes!
    Actually, the computer cost me less than $150 a few years ago.  I later wiped and recommissioned it as a financial only machine.  It's a ThinkPad T60P with a dual core processor.   For my financial stuff it works great.  So for little or no money (I would otherwise have just retired the machine), I got a nice insurance policy.  No, not a guarantee -- but it does improve my odds.