Meltdown and Spectre: ‘worst ever’ CPU bugs affect virtually all computers

Antivirus or malware protection is still possibly the first defense against the Meltdown and Spectre exploits, as they prevent the downloading and installation of code which would allow others to exploit these vulnerabilities. This is what Symantec says about these two.

Patching is the other defense to ‘permanently’ close the exploit.

3 Likes

Unfortunately you can’t “permanently” fix a hardware issue with a software patch. It’s a bandaid, nothing more.

Apparently Linus isn’t a fan of Intel’s ‘fix’ :wink: in true Linus-on-lkml style!

https://lkml.org/lkml/2018/1/21/192

2 Likes

A BIOS flash is permanent enough. It inserts microcode that will be run every time your computer boots, and will prevent the hardware issue from being a problem.

Of course, long before Intel introduced its advanced branch prediction technologies a paper was published in 1995 warning of the dangers.

For those who have downloaded their BIOS update from the motherboard manufacturer… hold off. The original patch that Intel distributed (and yes, most of these problems belong to Intel alone) was apparently a little buggy. Hence Intel’s prevarication about ‘unexpected reboots’.

Finally, “How do I find out if I have this problem, and how bad it is?” Several tools have been developed; I have heard that one of the better ones is Inspectre (warning: apparently some AV gave early versions a ‘false positive’ because of the way it interrogates your machine):

https://www.grc.com/inspectre.htm

4 Likes

Many boards don’t get a BIOS update for these issues, more affected by this are older boards and they rely on the software patches to “fix” the issues.

1 Like

This is true - if your computer is more than five years old, then you have two likely problems.

One is that your CPU does not contain the commands that mitigate one of the bugs (and I always get confused about which is which) without significant slowdowns.

The other problem is that of manufacturers abandoning support for older devices. I don’t really know what can be done about these, beyond the mitigations that your operating system puts in place. (Apparently these are extremely easy for Linux users.)

On the positive side, most modern (at least the last ten years, and quite possibly much earlier) motherboards permit flashing the BIOS from within your operating system. Back in the old days it was a terrifying prospect that involved much knowledge of the command line and the muttering of superstitious incantations in the hope that you didn’t brick your PC. Modern motherboards even include a ‘secondary’ or backup BIOS in case you break things.

Finally, it is important to note that no exploits have been seen ‘in the wild’ for any of the Spectre or Meltdown problems - and they will be difficult to exploit unless you install software or run a server. The biggest vulnerability exists in web servers that deal with multiple users at the same time, and in which one user’s session may be able to deduce the memory contents from another user’s session based upon the differing speed of various operations.

1 Like

"Researchers at malware and security software testing company AV-TEST have discovered 139 samples of malware that “appear to be related to recently reported CPU vulnerabilities.” Although most of the samples they discovered seem to be based on proof-of-concept software created by security researchers, the number of unique samples is on the rise."

It went from 77 samples on Jan 17 to 119 samples on Jan 23, so things are speeding up.

This next one is a bit over the top with its “Hundreds” but still worth the read.

and this "But detecting other exploits related to these chip vulnerabilities could prove extremely difficult. While Intel and AMD have said there is no evidence the flaws have been exploited in the wild, the researchers who discovered the chip vulnerabilities say it’s “probably not” possible for organizations or users to tell whether Meltdown and Spectre have been used against them.

The exploitation does not leave any traces in traditional log files,” according to an FAQ on the Meltdown and Spectre research site."

““Most of the samples appear to be recompiled/extended versions of the POCs,” Marx said via email. “Interestingly, for various platforms like Windows, Linux and MacOS. Besides this, we also found the first JavaScript POC codes for web browsers like Internet Explorer, Chrome or FireFox in our database now.””

I also noticed that Intel at this time are only releasing patches for the last 5 years of affected CPUs, and these are being sent to the various OEMs to then release to their users… so very reliant on OEMs being active in patching their boards.

2 Likes

Okay, I apparently misunderestimated the power of opportunity to drive hackers. Still, did you have to link to Lifehacker? I prefer Bruce’s take on these things.

By the way, how do you do the ‘box’ link thingy? (I may have asked this before, but now is as good a time as any to distract readers from my error.)

2 Likes

The box link just happens as part of the site mechanics. Put the full link in and if this site can it will produce a boxed link but it doesn’t do it for every site.

Why do I use Lifehacker, well I like some of the writing style, but I use a large variety of sites. Mr Security sometimes/lots of times gets wordy when I want a “quick punch” instead :-). But I will try to refrain from linking LH so much and use others.

My performance hit has been around 18% day to day. The stated generalised hit for most home PCs is around 2 to 14% but if you are doing CPU intensive stuff (I do a bit of it) the hit is generally much more. Most home PC users don’t tax their computers (and do not notice the hit) but some also do.

2 Likes

You don’t have to listen to my grouching when considering where to get your links - get your news wherever you prefer, and I will try to keep my mouth shut about my own preferences.

Mostly.

Sometimes?

1 Like


… not to be left out, AMD have developed their own set of ‘features’ …

Ryzenfall, Fallout, Chimera and Masterkey …

They sound interesting :wink: https://www.amdflaws.com/

4 Likes

Sometimes I think they do these things on purpose to generate ever new and profitable opportunities and include the costs of ‘fixing’ and liability in their business plans.

3 Likes

My other CPU:

Also has an attack vector:

Yeah, you have to wonder. Perhaps it’s all a big game and we are the test case. If you notice dolphins leaving the planet in large numbers, let me know please …

4 Likes

Are you channeling Douglas Adams perchance? :slight_smile:

2 Likes

More fixes …

… and some details … yeah, not fixing everything. No real surprises …

BUT we are “Advancing Security at the Silicon Level” - which I think means we realise how bad this publicity has been, we are doing new stuff like we should have done old stuff, and we will be doing more, and better-er … and stuff … oh, and security stuff … more of that too …

3 Likes

You can also consider the KRACK WiFi vulnerabilities. Then realise that nearly all devices first released more than two years ago are now scrap. It seems that all my perfectly working devices, excluding my iPhone 8, are now just door stops. Why? Because none of them are getting updates for any of these risks. I’ve checked!

It’s great that this discussion is highlighting how the current solutions are progressing, or not? But what will be the end result?

Perhaps we also need to consider that not everyone will be able to cure for free! Should “Fit for Purpose” include a universal software maintenance obligation for a “reasonable useful life”? I’d suggest that is five years plus from date of purchase, by my experience.

It would be useful to know what percentage of PCs, laptops, smartphones, smart TVs and IoT devices will never be updated. It would be useful to see a snapshot survey of Choice members to be able to put a cost on this, average per consumer.

i.e. the cost if we dumped all those at-risk devices for new. It would be a massive cost and non-productive burden on our economy. Might be OK if you are Gerry Harvey or JB?

50% of 11 million households x 2.3 (mobile + tablet or laptop + smart tv + …) = $25billion or maybe $50billion, liberally adjusted down excluding labour. Have a guess!

PS: if you recognise the formula, it’s the same one used for the NBN cost forecast. Attests that it is a reliable and accurate estimate.

4 Likes

The truffle-dogs have been working overtime …

4 Likes

Noted there are now a number of class actions proposed/pending, including cloud service providers, over the risks of exposure of their customers’ data.

And that Intel is now partnering with Microsoft to roll out firmware updates directly for Windows users. Intel is now bypassing hardware/OEM vendors whom it was previously relying on to provide the updates (unreliably?). Which may be good news where the manufacturer is no longer providing support. (Typically only 12 months, or for Sony PC owners who were dumped and sold off two years ago.)

From: ITNEWS, by Juha Saarinen, May 4 2018, 10:55AM
“C’T reported that one of the new vulnerabilities is a much more serious threat than the original Spectre bug, as it could be used to bypass virtual machine isolation from cloud host systems to steal sensitive data such as passwords and digital keys.”

Link to ITNEWS article

2 Likes

Zombieload (https://www.zdnet.com/article/how-to-test-mds-zombieload-patch-status-on-windows-systems/) has a new iteration called Zombieload v2 (https://www.zdnet.com/article/intels-cascade-lake-cpus-impacted-by-new-zombieload-v2-attack/). This new one affects Intel’s 10 series CPUs (and others released since 2013). Intel are releasing patches for the v2. If you can’t get the patch then MS have released an advisory on how to disable the affected Intel TSX instruction set. While these attacks are hard to enact by malicious parties, they are still a risk that should be dealt with. If you are a home user, the vulnerability may not be a great concern unless you use Hyper-V virtualisation.

From the v2 article linked above:

"While all the MDS attacks can allow attackers to run malicious code against an Intel CPU, attackers can’t control what data they can target and extract.

MDS attacks, while very much possible, are inefficient when compared to other means of stealing data from a target, an opinion that other security experts have also expressed in the past.

However, the fact that day-to-day malware gangs won’t bother exploiting something as complex as an MDS attack, or Zombieload v2, that doesn’t mean the vulnerabilities should be ignored. Applying these microcode updates should be a priority for everyone who manages critical infrastructure or cloud data centers.

If users don’t want to update and deal with a potential performance dip due to yet another patch for speculative execution attacks, Intel also recommending disabling the CPU’s TSX support, if not used".

MS Advisory:

https://support.microsoft.com/en-us/help/4530989/guidance-for-protecting-against-intel-processor-machine-check-error

1 Like
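For the “How do I find out if I have this problem?” question earlier in the thread, and for checking whether the MDS/Zombieload and TSX (tsx_async_abort) issues from the last post are mitigated, Linux users have a simpler option than a third-party tool: since kernel 4.15 the kernel reports its own view under /sys/devices/system/cpu/vulnerabilities/, one file per issue. The script below is an added example, not from this thread or from any of the linked sites; it assumes that directory layout and the kernel’s usual wording (“Not affected”, “Mitigation: …”, “Vulnerable…”), and the VULN_DIR override is there only so it can be pointed at a test directory.

```shell
#!/bin/sh
# Added example: summarise the Linux kernel's own speculative-execution
# vulnerability report. Assumes the sysfs layout used since kernel 4.15:
# one file per issue (meltdown, spectre_v1, spectre_v2, l1tf, mds,
# tsx_async_abort, ...) whose content starts with "Not affected",
# "Mitigation:" or "Vulnerable".
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT -> prints one of: ok, mitigated, vulnerable, unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_vulns DIR: one tab-separated line per file: name, class, raw text.
report_vulns() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        raw=$(cat "$f")
        printf '%s\t%s\t%s\n' "$name" "$(classify_status "$raw")" "$raw"
    done
}

# count_vulnerable DIR: number of entries the kernel still reports as
# unmitigated (0 means every known issue is either not applicable or patched).
count_vulnerable() {
    report_vulns "$1" | awk -F'\t' '$2 == "vulnerable" { n++ } END { print n + 0 }'
}

# Stand-alone use: print the table and a one-line summary for this machine.
if [ -d "$VULN_DIR" ]; then
    report_vulns "$VULN_DIR"
    printf 'unmitigated entries: %s\n' "$(count_vulnerable "$VULN_DIR")"
fi
```

A microcode or BIOS update that actually took effect shows up here as the relevant file changing from “Vulnerable” to “Mitigation: …” after a reboot, which is a quicker check than re-running a GUI tool.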