FRANKFURT (Reuters) - Daniel Gruss didn’t sleep much the night he hacked his own computer and exposed a flaw in most of the chips made in the past two decades by hardware giant Intel Corp (INTC.O)...
The flaw, now named Meltdown, was revealed on Wednesday and affects most processors manufactured by Intel since 1995.
Separately, a second defect called Spectre has been found that also exposes core memory in most computers and mobile devices running on chips made by Intel, Advanced Micro Devices (AMD) (AMD.O) and ARM Holdings, a unit of Japan’s Softbank (9984.T).
Both would enable a hacker to access secret passwords or photos from desktops, laptops, cloud servers or smartphones. It’s not known whether criminals have been able to carry out such attacks as neither Meltdown nor Spectre leave any traces in log files.
Unfortunately, history also shows that it generally doesn't seem to make a blind bit of difference whether corporations exhort their personnel to conform to avoidance of this or that unethical or illegal practice or "behaviours", because people (usually senior managers and executives) will attempt to do their damnedest to work around such "ethical" constraints where they see a potential pot of gold, or a savings, or a marketing advantage can be had.
- IainB (January 04, 2018, 08:34 AM)
Meltdown and Spectre
Bugs in modern computers leak passwords and sensitive data.
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
"Fear, uncertainty and doubt, known as the FUD concept, was coined in the 1970s by computer architect Gene Amdahl when he left IBM to start his own company. Amdahl later accused the prominent technology corporation of using FUD tactics to scare consumers into sticking with "safe" IBM products instead of purchasing competitors' products."
- <https://www.thefreelibrary.com/Effective+decision-making%3A+managing+fear%2C+uncertainty+and+doubt%3A+...-a0278509274>
The Meltdown vulnerability and AMD CPUs
AMD CPUs are not affected by the Meltdown vulnerability. However, depending on the usage scenario, the fixes released to the operating system can cause a notable performance slowdown. Also, there are reports coming from AMD CPU users that the Windows patch KB4056892 is causing serious issues for them.
While one can quickly uninstall the appropriate update package, which is KB4056892, there is also a Registry tweak you can apply to disable the Meltdown fix.
This could improve your computer's performance.
Copied from: Disable Meltdown Fix on AMD CPUs After Installing KB4056892 - <https://winaero.com/blog/disable-meltdown-fix-amd-cpus-installing-kb4056892/>
Meltdown and Spectre: what you need to know
https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/
Malwarebytes Labs
UPDATE (as of 1/04/18): Since the Malwarebytes Database Update 1.0.3624, all Malwarebytes users are able to receive the Microsoft patch to mitigate Meltdown.
Overview
If you’ve been keeping up with computer news over the last few days, you might have heard about Meltdown and Spectre, and you might be wondering what they are and what they can do. Basically, Meltdown and Spectre are the names for multiple new vulnerabilities discovered and reported for numerous processors. Meltdown is a vulnerability for Intel processors while Spectre can be used to attack nearly all processor types.
The potential danger of an attack using these vulnerabilities includes being able to read “secured” memory belonging to a process. This can do things like reveal personally identifiable information, banking information, and of course usernames and passwords. For Meltdown, an actual malicious process needs to be running on the system to interact, while Spectre can be launched from the browser using a script.
Microsoft, Google, Mozilla, and other vendors have been releasing patches all day to help protect users from this vulnerability. Some of the updates from Microsoft may negatively interact with certain antivirus solutions. However, Malwarebytes is completely compatible with our latest database update. The best thing to do to protect yourself is to update your browsers and your operating system with these patches as soon as you see an update available.
For a quick guide on how to protect yourself from this threat, please check out “Meltdown and Spectre Vulnerabilities – what you should do to protect your computer” on the Malwarebytes support knowledge base.
Details
The Google Project Zero team, in collaboration with other academic researchers, has published information about three variants of a hardware bug with important ramifications. These variants—branch target injection (CVE-2017-5715), bounds check bypass (CVE-2017-5753), and rogue data cache load (CVE-2017-5754)—affect all modern processors.
If you’re wondering if you could be impacted, the answer is most certainly yes.
The vulnerabilities, named Meltdown and Spectre, are particularly nasty, since they take place at a low level on the system, which makes them hard to find and hard to fix.
Modern computer architecture isolates user applications and the operating system, which helps to prevent unauthorized reading or writing to the system’s memory. Similarly, this design prevents programs from accessing memory used by other programs. What Meltdown and Spectre do is bypass those security measures, therefore opening countless possibilities for exploitation.
The core issue stems from a design flaw that allows attackers access to memory contents from any device, be it desktop, smart phone, or cloud server, exposing passwords and other sensitive data. The flaw in question is tied to what is called speculative execution, which happens when a processor guesses the next operations to perform based on previously cached iterations.
The Meltdown variant only impacts Intel CPUs, whereas the second set of Spectre variants impacts all vendors of CPUs with support of speculative execution. This includes most CPUs produced during the last 15 years from Intel, AMD, ARM, and IBM.
It is not known whether threat actors are currently using these bugs, although, due to their implementation, it might be impossible to find out, as the vulnerability researchers confirm:
Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.
While there are no attacks reported in the wild as of yet, several proofs of concept have been made available, including this video that shows a memory extraction (using a non-disclosed POC). This is particularly damaging because (1) there aren’t many options for protection currently and (2) as previously stated, even if threat actors do spring to action, it might be impossible to verify if that’s the case.
Mitigations
Because the Meltdown and Spectre variants are hardware vulnerabilities, deploying security programs or adopting safer surfing habits will do little to protect against potential attack. However, a patch for the Meltdown variant has already been rolled out on Linux, macOS, and all supported versions of Windows.
According to our telemetry, most Malwarebytes users are already able to receive the latest Microsoft update. However, we are working to ensure that our entire user base has access to the patch.
Unfortunately, Microsoft’s fix comes with significant impact on performance, although estimates of how much vary greatly. An advisory from Microsoft recommends users to:
Keep computers up to date.
Install the applicable firmware update provided by OEM device manufacturers.
If you are having issues getting the Windows update, please refer to this article, as Microsoft has stated some possible incompatibility issues with certain security software.
No software patch for Spectre is available at the time of this article. Partial hardening and mitigations are being worked on, but they are unlikely to be published soon.
The Spectre bug can be exploited via JavaScript and WebAssembly, which makes it even more critical. It is therefore recommended to apply some countermeasures such as Site Isolation in Chrome. Mozilla is rolling out a Firefox patch to mitigate the issue while working on a long-term solution. Microsoft is taking similar action for Edge and Internet Explorer.
Cloud providers (Amazon, Online.net, DigitalOcean) also rushed to issue emergency notifications to their customers for upcoming downtimes in order to prevent situations where code from the hypervisor could be leaked from a virtual machine, for example.
The aftermath from these bugs is far from being completely understood, so please check back on this blog for further updates.
Vendor advisories:
Intel: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
AMD: http://www.amd.com/en/corporate/speculative-execution
ARM: https://developer.arm.com/support/security-update
Copied from: bq | Malwarebytes Unpacked - <https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/>
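An added example, not code from any of the quoted articles or from Malwarebytes or Microsoft: a PowerShell check that a Windows host actually has the Meltdown patch named above (KB4056892) installed and that the kernel VA shadow mitigation is enabled, which also covers the AMD case where the fix is not required. It assumes Microsoft's SpeculationControl PowerShell module is installed and that the shell is elevated.

```powershell
# Added example (not from the quoted articles). Assumes the Microsoft
# "SpeculationControl" module is installed (Install-Module SpeculationControl)
# and the session is elevated.

# Update named on this page; add the IDs that apply to your OS builds.
$patchIds = @('KB4056892')

$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $patchIds -contains $_.HotFixID }

if ($installed) {
    foreach ($h in $installed) {
        'Patch {0} installed on {1}' -f $h.HotFixID, $h.InstalledOn
    }
} else {
    "None of the expected patches ($($patchIds -join ', ')) is installed."
}

# A patch being installed is not the same as the mitigation being active:
# the OS support can be present but switched off (for example by the
# registry override mentioned on this page). The module reports both.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $s = Get-SpeculationControlSettings

    [pscustomobject]@{
        # KVA shadow is the Windows Meltdown (CVE-2017-5754) mitigation.
        MeltdownFixRequired  = $s.KVAShadowRequired          # False on AMD CPUs
        MeltdownFixPresent   = $s.KVAShadowWindowsSupportPresent
        MeltdownFixEnabled   = $s.KVAShadowWindowsSupportEnabled
        # Branch target injection is Spectre variant 2 (CVE-2017-5715).
        SpectreV2FixEnabled  = $s.BTIWindowsSupportEnabled
    }

    if ($s.KVAShadowRequired -and -not $s.KVAShadowWindowsSupportEnabled) {
        Write-Warning 'This CPU needs the Meltdown fix but KVA shadow is not enabled.'
    }
} else {
    Write-Warning 'SpeculationControl module not found; run Install-Module SpeculationControl to check mitigation state.'
}
```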
Risk Based Security brings some sanity to the Meltdown debacle (https://www.askwoody.com/2018/risk-based-security-brings-some-sanity-to-the-meltdown-debacle/)
Posted on January 9th, 2018 at 15:52 by woody
I just finished reading this article, recommended by Kevin Beaumont. The Slow Burn of Meltdown and Spectre: Exploits, Lawsuits, and Perspective. (https://www.riskbasedsecurity.com/2018/01/the-slow-burn-of-meltdown-and-spectre-exploits-lawsuits-and-perspective/)
Here’s the conclusion:
Vulnerabilities are disclosed every day, to the tune of over 20,000 new disclosures in 2017 alone. Just because a vulnerability receives a name, a website, and/or a marketing campaign does not necessarily mean it is high risk or that it will impact your organization. As always, we strongly encourage organizations to cut through the noise and focus on the details relevant to them, and make a decision based on that alone.
I repeat – forgive me if you’ve heard this before – but there are NO KNOWN Meltdown or Spectre exploits in the wild. Folks who run servers with sensitive data — banks, brokerage houses, military contractors, cryptocurrency exchanges — need to be concerned about Meltdown and Spectre in the near term, realizing that the data can only be snooped if you allow an unauthorized program to run on your server.
For everybody else, the first attacks (if there ever are any) are likely to come through web browsers. You need to harden your browser as soon as the update is available. You’ll want to install the new Windows patches as soon as they pass muster. And you need to get your BIOS or UEFI updated one of these days. But there’s no big rush.
What you’re witnessing is a colossal “Sky is Falling” routine, aided and abetted by folks who are going to make money from the havoc.
I do find the timing rather interesting...
Yes, well, that's the thing about FUD: "My goodness! It just might be true! Can I take the risk?"
...But I'm nevertheless obligated...
- Stoic Joker (January 10, 2018, 07:36 AM)
Easily examine and understand any Windows system's hardware and software capability to prevent Meltdown and Spectre attacks.
^^ Good link. Thanks. And the author is right - it is FUD, and generally, wherever one finds FUD, one will usually find an accompanying $commercial and/or a political motivation, if not simply an "ulterior" motive.
The warnings about Spectre and Meltdown weren't FUD.
- IainB (January 07, 2018, 01:46 AM)
Foreshadow/L1TF: Another highly publicized Intel flaw, complete with its own web site and logo (https://www.askwoody.com/2018/foreshadow-l1tf-another-highly-publicized-intel-flaw-complete-with-its-own-web-site-and-logo/)
Posted on August 14th, 2018 at 15:46 by woody
You’re going to see a whole bunch of explainers about this, yet another Meltdown/Spectre-class vulnerability in Intel processors.
Intel’s FAQ lists just about every Intel processor.
Microsoft’s FAQ explains how L1TF works.
And, yes, Foreshadow has its own web site. With a free-to-use high quality logo.
Let’s see if we get another crazy round of claims and patches — more sound and fury directed at a potential attack that, while real, hasn’t yet hit the fan.
You can tell it’s a co-ordinated disclosure because it was announced immediately after the Patch Tuesday releases.