Posted on 01/04/2018 6:45:29 AM PST by Red Badger
Only Intel machines are affected by Meltdown
Details have emerged on two major processor security flaws this week, and the industry is scrambling to issue fixes and secure machines for customers. Dubbed Meltdown and Spectre, the flaws affect nearly every device made in the past 20 years. The Meltdown flaw only affects Intel processors, and researchers have already released proof of concept code that could lead to attacks using Meltdown.
The vulnerabilities allow an attacker to compromise the privileged memory of a processor by exploiting the way processes run in parallel. They also allow an attacker to use JavaScript code running in a browser to access memory in the attacker's process. That memory content could contain key strokes, passwords, and other valuable information. Researchers are already showing how easily this attack works on Linux machines, but Microsoft says it has not received any information to indicate that these vulnerabilities have been used to attack customers at this time.
Protecting a Windows PC is complicated right now, and there's still a lot of unknowns. Microsoft, Google, and Mozilla are all issuing patches for their browsers as a first line of defence. Firefox 57 (the latest) includes a fix, as do the latest versions of Internet Explorer and Edge for Windows 10. Google says it will roll out a fix with Chrome 64 which is due to be released on January 23rd. Apple has not commented on how it plans to fix its Safari browser or even macOS. Chrome, Edge, and Firefox users on Windows won't really need to do much apart from accept the automatic updates to ensure they're protected at the basic browser level.
For Windows itself, this is where things get messy. Microsoft has issued an emergency security patch through Windows Update, but if you're running third-party anti-virus software then it's possible you won't see that patch yet. Security researchers are attempting to compile a list of anti-virus software that's supported, but it's a bit of a mess to say the least.
A firmware update from Intel is also required for additional hardware protection, and those will be distributed separately by OEMs. It's up to OEMs to release the relevant Intel firmware updates, and support information for those can be found at each OEM support website. If you built your own PC you'll need to check with your OEM part suppliers for potential fixes.
If you own a Windows-powered PC or laptop, the best thing to do right now is ensure you have the latest Windows 10 updates and BIOS updates from Dell, HP, Lenovo, or one of the many other PC makers. We're hoping Microsoft or Intel creates a simple tool (they have a PowerShell script right now) to check protection for both the firmware and Windows updates, but until such a tool is available you'll need to manually check or get familiar with PowerShell. Here's a quick step-by-step checklist to follow for now:
1. Update to the latest version of Chrome (on January 23rd) or Firefox 57 if you use either browser.
2. Check Windows Update and ensure KB4056892 is installed for Windows 10.
3. Check your PC OEM website for support information and firmware updates and apply any immediately.
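As an added example (not from the article or any poster in the thread), the following PowerShell script checks the Windows side of that checklist on a Windows 10 machine: whether KB4056892 is installed, whether the anti-virus compatibility registry value that Windows Update requires before it offers the patch is present, and what Microsoft's SpeculationControl module reports about the kernel and firmware mitigations. The registry value name and the module's cmdlet and property names are taken from Microsoft's January 2018 guidance and are assumptions here, since the article does not name them.

```powershell
# Added example: Meltdown/Spectre patch-status check for Windows 10.
# Run from an elevated PowerShell prompt. Assumes KB4056892 is the January 2018
# cumulative update (named in the article), that the QualityCompat value below is
# the anti-virus compatibility flag Microsoft documented (not named in the article),
# and that Microsoft's SpeculationControl module exposes the properties used here.

function Test-MeltdownUpdate {
    param([string]$Kb = 'KB4056892')
    # Get-HotFix lists installed Windows updates by KB number.
    $hf = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    $detail = if ($hf) { "Installed $($hf.InstalledOn)" } else { 'Not found: check Windows Update' }
    [pscustomobject]@{ Check = "Windows update $Kb installed"; Status = [bool]$hf; Detail = $detail }
}

function Test-AvCompatKey {
    # Windows Update only offers the January 2018 patch when the anti-virus vendor
    # (or an administrator) has set this DWORD to 0, signalling the AV is compatible.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $val = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $detail = if ($null -eq $val) { 'Value missing: patch will not be offered until it is set' } else { "Value = $val" }
    [pscustomobject]@{ Check = 'Anti-virus compatibility value set'; Status = ($null -ne $val -and $val -eq 0); Detail = $detail }
}

function Test-SpeculationControl {
    # Microsoft's SpeculationControl module reads the kernel's mitigation state:
    # KVA shadow is the Meltdown mitigation; BTIHardwarePresent reports whether the
    # firmware/microcode support needed for the Spectre branch-target fix is loaded.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $sc = Get-SpeculationControlSettings -Quiet
    [pscustomobject]@{
        Check  = 'Kernel Meltdown mitigation (KVA shadow) enabled'
        Status = [bool]$sc.KVAShadowWindowsSupportEnabled
        Detail = "Firmware support for branch target injection mitigation: $($sc.BTIHardwarePresent)"
    }
}

# Run all three checks and show a one-line verdict per item.
@(Test-MeltdownUpdate; Test-AvCompatKey; Test-SpeculationControl) | Format-Table -AutoSize
```

A false `Status` on the first two rows explains why the patch has not arrived; a false KVA shadow row with the update installed points at the OEM firmware step of the checklist.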
These steps only currently provide protection against Meltdown, the more immediate threat of the CPU flaws. Spectre is still largely an unknown, and security researchers are advising that it's more difficult to exploit than Meltdown. The New York Times reports that Spectre fixes will be a lot more complicated as they require a redesign of the processor and hardware changes, so we could be living with the threat of a Spectre attack for years to come.
Update, 9:15AM ET: Removed links to Intel's detection tool that a now deleted Microsoft security blog may have incorrectly referenced.
What about puppies?
Can we have puppies?......................
Thanks to ShadowAce for the ping!!
Sorry to rain on your parade, but people who practice safe computing can still be compromised by malware, ransomware, etc. Ads that pop-in from even Google's ad rotations have been known to carry malicious content added after they've been vetted by Google. This is one of the known ways RansomWare has been pushed onto supposedly locked down computer networks.
Another way Meltdown could be exploited is to hide malicious code in a steganographic image that could be called by a process loaded in another "look ahead" loaded into another. Javascript was just one modality of attack presumed as a means of using this vulnerability. The real problem associated with Meltdown and the look-ahead processing is that it can be exploited by so many other means until a way is found to vet the look-ahead processing that now is independent of any such vetting. ANYTHING can be stuck in there. If it IS useful to what is needed, it's used. If not, it's discarded. That look-ahead has access to the bus. . . and any data on it.
All a bad actor has to do is figure out how to insert his code in there, and no, it does not have to be a .exe file, just machine code, and it WILL be processed.
PLUS.....if a malware, virus or bad code is ‘new’ and never seen before, the ANTI-virus programs won’t know it and won’t do anything, just like your body’s immune system..........
Hey, Jeremiah, that is an Intel Core Letter "I" 7, not ONE SEVEN . . spoken: "EYE SEVEN."
You are not alone in this. A lot of people in the Apple world erroneously talked about the Mac OS EX. . . when it was actually a Roman Numeral for TEN, Mac OS TEN, with a pun for the underlying UNIX operating system. . . now they are referring to the new iPhone EX. . . when it is actually the iPhone TEN, also a Roman Numeral with the pun being it's the tenth anniversary iPhone.
“...Aw, I'm running 10.10.5 Yosemite and have been reluctant to upgrade. Heard Hi Sierra can really slow down an older machine....”
I’m running 10.13.2 High Sierra on a mid-2010 iMac w/32gb of ram, and it hasn’t slowed this old beast down a bit. Of course, I’m not compiling mountains of raw computer code...just email, web browsing and real-time streaming market data.
But I think the fact that the current types of attacks have been talked about: https://pdfs.semanticscholar.org/e544/00824814fed2ef52bb84151b2fc04c863e99.pdf but not exploited from vectors like Javascript should be reason enough to not be too concerned.
Another way Meltdown could be exploited is to hide malicious code in a steganographic image that could be called by a process loaded in another "look ahead" loaded into another.
As I have been pointing out, in every comment I have made, that requires running malicious code. It doesn't matter if that malicious code triggers other malicious code stegged into an image. It requires malicious user-mode code to start with.
All a bad actor has to do is figure out how to insert his code in there, and no, it does not have to be a .exe file, just machine code; and it WILL be processed.
Sure machine code will be processed. But arbitrary machine code cannot be processed from Javascript unless there is a bug in the JS machine that allows that. There have been such bugs, but this CPU flaw does not make them more likely. Also protections built into JS machines after rowhammer (which never really worked) also preclude the use of this CPU flaw.
Bottom line: malicious code has to run. There are not so many means to do that. Javascript is not one, nor is Flash, nor Java. I would not be too concerned. But given my second PDF link above, I would not be complacent either. I would practice safe computing even more vigorously given the new situation with Intel.
That's why I don't use or recommend AV except for the built-in Windows Defender since I have no good reason to turn it off. My point is to practice safe computing to avoid running malicious code. You don't need AV to do that.
Why not? I thought Linux was more secure on the internet? Do these exploits affect Linux more than Windows?
[[If you don’t run malicious executables then the intel flaw can’t be exploited.]]
If this is true, then Linux users should be very well protected against the Intel flaw because it can’t run Windows-based malicious executables, right?
That’s an old pic which just increases its worth. Funny as hell. Thx.
I was trying to distinguish those from javascript, java, python, flash, ruby, or other scripted or interpreted languages that cannot run arbitrary (and very rarely used) instructions. Those instructions are generally needed (but not 100% of the time) to run these types of side-channel attacks. Also the timing of the instructions can be important and the scripted languages don't give a lot of control over timing.
No, it will not be sufficient. Anti-virus will also not be sufficient.
But at the same time, it’s hard to say yet exactly how easy this problem is to actually exploit against you - assuming you aren’t somehow tricked into downloading malicious software.
Thank you. I take care never to download any malicious software since I know my limits. Limits are basically typing and copy/pasting...
Mine’s about a yr newer than yours. Might try it. Just wish there was a way to revert if needed.
Thanks for clearing that up. Do you think there would be many ELF executables written, whereas Linux isn’t as popular an OS? I can patch my Windows system, but not sure if Linux will have a patch as well? Or is it just dependent on patching the Intel stuff and Linux will then be protected somewhat too?
Patching is a somewhat different issue. I don't know how things will be patched but I do know that it won't require patching every EXE and ELF. That's because non-malicious EXEs and ELFs are not a problem. I think the patching will be in the kernel, but I'm not sure how you stop the potentially malicious behavior. One possibility may be to not patch anything but to add another layer of behavior-based defense. That would be a relatively simple monitoring program (probably added to the kernel) that would monitor for particular bad behavior by user mode EXEs or ELFs. The reason why behavior-based defense may be possible is that side channel attacks exhibit very distinct repetitive behavior they must repeat millions of times to execute an attack.
Then the first job of an attacking program would be to try to kill the monitor. But that's an arms race that is familiar to antivirus people. Perhaps antivirus vendors will add the capability, or perhaps the OS vendors or open source Linux kernel people will have to do it. Ultimately the chip vendors will have to fix it.
The updates exist and are out there, but if your antivirus software vendor hasn’t updated their code (or didn’t already avoid making these calls to your hardware incorrectly), then you won’t see the update appear in Windows Update (there has to be a specific registry key present).
Look upthread just a bit at my last post and you’ll see a link there. I believe that is a much better explanation of what is going on and how to manage/fix the issue.
“...Mine's about a yr newer than yours. Might try it. Just wish there was a way to revert if needed....”
I run a backup with Carbon Copy Cloner before I do any update and save it to an external drive. IF, for any reason, I needed to revert back, I can restore to my previous backup. I’ve never actually had to do it...at least not so far, but I believe it would work if I needed to.
FWIW, my machine is a 27” iMac 2.93 Ghz I7 w/32gb of ram and an updated 2TB hard drive. I’ve had no issues with High Sierra 10.13.2 on this older machine, but like I said, I’m not compiling mountains of hard core raw computer data either...just email, web browsing and real-time streaming of stock data. However, on any given weekday while monitoring the stock markets, I’ll have as many as 7 desktops open at any one given time. I have another external Asus 27” monitor in vertical mode tied on as well. To date, I’ve not had any stability issues with the OSX.