Thursday, January 04, 2018

It's MELTingDOWN out there under the SPECTRE of total PC annihilation - What I am reading 1/4/2018

NYTimes - Researchers Discover Two Major Flaws in the World’s Computers -

The two problems, called Meltdown and Spectre, could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in so-called cloud computer networks.
There is no easy fix for Spectre, which could require redesigning the processors, according to researchers. As for Meltdown, the software patch needed to fix the issue could slow down computers by as much as 30 percent — an ugly situation for people used to fast downloads from their favorite online services.
The Verge - How to protect your PC against the major ‘Meltdown’ CPU security flaw -
The vulnerabilities allow an attacker to compromise the privileged memory of a processor by exploiting the way processes run in parallel. They also allow an attacker to use JavaScript code running in a browser to access memory in the attacker’s process. That memory content could contain key strokes, passwords, and other valuable information. Researchers are already showing how easily this attack works on Linux machines, but Microsoft says it has “not received any information to indicate that these vulnerabilities have been used to attack customers at this time.”
Windows users can mitigate against Meltdown by:
  • Updating browsers (Firefox and Chrome have released updates)
  • Running Windows Update and making sure KB4056892 is installed
  • Running the detection tool issued by Intel to determine if your hardware is vulnerable
  • If a firmware update is needed, checking for links to support information and running the updates

In other words, update and patch: that is control 4 of the CIS Top 20 Critical Security Controls, controls 2 and 3 of the Australian Security Directorate's Top 4 security controls, and mitigation 9 of the NSA Information Assurance Directorate's Top 10 Mitigations.

Wired - A Critical Intel Flaw Breaks Basic Security for Most Computers -

VUSEC's Bosman confirmed that when Intel processors perform that speculative execution, they don't fully segregate processes that are meant to be low-privilege and untrusted from the highest-privilege memory in the computer's kernel. That means a hacker can trick the processor into allowing unprivileged code to peek into the kernel's memory with speculative execution.
...
Retrieving any data from that privileged peeking isn't simple, since once the processor stops its speculative execution and jumps back to the fork in its instructions, it throws out the results. But before it does, it stores them in its cache, a collection of temporary memory allotted to the processor to give it quick access to recent data. By carefully crafting requests to the processor and seeing how fast it responds, a hacker's code could figure out whether the requested data is in the cache or not. And with a series of speculative execution and cache probes, he or she can start to assemble parts of the computer's high privilege memory, including even sensitive personal information or passwords.
Sophos - F**CKWIT, aka KAISER, aka KPTI – Intel CPU flaw needs low-level OS patches - 

Google’s Project Zero bug hunting team has now published a detailed description of the behind-the-scenes research that’s been going on for the past few months. It’s both technical and jargon-heavy, but the main takeaways are:
  • In theory, various Intel, AMD and ARM processors have features related to speculative execution and caching that can be exploited as described above.
  • AMD chips have so far only been exploited when using Linux with a non-default kernel feature enabled.
  • Intel chips have been exploited so that an unprivileged, logged-in user can read out kernel data slowly but steadily.
  • Intel chips have been exploited so that a root user in a guest virtual machine can read out host kernel data slowly but steadily.
(“Slowly” means that an attacker could suck out on the order of 1000 bytes per second, or approximately 100MBytes per day.)
Even if you assume that an attacker didn’t know where to focus his attempts, but could do no better than to grab live kernel data at random, you can consider this issue to be a bit like Heartbleed, where an attacker would often end up with garbage but might occasionally get lucky and grab hold of secret data such as passwords and private decryption keys.
Unlike Heartbleed, the attacker already needs a footprint on a vulnerable server, for example as a logged-in user with a command shell open, or as the owner of a virtual machine (VM) running on a hosting server. (In both cases the user ought to be constrained entirely to his own account or to his own VM.)
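The KAISER/KPTI patch the Sophos piece refers to is the Linux kernel's Meltdown mitigation, and a defender's first question is whether it actually landed on a given host. The following script is an added example, not code from any of the articles quoted here: it reads the kernel's own sysfs report (/sys/devices/system/cpu/vulnerabilities, present in 4.15 and in distro backports) and falls back to the "pti" CPU flag in /proc/cpuinfo on older kernels. The paths are taken as parameters so the logic can be exercised against constructed sample files; the sample contents are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: report the kernel's own Meltdown/Spectre mitigation status.
# Real use: report /sys/devices/system/cpu/vulnerabilities /proc/cpuinfo

# status_for <vulnerability-file>
# Prints "mitigated", "vulnerable", "not-affected" or "unknown".
status_for() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return; }
    line=$(cat "$f")
    case "$line" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# has_pti <cpuinfo-file>: succeeds if the "pti" CPU flag (KPTI active) is listed.
has_pti() {
    grep '^flags' "$1" | grep -qw pti
}

# report <vulns-dir> <cpuinfo-file>: one "issue=status" line per issue.
# On kernels without the sysfs files, the pti flag alone is taken as evidence
# that KPTI (the Meltdown fix) is active; Spectre status stays unknown.
report() {
    dir="$1"; cpuinfo="$2"
    for v in meltdown spectre_v1 spectre_v2; do
        s=$(status_for "$dir/$v")
        if [ "$v" = meltdown ] && [ "$s" = unknown ] && has_pti "$cpuinfo"; then
            s=mitigated
        fi
        echo "$v=$s"
    done
}

# Constructed sample (not from a real host): a kernel with KPTI applied but
# only the minimal Spectre v2 mitigation. Prints the sample directory.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/vulns"
    echo "Mitigation: PTI" > "$d/vulns/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/vulns/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$d/vulns/spectre_v2"
    echo "flags : fpu vme de pse pti" > "$d/cpuinfo"
    echo "$d"
}
```

Run `report /sys/devices/system/cpu/vulnerabilities /proc/cpuinfo` on a live machine; anything other than `mitigated` or `not-affected` for meltdown means the KPTI patch is not in effect.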
The Register - Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs -

On Tuesday, we warned that a blueprint blunder in Intel's CPUs could allow applications, malware, and JavaScript running in web browsers, to obtain information they should not be allowed to access: the contents of the operating system kernel's private memory areas.
These zones often contain files cached from disk, a view onto the machine's entire physical memory, and other secrets. This should be invisible to normal programs.
Thanks to Intel's cockup – now codenamed Meltdown – that data is potentially accessible, meaning bad websites and malware can attempt to rifle through the computer's memory looking for credentials, RNG seeds, personal information, and more.
...
Finally, if you are of the opinion that us media types are being hysterical about this design blunder, check this out: CERT recommends throwing away your CPU and buying a non-vulnerable one to truly fix the issue.

This article by The Register is actually the best of the bunch and includes a video demonstration of a Meltdown attack.

SANS has a webcast scheduled to address what Meltdown and Spectre are and how to mitigate them today at 9 am Pacific.

(Sorry it was all Meltdown and Spectre today but you'll live - especially since I have no readers and am only addressing the voices in my head anyway - unless SKYNET seizes this opportunity to rise up and destroy mankind)