Slashdot Mirror


Malware Exploiting Spectre, Meltdown CPU Flaws Emerges (securityweek.com)

wiredmikey quotes SecurityWeek: Researchers have discovered more than 130 malware samples designed to exploit the recently disclosed Spectre and Meltdown CPU vulnerabilities. While a majority of the samples appear to be in the testing phase, we could soon start seeing attacks... On Wednesday, antivirus testing firm AV-TEST told SecurityWeek that it has obtained 139 samples from various sources, including researchers, testers and antivirus companies... Fortinet, which also analyzed many of the samples, confirmed that a majority of them were based on available proof of concept code. Andreas Marx, CEO of AV-TEST, believes different groups are working on the PoC exploits to determine if they can be used for some purpose. "Most likely, malicious purposes at some point," he said.

84 comments

  1. I hope they APT Intel by Anonymous Coward · · Score: 0

    And release full memory dumps of all the computers in that company for everyone to see. Those little greedy dip$hits that created the issue with their cheating in the first place and who refuse to provide fixed goods to the wronged parties.

    1. Re:I hope they APT Intel by HiThere · · Score: 2

      The first part of your comment I agree with, but Intel probably *can't* provide compatible fixed versions of their CPUs except by disabling speculative execution, which would slow things down considerably, so just about nobody would want them. (And they could probably do that with a downloadable microcode update.)

      The unfortunate thing about this current set of news is that it's not just Meltdown that's being targeted, but also Spectre. If that can be successfully exploited, then it's a much more serious problem, as it affects nearly everything more powerful than a Raspberry Pi.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:I hope they APT Intel by Anonymous Coward · · Score: 2, Informative

      Except AMD is far less vulnerable than Intel.

    3. Re:I hope they APT Intel by Anonymous Coward · · Score: 0

      Still not worried about this shit and I'm not applying performance killing patches. We lived with this "vulnerability" for over two decades. It's not going to suddenly be an issue.

      If your computers get infected with *any* kind of malware, you're pretty much fucked. This is no different and I have had defence mechanisms in place for decades to handle this kind of thing.

    4. Re:I hope they APT Intel by HiThere · · Score: 0

      Is AMD less vulnerable to Spectre? Really? That's not what I've gathered up until now. Meltdown is specific (essentially) to Intel, but not Spectre.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re: I hope they APT Intel by Anonymous Coward · · Score: 0

      We've lived with this vulnerability without anyone (as far as we know) knowing about it for decades. Now all the bad guys know, and it can be exploited using javascript running from a website you visited. Intel shills might be in full blown damage mitigation mode, but we will NEVER trust Intel processors again following this.

    6. Re: I hope they APT Intel by Thumper_SVX · · Score: 1

      Educated bad guys know and have known for decades...

      (published 1995) - https://www.google.com/url?sa=...

      The only change now is that the script kiddies know. And it's not Intel, Spectre (the bug that's exploitable with JavaScript in the browser) is a speculative execution problem that virtually all modern CPUs have. You're thinking of Meltdown (which IS Intel specific as far as we know).

  2. Fearmongering bullshit article seeding FUD by klingens · · Score: 3, Insightful

    If a researcher, tester, AV company sends some PoC code opening calc.exe, then this is not malware! To be malware, some code has to be actually malicious, doing evil things like encrypting harddisks for ransom, sending spam, mining coins, etc. Simply trying out a bug in existing software to get a better understanding or to write AV detection routines is not malware!

    Except maybe code from AV companies. That is probably always malware, no matter the intent or what it actually does

    1. Re:Fearmongering bullshit article seeding FUD by Dwedit · · Score: 2

      Isn't there this thing called Metasploit, where exploits get added in there, then malware just uses whatever exploits it wants to?

    2. Re:Fearmongering bullshit article seeding FUD by Baron_Yam · · Score: 5, Insightful

      >If a researcher, tester, AV company sends some PoC code opening calc.exe, then this is not malware!

      If a researcher, tester, AV company sends some PoC code opening calc.exe, then you can reasonably assume that malicious code based on the same exploit already exists and is probably further along.

    3. Re: Fearmongering bullshit article seeding FUD by Anonymous Coward · · Score: 4, Insightful

      The time from proof of concept to full blown malicious code in the wild is measured in days. I'm happy for you that you have such a comforting false sense of security, but others of us know better.

    4. Re: Fearmongering bullshit article seeding FUD by Anonymous Coward · · Score: 0

      If they can get calc to run then they can get syskey to run. There's your ransomware...built right into Windows.

    5. Re:Fearmongering bullshit article seeding FUD by geek · · Score: 3, Informative

      >If a researcher, tester, AV company sends some PoC code opening calc.exe, then this is not malware!

      If a researcher, tester, AV company sends some PoC code opening calc.exe, then you can reasonably assume that malicious code based on the same exploit already exists and is probably further along.

      I'm working on my OSCE and I can confirm this. The code is out there, people are using it. To what degree of success is the real question. I've heard people say they were very successful but they could be bloviating.

    6. Re: Fearmongering bullshit article seeding FUD by UnknowingFool · · Score: 1

      So an exploit that affects virtually all the Intel processors out there in addition to some AMD ones as well as models of IBM and ARM processors shouldn't be taken seriously? It is an exploit that can be executed from JavaScript, therefore from a web browser. How is that fear mongering by an AV vendor? Patch your systems and malware won't affect it.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    7. Re:Fearmongering bullshit article seeding FUD by Highdude702 · · Score: 1

      There is such a thing called Metasploit, but no it isn't an automated tool it is mainly for testing and manually pentesting stuff. You can however take exploits from it and combine them into your program, but if you wanted to add the entire tool it would be gigabytes large and would definitely be easily detected by people, not just AV software. The goal in malware, especially self spreading malware is to keep your executable as small as possible while still having all of the functionality you need.

    8. Re: Fearmongering bullshit article seeding FUD by Highdude702 · · Score: 1

      But mah clocks!! You are right, this should be patched immediately and correctly, but some vendors don't think you should be secure by default. They feel you should have to already know that their products are insecure and let you choose to make it secure or not.

    9. Re:Fearmongering bullshit article seeding FUD by kackle · · Score: 1

      First of all, it depends upon one's definition: Is 'malware emerges' the vector, or the damaging payload (or both)? Secondly, and I am ignorant to the mechanism, can such exploits include an .EXE or do they require it already be on the machine somewhere?

    10. Re: Fearmongering bullshit article seeding FUD by mea2214 · · Score: 1

      Patch your systems and malware won't affect it.

      Not that simple. AFAIK you need to update your BIOS. MS had to release a patch to roll back a buggy patch over this in Windows. Even with your system "patched" you won't know it's secure unless you can test it. There should be a PoC web site with a javascript exploit that will dump the contents of your kernel. I don't know of any as of yet. I prefer to take my chances and not patch anything right now until they get the patches bug free and have a way we can reliably test them. Based upon my use case and understanding of these exploits Meltdown won't affect me even without patching but Spectre might. Not everyone's use case will be the same however.
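One way to answer the "you won't know it's secure unless you can test it" point above, as an added example that is not part of any post in this thread: a Python script that reads the mitigation status the Linux kernel publishes under /sys/devices/system/cpu/vulnerabilities/ (a real sysfs interface, present since Linux 4.15) and reports which flaws are still open. The sample file contents embedded below are constructed for offline use.

```python
"""Summarise Linux kernel Meltdown/Spectre mitigation status.

Added example, not code from the thread. The kernel exposes one file per
flaw under SYSFS_DIR; each holds a single line such as "Not affected",
"Vulnerable" or "Mitigation: <technique>". The SAMPLE dict below is a
constructed stand-in for those files so the script runs offline.
"""
import os
from typing import Dict

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample: what a partially patched host might report
# (Meltdown and Spectre v1 mitigated, Spectre v2 still open).
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}


def classify(status: str) -> str:
    """Map one sysfs line to 'mitigated', 'vulnerable', 'not_affected' or 'unknown'."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    # The kernel may append detail, e.g. "Vulnerable: <reason>", so match the prefix.
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize(statuses: Dict[str, str]) -> Dict[str, object]:
    """Classify every flaw and list the ones that still need attention."""
    classes = {name: classify(val) for name, val in statuses.items()}
    open_flaws = sorted(n for n, c in classes.items() if c in ("vulnerable", "unknown"))
    return {"classes": classes, "open": open_flaws, "all_mitigated": not open_flaws}


def read_sysfs(path: str = SYSFS_DIR) -> Dict[str, str]:
    """Read every file in the vulnerabilities directory; empty dict if it is absent."""
    if not os.path.isdir(path):
        return {}
    result = {}
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name)) as fh:
                result[name] = fh.read()
        except OSError:
            continue  # unreadable entry; skip rather than abort the report
    return result


if __name__ == "__main__":
    # Use the live sysfs data when available, otherwise the constructed sample.
    data = read_sysfs() or SAMPLE
    report = summarize(data)
    for flaw, cls in report["classes"].items():
        print(f"{flaw:12} {cls:12} {data[flaw].strip()}")
    if report["all_mitigated"]:
        print("all listed flaws mitigated or not affected")
    else:
        print("still open:", ", ".join(report["open"]))
```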

    11. Re: Fearmongering bullshit article seeding FUD by Anonymous Coward · · Score: 0

      You are right, this should be patched immediately and correctly

      In practice, that's immediately OR correctly.

    12. Re: Fearmongering bullshit article seeding FUD by Anonymous Coward · · Score: 0

      SO the opposite of Microsoft code?

      Ba-dum-Ching.

      I'll be here all night folks.

    13. Re: Fearmongering bullshit article seeding FUD by Anonymous Coward · · Score: 0

      Win32CreateProcess(...)

      You can run whatever you want from anywhere at any time ...

    14. Re: Fearmongering bullshit article seeding FUD by Anonymous Coward · · Score: 1

      It is an exploit that can be executed from JavaScript

      LOL, sure it can...

      I've asked numerous people to show me a live demo of JavaScript using the Meltdown and Spectre "exploits" and none have ever responded. I just get directed to the questionable whitepaper, which isn't what I asked for and proves nothing.

      So prove it or shut up.

    15. Re: Fearmongering bullshit article seeding FUD by UnknowingFool · · Score: 2, Informative

      You know this thing called Google exists, right? It took me literally 2 seconds to do a search. This was the first result. So were you not just wrong but also so lazy you couldn't spend 2 seconds to do a search?

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    16. Re:Fearmongering bullshit article seeding FUD by Dwedit · · Score: 1

      There is precedent for huge malware, look at Stuxnet.

    17. Re:Fearmongering bullshit article seeding FUD by Anonymous Coward · · Score: 0

      If a country launches a ballistic missile carrying a concrete warhead, then it is not an ICBM! To be an ICBM, the warhead actually has to be live, doing evil things like exploding, starting nuclear reactions and emitting fallout. Simply launching a missile to test whether it can carry a lump of concrete is not creating a nuclear capable ICBM!

    18. Re:Fearmongering bullshit article seeding FUD by Highdude702 · · Score: 1

      Not nearing the size you're suggesting. Even with all of the functionality that some malicious files have, they're still only megabytes large at most.

    19. Re: Fearmongering bullshit article seeding FUD by Anonymous Coward · · Score: 0

      And yet again an illiterate fearmongerer points to something completely irrelevant. I want a LIVE demo that I can go to and see it presenting my confidential data back to me. That page shows absolutely nothing but a bunch of bluster and some fake code.

      Show me a LIVE demo that WORKS.

    20. Re: Fearmongering bullshit article seeding FUD by Anonymous Coward · · Score: 0

      "I want, I want"...Nobody gives a shit if you want to bury your head in the sand and get infected.

    21. Re: Fearmongering bullshit article seeding FUD by Anonymous Coward · · Score: 0

      "Inter-Continental Ballistic Missile." Nope, nothing in there about a nuclear warhead. Using concrete may make it a foolish and ineffective ICBM, but it is still an ICBM.

    22. Re: Fearmongering bullshit article seeding FUD by Anonymous Coward · · Score: 0

      I love how you idiots keep trying to skirt around your burden of proof by spreading FUD. If you make a statement, then you better be prepared to back it up.

      Until I see a live demo as proof, then this is nothing to be concerned about. Everybody lived with the "vulnerability" for more than two decades without a single incident. I'll go on, with the full performance of my computers, and suffer absolutely zero ill effects for it.

      Nice tinfoil hat, by the way. How's your system performance doing with all of the kludges and patches? You have any less data stolen from you after being forced to install them by your puppet masters at Microsoft?

    23. Re: Fearmongering bullshit article seeding FUD by UnknowingFool · · Score: 1

      So you want someone to perform a live demo for your satisfaction even though numerous people have published code and analysis? No one owes you anything.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    24. Re: Fearmongering bullshit article seeding FUD by UnknowingFool · · Score: 1

      You wanted code. I linked it. Now you are saying that it's not "good enough" for you. That's shifting the burden. Here's what I see: Security professionals working with all the major OS consider this a major threat . Yet you keep on insisting on a LIVE demo. Maybe your level of security proficiency is so low that any burden of proof will never be enough. If someone showed you a live demo, will you assert that it could have been faked?

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    25. Re: Fearmongering bullshit article seeding FUD by Anonymous Coward · · Score: 0

      You wanted code.

      Now you're flat out lying. I said, and I quote, "I've asked numerous people to show me a live demo of JavaScript using the Meltdown and Spectre "exploits" and none have ever responded." Not only don't you know what you're talking about but you are also a blatant liar.

      Show us a live JavaScript demo of the exploit that people can actually test for themselves or shut up, liar.

    26. Re: Fearmongering bullshit article seeding FUD by Anonymous Coward · · Score: 0

      On the contrary. If you make an incredible statement (ie. "a massive vulnerability exists in almost all CPUs for the past 20 years only nobody noticed until now and if you don't slow down your PC with a crappy patch you will be pwned"), then you absolutely owe proof of that statement. Unless you are willing to provide said proof, then it's bullshit.

      In other words, put up or shut up.

    27. Re: Fearmongering bullshit article seeding FUD by UnknowingFool · · Score: 1

      You have to have a live demo, why? Is it because your level of proficiency isn't high enough to see the code and use it?

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  3. Well duh. by Anonymous Coward · · Score: 4, Insightful

    Did you really expect this massive, gaping security hole, that got a metric fuckton of media coverage, to go unexploited?

    1. Re:Well duh. by Anonymous Coward · · Score: 0

      Not the first massive, gaping hole that I've seen on the internet....

    2. Re:Well duh. by Highdude702 · · Score: 1

      Pfft, you haven't been around here long, have you?

  4. I want to see a real exploit by CustomSolvers2 · · Score: 0

    I am not saying that it is impossible to be exploited, but much more difficult than what so much advertisement seems to imply. Logically, I am more than ready to be proven wrong. Also I do think that all this should be eventually fixed, at least, under the most demanding/vulnerable conditions. Anyone willing to put together a small virus (not doing anything bad + source code, evidently) to prove me wrong?

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    1. Re:I want to see a real exploit by Highdude702 · · Score: 4, Informative

      Spectre is harder to exploit, you're correct. Meltdown however is way more dangerous and not hard at all to implement. Here's some PoC links for you to look through.
      https://github.com/paboldin/me...
      https://github.com/gkaindl/mel...
      https://github.com/IAIK/meltdo...
      https://github.com/RealJTG/Mel...

      That was from a 5 second google search. I have only tested the top one myself but I know it works.

    2. Re:I want to see a real exploit by CustomSolvers2 · · Score: 4, Informative

      That was from a 5 second google search. I have only tested the top one myself but I know it works.

      Thanks and sorry for having been so lazy myself. Anyway, I also looked at the first one and it seems to deliver (didn't run it, just read the docs and saw the video) pretty much the same as what I have seen in some other places: memory dumps (from in principle protected locations). This is kind of demonstrating what the bug is about, but not the real exploit I meant. What I meant with real exploit was an application which might actually be used to perform whatever potentially-dangerous action on my computer. Having access to protected memory isn't ideal, true; but how could all that be easily used to accomplish whatever goal? How could you convert those memory locations into ways to trick whatever software to behave against my intent? Having just a memory dump isn't too useful by itself.

      Then, I took a look at the fourth one (with 482 stars!) which is a simple C file, with no instructions that, when executed, prints an array of strings which might be a song or something?! The readme says that it can read passwords from Chrome?! (by assuming that all the hidden fields are stored in the same way and in the same place in all the OSs, it might make sense but not in any other scenario. And why just Chrome?!). In any case, that code is just running the loop with the song, nothing else(!!).

      Then, I looked at the second one which is also a C file but much more complex than the aforementioned sample. This time I cannot know immediately what it does, so I ran it and it printed out something about it working and what seem to be memory locations. Again, no instructions, no explanation and, at first sight, no idea how this is supposed to be reading passwords from anywhere. I think that I have now more doubts than before your post (thanks again, anyway)! If reading passwords from a browser is so easy why aren't they including a clear code/application with clear instructions? Or even worse: why are all of them saying that everything works fine, that it is very scary, when their codes don't seem to be doing anything? Perhaps I am a bit tired now and am missing something, or what?

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    3. Re:I want to see a real exploit by Anonymous Coward · · Score: 0

      I'm sure there are thousands of people around the world working hard on proving you wrong as we speak.

      If I could do it myself I would not be publishing my results here for you. I'd have better things to be doing with it.... if you see what I mean.

    4. Re:I want to see a real exploit by CustomSolvers2 · · Score: 1

      thousands of people around the world working hard on proving you wrong as we speak

      I have so many enemies? Because of something I said? I can change if they want! LOL. Yes, I get your point.

      If I could do it myself I would not be publishing my results here for you.

      I understand that this is the case with these things (researchers + public work way behind the malicious activity), but there has been so much publicity this time! And, after looking at some of the codes posted in a comment above, my doubts are even stronger. Anyway, it was just out of curiosity as far as I don't consider myself or my computers a target of this kind of thing (poor + cautious).

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    5. Re:I want to see a real exploit by Anonymous Coward · · Score: 0

      Take any of the PoCs outputting memory. Set that start address to the base address of your target application (how to get this depends on the OS. In Linux you can look in /proc) or the kernel. Run the PoC, pipe the output through strings. Data will show up.

    6. Re:I want to see a real exploit by Anonymous Coward · · Score: 0

      The POC code might just have targeted Chrome because the password is stored in some easily guessable memory location. As far why it's important not to leak protected memory locations: you can read encryption keys through it; you don't need to actually install some rootkit on a server if you can get the SSL keys of the domain. That would be much harder to detect than someone logging in as root...

    7. Re:I want to see a real exploit by Anonymous Coward · · Score: 0

      Thanks, my shitty laptop is vulnerable, gotta switch ASAP to my AMD desktop. And uptrade this ugly thing.

    8. Re:I want to see a real exploit by Anonymous Coward · · Score: 0

      So in order for it to work, you have to actually download and run an executable just like any other malware out there.

      Wow, what an exploit. I'm shaking in my boots.

    9. Re: I want to see a real exploit by Anonymous Coward · · Score: 0

      Just because you're poor and don't have enemies doesn't mean you won't end up a target of mass ransomware or turn your computer into a mining bot or member of a botnet for ddosing. Most people with malware don't care and/or don't know, they're still valuable... somebody's computers are getting compromised or massive botnets wouldn't even exist!

    10. Re: I want to see a real exploit by sound+vision · · Score: 1

      You download and execute code every time you open your web browser.

    11. Re:I want to see a real exploit by CustomSolvers2 · · Score: 1

      Take any of the PoCs outputting memory. Set that start address to the base address of your target application (how to get this depends on the OS. In Linux you can look in /proc) or the kernel. Run the PoC, pipe the output through strings. Data will show up.

      Let's see if I understand you correctly. Consider the following C code:

      #include <stdio.h>

      int main(void) {
          char char1 = 'a';
          printf("%c\n", char1);            // the value of char1, a
          printf("%p\n", (void *)&char1);   // memory address where char1 is stored
          char *char2 = &char1;
          printf("%c\n", *char2);           // same value as char1, a
          printf("%p\n", (void *)char2);    // same memory address as the one of char1
          return 0;
      }

      You can play around with the memory locations of all the variables (+ get their values) as much as you want within the same application. Now, if I print the value of the aforementioned memory location to a file and, while that program is still running, I execute a second program which reads that file and tries to get the value associated with that memory location, an error will happen because that memory address will not make any sense for that second program. But, due to this bug, there are cases where that situation can occur (reading a certain memory location from a different application and getting the value stored there by that original application). Some of the listed codes generate a set of memory addresses with that "feature" which consequently can be read from any other application?! If I understand it correctly, it wouldn't be straightforward at all and would imply a ton of assumptions (why would a variable be stored in exactly the same memory location? Why would the given program, out of the tons of different possibilities, be relying on exactly the approach allowing that? Is the type of that memory allocation always char? etc.); which makes the referred lack of instructions even weirder! Anyway, I might give it a shot in the afternoon and write here my impressions. Thanks for the explanation.

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    12. Re:I want to see a real exploit by CustomSolvers2 · · Score: 1

      Another issue I didn't mention but which you correctly pointed out: the memory location has to be added to the base address of the given application, which represents an additional difficulty (+ finding out said base address). Easy? No instructions? Weirder and weirder! Anyway, I will give it a try in some hours and share my impressions.

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    13. Re:I want to see a real exploit by CustomSolvers2 · · Score: 1

      because the password is stored in some easily guessable memory location

      Not just easily guessable, exactly the same every time!!! Which sounds quite weird! At least, by looking at what these codes are supposed to be doing, they are generating memory locations regardless of anything else including Chrome!! The underlying idea is that Chrome stores all the passwords (and only the passwords!) in the same memory locations (which might change from computer to computer or even after restarting it, but which are the same for all the running applications)!!! Lots of very weird assumptions, but well... these might be extremely faulty codes, not saying that this is a basic requirement for the referred bug (no idea though).

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    14. Re:I want to see a real exploit by Anonymous Coward · · Score: 0

      That's what PoCs are, Proof of Concepts. That it doesn't come with massive documentation, deploy/maintenance instructions is part of what makes it a PoC.
      They're designed to show "some" usage, but could be anything but reading passwords from memory.
      It's when AI viruses can incorporate these exploits in a non-deterministic manner that it's way overdue to fix our security models.

    15. Re:I want to see a real exploit by CustomSolvers2 · · Score: 1

      This has been weird... I have posted right now a reasonably big reply with conclusions after some tests/research which hasn't been stored. A bit tired I guess. I am not willing to re-write everything. The short summary is that I wasn't able to find a way for a process, supposed to only access a given address space (its regions are defined in /proc/PID/maps; this is the most similar thing I could find to your "base address"), to do anything with the memory allocated by another one. Regardless of the fact that certain highly sensitive, OS-accessible memory isn't properly managed, the question of how to access that memory remains. Even under ideal conditions (admin privileges, perfect information about the memory addresses and data types), a process running on the given OS can only access memory locations within its assigned range.

      How can this be overcome? How can all these memory-dumps become useful? How could that famous-but-not-found-so-far app able to read passwords from Chrome be built? Even by having all the information regarding the memory location of the given strings, how could they be read by a random process? I think that these are all the main ideas which I wrote in that longer-&-now-lost post. If I misunderstood any bit or anyone knows about a ready-to-use sample delivering a tangible result, please let me know.

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    16. Re: I want to see a real exploit by Joey+Vegetables · · Score: 1

      My network connection is usually down. I couldn't be downloading code every time my browser opens if I wanted to, you insensitive clod! :)

    17. Re: I want to see a real exploit by Anonymous Coward · · Score: 0

      LOL, bullshit.

      HTML is a formatting language, not program code.

      JavaScript is a scripting language that is also sandboxed, not program code. It's also blocked by default in my browser (I can't speak on your obviously poor security practices though).

      Show me a LIVE DEMO of a web page that can access confidential data from background program, such as KeePass, and display it back to me. You can't, because you're talking out of your ass.

    18. Re: I want to see a real exploit by sound+vision · · Score: 1

      JS running in your browser *would* be sandboxed... if the CPU didn't let memory leak between every single user process, as well as the kernel. Which, Golly Gee, is the entire problem here.

      I do run NoScript, which will probably stop some drive-by attacks. But there are also sites that I need to actually work as intended - for example, the sites where I've been applying for jobs lately. The choice I'm left with becomes conducting an audit of a third-party's web infrastructure and JS for each job I apply to, or not applying for any jobs.

      And so it appears you lack even a cursory understanding of the bug, or my security practices, but feel confident enough to tell me I'm talking out of my ass. Dunning-Kruger in effect, or just another of the shill army? "Sad!"

    19. Re:I want to see a real exploit by CustomSolvers2 · · Score: 1

      Clarification just in case: regardless of the tremendously low quality (+ dishonesty; please, refer to the aforementioned repository including a doing-nothing simple file with 400+ stars in GitHub!!) of some of the available codes, the whole meltdown premise seems very difficult (if possible at all) to be exploited as far as one thing is knowing certain memory addresses and a completely different story is being able to actually retrieve information which is stored there. In any case, note that most of my experience is focused on the algorithm-developing side of things by eminently relying on managed languages. I have some low-levelish experience (in C), but knowing how everything is working at the memory-level is certainly not my strongest suit. Perhaps I missed something. As said, more than happy to get any kind of feedback or tangible references (= pretty much the opposite to a video showing random numbers, incredible claims without code/programs to support them or similar faith-based resources).

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    20. Re: I want to see a real exploit by Anonymous Coward · · Score: 0

      Show me the live demo of it stealing my data by merely visiting a website or your words are 100% bullshit.

    21. Re:I want to see a real exploit by CustomSolvers2 · · Score: 1

      That's what PoCs are, Proof of Concepts.

      (Sorry about the delay in replying. I saw your post right now by pure accident. Bear in mind that one of the drawbacks of posting anonymously here is that I don't get any warning when you reply to one of my posts).

      So, you are saying that proving a concept is "developing" a piece of software not doing anything at all to prove the given concept? You are saying that writing a simple loop reading/displaying the words included in a simple array (a song or a poem or just random nonsense), making ridiculously inaccurate claims in the readme file and getting over 400 stars is proving something? Perhaps you are right. It definitively proves something: the huge amount of dishonesty and/or lack of knowledge and/or gullibility and/or fanaticism that you can easily find in (certain areas of) the internet.

      If the idea you want to prove is that it is possible to know certain memory addresses which, in theory, shouldn't be known by that user/process, you would have to perform some actions to accomplish that goal (why these specific addresses should be hidden? Under which conditions you can know about them and how that access could be avoided?, etc.), via comments, different I/O scenarios or similar. This would have been an acceptably good PoC, but still not what I was looking for. If you want to deliver what I think that is the basic requirement to consider this a serious problem, you would have to work a bit more. Additionally to the aforementioned proof that the given memory addresses shouldn't be known, you would have to also prove that you can access the contents stored in said addresses. Or more graphically: after proving that the address 0x000whatever shouldn't be known by the given user/application, you would have to be able to prove that program2 can retrieve from that memory address the character 'a' that program1 stored there (= code actually performing the advertised real-time reading of Chrome passwords).

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  5. Check your Faraday hats by Anonymous Coward · · Score: 0

    Everyone, make sure your Faraday hats are grounded. Anyone consider that this news of all modern stuff being compromised and unfixable is just a ploy to force everyone to upgrade their hardware and software, so that the new backdoors become universal?

  6. See how good My AV is.. by Stan92057 · · Score: 1

    Well now we'll see just how good my AV is... I didn't patch. I'm on Win 7 Ultimate, upgraded from Vista Full. It would be a HUGE PITA to recover lol but I refuse to go Win 10. I'm not paying for an OS that forces ads on me or controls what I choose to install on MY hardware... you get the point...

    --
    Jack of all trades, master of none
    1. Re:See how good My AV is.. by Nivag064 · · Score: 2

      Well now we'll see just how good my AV is... I didn't patch. I'm on Win 7 Ultimate, upgraded from Vista Full. It would be a HUGE PITA to recover lol but I refuse to go Win 10. I'm not paying for an OS that forces ads on me or controls what I choose to install on MY hardware... you get the point...

      You should consider upgrading to Linux!

    2. Re:See how good My AV is.. by HiThere · · Score: 1

      While I agree with your sentiments, that doesn't address *this* problem. This is a hardware (well, at least microcode) problem, and all OSes are vulnerable.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    3. Re:See how good My AV is.. by Anonymous Coward · · Score: 0

      Congratulations. You won! This is the most idiotic comment of the day. Well done!

    4. Re:See how good My AV is.. by Anonymous Coward · · Score: 0

      Except that Windows 7 and 8.1 won't run on the new fixed CPUs, so your only options are Linux or Windows 10.

    5. Re:See how good My AV is.. by HiThere · · Score: 1

      Yii! Did they really do *that*?

      Of course, MS wasn't expecting Meltdown to show up, but that their patches should disable it on fixed systems should be a reason to put them out of business.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    6. Re:See how good My AV is.. by Anonymous Coward · · Score: 0

      Of course they will. Why wouldn't they?

      They may not take advantage of new instructions introduced with the new CPUs, but the CPUs are still backward compatible with the old instruction sets and therefore software, including Windows 7 and 8.

  7. attack surface by Anonymous Coward · · Score: 0

    this is a blessing in disguise:
    disabling javascript in the browser should reduce the attack surface to ... very little? and help keep the web ... saner : ]

  8. Simple solution by eclectro · · Score: 2

    Get all passwords and documents you care about off the pc so there is nothing for spectre to read. The spectre attacks are not detectable so antivirus programs likely will not detect them. Running a secure Linux rather than Windows still might be the best hope, but not for attacks taking place through the browser. Perhaps have an "empty" machine with just a browser for internet connectivity and browsing/surfing.

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
    1. Re:Simple solution by abies · · Score: 2

      Perhaps have an "empty" machine with just a browser for internet connectivity and browsing/surfing.

      You mean unimportant surfing like accessing bank account, bitcoin wallet and whatever?
      If these things are accessible to hackers, I don't know if I care that much if they are able to read my 3-year-old Witcher 3 savegames. Or open-source code I'll upload to GitHub the next day anyway.

      For 99.99% of the people, the only things they really need to protect are things they do on the internet. Having a secure, internet-less machine is not very useful for most of us.

    2. Re:Simple solution by Anonymous Coward · · Score: 0

      Well - my bank account can only be accessed by using a generated code from a device. This code is different every session, and every transaction I do. This device is not coupled to the computer, and only gives the right code when I type in my personal (and secret) number combination. So - I doubt if anyone can do anything with the code that's in my computer memory, because it can only be used one time. After that you need to generate a new 8-digit code to do anything new.

      And no - I do not use a software wallet to store passwords. I just keep them stored in a safe place without any connection to my computer.

    3. Re:Simple solution by khandom08 · · Score: 1

      And no - I do not use a software wallet to store passwords. I just keep them stored in a safe place without any connection to my computer.

      https://vbtelco.com/wp-content...

    4. Re:Simple solution by ZosX · · Score: 1

      From what I understand the current spectre attacks would take code to run locally for them to exploit it.

    5. Re:Simple solution by Anonymous Coward · · Score: 0

      at least get yourself a handful of cheap small USB keys and preload some unetbootin utilities, so you can restart your hardware.
      so then you can access all your personal files and storage that you DO have recent backups of, on disconnected media, right?
      you DIDN'T ensure your backups were up-to-date when you heard about Meltdown? hmmmmm.....

  9. Wake me @ rooted via OpenSSH w/ Spectre|Meltdown by Seven+Spirals · · Score: 0

    I know I'm a bad person for wanting to see the blood, but where are the fireworks?? I mean this is supposed to be the biggest, baddest, least-detectable, most-exploitable thing since rpc.statd and Sendmail! C'MON you Chinese commie pinko robot exploit h0x0xr army! Hit me with everything you got! To quote an old sage, "I'll tell you what you cocksucker. You try to hit me and I will kill you. Don't try to hit me."

    Seriously though, has this not been the shit-talker-est set of exploits of the century? Where's the fire folks? In. The. Wild. They are already being reported and they don't seem to be doing 4/5ths of 5/8ths of fuck all. Oh, noes! They are going to dump my ring buffer! Call the president! Holy fuck! If it's that bad then do it through OpenSSH on an OpenBSD host or I call bullshit.

  10. It cannot be any worse than Intel (ME ) by pigsycyberbully · · Score: 0

    When I click the link it wants me to give them my email address before I can read the article. It cannot be any worse than Intel (ME).
    The HP Z840 workstation BIOS has 3 menu layers to switch it off, so it declares. But I do not believe it switches it off; it hides it. When running the Intel-SA-00075 Detection and Mitigation Tool it says not vulnerable, and does not get a response from it. If I move clip 40 and switch on the machine, the BIOS flashes a message before booting about it being vulnerable and to download the patch fix from HP.
    http://oi67.tinypic.com/zwc5xl...

  11. Re: Wake me @ rooted via OpenSSH w/ Spectre|Meltdo by Anonymous Coward · · Score: 0

    I'm strongly against the anti-Russia fervor over the last year, but you can probably imagine exploits like this are a lot more concerning to people working inside a government or with security clearances. I'd also say those are the same people (Vault 7) who are working the hardest and spending the most to incorporate this into their attack suites.

  12. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  13. Spectre v2 by DrYak · · Score: 1

    AMD considers their CPUs potentially vulnerable to Spectre Variant 2 - "Branch Target Injection". (The one where one attacker application is able to do its bidding inside a completely different and innocent target application.)

    Some more recent AMD processors do indirect branch prediction.
    But the way they do this indirect branch prediction is completely different.
    Currently the Google demo code against Intel Xeon doesn't work (well, obviously).
    Nobody has managed to write a successful exploit of that variant.
    AMD engineers believe that it's a terribly difficult task that might not be doable.
    So they might indeed end up being more or less Intel-specific-ish.

    Spectre variant 1 - "boundary check bypass" is the one affecting every CPU that does speculative execution, and is basically "speculative execution working as it should/as documented, but now somebody has found a way to use it as a side-channel attack to have software see its own data".

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
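    As an added illustration (not code from this thread or from any of the posters), here is the shape of the variant 1 "bounds check bypass" gadget described above, beside the branchless index-masking hardening that follows the idea of the Linux kernel's array_index_nospec(). The table, probe buffer and indices are constructed sample values; the code assumes size_t and ptrdiff_t have the same width.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a 16-entry public table and a 64 KiB probe buffer.
 * In the variant 1 pattern, the dependent load probe[table[idx] * 256] is
 * what turns a speculatively loaded byte into a cache-observable signal. */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3 };
static uint8_t probe[256 * 256];

/* Architecturally correct bounds check; the load after the branch can still
 * run speculatively with an out-of-bounds idx before the branch resolves. */
uint8_t lookup_unmasked(size_t idx)
{
    if (idx < TABLE_LEN)
        return probe[table[idx] * 256];
    return 0;
}

/* Branchless mask: all ones when idx < size, zero otherwise.  Same arithmetic
 * as the kernel's generic array_index_mask_nospec(): for idx >= size the term
 * (size - 1 - idx) wraps and sets the top bit, so the shift yields 0. */
size_t index_mask_nospec(size_t idx, size_t size)
{
    ptrdiff_t v = (ptrdiff_t)(idx | (size - 1 - idx));
    return (size_t)(~v >> (sizeof(size_t) * 8 - 1));
}

/* Index that reaches the load: unchanged in bounds, forced to 0 otherwise,
 * even on a mispredicted path, because no branch decides it. */
size_t masked_index(size_t idx, size_t size)
{
    return idx & index_mask_nospec(idx, size);
}

/* Hardened form of the same lookup. */
uint8_t lookup_masked(size_t idx)
{
    if (idx < TABLE_LEN)
        return probe[table[masked_index(idx, TABLE_LEN)] * 256];
    return 0;
}

int main(void)
{
    printf("mask(5,16)=%zx mask(16,16)=%zx\n",
           index_mask_nospec(5, 16), index_mask_nospec(16, 16));
    return 0;
}
```

Note that a test can only check the architectural result; whether the masked load is still leaky under speculation depends on the compiler keeping the mask arithmetic (the kernel hides the variable from the optimizer for that reason).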
    1. Re:Spectre v2 by HiThere · · Score: 1

      OK, that makes sense. I've never gotten the various versions of Spectre distinguished in my mind...or memory. I tend to think of them all as variant 1.

      It sounds like AMD should come out of this quite well.

      I can't decide whether variant 1 sounds "possibly dangerous" or not. I suppose it depends on how applications segment their data. But I'm really skeptical about speculative execution in hyperthreads in any case. I think that it's an indication of overly complex processors, where simpler and more would be a better choice. (OTOH, given the way applications are currently written, I can see why they did it, I just think it's a poor local optimum. Yes, it's the top of the local hill, but the mountain is over there... Hill climbing often gets stuck at poor local optimums.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  14. Can AVs protect from all related attacks? by Anonymous Coward · · Score: 0

    Serious question - or are we all at their mercy?

  15. Spectre ; Hyper threading by DrYak · · Score: 1

    It sounds like AMD should come out of this quite well.

    At least much better than the giant pile of mess that is Intel.
    That's why some experts are pissed at Intel trying to muddy things and pretend all CPUs are equal.
    (Nope. All CPUs are equal in *Spectre v1* only.
    Intel's peculiar way of optimizing at the cost of everything else, including safety and sanity, stands out a lot in Spectre v2 and Meltdown.)

    I can't decide whether variant 1 sounds "possibly dangerous" or not. I suppose it depends on how applications segment their data.

    Yup.
    There's a reason why web browsers have moved (Chrome) or are moving (the whole reason to switch Firefox from XUL to WebExtensions is to enable Electrolysis by default) to multi-proc models. Eventually none of the critical data (e.g.: Password Manager extensions) and externally provided arbitrary code (Javascript on websites) will be living in the same process.
    And there's a reason why the JITting of eBPF isn't enabled in the Linux kernel by default.

    But I'm really skeptical about speculative execution in hyperthreads in any case.

    Hyperthreading and speculative execution are completely orthogonal to each other.

    They are two completely different strategies in answering the problem of how to keep the pipeline fed, each time it stalls (e.g.: while waiting for something to be fetched from the memory, or some long computation to finish).

    You don't know what you should do next:
    - Speculative execution: ...so you make your best guess, and try to do it anyway. If your guess turns out right, you're gaining some execution speed.
    - Hyperthreading: ...but there are N other tasks currently waiting for which you DO know what to do next. Do them instead.

    Speculative execution comes with lots of complexity (in order to be able to invalidate wrong turns), with the devil lurking in the implementation details (side-channels, security checks done too late).
    Hyperthreading is much closer to normal execution and simply requires doubling some already existing facilities in order to enable the CPU to track N tasks.

    OTOH, given the way applications are currently written, I can see why they did it, I just think it's a poor local optimum.

    Hyperthreading is the *better* solution... except that, for it to work, it requires having N other tasks waiting.
    Hyperthreading works better in heavily multi-tasking use cases. So you'll find it on servers (typical server-only CPUs like the UltraSparc Niagaras had 8 threads per CPU core) and on GPUs (as anyone used to CUDA knows, the basic strategy is keeping as fucking many threads in flight as possible).

    It works on tasks which are heavily parallel (tons of servers and daemons, or tons of pixels, etc.)

    But it doesn't help on tasks that are mostly single threaded, so it doesn't look nice on lots of benchmarks (e.g.: older games, lots of compression tasks).

    In other words, Multithreading won't make your Windows go faster (even more so as Windows has traditionally lagged behind the state of the art in process schedulers).
    "Local optimum" as you say.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]