Security News Second wave of Spectre-like CPU security flaws won't be fixed for a while

LASER_oneXM

Intel needs more time and it could be Q3 before all the patches for OSes and VMs land

The new bunch of Spectre-like flaws revealed last week won't be patched for at least 12 days.

German outlet Heise, which broke news of the eight Spectre-like vulnerabilities last week, has now reported that Intel wants disclosure of the flaws delayed until at least May 21.

“Intel is now planning a coordinated release on May 21, 2018. New microcode updates are due to be released on this date”, Jürgen Schmidt reported on May 7.
Last week, Heise noted that one participant in the planned coordinated release would include a Google Project Zero disclosure, which as far as The Register can discern has not yet happened.

If disclosure and patches arrive in May, they won't complete Intel's response to the bugs, Schmidt reported. Further patches, tentatively scheduled for the third quarter, will be needed to protect VM hosts from attacks launched from guests.
In addition to microcode fixes from Intel, operating system-level patches will also be necessary.
Vulture South asked Intel to comment on the Heise report, and received a non-response saying it takes security very, very seriously, is working with anyone who can or should help to fix things. "We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations," the company said. "As a best practice, we continue to encourage everyone to keep their systems up-to-date.”

Thanks for that last bit of advice, Intel. We can't imagine anyone thought of it before.
 

Deleted member 65228

It will be patched then a new one will be discovered.
Probably because it comes from an optimization feature and is a flaw in a feature design embedded in the hardware/firmware.

Spectre is not a problem for you depending on your computer habits and configuration. If you're using features on most modern web-browsers like the Site Isolation feature on Google Chrome then you're a lot safer while browsing against JavaScript-based Spectre exploitation. Aside from that, you'll have to be hit by an attacker deploying ANOTHER zero-day exploit for RCE or grant local-based code execution so the attacker can perform RCE that way, since Spectre requires arbitrary code execution within the targeted process.

Spectre isn't Meltdown; it lets you read memory you shouldn't have been able to read from a specific target. For this to happen, you have to be executing code under the context of that specific target. Whereas Meltdown provided read access to the kernel (and write access for Page Table Entries post-Meltdown patch from Microsoft for Windows 7 64-bit and Windows Server 2012), which was a lot more dangerous considering it didn't require arbitrary code execution nor a specific process target (which made a lot more targets vulnerable overall).

Bear in mind that any of them would probably be difficult to apply in the real-world because memory reading/retrieval can be really slow and forensics on the read memory can be difficult to piece things together as well. Unless it is a pretty specific targeted attack it will probably end up being a waste of time or even more difficult IMO.

If you have any security solutions, you can enable their self-defense if you had disabled it, and then they are likely to not grant arbitrary code execution within the context of their processes -> safe against Spectre to a reasonable extent, you'd have to exploit the self-defense prior to Spectre when targeting a protected process.

I should probably mention that there's process protection (named MemGuard, I think) features in software like AppGuard as well, that can be handy I guess (to a reasonable degree) if you use it.
 

Deleted member 65228

I should probably note as well that Microsoft have started applying the LFENCE instruction in certain areas automatically if you're a software engineer and are on the latest version of Visual Studio for native software development (e.g. C, C++) at least... You'd need the /Qspectre flag enabled as well. The LFENCE instruction from the x86 architecture will cause a hold until that area should be continued, so when speculative referencing goes ahead, it'll be stopped from going further for the time being because of that LFENCE -> it will only continue past that point if in the end the code execution flow led there.

Not a bad idea at all, a good one IMO.
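To make the LFENCE point above concrete, here is an added C example (not code from the thread or from Microsoft) showing the classic Spectre variant 1 "bounds check bypass" shape beside the fenced form that /Qspectre emits for MSVC; with gcc or clang you place the `_mm_lfence()` yourself. The function and array names are constructed for the illustration, and the non-x86 fallback is only there so the file compiles elsewhere (no LFENCE exists off x86).

```c
/* Added example: Spectre v1 gadget shape vs. the LFENCE-hardened form. */
#include <stddef.h>
#include <stdint.h>

#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
#include <immintrin.h>
/* LFENCE: instructions after it do not execute (even speculatively) until
   every prior instruction, including the bounds-check branch, has resolved. */
#define SPECULATION_BARRIER() _mm_lfence()
#else
/* Non-x86 build: plain compiler barrier so the example still compiles. */
#define SPECULATION_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

#define ARRAY_LEN 16
/* Constructed sample data standing in for a table indexed by untrusted input. */
static const uint8_t array1[ARRAY_LEN] = {1, 2, 3, 4, 5, 6, 7, 8,
                                          9, 10, 11, 12, 13, 14, 15, 16};

/* Vulnerable shape: if idx is attacker-controlled and out of range, the branch
   predictor may still speculatively take the in-bounds path, so array1[idx] is
   loaded (and its cache line touched) before the check resolves. Architecturally
   the result is discarded, which is why both functions return the same values. */
uint8_t lookup_unfenced(size_t idx) {
    if (idx < ARRAY_LEN) {
        return array1[idx];
    }
    return 0;
}

/* Hardened shape (what /Qspectre inserts): LFENCE immediately after the branch
   holds the load until the CPU knows the check really passed, closing the
   speculative window the unfenced version leaves open. */
uint8_t lookup_fenced(size_t idx) {
    if (idx < ARRAY_LEN) {
        SPECULATION_BARRIER();
        return array1[idx];
    }
    return 0;
}
```

The fence changes only what happens during speculation, not the computed result, which is why correctness tests cannot tell the two apart; checking the emitted assembly for `lfence` after the compare is the practical verification.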
 