Security Alert Security researchers discover seven more speculative execution attacks like Spectre and Meltdown

LASER_oneXM

Level 37
Thread author
Verified
Top poster
Well-known
Feb 4, 2016
2,519
One of the biggest security stories of 2018 has been the discovery of the Meltdown and Spectre chip flaws. Known as speculative execution exploits, the flaws make it possible to steal potentially sensitive information and there has been an on-going battle to issue patches wherever possible.

Just as things were starting to die down a little, security researchers have revealed details of no fewer than seven more speculative execution attacks. While some of these attack vectors have already been mitigated against, this is not the case for all of them.
As detailed by Ars Technica, researchers have undertaken a systematic analysis of the techniques involved in the Spectre and Meltdown exploits, and this is how the new variants have been discovered.
One of the newly-discovered exploits uses Intel's Protection Keys for Userspace (PKU), and Peter Bright explains:
...
....
 
5

509322

kermit-the-frog-flail.gif
 

DeepWeb

Level 25
Verified
Top poster
Well-known
Jul 1, 2017
1,421
This is good news. HP has updated my BIOS 3x this year already which is amazing. Usually OEMs only update BIOS once a year or sometimes even completely forget about their old devices. This whole Spectre/Meltdown thing has them on their toes and I am very happy to update my BIOS/UEFI twice a year as it should! The new microcode is not just providing security improvements but also other improvements especially in thermal management. I can literally feel the difference with my laptop on my lap. It's simply not getting as hot as it used to.

Btw Intel said this:
The vulnerabilities documented in this paper can be fully addressed by applying existing mitigation techniques for Spectre and Meltdown, including those previously documented here, and elsewhere by other chipmakers. Protecting customers continues to be a critical priority for us and we are thankful to the teams at Graz University of Technology, imec-DistriNet, KU Leuven, & the College of William and Mary for their ongoing research.​
So if you are on the latest microcode from July/August, you're fine.
 
  • Like
Reactions: AtlBo and BryanB

SumTingWong

Level 26
Verified
Top poster
Apr 2, 2018
1,597
Nothing surprise here.

It needs a malicious application that can exploit Spectre and Meltdown to infect your system. Your security product should stop it on the first place.
 
  • Like
Reactions: AtlBo

Slyguy

Level 44
Jan 27, 2017
3,319
I don't think most people realize the level to which these techniques have been exploited by certain actors for many years.

I read a security journal a couple years ago where Israeli Intelligence bragged they were a decade+ ahead of everyone else with their ability to conduct interdiction on systems and perform spying operations on computer hardware. They bragged to the point I wouldn't doubt for a minute this bragging resulted in some more careful examination of Intel and ultimately with the Meltdown discoveries. After all, Intel is largely an Israeli firm (the former CEO admitted such) and most of their R&D is conducted in Israeli at the behest of the Israeli Intelligence, and Intel R&D facilities in some cases, share offices with specific training facilities. There is an open door in Haifa between Unit8200 interns and Intel. This isn't speculation, it's fact and it should be exposed that many of these speculative CVE's aren't actually accidental.

This is the problem when you engineer something with reduced security or backdoors, they'll get exposed - eventually.
 

AtlBo

Level 28
Verified
Top poster
Content Creator
Well-known
Dec 29, 2014
1,723
This is the problem when you engineer something with reduced security or backdoors, they'll get exposed - eventually.

Great point about the issue being exposed and the possibility that the Intel exploits were engineered (or at least perhaps a "planned and coincidental accident" of efficient chip design). However, I think these exploits also point to how rushed the entire industry was and has been to get to people with personal computing. I don't care what it's called, etc., but that force meant worries for alot of governments. Hardware changing and improving daily...how do you regulate software standards? Not to take their side, but I can can understand to an extent why governments, also responsible for the safe operation and care of armed nuclear missiles and working and functional nuclear power plants and the like, would want to have a handle on what to expect in potentially dangerous scenarios. But it's ugly and can be done in a much better way obviously. The same thing can be accomplished with full net monitoring , complex and intense scenario examination, and people on the ground "reading the streets"...the old school ways are the best ways to do security it seems to me, and the simpler the better. These ways don't require unverified trust on the part of anyone. Maybe think of it this way. Remove consumer based big business from the national security picture, and the challenge becomes magnitudes simpler, plainer, and clearer. It also becomes trustable for the people, because they in one way gain a trusted friend in their company. Also, those who buy products can be more assured that the focus of the companies making the products is not divided.

Thanks for you insights on security matters. I think things will steadily calm down and get better over the next 10 years I guess I would say.

BTW, I am no security insider by any means. Probably this is obvious :). Yes, all of this just seems to be plain. With all the questions surrounding MS and Windows going back to Win 3.1, I guess it's hard for me to imagine that these vulnerabilities weren't "engineered".
 

Slyguy

Level 44
Jan 27, 2017
3,319
The good news is, a lot of eyes are on Intel right now. As these things get fixed certain specific actors are losing access to a lot of valuable tools and techniques. There is some worry out and about amongst those... Someone, I think it was Clapper? Recently said the 'golden age' of spying on electronic/computers/internet is coming to a close. That more and more methods, techniques and exploits are closing off access to previously accessible targets.

Think about it - just 10 years ago nobody cared, everyone used Gmail or Hotmail. Encryption wasn't talked about much except by techies, prosumers and IT Guys. Everyone just piled into Best Buy for the cheap $19 routers. VPN use was very low, about 4% of total internet users. Two factor what? Now even the most average of average Joe's is often spotting using encrypted email services, TFA, and/or buying up things like Gryphon's for their home. I've spotted some of the most non-savvy PC users I know using TFA now.

It's no wonder the golden age of rampant, unrestricted spying is ending, right? When Grandma Erma has a Tutanota account you know the spylords are unhappy.
 

DeepWeb

Level 25
Verified
Top poster
Well-known
Jul 1, 2017
1,421
Btw it's ridiculously difficult to find the latest BIOS updates for most OEMs thanks to their incompetent web design. For example HP does not bother updating the driver pages for older devices. Not only that. Check this out.
This is the latest HP Security bulletin:
HPSBHF03573 rev. 14 - Side-Channel Analysis Method | HP® Customer Support

This is the bulletin from 1 month ago:
HPSBHF03584 rev. 7 - Derivative Side-Channel Analysis Method | HP® Customer Support

The bulletin from a month ago offers a more recent BIOS update than the current security bulletin and it provides a patch for the vulnerability in this article too! I posted it in my setup thread a few weeks ago.
I'm just puzzled. Did HP lose track of their own updates?? Incompetent. Not to mention 99% of HP users don't even know how to find the security bulletin (I just typed my BIOS version number +1 increment higher and luckily came across this). No way anyone does that.
I wonder if more recent computers offer BIOS update through Windows Update like a driver. That would help the average joe a lot.
 
Last edited:

Slyguy

Level 44
Jan 27, 2017
3,319
This kind of crap used to keep me up at night.

However the good news (for me) is I don't generally work on systems impacted by this stuff anymore. Isolated, embedded systems with custom hardware profiles and microcode updating done inhouse on a very limited spread of hardware/software. Linux included. So I don't lose sleep as much these days. (y)

PS: My motherboard company for my gaming rig released yet another patch that contains microcode on the 20th. These things keep rolling out for newer hardware, but that older stuff? Ugh.