Q&A Spectre and Meltdown

Joined
Aug 18, 2015
Messages
74
#1
Hi, I don't know a lot about computers or their workings, but with the scare of Meltdown and Spectre, can we not get a new motherboard and processor fitted in our old PC, or is it not worth the faffing about and cost? Or what is the chance of little old me getting hacked just surfing the net, not going on naughty sites like porn etc.? Thanks. PS: just buy a new PC.
 

shmu26

#3
Hi, I don't know a lot about computers or their workings, but with the scare of Meltdown and Spectre, can we not get a new motherboard and processor fitted in our old PC, or is it not worth the faffing about and cost? Or what is the chance of little old me getting hacked just surfing the net, not going on naughty sites like porn etc.? Thanks. PS: just buy a new PC.
You will be safe, as long as you do a few basic things.
1 Use a secure version of Windows, such as Windows 7 and up. The higher the number, the better.
2 Use a safe browser, such as Chrome or Edge or Firefox. There are others, but these are a few good ones.
3 Keep Windows and your software updated.

Forget about replacing your motherboard or processor; in most cases it means getting a whole new computer. It's not worth it, because no hacker is going to spend time and money to target you with that kind of advanced attack. They are going after high-profile targets.

And most important, be an intelligent computer user.
Don't click on things that promise easy money, or try to scare you. Don't open email attachments unless you are sure they are legit. If in doubt, ask the sender. It is common for people you know to lose control of their email account, and you will get spammy or malicious email from their address. So always stay aware.

I see that @BoraMurdar already answered you. Follow his advice!
 

Deleted member 65228

#4
Even if you were a high-value target, the chances of being affected by Meltdown or Spectre are low. Rumours claim that there were many samples found in the wild exploiting either of them; however, more trustworthy sources claimed that to be false. Nor have I seen any samples in the wild exploiting either vulnerability yet.

If an attacker wanted to exploit your system using the Spectre vulnerabilities, they'd need local access as far as I am aware. I am not sure if it can be done via JavaScript (which in all fairness is indeed "local" -> the browser process); however, you can use security features like @shmu26 said, which are supported by most mainstream browser vendors, and they also usually come equipped with sandboxing mechanisms now.

Microsoft Edge uses AppContainer, and all Chromium-based browsers do support sandbox containment (unless of course someone re-compiled the source code with the feature removed or disabled it via the settings programmatically; both of which are possible). I am not sure about Firefox, but I'm sure they have some security features by now at least.

Exploitation of both vulnerabilities has some form of issue. For example, performance... It isn't "efficient" in the sense that it'd take a while to actually recover data which shouldn't be read by the attacker and which is actually meaningful. Some memory locations are harder than others, and even if the potential for exploitation is there, it's using the exploitation to its true potential which can be difficult for a majority of attackers in the real world.

Let proof-of-concepts be... Proof-of-concepts. A proof-of-concept is one thing but real-world usage is another.

Microsoft released a rather big update for Windows (big in the sense of the changes), and it changes how the Windows kernel operates with the user-mode to kernel-mode transition. This is why there were rumours about potential performance degradation, although it's been proven now that it wasn't so bad after all and only really affects businesses who are dependent on servers, or home users/businesses who are using software which is user-mode based and quite demanding. This 'rather big update' mitigates the Meltdown vulnerability to a good level from the software side. Prior to the patch update, the operating system kernel was simply "hidden" and not truly "separated", although thanks to the Kernel Page Table Isolation implementation, this is no longer true... It is genuinely separated now. This pretty much stops Meltdown exploitation from being effective.

The Spectre vulnerabilities aren't as bad anymore because Microsoft released an update to one of the biggest Integrated Development Environments (IDEs), dubbed Visual Studio (which they actually own), which supports a new linker feature to automatically insert an instruction when required. There's an assembly instruction for the x86 architecture, LFENCE, and it basically causes a hold-up until all previous checks have been performed, and thus it is inserted where vulnerable code is automatically identified, which prevents the speculative execution from being effective and "mitigates" one of the Spectre vulnerabilities to a good level.

As long as you keep all of your software up-to-date and make use of browser security features, you'll be fine.

I'm going to quote something very important 3 times.

Keep your software updated and don't be click happy. Stay safe!
Keep your software updated and don't be click happy. Stay safe!
Keep your software updated and don't be click happy. Stay safe!
Remember that!
 

Deleted member 65228

#6
I also want to reiterate in a separate post (the original was quite large as it was) that malware authors are primarily interested in banking malware, ransomware, crypto-currency mining malware and adware.

You could say that Meltdown could have been extremely beneficial for banking malware development because it could allow an attacker to read memory belonging to browser processes (which could potentially leak sensitive data such as credentials), but such data would not be "clear" and it wouldn't be a fast process either. It'd be much simpler for an attacker to install a form-grabber/WebInject into the browser to target banking website credentials, or to just locate where saved passwords are stored and use the browser's own APIs for decryption (which is commonly done with Firefox, for the record).

Ransomware is designed by default to demand a ransom in exchange for a decryption key, and to my surprise, it is true that you may get a decryption key back once you've paid the ransom. However, you can never trust someone who has infected your system, and there's no guarantee. Some ransomware can be decrypted by a third party due to a weak encryption algorithm or leaked keys which may potentially be valid for the affected files of yours, whereas some have no chance of decryption. Moving on, it's designed to encrypt files as quickly as possible, and this in turn gets attackers a lot of money because people do give in depending on how important the data is, or out of fear... Which is a shame really, because it's the people who pay the ransom who encourage malware authors to stay interested in the ransomware business, and cause a rise of new developments for it.

Crypto-currency mining malware is a new one, and banking malware has also started to target crypto-currency wallets more and more. Crypto-currency mining is the act of using your system resources to generate income, and while I don't really understand how it works fully, hence not being into crypto-currency (always thought it was the same as gambling, to be honest), I know enough to know that it uses up system resources. Malware for crypto-currency mining will hide and try to use your system resources. If an attacker can get enough infections, they can be generating a lot of income each month, depending on the life of the infection and the system resources the infected people's systems have.

Adware is adware; I'm sure you're already very familiar with it. Adware tends to make money from data collection (usually illegal) and advertisements/additional installation bundling. It can make a lot of money for the big actors in the adware business, which is a shame once again.

Those are some of the most prevalent threats out there, and crypto-currency mining malware is a new one recently on the rise in the game of malware development. I don't think Meltdown or Spectre will be a huge issue, and I would be surprised if an attacker (especially a normal attacker who is developing for home targets) will be capable of actually utilising it to its true potential with all the recent patch updates and software updates to take these vulnerabilities on board. It just won't be very effective in comparison to quickly stealing saved passwords on disk, among other things, which is a lot faster and has a higher success ratio.

We also need to remember that home targeted malware is... home targeted malware. A majority of black-hats developing to attack home users aren't experienced and likely don't even know what they are doing. Do you know how common it is for samples in the wild to be relying on copy-pasted code? Many samples are full of bugs and vulnerabilities (which can be abused to help beat them for removal or in the case of ransomware, decrypt the affected files).

Unless you're a high-value target you don't really need to worry, and even then, the likelihood is that even an actor like Microsoft hasn't been targeted with Meltdown or Spectre exploitation in a malware package unless it was by a government state actor (which is unlikely, because they could get data through other means, and also legally, and it'd be more effective that way).

One thing we all should keep in mind is that we can never be 100% safe, and it applies not only to the digital world but also to the real world.
Exactly.

We all have weaknesses because we are all human. Meltdown and Spectre could be similar to a fake job interview to steal your pitched ideas and make money before cutting you out of the picture, or someone claiming to be someone they aren't to grab personal information which can then be used for identity theft and thus lead to fraud (using real-life to do it).

Keep a system image backup/back up all your data, keep your software updated at all times (except for Windows Update; waiting a week is fine IMO because sometimes faulty updates show up), don't be click-happy, and have good security software relying on a layered combination to help combat any potential threats lurking if you get unlucky.
 

shmu26

#8
I personally would not apply a patch that involves the BIOS/firmware, even if the patch is guaranteed good, because the chances of borking the motherboard in the process are many times greater than the chances of thereby preventing infection.
 

plat1098

#12
There's nothing updated yet for my Lenovo Skylake model since December of last year. I'm not sweating it. I paid hearty money for the processor so I protect my investment while weighing the risks of staying vulnerable to Spectre until the microcode has been well-established. That's the dilemma: being vulnerable or risking performance degrades/failures. You paid for certain hardware and now you're obliged to compromise. Intel needs to pay for this--hoping some of those lawsuits pan out.

Edit: Here's the latest I could find on the progress of the Spectre updates:

Intel® Product Security Center
 
#13
After disabling MS patches for these exploits, Intel re-released the affected microcodes for Skylake, stating they were not having reboot issues.
Thank you. I should have clarified I meant the BIOS patches. I will wait for Linus's opinion on whether the new wave of microcode is good. After reading horror stories about CPUs dying after getting a BIOS update, I will wait and let others be the guinea pigs.
 

Deleted member 65228

#14
All of these issues stem from optimisation.

The issue with Meltdown is due to a lack of security checks, hence why it's Intel-only right now. Intel didn't do enough checks; it assumed the caller is trusted, whereas this isn't the case with AMD. However, some of the Spectre variants still apply to AMD CPUs.

The LFENCE mitigation is a good one to battle one of the Spectre variants, though. It stands for "load fence" and causes the memory load operations to change. This means if we have a block of code which uses an array to access memory, nested within a conditional statement, and we apply the LFENCE instruction (part of the x86 instruction set), then the memory operations using the array nested within the conditional statement won't be executed unless the conditional statement turns out to follow execution flow to the block of code nested within it. Without the LFENCE instruction, the load operations are optimised and thus the block of code performing the memory access may occur in advance, even if it turned out that it shouldn't have been executed in the end for that session.

The latest version of Visual Studio (by Microsoft, since they own Visual Studio) implemented a new linker feature which supports automatic analysis and identification of code potentially vulnerable to one of the Spectre variants, and insertion of the LFENCE instruction where deemed necessary. However, LFENCE usage does reduce performance, because you miss out on the speculative execution optimisation for that location of execution flow. When used correctly it won't necessarily be noticeable or have a real effect on performance, although when over-used irresponsibly/incorrectly it will potentially cause noticeable performance issues, hence why Microsoft implemented the feature after the recent media outbreak: to help developers re-compile their software and be automatically strengthened against Spectre, should their code have been vulnerable to the specific variant that LFENCE usage technically "mitigates".

Meltdown was the easier one of the two to exploit, since Spectre is dependent on actual software packages. Meltdown was due to how the OS kernel works, and thus Kernel Page Table Isolation (KPTI) prevents the attack, whereas Spectre is software-dependent. Meltdown allows read access to kernel-mode memory, whereas Spectre allows read access to memory of user-mode processes (when read access shouldn't be allowed, that is). Spectre works by tricking the software in question into accessing areas in memory arbitrarily.

Spectre is a lot harder to utilise with security software, or any software which is "protected" from access on the local environment, because you have to be executing under the context of the target process to cause it to read memory arbitrarily. If a software package doesn't allow arbitrary code execution, then you have to find a work-around to that protection mechanism. An example of gaining arbitrary code execution would be via code injection (e.g. shell-code or DLL), hence why self-defence mechanisms incorporated into mainstream AV products are beneficial to AV vendors, to prevent them from being that "affected".

It should be possible for the browser to be exploited via Spectre with JavaScript, due to JavaScript being executed locally under the browser process and because of features JavaScript supports. The multiple-process security feature is beneficial because it separates each loaded document (with its corresponding scripts) into a separate process, meaning each tab window is in another process. This means that if Spectre did happen to be exploited via a web-based exploit using JavaScript (for example), only the memory of the process for that tab could potentially be read without consent, instead of that of all the browser processes. This minimises impact damage in the case of browser-based exploitation, because it prevents a potential data leak of the data stored in memory for the other browser processes; the attacker will have less data which can be accessed with the exploit.

For anyone wondering why the multiple processes for web-browser tabs/the recent security features help mitigate the attack further, now you know why. It's because if the vulnerability is exploited, only the memory for that new individual process can be accessed arbitrarily.

If you keep self-defence mechanisms enabled for your security software, then it'll be safer against Spectre as well. An attacker would need to find a way around the self-defence mechanisms (which is certainly not easy from user mode with the big vendors like Avast and Kaspersky) for remote code execution, and they'd also need to do it for all of the security software package's processes for it to be effective (especially the SYSTEM process for that security software package).

Meltdown:
- Access kernel-mode memory with read access. Due to the target being the OS's kernel itself and not a specific third-party kernel-mode software component, it potentially provides read access to the entire kernel... Thus exposing third-party kernel-mode software's memory as well as all user-mode processes' memory
- Not very efficient in terms of speed. It would take a long time to go through everything, and it may be difficult to access certain areas at the same time; you'd need to know where to look
- You'd need to be capable of making use of the read memory with the returned buffer/s
- Mitigated further with Kernel Page Table Isolation (KPTI), which is implemented in Windows, OS X and Linux now

Spectre:
- Access to user-mode memory with read access
- Requires arbitrary code execution within the process holding the memory which the attacker wants to read arbitrarily, which also means the vulnerability (when exploited) can only be used for specific targets
- The attacker must know of a target on the local environment which holds vulnerable code and actually trigger code execution of the vulnerable code (AFAIK)
- Mitigated further with automatic insertion of the LFENCE instruction when required, and general safe practices when developing software and working with sensitive data/memory

Neither of them are very useful to the average attacker due to the resources/time consumption required to make it effective. It's much more efficient and simpler for an attacker to take a standard, common approach. If they are after sensitive data, they will just use local-based malware pushed via online downloads and malicious e-mail attachments and get it from victims. They could always go for the spear phishing approach targeting business employees. It really depends on the sensitive data which the attacker is after and also the victim target.

In all fairness, manufacturers tried hard with optimisation to make us happy, because all of us are impatient. This doesn't mean it isn't their fault, though; if the technology is vulnerable, then that's on them. The issue isn't only CPU manufacturers, though; the issue is also insecure/unsafe programming practices which lead to bugs which can be taken advantage of to actually make these vulnerabilities effective (this note is regarding Spectre; as I noted, safe and secure programming practices can reduce the risk and even prevent Spectre attacks from being of any use/being possible).

It's a pretty big mess, but things will clear up eventually, in time. We'll never forget about it entirely, and Intel is not doing so well because of it all (although they are not the only one who had "issues"), but that is life.
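The pattern the LFENCE posts above describe (a load from an array nested under a bounds check) and the two standard fixes, as an added example that is not code from anyone in this thread. The barrier macro and the `array_index_nospec` helper are my own names: on x86 the barrier is the LFENCE instruction discussed above (what MSVC's /Qspectre inserts), on AArch64 it is the equivalent DSB SY + ISB sequence, and the branchless clamp follows the idea behind the Linux kernel's array_index_nospec.

```c
/* Spectre variant 1 (bounds-check bypass) pattern with two mitigations.
 * Added illustration; helper names are my own, not from the thread. */
#include <stddef.h>
#include <stdint.h>

/* Speculation barrier: LFENCE on x86 (what /Qspectre emits), DSB+ISB on AArch64. */
#if defined(__x86_64__) || defined(__i386__)
#define SPECULATION_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#elif defined(__aarch64__)
#define SPECULATION_BARRIER() __asm__ __volatile__("dsb sy\n\tisb" ::: "memory")
#else
#error "no speculation barrier defined for this architecture"
#endif

#define SECRET_SIZE 16
#define PROBE_STRIDE 64                     /* one cache line per possible byte value */
static uint8_t array1[SECRET_SIZE] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
static uint8_t array2[256 * PROBE_STRIDE];  /* the array the nested load indexes */

/* Unsafe pattern: for an out-of-range x the branch may be predicted taken, so the
 * CPU can speculatively load array1[x] and use it as an index into array2, leaving
 * a cache footprint even though the architectural result is discarded. */
static uint8_t victim_unsafe(size_t x) {
    if (x < SECRET_SIZE)
        return array2[array1[x] * PROBE_STRIDE];
    return 0;
}

/* Mitigation 1: a barrier right after the check holds the dependent loads back
 * until the branch outcome is known. Cost: no speculation at this site. */
static uint8_t victim_lfence(size_t x) {
    if (x < SECRET_SIZE) {
        SPECULATION_BARRIER();
        return array2[array1[x] * PROBE_STRIDE];
    }
    return 0;
}

/* Mitigation 2: clamp the index without a branch. mask is all ones when
 * index < size and all zeros otherwise, so even a mispredicted path only ever
 * reads array1[0..size-1]. Requires size <= LONG_MAX. */
static size_t array_index_nospec(size_t index, size_t size) {
    long mask = ~(long)(index | (size - 1 - index)) >> (sizeof(long) * 8 - 1);
    return index & (size_t)mask;
}

static uint8_t victim_masked(size_t x) {
    if (x < SECRET_SIZE) {
        x = array_index_nospec(x, SECRET_SIZE);
        return array2[array1[x] * PROBE_STRIDE];
    }
    return 0;
}

/* Architectural behaviour is identical for all three; only what the CPU may touch
 * speculatively differs. Returns 1 when every variant agrees on constructed data. */
static int self_check(void) {
    for (size_t i = 0; i < 256 * PROBE_STRIDE; i++)
        array2[i] = (uint8_t)i;             /* constructed contents for the check */
    for (size_t x = 0; x < 2 * SECRET_SIZE; x++) {
        uint8_t expected = x < SECRET_SIZE ? (uint8_t)(array1[x] * PROBE_STRIDE) : 0;
        if (victim_unsafe(x) != expected || victim_lfence(x) != expected ||
            victim_masked(x) != expected)
            return 0;
    }
    return 1;
}
```

The fence and the mask are what a compiler-inserted mitigation or a careful developer adds; nothing here measures cache timing, since the point is what the hardened code no longer lets the CPU touch.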
 
#15
So. Update from Intel.
https://software.intel.com/sites/de...line-A-Branch-Target-Injection-Mitigation.pdf

It seems they are going with Google's retpoline idea. I don't have anywhere close to the understanding of this that Opcode and vasudev have, but I read that Google's concept provided a solution that had a much, much smaller performance impact, and Google applied their own patch to their servers weeks ago.
 

Deleted member 65228

#16
There's also a new policy implemented by Microsoft for processes regarding indirect branch prediction (also for Spectre): UpdateProcThreadAttribute function (Windows)

It'll be the PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON flag.
This flag can be used by processes to protect against sibling hardware threads (hyperthreads) from interfering with indirect branch predictions. Processes that have sensitive information in their address space should consider enabling this flag to protect against attacks involving indirect branch prediction (such as CVE-2017-5715).
Note the following, though.
Windows 10, version 1709: The following value is available only in Windows 10, version 1709 or later and only with the January 2018 Windows security updates and any applicable firmware updates from the OEM device manufacturer.
 
#17
Thank you. I should have clarified I meant the BIOS patches. I will wait for Linus's opinion on whether the new wave of microcode is good. After reading horror stories about CPUs dying after getting a BIOS update, I will wait and let others be the guinea pigs.
Even I meant BIOS patches with new microcode. CPU workloads seem to take a little hit (<10%), whilst 4K R/W in CDM suffered a lot, especially on NVMe drives.
 
#20
Spectre and Meltdown: a concession among the big companies to release the existing vulnerabilities of the main products, so that software developers, conspiring, are urged to create new patches that slow down the equipment, and so people, bored by the slowness of their equipment, are forced to go back and buy new complete hardware. They want people to enter 2020 with new supercomputers.
 