Researchers reveal Variant 4 of Spectre vulnerability

Discussion in 'Frontpage news' started by Hilbert Hagedoorn, May 22, 2018.

  1. Hilbert Hagedoorn

    Hilbert Hagedoorn Don Vito Corleone Staff Member

    Messages:
    48,317
    Likes Received:
    18,405
    GPU:
    AMD | NVIDIA
  2. schmidtbag

    schmidtbag Ancient Guru

    Messages:
    7,955
    Likes Received:
    4,336
    GPU:
    HIS R9 290
    These companies really need to stop giving examples of how to take advantage of exploits. They do realize that some of us have no way of getting our CPUs patched, right? For the most part, Spectre and Meltdown were a non-threat. They've been a "problem" for over a decade, and only up until recently were they actually an issue since they were brought to everyone's attention. Stuff like this needs to be patched silently, for the benefit of everyone.
     
    HitokiriX, TheDeeGee, Silva and 3 others like this.
  3. Kool64

    Kool64 Ancient Guru

    Messages:
    1,655
    Likes Received:
    782
    GPU:
    Gigabyte 4070
    Next thing you know these researchers will tell us that licking the heat spreader causes a vulnerability.
     
    Silva likes this.
  4. mbk1969

    mbk1969 Ancient Guru

    Messages:
    15,505
    Likes Received:
    13,526
    GPU:
    GF RTX 4070
    I am curious whether researchers publish tools (which they develop) in binary and/or source form.
     

  5. Dragondale13

    Dragondale13 Ancient Guru

    Messages:
    1,526
    Likes Received:
    243
    GPU:
    GTX 1070 AMP! • H75
  6. Denial

    Denial Ancient Guru

    Messages:
    14,201
    Likes Received:
    4,105
    GPU:
    EVGA RTX 3080
    I'd argue that users having no way of getting their CPUs patched is a bigger reason for those users to know about the issue than keep it secret. Even if they silently patch, the changes are going to show up in the kernel source for open systems and hackers will put two and two together. Either that or it will just leak through the netsec community regardless - tens of thousands of people work on securing these kernels - you're not going to keep that secret. This has been happening for years.

    Responsible disclosure is something we covered in our ethics class at RIT - there are a lot of good reasons for disclosing vulnerabilities to the public, and a lot of really intelligent people sat down and thought about the pros and cons and built a framework for properly disclosing. I think the 90 day deadline Project Zero gives companies is about as good as it gets and their guidelines are generally agreed upon as best practice in the industry. After that it's up to public scrutiny to keep these companies on their toes and to allow the public to make informed decisions about their security (replacing their processor if it cannot be patched).
     
    yasamoka likes this.
  7. vonSternberg

    vonSternberg Member Guru

    Messages:
    162
    Likes Received:
    52
    GPU:
    RX 560D
    So has anyone ever been affected by either Spectre or Meltdown? All I see is news about "new vulnerabilities" but never have I heard of someone actually having problems with this thing.

    Google only yields results to said news.
     
    jaggerwild and tensai28 like this.
  8. alanm

    alanm Ancient Guru

    Messages:
    12,222
    Likes Received:
    4,408
    GPU:
    RTX 4080
    I'll bet every hacker and malware creator on the planet has been vigorously active in trying to exploit these vulnerabilities ever since they were made public. And that they knew nothing about it before it was made public. Our security has been severely weakened as a consequence of announcing these vulnerabilities to the world.
     
    Clawedge, TheDeeGee and schmidtbag like this.
  9. Denial

    Denial Ancient Guru

    Messages:
    14,201
    Likes Received:
    4,105
    GPU:
    EVGA RTX 3080
    Spectre is more target specific/complex than Meltdown but both attack vectors are rather sophisticated. They require complex malware to be written to take advantage of them - the problem with both though is that they can't be detected... the payload could, but you wouldn't know if either attack occurred. So any breach could potentially lead to sensitive data being leaked off the target machine and no one would know better.

    Yeah except the majority of the netsec community knew about the breach weeks before the disclosure. Again, there are literally tens of thousands of people working on these kernel security patches between ARM/Intel/AMD/Microsoft/Linux/IBM/Etc - you're not going to keep it secret so the best case is give the good guys a head start and then let everyone know after a set amount of time so they can choose the best way to secure themselves.

    Not to mention all the other issues there are with keeping that stuff secret. You already have people here claiming that the majority of exploits are government installed backdoors... can you imagine if there was a concerted effort to keep them all hidden? The tinfoil hat nonsense would be 50x worse. Or the fact that Intel knew about the exploit nearly 6 months before it was disclosed and took its sweet time developing and validating fixes -- until it went public. Now as a consumer I'm supposed to just trust these companies to fix these problems without me knowing about it? Yeah right.
     
    Last edited: May 22, 2018
    yasamoka, vonSternberg and alanm like this.
  10. alanm

    alanm Ancient Guru

    Messages:
    12,222
    Likes Received:
    4,408
    GPU:
    RTX 4080
    Point well made. Still have a feeling we were compromised to some extent by a lot of the never-do-gooders who would not have known about it otherwise.
     

  11. schmidtbag

    schmidtbag Ancient Guru

    Messages:
    7,955
    Likes Received:
    4,336
    GPU:
    HIS R9 290
    I strongly disagree. Look at it in this way - you can either:
    A. Tell everyone about the problems and how they're exploited, where it becomes a race between either patching or exploiting the vulnerabilities. When there are people on platforms that can't/won't be patched, telling everyone about the problems ensures they are vulnerable.
    B. Tell everyone there are major low-level problems and what can/will be fixed, but remain very vague about everything else. That way, people are aware there's an issue, but hackers don't know how to take advantage of it in time.
    C. Don't mention anything to the public and patch everything silently. There can still be patches marked "security updates". Like many such updates, they can be left generalized and ambiguous, so they'd totally slip under the radar of hackers. Security updates to OSes are a regular thing, and I don't think the average hacker knows how to interpret CPU microcode, so the risk is very minimal. You are right in the sense that a hacker could keep tabs on updates (particularly with open-source OSes) but by the time that hackers both discover the update and how to exploit it, they're too late. If the details about the update are kept quiet, there's nothing obvious to the hacker about what is affected by the exploit.

    So in other words, if you go with option C, there's an incredibly slim chance a malicious hacker will succeed, let alone discover the problem in the first place. If you go with option B, the probability is much higher, but it encourages people to buy newer and more secure hardware so the long-term results are better. When you go with option A, all you're doing is encouraging hackers to take action.

    Option A is really no different than playing a poker game where you tell all the players what your hand is before the betting starts. Option B, meanwhile, is someone who just has a bad poker-face. Option C is the one who has a chance of winning the game, even if they have a bad hand. Doesn't mean C will win, but they're much more likely to.
     
    Last edited: May 22, 2018
  12. Dragondale13

    Dragondale13 Ancient Guru

    Messages:
    1,526
    Likes Received:
    243
    GPU:
    GTX 1070 AMP! • H75
  13. nosirrahx

    nosirrahx Master Guru

    Messages:
    450
    Likes Received:
    139
    GPU:
    HD7700
    @schmidtbag

    You vastly underestimate the resources and intelligence of the malware author side of the equation. Disclosing info does not help the bad guys, they have all of this info and more at their disposal.

    Disclosing the information gives as many people as possible access to what they need to create mitigation.

    Disclosure is required if you want firmware, OS, browser and online resources to all have the best chances of becoming immune to a new exploit.
     
  14. nevcairiel

    nevcairiel Master Guru

    Messages:
    875
    Likes Received:
    369
    GPU:
    4090
    Your main argument was about people that cannot get patches for some reason, so how can any hacker be "too late" when the door is never closing?

    In the 21st century, information cannot be kept secret. It'll get out, if only when some uninitiated security researcher that wasn't "in" on everything reads the kernel changes and starts figuring it out. That's basically how the initial Spectre leaked (among other things): it was committed to the Linux kernel. That was only a week before the planned disclosure date, but it still got out before it was meant to.

    There are other aspects as well. Spectre 1 basically has to be (partly) mitigated in software, so you have to inform all software developers what's going on so they can take the required steps as well.
     
  15. Denial

    Denial Ancient Guru

    Messages:
    14,201
    Likes Received:
    4,105
    GPU:
    EVGA RTX 3080
    It's not this simple. For starters, companies have no incentive to patch non-disclosed issues and even less incentive to share it with competitors and/or SIPs. The vulnerabilities are typically leaked by researchers internal to these companies and/or exploited by them - so they essentially are in the wild regardless of disclosure or not, except now no one even knows what to look for or even to look. There are like a billion other reasons - like I said we had an entire section of our ethics course dedicated to reasonable disclosure and why it's an important part of the security model. And while I can't remember all of the specific reasons (it was over 10 years ago now) I know that there are tens of thousands of people that put a ton of philosophical thought and/or research into it, similar to papers like this:

    http://www.techzoom.net/Papers/Modeling_The_Security_Ecosystem_(2009).pdf

    And the general consensus among them is the best way to handle it is to fully disclose the exploit after a period of time. It gives security teams of various companies time to patch their code with a head start, and after disclosure it gives companies that may not have been notified knowledge of the issue and 3rd party security companies the ability to mitigate it + it gives the public a chance to secure themselves and provides an incentive for the companies to patch the issues in a timely manner.

    For meltdown/spectre they had 180 days, for lesser attacks they have 90 days. That seems like a decent amount of time considering the severity of the exploit.
     
    yasamoka and Dragondale13 like this.

  16. WareTernal

    WareTernal Master Guru

    Messages:
    267
    Likes Received:
    53
    GPU:
    XFX RX 7800 XT
    Microcode updates going back to Sandy Bridge:
    https://support.microsoft.com/en-us...or-windows-10-version-1803-and-windows-server

    Intel has released BIOS updates back to Cougar Point/Sandy Bridge - I'm not seeing that from ASUS, MSI, or Gigabyte. My DP67DE got a BIOS even though it was EOL on 1/1/14 and the last BIOS was from 6/22/12. They did a good job covering the Q-series boards. Sadly they skipped my DZ77GA-70K, but they did make an update for DZ87KLT-75K.
     
    Dragondale13 likes this.
  17. warlord

    warlord Guest

    Messages:
    2,760
    Likes Received:
    927
    GPU:
    Null
    This crap has been going around the PC industry for months now, I'll pray for nuclear war if it doesn't stop. It is like noise for real life PC users. Propaganda at its finest, brain washing.

    Oh God! Spectre! Variants! Meltdown! blah blah blah blah blah, 25 years behind a PC screen, but I cannot tolerate this society anymore. I wish for a global format.
     
  18. schmidtbag

    schmidtbag Ancient Guru

    Messages:
    7,955
    Likes Received:
    4,336
    GPU:
    HIS R9 290
    And I can argue confidently the opposite of that. Remember, these vulnerabilities have been around for years and there is no evidence they have ever been exploited, even today. If malware authors were as successful as you claim, this problem would've been noted a long time ago.

    No, my point is since there are CPUs and OSes that can't/won't be patched, you don't want to unnecessarily draw attention to them, and how to exploit them. So in other words, in option A, you're not only told the door is open, but you're also told where it is. In option B, you're told the door exists and is open, but not where it is. In option C, you're not told the door exists. There's a much smaller chance to exploit an open door that you don't know about.
    Understood, but it is possible to delay the inevitable, and in doing so, you can reduce the damage. This is what I find the most crucial. When you tell hackers there's a problem and give enough specifics about how to exploit it before a patch has been widely deployed, you are doing a disservice to the public.
    Right, in which case informing the public is totally fine. But I'm referring more to the hardware-specific problems, and problems where software updates can't realistically be deployed (such as many ARM systems).

    Except to my understanding, most (not all) of these security issues only affect a select few devs (particularly, OS/kernel devs). Seeing as many of these devs are the ones who discovered the vulnerabilities in the first place (suggesting it is important to them), it makes sense they would have the incentive to fix the problems without publicizing it.
    These are no ordinary security problems. Even at a hardware level, these are a bit unusual.
    The worst thing you can do about ethics or morality is assume they apply universally (they don't) which in turn affects whether the action is justifiable. That's why people get culture shock when visiting certain countries, or why political differences exist within a single country or across generations. I'm not saying that what these tens of thousands of people think is wrong - what I'm saying is there are exceptions. And in the case with these vulnerabilities, there is a glaring exception:
    Millions of devices will not be patched.
    By telling hackers a problem exists, who is affected, and how to exploit it, you are actively putting people in danger who may have no solution. That is indisputably unethical by any definition. It is not realistic to expect all of them to transition to a new platform.

    This is no ordinary security problem, and it should not be treated as such.
     
  19. JamesSneed

    JamesSneed Ancient Guru

    Messages:
    1,689
    Likes Received:
    960
    GPU:
    GTX 1070
    I guess this will be one more reason to upgrade my Ryzen CPU when Zen 2 comes out, given they have a fix in silicon so perf isn't affected.
     
  20. nosirrahx

    nosirrahx Master Guru

    Messages:
    450
    Likes Received:
    139
    GPU:
    HD7700
    It was a new class of exploit and now that this class is known the research against it is actively being funded.

    You would also be surprised to learn that what you see in the news happened long ago in most cases. If the bad guys have access to an unknown exploit it won't be used to infect millions of Joe/Jane computers, it will be used in targeted attacks against high profile targets exclusively.

    The bad guys only disclose their tools once they are well known in the form of regular malware that affects everyone. Their most effective tools won't be used anywhere there are a lot of eyes.
     