This week in computer security

Joined
Nov 5, 2006
Messages
21,952
Location
Old Europe
Are police mails just forgery of emails or something different?
-
Read article. Vaguely that sounds like old news. The software for this stuff is really lame and easy to hack (from what I remember reading - what's that conference they have with the hackers). In fact they demonstrated that you could hack even 'secure' voting systems in under 20 minutes with no prior knowledge of the system. Some of it is just using Windows known exploits and some of it is the lameity of how these systems are secure and lack of secure transport layers.
 
Joined
Oct 20, 2006
Messages
7,758
Location
usa - no longer boston
Joined
Nov 8, 2014
Messages
12,085
@Ripper; - bad stuff all around… Interesting to see that AMD has another security issue: the glee expressed by some AMD supporters was quite disgusting. The general view was that AMD was immune to security issues and superior in every way etc. etc. The word hubris springs to mind :)
 
Joined
Aug 23, 2007
Messages
2,144
Location
Cape Town, South Africa
Well, there are two different flaws. The 'AMD' flaw, from my reading, sounds less like a chip flaw and more like a software-running-on-AMD-processor flaw, so I will give them a pass here. Also, this 'flaw' is very difficult to utilize, so on first reading the success rate via hackers will be low (success is obtaining sensitive information once a virus is installed). The first flaw is much more serious and is a hardware-level bug. Shame on Intel.

[I run Intel processors, not AMD].

@Ripper; - bad stuff all around… Interesting to see that AMD has another security issue: the glee expressed by some AMD supporters was quite disgusting. The general view was that AMD was immune to security issues and superior in every way etc. etc. The word hubris springs to mind :)
 
Joined
Oct 20, 2006
Messages
7,758
Location
usa - no longer boston
Both flaws are related, in that they potentially allow speculative operations on the CPU to be exploited. The Intel case is more serious, as it allows speculative operations access to kernel memory in a way which can bypass the security checks, which is very dangerous. The Spectre exploit that affects all major CPUs is similar, but only allows for more difficult attacks that may be less practical. There is a suggestion that speculative CPU operations may now be generally considered insecure in their current form, which would be a big problem.

The Intel exploit, being so nasty, requires a very heavy-handed fix on the OS, in which the efficient method of switching from kernel mode to user mode must be abandoned in favor of a more rigid and inefficient, but safer, technique. This will result in a performance penalty in some situations, which could be significant. Hopefully, because games are largely user mode tasks, any impact will be minimal.
 
Joined
Nov 8, 2014
Messages
12,085
Exactly what you said in the last sentence.
Gamers shouldn't care about these vulnerabilities at all.
 
Joined
Apr 12, 2009
Messages
23,459
That's what they are saying, but I'm going to wait and see before applying the patch. If I hear about major slowdowns in games or just everyday computing, I will not get the patch.
 
Joined
Oct 2, 2009
Messages
2,246
Location
Pacific NorthWest, USA!
I think it'll be hard to avoid the patch - I expect MS will force it as a mandatory update to the kernel. I've heard, though, that there will be an option to boot into insecure mode, which will be vulnerable, but faster.
 
Joined
Nov 8, 2014
Messages
12,085
They are only related in that they potentially allow access to sensitive information outside of the program address space. They are, from a technical perspective (that is, how they obtain this information), unrelated.

Both flaws are related, in that they potentially allow speculative operations on the CPU to be exploited. The Intel case is more serious, as it allows speculative operations access to kernel memory in a way which can bypass the security checks, which is very dangerous. The Spectre exploit that affects all major CPUs is similar, but only allows for more difficult attacks that may be less practical. There is a suggestion that speculative CPU operations may now be generally considered insecure in their current form, which would be a big problem.

The Intel exploit, being so nasty, requires a very heavy-handed fix on the OS, in which the efficient method of switching from kernel mode to user mode must be abandoned in favor of a more rigid and inefficient, but safer, technique. This will result in a performance penalty in some situations, which could be significant. Hopefully, because games are largely user mode tasks, any impact will be minimal.
 
Joined
Oct 20, 2006
Messages
7,758
Location
usa - no longer boston
They are only related in that they potentially allow access to sensitive information outside of the program address space. They are, from a technical perspective (that is, how they obtain this information), unrelated.

I would say they are closely related, in that they are variants of essentially the same problem. Have a look at Google's own technical assessment.

https://googleprojectzero.blogspot.nl/2018/01/reading-privileged-memory-with-side.html

Both vulnerabilities are classified under a single article as "Reading privileged memory with a side-channel", and they go so far as to define Spectre as variants 1 and 2, and Meltdown as variant 3. Both vulnerabilities occur due to a lack of security in the speculative execution behavior of modern CPUs. I think it's fair to say they are related from a "technical perspective".
 
Joined
Nov 8, 2014
Messages
12,085
Before any of these are possible, your PC needs to be compromised first. You need to (unknowingly) install something. Also it can read memory it does not have access to, but that memory does not necessarily have to contain any information that is usable. It could, but it all depends on what you do on your PC.
Obviously, a lot of people do not take security that seriously; I understand quite a number of people don't even patch their OS, so it will definitely have its impact.

For PCs, the best solution would be for Intel to deliver processor chips where the issues are fixed, but they probably would like to sell their stock first.
 
Joined
Aug 30, 2006
Messages
11,223
From what I've read, although Intel could improve their chips to protect against the Meltdown variant, getting rid of the wider class of Spectre vulnerabilities could be a much taller order, and require going back to the drawing board on some key aspects of current CPU design. Could take years.
 
Joined
Nov 8, 2014
Messages
12,085
Nasty indeed. The browser manufacturers are scrambling to introduce measures that will block or make harder the JavaScript attacks, but this still leaves us in a very unsatisfactory and unsafe position. This relies upon the correctness of the browser - any bugs, flaws, or unknown attacks could still allow access to kernel memory of the system, and potentially escalate privilege to own the system.
 
Joined
Nov 8, 2014
Messages
12,085
Exactly what you said in the last sentence.
Gamers shouldn't care about these vulnerabilities at all.
Yeah - well, in a direct sense anyway, I don't think this is any more terrible than any of the 100 latest viruses that popped up. I guess BOINC may run slower after the patch but no big deal there.

Indirect issues are another matter… like my electric company giving away my bank account info because the supposedly secure cloud service they use to process it gives it away to an abusive process running at the same time.

Fortnite is doing an upgrade to fix the issue: http://www.pcgamer.com/fortnite-ser...-for-the-next-week-because-of-meltdown-patch/
 
Joined
Aug 3, 2008
Messages
8,253
Location
Kansas City
Joined
Aug 13, 2013
Messages
2,871
Microsoft reports that older hardware (Haswell and earlier) will see significant slowdown (esp. under versions of Windows older than Windows 10).
https://www.engadget.com/2018/01/09/microsoft-meltdown-spectre-performance-hit/

Yes, it's not good. In Linux land, where things are more open, there's been a lot of benchmarking with the new patches on various workloads. There seem to be three main patches: KPTI - which enforces stricter and slower segregation of kernel and user memory for Meltdown, Retpoline - which frustrates some variants of Spectre, and the microkernel updates. Taken together, the impact is pretty heavy in some scenarios, and degrades general performance to some degree.
 
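Added example, not part of any post in this thread: on Linux, whether the KPTI and Retpoline patches mentioned above are actually active can be read from the kernel's `/sys/devices/system/cpu/vulnerabilities/` files (kernel 4.15 and later). The sample status strings and the helper names below are constructed for illustration.

```python
import os
import tempfile

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"  # real path on Linux 4.15+

# sysfs entry -> the mitigation it reports on (labels are this example's own)
ENTRIES = {
    "meltdown": "KPTI (kernel page-table isolation)",
    "spectre_v1": "kernel code hardening",
    "spectre_v2": "Retpoline / CPU microcode",
}

def classify(status):
    """Map a kernel status line to mitigated / vulnerable / not_affected / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # empty or unrecognised: treat as unverified, not as safe

def read_statuses(base_dir=SYSFS_DIR):
    """Return {entry: (raw_status, verdict)}. A missing file usually means the
    kernel predates the reporting interface, so the verdict is 'unknown'."""
    out = {}
    for name in ENTRIES:
        try:
            with open(os.path.join(base_dir, name)) as fh:
                raw = fh.read().strip()
        except OSError:
            raw = ""
        out[name] = (raw, classify(raw))
    return out

def unmitigated(statuses):
    """Entries that are vulnerable or could not be verified."""
    return sorted(n for n, (_, v) in statuses.items() if v in ("vulnerable", "unknown"))

def make_sample_dir():
    """Constructed sample: a host with KPTI on but no Spectre v2 mitigation."""
    d = tempfile.mkdtemp()
    sample = {"meltdown": "Mitigation: PTI", "spectre_v1": "Mitigation: __user pointer sanitization", "spectre_v2": "Vulnerable"}
    for name, text in sample.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text + "\n")
    return d

if __name__ == "__main__":
    base = SYSFS_DIR if os.path.isdir(SYSFS_DIR) else make_sample_dir()
    for name, (raw, verdict) in read_statuses(base).items():
        print(f"{name:11} {verdict:13} {ENTRIES[name]}: {raw or '(no report)'}")
```
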
Joined
Nov 8, 2014
Messages
12,085
Yep, if you are like me and many others who are holding onto Windows 7 come hell or high water, this "fix" hits those systems hard. No way in hell am I downloading this patch.

Not only that, but there are reports that the patch itself is causing blue screens and Microsoft had to remove it just to fix the patch. This is just one more reason why I hate the new versions of Windows, because it is all about auto-patching and Microsoft took the control away from the user. I always have Windows Update set to notify me only, and then I decide whether to get the patches, just in case Microsoft releases crap like this.

The patch is called "2018-01 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4056894)" for those who want to avoid it.
 
Joined
Oct 2, 2009
Messages
2,246
Location
Pacific NorthWest, USA!