Meltdown and Spectre - Security flaws put virtually all phones, computers at risk

[kach22i]

I heard about this on NPR this morning.

Meltdown and Spectre

Security flaws put virtually all phones, computers at risk
https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO

Quote:

FRANKFURT/SAN FRANCISCO (Reuters) - Security researchers on Wednesday disclosed a set of security flaws that they said could let hackers steal sensitive information from nearly every modern computing device containing chips from Intel Corp, Advanced Micro Devices Inc and ARM Holdings.

A Critical Intel Flaw Breaks Basic Security for Most Computers
https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/

Quote:

Earlier this week, security researchers took note of a series of changes Linux and Windows developers began rolling out in beta updates to address a critical security flaw: A bug in Intel chips allows low-privilege processes to access memory in the computer's kernel, the machine's most privileged inner sanctum. Theoretical attacks that exploit that bug, based on quirks in shortcuts Intel has implemented for faster processing, could allow malicious software to spy deeply into other processes and data on the target computer or smartphone. And on multi-user machines, like the servers run by Google Cloud Services or Amazon Web Services, they could even allow hackers to break out of one user's process, and instead snoop on other processes running on the same shared server......................

Although both attacks are based on the same general principle, Meltdown allows malicious programs to gain access to higher-privileged parts of a computer's memory, while Spectre steals data from the memory of other applications running on a machine. And while the researchers say that Meltdown is limited to Intel chips, they say that they've verified Spectre attacks on AMD and ARM processors, as well.

The fix they are working on will may slow down your computer and or phone.

https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/

Quote:

Register, which was also the first to report on the Intel flaw, those delays could be as much as 30 percent in some cases, although some processes and newer processors are likely to experience less significant slowdowns.

Or not?


Chip Design Flaw Not Limited to Intel, Researchers Say
https://www.pcmag.com/news/358249/intel-chips-have-a-major-design-flaw-and-the-fix-means-slowe

Quote:

UPDATE: In a statement, Intel said the problem isn't unique to Intel products and denied that it would drag down performance for the average computer user.

These updates are not reassuring.

https://www.pcmag.com/news/358249/intel-chips-have-a-major-design-flaw-and-the-fix-means-slowe

Quote:

UPDATE 2: The Intel flaw involves two vulnerabilities that can be used to steal your passwords, emails, and any other sensitive data you have on your computer, according to the security researchers who uncovered the bugs.

They gave them their own logos..................oh boy.

https://www.pcmag.com/news/358249/intel-chips-have-a-major-design-flaw-and-the-fix-means-slowe

[pwd72s]

Being not computer savvy at all, I understand none of the above. I think I figured out that my cheap TRAC phone, which isn't a "smart phone" is the safe one. Otherwise, the desktop is vulnerable. Only solace is that I've never posted a card number on the net, but it's probably listed in the 'puter of anybody I've given a phone order to.

[URY914]

The real question is will my wife be able to find out my porn accounts?

[GH85Carrera]

I guess for people that work with highly sensitive documents, it may well be a real problem for a short while.

For the fast majority of us, I an not too worried. It is scary the information I have on my iPhone. From access to my bank accounts to the data files for my personal Quicken files to my company files. I back up my computer data files to my phone. In case of a fire or a burglary, my computer has passwords, and my phone is always with me. I figure if the FBI can't hack into an iPhone, it is secure from any thief that steals it. I do make a backup of some data that is taken over to my business partners house and put on the RAID. I need to do that more often.

[jyl]

I don't think it's much of an issue for a single user device like a phone or PC. This vulnerability requires malicious code to be running undetected on the device. If that's the case then you're pretty compromised anyway. I guess it could be used to defeat encryption on the device.

Seems like more of an issue for a server shared by multiple users. Because one user could run malicious code that gets at other users' data.

These two vulnerabilities will be addressed with patches, which may slow some applications but probably not most by much, and CPU designers will be taking the vulnerabilities into account when designing the next chips.

I'm not saying this isn't worrisome, but Equifax just exposed sensitive financial and personal data for a third of the US and that didn't require any fancy architecture vulnerability.

[kach22i]

Thank you for your voices on this.

It really sounded like there is nothing a user can do to fix, and it's up to future patches.

[jyl]

Yeah, and seems likely that your PC Mac or phone has already been patched. The industry has been secretly working on this for six months or so. It's pretty impressive actually.

https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

[kach22i]

Quote:

Originally Posted by jyl

The industry has been secretly working on this for six months or so. ............

I told my wife when the news broke yesterday that if we are hearing about it now, the damage is already done and it's been a long known problem in the industry.

We only know what they want us to know.

[legion]

I guess the my next computer will have an AMD processor.

[kach22i]

Quote:

Originally Posted by legion

I guess the my next computer will have an AMD processor.

Because then you would only have to worry about Specter type attacks and not Meltdown?

From the article recently posted:
https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

Quote:

It's true that AMD didn't actually reveal the details of the flaw before the embargo was up, but one of the company's developers came very close. Just after Christmas, an AMD developer contributed a Linux patch that excluded AMD chips from the Meltdown mitigation. In the note with that patch, the developer wrote, "The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault."

[legion]

I'm reading the arstechnica article now.

The television news report I saw last night stated that the new flaw was only an Intel problem. It also didn't say that there were two flaws. Typical news reports where the reporters know nothing of the topic...

[RKDinOKC]

These flaws do not effect you unless you get malware that takes advantage of it. Malware in an email or on a web site takes action on your part to install and run. Think before you click a link.

It will be quite some time before this is actually patched and may require a new computer since part of it is an actual processor flaw.

But again, it takes some kind of malware to take advantage. Anti-Virus software does NOT stop malware. You do.

[GH85Carrera]

Actually a good antivirus will stop malware from running. We use one software package that we paid a LOT of money to buy. It is how we make 3D computer models from aerial photos of cities or a specific site. It is not used a lot worldwide and I have to go and disable the anti-virus completely just to install it. And every update is the same thing, disable the antivirus first. It is real annoying, but it works.

[masraum]