CRITICAL: Meltdown and Specter CPU Bugs

[kuwanger]

I think that this scare is overblown, the likelihood of millions of people being hacked is very low.

Yes and no. Millions of people are hacked all the time. Odds are good that social engineering or other exploits will be more useful anyways--most hacking of users doesn't even need to spy on the kernel or whatever except possibly as a means to defeat ASLR or the like for the initial exploit. The real risk, IMHO, was (and still is) hackers getting access to private keys on cloud services to escalate to getting signing keys which then can be used to sign malware, forge SSL certificates, etc. Trying to clean up that mess for a lot of businesses and trying to well communicate users how to resolve it would be the worst of it. It doesn't help that most companies would pull an Intel and dissemble on what happened, be slow to acknowledge it happened, and generally try to shift blame away from the severity of it.

The real issue, IMHO, is that side-channel attacks on caches and speculation have both proved to be viable. Add in row hammer, and it seems more and more likely that some day someone will decide to write a malicious worm and do a lot of damage on the internet. Ironically, we're better off now precisely because malware writers are mostly financially interested and they want the internet to keep functioning. I don't think that's going to last forever. My gut feeling is this is going to blow over like rowhammer mostly has, people (especially in infrastructure) are going to make a half-hearted attempt to address the issue, and someone grey hat is going to decide that the world needs to be "taught a lesson".

 

[sansnumen]

Yes and no. Millions of people are hacked all the time. Odds are good that social engineering or other exploits will be more useful anyways--most hacking of users doesn't even need to spy on the kernel or whatever except possibly as a means to defeat ASLR or the like for the initial exploit. The real risk, IMHO, was (and still is) hackers getting access to private keys on cloud services to escalate to getting signing keys which then can be used to sign malware, forge SSL certificates, etc. Trying to clean up that mess for a lot of businesses and trying to well communicate users how to resolve it would be the worst of it. It doesn't help that most companies would pull an Intel and dissemble on what happened, be slow to acknowledge it happened, and generally try to shift blame away from the severity of it.

The real issue, IMHO, is that side-channel attacks on caches and speculation have both proved to be viable. Add in row hammer, and it seems more and more likely that some day someone will decide to write a malicious worm and do a lot of damage on the internet. Ironically, we're better off now precisely because malware writers are mostly financially interested and they want the internet to keep functioning. I don't think that's going to last forever. My gut feeling is this is going to blow over like rowhammer mostly has, people (especially in infrastructure) are going to make a half-hearted attempt to address the issue, and someone grey hat is going to decide that the world needs to be "taught a lesson".

I doubt that will happen. What is more concerning is foreign adversaries bringing down critical infrastructure like when hackers caused massive blackouts on the East Coast.

 

[330]

You really think someone is going to dig though low level machine code to hack your shit? I doubt it.

How easy is it to make a script to automatically sniff certain information from the cache?

 

[kuwanger]

I doubt that will happen. What is more concerning is foreign adversaries bringing down critical infrastructure like when hackers caused massive blackouts on the East Coast.

While I won't say that can't happen, I don't see that being something that Meltdown or Specter specifically granting. Now, using those tools to install spying software...although that too probably wouldn't likely require Meltdown or Specter.

 

[Xzi]

Has Microsoft released a meltdown fix on Windows update yet? Or are we still waiting on that?

 

[sansnumen]

While I won't say that can't happen, I don't see that being something that Meltdown or Specter specifically granting. Now, using those tools to install spying software...although that too probably wouldn't likely require Meltdown or Specter.

Spectre exploits can only read data. It's dangerous when dealing with servers and public crypto. For example, someone could steal some SSL keys and then impersonate legit https sites and steal credentials using fake sites with a legit SSL certificate. Scary stuff.

--------------------- MERGED ---------------------------

Has Microsoft released a meltdown fix on Windows update yet? Or are we still waiting on that?

Updates are rolling out now, however ancient PCs with ancient AMD chips like the Athlon 64 are bluescreening with the Meltdown/Spectre update.

 

[Psionic Roshambo]

Can this be used on game consoles to get encryption keys? Like maybe some good stuff can come out of this train wreck lol

 

[leerpsp]

Can this be used on game consoles to get encryption keys? Like maybe some good stuff can come out of this train wreck lol

Any things possible. But after I took the update with my laptop with an intel core i7 3.0GHz Microsoft edge stoped loading pages and windows will no longer take any more updates so I don't know what they did but i'm broke

 

[Xzi]

Any things possible. But after I took the update with my laptop with an intel core i7 3.0GHz Microsoft edge stoped loading pages and windows will no longer take any more updates so I don't know what they did but i'm broke

Damn that sucks. Probably gonna have to format that bish and update fresh.

 

[the_randomizer]

Spectre exploits can only read data. It's dangerous when dealing with servers and public crypto. For example, someone could steal some SSL keys and then impersonate legit https sites and steal credentials using fake sites with a legit SSL certificate. Scary stuff.

--------------------- MERGED ---------------------------



Updates are rolling out now, however ancient PCs with ancient AMD chips like the Athlon 64 are bluescreening with the Meltdown/Spectre update.

I'm wondering WTF would use those kinds of machines in 2018.

 

[sansnumen]

I'm wondering WTF would use those kinds of machines in 2018.

I've seen lots of potatoes around town that are still running XP. I usually see them in banks and hospitals and even some ATM machines.

 

[leerpsp]

Damn that sucks. Probably gonna have to format that bish and update fresh.

...... man that is gonna suck i'll have to back up my files and everything... I'm gonna hold off for at lest 2 more days before i do a reinstall.

 

[330]

I'm wondering WTF would use those kinds of machines in 2018.

Public schools! Hahaha...haha...hah...


I'm not that old yet I did my final High School exam with Office 97

 

[Armadillo]

Bios updates with the updated Microcode for spectre variant 2 have started to roll out for more boards now.

MSI have the z370 updates out now and will be rolling out updates for 100 series, 200 series, x299 and x99. Full list here
https://www.msi.com/news/detail/rKU...NhahW-TFJ96dI7K7NA9rKUsihP5smlrCseaHQstFxJw~~

Gigabyte are doing much the same and seem like they will only go back to x99.
http://www.gigabyte.eu/Press/News/1586

Gigabyte don't have anything up yet at the moment, just the press release and incomplete list.

Not seen any announcements from others. Z370 will obviously get it from everyone.

 

[MasterControl90]

Bios updates with the updated Microcode for spectre variant 2 have started to roll out for more boards now.

MSI have the z370 updates out now and will be rolling out updates for 100 series, 200 series, x299 and x99. Full list here
https://www.msi.com/news/detail/rKU...NhahW-TFJ96dI7K7NA9rKUsihP5smlrCseaHQstFxJw~~

Gigabyte are doing much the same and seem like they will only go back to x99.
http://www.gigabyte.eu/Press/News/1586

Gigabyte don't have anything up yet at the moment, just the press release and incomplete list.

Not seen any announcements from others. Z370 will obviously get it from everyone.

So no update at the moment for haswell, that's a shame :/

 

[the_randomizer]

So no update at the moment for haswell, that's a shame :/

Will there be one at all?

 

[MasterControl90]

Will there be one at all?

X99 runs haswell-e (same architecture but 6 and up cores) CPUs, so I don't see why they shouldn't update consumer haswell as well (no pun intended)

 

[Armadillo]

Forgot Asus list.

https://www.asus.com/News/V5urzYAT6myCC1o2

Same deal as the others. Back to X99, although only two of their X99 boards listed for some reason.

X99 runs haswell-e (same architecture but 6 and up cores) CPUs, so I don't see why they shouldn't update consumer haswell as well (no pun intended)

Gigabyte might be doing z97. Someone on another forum asked them and apparently they said z97 is being worked on.

You would think haswell would get an update from most, but haswell has been off the market much longer than x99. X99 was still the current hedt platform untill the middle of last year.

 

[sansnumen]

Unfortunately Intel screwed up big because they are telling people to hold off on accepting microcode updates. Apparently drivers are behaving incorrectly with Intel's new microcode updates. You have been warned.

 

[MasterControl90]

Unfortunately Intel screwed up big because they are telling people to hold off on accepting microcode updates. Apparently drivers are behaving incorrectly with Intel's new microcode updates. You have been warned.

I suppose they are rushing them out a bit too much