Getting root would require additional exploits on top of this. This is information leak rather than escalation of privilege.
For comparison, a typical iOS jailbreak often involves 7 or so different exploits chained together.
Looks like MS is pushing the cumulative update out ahead of Patch Tuesday. I’m downloading it on my desktop, but my Surface Book hasn’t gotten it yet. And I’m not on any fast or slow rings. Just the normal, everyday user ring.
Yup, it’s KB4056892.
https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892
They are saying the exploit could work in javascript on a webpage.
Details and POC are obviously still under embargo.
What is the difference between Meltdown and Spectre?
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers (Meltdown and Spectre).
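To make the Spectre half of that answer concrete, here is an added illustration (not from the FAQ quoted above and not from either paper's code): the "bounds check bypass" gadget shape that the Spectre paper describes, next to a branch-free index mask in the style of the Linux kernel's array_index_nospec(). The arrays, the "secret" string and the 512-byte probe stride are constructed for the demo. The code shows only the architectural behaviour; the cache-timing probe that would actually recover the speculatively loaded byte is deliberately not included, since its result is hardware-dependent.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration: a 16-entry "public" array the victim is allowed
   to index, and a separate "secret" the attacker wants. The layout is an
   assumption for the demo, not a real target. */
#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
static const char secret[] = "The Magic Words are Squeamish Ossifrage.";

/* 256 entries, 512-byte stride: one cache line per possible byte value.
   This is the probe array whose cache state a Flush+Reload timing probe
   would later read back. */
#define STRIDE 512
static uint8_t array2[256 * STRIDE];

/* Spectre variant 1 gadget (the paper's "bounds check bypass" shape).
   Architecturally an out-of-range x returns 0 and touches nothing. While
   the branch is mispredicted, the CPU may load array1[x] out of bounds and
   use that byte to pick a line of array2, leaving a cache footprint. */
uint8_t victim_vulnerable(size_t x) {
    if (x < ARRAY1_SIZE) {
        return array2[array1[x] * STRIDE];
    }
    return 0;
}

/* Branch-free index clamp in the style of Linux's array_index_nospec().
   For index < size the mask is all ones and index passes through;
   otherwise the mask is zero and the index collapses to 0. Because no
   branch is involved, the speculative path cannot use an out-of-range
   index either. Relies on arithmetic right shift of a negative value,
   which GCC and Clang both implement. */
size_t index_nospec(size_t index, size_t size) {
    intptr_t mask = ~(intptr_t)(index | (size - 1 - index));
    mask >>= (sizeof(mask) * 8 - 1);
    return index & (size_t)mask;
}

/* Hardened gadget: same architectural behaviour, but the index reaching
   array1 is masked before use. */
uint8_t victim_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * STRIDE];
    }
    return 0;
}

/* Offset that, passed as x, would make the vulnerable gadget read the
   first byte of `secret` during speculation (the paper's PoC computes
   its malicious index the same way). */
size_t malicious_offset(void) {
    return (size_t)((uintptr_t)secret - (uintptr_t)array1);
}

int main(void) {
    size_t x = malicious_offset();
    printf("malicious x = %zu (architecturally out of bounds)\n", x);
    printf("vulnerable returns %u, hardened returns %u\n",
           victim_vulnerable(x), victim_hardened(x));
    printf("masked index for x: %zu (in-bounds 5 stays %zu)\n",
           index_nospec(x, ARRAY1_SIZE), index_nospec(5, ARRAY1_SIZE));
    return 0;
}
```

Both functions return the same values for every input, which is exactly why a conventional test suite cannot tell them apart: the difference is only in what the CPU may touch while the `x < ARRAY1_SIZE` branch is being resolved. Compile with optimisation enabled and inspect the assembly if you want to confirm the masked version keeps the clamp in the data path rather than turning it back into a branch.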
Demo of meltdown linked in article above.
Hmm yes this is also concerning
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
Yikes
Computer security experts have discovered two major security flaws in the microprocessors inside nearly all of the world’s computers.
The two problems, called Meltdown and Spectre, could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers, and servers running in so-called cloud computer networks.
There is no easy fix for Spectre, which could require redesigning the processors, according to researchers. As for Meltdown, the software patch needed to fix the issue could slow down computers by as much as 30 percent — an ugly situation for people used to fast downloads from their favorite online services.
Further
Amazon told customers of its Amazon Web Services cloud service that the vulnerability “has existed for more than 20 years in modern processor architectures.” It said that it had already protected nearly all instances of A.W.S. that use Amazon’s tailored version of the Linux operating system software, and said Wednesday that it would apply the Microsoft patch.
And the cherry on top
The other flaw, Spectre, affects most processors now in use, though the researchers believe this flaw is more difficult to exploit. There is no known fix for it, and it is not clear what chip makers like Intel will do to address the problem.
Spectre is a problem in the fundamental way processors are designed, and the threat from Spectre is “going to live with us for decades,” said Mr. Kocher, the president and chief scientist at Cryptography Research, a division of Rambus.
“Whereas Meltdown is an urgent crisis, Spectre affects virtually all fast microprocessors,” Mr. Kocher said. An emphasis on speed while designing new chips has left them vulnerable to security issues, he said.
“We’ve really screwed up,” Mr. Kocher said. “There’s been this desire from the industry to be as fast as possible and secure at the same time. Spectre shows that you cannot have both.”
Wow this is terrible, I run simulation code often for my job on Intel processors and every % slowdown affects how productive I can be.
Question for those in the know: is there any way to use this exploit to figure out passwords that involve clicking specific buttons on a screen (commonly seen in online banking)?
There’s no practical exploit for these attacks known at this time. I am only halfway through the Project Zero write-up, but it strikes me as the kind of thing that you pretty much have to be a nation state to exploit. I think that it is far more likely to be usable against devices with a cloned environment running on them (like a point-of-sale terminal) than ad hoc systems.
Yup. Practical exploits are possible but hard to pull off, in a way.
Is that always the case, or is that the case until someone makes an attack kit that anyone can download?
Possibly this, but it still might be hard to string an effective attack together if all that is leaking are literal bits at a time. I have not read the PZ stuff yet, but my impression is the bug does not allow you to target specific areas of memory, so getting meaningful data would require a lot of time and some super skills to reconcile?
How do we know someone hasn’t been using the exploit for a few weeks or longer and is sitting on all the data it’s collected for later use?
We don’t, but this is no different from any other 0-day in that regard.
VMware’s initial advisory is up:
https://www.vmware.com/security/advisories/VMSA-2018-0002.html
Up-to-date versions of vSphere 5.5 and above are apparently unaffected (current GA is 6.5). I gather previous patches addressed other issues that mitigate this as well (they disabled Transparent Page Sharing by default back in vSphere 5.5, which mitigated Rowhammer).
Now, that means the ESXi OS itself, which makes sense since, even if an attacker had access, it does not run untrusted user-mode code. Guest OSes are still vulnerable themselves and require patching as per MS/Linux, etc. guidance. Performance impact will come down to the effect of guest patching. But my read of their take is that even a vulnerable guest could not execute code that would read adjacent memory on the host. I think, anyway. Initial advisory anyway; I expect further info will be posted by them and all related vendors as this is better understood.
If your simulation is on Linux, there’s a boot flag you can use to not use the workaround, provided you fully understand the security ramifications of doing so.
Google informed the major players of this flaw back in June.
What about Cyrix 686?