[BreachExchange] Meltdown and Spectre – The Gifts That Keep On Giving
Inga Goddijn
inga at riskbasedsecurity.com
Tue Mar 6 09:11:59 EST 2018
https://www.riskbasedsecurity.com/2018/03/meltdown-and-spectre-the-gifts-that-keep-on-giving/
It’s been some time since the news of the Intel processor vulnerabilities
dubbed Meltdown and Spectre broke. We wrote a blog on the initial
disclosure and subsequent press frenzy on January 4th, and an update on
January 9th covering additional aspects of the fallout. In the last month
and a half, the news coverage has been slow and steady with many aspects
flying under the radar. While many vulnerabilities with a patch may be out
of sight and out of mind, the problems with these patches continue to roll
in.
General
Since the disclosures, Intel has come under increasing fire and direct
questions. Last month The Register tore into Intel on Twitter in a thread
charging them with lying to just about everyone.
This turned out to be the least of their worries, as the chairman of the
House Energy and Commerce Committee, Greg Walden from Oregon, voiced
concern that China had knowledge of Meltdown and Spectre before the U.S.
government. This concern comes after the Wall Street Journal reported that
Intel shared the vulnerability information with several companies,
including some from China. According to SC Magazine Waldens’ committee sent
a letter to Intel among other companies on January 24th, asking them “to
explain their actions that lead to the public disclosure of the flaws
taking place six months after Intel was informed”. Intel replied to the
letter saying “it abided by standard industry practices in how and when it
disclosed the Spectre/Meltdown vulnerabilities in its processors”.
In our second blog, we gave some details that showed that these
vulnerabilities were not exactly new under the ‘Disclosure History
Addendum’ section. The prior work was thought to go back to 2005 based on
discussions at the time. Trammell Hudson pointed out that the foundation of
Meltdown and Spectre, speculative execution, was called out in a 1995 paper
titled “The Intel 80×86 Processor Architecture: Pitfalls for Secure
Systems“. It should be no surprise that Meltdown and Spectre are thought to
be the tip of the iceberg, with additional platforms and vulnerabilities
likely to be affected. In fact, talk of new variants are already making the
rounds with names such as MeltdownPrime, SpectrePrime, and Prime+Probe.
Finally, for those who enjoy the challenge of defense, AMD is looking for
help!
Skyfall & Solace
Around January 17, after the wave of press and fear around Meltdown and
Spectre, word started spreading of more chip vulnerabilities dubbed Skyfall
and Solace. A website was created for them with a vague and but menacing
warning that details would be published soon.
Five days after launch, after a considerable amount of speculation and
panic, along with a healthy dose of skepticism, the site was updated to
explain the teased vulnerabilities were not forthcoming, and just a hoax.
The new message tried to warn of the dangers of going to unknown sites,
saying that it could have hosted malware or a 0-day. The ‘lesson’ imparted
came across as naive and simplistic to some, and labeled as ‘attention
seeking’ by others. It should also be noted that this ‘Skyfall’ attack has
nothing to do with the 2001 attack under the same name.
Legal
As we started to cover in the last blog, the legal action over Meltdown and
Spectre is certainly interesting and likely to change the narrative on
vulnerabilities and liability to some degree. After the first wave of
lawsuits against Intel, AMD found themselves facing their own class-action
lawsuit “over false and misleading statements”. That quickly turned into at
least four class-action suits against AMD. In the same theme, Apple found
themselves on the receiving of a class-action lawsuit filed in California,
accusing them of not keeping products as secure as they advertised. These
lawsuits, regardless of disposition, will be important in legal circles as
it further establishes that advertising security may have repercussions. On
the back of the 2013 FTC action against TRENDnet camera vulnerabilities,
that was based on claims in “numerous product descriptions that they were
‘secure’”.
In addition to the disputed claims of security from Intel, at least one
class-action lawsuit also brings up that Intel’s CEO, Brian Krzanich, sold
millions of dollars of shares after Intel was informed of the
vulnerabilities, but before they were publicly disclosed. In addition to
the 30 or more lawsuits currently pending, Krzanich is not facing a fun
year ahead.
Detection & Testing
As patches continue to roll out and organizations still work on deploying
them to the vast majority of systems, more information and methods for
detecting the vulnerability have come to light. For example, Cody Pierce
has written an article about using hardware performance counters to detect
the attacks. Anders Fogh also pointed out that his proof-of-concept for
detecting cache side-channel attacks from BlackHat Briefings 2015 also
detects the Meltdown attack, reminding us again that the foundations for
this attack and defense pre-date Meltdown’s disclosure.
Matt Miller pointed out that Microsoft has released Powershell tools that
can query the status of Windows to determine if the mitigations for two of
the vulnerabilities are in place. On the flip side, more and more
proofs-of-concept are being released that demonstrate the attacks, if your
mind leans toward the ‘red’ side. Even worse for the ‘blue’ side, it has
been reported that exploitation can bypass Intel’s SGX defenses and be used
to snoop on enclaves.
Impact, Patches, and More Failure
Patches to mitigate Meltdown and Spectre from vendors have been problematic
to say the least. In addition to what was covered in our prior blog, there
has been a steady stream of patches that are causing serious issues for
customers. We’ve put together the below round-up of some of the articles
covering this mess, for those that want to read further. A brief sampling
of the news makes it clear that administrators are not having a good time
as they continue to try to mitigate for Spectre and Meltdown – and this
comes on top of their usual work of keeping systems patched and up to date.
We’ll continue to monitor this story as it develops.
- 2018-01-04 – Meltdown: the latest news on two major CPU security bugs (The
Verge
<https://www.theverge.com/2018/1/4/16850516/intel-meltdown-spectre-bug-patch-cpu-security-flaw-news>
)
- 2018-01-07 – Measuring OS X Meltdown Patches Performance (Reverse
Engineering Mac OS X Blog
<https://reverse.put.as/2018/01/07/measuring-osx-meltdown-patches-performance/>
)
- 2018-01-08 – Important information about Microsoft Meltdown CPU
security fixes, antivirus vendors and you (Double Pulsar
<https://doublepulsar.com/important-information-about-microsoft-meltdown-cpu-security-fixes-antivirus-vendors-and-you-a852ba0292ec>
)
- 2018-01-08 – More stuff broken amid Microsoft’s efforts to fix
Meltdown/Spectre vulns (The Register
<http://www.theregister.co.uk/2018/01/08/meltdown_fix_security_problems/>
)
- 2018-01-09 – Meltdown, Spectre bug patch slowdown gets real – and what
you can do about it (The Register
<http://www.theregister.co.uk/2018/01/09/meltdown_spectre_slowdown/>)
- 2018-01-09 – IBM melts down fixing Meltdown as processes and patches
stutter (The Register
<http://www.theregister.co.uk/2018/01/09/ibm_meltdown_spectre_patch_issues/>
)
- 2018-01-09 – CPU bug patch saga: Antivirus tools caught with their
hands in the Windows cookie jar (The Register
<http://www.theregister.co.uk/2018/01/09/meltdown_patch_anti_malware_conflict/>
)
- 2018-01-10 – Meltdown & Spectre Patches Causing Boot Issues for Ubuntu
16.04 Computers (Bleeping Computer
<https://www.bleepingcomputer.com/news/software/meltdown-and-spectre-patches-causing-boot-issues-for-ubuntu-16-04-computers/>
)
- 2018-01-10 – Intel, Microsoft confess: Meltdown, Spectre may slow your
servers (The Register
<http://www.theregister.co.uk/2018/01/10/intel_allows_that_meltdown_and_spectre_may_slow_servers_down/>
)
- 2018-01-10 – IBM’s complete Meltdown fix won’t land until mid-February
(The Register
<http://www.theregister.co.uk/2018/01/10/ibm_meltdown_spectre_patches_not_arriving_until_mid_february/>
)
- 2018-01-10 – A mess of Microsoft patches, warnings about slowdowns —
and antivirus proves crucial (Computer World
<https://www.computerworld.com/article/3246633/microsoft-windows/a-mess-of-microsoft-patches-warnings-about-slowdowns-and-antivirus-proves-crucial.html>
)
- 2018-01-12 – Intel’s Meltdown fix freaked out some Broadwells,
Haswells (The Register
<http://www.theregister.co.uk/2018/01/12/intel_warns_meltdown_spectre_fixes_make_broadwells_haswells_unstable/>
)
- 2018-01-15 – Now Meltdown patches are making industrial control
systems lurch (The Register
<https://www.theregister.co.uk/2018/01/15/meltdown_ics/>)
- 2018-01-15 – Google claims its Spectre patch results in ‘no
degradation’ to system performance (The Inquirer
<https://www.theinquirer.net/inquirer/news/3024392/google-claims-its-spectre-patch-results-in-no-degradation-to-system-performance>
)
- 2018-01-18 – Intel Claims 90 Percent of Affected CPUs Have Live
Patches Just as Rumors of New Attacks Arrive (Gizmodo
<https://gizmodo.com/intel-claims-90-percent-of-affected-cpus-have-live-patc-1822192075>)
[90%, really?! – RBS]
- 2018-01-21 – RedHat reverts patches to mitigate Spectre Variant 2 (
Ghacks
<https://www.ghacks.net/2018/01/21/redhat-reverts-patches-to-mitigate-spectre-variant-2/>
)
- 2018-01-22 – Intel advises companies to stop installing
Spectre/Meltdown update (SC Magazine
<https://www.scmagazine.com/intel-advises-companies-to-stop/article/738625/>
)
- 2018-01-22 – Meltdown/Spectre week three: World still knee-deep in
something nasty (The Register
<http://www.theregister.co.uk/2018/01/22/meltdown_spectre_week_three_the_good_the_bad_and_the_wtf/>
)
- 2018-02-22 – Here We Go Again: Intel Releases Updated Spectre
Patches (Bleeping
Computer
<https://www.bleepingcomputer.com/news/hardware/here-we-go-again-intel-releases-updated-spectre-patches/>
)
- 2018-01-23 – HP Reissuing BIOS Updates After Buggy Intel Meltdown and
Spectre Updates (Bleeping Computer
<https://www.bleepingcomputer.com/news/hardware/hp-reissuing-bios-updates-after-buggy-intel-meltdown-and-spectre-updates/>
)
- 2018-01-23 – Dell Advising All Customers To Not Install Spectre BIOS
Updates (Bleeping Computer
<https://www.bleepingcomputer.com/news/security/dell-advising-all-customers-to-not-install-spectre-bios-updates/>
)
- 2018-01-23 – Intel Halts Spectre/Meltdown Patching for Broadwell and
Haswell Systems (ThreatPost
<https://threatpost.com/intel-halts-spectre-meltdown-patching-for-broadwell-and-haswell-systems/129615/>
)
- 2018-01-26 – Intel’s 9th-generation ‘Ice Lake’ CPUs will have fixes
for Meltdown, Spectre (Digital Trends
<https://www.digitaltrends.com/computing/intel-meltdown-spectre-silicon-fixes-ice-lake/>
)
- 2018-01-30 – Microsoft rushes Spectre patch to disable Intel’s broken
update (Tech Target
<http://searchsecurity.techtarget.com/news/252434059/Microsoft-rushes-Spectre-patch-to-disable-Intels-broken-update>
)
- 2018-02-09 – VMware sticks finger in Meltdown/Spectre dike for virtual
appliances (The Register
<https://www.theregister.co.uk/2018/02/09/vmware_temp_fixes_for_meltdown_spectre_for_virtual_appliances/>
)
- 2018-02-14 – Microsoft’s compiler-level Spectre fix shows how hard
this problem will be to solve (Ars Technica
<https://arstechnica.com/gadgets/2018/02/microsofts-compiler-level-spectre-fix-shows-how-hard-this-problem-will-be-to-solve/>
)
- 2018-02-28 – Intel Releases Updated Spectre Fixes for Broadwell and
Haswell Chips (ThreatPost
<https://threatpost.com/intel-releases-updated-spectre-fixes-for-broadwell-and-haswell-chips/130144/>
)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180306/45ae8bcb/attachment.html>
More information about the BreachExchange
mailing list