Hardware & Technical All CPU's affected by SPECTRE Vulnerability

[GammaZ]

By not executing code that exploits that vulnerability, or preventing it from executing in a way that causes harm.

For example, the Firefox 57.0.4 patch prevents (or seriously mitigates) javascript from being used as an attack vector: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

There is a crapton of hardware errata in any modern processor, and firmware or software mitigations are common practice. Eventually, once essentially everything is patched, it will be exceedingly rare to find an attack vector even on vulnerable hardware, and people will stop trying to take advantage of the vulnerability because the number of viable targets will be minuscule.

Meltdown and Spectre are pretty serious issues, but it's not the end of the world.

Anyway, the AV patches mention aren't so AV can protect against Meltdown and Specter (they can't, except by detecting and quarantining malware/viruses that use it), it's so the Windows mitigations don't brick the AV (which essentially use rootkits that the Windows patch would break, making unpatched versions of the AV nonfunctional).

But it has to detect the code that exploits vulnerability first, which is, both judging by common sense and the original paper published by research team which discovered vulnerability is "theoretically possible but highly unlikely".

Yes, sure there are a lot of CPU (and not only CPU) "bugs" which can be exploited, rowhammer is nasty one too as an example, and some of them are not even completely mitigated especially in home PC-s, but when there is such hype around some of them it usually leads to a lot of exploits "in the wild"...

Patching AV itself to protect it from exploit makes sense though, unlike claims about protecting OS...


Also, played around with proof-of-concept code which was published along with the paper, and it is a lot of fun. For example it was easily capable of breaching guest isolation from inside VM running on rather old version of vmware player on unpatched windows.

 

[Necronaught]

Personally I'm partying like it's £19.99

Wetherspoons?

 

[Morbad]

But it has to detect the code that exploits vulnerability first

No, it doesn't.

Using the Firefox/javascript example, the two initial fixes make the exploit far harder to use by reducing the accuracy of the timers provided and blocking access to the sharedarraybuffer. Since these are timing attacks, not being able to use a high resolution timer dramatically decreases the likelyhood of them being able to compromise data.

 

[GammaZ]

No, it doesn't.

Using the Firefox/javascript example, the two initial fixes make the exploit far harder to use by reducing the accuracy of the timers provided and blocking access to the sharedarraybuffer. Since these are timing attacks, not being able to use a high resolution timer dramatically decreases the likelyhood of them being able to compromise data.

Firefox is kind of a special case here, since java script they are talking about is executed within its sandbox, not by OS directly. As a result it is possible to limit what can be done by java script in this case.
How does it apply to AV though?

 

[ITZC0ATL]

I work in cyber security and have wrote up a piece with info about Meltdown and Spectre. The below segments are all written in lay-person terms, so should hopefully be understandable for people who aren't knee deep in IT security.

How do Meltdown and Spectre work?

Spoiler

There has also been a lot of confusion around what exactly these two vulnerabilities are, and more importantly, how to protect yourself and your business against them so please do read on. Almost any electronic device with a processor is fair game to at least one of these vulnerabilities, be it a server, PC, mobile or smart device.

Firstly, it’s important to explain what exactly speculative execution is, as this is the CPU feature that both vulnerabilities take advantage of. Speculative execution makes for much quicker and more efficient processing, as without it, your processor would be idling most of the time. To put it simply, it takes time for your PC to speak to itself. Your CPU and RAM will both read/write much quicker than, say, your hard drive. There can also be multiple stages to go through when reading/writing to RAM and subsequently the CPU, and this will all add time to each process you undertake. However, through speculative execution, your processor essentially tries to ‘guess’ what the outcome of a query may be. Then, when the actual result comes in from the rest of your PC, if the guess was correct then your CPU has saved you time and will proceed to the next step, or if the guess comes back incorrect, the CPU simply discards that fork and then works with the updated information. Speculative execution has been a core feature in processors for over two decades now, and more often than not, the guesses are correct and save us processing time. This is where Meltdown and Spectre come in. They both take advantage of this feature, although in different ways.

What’s the difference between Meltdown and Spectre?

Spoiler

In order to be more efficient, certain security checks are not present during speculative execution. Meltdown is able to ‘trick’ your CPU into speculative execution, and then exploits it into allowing the malware unrestricted access to read everything the CPU accesses, through the cache. The scary part? Meltdown can use this vulnerability to read the CPU cache of not just the user that ran the malware, but of any user on that machine, even administrator accounts. So far, this one is only believed to affect Intel and ARM processors (good news for any AMD users).

Spectre, on the other hand, is a bit more technical and a bit more nasty – and it affects all modern CPUs. This vulnerability doesn’t just access the data used in speculative execution, it manipulates it. To take a quick example, let’s say you’ve been asked what the answer to 2 + 2 is, and you’ve been asked to check it 100 times. Chances are, if you do the math 99 times and the answer is always 4, then you’re going to assume that the 100th time will also yield the answer 4. This is essentially how your processor is able to ‘guess’ what’s going to come next. However, Spectre is able to take advantage of this by ‘training’ your CPU and running a process hundreds of times in an attempt to manipulate what it will guess – allowing it to control the speculative execution. Again, this can allow hackers access to important data, such as your passwords, which in turn give them access to everything else on your PC or even on your network. Antivirus software won’t do anything to protect against either exploit.

How do Meltdown and Spectre infect a PC?

Spoiler

At the moment, there have been no cases on these vulnerabilities being used out in the wild. These flaws have existed in most CPUs for the over 20 years, and Spectre in particular is quite tricky to actually execute. However, there has never been more money in cyber crime, which has attracted some very talented programmers over to the dark side, and that’s before you even consider that cyber attacks are starting to see use as political weapons by countries around the world.

The most common vector for these kind of attacks is usually phishing, either through emails or browser-based attacks. An example of such a scenario is an ordinary user at work, who has no admin privileges, browsing the web. They could stumble across a phishing website, which are surprising common and can look quite legitimate, and the site could execute JavaScript to download and install the malware on their machine. This could then access, say, the password of an account on that PC with admin rights, and spread itself across the network. Only one such vulnerable machine would need to be found on a network, even if all the others had been patched.

Another way that malware could be downloaded onto an unsuspecting user’s PC is through third party advertisements online. You could be on a legitimate website that you’ve used many times before which serves ads. Even if the site itself is safe, the ads come from other companies and can sometimes contain malicious code. You don’t even need to click on the ad in some cases, just loading the webpage is enough to let the ad infect your PC. We recommend the use of ad blocking software to counter this.

Regarding the whole snaffu with antivirus, what's basically happening is that the way some AV software interacts with the kernal has caused incompatibilities with the new Microsoft cumulative security patch. There have been cases on the patch installing on PCs without compatible AV and experiencing Blue Screen of Death. Hence, AV vendors are required to update the registry in order to confirm compatibility with the patch before Windows will download and install it.

You can check online if you AV is compatible or if they've gotten around to adding that registry entry yet. If your AV is compatible but you haven't got the patch, you can add the registry entry manually in order to get the patch a bit quicker (which is what I did).

But as others have said, this vulnerability has been around for a while, under the radar, and is quite technically complex to exploit. I wouldn't worry too much. Patches will come down for this from multiple vendors, so just make sure you keep your patch levels up to date across your devices and programs (which everyone should be doing anyway) and chances are you'll be fine

 

[Morbad]

Firefox is kind of a special case here, since java script they are talking about is executed within its sandbox, not by OS directly. As a result it is possible to limit what can be done by java script in this case.
How does it apply to AV though?

It doesn't, I was speaking more of the Spectre vulnerability as a whole.

Once all the software is patched, you are going to need to run dodgy binaries for anything to have an attack vector. That's where good AV comes in.

 

[GammaZ]

It doesn't, I was speaking more of the Spectre vulnerability as a whole.

Once all the software is patched, you are going to need to run dodgy binaries for anything to have an attack vector. That's where good AV comes in.

Yes, and then AV can also have signatures for known implementations and catch them this way. Still no 100% guarantee though, because a dodgy binary which is not one of the known implementations still can accidentally "sneak" though...

Another interesting thought about AV... how well are their sandboxes isolated? It happened before with some AV and looks very likely now that unpatched AV can be more dangerous then complete lack of one. I mean you open a page, it contains download link for some binary. Even before you confirm/cancel download it is downloaded into browser cache and then checked by AV by executing it inside of its sandbox. If sandbox cannot isolate it properly, which is highly likely, here we go, user does not even need to confirm download...

 

[Manticore]

Regarding the whole snaffu with antivirus, what's basically happening is that the way some AV software interacts with the kernal has caused incompatibilities with the new Microsoft cumulative security patch. There have been cases on the patch installing on PCs without compatible AV and experiencing Blue Screen of Death. Hence, AV vendors are required to update the registry in order to confirm compatibility with the patch before Windows will download and install it.

You can check online if you AV is compatible or if they've gotten around to adding that registry entry yet. If your AV is compatible but you haven't got the patch, you can add the registry entry manually in order to get the patch a bit quicker (which is what I did).

But as others have said, this vulnerability has been around for a while, under the radar, and is quite technically complex to exploit. I wouldn't worry too much. Patches will come down for this from multiple vendors, so just make sure you keep your patch levels up to date across your devices and programs (which everyone should be doing anyway) and chances are you'll be fine

Yes; I was going to discuss this and you are spot on with that information. Most antivirus software (at least the ones that seem to be top ten most popular etc.) have patched adding the appropriate registry key that M$ wants to see before it does whatever it needs to do to Windows.

Even if this current issue wasn't such a big issue internet and computer security is an ongoing process and not an end in itself (my opinion but you sound like an expert to me).