Meltdown and Spectre – almost everything gets patched

Wow what a first week this year – a huge leak and everyone was freaking out (including me) because we finally realized that hardware can’t be trusted. But what was done after the leak? Let’s talk about it! We are talking btw about CVE-2017-5715 +  CVE-2017-5753  + CVE-2017-5754.

Spectre and Meltdown security flaws

Software patches

  • PaleMoon isn’t vulnerable
  • Firefox has moved to multiple processes but keep in mind tabs are still divided by X processes (X being the number of processes picked in settings), so one tab is still on the same process as others as long as you have more than a couple open. A patch was rolling out since 57.0.4. More details here.
  • Google Chrome isn’t patched (yet) but there testing their own implementation, in the meantime enabling the site isolation about:flag does the trick.
  • Microsoft patched the hole already in the latest out-of-date-patchday and explained what to do.
  • Other Browsers like Opera & IE getting the patches soon.
  • According to Alex Ionescu macOS is also not affected by the hole.

Hardware patches

  • Intel still says it’s a software bug not a hardware one. But imho it’s just strategic to not admit in public that this hole exist since the beginning and newer CPUs never getting patches.
  • Googles own test against Branch Target Injection is in the pipeline.
  • The gaming performance under Windows and Linux aren’t much affected according to some benchmarks. But printing iframes in an isolated store might cause some errors in all Browsers, this (I guess) is on the to do list.
  • However Microsoft patch isn’t enough, as some users already noticed. The firmware part is still open, even if the OS itself got patched and script to detect the holes in the OS and firmware is available via powershell “Install-Module SpeculationControl”.
  • Google has announced that they’ve already rolled out Android updates with ARM’s recommended mitigations to supported Nexus and Pixel devices, but these updates don’t include all of the necessary upstream fixes from the Linux kernel.
  • Apple also was responding and gave us an good article about the issue.
  • Microsoft Azure user getting an advise to work this out.
  • Rasperry Pi isn’t affected at all.

The problem is that this isn’t the end and while there analysing the hole some questions still remain. It’s not clear just what the full security ramifications of Spectre are – while Meltdown is the more immediate threat, how it works and how to mitigate it are fairly well documented. Spectre however is a definite wildcard right now. There are multiple proof of concept attacks as it stands, but more broadly speaking, Spectre attacks are a new class of attacks not quite like anything vendors have seen before. As a result no one is completely confident that they understand the full security ramifications of the exploit. There is a risk that Spectre attacks can be used for more than what’s currently understood.

Resource

  • Analysis of Speculative Execution Side Channels (pdf)
  • Intel Issues Updates to Protect Systems from Security Exploits (newsroom.intel.com)
  • Facts about The New Security Research Findings and Intel Products (intel.com)
  • Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method (security-center.intel.com)
  • Surface Guidance for Customers and Partners: Protect your devices against the recent chip-related security vulnerability (support.microsoft.com)

  • Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism (developer.arm.com)
  • More details about mitigations for the CPU Speculative Execution issue (security.googleblog.com)
  • [RFC] Retpoline: Binary mitigation for branch-target-injection (aka “Spectre”) (lkml.org)
  • Retpoline: a software construct for preventing branch-target-injection (support.google.com)
  • [PATCH 4.4 00/37] 4.4.110-stable review (lkml.org)
  • [PATCH 4.9 00/39] 4.9.75-stable review (lkml.org)
  • Avoid speculative indirect calls in kernel by Linus Torvalds (lkml.org)
  • performance.now() (developer.mozilla.org)
  • Information Security is a Priority at AMD (amd.com)
Advertisements

Comments are closed.

Blog at WordPress.com.

Up ↑

%d bloggers like this: