Thursday, 04 January 2018 12:25

Fixes rushed out for Intel CPU bugs as embargo collapses


Serious security flaws caused by "speculative execution" have been found in Intel CPUs from the Pentium Pro onwards, with multiple research teams being credited with the discoveries.

Software patches have been released by both the Linux kernel team and Microsoft. The Linux patch went in last month, and details of the bug were expected to stay under embargo until 9 January, the day Microsoft releases its monthly updates; instead, Microsoft released a fix overnight. The company also posted information on how it would be securing its Azure customers.

The bugs have been named Meltdown and Spectre and even have their own logos! A comprehensive account of the vulnerabilities and a Q and A is available here. Some AMD and ARM processors are also vulnerable to Spectre.

The Linux patch did not even include comments in the code, in order to keep details of the bug quiet.

But security by obscurity rarely works and it did not work in this case either. Google justified breaking the embargo, saying: "We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation."

Three exploits were described: bounds check bypass, branch target injection and rogue data cache load.

While both Google's Project Zero team and Intel claimed that the bugs affected CPUs from other manufacturers too, AMD was categorical in saying that its processors were not affected. The Project Zero detailed write-up is here.

Intel said in a media statement: "Recent reports that these exploits are caused by a 'bug' or a 'flaw' and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits."

But AMD's Tom Lendacky wrote in a post to the Linux kernel mailing list: "AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against.

"The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault."


ARM said the majority of its processors were not affected. "The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism," the company said. It provided a list of the processors that it said were affected.

Linux expert Russell Coker told iTWire in response to queries: "Speculative execution is where when a program branches (eg. an 'if' condition) the CPU starts executing the code on the most likely branch and then discards it if the other branch is taken. The bug MIGHT be something like performing speculative execution without adequate access checks such that a hostile application could have an instruction in what the CPU considers the most likely code path after a branch that accesses some memory and then sees what happens when it runs. AMD CPUs apparently don't have the bug in question."

He said there was a reasonable use case for systems that did not need such kernel security. "A significant portion of Linux systems are single-user workstations. For such a system you have one UID that deals with all the data from the Internet (and is therefore at risk of compromise) which also has access to all secrets (Internet banking passwords, GPG keys, ssh keys, etc).

"On such a single-user workstation the UID in question is generally used to access root via sudo or similar, and therefore an attacker who gets that UID can get root with a little patience and not much skill. For such a single user workstation (like the systems most Linux users have on their desktops) the new kernel won't provide any real benefit."


Russell said there were some things that could be done to improve security of single-user workstations. "For starters, encourage users to use a different session for tasks that need root access, even CTRL-ALT-F1 to get a text console will do. Programs that need stored passwords or cryptographic keys (such as mail clients, GPG, ssh clients, etc) could use a proxy running under a different UID to store the secret data so a compromise of the main account wouldn't immediately give everything away.

"Such techniques could make regular user compromise on a single-user workstation inadequate to get all access and therefore make kernel security important for single user systems."

But he added that the way current Linux workstations were used by single users (i.e. one non-root UID that does everything) meant that root access was not important to a hostile party. "By getting access to the regular UID of the user they can read all mail, get ssh and GPG keys, read key presses (Internet banking passwords etc), and do everything else they would want to do. For someone running such a system there probably isn't much benefit in installing a patched kernel."

Russell was quick to point out that he was not advocating the avoidance of security patches. "Note that I'm not saying 'don't install security fixes'. I'm just noting that a typical home user Linux system has bigger security problems than the potential of a hostile program finding out address space randomisation information to permit other attacks on the kernel."

He said that, from what was currently known about the flaw, there was no solid information on it being directly exploitable; it seemed to be merely a way of enabling other exploits.

"But we should consider the possibility that the researchers who discovered this flaw didn't discover all the possible ways of exploiting it," he added.

"It could be that in a matter of days or weeks someone will come out with a more effective exploit which will make this more serious, i.e. direct root access rather than merely extracting data to help other exploits."
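The practical question raised above is whether a given Linux host is actually running with the kernel page table isolation (PTI) mitigation that Lendacky refers to. The following script is an added example, not part of the article or of any vendor's tooling: it parses the "bugs" line that the kernel prints in /proc/cpuinfo and the per-issue files that later kernels expose under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2), and classifies each issue as not affected, mitigated or vulnerable. The sample inputs at the bottom are constructed in the format those files use, so the module runs offline; on a real Linux host, call report_host().

```python
"""Report Meltdown/Spectre mitigation status on a Linux host.

Added example (not from the iTWire article). Assumptions, both labelled here:
- /proc/cpuinfo carries a "bugs" line with flags such as cpu_meltdown,
  spectre_v1 and spectre_v2 on affected CPUs (per logical CPU).
- Kernels newer than the one in the article expose one file per issue under
  /sys/devices/system/cpu/vulnerabilities/ with contents like
  "Not affected", "Mitigation: PTI" or "Vulnerable".
"""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")
# /proc/cpuinfo names the Meltdown flag "cpu_meltdown"; the sysfs file is "meltdown".
CPUINFO_FLAG = {"meltdown": "cpu_meltdown", "spectre_v1": "spectre_v1", "spectre_v2": "spectre_v2"}


def parse_cpuinfo_bugs(cpuinfo_text):
    """Return the set of bug flags listed on the 'bugs' line(s) of /proc/cpuinfo.

    The line is repeated once per logical CPU with identical content, so the
    union over all lines is returned.
    """
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "bugs":
            flags.update(value.split())
    return flags


def classify(status):
    """Map one sysfs vulnerability file's contents to a coarse verdict."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"  # "Vulnerable" or "Vulnerable: <detail>"


def assess(cpuinfo_text, sysfs_status):
    """Combine both sources into one verdict per issue.

    sysfs_status maps issue name -> file contents, or omits the issue when the
    running kernel predates the sysfs interface. In that case the CPU flag is
    all we know: an affected CPU on such a kernel cannot be assumed mitigated.
    """
    bugs = parse_cpuinfo_bugs(cpuinfo_text)
    verdict = {}
    for issue in ISSUES:
        status = sysfs_status.get(issue)
        if status is not None:
            verdict[issue] = classify(status)
        elif CPUINFO_FLAG[issue] in bugs:
            verdict[issue] = "vulnerable_unknown_mitigation"
        else:
            verdict[issue] = "not_affected"
    return verdict


def pti_active(sysfs_status):
    """True only if the kernel reports page table isolation as the Meltdown mitigation."""
    return (sysfs_status.get("meltdown") or "").strip().startswith("Mitigation: PTI")


def read_host():
    """Read the live files; missing sysfs entries are reported as None."""
    cpuinfo = Path("/proc/cpuinfo").read_text()
    status = {}
    for issue in ISSUES:
        path = VULN_DIR / issue
        if path.exists():
            status[issue] = path.read_text()
    return cpuinfo, status


def report_host():
    cpuinfo, status = read_host()
    return assess(cpuinfo, status), pti_active(status)


# Constructed samples (not captured from a real machine), in the real file formats.
SAMPLE_CPUINFO_INTEL = (
    "processor\t: 0\nbugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n"
    "processor\t: 1\nbugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n"
)
SAMPLE_CPUINFO_AMD = "processor\t: 0\nbugs\t\t: spectre_v1 spectre_v2\n"  # no cpu_meltdown flag
SAMPLE_SYSFS_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}
SAMPLE_SYSFS_UNPATCHED = {"meltdown": "Vulnerable\n", "spectre_v1": "Vulnerable\n", "spectre_v2": "Vulnerable\n"}

if __name__ == "__main__":
    print("patched sample :", assess(SAMPLE_CPUINFO_INTEL, SAMPLE_SYSFS_PATCHED), "PTI:", pti_active(SAMPLE_SYSFS_PATCHED))
    print("unpatched sample:", assess(SAMPLE_CPUINFO_INTEL, SAMPLE_SYSFS_UNPATCHED))
    print("old-kernel AMD  :", assess(SAMPLE_CPUINFO_AMD, {}))
    if Path("/proc/cpuinfo").exists():
        print("this host      :", report_host())
```

The "vulnerable_unknown_mitigation" verdict is deliberate: a kernel old enough to lack the sysfs files gives no positive evidence that PTI is on, so a host with an affected CPU should be treated as unpatched until the kernel is updated and the file reads "Mitigation: PTI".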

Intel shares took a beating after news of the flaws broke, with a fall of as much as 5.5%, the most since October 2016. AMD surged 8.8% on the news while Nvidia went up by 6.3%.




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
