All Intel Processors Made in the Last Decade Might Have a Massive Security Flaw


Jeff P
01-03-2018, 11:39 AM
Article at Gizmodo|by Tom McKay
Report: All Intel Processors Made in the Last Decade Might Have a Massive Security Flaw:
https://gizmodo.com/report-all-intel-processors-made-in-the-last-decade-mi-1821728240

There's small screwups and big screwups. Here is a tremendously huge screwup: Virtually all Intel processors produced in the last decade have a major security hole that could allow "normal user programs—from database applications to JavaScript in web browsers—to discern to some extent the layout or contents of protected kernel memory areas," the Register reported on Tuesday.

Essentially, modern Intel processors have a design flaw that could allow malicious programs to read protected areas of a device's kernel memory (memory dedicated to the most essential core components of an operating system and their interactions with system hardware). This flaw could potentially expose protected information like passwords. Since the error is baked into the Intel x86-64 hardware, it requires an OS-level overwrite to patch—on every major operating system, including Windows, Linux, and macOS.

The exact details of the design flaw and to what extent users are vulnerable are being kept under wraps for now, per the Register, though since developers appear to be rushing towards patching systems in coming weeks it is likely very bad. In the absolute worst-case speculative scenario, something as simple as JavaScript running on a webpage or cloud-hosted malware could gain access to some of the most sensitive inner workings of an Intel-based device.

Because the fix entails severing kernel memory entirely from user processes, patched OSes could potentially see a massive performance hit of "five to 30 percent slowdown, depending on the task and processor model"


Great.

Just what every owner of a PC or Laptop with an Intel chip needs.

Just for fun, check out the comments beneath the article:
10 years for it to be discovered by legit researchers. No telling when state-level or other groups knew about it.

Happy Wednesday everyone,


-jp


xtb
01-03-2018, 01:14 PM
Time to buy some AMD stock!

JustRalph
01-03-2018, 01:26 PM
Looks purposeful to me

headhawg
01-03-2018, 10:53 PM
I don't know if it's purposeful or if it's more like laziness/indifference. Before AMD produced the Athlon in the late 90s, Intel wasn't doing much innovation in the CPU market because they didn't have to. It wasn't until AMD took a significant bite out of their market share with low-priced overclock-able CPUs that Intel got off their collective asses and started releasing better technology. Maybe they were sitting on their laurels again and pushed out a flawed design. How long has Intel known about it is another question.

This flaw is not good. Not good at all.

wilderness
01-03-2018, 11:36 PM
At last there is an upside to my XP32's ;)

Guess the XP64 with the early quad (not plugged up in more than a year) is questionable.

headhawg
01-04-2018, 06:57 PM
Some reports say that Intel knew about the flaw in June. CEO sells $39 mil of stock/options in November. Coincidence? No. Criminal. I'm switching to AMD procs if at all possible. I would be worried if I had Intel stock.

JustRalph
01-04-2018, 07:32 PM
https://www.theverge.com/2018/1/4/16848976/how-to-protect-windows-pc-meltdown-security-flaw

A serious friggin mess

Tom
01-05-2018, 09:29 AM
At last there is an upside to my XP32's ;)

Guess the XP64 with the early quad (not plugged up in more than a year) is questionable.

+1

XP Forever~!:headbanger:

Jeff P
01-05-2018, 02:46 PM
Interesting point of view (from a market analysis perspective) being expressed by the author of an article that appeared on the SeekingAlpha.com site.

Intel Security Risk Is Much Worse Than Management Commentary Indicates:
https://seekingalpha.com/article/4135558-intel-security-risk-much-worse-management-commentary-indicates

In our view, the security problem is a much bigger problem than Intel is acknowledging, and Intel investors will be in for a very rough ride for the next couple of years. While Intel may not have much of a problem on the consumer side from this security issue, in our view, Intel's data center business is at a serious risk.


The following comment posted beneath the article kind of caught my attention:
Dannotech

@Jbitzerjr

The way the attack works is that I could, as a C++ developer, buy a subscription to Azure, write a simple program that does some data analytics in the cloud, load it with my exploit, upload that program to the Azure cloud and let it run. And even though it is a purely user-mode application, it has access to the machine and is constantly scraping data from other client OS's on that machine by peeking into the Kernel memory without the datacenter having any knowledge that the attack is happening.

There is no telling who might be my virtual neighbors on that machine, but what if it's a bank's web site? The attacker could easily scrape account numbers and passwords as users login.

So yea, this is way bigger than on-site bad actors.



-jp


headhawg
01-05-2018, 03:17 PM
XP Forever~!:headbanger:
This is hardware level stuff; the OS has very little to do with the actual flaw. So if you want to stay completely off the Internet -- completely -- you're probably safe. Otherwise, you could be using Win10, XP, Win98 or Linux and still have major major problems as JeffP highlighted in his last post. I patched my Win7 box yesterday, but I'm not that confident in it. My computer seems slower as a side-effect, but that could just be my perception.

The vulnerability info and potential attack vectors are more than likely already on the Dark Web. Good luck folks.

wilderness
01-05-2018, 05:03 PM
headhawg,
Although somewhat correct, not entirely.
Motherboards and CPU's were designed with specific OS's in mind.
Attempting to put XP32 on one of the latest quad-core (perhaps even some very older dual-cores) does more harm than good.
Attempting to put Win10 on a machine designed for XP32 is nearly impossible.

The earliest press release touches on the same subject, however subtly.

We may never see a list of exactly what Intel CPU's are vulnerable, however the early XP32 CPU's are certainly less likely.

There's some very, very old threads here regarding the capabilities on software monitoring users and their use in OS beyond XP. Reflecting back on those thoughts certainly allows thought for these most recent Intel vulnerabilities.

headhawg
01-05-2018, 06:33 PM
headhawg,
Although somewhat correct, not entirely.
Motherboards and CPU's were designed with specific OS's in mind.
Attempting to put XP32 on one of the latest quad-core (perhaps even some very older dual-cores) does more harm than good.
Attempting to put Win10 on a machine designed for XP32 is nearly impossible.
Either I don't understand what you mean or I will respectfully disagree. It's a matter of economics. Why would Intel or ASUS care what OS Microsoft is trying to sell? Those companies are trying to sell processors and motherboards. As long as the OS code could compile correctly it will run. M$ would need to be concerned about new CPU instructions, but that's what the compilers are for. Motherboards are tied to the CPU/chipset but not the OS unless it can't be compiled. So your XP machine might be safe as it may have a CPU that isn't on the Spectre/Meltdown list. I can assure you that I can run XP (both 32 and 64 bit flavors) on my current machine which has a Core I5 Ivy Bridge processor. Win8 would have been the current OS at the time that CPU family was released so I fail to see how your explanation is valid.

_______
01-05-2018, 09:58 PM
https://seekingalpha.com/article/4135651-intel-meltdown-spectre-vulnerabilities-explained

I found the storage locker analogy embedded here somewhat useful in explaining the flaw.

I’m not entirely incompetent in my understanding of computers but will admit that this was beyond my understanding. I hope the analogy withstands scrutiny from others who have more complete knowledge. Let me know.

AltonKelsey
01-06-2018, 12:08 AM
Based on my reading of the flaw, anyone running a motherboard bios that is not going to be updated by the manufacturer has a problem.

Without that bios patch, a windows patch is only a partial solution.

I don't see them issuing patches for the 1000's of older bios still in use.

headhawg
01-06-2018, 09:09 AM
Intel's spin on the problem: Side-channel Analysis (https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html)

PaceAdvantage
01-06-2018, 11:11 PM
Intel's spin on the problem: Side-channel Analysis (https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html)
When they say "it must be running locally on a system" that sounds good and all...but something can be running locally on a system after it is downloaded from the web or malware is obtained by browsing a malicious site...yes?

What is the real difference between this security hole, or a hole in Windows itself (which as we know, has had MANY), that allows a malicious actor to capitalize on said security hole?

The only difference is, how easily and efficiently can the hole be closed. With Windows, it's usually a patch.

With Intel CPUs and chipsets, how do we close it? Not sure why a BIOS update would fix this...but I guess somehow it would?

So, bottom line, I'm not sure why everyone is going insane over this. There are Windows security breaches all the time...and they are patched. Windows is run by the majority of the world.

Now we have a security breach in INTEL chips...I suppose INTEL runs the majority of the world's computers.

Why is it somehow different or cataclysmic this time around?

headhawg
01-07-2018, 12:19 AM
When they say "it must be running locally on a system" that sounds good and all...but something can be running locally on a system after it is downloaded from the web or malware is obtained by browsing a malicious site...yes?
Yes.

What is the real difference between this security hole, or a hole in Windows itself (which as we know, has had MANY), that allows a malicious actor to capitalize on said security hole?
Because it affects more devices including those not running Windows. Plus, we're talking about a hardware level problem that will involve more than one company issuing a patch. And we're talking about reading kernel memory here. Basically having access to everything that happens on a computer. Eeesh.
With Intel CPUs and chipsets, how do we close it? Not sure why a BIOS update would fix this...but I guess somehow it would?
My educated guess is that Intel has to rewrite the CPU microcode. Current BIOSes will not be able to run it properly unless they are updated. As someone mentioned previously, I doubt that motherboard manufacturers are going to update all the old(er) BIOSes.

Why is it somehow different or cataclysmic this time around?
I think that no antivirus/antimalware will be able to detect a problem. You could be antimalware-protected to the hilt and it won't do any good. And what if your motherboard BIOS won't get an update?

PaceAdvantage
01-07-2018, 12:36 AM
I don't know...I still see this the same way I would see a big ol' security breach in Windows that happens all the time.

What's the worst thing someone can get off my computer? My passwords and my personal information. Plenty of malware and viruses have been scouring Windows PCs for passwords and personal information for years.

And since the majority of windows users run INTEL chips, what really is the difference here?

I still don't see the whole "end of the world" thing here...I see it as yet another vulnerability with my computer, whether it be with Microsoft Windows or Intel CPUs.

Now, if INTEL comes out and says there is no way to effectively fix this, then we might have an EOTW scenario...

headhawg
01-07-2018, 09:09 AM
Now, if INTEL comes out and says there is no way to effectively fix this, then we might have an EOTW scenario...
I guess what I am saying is that this is a much larger problem because: 1) a LOT more devices are affected (including the "invulnerable" Apple and Linux products); 2) not all devices may be able to implement Intel's fix; and 3) due to the way the info is stolen the user won't know that their device has been compromised.

What's the worst thing someone can get off my computer? My passwords and my personal information. Plenty of malware and viruses have been scouring Windows PCs for passwords and personal information for years.
True, but an attack based on this flaw would effectively give a hacker administrative rights to your machine even after you changed passwords a million times. So that could lead to someone having a skeleton key to anyone's system, including those on the cloud. Data could be stolen/deleted, new ransomware could be created, and yes, passwords/personal info could be stolen.

Sounds pretty EOTW-ish to me. Let's hope it's not. I'm not ready to give up the Internet just yet.

Jeff P
01-07-2018, 12:44 PM
...What is the real difference between this security hole, or a hole in Windows itself (which as we know, has had MANY), that allows a malicious actor to capitalize on said security hole?...

Why is it somehow different or cataclysmic this time around?

It's not an end of the world scenario.

But, to my way of thinking, it's nastier this time around because other than staying completely off the internet - there really isn't an ironclad way to protect yourself.

Or maybe it's been that way for a while and I am just now finding out about it.

Patching your own machine doesn't mean you aren't vulnerable. Using a machine with a non-Intel chip doesn't mean you aren't vulnerable.

Consider the comment that I quoted beneath the article at the following link:
https://seekingalpha.com/article/4135558-intel-security-risk-much-worse-management-commentary-indicates

Dannotech

@Jbitzerjr

The way the attack works is that I could, as a C++ developer, buy a subscription to Azure, write a simple program that does some data analytics in the cloud, load it with my exploit, upload that program to the Azure cloud and let it run. And even though it is a purely user-mode application, it has access to the machine and is constantly scraping data from other client OS's on that machine by peeking into the Kernel memory without the datacenter having any knowledge that the attack is happening.

There is no telling who might be my virtual neighbors on that machine, but what if it's a bank's web site? The attacker could easily scrape account numbers and passwords as users login.

So yea, this is way bigger than on-site bad actors.

Suppose for the sake of argument you are using a machine with an Intel chip that's been patched, or you are using a machine with an AMD chip that isn't vulnerable to the exploit -- and while browsing the web you visit a site hosted on a server that hasn't been patched and has one of the newer Intel chips subject to the exploit.

Also suppose for the sake of argument that I am a hacker, and that I am hosting a site on that same server - a site that you never even visit - and that as part of my site, I am running a web service I wrote for the sole purpose of harvesting keyboard characters keyed by visitors who are browsing all of the other sites hosted on that same server - including the site you went there to visit using your patched machine.

As soon as you log into that site: I am now in possession of your login credentials. Suppose for the sake of argument they are:
username: johnsmith @ aol.com
password: jsmith_ #417

Let's further suppose that the site you were visiting is a horse racing message board and it just so happens that's the only site in the world where you are using username johnsmith @ aol.com with password jsmith_ #417.

So the only thing I as a hacker can do with those log in credentials is log into that site and make posts as you.

Like you said: No biggie.

But I'm guessing that if I am able to harvest enough username/passwords:

There are probably a LOT of john smiths out there who are using the same username/password across multiple sites -- including those where real money is handled... paypal, banks, brokerage houses, etc.

The difference here is that patching your own machine, or using a machine with a chipset that isn't vulnerable to the exploits doesn't protect you.

Unless you stay completely off the internet you are literally relying on all web hosts everywhere to maintain servers that have been patched.

Off the top of my head, I'm guessing something like 99.999% of all legitimate web hosts are going to patch their servers as soon as patches become available (and keep them patched.)

But I'm also guessing there are always going to be bad actors who will intentionally operate server farms on machines that are never going to be patched.

I'm also guessing these bad actors will be hosting sites on those machines where the sole objective is to entice as many john smiths as possible to visit, create an account, and log in -- in hopes of harvesting login credentials that can be used somewhere else.

Like I said, maybe it's been that way for a while and I am just now finding out about it.

To my way of thinking, because the only way to really protect yourself is to stay completely off the internet: These exploits seem like a very big deal.




-jp


PaceAdvantage
01-07-2018, 05:27 PM
Good points Jeff...some I hadn't thought about.

headhawg
01-09-2018, 07:05 PM
What Windows and CPU combinations will take a performance hit due to Spectre/Meltdown? M$ Secure (https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/)

OverlayHunter
01-13-2018, 03:33 AM
Can VPN help with this problem?

headhawg
01-13-2018, 08:42 AM
No, a VPN won't help with this problem. Spectre/Meltdown works at the CPU level not at the IP network level.

JustRalph
01-13-2018, 09:15 AM
I spoke to someone yesterday that works in the industry. I asked how long until it’s safe to buy an Intel based system.

He said Intel has thousands of vulnerable chips in the retail channel that would have to be destroyed and they are balking at doing that.

I was just about to pull the trigger on a new machine. My contact says I should be prepared to wait until 3rd quarter of 2018 :eek:

OverlayHunter
01-13-2018, 09:52 PM
Thanks to all who have contributed to this thread.

Is there any consensus on what percentage of computers are expected to be actually affected?

headhawg
01-14-2018, 10:21 AM
The Meltdown exploit affects every Intel processor made since the Pentium, but AMD CPUs are relatively safe from it. ARM processors are also affected. All brands of CPUs are affected by the Spectre exploit. Just assume the device you're using is affected and follow whatever guidelines are given to apply the stop-gap fix(es). And they are stop-gap. There is no permanent fix to the problem until new CPU architecture is designed. That's going to be a while; see JR's last post.
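
Added example, not part of the thread and not any poster's code: on Linux, one of the affected operating systems mentioned above, the kernel reports its own view of each flaw as a one-line status file under /sys/devices/system/cpu/vulnerabilities/, and this Python script classifies those lines so that an unmitigated or unreported item stands out after the stop-gap fixes are applied. The sample strings are constructed and the function names are hypothetical.

```python
"""Classify the Linux kernel's Meltdown/Spectre status lines (added example)."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKED = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample contents (file name -> text), used when SYSFS_DIR is absent.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

STATES = {
    "not affected": "not_affected",
    "mitigation": "mitigated",
    "vulnerable": "vulnerable",
}


def parse_status(text):
    """Split one status line into (state, detail)."""
    line = text.strip()
    head, _, detail = line.partition(":")
    state = STATES.get(head.strip().lower(), "unknown")
    # Keep the whole line when the kernel used a wording we do not recognise.
    return state, (detail.strip() if state != "unknown" else line)


def read_statuses(directory=SYSFS_DIR):
    """Return {file name: contents}; fall back to SAMPLE off Linux."""
    if not directory.is_dir():
        return dict(SAMPLE)
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}


def assess(statuses, names=CHECKED):
    """Map each checked flaw to (state, detail); a missing file is 'unknown'."""
    report = {}
    for name in names:
        if name in statuses:
            report[name] = parse_status(statuses[name])
        else:
            # Kernels that predate this reporting have no file: treat as unverified.
            report[name] = ("unknown", "no status file reported by this kernel")
    return report


def needs_attention(report):
    """Names whose state is neither 'mitigated' nor 'not_affected'."""
    return sorted(n for n, (state, _) in report.items()
                  if state in ("vulnerable", "unknown"))


if __name__ == "__main__":
    result = assess(read_statuses())
    for name, (state, detail) in result.items():
        print(f"{name:12} {state:13} {detail}")
    print("needs attention:", ", ".join(needs_attention(result)) or "none")
```
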