
How much should an individual worry about Zombieload?

Fasauceome

I've been looking into things like Spectre and meltdown, and now Zombieload, and I understand how the vulnerabilities manifest themselves and the damage they do, but one thing is very hard to discern. How does this affect my computer? Or more specifically, how do I catch this "virus?" Do I need to download and run a malicious program, like a Trojan, or can it run on a random webpage and ignore antivirus, or does someone need administrator access like with Ryzen Fall?

 

Are there simple, safe habits I can use to avoid these vulnerabilities, like any other virus?

I WILL find your ITX build thread, and I WILL recommend the Silverstone Sugo SG13B

 

Primary PC:

i7 8086k - EVGA Z370 Classified K - G.Skill Trident Z RGB - WD SN750 - Jedi Order Titan Xp - Hyper 212 Black (with RGB Riing flair) - EVGA G3 650W - dual booting Windows 10 and Linux - Black and green theme, Razer brainwashed me.

Draws 400 watts under max load, for reference.

 

How many watts do I need | ATX 3.0 & PCIe 5.0 spec, PSU misconceptions, protections explained | group reg is bad

10 minutes ago, fasauceome said:

I've been looking into things like Spectre and meltdown, and now Zombieload, and I understand how the vulnerabilities manifest themselves and the damage they do, but one thing is very hard to discern. How does this affect my computer? Or more specifically, how do I catch this "virus?" Do I need to download and run a malicious program, like a Trojan, or can it run on a random webpage and ignore antivirus, or does someone need administrator access like with Ryzen Fall?

From what I've read Zombieload can be triggered from javascript stuff on webpages as well as local programs.

 

Administrator access is definitely not required. Viewing an infected website seems to be all it takes.

 

Intel and the CVE Organization (that's not the actual name of the organization but I don't know the actual name) have determined that this class of vulnerability is ranked as "medium" severity which means really bad but it means there is the potential for worse stuff.

 

All this means that you do need to apply all possible mitigations and if your CPU isn't being supported such as the X58 platform then it's probably worth no longer connecting it to the internet.

10 minutes ago, fasauceome said:

Are there simple, safe habits I can use to avoid these vulnerabilities, like any other virus?

Updating your OS and firmware (there's a microcode update being rolled out through the usual channels such as Windows Update for Windows users).

 

Some experts believe completely disabling Hyper Threading is the only real way to be safe. Google has taken the hard stance to disable HT on their platforms.

 

If you've got an affected CPU which has Hyper Threading then it's probably worthwhile disabling Hyper Threading.

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022)

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),


3 minutes ago, AluminiumTech said:

Some experts believe completely disabling Hyper Threading is the only real way to be safe. Google has taken the hard stance to disable HT on their platforms.

 

If you've got an affected CPU which has Hyper Threading then it's probably worthwhile disabling Hyper Threading.

Jay just did a video on disabling the hyperthreading.  Apparently if you are just gaming it doesn't make a huge difference.

 

 


For regular consumers the risk seems to be minimal.  For datacenters it's a huge issue because one user could be running malicious code on the server to read what's happening in another user's process. 

 

IF Spectre, Meltdown and Zombieload ever become real-life threats, for you as a regular user it would mean that your machine would have to get infected by malware containing those exploits in order for the exploits to do their thing.  If you get any kind of malware on your system you're screwed anyway.

 

EDIT : Actually it looks like Zombieload can be done through the browser as well, no need to install any malware.  But as long as we don't see it being done in the real world I still wouldn't worry too much. 


My take: Don't panic!

 

Keep up with Windows Updates. If available, get bios updates with new microcode, but it is possible for Windows to load microcode too although it isn't very clear if or when they do. Keep separate backups of important data, which you should do regardless.

 

These attacks are not in themselves that significant unless you make money from FUD like AV companies. The danger comes if multiple exploits are used in combination to gain control of your system. It's like a difference between sniffing data, and using that data to form an attack. The more opportunities you close, the less likely a successful attack will be.

Main system: i9-7980XE, Asus X299 TUF mark 2, Noctua D15, Corsair Vengeance Pro 3200 3x 16GB 2R, RTX 3070, NZXT E850, GameMax Abyss, Samsung 980 Pro 2TB, Acer Predator XB241YU 24" 1440p 144Hz G-Sync + HP LP2475w 24" 1200p 60Hz wide gamut
Gaming laptop: Lenovo Legion 5, 5800H, RTX 3070, Kingston DDR4 3200C22 2x16GB 2Rx8, Kingston Fury Renegade 1TB + Crucial P1 1TB SSD, 165 Hz IPS 1080p G-Sync Compatible


Not very. There has been no evidence of it being used in the wild, and by the time someone figures it out it's going to have all mitigations in place.

🌲🌲🌲

 

 

 

◒ ◒ 


4 minutes ago, Arika S said:

Not very. There has been no evidence of it being used in the wild, and by the time someone figures it out it's going to have all mitigations in place.

It's just hard to find out what the attack vectors are, since the articles (rightly) assume most people reading are using their browser raw no rubber, with little consideration in mind 


1 minute ago, fasauceome said:

 browser raw no rubber

+1

Workstation Laptop: Dell Precision 7540, Xeon E-2276M, 32gb DDR4, Quadro T2000 GPU, 4k display

Wifes Rig: ASRock B550m Riptide, Ryzen 5 5600X, Sapphire Nitro+ RX 6700 XT, 16gb (2x8) 3600mhz V-Color Skywalker RAM, ARESGAME AGS 850w PSU, 1tb WD Black SN750, 500gb Crucial m.2, DIYPC MA01-G case

My Rig: ASRock B450m Pro4, Ryzen 5 3600, ARESGAME River 5 CPU cooler, EVGA RTX 2060 KO, 16gb (2x8) 3600mhz TeamGroup T-Force RAM, ARESGAME AGV750w PSU, 1tb WD Black SN750 NVMe Win 10 boot drive, 3tb Hitachi 7200 RPM HDD, Fractal Design Focus G Mini custom painted.  

NVIDIA GeForce RTX 2060 video card benchmark result - AMD Ryzen 5 3600,ASRock B450M Pro4 (3dmark.com)

Daughter 1 Rig: ASrock B450 Pro4, Ryzen 7 1700 @ 4.2ghz all core 1.4vCore, AMD R9 Fury X w/ Swiftech KOMODO waterblock, Custom Loop 2x240mm + 1x120mm radiators in push/pull 16gb (2x8) Patriot Viper CL14 2666mhz RAM, Corsair HX850 PSU, 250gb Samsun 960 EVO NVMe Win 10 boot drive, 500gb Samsung 840 EVO SSD, 512GB TeamGroup MP30 M.2 SATA III SSD, SuperTalent 512gb SATA III SSD, CoolerMaster HAF XM Case. 

https://www.3dmark.com/3dm/37004594?

Daughter 2 Rig: ASUS B350-PRIME ATX, Ryzen 7 1700, Sapphire Nitro+ R9 Fury Tri-X, 16gb (2x8) 3200mhz V-Color Skywalker, ANTEC Earthwatts 750w PSU, MasterLiquid Lite 120 AIO cooler in Push/Pull config as rear exhaust, 250gb Samsung 850 Evo SSD, Patriot Burst 240gb SSD, Cougar MX330-X Case

 


What the average user should do, is join Team Red - yeah that's the real answer!  Or take your CPU and neuter it ;)  I have nothing relevant to add to this topic, other than stealing the description "browser raw no rubber"


5 minutes ago, fasauceome said:

It's just hard to find out what the attack vectors are

According to Intel and the security researchers that found it, it's not a simple thing to exploit, but it's mostly mitigated by not downloading dodgy shit and using something like a script blocker on your browser plus all the updates that will be coming soon.

 

Quote

What the average user should do, is join Team Red

i wonder how many people have non-HT CPUs (like my i5) that are freaking the fuck out over something that doesn't actually affect them. 


2 hours ago, Worstcaster said:

snip

That will depend on the game and also depending on the number of cores and threads a CPU has.

 

I expect a 2C/4T and 4C/8T CPU to be hit worse than the 6C/12T and 8C/16T CPUs.

38 minutes ago, fasauceome said:

It's just hard to find out what the attack vectors are, since the articles (rightly) assume most people reading are using their browser raw no rubber, with little consideration in mind 

From what I can gather the other attack vector is running a malicious program or a virus which takes advantage of this type of vulnerability.


1 minute ago, ReggieGRS said:

My bad if this sounds dumb but VPN doesn't help at all against that i'm assuming?

Nope. Any malicious scripts still interact directly with the CPU regardless of which servers you hopped through to access the infected website.


It's hard to quantify exactly how much someone should worry about something.

But my take on it is that you should worry about it less than you worry about heart disease, and more than you worry about being molested by Bigfoot.

Somewhere in that kind of range.


12 minutes ago, DezGalbie said:

more than you worry about being molested by Bigfoot.

I live right next to a wooded area, maybe I worry more than you think


3 hours ago, AluminiumTech said:

 

 

All this means that you do need to apply all possible mitigations and if your CPU isn't being supported such as the X58 platform then it's probably worth no longer connecting it to the internet.

 

I've a laptop loaned out to my sister from 2010. Has an i5-560M in it (2C 4T), and hasn't received an update from the manufacturer since I got the thing. Reference graphics drivers had to be hacked in to run Windows 10, for one example. Certainly nothing in regards to BIOS updates. Don't really have anything else to loan her though. Big concern?

My eyes see the past…

My camera lens sees the present…


Just now, Zodiark1593 said:

I've a laptop loaned out to my sister from 2010. Has an i5-560M in it (2C 4T), and hasn't received an update from the manufacturer since I got the thing. Reference graphics drivers had to be hacked in to run Windows 10, for one example. Certainly nothing in regards to BIOS updates. Don't really have anything else to loan her though. Big concern?

Oh yeah definitely.

 

Assuming there's no Meltdown or Spectre mitigations either then VERY BIG CONCERN. Otherwise just BIG CONCERN.


3 hours ago, fasauceome said:

I've been looking into things like Spectre and meltdown, and now Zombieload, and I understand how the vulnerabilities manifest themselves and the damage they do, but one thing is very hard to discern. How does this affect my computer? Or more specifically, how do I catch this "virus?" Do I need to download and run a malicious program, like a Trojan, or can it run on a random webpage and ignore antivirus, or does someone need administrator access like with Ryzen Fall?

 

Are there simple, safe habits I can use to avoid these vulnerabilities, like any other virus?

It really depends.

Server:

Patch immediately. Especially if it's a cloud/VPS/VM server, e.g. all Amazon AWS services. At this point, with all patches applied, you lose up to 20% of the CPU performance. So over-sold virtual servers are going to suffer, and this equates to a 20% loss in revenue. Turn HT off.

 

Games:

Patch immediately if the game client has user-editable client-loadable code (e.g. HTML5 games, Unity, Cocos2D, RPG Maker MV, etc.); turn HT off for all other games, patched or not.

 

Business:

Patch always. Turn HT off on machines that run or access user-editable script. 

 

In short, you should be looking for a BIOS patch if you have an Intel Haswell CPU or newer. (i7-4xxx, i5-4xxx, i3-4xxx, Pentium 3550, and Celeron 2xxx). 

 

Should you be worried? Not terribly. The major target will be anything that can run node.js (servers), nw.js (node webkit, used by most HTML5 games in stand-alone mode), CEF (Chromium Embedded Framework, used by applications such as MMO launchers, Spotify, Adobe software, etc.), Electron (used by Slack, WhatsApp), and such.

 

Any "virus"-like activity will likely be targeting servers, however. It's not efficient to use these exploits to get data, so you have to know what you're trying to get in the first place, and the target would likely be something you have to log in to that also runs arbitrary script (e.g. ads).

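The advice in AluminiumTech's and Kisai's posts above boils down to two checks: is the microcode/kernel mitigation in place, and is Hyper-Threading (SMT) still exposing the sibling thread. On Linux the kernel reports exactly that through sysfs. The script below is an added example written for this thread, not code from any poster, and it assumes the two standard sysfs paths `/sys/devices/system/cpu/vulnerabilities/mds` and `/sys/devices/system/cpu/smt/control`; the sample strings at the bottom are constructed to look like real file contents so it also runs offline.

```python
"""Check the Linux kernel's reported MDS (ZombieLoad) mitigation state.

Added example for this thread, not code from any of its posters. It reads
two sysfs files the Linux kernel exposes on x86 (assumed paths):
    /sys/devices/system/cpu/vulnerabilities/mds
    /sys/devices/system/cpu/smt/control
and reduces them to a verdict that maps onto the advice in the thread:
apply the microcode/kernel update first, then decide about SMT (HT).
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

MDS_FILE = Path("/sys/devices/system/cpu/vulnerabilities/mds")
SMT_FILE = Path("/sys/devices/system/cpu/smt/control")


@dataclass(frozen=True)
class MdsVerdict:
    affected: bool      # CPU is on the MDS-affected list
    mitigated: bool     # kernel reports the buffer-clearing mitigation active
    smt_exposed: bool   # a sibling hyperthread can still leak (SMT on, not mitigated)
    advice: str


def assess(mds_text: str, smt_text: str) -> MdsVerdict:
    """Turn the raw sysfs strings into a verdict.

    Kernel formats (Documentation/admin-guide/hw-vuln/mds.rst):
      'Not affected'
      'Vulnerable'
      'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable'
      'Mitigation: Clear CPU buffers; SMT vulnerable|mitigated|disabled|Host state unknown'
    smt/control is one of: on, off, forceoff, notsupported, notimplemented.
    """
    mds = mds_text.strip()
    smt = smt_text.strip()
    if mds == "Not affected":
        return MdsVerdict(False, True, False, "CPU not affected by MDS; nothing to do")

    parts = [p.strip() for p in mds.split(";")]
    mitigation = parts[0]
    smt_note = parts[1] if len(parts) > 1 else ""
    mitigated = mitigation.startswith("Mitigation:")
    # SMT counts as exposed when the kernel says so, or when the kernel is
    # silent about it but the SMT control file reports threads still enabled.
    smt_exposed = (smt_note == "SMT vulnerable") or (smt_note == "" and smt == "on")

    if not mitigated:
        if "no microcode" in mitigation:
            advice = ("Kernel wants to mitigate but CPU microcode is missing: "
                      "install the BIOS or OS microcode update")
        else:
            advice = "Mitigation disabled or unavailable: update the kernel and microcode"
    elif smt_exposed:
        advice = ("Mitigated for this thread, but SMT siblings can still leak: "
                  "disable SMT (HT) if untrusted code runs on this machine")
    elif smt_note == "SMT Host state unknown":
        advice = "Guest is mitigated; ask the hypervisor operator about SMT on the host"
    else:
        advice = "Fully mitigated"
    return MdsVerdict(True, mitigated, smt_exposed, advice)


def read_live_status() -> Optional[MdsVerdict]:
    """Read the real sysfs files; None when absent (non-Linux or old kernel)."""
    try:
        mds = MDS_FILE.read_text()
    except OSError:
        return None
    try:
        smt = SMT_FILE.read_text()
    except OSError:
        smt = ""  # older kernels lack smt/control; assess() falls back to the mds text
    return assess(mds, smt)


# Constructed sample strings shaped like real sysfs contents, for offline runs.
SAMPLES = {
    "patched_ht_on": ("Mitigation: Clear CPU buffers; SMT vulnerable", "on"),
    "patched_ht_off": ("Mitigation: Clear CPU buffers; SMT disabled", "off"),
    "no_microcode": ("Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable", "on"),
    "unaffected": ("Not affected", "on"),
}

if __name__ == "__main__":
    for name, (mds, smt) in SAMPLES.items():
        print(f"{name:15s} -> {assess(mds, smt).advice}")
    live = read_live_status()
    print("this machine    ->", live.advice if live else "sysfs files not available")
```

The split on `;` matters: a box can report `Mitigation: Clear CPU buffers` and still be exposed through its sibling thread, which is the distinction the thread keeps circling around when it says "patch, then decide about HT".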

1 minute ago, AluminiumTech said:

Oh yeah definitely.

 

Assuming there's no Meltdown or Spectre mitigations either then VERY BIG CONCERN. Otherwise just BIG CONCERN.

I don't plan to take it out of commission as of now since, performance-wise, the thing is quite speedy for net surfing and brute forces YouTube's VP9 1080P pretty well. Updates have been made as best as possible though between Windows (actually further along than my desktop as the laptop has good internet) and the browsers.


9 minutes ago, Kisai said:

 

 

Games:

Patch immediately if the game client has user-editable client-loadable code (e.g. HTML5 games, Unity, Cocos2D, RPG Maker MV, etc.); turn HT off for all other games, patched or not.

 

For a number of very demanding games, losing HT can be a pretty grievous performance hit for quad-core users.


6 minutes ago, Zodiark1593 said:

For a number of very demanding games, losing HT can be a pretty grievous performance hit for quad-core users.

Not really. Usually you get more out of turning HT off unless the game uses DX12/Vulkan with a multithreaded renderer. DX9 games are capped to the performance of the fastest CPU core, and you're usually better off forcing it not to run on the HT core.

 

Regardless, HT's performance is basically a way to take advantage of sloppy multi-process programming (e.g. the pre-fork model, or the "tabs" in all current browsers) rather than to encourage threading. That is why HT is dangerous for the web browser if exploitable. This is why WASM (WebAssembly) should be turned off by default.

 

3 minutes ago, ReggieGRS said:

Is it true Zombieload only affects Kaby Lake and older?

Are 9900K owners safe from this?

It only affects Intel chips with HT turned on; 8th and 9th generation chips may be immune. https://mdsattacks.com/ , test it yourself.

 

https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html

 

The big thing is that once the vulnerability is proven and in the wild, you never know how it will be exploited.

 


1 minute ago, Kisai said:

Not really. Usually you get more out of turning HT off unless the game uses DX12/Vulkan with a multithreaded renderer. DX9 games are capped to the performance of the fastest CPU core, and you're usually better off forcing it not to run on the HT core.

 

Regardless, HT's performance is basically a way to take advantage of sloppy multi-process programming (e.g. the pre-fork model, or the "tabs" in all current browsers) rather than to encourage threading. That is why HT is dangerous for the web browser if exploitable. This is why WASM (WebAssembly) should be turned off by default.

 

 

 

Where SMT is used (Hyper-Threading is SMT) the "HT cores" are treated as equal-class citizens to the "real cores". Whether the task is being performed on the "HT" or "real" core is irrelevant so long as the load on the (physical) cores is being managed accordingly. Windows is able to differentiate which threads belong to which core, so you won't usually see the issue of running your main game thread on the same core that's handling your video encode.

 

In a highly controlled environment where code is written as closely to ideal as possible and little or no external code is allowed to run, SMT, and even OoO execution, would not be necessary to extract as much performance as possible from the CPU. Modern CPUs are wide and deep enough that it is quite difficult to keep all of the pipelines fully occupied at all times. The role of SMT is to allow another, entirely different task to take advantage of unused CPU resources without the overhead of flushing the internal caches and registers, resulting in greater overall throughput from the one CPU core, albeit with a consequence to security, varying with implementation.


Is the HT i3 the main target? Business PCs tend to be low end with important data.

And if you disable HT you will just have 2 cores left~

Meh. I like AMD as much as the next guy but most of the freaking out about it is really fucking pointless. Unless you're actively going on sites with malicious code (or run a server), there's not too much to really worry about.

Check out my guide on how to scan cover art here!

Local asshole and 6th generation console enthusiast.


7 minutes ago, Dan Castellaneta said:

Unless you're actively going on sites with malicious code

That's potentially every site running Google Adsense.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


13 minutes ago, Drak3 said:

That's potentially every site running Google Adsense.

Adblockers and script blockers are basically a necessity these days.
