
Vulnerabilities in Exynos modems allow remote code execution - Google Pixel, Samsung and Vivo phones affected

5 hours ago, Uttamattamakin said:

Being vigilant to security threats is not being "hysterical". Being prepared is crucial if your business or your life depends on your phone(s) working. Lots of us prepare for the worst, and consider the good and bad possibilities, without being emotional about it. 🙂

Yes it is, if you aren't capable of bringing nuance and understanding of the situation into the conversation.

Being emotional is exactly what people are being, because we don't have much information to go by. Screaming about how this will result in people dying when we don't even know the scope is ridiculous, and it is absolutely being emotional. You are being controlled by fear, not reason.


5 hours ago, jagdtigger said:

The only thing bad here is your attitude. An RCE is no joke, especially if it doesn't require anything on the user side... It's especially bad since some whackjob thought locking down phones would do wonders for security. It's pretty much snake oil... (I mean the locked bootloader.)

I am not sure what you are talking about.

Of course an RCE is serious, and some of these vulnerabilities are serious. But there is a difference between "we should take this seriously" and "we should panic!". I see a lot of people in the latter category, and not a lot of people trying to actually learn what is happening. It seems like a lot of people who have no idea what is happening are the ones who have very strong feelings and opinions about this, which is bad. The less info you have, the less strong your opinions should be, because those opinions will just be based on emotions rather than reason, and that's very bad when talking about security related subjects.

 

Also, I am not sure what you are talking about regarding snake-oil. I think you might be using the word incorrectly.

Locked bootloaders are not snake oil. They serve a very important purpose, which is bringing security to the software developers as well as users. In some cases (because security is a complex subject and you can't think in black and white terms), the locked bootloader might become a hindrance but in general that is quite rare (except when the phone is out of support).

But in any case it is not snake oil, and from what I know Samsung and Google phones let you unlock the bootloader if you want, so I am not sure what you are mad about. Locked bootloaders don't have anything to do with this topic either. It feels like you just shoehorned that into the conversation because you're mad about it or something.


55 minutes ago, HenrySalayne said:

Lucky coincidence. 😉

The Samsung S series might come with Qualcomm SoCs in the US, but the A series does not (e.g. A53). And with the wide range of affected phones and wearables, there is probably a considerable number of users in the US.

 

Might also be worth mentioning that Qualcomm chipsets are also vulnerable to RCE exploits at the time of writing.

The same patch that fixes one of the Exynos exploits also contains fixes for two critical Qualcomm chipset vulnerabilities (one of which is a modem vulnerability with a CVSS score of 9.8).

 

These things are not that uncommon.

In 2020, Check Point found over 400 vulnerabilities in Qualcomm's DSP alone. It's just that, like with most vulnerabilities, people barely knew about it and the issues were fixed before people could be scared.


1 hour ago, HenrySalayne said:

Lucky coincidence. 😉

The Samsung S series might come with Qualcomm SoCs in the US, but the A series does not (e.g. A53). And with the wide range of affected phones and wearables, there is probably a considerable amount of users in the US.

 

The A23 is Snapdragon, so it looks like it's going to depend on the model itself. Because the A14 does use Exynos. I wonder if they are using Exynos in the lower price point products. I'm not sure where Exynos fits in compared to Qualcomm or Apple (I use an iPhone).

 

Well, the government leaned on Samsung before due to security updates; if they don't come up with a solution I'm sure the government will lean on them again to find a solution. But it does suck for people in the US because T-Mobile is the only carrier with a 2G network and all 3G networks have been sunsetted, at least from the major carriers. So most people can't turn off Wi-Fi calling or VoLTE if they actually need to use it as a phone.

I just want to sit back and watch the world burn. 


3 hours ago, LAwLz said:

Yes it is, if you aren't capable of bringing nuance and understanding of the situation into the conversation.

Being emotional is exactly what people are being, because we don't have much information to go by. Screaming about how this will result in people dying when we don't even know the scope is ridiculous, and it is absolutely being emotional. You are being controlled by fear, not reason.

I didn't say "will" but could.  The way to react to something dire that could happen is to take preventative action.  It's just like buckling your seatbelt. 🙂 
 

2 hours ago, Donut417 said:

The A23 is Snapdragon, so it looks like it's going to depend on the model itself. Because the A14 does use Exynos. I wonder if they are using Exynos in the lower price point products. Im not sure where Exynos fits in compared to Qualcomm or Apple (I use an iPhone). 

So now users will need to look deep into the details of their phone's SoC. IMHO carriers and sellers should be the ones sending a notification about this. The vast VAST majority of users will have no idea about that. Much less any possible automotive issues. Who knows and can name the specific processors used in their car?

 

2 hours ago, Donut417 said:

...

Agree with all of this. 
 

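The post above makes the practical point that users have to find out which SoC their phone actually has before they can act on this, and an earlier post gives the interim workaround (turn off Wi-Fi calling and VoLTE until patched). Here is an added example, written for this thread and not tooling from Samsung, Google or any poster, that does that triage from a saved `adb shell getprop` dump: it identifies the SoC family from standard Android properties and compares the reported security patch level with a minimum the caller supplies. The property names (`ro.hardware`, `ro.board.platform`, `ro.soc.manufacturer`, `ro.soc.model`, `gsm.version.baseband`, `ro.build.version.security_patch`) are real Android properties; the string markers used to recognise Exynos and Qualcomm parts, the patch date, and the two sample dumps are assumptions made for illustration.

```python
# Added example: device triage from an `adb shell getprop` dump.
# Not vendor tooling; the SoC markers, the patch threshold and the sample
# dumps below are assumptions for illustration.
import re
from datetime import date

# getprop prints one "[key]: [value]" per line.
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")

# Assumed heuristics: Exynos SoCs tend to show "exynos..." or an "s5e..." part
# number in these properties; Qualcomm parts show "qcom"/"QTI"/"msm"/"sm8...".
EXYNOS_MARKERS = ("exynos", "s5e")
QUALCOMM_MARKERS = ("qcom", "qti", "qualcomm", "msm", "sm8")
SOC_PROPS = ("ro.hardware", "ro.board.platform", "ro.soc.manufacturer",
             "ro.soc.model", "gsm.version.baseband")

# Illustrative threshold only (assumption); take the real fix date from your
# vendor's security bulletin.
EXAMPLE_MIN_PATCH = date(2023, 3, 1)


def parse_getprop(text):
    """Turn getprop output into a dict, ignoring lines that are not properties."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def soc_family(props):
    """Classify the SoC as 'exynos', 'qualcomm' or 'unknown' from the markers above."""
    fields = " ".join(props.get(k, "") for k in SOC_PROPS).lower()
    if any(marker in fields for marker in EXYNOS_MARKERS):
        return "exynos"
    if any(marker in fields for marker in QUALCOMM_MARKERS):
        return "qualcomm"
    return "unknown"


def patch_level(props):
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None if absent or odd."""
    try:
        return date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return None


def triage(getprop_text, min_patch=EXAMPLE_MIN_PATCH):
    """Return the SoC family, parsed patch level, and a plain-language next step."""
    props = parse_getprop(getprop_text)
    family = soc_family(props)
    level = patch_level(props)
    patched = level is not None and level >= min_patch
    if family == "exynos" and not patched:
        advice = ("Exynos SoC below the assumed patch level: disable Wi-Fi calling "
                  "and VoLTE until the update lands")
    elif family == "exynos":
        advice = "Exynos SoC at or above the assumed patch level: confirm against the vendor bulletin"
    elif family == "unknown":
        advice = "could not identify the SoC from properties: check the model's spec sheet"
    else:
        advice = "no Exynos markers found: check your own vendor's bulletin instead"
    return {"soc": family, "patch_level": level, "patched": patched, "advice": advice}


# Constructed sample dumps (not captured from real devices).
SAMPLE_EXYNOS = """\
[ro.hardware]: [exynos2100]
[ro.board.platform]: [exynos2100]
[ro.soc.manufacturer]: [Samsung]
[ro.soc.model]: [Exynos2100]
[ro.build.version.security_patch]: [2023-02-01]
[gsm.version.baseband]: [sample-modem-fw]
"""
SAMPLE_SNAPDRAGON = """\
[ro.hardware]: [qcom]
[ro.board.platform]: [taro]
[ro.soc.manufacturer]: [QTI]
[ro.soc.model]: [SM8450]
[ro.build.version.security_patch]: [2023-03-01]
"""

if __name__ == "__main__":
    # Real use: `adb shell getprop > props.txt` then triage(open("props.txt").read()).
    for name, dump in (("exynos sample", SAMPLE_EXYNOS), ("snapdragon sample", SAMPLE_SNAPDRAGON)):
        print(name, triage(dump))
```

The reason for reading several properties rather than one: `ro.soc.*` only exists on Android 12 and later, and `ro.hardware` is often a board codename rather than an SoC name, so a single property is unreliable. Treat "unknown" as "go look at the spec sheet", not as "safe".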

6 hours ago, LAwLz said:

We don't know that.

Yes, yes we do. Like I mentioned, we already know that the Pixel 6 hasn't been updated. Then there are the carriers to consider, which don't always release the security updates in a timely manner.

 

Samsung Galaxy Z Flip for example won't get an update until March 21 for Fido customers... I'm still waiting for the Feb security update on my phone, still haven't gotten it yet.

 

6 hours ago, LAwLz said:

Yes, but we don't even know if they are patched or not, how hard they would be to execute, or what limitations they could have.

We don't even know how big or small the potential group of affected devices are.

We know based on the guidelines of Project Zero that it would have to be a significant threat of potential exploitation. It's quite clearly laid out in the Project Zero blog. It's literally the chip that controls the baseband that's exploitable, so it's safe to say that products that used that chip will be vulnerable if they utilize the exploitable feature (Wi-Fi calling and VoLTE).

 

Quote

compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number

 

6 hours ago, LAwLz said:

I find it kind of insulting that you don't think I know what war dialing is. I probably know more about computer security than the rest of this thread combined. No need to lecture me.

Then you should know that when something like Project Zero announces something like this and the delay then you shouldn't be all dismissive as though it doesn't have a potential for real impact.

 

You were the one who made it seem like I was claiming it was going to be the end of the world, where I merely was pointing out that vehicles are affected by this and it is a real concern which can be a reason why they would delay releasing details.

 

7 hours ago, LAwLz said:

It might be big, or it might be very small. We don't know, so until we do know I suggest you stop saying that things are a certain way when we don't know.

We don't know if the impact on cars is massive, so don't say it is.

It's asinine to try assuming that there might not be an impact. The fact that they specifically mention the auto version of the chip being affected by this means they must think there is an impact on cars. Again, it's a hardware-level exploit here so we do know to a certain extent that cars will be vulnerable to it if they used it.

 

Like I said, the chip that's exploitable is responsible for the camera system in the vehicle as well.  It's asinine to try pretending that it might not have an impact...when there is a lack of details and it's concerning security it's better to assume the worst and hope for the best; than waiting it out and seeing how bad it might be.

 

7 hours ago, LAwLz said:

It depends on which component of the vehicle it affects. Again, with security related things it is very important to get details right, and right now we don't have much details.

There is a very big difference between "a hacker can make your music player stop playing music" and "a hacker can control the steering and gas functions in your car".

Again, see above, the auto chip also handles the cameras.  Those systems have also been interconnected in vehicles for a while now (even like 10 years ago there was an exploit that allowed hackers to turn off the engines of a jeep while on the highway).

3735928559 - Beware of the dead beef


The scary part of these is how the system SoC in many cases on phones is not configured with memory protection in place, so compromising hardware like the modem means you can get full RW access to system memory (including executable memory on the CPU), making it very easy to jump from a modem breach to a system breach. For sure opting to not have IOMMU protections on a mobile CPU will save power and make the chip smaller, but it does leave you vulnerable to attacks like this.


5 hours ago, wanderingfool2 said:

Then you should know that when something like Project Zero announces something like this and the delay then you shouldn't be all dismissive as though it doesn't have a potential for real impact.

I find it very difficult to have a conversation with you and others in this thread when it is very clear that you don't read my posts and are just making a bunch of strawman arguments.

I never said this doesn't have a potential for real impact. What I said is that we don't know enough about this to actually know what is likely to happen and that we should stop assuming the worst, because it just makes people hysterical.

There is a very big difference between "this might happen", "this is likely to happen" and "this is what is actually happening". That's the nuance that is missing from this conversation (from some parties).

 

If we want to catastrophize this, we might as well say this is the end of the world, because it might be the case that this chip is used in something that somehow controls nuclear weapons, so this will result in nuclear war.

What do you think are the odds that this will result in cars running people over or crashing? 


5 hours ago, wanderingfool2 said:

You were the one who made it seem like I was claiming it was going to be the end of the world, where I merely was pointing out that vehicles are affected by this and it is a real concern which can be a reason why they would delay releasing details.

This entire conversation started because someone compared this to Spectre and Meltdown to "show the gravity of the situation".

My response was that it wasn't as serious as those two, to which you replied that since this affects cars it could have deadly consequences. My response was that you were jumping to conclusions and that we don't know if it could have deadly consequences and that in any case it wasn't as serious as Spectre and Meltdown. Your response was once again talking about how this could result in people's deaths because it was related to cars and that the "impact on cars is massive" and how this was serious.

 

The post after was someone saying that they were horrified because it affected cars and then started talking about how they could potentially lose their job because of this. There's clearly a lot of hysteria about this going on and I am trying to bring some middle ground to the conversation.

 

I then once again said that this is a serious vulnerability but that we don't know what impact it might have, if it will be big or small, so we should stop saying things will be a certain (catastrophic) way when we don't know.

 

I think that you and some other people are so far to the extreme end of reactions that it becomes hard for you to take in someone being a bit more nuanced. That's why you respond to my posts when I say "we don't know what will happen" with "stop saying we know nothing will happen!", which has happened several times in this post alone.


5 hours ago, wanderingfool2 said:

It's asinine to try assuming that there might not be an impact. 

I never did.

 

5 hours ago, wanderingfool2 said:

The fact that they specifically mention the auto version of the chip being affected by this means they must think there is an impact on cars.

I never said it wouldn't impact cars.

 

5 hours ago, wanderingfool2 said:

Again, it's hardware level exploit here so we do know to a certain extent that cars will be vulnerable to it if they used it.

Yes, but we don't know to which extent which is a very important detail that is missing.

 

5 hours ago, wanderingfool2 said:

It's asinine to try pretending that it might not have an impact

I never did.

I explicitly said the opposite of what you are trying to claim I said.


5 hours ago, wanderingfool2 said:

when there is a lack of details and it's concerning security it's better to assume the worst and hope for the best

No it isn't. Because if we assumed the worst then we'd all bury ourselves in bunkers right now waiting for nuclear war.

You shouldn't automatically assume the worst and hope for the best. That's a very ignorant and amateurish way of handling things. Because it only works if you are ignorant and don't act that way on 99% of all threats that exist. Like I mentioned earlier, the same patch that fixes some or all of these Exynos issues also patches several issues in Qualcomm chips that have been classified as more serious, yet I don't see anyone panicking over those.

At any point in time your phone probably has several security vulnerabilities, as well as your PC, laptop, car and so on. We don't act as if the worst thing will happen with those, right? 

I am not sure why this particular thing became such big news when similar things (serious vulnerabilities in things like modems going unpatched for a while) happen every other month and nobody bats an eye.


2 hours ago, LAwLz said:

I find it very difficult to have a conversation with you and others in this thread when it is very clear that you don't read my posts and are just making a bunch of strawman arguments.

Let's see, this is you, right?

On 3/17/2023 at 5:21 AM, LAwLz said:

I don't think this is that big of a deal, and it's most certainly not as serious as Spectre or Meltdown.

Two statements that are highly dismissive statements.  And as a note, we don't know whether or not this could become as bad as spectre or meltdown because we don't know the eventual mechanism of exploit and how much of it can be fixed; given that it's hardware related.  btw, if you have read the original post as well it was making a comparison of a famous example of when it was delayed (not specifying it was).

 

2 hours ago, LAwLz said:

I then once again said that this is a serious vulnerability but that we don't know what impact it might have, if it will be big or small, so we shouldn't stop saying things will be a certain (catastrophic) way when we don't know.

And you are accusing me of strawman arguments? I literally brought up the cars in response to you saying it's not a big deal. You literally have no way of knowing whether it's a big deal, which is why I gave the example of how it might affect a car. And your first response was as if I was crying that the world was ending and that I was comparing it to Spectre. You literally said that you don't think it's that big of a deal.

 

I never said it was certain, I was giving examples of what might be possible because you were lollygagging around being dismissive of the fact that this could have serious real world impacts.

 

You have been dismissive to any examples of a potential issue.  The fact is, I brought up the car example because it is a real world concern as having access to RCE has shown what it's capable of, so

 

The simple fact is you claim


2 hours ago, LAwLz said:

This entire conversation started because someone compared this to Spectre and Meltdown to "show the gravity of the situation".

This might have been your tl;dr but that's not really what was written:

On 3/17/2023 at 12:31 PM, HenrySalayne said:

Contrary to their general policy, Project Zero even decided to withhold four vulnerabilities from disclosure. This is only the seventh time that happened with another popular example being Spectre and Meltdown. It really shows the gravity of the situation.

Like I said, I don't know enough (like most of us) about the details and this is not my line of work. But considering how often it happens that these vulnerabilities end up not being disclosed, the researchers are obviously concerned about the impact of this vulnerability and patching takes some time.

 

Meltdown was first discovered on Intel processors but later similar attacks have been found on other platforms including ARM and Power processors (and for Spectre also AMD processors). The non-disclosure of this particular vulnerability could also hint that it is more widely spread than we currently know. It is unlikely Samsung builds modems up from scratch for every iteration.

 

Since we don't have any more information yet, we should remember that we are just speculating.


7 hours ago, wanderingfool2 said:

Lets see, this is you right?

Yep, that is me. I don't think this is a big deal, and comparing it to Spectre and Meltdown is quite frankly stupid. I am not sure why you keep making that comparison. Can we just drop it?

7 hours ago, wanderingfool2 said:

Two statements that are highly dismissive statements.

Yes, because I am trying to keep the discussion level headed and not be in panic mode like a lot of other people. You might not have noticed this, but some people who say they agree with you are describing their feelings as "horrified", and you talking about how it will cause cars to kill people and that the impact is for sure massive is not exactly helping keep the discussion level headed.

We have no evidence of the exploit even being used and yet you are in this thread proclaiming that the impact is massive. You're just spreading FUD. 


7 hours ago, wanderingfool2 said:

And as a note, we don't know whether or not this could become as bad as spectre or meltdown because we don't know the eventual mechanism of exploit and how much of it can be fixed; given that it's hardware related.

I can say for sure that this won't be as bad as Spectre or Meltdown. Wanna know how I can know that for sure? Because Spectre and Meltdown basically affected 100% of processors. This affects less than 10% of modems. The amount of vulnerable devices is laughably small in comparison. For example this won't affect any servers, which was the major risk factor with Spectre and Meltdown.

The exploit itself might be worse (we don't know), but how many devices that are at risk is a very important aspect that you are just brushing under the rug here.


7 hours ago, wanderingfool2 said:

btw, if you have read the original post as well it was making a comparison of a famous example of when it was delayed (not specifying it was).

When you say something along the lines of "X is very serious because it is similar to when Y happened" it is very obvious that the statement is trying to convey the feeling that the two situations are alike. In this case, the situations are barely anything alike so I find the comparison misleading at best. Again, this is nothing like Spectre and Meltdown. The comparisons are ridiculous and only made to try and drum up fear.


7 hours ago, wanderingfool2 said:

I never said it was certain

Yes you did. You said, among other things stuff like this:  

On 3/17/2023 at 5:46 PM, wanderingfool2 said:

The impact on cars is massive

My response to that was that we don't know how big the impact might be because we don't even know which cars have this chip, and we don't know to what extent the chip controls the cars. Your response to me saying "we don't know how big the impact can be" was a strawman argument about how I was apparently trying to claim there was no risk.

 

This is basically how the conversation has gone down in my eyes:

 

OP: This is super serious. Remember Spectre and Meltdown?

Me: I don't think it is that serious. It won't be as big of an issue as Spectre and Meltdown.

You: Yes it is serious. People might die from this and it might be as serious or more serious than Spectre and Meltdown.

Me: I think it's stupid to assume the worst. We should hold off on the doomsday thoughts until we know more about it.

Other person: The things Wanderingfool2 wrote really scared me. I am horrified by all this.

Me: You should calm down. There is no need to panic yet because we don't know enough to assess the situation properly.

You: We should all act as if our worst fears are true. We should assume the worst thing possible is going to happen, and in this case that's for example cars killing people. We should assume that's going to happen.


7 hours ago, HenrySalayne said:

Since we don't have any more information yet, we should remember that we are just speculating.

I don't have any issues with people speculating.

What I have an issue with are people speculating and then saying things like:  

16 hours ago, wanderingfool2 said:

it's better to assume the worst and hope for the best; than waiting it out and seeing how bad it might be.

Because then all of a sudden people are letting their fears and assumptions dictate how they behave, which often just leads to bad decisions. We shouldn't assume our speculations are true. We already have people in this thread saying they are terrified, and telling those people to assume the worst and act accordingly to those emotions is not going to help anyone.


On 3/17/2023 at 7:31 PM, HenrySalayne said:

turn off WiFI calling and VoLTE.

Damn. These two features are quite useful. Wi-Fi calling allows calls and texts even in an area with poor coverage, and VoLTE is basically HD Voice, which makes calls sound crystal clear.

At least the Exynos 8895 in my phone is not affected.


1 minute ago, Vishera said:

At least the Exynos 8895 in my phone is not affected.

Yet. 😬


On 3/18/2023 at 4:12 PM, LAwLz said:

Yep, that is me. I don't thinks this is a big deal, and comparing it to spectre and meltdown is quite frankly stupid. I am not sure why you keep making that comparison. Can we just drop it? 

Illiterate?  What is stupid is bringing up spectre/meltdown originally while quoting me trying to pretend that I was making a comparison between the two despite the fact that I didn't mention it at all in original post.  Or you saying that we don't know but you come out categorically stating as a fact that it's not worse than spectre/meltdown.

 

My statement about spectre is that you can't tell whether or not it has more or less impact.  I hope you can see the foolishness of your argument that you keep stating as though the two can't be compared and not as serious while simultaneously claiming there isn't enough evidence to show what the exploitability of this.

 

Again, Project Zero doesn't just delay exploit releases for any odd reason. They delay it if the release would have a significant impact, which is where Spectre and Meltdown came into play as those were the most notable that were delayed... it's also worth noting that this actually does share similarities in that it's a hardware-level exploit that can gain access to execution of code (except in this scenario it's remote access).

 

On 3/18/2023 at 4:12 PM, LAwLz said:

I can say for sure that this won't be as bad as spectre or meldown. Wanna know how I can know that for sure? Because Spectre and Meltdown basically affected 100% of processors. This affects less than 10% of modems. The amount of vulnerable devices is laughably small in comparison. For example this won't affect any servers, which was the major risk factor with Spectre and Meltdown.

The exploit itself might be worse (we don't know), but how many devices that are at risk is a very important aspect that you are just brushing under the rug here.

That is a foolish statement. Judging solely based on the criterion of number of devices.

 

An RCE is exponentially worse than CE. Spectre/Meltdown you had to run it, so yes it did affect servers more, but it's foolhardy to assume that there couldn't be larger effects based on an RCE. e.g. EternalBlue, despite being "less bad" than Spectre/Meltdown, caused a whole lot more damage.

 

The fact is we don't know the full extent of vulnerability...

 

On 3/18/2023 at 4:12 PM, LAwLz said:

You might not have noticed this, but some people who say they agree with you are describing their feelings as "horrified", and you talking about how it will cause cars to kill people and that the impact is for sure massive is not exactly helping keep the discussion level headed.

Again, your illiteracy is rearing its head. I didn't talk about it killing people. If you bothered to even comprehend what I was replying to you would have realized I was talking about the fact that the exploit affects automotive chips, whose makers are notoriously slow in updating their systems, and that it poses a risk factor which might be why they delayed the update.

 

It literally was an example to explain why they might have delayed the update as well.

 

You are claiming you know more about security, yet you are essentially claiming it's not serious in your first post. It's the same asinine response I got from the MSP back when they didn't set up the DMZ so the servers in the DMZ could see the entire network: "[Oh but it was a fully patched server, it doesn't matter that it was part of the entire network]", "PCI compliance is overkill".

 

On 3/18/2023 at 4:12 PM, LAwLz said:

"X is very serious because it is similar to when Y happened"

And if you bothered to read, no one said that.  It was literally a statement of saying that PZ has only delayed it 7 times with the most notable being Spectre/Meltdown.  It's literally giving an example of a previous time that most people know about.  If they mentioned any other one everyone would be like "what??"

 

On 3/18/2023 at 4:12 PM, LAwLz said:

Because then all of a sudden people are letting their fears and assumptions dictate how they behave, which often just leads to bad decisions. We shouldn't assume our speculations are true. We already have people in this thread saying they are terrified, and telling those people to assume the worst and act accordingly to those emotions is not going to help anyone.

When it comes to safeguarding devices, yes I always assume the worst when a RCE comes about affecting hardware I control.  I've learned that the hard way when a system I had got hit with a zero-day (fully patched, firewalls, etc) [Not ironically it was the DMZ and fully backed up].


14 hours ago, wanderingfool2 said:

Illiterate?  What is stupid is bringing up spectre/meltdown originally while quoting me trying to pretend that I was making a comparison between the two despite the fact that I didn't mention it at all in original post.  Or you saying that we don't know but you come out categorically stating as a fact that it's not worse than spectre/meltdown.

No need for personal attacks.

You did not mention it, but you quoted me and replied to a part where I was specifically talking about a comparison with Spectre and Meltdown. As a result, you were talking about it. That's how the rules of conversation go. If I mention something and you reply to that specific sentence, your own sentence is expected to be, and should be, about the thing I talked about.

You quoted me saying "[this] is not as serious as Spectre or Meltdown" by saying "it depends". That is you making a comparison against Spectre and Meltdown.

 

And yes, I can categorically say this isn't worse than Spectre or Meltdown. At least not when looking at a global impact. 


14 hours ago, wanderingfool2 said:

My statement about spectre is that you can't tell whether or not it has more or less impact.  I hope you can see the foolishness of your argument that you keep stating as though the two can't be compared and not as serious while simultaneously claiming there isn't enough evidence to show what the exploitability of this.

There are multiple things we have to consider when judging how serious something is. On one hand, we can judge it from a single device perspective. How big of an impact does something have on a single device or user. That is rarely relevant however, especially not when talking about news. We don't get a ton of media attention about a custom application I wrote having a vulnerability in it because it will just affect a handful of people. Even if the vulnerability is very severe, the number of systems affected keeps it from being a global disaster.

 

Let's say Spectre/Meltdown was a 4 in potential damage and a 5 in number of affected systems. We can multiply those together to get a decent "seriousness score".

4*5 = 20

 

This vulnerability might be more serious, let's say a 5, but it only affects a fairly small number of systems in the grand scheme of things, so let's set that number to 2.

5*2 = 10.

 

Even though the potential impact might be bigger, the number of systems (and in my opinion, the type of system) keeps it from being anywhere near as big of an issue as Spectre and Meltdown. This is just a simple example of how to calculate these things. A real calculation would factor in more things and probably assign different numbers as well so please do not use this as me saying "Spectre was exactly twice as dangerous".


14 hours ago, wanderingfool2 said:

Again, Project Zero doesn't just delay exploit released for any odd reason.  They delay it if the release would have a significant impact on it, which is where Spectre and Meltdown came into play as those were the most notable that were delayed...it's also worth noting that this actually does share similarities in that it's a hardware level exploit that can gain access to execution of code (except in this scenario it's a remote access).

The reason why Project Zero delays the disclosure of an issue is not just based on the impact. They consider several factors when delaying a disclosure, which all more or less boil down to how much benefit the disclosure would provide vs the damage it would cause. They also factor in how willing the vendor is to fix the issue.

For example, one of the vulnerabilities they withheld only had a CVSS base score of 5.5 (CVE-2020-27950). They have published far more serious vulnerabilities without extensions.

Them withholding a vulnerability does not automatically mean "this is super serious", which I think is the impression that a lot of people in this thread are under.

 

 

15 hours ago, wanderingfool2 said:

That is a foolish statement. Judging solely based on the criteria of # of devices.

Good thing I am not judging this solely based on how many devices are affected. I am factoring in the number of devices because it's an important part of the equation, but not the only one. Stop with the strawman arguments.

 

 

15 hours ago, wanderingfool2 said:

An RCE is exponentially worse than CE. With Spectre/Meltdown you had to run it, so yes, it did affect servers more, but it's foolhardy to assume that there couldn't be larger effects based on an RCE. e.g. EternalBlue, despite being "less bad" than Spectre/Meltdown, caused a whole lot more damage.

By "CE" do you mean command execution? Or do you mean "code execution" and you just dropped the "remote" part? I feel like you are making up your own abbreviations here and I'd prefer if you refrain from doing so. It makes the conversation very hard to follow because I am not sure what you mean.

 

I don't think you understood why Spectre and Meltdown were dangerous if you think you had to run them for them to cause damage. If you ask me, there were two serious scenarios with Spectre and Meltdown.

The first scenario was you personally executing malicious code that utilized it, without you even realizing it. For example, one of the first discussions was about websites using JavaScript to extract information from memory. That was a real risk that was, luckily for everyone, somewhat quickly fixed.

 

But the biggest risk was to datacenters. What Spectre and Meltdown enabled was for someone to rent for example a service on Azure, execute specially crafted code, and then steal information from other Azure customers. It didn't matter if for example the servers hosting Outlook.com didn't run any compromised code. Someone who ended up being hosted on the same machine could still steal login credentials to Outlook users, for example. LastPass having their databases leak from an AWS service? If Spectre hadn't been patched those databases could potentially have been stolen without needing to target a developer and gain access that way. 

 

I also think it's worth pointing out that it was possible to execute a Spectre-based attack remotely such as in the case of NetSpectre. It was more impractical though and as a result was never that big of a risk, which is just another example of how multiple factors have to be considered when evaluating a threat.

 

Anyway, security is a very complex subject and you have to factor in several things when evaluating the situation. It's not enough to just freak out as soon as some specific word like RCE is mentioned.

 

 

15 hours ago, wanderingfool2 said:

Again, your illiteracy is rearing its head. I didn't talk about it killing people.

Again, no need for personal attacks. Also you did talk about it killing people:  

On 3/17/2023 at 4:46 PM, wanderingfool2 said:

So these exploits could have actual deadly consequences.

What do you think "deadly consequences" mean if not "it might kill people"?

 

 

15 hours ago, wanderingfool2 said:

You are claiming you know more about security, yet you are essentially claiming it's not serious in your first post.  It's the same asinine response I got from the MSP back when they didn't setup the DMZ so the servers in the DMZ could see the entire network "[Oh but it was a fully patched server it doesn't matter that it was part of the entire network]"  "PCI compliance is overkill".

I never claimed it wasn't a serious issue. In fact, I have in several posts referred to them as serious vulnerabilities.

What I said was that I don't think Project Zero not disclosing it was that big of a deal, and I don't think these vulnerabilities are as serious as Spectre or Meltdown.

 

Not sure what your story about some MSP has to do with this thread. It just comes off as an attempt to boast about some unrelated situation that nobody except you knows anything about and that you may or may not be misrepresenting.

 

 

15 hours ago, wanderingfool2 said:

And if you bothered to read, no one said that.  It was literally a statement of saying that PZ has only delayed it 7 times with the most notable being Spectre/Meltdown.  It's literally giving an example of a previous time that most people know about.  If they mentioned any other one everyone would be like "what??"

I suggest you reread the OP. This is what they said:  

On 3/17/2023 at 12:31 PM, HenrySalayne said:

This is only the seventh time that happened with another popular example being Spectre and Meltdown. It really shows the gravity of the situation.

This is a comparison and not just a small sidenote because of the "it really shows the gravity of the situation" sentence which comes afterwards.

The two sentences quoted above operate the same way as saying "X is very serious because it is similar to when Y happened".

If we break down the sentences this is what was said:

  • Situation X (the Exynos exploit) was brought up.
  • Then OP draws attention to the fact that X shares a similarity with situation Y (Spectre and Meltdown).
  • Then concludes by saying that because they share this similarity, it is an indication of how serious the situation is.

This is a comparison. I am not sure how anyone can interpret it as anything else.

A comparison is when someone looks for similarities or dissimilarities between two things. In this case, the OP found one similarity, pointed that one out and then said that the presence of this similarity is an indicator of how serious the situation is. I took issue with OP bringing up Spectre and Meltdown, pointing out one similarity and then going "it [the similarity brought up in the previous sentence] shows the gravity of the situation", because it doesn't. The disclosure being delayed is not an indicator of how serious the situation is. 
 

 

15 hours ago, wanderingfool2 said:

When it comes to safeguarding devices, yes I always assume the worst when a RCE comes about affecting hardware I control.  I've learned that the hard way when a system I had got hit with a zero-day (fully patched, firewalls, etc) [Not ironically it was the DMZ and fully backed up].

Then I hope you are ignorant about the vast majority of vulnerabilities out there, because if you always assume the worst thing possible will happen, then you will end up severely crippled.

Judging things like the likelihood and damages of a vulnerability is a very important part of security and risk assessment/management. Disregarding all that because it is easier to just always assume the worst is kind of the lazy way out.


4 hours ago, LAwLz said:

This is a comparison and not just a small sidenote because of the "it really shows the gravity of the situation" sentence which comes afterwards.

The two sentences quoted above operate the same way as saying "X is very serious because it is similar to when Y happened".

If we break down the sentences this is what was said:

  • Situation X (the Exynos exploit) was brought up.
  • Then OP draws attention to the fact that X shares a similarity with situation Y (Spectre and Meltdown).
  • Then concludes by saying that because they share this similarity, it is an indication of how serious the situation is.

This is a comparison. I am not sure how anyone can interpret it as anything else.

A comparison is when someone looks for similarities or dissimilarities between two things. In this case, the OP found one similarity, pointed that one out and then said that the presence of this similarity is an indicator of how serious the situation is. I took issue with OP bringing up Spectre and Meltdown, pointing out one similarity and then going "it [the similarity brought up in the previous sentence] shows the gravity of the situation", because it doesn't.

Thanks for your interpretation, but the author disagrees. "It" does not refer to "example", "It" refers to the non-disclosure. It would be unusual to refer to "example" in the subordinate clause with "it" in the following sentence. 

 

5 hours ago, LAwLz said:

The disclosure being delayed is not an indicator of how serious the situation is. 

It most definitely is. The combination of the likeliness it will be exploited and the severity of damage was a key factor of their decision. 


Project Zero is generally not too fond of extending their disclosure deadline. Time is a critical factor when it comes to patching vulnerabilities. It takes a very good reason to make an exception from their policy.


New info has been released.

The other three critical vulnerabilities now have CVE-IDs.

The Pixel March security update actually fixed all the critical vulnerabilities, even though they originally only mentioned one of them in the patch notes. I would be very surprised if the Samsung patch doesn't include the fixes as well. Just that they haven't updated it yet.

 

 

 

6 hours ago, HenrySalayne said:

It most definitely is. The combination of the likeliness it will be exploited and the severity of damage was a key factor of their decision. 


Project Zero is generally not too fond of extending their disclosure deadline. Time is a critical factor when it comes to patching vulnerabilities. It takes a very good reason to make an exception from their policy.

Severity is one factor but not the sole factor, which is why I don't think you can point to them extending the disclosure deadline and then go "this is evidence that this is very serious" which is what you did in the OP. Likelihood of the vulnerability being used is another factor, but these two are not the only factors.

Them extending the deadline really isn't a good indicator of how serious something is. They can have several reasons for delaying the release that aren't directly related to severity level.

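The post above says the fixes for the critical modem vulnerabilities shipped in the Pixel March security update. The practical question for anyone reading is whether their own phone actually reports that patch level. The script below is an added example, not code from the thread or from Google; it assumes the relevant Android security patch level is 2023-03-01 (the post only says "March"), so set `REQUIRED_PATCH_LEVEL` from your vendor's bulletin. It reads the standard `ro.build.version.security_patch` and `gsm.version.baseband` system properties over adb.

```shell
#!/bin/sh
# Added example, not from the thread: check whether an attached Android device
# reports a security patch level at or after the one the March 2023 update ships.
# Assumption: the relevant level is 2023-03-01; the post only says "the Pixel
# March security update", so adjust REQUIRED_PATCH_LEVEL to your vendor's bulletin.

REQUIRED_PATCH_LEVEL="2023-03-01"

# patch_level_ok DEVICE_LEVEL [REQUIRED_LEVEL]
# Both are YYYY-MM-DD strings (the format of ro.build.version.security_patch).
# Returns 0 if DEVICE_LEVEL >= REQUIRED_LEVEL, 1 if it is older, 2 if malformed.
patch_level_ok() {
    device="$1"
    required="${2:-$REQUIRED_PATCH_LEVEL}"
    case "$device" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Strip the dashes so the dates compare as plain integers (20230305 vs 20230301).
    d=$(printf '%s' "$device" | tr -d '-')
    r=$(printf '%s' "$required" | tr -d '-')
    [ "$d" -ge "$r" ]
}

# device_patch_level: read the level from a USB-attached device via adb.
# Fails if adb is not installed or no device is connected.
device_patch_level() {
    command -v adb >/dev/null 2>&1 || return 1
    adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

# check_device: print a verdict for the attached device, non-zero if it is behind.
check_device() {
    level=$(device_patch_level) || { echo "adb not available or no device attached" >&2; return 1; }
    baseband=$(adb shell getprop gsm.version.baseband | tr -d '\r\n')
    echo "security patch level: $level (baseband: $baseband)"
    if patch_level_ok "$level"; then
        echo "OK: patch level is at or after $REQUIRED_PATCH_LEVEL"
    else
        echo "WARNING: patch level is older than $REQUIRED_PATCH_LEVEL; install the pending update"
        return 1
    fi
}

# Run the live check only when RUN_CHECK=1, so the functions can also be sourced.
if [ "${RUN_CHECK:-0}" = 1 ]; then
    check_device
fi
```

Run it as `RUN_CHECK=1 sh check_patch.sh` with USB debugging enabled. A patch level at or after the required date only tells you the OS build carries the fix; the baseband version printed alongside is there so you can compare it against whatever your vendor's bulletin lists for the modem firmware.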

13 minutes ago, LAwLz said:

Severity is one factor but not the sole factor, which is why I don't think you can point to them extending the disclosure deadline and then go "this is evidence that this is very serious" which is what you did in the OP. Likelihood of the vulnerability being used is another factor, but these two are not the only factors.

Them extending the deadline really isn't a good indicator of how serious something is. They can have several reasons for delaying the release that aren't directly related to severity level.

Which are?

Quote

Due to a very rare combination of level of access (extent of damage) these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted (probability of occurrence), we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution.

Quote

Have there been any cases where an exception to the disclosure deadline policy has been given?

Yes, in 6 out of 1797 cases the disclosure deadlines for Project Zero's issues were extended by Google:

 

