Official responses Meltdown & Spectre vunlerability

[NumLock21]

With the recent security flaw discovered to strongly affect Intel processors, which range from current ones to those that span the past decade, they have made a official response on this made. Also include are official response from AMD, Google, whom are the ones who have discovered this vunlerability, ARM, and Microsoft. The findings weren't suppose to be released until January 9th 2018, under a NDA. Due ot the importance of this info, the NDA was abruptly ended and the info is now released.

 

Google
 

Quote

 

The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.

As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data. We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web. These efforts have included collaborative analysis and the development of novel mitigations.

 

 

 

 

ARM

Quote

This method requires malware running locally and could result in data being accessed from privileged memory. Our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted.

 

AMD

Quote

There has been recent press coverage regarding a potential security issue related to modern microprocessors and speculative execution. Information security is a priority at AMD, and our security architects follow the technology ecosystem closely for new threats. The research described was performed in a controlled, dedicated lab environment by a highly knowledgeable team with detailed, non-public information about the processors targeted.
The described threat has not been seen in the public domain.
When AMD learned that researchers had discovered a new CPU attack targeting the speculative execution functionality used by multiple chip companies’ products, we immediately engaged across the ecosystem to address the teams’ findings.

Intel

Quote

 

Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively.

Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.

 

 

Microsoft

Quote

We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.

 

https://videocardz.com/74580/amd-arm-google-intel-and-microsoft-issue-official-statements-on-discovered-security-flaws

[Vandorlot]

I already heard of this but am just wondering how they would get onto the system (if this was released of course). Is it downloaded to the pc onto the os and then attacks the kernel?

[Crunchy Dragon]

Just now, Vandorlot said:

I already heard of this but am just wondering how they would get onto the system (if this was released of course). Is it downloaded to the pc onto the os and then attacks the kernel?

Sounds that way, according to ARM

 

Quote

This method requires malware running locally

So basically the same rules as usual for keeping your PC clean and malware-free, you'll basically be fine(other than the performance hit from patching this).

[NumLock21]

Patch from Microsoft. Manual download and install

• •    Windows 10 Fall Creators Update is receiving KB4056892 (Build 16299.192)
• •    Windows 10 Creators Update Version 17033 gets KB4056891 (Build 15063.850)
• •    Version 1607 is getting KB4056890 (Build 14393.2007)
• •    1511 receives KB4056888 (Build 10586.1356) – for enterprise and education only.
• •    The original Windows 10 version is receiving KB4056893 (Build 10240.17738) – for enterprise only.

[Helly]

At least 1 of the flaws can be exploited through javascript already, it is expected that more and different types will follow, so just visiting a website could be enough. Update ur browsers as well ?

[Curufinwe_wins]

Yay. Patch your shit and be done with it.

 

Imagine that.

[Arika]

1 minute ago, Curufinwe_wins said:

Yay. Patch your shit and be done with it.

 

Imagine that.

just like everything else that people have been losing their minds over. cant wait until the threads about this stop.

[Techicolors]

while we're on the topic of official responses, Apple released their response 

 

https://support.apple.com/en-us/HT208394

 

Quote

Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.

 

[mynameisjuan]

3 minutes ago, Sierra Fox said:

just like everything else that people have been losing their minds over. cant wait until the threads about this stop.

Same....bugs happen. Not the end of the world. 

[RadiatingLight]

37 minutes ago, Helly said:

At least 1 of the flaws can be exploited through javascript already, it is expected that more and different types will follow, so just visiting a website could be enough. Update ur browsers as well ?

Funnily enough, chrome isn't updated yet, but Edge, Firefox, and Internet Explorer are all safe.

[RadiatingLight]

26 minutes ago, Curufinwe_wins said:

Yay. Patch your shit and be done with it.

 

Imagine that.

Patches only work for meltdown though...

Spectre AFAIK is a hardware-level bug that can't be mitigated in software at all, so we need a new CPU architecture to fix that one.

[Curufinwe_wins]

Just now, RadiatingLight said:

Funnily enough, chrome isn't updated yet, but Edge, Firefox, and Internet Explorer are all safe.

Edge and Internet Explorer are actually almost constantly "safer" than any other main-stream browsers (at least since the Win 8 era). They also tend to be the slowest heh.

[Curufinwe_wins]

4 minutes ago, RadiatingLight said:

Patches only work for meltdown though...

Spectre AFAIK is a hardware-level bug that can't be mitigated in software at all, so we need a new CPU architecture to fix that one.

Microcode updates are expected to fix all of that regardless. And there are software patches, they just don't technically fix the actual issue, but rather attempt to make the exploit unreachable. Both methods are the spaces in which perhaps there will be higher levels of performance degradation, but I don't expect significant impact regardless.

 

Intel's official statement is that the sets of fixes already out and being pushed over the next short time patches all of the vulnerabilities.

 

Hardware fixes probably won't come until the generation after this one though.

[Helly]

I noticed that no one in any reaction speaks of a windows 7(or 8.1 for that matter) update. Anyone got a link for that if it exists? Or is it no longer getting security updates? Seems like a shitty thing considering so many people still use it (not me which is why i ask for a link instead of searching for it myself :P). Microsoft using all this for another chance at pushing ppl to win10 maybe?

[RefresherMan]

Does this actually give me a valid reason to upgrade to W10 now?

[MaxBunny]

4 minutes ago, RefresherMan said:

Does this actually give me a valid reason to upgrade to W10 now?

If you're using Windows 95 or below then you're fine and this doesn't affect you.

[RefresherMan]

Just now, MaxBunny said:

If you're using Windows 95 or below then you're fine and this doesn't affect you.

I'm on Windows 7 though, and a lot of other people are too

[Matu20]

8 minutes ago, RefresherMan said:

I'm on Windows 7 though, and a lot of other people are too

Then you're at risk, W7 ain't here to save your ass this time.

[RefresherMan]

2 hours ago, Matu20 said:

Then you're at risk, W7 ain't here to save your ass this time.

Actually, I just installed the patch mate

 

 

W7 for life, or until Microsoft stops supporting it haha.

 

 

[Bit_Guardian]

3 minutes ago, RefresherMan said:

Actually, I just installed the patch mate

 

 

W7 for life, or until Microsoft stops supporting it haha.

 

 

And then you'll switch to a real man's OS, like OpenSUSE.

[RefresherMan]

22 minutes ago, Bit_Guardian said:

And then you'll switch to a real man's OS, like OpenSUSE.

Hehe. I actually do some game development in the Godot engine. And it loves Linux, in fact, I tried it on Linux Mint and scene previewing was 100ms faster. (Very noticeable, compared to Windows)

[jagdtigger]

6 hours ago, Curufinwe_wins said:

Yay. Patch your shit and be done with it.

 

Imagine that.

Patch a hole so others cant steal your data but at the same time it makes an another hole for the maker of the patch, or leave open the original hole... I couldnt ask for better choices. /s

[elfensky]

6 hours ago, Helly said:

At least 1 of the flaws can be exploited through javascript already, it is expected that more and different types will follow, so just visiting a website could be enough. Update ur browsers as well ?

Dammit. Thanks for the heads up. I'll just have to update windows asap and hope for the best.

[LAwLz]

HPE has also released a statement to their internal users and partners.

Both Intel and AMD proactively contacted HPE and they are working on fixes right now.

 

They expect "very minimal impact to system performance" but also say that "any slower performance resulting from the OS and microprocessor patch updates will vary based on the OS and workload".

[asus killer]

I am more concerned about my android phone, does this affect it also? I hear nothing about patches for phones.