
Understanding CPU Vulnerabilities: Meltdown & Spectre


8 replies to this topic

#1 Oxonsi

Oxonsi

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:05:06 PM

Posted 09 May 2018 - 12:49 PM

I understand these are hardware vulnerabilities related to processor design and unintended side effects of speculative execution.  Of the two, Meltdown is easier to fix, and can be (largely) addressed by OS updates.  There are two variants of Spectre, making it a class of attack more than a specific vulnerability.  While Spectre can be mitigated through OS and browser updates, it requires BIOS / UEFI firmware updates to fully address.  Both Meltdown and Spectre put personal data at risk, allowing an attacker to extract information from system memory [e.g. passwords, credit card details], really anything that has not been cleared from the system cache.

 

My question is:  do Meltdown and Spectre require malicious code to execute on the target machine in order to work?  I understand that traditional security software such as anti-virus, etc. will not recognize nor protect one from Meltdown and Spectre.  And no system is 100% secure and fool-proof, but if one exercises sound security practices including keeping browsers and other software updated, using a multi-layered approach of anti-malware, anti-exploit, and firewall software ... should one be reasonably protected from Meltdown & Spectre without the specific patches?

 

The reason I ask is:  I have an older system originally purchased spring of 2012.  My motherboard, ASUS Rampage IV Extreme, apparently does not yet have a BIOS / UEFI update to address Spectre.  Also, I am on Windows 10 and have the patch addressing Meltdown, but I do note that the system is noticeably less responsive...  One needs to decide between protection from Meltdown vs system performance.  Given the seriousness of the vulnerability [potential identity theft], it would seem foolish to choose anything other than the best protection.  But I don't know how great the risk is if one decides to disable the patch while maintaining otherwise sound security practices.

 

I do know malicious code is usually insidious, often relying on social engineering to induce the user to say temporarily disable their AV, or escalate privilege to admin, etc.  There are also malvertising and forced downloads, etc.  It is difficult to 100% avoid allowing malicious code to run.

 

I would appreciate any feedback.  Thanks!


Edited by Oxonsi, 09 May 2018 - 12:50 PM.



 


#2 cunikcz

cunikcz

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:11:06 PM

Posted 09 May 2018 - 04:59 PM

Hi,

These Hardware Vulnerabilities can't fix anything. It's deep in Hardware. Antivirus cannot protect you from these things.

#3 badtoad

badtoad

  • Members
  • 157 posts
  • OFFLINE
  •  
  • Local time:06:06 PM

Posted 10 May 2018 - 04:48 AM

The problem with Spectre and Meltdown is experts cannot even agree if they have been seen in the wild. I uninstalled Spectre patch and disabled Meltdown because they were causing issues. In my opinion I think the threat has been hyped. Yes you can be hacked but you could also win the lottery.



#4 midimusicman79

midimusicman79

  • Members
  • 645 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:12:06 AM

Posted 10 May 2018 - 08:05 AM

Hi, Oxonsi!

 

FWIW: Gibson Research InSpectre test for Meltdown & Spectre vulnerabilities is available from here;

 

https://www.grc.com/inspectre.htm

 

Regards,

midimusicman79


MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free and Unchecky, WFW, FFQ with uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.


#5 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 7,755 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:06:06 PM

Posted 10 May 2018 - 10:00 AM

Oxonsi wrote, in part:  It is difficult to 100% avoid allowing malicious code to run.

 

To which I am replying, "No, it is not, quite the opposite."  Virtually any form of malicious code you can name, with very rare exceptions, is loaded on to a computer and executed due to direct user action.  It is exceedingly rare to get infections of any sort if you simply follow some basic rules for safe computing.

 

Our own Quietman7  has written extensively on the subject of security.  The following are three "must reads:"

 
 
 
 
I have not had an infection on any system I own for decades now, and I am not "extremely cautious" about interacting with cyberspace, just reasonably cautious.  It really is not difficult to avoid most of the things that can infect a computer if you're the slightest bit circumspect about where you visit, what you click on, and what you download.

Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

      Memory is a crazy woman that hoards rags and throws away food.

                    ~ Austin O'Malley

 

 

 

              

 


#6 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 7,755 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:06:06 PM

Posted 10 May 2018 - 10:06 AM

Yes you can be hacked but you could also win the lottery.

 

And the fact of the matter is that "big dollar hacking" tends to be aimed at "big dollar targets."

 

If the goal is making money, rather than just making a reputation for oneself as being skilled enough to compromise something, the individual user is not, in any way, the most likely target.  Not that they're never the target, but it all comes down to making an accurate risk assessment.




#7 Oxonsi

Oxonsi
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:05:06 PM

Posted 10 May 2018 - 02:10 PM

Thanks for the replies.

 

britechguy, I guess you are correct.  I also have not been infected in many years.  I suppose my perception that it is easy to be infected comes from the prevalence of infections among the general public.  But that is no doubt due to any combination of:  basic computer illiteracy, carelessness, and risky habits, etc.  Much of the malware is stealthy in preying on human gullibility, etc.  And even some relatively informed people are not aware of weaponized Office documents, malvertising on reputable websites, etc.  That's why I said it is difficult to 100% avoid malicious code.

 

I also do not believe I am a target.  If hackers scan online for computers that are vulnerable to Meltdown and Spectre, then I could theoretically be identified as a viable target.  But my understanding is that my router and computer are not responding to unsolicited contacts, so my system should be "invisible" to hackers scanning for targets.

 

And I'm guessing that in order to execute a Meltdown or Spectre attack, the cybercriminal would need either physical access to the computer or remote access.  I'm not too worried about physical access because I have not had a break-in to the house attempted in the 20+ years of living here.  And I would be surprised if an intruder tried to execute malicious code on the computer; more likely they'd just steal the computer.

 

It would theoretically be possible for a RAT (remote access Trojan) to get through my defenses and operate undetected.  And then I imagine the cybercriminal could execute a Meltdown or Spectre attack on the system.  Without patching the attack would go undetected and un-prevented.  This is a stealth attack which could go completely unnoticed until one day one discovers their identity stolen.  And even then one may not realize it was stolen through a compromised computer...  Unlike ransomware attacks where one definitely becomes aware an attack has taken place!

 

Both of those scenarios seem unlikely to me.  Existing layers of security should prevent or detect and delete a RAT.  So unless I'm missing something, it is unlikely one would ever experience a Meltdown or Spectre attack.  But maybe I'm missing something in that an attacker doesn't require some kind of access to the computer to perform these attacks?


Edited by Oxonsi, 10 May 2018 - 02:17 PM.


#8 Oxonsi

Oxonsi
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:05:06 PM

Posted 10 May 2018 - 02:13 PM

Thanks for the links.  I will definitely be interested in reading those.  I'm trying to educate myself as much as possible :)



#9 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:06 AM

Posted 10 May 2018 - 02:46 PM

Spectre & Meltdown is/was a significant risk for VPS, cloud services, ...

Many of them patched before the vulnerabilities were publicly announced.

 

The attack scenario: rent a CPU on a shared infrastructure, run the exploit and steal data from other servers running on the same infrastructure.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"




