Author Topic: Mac, PC or smartphone? A major security flaw SNAFU.

Geek-9pm
Mac, PC or smartphone? A major security flaw SNAFU.
« on: January 05, 2018, 10:27:56 PM »
A number of media broadcasts today say that Apple and others know of two major security flaws. The flaws are not software exactly. Rather, it is something inside the chips made by Intel or others.
Here is one of these stories:
http://www.ktvb.com/news/nation-world/mac-pc-or-smartphone-major-security-flaw-what-to-do-intel-cpu/505063383
Quote
Apple says all of its Macs, iPhones and iPads contain a security flaw that requires an update. It's not alone. Any owner of a PC, tablet or smartphone should make sure that automatic software updates for their operating systems are enabled after security researchers this week revealed a broad flaw in Intel and other chips that could allow hackers to access data previously thought to be secure.
Question: How did this happen?  >:(

EDIT: Another link:
https://www.technologyreview.com/s/609891/at-least-3-billion-computer-chips-have-the-spectre-security-hole/
Quote
Its chief U.S. competitor, AMD, which has been gaining ground on Intel, said in a blog post that its chips are not vulnerable to Meltdown and there is a “near zero risk” from one variant of Spectre and zero risk from another.
« Last Edit: January 05, 2018, 11:18:18 PM by Geek-9pm »

BC_Programmer
Re: Mac, PC or smartphone? A major security flaw SNAFU.
« Reply #1 on: January 05, 2018, 11:43:19 PM »
IMO, the media response to the flaw is vastly overblown, which is about what you can expect for any security-related issue.

"Meltdown" is a security issue related to speculative execution on Intel Processors which (allegedly) dates to the Pentium Pro and affects all x86 processors save certain Atom chips. It allows local processes, by carefully manipulating their specific Assembly instructions and use of the CPU cache, paired with tight timing (it is a race condition, after all) to possibly read small segments of memory from areas within the process address space that they would typically be restricted from accessing.

Spectre is a related vulnerability which is largely the same but doesn't allow directly reading information but allows otherwise restricted information to be "guessed" based on specific timings of page faults under certain instructions.

As far as I can tell, both exploits require the ability to execute direct machine code, e.g. local machine access, so the attack surface is not particularly wide. Of course, a vulnerability in a web browser which allows a piece of javascript to "escape" the sandbox and run arbitrary assembly code might be able to read restricted memory addresses....

But then we also have ASLR, which randomizes the Address Space Layout of processes in largely unpredictable ways. And the process is incredibly slow to read these areas of memory, as the turnaround time is rather long (for software) and the throughput is small. You would have to know precisely where to look for something to get anything that was particularly valuable/secure.

There are claims that this will allow free access, via Javascript, to all of your physical Memory; or that it will allow malicious websites to steal SSL certificates and signing keys. But it only allows access within the same process address space, and things like SSL certificates and signing keys aren't usually kept in Kernel memory anyway; a javascript exploit that allows you to read the process memory of the browser normally doesn't really need an exploit to run amok.

And it's unclear how ASLR might factor into this, as well. It seems like at best it will make the segments of data that are from privileged areas of memory that are accessible to user-mode code through the vulnerability unpredictable.

Personally I think the media response is the same old security circus they make about every "security issue"; the only real winners are the vendors of security software, who get more customers because everyday users have been frightened by the idiotic coverage. The fact is that infecting your typical user typically requires nothing more than a readme file saying to shut off their AV and to run it as administrator, and certainly doesn't require some elaborate, complicated CPU security flaw that requires assembly language and tight timings to pull off.
I was trying to dereference Null Pointers before it was cool.

DaveLembke
Re: Mac, PC or smartphone? A major security flaw SNAFU.
« Reply #2 on: January 06, 2018, 02:13:17 PM »
This was the topic of discussion at work today as it was in yesterday's newspaper. As BC stated, I feel it is the security circus "scare tactics" which makes for news ratings to draw attention and make it sound way worse than it really is.

In addition to the winners being the vendors of security software, this likely also caused some over-paranoid users to ditch their Intel computers for a new AMD system since AMD doesn't have this first flaw.

The second flaw affects all processors Intel and AMD, and Phones & Tablets with ARM based processors and it looks to be easily patched.


http://www.zdnet.com/article/security-flaws-affect-every-intel-chip-since-1995-arm-processors-vulnerable/

I'm curious though how javascript could pull off such a means to read memory outside of its scope unless it's something along the lines of accessing array elements outside of the normal scope to try to read in information that is outside of that of the javascript program itself. In my years of hobbyist programming I have accidentally accessed array elements outside of the scope, such as when forgetting that arrays start at 0 and not 1, and so I call array[64] to get the 64th element, but it's actually the 65th element, and if you have 64 characters stored etc., it's really between 0 and 63, and so whatever is read in at array[64] is whatever was last stored at that memory address, and it's unpredictable what the output would be.

In other languages there are methods of accessing memory directly to get whatever is stored at specific addresses, as well as, if you know a memory address that is used for specific pieces of information, you can exploit that to grab info or force-change info, which is how a lot of game cheats work: by memory injection to make a game god mode where the value is refreshed to maximum even if the game itself has reduction calculations that are supposed to reduce the hit points or health bar of a player etc.; it constantly tops the value off or the value is set to a huge number. In my tinkering with javascript, it has felt as if there are very tight controls on what is and isn't allowed. Calling to an array element outside of the scope, however, last I knew wasn't restricted and is still doable to grab whatever is in memory at that placeholder. ::) But to read in memory by some other means, I am not aware of any methods with javascript due to the limitations in place in its design. Additionally, due to the inability to write to a file from javascript, it's not like you can create another file type from javascript and then call to that to execute, which other script and programming methods are not restricted from. :-\

Geek-9pm
Re: Mac, PC or smartphone? A major security flaw SNAFU.
« Reply #3 on: January 06, 2018, 04:00:26 PM »
In some of the articles about the 'fix' is a concern the 'fix' will slow down the CPU. Such would be a concern to companies that do a lot of data processing. They may prefer to ignore the risk and go for better throughput with the very small risk of getting an infection.
Some administrators would rather not have a patch that reduces the throughput even if it makes the CPU only 7% slower.

DaveLembke
Re: Mac, PC or smartphone? A major security flaw SNAFU.
« Reply #4 on: January 06, 2018, 04:17:10 PM »
If there is a performance hit then hopefully there is a choice on implementing it in a corporate environment via an update server; however, with Windows 10 it's a forced update at this time for non-corporate systems.

I have a year-old Dell Core i3-5015U 2.1 GHz laptop that is Windows 10 that I haven't turned on in about 4 months because I prefer Windows 7 for what I use my laptops for. I will run a benchmark I guess offline and then save that data and then roll it forward to all updates and run a benchmark after and see if there is any change to what the CPU can crunch for single and multithreaded tasks.
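
An added example, not code from this thread or from any of its posters: the slowdown Geek-9pm's articles talk about comes from the fix the operating system applies at the user/kernel boundary, so a benchmark aimed at that boundary is more telling than a general CPU-crunching score. The program below times a cheap system call (getppid(), which does almost no work in the kernel, so its cost is mostly the mode switch) next to an ordinary function call as a baseline. Run it before and after patching on the same machine and compare the first line. Function names, iteration counts and the output format are my own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdint.h>
#include <time.h>
#include <unistd.h>

/* Added example: microbenchmark of the user -> kernel -> user round trip.
 * getppid() is a near-empty system call, so its cost is dominated by the mode
 * switch itself, which is exactly what the Meltdown-era kernel fixes make dearer.
 * Function names and iteration counts are assumptions, not from the thread. */

/* Monotonic wall-clock time in nanoseconds. */
static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* Baseline: a user-space call the compiler cannot inline or discard. */
static volatile unsigned sink;
static void __attribute__((noinline)) user_call(unsigned v) { sink = v; }

/* Average nanoseconds per getppid() system call over `iterations` calls. */
double syscall_ns_per_call(unsigned iterations) {
    if (iterations == 0) return 0.0;
    uint64_t t0 = now_ns();
    for (unsigned i = 0; i < iterations; i++)
        sink = (unsigned)getppid();   /* one kernel entry and exit per iteration */
    return (double)(now_ns() - t0) / iterations;
}

/* Average nanoseconds per plain user-space call, same loop shape. */
double usercall_ns_per_call(unsigned iterations) {
    if (iterations == 0) return 0.0;
    uint64_t t0 = now_ns();
    for (unsigned i = 0; i < iterations; i++)
        user_call(i);
    return (double)(now_ns() - t0) / iterations;
}

int main(void) {
    const unsigned n = 1000000;
    syscall_ns_per_call(10000);           /* warm up caches and page tables */
    double sc = syscall_ns_per_call(n);
    double uc = usercall_ns_per_call(n);
    printf("getppid() syscall : %8.1f ns/call\n", sc);
    printf("user-space call   : %8.1f ns/call\n", uc);
    printf("ratio             : %8.1f x\n", uc > 0.0 ? sc / uc : 0.0);
    printf("Compare the first line before and after patching; a fix at the\n"
           "user/kernel boundary shows up there, not in pure compute loops.\n");
    return 0;
}
```

The ratio line is the useful number to keep: it is largely independent of clock speed, so a before/after comparison on the same box isolates the cost of the kernel-entry change from everything else the update may have touched. Software that makes few system calls (most desktop compute and games) sees little of this; software that makes millions per second (databases, network servers) is where the reported double-digit percentages come from.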


BC_Programmer
Re: Mac, PC or smartphone? A major security flaw SNAFU.
« Reply #5 on: January 06, 2018, 05:34:16 PM »
Meltdown is fixable. It involves patching context switches between user and kernel mode to account for the possibility of the flaw. This reduces the performance of such calls. That is what will affect software performance.

However, realistically, the context switches were already one of the most time-intensive things that could be done, so software already avoids them at all costs. The patch is speculated to reduce performance as much as 30% but so far even synthetic benchmarks have shown very little real-world difference in most applications. A few companies have had problems which they have now blamed on the patch for reducing performance as much as 60% which I'm skeptical of.

Spectre is not fixable in existing chips. It is much harder to exploit though and doesn't give much information.

As far as Javascript goes, that was sort of my point. Exploiting these security issues requires rather low level access to be able to run Machine code instructions, which is not something you can do in Javascript, which means that utilizing Meltdown or Spectre from javascript will require also exploiting far more serious browser security problems that would allow, for example, a javascript string to be directly executed as machine code, or something.

At the point where untrusted software is able to directly execute machine-code instructions on your PC I think the "battle is lost" anyway. Aspects like UAC or AV software can protect you but at that point your system is effectively compromised.

As I mentioned for the majority of consumer systems, these sorts of exploits are entirely redundant. It wouldn't make sense to design an elaborate scheme involving obscure, low-level exploits in the hardware when so many people are security-ignorant and happily turn off their AV because you claim your software is a "false positive" and then wonder where the malware keeps coming from.
I was trying to dereference Null Pointers before it was cool.
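
An added example, not code from this thread or from any of its posters: BC_Programmer's split between what is fixable (Meltdown, via the kernel's page-table change) and what existing chips cannot fully fix (Spectre) can be checked on a Linux machine rather than taken on faith, because kernels from 4.15 onward publish a one-line status per issue under /sys/devices/system/cpu/vulnerabilities/. The program below reads those files and classifies each line as mitigated, vulnerable or not affected, and first runs the classifier over a few sample lines in the kernel's format so it still does something useful where sysfs is absent. The function and type names and the sample lines are my own; the path and the status wording are the kernel's.

```c
#include <stdio.h>
#include <string.h>

/* Added example: classify the status lines the Linux kernel (4.15+) writes under
 * /sys/devices/system/cpu/vulnerabilities/<issue>. Each file holds one line that
 * starts with "Not affected", "Mitigation: ...", "Vulnerable" or "Vulnerable: ...".
 * Function and type names are assumptions; the path and wording are the kernel's. */

typedef enum { VULN_NOT_AFFECTED, VULN_MITIGATED, VULN_VULNERABLE, VULN_UNKNOWN } vuln_status;

/* Map one status line onto a coarse verdict by its leading keyword. */
vuln_status classify_status(const char *line) {
    if (strncmp(line, "Not affected", 12) == 0) return VULN_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return VULN_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return VULN_VULNERABLE;
    return VULN_UNKNOWN;   /* e.g. "Unknown" on some architectures, or an unrecognised format */
}

const char *status_name(vuln_status s) {
    switch (s) {
    case VULN_NOT_AFFECTED: return "not affected";
    case VULN_MITIGATED:    return "mitigated";
    case VULN_VULNERABLE:   return "VULNERABLE";
    default:                return "unknown";
    }
}

/* Read one issue's status line into buf. Returns 0 on success, -1 when the file
 * is missing (kernel older than 4.15, or not Linux at all). */
int read_vuln_status(const char *issue, char *buf, size_t bufsz) {
    char path[256];
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", issue);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int ok = fgets(buf, (int)bufsz, f) != NULL;
    fclose(f);
    if (!ok) return -1;
    buf[strcspn(buf, "\n")] = '\0';   /* drop the trailing newline */
    return 0;
}

/* How many of a set of status lines still report the issue as open. */
size_t count_vulnerable(const char *const *lines, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_status(lines[i]) == VULN_VULNERABLE) c++;
    return c;
}

int main(void) {
    /* Constructed sample lines in the kernel's format, so the classifier can be
     * exercised even on a machine with no sysfs entries. */
    const char *const samples[] = {
        "Mitigation: PTI",                             /* meltdown with the page-table fix */
        "Mitigation: __user pointer sanitization",     /* spectre_v1 */
        "Vulnerable: Minimal generic ASM retpoline",   /* spectre_v2, partial mitigation only */
        "Not affected",
    };
    size_t n = sizeof samples / sizeof samples[0];
    printf("sample lines still vulnerable: %zu of %zu\n", count_vulnerable(samples, n), n);

    /* Live check of the three issues this thread is about. */
    const char *issues[] = { "meltdown", "spectre_v1", "spectre_v2" };
    char line[256];
    for (size_t i = 0; i < sizeof issues / sizeof issues[0]; i++) {
        if (read_vuln_status(issues[i], line, sizeof line) == 0)
            printf("%-10s %-13s %s\n", issues[i], status_name(classify_status(line)), line);
        else
            printf("%-10s (no sysfs entry: kernel older than 4.15 or not Linux)\n", issues[i]);
    }
    return 0;
}
```

The point of the prefix test is that a line beginning "Vulnerable:" still counts as open even when it names a partial mitigation after the colon, which is the case that a naive search for the word "retpoline" would get wrong. On a fleet, the same three reads over SSH give a faster and more honest answer than any benchmark about whether the patch an admin chose to skip for throughput is actually absent.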