
Spoiler Alert: New Security Vulnerability Found Affecting Intel CPUs

While that is true, the default Windows config doesn't allow for remote exploitation. A user/admin would need to deliberately open up a system to be vulnerable, which no one is foolish/stupid enough to do, effectively making physical access a requirement.

If that were true, things like privilege escalation exploits wouldn't exist. The truth is, if someone wants your data, they will get it. No matter where it is. At home, a data center, your phone. The web is fundamentally insecure.

The security that most of us have is that we are simply not interesting enough or profitable enough to target as individuals. That is why corporations and data centers are the target. You can bury your head in the sand all you want but it doesn't change anything.
 
If that were true, things like privilege escalation exploits wouldn't exist. The truth is, if someone wants your data, they will get it. No matter where it is. At home, a data center, your phone. The web is fundamentally insecure.
Can't argue with that, because it's true. What I meant was that these particular vulnerabilities are very fundamentally difficult to pull off remotely.
 
WHOOAA! Didn't realize this could be done in conjunction with simple JavaScript to speed up attack vectors :eek:

Now, this has the potential to get real bad, relatively quickly and not just for servers once the hacking tools become more common and readily available.
 
I am sure AMD CPUs are affected too... This is not negligence, it is a principle bug. Every processor needs speculative execution, or else it will crawl. And that opens the gate to this kind of attack.
They just haven't found the AMD one yet.

It's funny that a similar comment above got down voted.
 
Thinking I missed something. Where did you read that?

You can read through the research paper (tedious even if you understand it), but here is a good summary of how it could be done.

Basically, in principle (until systematically proven, but by the looks of it, it sure seems likely) the exploit can run at the same time as a simple website JavaScript.

i.e.: The exploit can lift the information from server memory operations when, let's say... it could be comparing passwords in memory for authorization, and feed it back to the running JavaScript, which could just use it in a brute force attack, without needing the brute force anymore.

Do this fast enough even 2FA could be exploited.
 
You can read through the research paper (tedious even if you understand it), but here is a good summary of how it could be done.

Basically, in principle (until systematically proven, but by the looks of it, it sure seems likely) the exploit can run at the same time as a simple website JavaScript.

i.e.: The exploit can lift the information from server memory operations when, let's say... it could be comparing passwords in memory for authorization, and feed it back to the running JavaScript, which could just use it in a brute force attack, without needing the brute force anymore.

Do this fast enough even 2FA could be exploited.

The problem is that the attacker needs to get the script on the server to begin with. That requires at least successfully exploiting one other vulnerability which is likely going to be XSS (cross site scripting) because a ridiculously high number of sites are vulnerable (read: nearly any).
 
The problem is that the attacker needs to get the script on the server to begin with. That requires at least successfully exploiting one other vulnerability which is likely going to be XSS (cross site scripting) because a ridiculously high number of sites are vulnerable (read: nearly any).

Or maybe turn it around to the user's computer using a password manager, which is probably much easier to infect than a "well patched" server.

The possibilities are wide open at this point. The more I'm reading, the more this seems like the most flexible exploit I've seen in a very long time.
 
Or maybe turn it around to the user's computer using a password manager, which is probably much easier to infect than a "well patched" server.

The possibilities are wide open at this point. The more I'm reading, the more this seems like the most flexible exploit I've seen in a very long time.

Javascript will be the scourge of the internet for a while. The problem with the web is the insecurity is built into the HTTP protocol itself as being an RFC compliant server means you have to be backwards compatible with previous HTTP versions. Just look up HTTP 0.9 and then proceed to cry.
 
If it ain't broke don't fix...
Still mourning the loss of that approach with software in the Internet era, but at least we hadn't so far been 'forced' to unnecessarily upgrade PC hardware to maintain security.
 
In my opinion, it is great that security is finally getting highlighted. Now people will understand that 90% of businesses don't give two poos about protecting your data. This may not be a problem for consumers...until it is. Just remember the processors sitting in all those data centers holding all of your data. Then you find out that every piece of software and hardware you use on a daily basis makes Swiss cheese look like concrete, because security and privacy are the first things that get thrown out the window when the budget hammer comes down. Disgusting, frankly.

Truth be told, 9/10 users don't need to worry about this. Most of these attacks require people that actually know what they are doing. The morons will get sniffed out before they have a chance to do anything.

I find the biggest attention in threads like this is fans of both sides doing one-upmanship each time a new vulnerability is discovered. For example, if someone asks whether Corsair AIOs present a real world risk, I could do a web search and I'd find .... OK, it doesn't happen often, but it does happen, so that's not 100% ... you decide if it's worth the risk.

https://forums.tomshardware.com/threads/my-corsair-h60-exploded.326466/
https://www.reddit.com/r/buildapc/comments/4pxjp2/corsair_h100i_v2_exploded_on_my_3_day_old_build/

But if someone asks whether this or that vulnerability from AMD / Intel presents a risk ... I have yet to come up with any real world scenario where someone says "this happened to me".
 
You're quite right. It is very unlikely anyone will deal with this directly. But it could affect any of us indirectly.

Neither 'side' should gloat. Any CPU that performs speculative execution is flawed.
 
So in other words they discovered the NSA's back door.

Yeah, no. Timing based attacks and stuff like this really aren't backdoors but incredibly advanced reverse engineering of an incredibly complex machine. If it's a backdoor, it's a helluva bad one.

Nah. This is likely a legitimate bug. The NSA backdoor is in the Intel Management Engine.
https://en.wikipedia.org/wiki/Intel_Management_Engine

See my post where I dissect and scrub the management engine from some ASRock boards. TL;DR: Even that is not really able to function as a backdoor.

So you would have to have code running on the machine that sits there looking for the moment when it can intercept a full address to a page in memory, and then grab that out of memory, in the hopes that it has sensitive data in there.

And after I grab that sensitive data and figure out how to use it, I will clean my house with a toothpick.

On datacenters that rent out servers this is a real issue. Suddenly anyone with a login that can execute anything can escalate privileges.

Beyond that, it's of limited scope.
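A defender-side check that follows from the threat model in this post (untrusted code running locally on a shared host): the Linux kernel reports whether its Spectre/Meltdown mitigations are active in files under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not code from this thread; the sample status lines are constructed to mimic the kernel's format, and the classification rules are an assumption based on the "Not affected" / "Mitigation:" / "Vulnerable" / "Unknown" prefixes those files use.

```python
from pathlib import Path

# Real sysfs location where the Linux kernel reports per-vulnerability mitigation status.
SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample (not read from a real host) showing the kinds of line the kernel emits.
SAMPLE_STATUS = {
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling",
    "meltdown": "Vulnerable",
    "l1tf": "Not affected",
    "srbds": "Unknown: Dependent on hypervisor status",
}


def classify(status_line: str) -> str:
    """Map one sysfs status line to 'not_affected', 'mitigated', 'unknown' or 'vulnerable'."""
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Unknown"):
        return "unknown"
    # "Vulnerable" and "Vulnerable: <reason>" (e.g. missing microcode) both land here.
    return "vulnerable"


def audit(status: dict) -> tuple:
    """Return (per-item classification, sorted names that still need attention)."""
    result = {name: classify(line) for name, line in status.items()}
    attention = sorted(n for n, c in result.items() if c in ("vulnerable", "unknown"))
    return result, attention


def read_sysfs(directory: Path = SYSFS_VULN_DIR) -> dict:
    """Read the live status files; empty dict on non-Linux hosts or kernels without them."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(directory.iterdir()) if p.is_file()}


if __name__ == "__main__":
    # Fall back to the constructed sample when the host does not expose the sysfs files.
    live = read_sysfs()
    classes, todo = audit(live or SAMPLE_STATUS)
    for name, cls in classes.items():
        print(f"{name:12s} {cls}")
    print("needs attention:", ", ".join(todo) or "none")
```

On a rented server the items listed under "needs attention" are the ones where a co-tenant's local code is the relevant threat, so they are the first thing to reconcile against the provider's patch and microcode status.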

If that were true, things like privilege escalation exploits wouldn't exist. The truth is, if someone wants your data, they will get it. No matter where it is. At home, a data center, your phone. The web is fundamentally insecure.

It's all about making the data harder to get than it is worth.

That barrier works. Things like this massively break down that barrier, though.

bulldozer it is not...

Piledriver it is

Begun, the clone wars has...

/yoda speak
 
You can read through the research paper (tedious even if you understand it), but here is a good summary of how it could be done.

Basically, in principle (until systematically proven, but by the looks of it, it sure seems likely) the exploit can run at the same time as a simple website JavaScript.

i.e.: The exploit can lift the information from server memory operations when, let's say... it could be comparing passwords in memory for authorization, and feed it back to the running JavaScript, which could just use it in a brute force attack, without needing the brute force anymore.

Do this fast enough even 2FA could be exploited.

It's posts like this that make this site laughable!!!! OH more FEAR PLEASE!!!!!!
 
I am sure AMD CPUs are affected too... This is not negligence, it is a principle bug. Every processor needs speculative execution, or else it will crawl. And that opens the gate to this kind of attack.
They just haven't found the AMD one yet.

It's funny that a similar comment above got down voted.
Pains me to say it, but you are likely correct. Intel has much higher market share and of course most people are going to try to target Intel architecture first.
 
Pains me to say it, but you are likely correct. Intel has much higher market share and of course most people are going to try to target Intel architecture first.
I'm sure AMD will suddenly get lots more attention when/if EPYC makes a significant dent in Intel's market share in the server space...

It's like one of the oldest arguments for using Linux, or even Mac. "Everyone makes viruses for Windows! There are no viruses for Linux/Mac". Because Windows is by far the bigger target...
 
It's like one of the oldest arguments for using Linux, or even Mac. "Everyone makes viruses for Windows! There are no viruses for Linux/Mac". Because Windows is by far the bigger target...
Which we all know is a load of nonsense. There are even Unix and BSD virii/malware.
 
Probably. 10 years ago I didn't question that statement, but today I am aware that, even though Windows is still by far the most popular desktop OS, Linux is in heavy use in server environments. Surely it's a big enough target for someone to bother with?
 
Which we all know is a load of nonsense. There are even Unix and BSD virii/malware.

Personally, I'm more afraid to run an unpatched linux server than a Windows one.

Why? One word. Root. Root is way too powerful.
 
Personally, I'm more afraid to run an unpatched linux server than a Windows one.

Why? One word. Root. Root is way too powerful.
While you have a point, there are measures and fail-safes that can and do protect from such problems.
 