Meltdown and Spectre

mactexmactex CISSP, GCIA, GCED, GSEC, GCCC, CCNA Cyber Ops, A+, N+, S+ Member Posts: 80 ■■■□□□□□□□
Just seeing if this is consuming anyone else's day like it is mine.

https://meltdownattack.com/

Comments

  • tedjamestedjames Scruffy-looking nerfherdr Member Posts: 1,179 ■■■■■■■■□□
  • mactexmactex CISSP, GCIA, GCED, GSEC, GCCC, CCNA Cyber Ops, A+, N+, S+ Member Posts: 80 ■■■□□□□□□□
    tedjames wrote: »

    Yeah, Twitter has been blowing up since yesterday. I'm curious if anyone has patched on a large scale yet and noticed any performance hit.
  • tedjamestedjames Scruffy-looking nerfherdr Member Posts: 1,179 ■■■■■■■■□□
    SANS conducted a webinar about it today. If you have a SANS account, you can view the slides and presentation.
  • mactexmactex CISSP, GCIA, GCED, GSEC, GCCC, CCNA Cyber Ops, A+, N+, S+ Member Posts: 80 ■■■□□□□□□□
    I did. That webinar was impossible to get in with all of the hysteria.
  • Danielm7Danielm7 Member Posts: 2,306 ■■■■■■■■□□
    Today was mostly planning, so it'll involve pretty much all systems. I'm sure it'll be a problem for everyone.
  • TheFORCETheFORCE Senior Member Member Posts: 2,298 ■■■■■■■■□□
    CVE-2017-5754
    Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache
  • BlackBeretBlackBeret Member Posts: 684 ■■■■■□□□□□
    >local user access

    Meaning the ability to run code locally. VMs, shared servers, client-side execution like JavaScript, etc. I found one article detailing an attack against browser-based password managers via JavaScript. These two attacks are definitely reaching further than I thought and much faster.
  • tedjamestedjames Scruffy-looking nerfherdr Member Posts: 1,179 ■■■■■■■■□□
  • J_86J_86 Member Posts: 262 ■■□□□□□□□□
    tedjames wrote: »
    SANS conducted a webinar about it today. If you have a SANS account, you can view the slides and presentation.

    Yeah I had issues getting into it as well. They posted the webcast as an OnDemand video late yesterday.
  • 636-555-3226636-555-3226 Member Posts: 976 ■■■■■□□□□□
    Not sure what all the hype is about. Yeah if you're a cloud virtualization provider, but for most individuals & businesses it's not a big deal.

    Meltdown is only privilege escalation, not remote code execution. Individuals who don't download and run random crap all day should be fine. Most businesses I know give users admin anyway, so that's not going to matter. Even for users who are users, just make sure they don't download and run random crap.

    Spectre is a bit more interesting, but I at least haven't seen any exploits out there yet, and even then applicability depends on the exploit. Maybe if you're hacking someone's sandboxed browser, but you'll need to get them to browse to your malicious website. Maybe malvertisements, but even then there's a few layers of defenses.

    IMO, yeah, patch, but 99% of people don't need to go crazy about it. News orgs are just looking for headlines & clickbait.
  • mactexmactex CISSP, GCIA, GCED, GSEC, GCCC, CCNA Cyber Ops, A+, N+, S+ Member Posts: 80 ■■■□□□□□□□
    636-555-3226 wrote: »
    Not sure what all the hype is about. Yeah if you're a cloud virtualization provider, but for most individuals & businesses it's not a big deal.

    Meltdown is only privilege escalation, not remote code execution. Individuals who don't download and run random crap all day should be fine. Most businesses I know give users admin anyway, so that's not going to matter. Even for users who are users, just make sure they don't download and run random crap.

    Spectre is a bit more interesting, but I at least haven't seen any exploits out there yet, and even then applicability depends on the exploit. Maybe if you're hacking someone's sandboxed browser, but you'll need to get them to browse to your malicious website. Maybe malvertisements, but even then there's a few layers of defenses.

    IMO, yeah, patch, but 99% of people don't need to go crazy about it. News orgs are just looking for headlines & clickbait.

    Completely agree. Unfortunately, my execs read the news from time to time. There still needs to be a delivery vehicle like any malware, so that explains why everyone is pointing at AV. It looks like Spectre uses the physical architecture to access the side channel, so that will have to be a remove-and-replace of hardware, which isn't gonna happen right away in most cases.
  • J_86J_86 Member Posts: 262 ■■□□□□□□□□
    636-555-3226 wrote: »
    Not sure what all the hype is about. Yeah if you're a cloud virtualization provider, but for most individuals & businesses it's not a big deal.

    Meltdown is only privilege escalation, not remote code execution. Individuals who don't download and run random crap all day should be fine. Most businesses I know give users admin anyway, so that's not going to matter. Even for users who are users, just make sure they don't download and run random crap.

    Spectre is a bit more interesting, but I at least haven't seen any exploits out there yet, and even then applicability depends on the exploit. Maybe if you're hacking someone's sandboxed browser, but you'll need to get them to browse to your malicious website. Maybe malvertisements, but even then there's a few layers of defenses.

    IMO, yeah, patch, but 99% of people don't need to go crazy about it. News orgs are just looking for headlines & clickbait.

    Ha ha yes, that is actually what one of the first slides in the SANS webcast was about. "The sky isn't falling" and "Media reports will likely seek to sensationalize these vulnerabilities".
  • tedjamestedjames Scruffy-looking nerfherdr Member Posts: 1,179 ■■■■■■■■□□
    Looks like SANS actually posted the webinar to YouTube: https://www.youtube.com/watch?v=8FFSQwrLsfE