Meltdown and Spectre
Comments
-
mactex Member Posts: 80
Yeah, Twitter has been blowing up since yesterday. I'm curious if anyone has patched on a large scale yet and noticed any performance hit.
-
tedjames Member Posts: 1,182
SANS conducted a webinar about it today. If you have a SANS account, you can view the slides and presentation.
-
mactex Member Posts: 80
I did. That webinar was impossible to get in with all of the hysteria.
-
Danielm7 Member Posts: 2,310
Today was mostly planning, so it'll involve pretty much all systems. I'm sure it'll be a problem for everyone.
-
TheFORCE Member Posts: 2,297
CVE-2017-5754
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
-
BlackBeret Member Posts: 683
> local user access
Meaning the ability to run code locally. VMs, shared servers, client-side execution like JavaScript, etc. I found one article detailing an attack against browser-based password managers via JavaScript. These two attacks are definitely reaching further than I thought and much faster.
-
J_86 Member Posts: 262
> SANS conducted a webinar about it today. If you have a SANS account, you can view the slides and presentation.
Yeah I had issues getting into it as well. They posted the webcast as an OnDemand video late yesterday.
-
636-555-3226 Member Posts: 975
Not sure what all the hype is about. Yeah if you're a cloud virtualization provider, but for most individuals & businesses it's not a big deal.
Meltdown is only privilege escalation, not remote code execution. Individuals who don't download and run random crap all day should be fine. Most businesses I know give users admin anyway, so that's not going to matter. Even for users who are users, just make sure they don't download and run random crap.
Spectre is a bit more interesting, but I at least haven't seen any exploits out there yet, and even then applicability depends on the exploit. Maybe if you're hacking someone's sandboxed browser, but you'll need to get them to browse to your malicious website. Maybe malvertisements, but even then there's a few layers of defenses.
IMO, yeah, patch, but 99% of people don't need to go crazy about it. News orgs are just looking for headlines & clickbait.
-
mactex Member Posts: 80
636-555-3226 wrote:
> Not sure what all the hype is about. Yeah if you're a cloud virtualization provider, but for most individuals & businesses it's not a big deal.
> Meltdown is only privilege escalation, not remote code execution. Individuals who don't download and run random crap all day should be fine. Most businesses I know give users admin anyway, so that's not going to matter. Even for users who are users, just make sure they don't download and run random crap.
> Spectre is a bit more interesting, but I at least haven't seen any exploits out there yet, and even then applicability depends on the exploit. Maybe if you're hacking someone's sandboxed browser, but you'll need to get them to browse to your malicious website. Maybe malvertisements, but even then there's a few layers of defenses.
> IMO, yeah, patch, but 99% of people don't need to go crazy about it. News orgs are just looking for headlines & clickbait.
Completely agree. Unfortunately, my execs read the news from time to time. There still needs to be a delivery vehicle like any malware, so that explains why everyone is pointing at AV. It looks like Spectre uses the physical architecture to access the side channel, so that will have to be a remove-and-replace of hardware, which isn't gonna happen right away in most cases.
-
J_86 Member Posts: 262
636-555-3226 wrote:
> Not sure what all the hype is about. Yeah if you're a cloud virtualization provider, but for most individuals & businesses it's not a big deal.
> Meltdown is only privilege escalation, not remote code execution. Individuals who don't download and run random crap all day should be fine. Most businesses I know give users admin anyway, so that's not going to matter. Even for users who are users, just make sure they don't download and run random crap.
> Spectre is a bit more interesting, but I at least haven't seen any exploits out there yet, and even then applicability depends on the exploit. Maybe if you're hacking someone's sandboxed browser, but you'll need to get them to browse to your malicious website. Maybe malvertisements, but even then there's a few layers of defenses.
> IMO, yeah, patch, but 99% of people don't need to go crazy about it. News orgs are just looking for headlines & clickbait.
Ha ha yes, that is actually what one of the first slides in the SANS webcast was about. "The sky isn't falling" and "Media reports will likely seek to sensationalize these vulnerabilities".
-
tedjames Member Posts: 1,182
Looks like SANS actually posted the webinar to YouTube: https://www.youtube.com/watch?v=8FFSQwrLsfE