Discuss: Major CPU Security Flaws

Hewlett-packard / Hp pavilion g6 notebook p...
January 4, 2018 at 05:09:47
Specs: Windows 10, 1.4 GHz / 5610 MB
Hi all,

This week's poll question is about news that operating system teams are scrambling to fix major security vulnerabilities discovered in Intel and other processors. Discuss here if you think these issues are a major blow to the chipmaker, and, if you like, the poll results themselves.

Thanks,
Justin



#1
January 4, 2018 at 06:18:24
No, if it's true AMD has the same issue.

i5-6600K@4.669GHz/4.364GHz cache@1.33v | 2x4GB Crucial-DDR4-2133@14-14-14-28 1T 2740MHz@1.3v | ASUS Z170-K | Samsung 250GB SSD 850 EVO | MSI RX 570 4GB@1410cc&2150mc bios-powertune-mod | Corsair VS450



#2
January 4, 2018 at 12:33:03
No, the chipmakers will ride it somehow. There are already patches for Windows 10.

Always pop back and let us know the outcome - thanks



#3
January 6, 2018 at 13:42:45
Is this a flaw that will be fixed (or has already been fixed) in
the next microprocessors to be released? Where can I see
a list of affected processors?

-- Jeff, in Minneapolis



#4
January 6, 2018 at 14:16:09
As I understand it the current fixes are effectively workarounds to keep JavaScript from being used to hack into the kernel. There has been an update to browsers such as Firefox for the same reason and Macs are, or have been, dealt with. It seems the proper fix is to replace the CPU. The issue is apparently worse for Intel CPUs. The risk is also fairly low for ordinary single user situations. Cloud usage and other interactions increase the risk.

I've no info about specific CPUs but it seems it affects all to varying degrees. See this (or similar) which is likely to be more accurate than my quick summary:
http://www.trustedreviews.com/news/...
"Meltdown" seems to be the worse one, affecting Intel. "Spectre" affects AMD.
Most likely more information will come along in due course so keep an eye on Google.

Always pop back and let us know the outcome - thanks

message edited by Derek



#5
January 6, 2018 at 20:17:58
There was no mention of antimalware programs.
What about those?

-- Jeff, in Minneapolis



#6
January 7, 2018 at 02:51:14
This site claims to have a list of Intel CPUs affected by Spectre and Meltdown:
https://www.tweaktown.com/news/6041...


#7
January 7, 2018 at 08:30:49
Jeff

Presumably antimalware programs will be updated as necessary if a threat is found (if that's what you mean). There is no known threat at present but whilst the vulnerability exists then various different attacks could arrive.

Always pop back and let us know the outcome - thanks



#8
January 7, 2018 at 16:55:35
I didn't know what I meant when I posted, but now I do.
In effect, I asked whether antimalware programs are now
watching for any program that attacks the vulnerabilities.
That is, I wouldn't expect an antimalware program to have
a list of known burglars and alert me if it detects one of
them trying to enter my home-- Instead, I expect it to watch
my vulnerable window and alert me if anyone tries to go
through it. I see no reason for antimalware makers to wait
for malware to show up before they produce a defense
against it.

-- Jeff, in Minneapolis

message edited by Jeff Root



#9
January 7, 2018 at 17:02:57
You're expecting them to come up with a program's hash value before the program's written? Do you have access to some sort of time machine, or something? Otherwise, you're going to have to provide a definition of "malicious" that's concrete enough to program against, blocks everything you don't want, and does not block anything you want.

How To Ask Questions The Smart Way



#10
January 7, 2018 at 17:24:23
Razor2.3 wrote:
> You're expecting them to come up with a program's
> hash value before the program's written?

No.

> Do you have access to some sort of time machine,
> or something?

No.

> Otherwise, you're going to have to provide a definition
> of "malicious" that's concrete enough to program against,

A program that attacks the vulnerabilities.

> blocks everything you don't want, and does not block
> anything you want.

If something attacks the vulnerabilities, it is blocked, but if
I want it, I would tell the antimalware program not to block it.

Vastly simpler and easier than keeping fingerprints of all
known malware in existence on every computer.

-- Jeff, in Minneapolis



#11
January 7, 2018 at 17:56:15
> If something attacks the vulnerabilities, it is blocked, but if
> I want it, I would tell the antimalware program not to block it.

That is exactly how phishing emails/websites work; they make you want to have it... remember, curiosity killed the cat!!



#12
January 7, 2018 at 18:14:22
So you're expecting malware authors to protect you from something no one knew about, before it was known? Taking it back to your burglar issue, isn't that like complaining that the window ajar sensor didn't detect someone making and entering through a hole in the wall?

Considering we're talking about exploits involving how a CPU looks at a chunk of data and decides how best to execute it, I'm not sure how you would do so without fingerprinting. Verify every chunk of code before running it? That'd cost a few dozen operations for every operation attempted. End users already rightfully complain if an anti-malware product costs you a 10% performance hit. There are legitimate conversations going on right now in IT shops, deciding if they want to take the 10%-30% CPU performance hit in applying Intel's fix. Now you're expecting them to accept they only get 10% performance to protect them from something they don't know and may not exist?

How To Ask Questions The Smart Way



#13
January 7, 2018 at 19:41:09
Jeff
See this:
https://en.wikipedia.org/wiki/Heuri...
It's heuristics - looking for virus-like activity, and often part of a virus scan. See the last part of MalwareBytes Threat Scan timeline for example.

Generally the bad guys will be ahead of the good guys. I think if there were simpler methods possible they would have been incorporated by now, but you could always rise to the challenge and make lots of dough...

Always pop back and let us know the outcome - thanks

message edited by Derek



#14
January 8, 2018 at 09:27:36
Jeff > If something attacks the vulnerabilities, it is blocked, but if
Jeff > I want it, I would tell the antimalware program not to block it.

sluc > That is exactly how phishing emails/websites work; they
sluc > make you want to have it... remember, curiosity killed the cat!!

That is also exactly how advertising works. By making you
want whatever they are selling. Do you have something that
prevents you from buying things you want when those things
are bad for you?

Okay, you do if you are married. But you never override your
spouse's recommendation? You never buy things without consulting
your spouse first, and then discover that you should have?

You are saying that when existing antimalware finds a match
to a malware fingerprint, it prevents the malware from running
and does not allow the user to override that decision, but my
antimalware program wouldn't work because the user can override
its decision. Even though the only difference between them is
in how they detect an attack, and there is no difference in
how they handle it once detected.

-- Jeff, in Minneapolis



#15
January 8, 2018 at 09:29:58
Razor2.3

> So you're expecting malware authors to protect you from
> something no one knew about, before it was known?

Antimalware authors. Yes, of course.

The walls of my apartment and the locked door protect me
from Mrs. Kravitz strolling into my bedroom whenever she
feels like having a conversation with me. The architects
who designed the building didn't know Mrs. Kravitz exists.
They didn't need to know she exists in order to design a
building that would block her from entering my bedroom
unless I let her in.

> Taking it back to your burglar issue, isn't that like
> complaining that the window ajar sensor didn't detect
> someone making and entering through a hole in the wall?

No, not at all. That mangles the analogy so badly that
it is like you didn't think about it before you wrote it.

My analogy was and is that antimalware programs which
depend on matching malware fingerprints are like checking
every person who tries to enter my home against a list of
known criminals, and blocking them if they are on the list,
while my suggested method is to not allow anyone to climb
in through my window (a known vulnerability) or the chimney
(another known vulnerability) unless I specifically say
that they should be allowed to do so.

Malware capable of making the equivalent of a hole in my
wall is malware that does not exploit any vulnerability.
It is malware that can break in even if there is no
vulnerability. What kind of malware is that?

> Considering we're talking about exploits involving how
> a CPU looks at a chunk of data and decides how best to
> execute it, I'm not sure how you would do so without
> fingerprinting. Verify every chunk of code before
> running it?

That's how fingerprinting works, verifying every chunk
of code before running it, to be sure it doesn't match
a fingerprint.

> That'd cost a few dozen operations for every operation
> attempted. End users already rightfully complain if an
> anti-malware product costs you a 10% performance hit.
> There are legitimate conversations going on right now
> in IT shops, deciding if they want to take the 10%-30%
> CPU performance hit in applying Intel's fix. Now you're
> expecting them to accept they only get 10% performance
> to protect them from something they don't know and may
> not exist?

I'm expecting them to lock the windows and doors so that
nobody gets in without my permission, instead of examining
everyone who tries to get in to determine whether they
match the description of someone on the list of known bad
guys. Simpler, easier, quicker to execute, and smaller,
only requiring updates when new vulnerabilities are
discovered, not when new malware is discovered. One lock
per vulnerability instead of one fingerprint per exploit.

-- Jeff, in Minneapolis



#16
January 8, 2018 at 12:22:05
Jeff

In your last para #15 you seem to be suggesting a concept which would have a gigantic overhead.
Also every computer owner would presumably have their own set of permissions. The nearest thing we have to this is a firewall. The idea is interesting but you don't say how you would engineer this and I doubt if it is practical.

Always pop back and let us know the outcome - thanks



#17
January 8, 2018 at 14:04:44
Jeff Root: They didn't need to know she exists in order to design a building that would block her from entering my bedroom unless I let her in.
Sure. You can do that now with any PC. Just disconnect it from any network, forever. Also, don't let anyone have physical access to the box. Perfectly safe.

Jeff Root: That mangles the analogy so badly that it is like you didn't think about it before you wrote it.
It's sounding more like you don't have anything but a basic grasp of the issues at hand.

Jeff Root: unless I specifically say that they should be allowed to do so.
Again, how does anyone know what you've explicitly allowed? At the end of the day, the CPU is looking at a list of numbers, thinking it should convert them into instructions and execute them. The only way for you to get what you want would be to write your own OS, and your own utilities. Then, everything that happens, happens because you've explicitly permitted it. We know, because you wrote the code. The closest practical model of what you're asking for is Android's permission system, which asks for your permission for well defined, high level permission sets. Note that even that won't prevent these current rounds of attacks, since ARM CPUs are also vulnerable to these attacks.

Jeff Root: Malware capable of making the equivalent of a hole in my wall is malware that does not exploit any vulnerability. It is malware that can break in even if there is no vulnerability. What kind of malware is that?
Sounds like you're over evaluating your home's structural integrity. Unless you live in a fortified bunker, your walls are most likely vulnerable to a sledge hammer. Your locks to a pick. Your windows to a brick.

Jeff Root: That's how fingerprinting works
That's not how fingerprinting works. Each antimalware product has its own algorithm, but they typically scan all or part of an executable, generating a hash. This hash is compared to a list of known hashes, where a collision indicates possible known malicious software.

Jeff Root: I'm expecting them to lock the windows and doors so that nobody gets in without my permission
We have hardware for that. Amazon is selling them for $6.50. Just apply directly to the network cable. Optionally, any HID cable as well.

How To Ask Questions The Smart Way

message edited by Razor2.3



#18
January 8, 2018 at 22:14:55
Derek wrote:

> In your last para #15 you seem to be suggesting a
> concept which would have a gigantic overhead.

It seems the opposite to me. Existing antimalware
programs scan questionable files for known malware
fingerprints. There could be dozens of fingerprints
per vulnerability. There are new exploits requiring
new fingerprints all the time. I'm suggesting that
scanning questionable files for the actual access of
vulnerabilities would require significantly less
overhead, since the number of vulnerabilities is
much less than the number of different exploits of
those vulnerabilities. And new vulnerabilities are
discovered far less often than new exploits.

> Also every computer owner would presumably have their
> own set of permissions. The nearest thing we have to
> this is a firewall.

Yes and yes.

> The idea is interesting but you don't say how you
> would engineer this and I doubt if it is practical.

I don't know. It seems pretty straightforward.

-- Jeff, in Minneapolis
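
Added example, not part of any post in this thread: a sketch contrasting the hash fingerprinting described in #17 with the vulnerability-oriented scanning proposed in #18 (the heuristic style mentioned in #13). The byte strings, sample names and the "cache flush plus timestamp read" rule are constructed assumptions for illustration, chosen because cache-timing side channels use those instructions; this is not any antimalware product's actual logic.

```python
import hashlib

RDTSC, RDTSCP = bytes.fromhex("0f31"), bytes.fromhex("0f01f9")  # x86 timestamp reads

def fingerprint(data: bytes) -> str:
    """Signature in the sense of post #17: a hash of the file contents."""
    return hashlib.sha256(data).hexdigest()

def has_clflush(data: bytes) -> bool:
    """CLFLUSH encodes as 0F AE /7 with a memory operand (ModRM reg=7, mod!=3)."""
    i = data.find(b"\x0f\xae")
    while i != -1:
        if i + 2 < len(data):
            modrm = data[i + 2]
            if (modrm >> 3) & 7 == 7 and (modrm >> 6) != 3:
                return True
        i = data.find(b"\x0f\xae", i + 1)
    return False

def heuristic_match(data: bytes) -> bool:
    """Assumed rule: a cache flush and a timestamp read in the same file.
    Raw byte search with no disassembly, so it can also hit on data bytes."""
    return has_clflush(data) and (RDTSC in data or RDTSCP in data)

def scan(samples: dict, known_hashes: set) -> dict:
    """Return {name: (hash_hit, heuristic_hit)} for every sample."""
    return {name: (fingerprint(blob) in known_hashes, heuristic_match(blob))
            for name, blob in samples.items()}

# Constructed byte strings for illustration; none is a working program.
FLUSH_AND_TIME = bytes.fromhex("0fae38") + RDTSCP   # clflush [rax]; rdtscp
SAMPLES = {
    "known_sample":     b"\x90" + FLUSH_AND_TIME + b"\xc3",
    "repacked_variant": b"\x90\x90" + FLUSH_AND_TIME + b"\xc3",  # one byte added
    "plain_timer":      RDTSC + b"\x90" * 4 + RDTSC + b"\xc3",   # benign: timing only
    "cache_benchmark":  b"\x55" + FLUSH_AND_TIME + b"\x5d\xc3",  # benign: flush + time
}
KNOWN_HASHES = {fingerprint(SAMPLES["known_sample"])}

if __name__ == "__main__":
    for name, (by_hash, by_rule) in scan(SAMPLES, KNOWN_HASHES).items():
        print(f"{name:17} hash={by_hash!s:5} heuristic={by_rule}")
```

The one-byte variant no longer matches the stored hash but still trips the rule, while the benign benchmark trips the rule too, which is the false-positive cost raised in #9 and #12.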



#19
January 8, 2018 at 22:22:23
Jeff Root:
> They didn't need to know she exists in order to
> design a building that would block her from entering
> my bedroom unless I let her in.

Razor2.3:
> Sure. You can do that now with any PC. Just disconnect
> it from any network, forever. Also, don't let anyone
> have physical access to the box. Perfectly safe.

You are just being contrary. This has no relevance to
either the real vulnerabilities or my analogy.

The analogy works fine. If I want Mrs. Kravitz to have
access to my apartment, I can give her my key. If I want
a program to be able to run on my computer, whether using
existing antimalware or my suggested antimalware, I can
tell the antimalware program to let it run. Otherwise,
Mrs. Kravitz is kept out by the walls, closed windows,
and locked doors, and identified malware is prevented from
running by the antimalware program.

Jeff Root:
> That mangles the analogy so badly that it is like you didn't
> think about it before you wrote it.

Razor2.3:
> It's sounding more like you don't have anything but a basic
> grasp of the issues at hand.

That's true. I don't have anything but a rudimentary grasp
of what is involved.

Jeff Root:
> unless I specifically say that they should be allowed to do so.

Razor2.3:
> Again, how does anyone know what you've explicitly allowed?

Who needs to know that?

Razor2.3:
> At the end of the day, the CPU is looking at a list of numbers,
> thinking it should convert them into instructions and execute them.
> The only way for you to get what you want would be to write your
> own OS, and your own utilities.

Or someone else could do it. Microsoft could. Intel could.
Or someone could make antimalware that works as I suggest.
Lots of people could do that.

Razor2.3:
> The closest practical model of what you're asking for is
> Android's permission system, which asks for your permission
> for well defined, high level permission sets.

Yes. I'm suggesting that the known vulnerabilities exploited
by malware be treated the same way.

Jeff Root:
> Malware capable of making the equivalent of a hole in my wall
> is malware that does not exploit any vulnerability. It is
> malware that can break in even if there is no vulnerability.
> What kind of malware is that?

Razor2.3:
> Sounds like you're over evaluating your home's structural
> integrity. Unless you live in a fortified bunker, your walls
> are most likely vulnerable to a sledge hammer.

Sounds like you can't deal with analogies. Or at least, not
this particular analogy. You are being ridiculous. I repeat
my question: What kind of malware is analogous to an intruder
who uses a sledge hammer to break into my apartment by going
through a wall? Is it the kind of malware that existing
antimalware programs protect against? Is it the kind of
malware that would exploit the two new vulnerabilities which
prompted this thread?

Razor2.3:
> Your locks to a pick. Your windows to a brick.

Those are analogous vulnerabilities and exploits. Breaking
through a wall with a sledgehammer is ignoring the analogy
and just being contrary. It makes no meaningful point.

Jeff Root:
> That's how fingerprinting works

Razor2.3:
> That's not how fingerprinting works. Each antimalware product
> has its own algorithm, but they typically scan all or part of
> an executable, generating a hash. This hash is compared to a
> list of known hashes, where a collision indicates possible
> known malicious software.

I don't know enough about it to be sure your description of
how it works is entirely accurate, but I'd say my description
is consistent with yours. Yours just includes a couple of
additional details.

-- Jeff, in Minneapolis

