News Posts matching "vulnerability"

Return to Keyword Browsing

New "Spectre" Variant Hits Intel CPUs, Company Promises Quarterly Microcode Updates

A new variant of the "Spectre" CPU vulnerability was discovered affecting Intel processors, by security researchers Vladimir Kiriansky and Carl Waldspurger, who are eligible to bag a USD $100,000 bounty by Intel, inviting researchers to sniff out vulnerabilities from its processors. This discovery, chronicled under CVE-2018-3693, is among 12 new CVEs Intel will publish later this week. The company is also expected to announce quarterly CPU microcode updates to allay fears of its enterprise customers.

The new vulnerability, like most other "Spectre" variants, targets the speculative execution engine of the processor, in a bounds-check bypass store attack. A malicious program already running on the affected machine can alter function pointers and return addresses in the speculative execution engine, thereby redirecting the flow of data out of protected memory address-spaces, making it visible to malware. This data could be anything, including cryptographic keys, passwords, and other sensitive information, according to "The Register." Intel chronicled this vulnerability in section 2.2.1 of its revised speculative execution side-channel attacks whitepaper. You can also catch a more detailed whitepaper from the researchers themselves.

Intel Processors Hit by "Lazy FP State Restore" Vulnerability

Security researchers have discovered a vulnerability affecting all modern Intel Core and Xeon processors, which is an exploit of a performance optimization feature called "lazy FP state restore," which can be exploited to sniff out sensitive information, including cryptographic keys used to protect sensitive data. The flaw affects all x86 micro-architectures by Intel, "Sandy Bridge" and later.

The "lazy FP state restore" feature is a set of commands used to temporarily store or restore the FPU states of applications running "lazily" (as opposed to "eagerly"). Red Hat put out an advisory stating that numbers held in FPU registers could be used to access sensitive information about the activities of other applications, including encryption keys. Intel began working with popular OS vendors to quickly roll out software patches against the vulnerability.

Intel Platform Vulnerability Lets Malware Erase or Block UEFI Firmware Updates

A new Intel platform vulnerability emerged, chronicled by the company under CVE-2017-5703, dated April 3, which could let malware erase your motherboard UEFI BIOS, or render the EEPROM chip storing it "read-only" forever, preventing future BIOS updates, exploiting vulnerabilities in Intel's implementation of the SPI (serial peripheral interface) on its platforms. The vulnerability affects all Intel processors dating all the way back to 5th generation "Broadwell." The company quietly passed on fixes to its OEM partners to release as BIOS updates.

The vulnerability came to light in the public as Lenovo, Intel's largest OEM partner, deployed BIOS updates for its vulnerable products, while detailing it. Lenovo describes the vulnerability as "the configuration of the system firmware device (SPI flash) could allow an attacker to block BIOS/UEFI updates, or to selectively erase or corrupt portions of the firmware." It goes on to add that "this would most likely result in a visible malfunction, but could in rare circumstances result in arbitrary code execution." Intel said it discovered the vulnerability internally and hasn't noticed any exploits in the wild that take advantage of it. "Issue is root-caused, and the mitigation is known and available," the company said in a security advisory. "To Intel's knowledge, the issue has not been seen externally."

Intel Stops Development, Deployment of Spectre Microcode Update for Several CPU Families

Intel on their latest Microcode Revision Guidance Guide has apparently stopped development of mitigations for some of its processor families that still haven't been updated to combat the threat of Spectre. The odyssey for the return to form of security on Intel products has been a steep, and a slow one, as the company has struggled to deploy mitigations for speculative code execution on its processor families that run it. Updates for some families of products, however - such as Penryn, Wolfdale, Bloomfield and Yorkfield, among others - are apparently not going to get an update at all.

New "BranchScope" Side-channel CPU Vulnerability Threatens Modern Processors

In the age of cyber-security vulnerabilities being named by their discoverers, much like incoming tropical storms, the latest, which exploits speculative execution of modern processors, is named "BranchScope," discovered by academics from four US universities, Dmitry Evtyushkin, Ryan Riley, Nael Abu-Ghazaleh, and Dmitry Ponomarev. The vulnerability has been successfully tested on Intel "Sandy Bridge," "Haswell," and "Skylake" micro-architectures, and remains to be tested on AMD processors. It bears similarities to "Spectre" variant 2, in that it is an exploit of the branch prediction features of modern CPUs.

BranchScope differs from Spectre variant 2, in that while the latter exploits the branch target buffer, BranchScope goes after the directional branch predictor, a component that decides which speculative operations to execute. By misdirecting it, attackers can make the CPU read and spit out data from the memory previously inaccessible. The worst part? You don't need administrative privileges to run the exploit, it can be run from the user-space. Unlike CTS-Labs, the people behind the BranchScope discovery appear to have alerted hardware manufacturers significantly in advance, before publishing their paper (all of it, including technicals). They will present their work at the 23rd ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2018), later today.

CTS Labs Sent AMD and Other Companies a Research Package with Proof-of-Concept Code

CTS Labs, the Israel-based IT security research company behind Tuesday's explosive AMD Ryzen security vulnerabilities report, responded to questions posed by TechPowerUp. One of the biggest of these, which is also on the minds of skeptics, is the ominous lack of proof-of-concept code or binaries being part of their initial public report (in contrast to the Meltdown/Spectre reports that went into technical details about the exploit). CTS Labs stated to TechPowerUp that it has sent AMD, along with other big tech companies a "complete research package," which includes "full technical write-ups about the vulnerabilities," "functional proof-of-concept exploit code," and "instructions on how to reproduce each vulnerability." It stated that besides AMD, the research package was sent to Microsoft, HP, Dell, Symantec, FireEye, and Cisco Systems, to help them develop patches and mitigation.

An unwritten yet generally accepted practice in the IT security industry upon discovery of such vulnerabilities, is for researchers to give companies in question at least 90 days to design a software patch, harden infrastructure, or implement other mitigation. 90 days is in stark contrast to the 24 hours AMD got from CTS Labs. CTS Labs confirmed to TechPowerUp that it indeed shared its research package with AMD (and the other companies) just 24 hours prior to making its report public, but urged those disgruntled with this decision to look at the situation objectively. "If you look at the situation in the following way: right now the public knows about the vulnerabilities and their implications, AMD is fully informed and developing patches, and major security companies are also informed and working on mitigation."

Intel Considers Buying Out Broadcom

In a sequence of events perfectly illustrated by the stock image below, Intel is reportedly mulling the acquisition of Broadcom, which is still making efforts to acquire Qualcomm; the Wall Street Journal reported late last week. Shares of Intel fell 1 percent on this report. A successful acquisition of Qualcomm by Broadcom would result in a seemingly-American silicon supergiant that could pose a threat to Intel's position in the industry, observes CNBC. Both Intel and Broadcom spokespersons refuse to comment the WSJ report, terming it as "deal chatter."

Broadcom recently swayed Qualcomm board its way ahead of a crucial vote for the acquisition, prompting a CFIUS investigation, by American regulators, which has the legal power to halt the acquisition if national security implications emerge. Taking advantage of this, and its relatively stable outlook despite the recent CPU vulnerability mess, Intel is looking to mop up a seemingly foreign Broadcom. Other industry giants such as Microsoft and Google have expressed extreme concern with the developments in this deal, particularly with Apple's "sway" over it.

Intel Expands Bug Bounty Program in Wake Of Spectre, Meltdown Flaws

(Editor's Note: This move by Intel aims to expand their bug-bounty program to specifically include side-channel attacks, such as those that can be leverage on the Spectre and Meltdown exploits. The company is also increasing the rewards it will give the researchers who find new flaws, a move that aims to employ the masses' knowledge and ingenuity to try and reach the hard-earned bonus at the end of the vulnerability - all while saving Intel much more money than it's paying to bug hunters.)

At Intel, we believe that working with security researchers is a crucial part of identifying and mitigating potential security issues in our products. Similar to other companies, one of the ways we've made this part of our operating model is through a bug bounty program. The Intel Bug Bounty Program was launched in March 2017 to incentivize security researchers to collaborate with us to find and report potential vulnerabilities. This, in turn, helps us strengthen the security of our products, while also enabling a responsible and coordinated disclosure process.

ASUSTOR Responds to Intel Meltdown and Spectre Vulnerabilities

ASUSTOR Inc. is releasing ADM to version 3.0.5 to fix the Meltdown security vulnerability in Intel CPUs. The models receiving an update are: AS3100, AS3200, AS5000, AS5100, AS6100, AS6200, AS6300, AS6400 and AS7000 series. For the AS6302T and AS6404T NAS devices, ASUSTOR is releasing a BIOS update to patch the Meltdown and Spectre vulnerabilities. Other x86 NAS will be patched as soon as Intel releases a patch.

For ASUSTOR's other models, they will be patched as soon as an updated Linux kernel is released. On non-Intel CPU models, ASUSTOR is also continuing to work with the other relevant CPU manufacturers. ASUSTOR takes security very seriously. When further information is released, customers will be informed through the appropriate channels.

Microsoft Issues Update to Rollback Intel Spectre, Meltdown Problematic Patches

Multiple reports pegged some issues on Intel's rapid-fire, microcode and software response towards addressing the Spectre and Meltdown vulnerabilities, with Intel themselves coming forward, admitting to the problems' existence, and urging users not to perform said updates. However, Intel's press release wasn't very clear on whether or not users would be able to rollback changes in order to recover their machines' stability. Microsoft has taken the matter into its own hands, via an out of band update for Windows, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 - "Branch target injection vulnerability."

In Microsoft's testing, this particular update is the one that the company has found to be associated the most with stability issues on host machines, and their out of band update seems to mitigate these completely. Microsoft is also adding the possibility for users to either disable or enable the troublesome mitigation themselves, manually, via registry changes. Microsoft seems to have taken the job of cleaning house on themselves, after Intel's apparent hasty move to restore security to systems based on their CPUs.

US Lawmakers to Pull Up Intel, ARM, Microsoft, and Amazon for Spectre Secrecy

In the wake of reports surrounding the secrecy and selective disclosure of information related to the Meltdown and Spectre vulnerabilities leading up to the eventual January 3 public release, US lawmakers are unhappy with leading tech firms Intel, Microsoft, ARM, Apple, and Amazon. The five companies, among a few unnamed others, are being pulled up by a house committee over allegations of selective access of vital information that caught many American companies off guard on the January 3rd. Barring a few tech giants, thousands of American companies were unaware, and hence unprepared for Meltdown and Spectre until January 3, and are now spending vast resources to overhaul their IT infrastructure at breakneck pace.

In letters such as this one, addressed to CEOs of big tech firms, lawmakers criticized the secrecy and selective disclosure of information to safeguard IT infrastructure, which has left thousands of American companies out in the lurch, having to spend vast amounts of money securing their infrastructure. "While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures," they write.

Intel Warned China of Meltdown and Spectre Before the US Government

It's no surprise that leading Chinese tech companies have close associations with the Chinese Government and the PLA. Intel has waded into controversial waters as reports point to the chipmaker sharing information about its products' vulnerability to Meltdown and Spectre with Chinese tech companies before warning the United States Government, potentially giving the Chinese government either a head-start into securing its IT infrastructure, or exploiting that of a foreign government.

Lenovo and Alibaba were among the first big tech companies to be informed about Meltdown and Spectre; Lenovo is Intel's biggest PC OEM customer, while Alibaba is the world's largest e-commerce platform and cloud-computing service provider. Both companies are known to have close associations with the Chinese government. The United States Government was not part of the first group of companies informed about the deadly vulnerabilities.

ASRock Outs Newer BIOS Updates to Correct Reboot Issues Post Security Patches

ASRock was just informed by Intel that they disclosed the reboot issue on the former microcode released earlier. To fix the security vulnerability (SA-00088), ASRock is still waiting for Intel's further support and we're committed to work closely with them to develop and update new BIOS for our 8/9/100/200/Z370/X99/X299 motherboard series. To mitigate this issue promptly and constructively, we will keep our customers posted on our official website, please refer to this page. For Intel's official announcement, please refer to this page.

ASRock is aware that the current Intel microcode version might be defected by security vulnerabilities. We recommend users update their systems by flashing the latest BIOS once the revision microcode is released from Intel. To mitigate this issue promptly and constructively, please refer to below links for more info and stayed tuned.
DOWNLOAD: Latest ASRock BIOS Updates

Intel's Patch for Meltdown, Spectre "Complete and Utter Garbage:" Linus Torvalds

Linus Torvalds, creator of Linux, the most popular datacenter operating system, proclaimed Intel's patches for the recent Meltdown and Spectre CPU vulnerabilities "complete and utter garbage." Torvalds continues to work on the innermost code of Linux, and has been closely associated with kernel patches that are supposed to work in conjunction with updated CPU microcode to mitigate the two vulnerabilities that threaten to severely compromise security of data-centers and cloud-computing service providers.

Torvalds, in a heated public chain-mail with David Woodhouse, an Amazon engineer based out of the UK, called Intel's fix "insane" and questioned its intent behind making the patch "toggle-able" (any admin can disable the patch to a seemingly cataclysmic vulnerability, which can bring down a Fortune 500 company). Torvalds also takes issue with redundant fixes to vulnerabilities already patched by Google Project Zero "retpoline" technique. Later down in the thread, Woodhouse admits that there's no good reason for Intel's patches to be an "opt-in." Intel commented on this exchange with a vanilla-flavored potato: "We take the feedback of industry partners seriously. We are actively engaging with the Linux community, including Linus, as we seek to work together on solutions."

Skyfall and Solace Could be the First Attacks Based on Meltdown and Spectre?

Out of the blue, a website popped up titled "Skyfall and Solace," which describes itself as two of the first attacks that exploit the Spectre and Meltdown vulnerabilities (it doesn't detail which attack exploits what vulnerability). A whois lookup reveals that the person(s) behind this website may not be the same one(s) behind the Spectre and Meltdown website. The elephant in the room, of course, is that the two attacks are named after "James Bond" films "Skyfall" and "Quantum of Solace." The website's only piece of text ends with "Full details are still under embargo and will be published soon when chip manufacturers and Operating System vendors have prepared patches," and that one should "watch this space for more." We doubt the credibility of this threat. Anyone who has designed attacks that exploit known vulnerabilities won't enter embargoes with "chip manufacturers and operating system vendors" who have already developed mitigation to the vulnerabilities.

AMD Is Served: Class Action Lawsuit Launched Over Spectre Vulnerabilities

Despite the grunt of the media's attention and overall customer rage having been thrown largely at Intel, AMD hasn't moved past the Spectre/Meltdown well, meltdown, unscathed. News has surfaced that at least two law firms have announced their intention of filing a class action lawsuit against AMD, accusing the company of not having disclosed their products' Spectre vulnerability, despite knowledge of said vulnerabilities.

AMD stated loud and clear that their processors weren't affected by the Meltdown flaw. However, regarding Spectre, AMD's terms weren't as clear cut. The company stated that its CPUs were vulnerable to the Spectre 1 flaw (patchable at a OS level), but said that vulnerability to Spectre 2's variant had "near-zero risk of exploitation". At the same time, the company also said that "GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors", adding that "While we believe that AMD's processor architectures make it difficult to exploit Variant 2, we continue to work closely with the industry on this threat.

Adding Insult to Injury: Fake Spectre, Meltdown Patch Pushes Malware to Users

A Malwarebytes report calls attention to the latest occurrence in the inevitable trend that that ensues a particular security vulnerability being given coverage by the media. As users' attention to the vulnerability is heightened, so is their search for a solution, for a way to reduce the risk of exposition. Hence, users search for patches; and hence, some fake patches surface that take advantage of the more distracted, or less informed, of those who really just want to be left at peace.

Case in point: Malwarebytes has identified a recently-registered domain that is particularly targeting German users (remember: you can be next; it's just a matter of Google translating the page for it be targeting you as well). The website is offering an information page with various links to external resources about Meltdown and Spectre and how it affects processors, and is affiliated with the German Federal Office for Information Security (BSI) - all good, right?

Hack Like It's 1998: Sites Still Vulnerable to Revived ROBOT Exploit

Another week, yet another security bulletin in tech news, with yet another vulnerability that joins the fray of both Intel's meltdown and Western Digital's MyCloud hacks. A team of researchers recently wrote a paper they titled "Return Of Bleichenbacher's Oracle Threat (ROBOT)". This paper went on to show how a well-known, circa 1998 exploit is still a viable way to take advantage of websites of even big name companies and services, such as Facebook and PayPal (in total, around 2.8% of the top 1 million sites also tested positive). The ROBOT exploit, a critical, 19-year-old vulnerability that allows attackers to decrypt encrypted data and sign communications using compromised sites' secret encryption key, is still valid. Only, it's 19 years later.

The heart of the issue stems from a vulnerability that was discovered in 1998 by researcher Daniel Bleichenbacher, who found the vulnerability in the TLS predecessor known as secure sockets layer. The attack is dubbed an Oracle threat because attackers can write specialized queries to which the websites and affected systems respond with "Yes" or "No"; as such, it's possible, given enough time, for attackers to build up the amount of disclosed sensitive information and get a clear picture of the protected data. To the flaw's discovery by Bleichenbacher, SSL architects apparently responded in a B-movie type of way, which nevertheless might have been needed to keep all systems green: by designing workarounds on top of workarounds, rather than removing or rewriting the faulty RSA algorithm.

NVIDIA Releases GeForce 390.65 WHQL Drivers

NVIDIA today released GeForce 390.65 WHQL drivers. These drivers come game-ready for "Fortnite," including support for ShadowPlay Highlights in the "Battle Royale" mode of the game. The drivers also introduce NVIDIA Freestyle technology, which lets you apply custom post-processing effects for your game, or choose from several included post-FX filters. More importantly, the drivers introduce security updates against "Spectre" variant 2 (CVE-2017-5753) vulnerability. The drivers also provide pop-up notifications when an external GPU is connected or disconnected. Grab the drivers from the link below.
DOWNLOAD: NVIDIA GeForce 390.65 WHQL

Western Digital Ships "Someone's Backdoor" With My Cloud Drives

Western Digital has seemingly been shipping their My Cloud personal network attached storage solutions with an integrated backdoor. It's not really that complicated a backdoor either - a malicious user should always be able to use it. That stems from the fact that it's a hard coded backdoor with unchangeable credentials - logging in to someone's My Cloud is as simple as inputing "mydlinkBRionyg" as the Administrator username and "abc12345cba" as the respective password. Once logged in, shell access is unlocked, which allows for easy injection of commands.

The backdoor has been published by James Bercegay, with GulfTech Research and Development, and was disclosed to Western Digital on June 12th 2017. However, since more than 6 months have passed with no patch or solution having been deployed, the researchers disclosed and published the vulnerability, which should (should) finally prompt WD to action on fixing the issue. Making things even worse, no user action is required to enable attackers to take advantage of the exploit - simply visiting malicious websites can leave the drives wide open for exploit - and the outing of a Metasploit module for this very vulnerability means that the code is now out there, and Western Digital has a race in its hands. The thing is, it needn't have.

Intel Braces for an Avalanche of Class Action Lawsuits

Following reports of Intel's gross mishandling of its CPU vulnerabilities Spectre (CVE-2017-5753 and CVE-2017-5715), and Meltdown (CVE-2017-5754); particularly its decision to not call off 8th generation Core "Coffee Lake" processor launch after learning of its vulnerability; and a general barrage of "false marketing" allegations, with a dash of "insider trading" allegations added to the mix, the company is bracing for an avalanche of class-action lawsuits in the US, and similar legal action around the world.

Owners of Intel CPU-based computers in California, Oregon, and Indiana, have filed separate complaints alleging that Intel sold vulnerable processors even after the discovery of Meltdown and Spectre; that the chips being sold were "inherently faulty," and that patches that fix them are both an "inadequate response to the problem," and "hurt performance" (false marketing about performance), by 5 to 30 percent. All three complainants are in the process of building Classes.

Intel Released "Coffee Lake" Knowing it Was Vulnerable to Spectre and Meltdown

By the time Intel launched its 8th generation Core "Coffee Lake" desktop processor family (September 25, 2017, with October 5 availability), the company was fully aware that the product it is releasing was vulnerable to the three vulnerabilities plaguing its processors today, the two more publicized of which, are "Spectre" and "Meltdown." Google Project Zero teams published their findings on three key vulnerabilities, Spectre (CVE-2017-5753 and CVE-2017-5715); and Meltdown (CVE-2017-5754) in mid-2017, shared with hardware manufacturers under embargo; well before Intel launched "Coffee Lake." Their findings were made public on January 3, 2018.

Intel's engineers would have had sufficient time to understand the severity of the vulnerability, as "Coffee Lake" is essentially the same micro-architecture as "Kaby Lake" and "Skylake." As one security researcher puts it, this could affect Intel's liability when 8th generation Core processor customers decide on a class-action lawsuit. As if that wasn't worse, "Skylake" and later micro-architectures could require micro-code updates in addition to OS kernel patches to work around the vulnerabilities. The three micro-architectures are expected to face a performance-hit, despite Intel extracting colorful statements from its main cloud-computing customers that performance isn't affected "in the real-world." The company was also well aware of Spectre and Meltdown before its CEO dumped $22 million in company stock and options (while investors and the SEC were unaware of the vulnerabilities).

Intel Aware of CPU Flaws Before CEO Brian Krzanich Planned $24M Stock Sale

The news and details on Intel's most recent chip flaw have been coming in almost faster than news outlets can put them out, and it just seems that the company is going through a phase where news are seldom good. New information has come to light that paint Intel CEO's Brian Krzanich's sale of $24M worth of stocks in November 24th in a negative spotlight, euphemisms be allowed. We (meaning, this editor) previously dismissed the share sale as a pre-planned event that didn't show any kind of shady wrongdoing in the face of news breaking out regarding Intel's VM security flaw. However, it seems as if it pays off to be negative rather than positive in the world at large, and the skeptic in me is saying "serves you right".

AMD Updates on AMD Processor Security Status

There has been recent press coverage regarding a potential security issue related to modern microprocessors and speculative execution. Information security is a priority at AMD, and our security architects follow the technology ecosystem closely for new threats. It is important to understand how the speculative execution vulnerability described in the research relates to AMD products, but please keep in mind the following:
  • The research described was performed in a controlled, dedicated lab environment by a highly knowledgeable team with detailed, non-public information about the processors targeted.
  • The described threat has not been seen in the public domain.

Dear Intel, If a Glaring Exploit Affects Intel CPUs and Not AMD, It's a Flaw

Intel tried desperately in a press note late Wednesday to brush aside allegations that the recent hardware security-vulnerability are a "bug" or a "flaw," and that the media is exaggerating the issue, notwithstanding the facts that the vulnerability only affects Intel x86 processors and not AMD x86 processors (despite the attempt to make it appear in the press-release as if the vulnerability is widespread among other CPU vendors such as AMD and ARM by simply throwing their brand names into the text); notwithstanding the fact that Intel, Linux kernel lead developers with questionable intentions, and other OS vendors such as Microsoft are keeping their correspondence under embargoes and their Linux kernel update mechanism is less than transparent; notwithstanding the fact that Intel shares are on a slump at the expense of AMD and NVIDIA shares, and CEO Brian Kraznich sold a lot of Intel stock while Intel was secretly firefighting this issue.

The exploits, titled "Meltdown," is rather glaring to be a simple vulnerability, and is described by the people who discovered it, as a bug. Apparently, it lets software running on one virtual machine (VM) access data of another VM, which hits at the very foundations of cloud-computing (integrity and security of virtual machines), and keeps customers wanting cost-effective cloud services at bay. It critically affects the very business models of Amazon, Google, Microsoft, and Alibaba, some of the world's largest cloud computing providers; and strikes at the economics of choosing Intel processors over AMD, in cloud-computing data centers, since the software patches that mitigate the vulnerability, if implemented ethically, significantly reduce performance of machines running Intel processors and not machines running AMD processors (that don't require the patch in the first place). You can read Intel's goalpost-shifting masterpiece after the break.
Return to Keyword Browsing