Hundreds Of Meltdown, Spectre Malware Samples Found In The Wild

Status
Not open for further replies.

techy1966

Reputable
Jul 31, 2015
149
3
4,685
Thanks for the heads up & this clearly shows I was right about the fact that the people that exposed these problems should have just kept their mouths shut to the public and let the companies involved just handle the problem and get the fixes out without alerting the goon squad of lowlifes that like to prey on people for the glory of it all to gain higher ranks in the goon squad community.
 


You're right in that only Microsoft, AMD, Intel, and ARM vendors really needed to know for the time being. However, without public pressure, these companies would implement these fixes slowly, instead of rushing them into their next designs like they're doing now.

 

bigdragon

Distinguished
Oct 19, 2011
1,107
547
20,160
I'm more frustrated that Intel's 5 years of fixes are being cut down to 2 years or less for many customers. Motherboard, system, and firmware vendors are not coping with this scale of a problem. X79 computers with Ivy Bridge-E should be supported by patches given the 5-year time frame, but good luck getting OEMs to pass along those patches. Same goes for X99 and Haswell-E. "Supported" but not really. Frustrating.
 

kinggremlin

Distinguished
Jul 14, 2009
574
41
19,010
They absolutely should have announced these exploits to the public to put pressure on companies to patch them. However, what they should not have released to the public was the PoC code. That was flat out idiotic. There is zero reason that code needed to be released to demonstrate the threat wasn't just theoretical. If companies don't come clean to the public and work to patch the flaw as quickly as possible after you announce the flaws, then you threaten to release the code. If still nothing happens then you release the code.
 

pjc72779

Prominent
Jan 14, 2018
6
0
510
Intel better get moving. No BIOS update yet for my Intel motherboard or HP laptop. This is really getting worrisome.
 


Agreed. This would give them ample time to actually make a Proper "Fix" vs SHIT SHIT WE GOT TO FIX THIS NOW! and look what happens? bugs bugs and more bugs.
 

scvpunkae86

Prominent
Jan 14, 2018
4
0
510
I mean, if the only people who could fix these issues were the vendors and manufacturers, I would agree with not releasing it to the public. But some of the greatest work done is crowdsourced, and I am sure for every hundred people trying to exploit this, there has to be at least one person out there writing code to prevent Spectre and Meltdown. Maybe someone from the consumer community can help?
 

InvalidError

Titan
Moderator

While this may work for software bugs where companies can fix the bugs but choose not to, the same cannot be said about HARDWARE bugs and side-channel attacks where a field fix is likely to be impossible or incomplete regardless of how much pressure you put on the manufacturer.

To make that worse, the definitive fix in the form of new hardware designed to address those attacks is at least a year away from the date where CPU manufacturers get notified simply due to the 6+ months from engineering changes, through regression testing to tape-out and 4-6 months from tape-out to production when all goes well. From there, it may be 5+ years before most people and companies are done upgrading their systems to more secure CPUs.

There is no quick fix for hardware-related exploits. Even in a best-case scenario, you're looking at hundreds of millions of potentially vulnerable devices remaining online for the next several years.

However, keep in mind that exploiting Meltdown and Spectre requires local code execution, which means that your system has already been compromised by some other way before any of those exploits can actually be used on your system, unlike software bugs which often enable remote code execution and unintended execution of a malicious payload.
 

bv90andy

Distinguished
Apr 2, 2009
599
0
18,990


You do realize that Intel told their Chinese partners long ago about the vulnerability, before they even told the US government. So it is safe to assume that the Chinese government has been trying to exploit this for at least 6 months. The reason no viruses were found could simply be because the vulnerabilities have been used until now only in targeted attacks against individuals and/or because the anti-virus companies have not been aware of these attacks.
 

Simon Anderson

Distinguished
Sep 22, 2013
77
0
18,630
"should have just kept their mouths shut to the public and let the companies involved just handle the problem and get the fixes out without alerting the goon squad" (anonymous... not sure how you quote properly lol)

"It was made public in conjunction with another vulnerability, Meltdown, on January 3, 2018, after the affected hardware vendors had already been made aware of the issue on June 1, 2017" - Spectre Wikipedia article

Apparently they were notified 6 months prior to public release. Not sure if OS vendors were notified at the same time? From what Linus Torvalds was saying, Intel's attempt at patching the hardware is all a load of crap, just a flag that can be disabled in software... From what I can tell, there's nothing that can "fix" the hardware on existing chips... i.e. there's no programmable ROM to fix it (could be wrong, haven't really researched that much...)
 

alextheblue

Distinguished
"We may eventually see OS vendors develop some fixes, such as Google’s Retpoline, that fix the flaws at the OS-level."

Retpoline isn't an "OS-level fix" by itself, really. It requires you to recompile each piece of software. Even if the fix is as good as they claim, it isn't always ideal when you start looking at custom software companies often rely on. It also may tack on to the performance impact for some types of enterprise workloads. So failing a recompile with Retpoline, your best hope is a combination of OS PLUS hardware and/or microcode mitigations, both of which Intel is seriously struggling with.
 

bit_user

Polypheme
Ambassador

I support the idea that the release of the code shouldn't coincide with the public announcement. I would favor a further delay, between the two. However, I think they might need to follow a fixed policy, in order for their actions to be legally defensible. Otherwise, they could be vulnerable to coercion by vendors, or perhaps even litigation.

Also, the purpose of the PoC code isn't only to prove their claims - it's also needed by customers (think big OEMs or data center customers) to verify that the manufacturers really did fix the problem. Even PC utility makers, like SiSoft or anti-virus vendors could include the code to check if your system is still vulnerable.
 

bit_user

Polypheme
Ambassador

I think it's only needed in the kernel and potentially a few other bits of privileged code (e.g. VM hypervisors).

If all userspace code needed to be recompiled with it... then yeah, just forget about that.
 

vincevdc

Distinguished
May 13, 2009
8
0
18,510
The one crucial piece of information missing from this report is the exploit deployment method. Is it hacked or untrusted web sites? Inserted into applications?

The actual exploit, to be effective, requires that a) there is secret data in memory at the time the malicious code runs, b) all outbound traffic from the computer is allowed, and c) the system or service secured by that data can be accessed by the hacker.
 
I have a pretty good basic understanding of the PC but frankly I don't really understand exactly how serious this issue is now or will be given more patches (or better malicious hacks) across recent and past systems.
 

jimbob343

Prominent
Feb 1, 2018
1
0
510
Bug bounties often require you to notify them and give them 6 months to a year before you release info about the issue. It is enough time to get a patch out before the crunch happens when it is released.

They absolutely have to be released, otherwise they tend to never patch them... I have seen issues that exist for years... The Samba share issue used for WannaCry was what... 6 years old and never patched.
 

tazmo8448

Distinguished
Dec 23, 2011
232
2
18,695
People aren't using common sense when it comes to divulging information... no matter what realm we're talking about. People love to be the first one out of the chute to point fingers or expose things that really don't need to be made public.
My biggest question is, does it create new issues like the previous one? What are the ramifications, if any, to or with the patch and that sort of thing?
 

Kaz_2_

Prominent
Jul 12, 2017
24
0
510
Getting worse for Intel. They usually work at the software level. Harder for hardware. Better switch to AMD. Intel security is outdated.
 

Kaz_2_

Prominent
Jul 12, 2017
24
0
510
Getting worse for Intel. It's sad many customers are still buying the vulnerable CPU. Intel security isn't new, it was created a decade ago, no wonder it is easy to hack. Better to switch to AMD than be sorry.
 

jordoncomp

Prominent
Oct 25, 2017
2
0
510
Fixed Windows PCs since 95, now that I'm partially retired I switched to Mint XFCE as a 6-month experiment on my daily desktop. It's been a year and a half. I hate Microsoft and Intel is about as bad. Linux has completely patched Spectre and Meltdown. Yes, a slight hit in speed. All Intel's fault. They knew of this potential 10 years ago. The way Linux patched the problem is brilliant and was done without regard to the date of your purchase like money hungry MS and company.
 

bit_user

Polypheme
Ambassador

The microcode-level patches are still supplied by Intel & AMD.
 

John_507

Commendable
Oct 12, 2016
2
0
1,510
NONE of these are actually exploits. None can retrieve data. Still nothing to worry about. Not one exploit that has actually worked. So this is still a non-issue.
 