Massive security hole in CPU's incoming?Official Meltdown/Spectre Discussion Thread

[zinfamous]

^apparently iOS is horribly exploitable, like many have been telling you for some time.

 

[Fanatical Meat]

^apparently iOS is horribly exploitable, like many have been telling you for some time.

Funny thing is windows phone was pretty secure for the time but everyone rejected it

 

[IEC]

It is worth noting that none of the exploits bypassed the new, PAC-based JIT hardenings that are enabled on A12 devices.

“It feels like the amount of effort that went into the exploits is very significant,” said Charles Holmes, a managing principal research consultant who focuses on mobile security at Atredis partners. “Maintaining capabilities off of the last three years of iOS and a combination of hardware devices and firmware—a lot of time and effort went into that. My gut feels like some nation was behind maintaining that capability.”

Now, add in two additional snippets of information:
1) Several of the "targets" were in China
2) The exploit kit transmitted everything in cleartext, indicating the sponsor did not care if anyone found out information was being exfiltrated

Hmm, I wonder what nation has a restive minority group they like spying on, and the government has total control of the networks? I wonder why media outlets intentionally neglect to mention this association?

/OT

Of course, this isn't the only recent pwnage-level security bug:
See recent Chrome bug

Another day, another exploit. "Nothing is beyond our reach."

 

[Yeroon]

Funny thing is windows phone was pretty secure for the time but everyone rejected it

Its even more secure now, if you consider security through obscurity to be a thing.
I'm still rocking a 1020.

 

[Fanatical Meat]

Its even more secure now, if you consider security through obscurity to be a thing.
I'm still rocking a 1020.

Too true, my final windows phone Nokia 630 never had any web ads or Facebook ads. Nobody bought them because the audience was so small.
When I moved to an iPhone I was shocked how many mobile ads had appeared in my 7 year absence.

 

[coercitiv]

iPhones have never been "obscure" and Apple has never depended on security by obscurity for the iOS platform.

https://twitter.com/i/web/status/1167484209474097152

Not allowing inspection tools to be used in iOS seems pretty obscure to me.

 

[DrMrLordX]

Keep telling yourself this. You're wrong.

Uh? I don't recall iPads being used as server hardware.

 

[mattiasnyc]

Its even more secure now, if you consider security through obscurity to be a thing.
I'm still rocking a 1020.

I just gave up on my Lumia 950 like a month ago. I'm amazed by how ahead of its time it was in several ways.

People are sheep. Win phone should have killed it.

 

[Fanatical Meat]

I just gave up on my Lumia 950 like a month ago. I'm amazed by how ahead of its time it was in several ways.

People are sheep. Win phone should have killed it.

Lack of useful apps killed it
Microsoft’s hope that being easy to port apps from google/Apple was foolish. Why would either company allow MS to collect money for them.

 

[darkswordsman17]

Fortunatley for server admins, iOS is not used in their practice. The bossman who has an iPad in the executive office, however, might be a liability to the company.

I think he's saying that there's quite a few companies where the admins have to take iOS into account as they let their employees use iPhones and iPads. That actually caused one of the security issues with iOS that Apple patched earlier this year, where they have a program for enterprise customers to have a special certification that lets them manage the apps without the normal Apple locks.

https://arstechnica.com/gadgets/2019/02/google-and-facebook-werent-the-only-ones-breaking-apples-rules-to-distribute-apps/

I wouldn't be surprised if compromised end user devices could be used as vectors to exploit flaws in the servers as well.

iPhones have never been "obscure" and Apple has never depended on security by obscurity for the iOS platform. It has always been locked down far tighter than Android. Apple doesn't want unauthorized non-AppStore code to run, even if it's not malicious.

iOS has always had a far greater emphasis on security than Android.

Sorry you're absolutely wrong about this, but then I'm fairly certain you know what they meant by obscurity in this case and are just trying to be argumentative. Apple has hardly been open about their security methods and that's actually gotten worse over time as they now just go "we have a secure processor, it handles everything, trust us!" which we're seeing is actually not secure because if the secure processor can be compromised or exploited it can defeat the rest of the security measures.

Just because Android is as big of a mess (I would've said far bigger mess until the rampant number of iOS exploits have actually made it sadly far too similar) doesn't mean the security issues with Apple are less of a problem so I don't even know what your argument there is, not that I'm surprised you'd argue in this manner given the general behavior you've shown in discussing topics on here.

https://arstechnica.com/information-technology/2019/09/for-the-first-time-ever-android-0days-cost-more-than-ios-exploits/

But keep pretending like iOS doesn't have MAJOR security issues in spite of Apple's fluff that they're doing so much for security.

See above, Apple has to let some external management or else they wouldn't be used in those markets, and that has opened things up to lots of exploits.

 

[scannall]

But keep pretending like iOS doesn't have MAJOR security issues in spite of Apple's fluff that they're doing so much for security.

See above, Apple has to let some external management or else they wouldn't be used in those markets, and that has opened things up to lots of exploits.

Anything that connects to the internet can be exploited. Including iOS devices. I would suggest though that Apple is far more likely than any Android vendor to actually patch and push the updates. And for a much longer period of time.

 

[darkswordsman17]

Lack of useful apps killed it
Microsoft’s hope that being easy to port apps from google/Apple was foolish. Why would either company allow MS to collect money for them.

The thing is, I don't think it was difficult to port apps to it. That's not the issue really, the issue is maintaining those apps and providing support. Companies didn't make enough money from users on those devices to make it worth the support costs. Microsoft was even porting apps themselves to try and entice companies to go with it, but they weren't biting because having workable apps was never the issue.

Microsoft developed a full on translation layer that would've let native Android apps run on Windows Phone. I'm guessing though that Google basically told them to stop or else expect the mother of all lawsuits (they'd already been constantly fighting leading to Google pulling their apps like YouTube from Windows Phone, and then Google got mad when Microsoft coded their own), and so Microsoft chose to kill that which killed Windows Phone. And then focus on making iOS and Android apps, which since they're moving to their products as services, it doesn't matter to them what you run it on as long as you might be subscribing to Office or Xbox or whatever. That was an easy call for Microsoft, as they no longer have the costs of supporting the OS, trying to push devices and market and all the other stuff (and they spent and lost billions on Windows Phone). They just do the apps. Which, I'm sure Microsoft would prefer more control, which is why they've been building up ARM support on normal Windows. Which they don't need to worry about native support that much, as most likely things are going to move to where devices are fairly simple terminals used to communicate with the cloud which will do the heavy processing. And Microsoft will have control over that. Even Apple and Google are moving that direction.

 

[coercitiv]

I would suggest though that Apple is far more likely than any Android vendor to actually patch and push the updates. And for a much longer period of time.

There's no patch & update to be had when the vulnerabilities are hidden. The implant left no trace on the device, only used exploit chains to load itself in RAM. A simple device reboot would erase it, but by that time it would have already uploaded enough sensitive data to allow (permanent) access to the victim's online accounts.

The only (very) good news is the latest gen of iPhones is not vulnerable. The devastating news is the rest of the devices were exploited for years. (IIRC it started around 2016). Think about it: even if Apple patches the next day after discovery, the iPhone 6s was exploited for most of it's shelf life.

 

[pandemonium]

iPhones have never been "obscure" and Apple has never depended on security by obscurity for the iOS platform. It has always been locked down far tighter than Android. Apple doesn't want unauthorized non-AppStore code to run, even if it's not malicious.

iOS has always had a far greater emphasis on security than Android.

Not quite true any more.

 

[amd6502]

And all that it took was going to one of a number of popular websites. That's the biggest shocker.

Now this is a more general problem, that advertisers have the ability to to easily deploy malware. There really need to be accountabiliy measures in this space.

All scripts need to be archived, with authors and contacts, so that if a malicious script is found (where this script's maliciousness is clearly intentional and by design) that those accountable are made to answer for it.

 

[DrMrLordX]

I think he's saying that there's quite a few companies where the admins have to take iOS into account as they let their employees use iPhones and iPads.

. . . such as a clueless executive, or what have you. I get that much. You think they'd be segmented from core infrastructure though.

 

[JustMe21]

I was wondering if there's any mention of how things look on the 10th gen Intel processors and I mean as in someone outside of Intel has tested it and confirmed everything looks okay? I also haven't seen much mention of patching on the low end for Atom and AMD's AM1 platform.

 

[DrMrLordX]

I also haven't seen much mention of patching on the low end for Atom and AMD's AM1 platform.

From briefly looking at product pages for a few AM1 motherboards, I can tell you that Asus and Gigabyte (at least) don't look like they've got BIOS revisions newer than ones released in 2016. Whatever vulnerabilities there were in Kabini are pretty much still there.

 

[darkswordsman17]

. . . such as a clueless executive, or what have you. I get that much. You think they'd be segmented from core infrastructure though.

The issue is that, they are becoming part of the core infrastructure, because people want their smartphones and are transitioning to them being integral to their workflow (and that's gonna get worse when AR systems start to take off). Its not just the owners and ignorant execs, the entire company (including the IT people) want the slick devices. Blackberries weren't cutting it any more. Heck, even Google and Microsoft were forced to allow iOS and support it, and then Apple was forced to capitulate security options for large organizations. Heck, its enough that even high ranking (highest ranking really) government officials are even willing to compromise things so they can use their devices.

Anything that connects to the internet can be exploited. Including iOS devices. I would suggest though that Apple is far more likely than any Android vendor to actually patch and push the updates. And for a much longer period of time.

Yes, yes, spare me the nonsense argument (FYI, devices that can't connect are also exploitable). Again, this isn't about saying that others are as bad or worse. In fact, your attitude is exactly some of the problem. We're seeing that faith/trust in Apple (or any company/person) is misguided, and that the people saying we shouldn't be trusting Apple just because they do a big show claiming they're more secure turned out to be right. I would agree they're more likely to patch than Android, but when its still this ridiculously terribly pathetically bad, then it doesn't even hardly matter.

As others pointed out, if the company isn't aware of the problem they can't patch it. And then we get to behavior like Intel's which is to just plain ignore it altogether.

 

[darkswordsman17]

Back on topic, another day, another Intel security issue:

Weakness in Intel chips lets researchers steal encrypted SSH keystrokes

DDIO makes servers faster. It can also allow rogue servers to covertly steal data.

arstechnica.com

At least Intel isn't ignoring it, guess we'll see if Anandtech will like they have been other Intel vulnerabilities lately.

 

[DrMrLordX]

Heck, its enough that even high ranking (highest ranking really) government officials are even willing to compromise things so they can use their devices.

Those are the ones I expect to present the biggest security problems to organizations these days.

Back on topic, another day, another Intel security issue:

I had completely forgotten about DDIO. Actually I don't remember if I ever knew about it in the first place. Why am I not surprised? Disabling RDMA looks like it could have some pretty serious performance implications for clusters.

 

[moinmoin]

Back on topic, another day, another Intel security issue:

Weakness in Intel chips lets researchers steal encrypted SSH keystrokes

DDIO makes servers faster. It can also allow rogue servers to covertly steal data.

arstechnica.com

At least Intel isn't ignoring it, guess we'll see if Anandtech will like they have been other Intel vulnerabilities lately.

Another day, another cache base attack exposing Intel's lack of access right enforcement on the cache. That's one deep rabbit hole.

I had completely forgotten about DDIO. Actually I don't remember if I ever knew about it in the first place. Why am I not surprised? Disabling RDMA looks like it could have some pretty serious performance implications for clusters.

RDMA is only used as convenience by the researchers, it's DDIO that needs to be turned off. And DDIO is a transparent performance improvement, so transparent that it apparently can't be secured. One would guess after early examples like Firewire system architects would get the memo that unrestricted direct memory access from outside the CPU is always a bad idea.

 

[DrMrLordX]

Well, you've got to disable one or the other, but yes, ultimately, you've got to turn off DDIO.

 

[joesiv]

It's surprising it took so long for this exploit to be found. I take it AMD doesn't have a similar "optimization?"

 

[cortexa99]

After consideration I decide not to open new thread, I have an old DDR2 machine need to renew for emergency usage, the choice is between AMD PhenomII & Intel Core2.
But we already suffer from the Specture/Meltdown and some other bugs since last year, do these bugs have performance impact in PhenomII & Core2?
Seems both AMD&Intel give up fixing bugs for old CPU architecture, If I use newest Win10 with these old machine, it would means the bug is still here & have performance impact, right?
Are there any bench/experiment that show how the Spectre/Meltdown affect old machine performance? (especially 45nm, 32nm architecture for both Intel&AMD)