Chip flaw discovered in Intel, ARM, and AMD


Comments

  • AGAlumB
    1Password Alumni
    edited January 2018

    Thanks, guys. It is just me being a bit alarmed that even "private" system memory is not private anymore (feels like the '80s with no memory protection). That led me directly to think about the most valuable application I'm running on all my platforms: 1Password!

    @boboAgile: Hear hear! I don't think there's any disagreement about that. But I do think we need to take a step back and look at the big picture here.

    1. What do Spectre and Meltdown enable?
    2. What does the browser allow access to?
    3. And, as a result, what information is available to an attacker leveraging all of this in the browser?

    First, these vulnerabilities (#1) potentially allow a process with access to system memory to access data from another process's system memory at the OS level.

    Second, while the browser (#2) has access to system memory, all webpages (and other resources, like extensions) are sandboxed within the browser and do not have access to system memory (except by exploiting a very different critical vulnerability, if found).

    Finally, even when using the 1Password extension (#3) in the browser, your data doesn't live there; it's only sent (whether by the native app or server) and decrypted on demand; and even then, it's only available in the tab/window process where it is filled.

    Everything you've said above is correct, but websites in a modern browser do not have access to user space in the OS. It's important not to conflate the two. That's why the Meltdown paper you referenced above doesn't even mention the words "browser" or "web page": all of this privilege comes from the privilege of running alongside other processes in the OS itself, not being Javascript stuck sandboxed in the browser. Breaking out of that requires another vulnerability of a very different kind. I do realize that some of my comments above, if taken out of context, could confuse things; but there I was talking about what happens within the browser.

    So, while it may be possible for an attacker to use one of these vulnerabilities to read some memory, it's the browser itself that's at risk (its own password manager has to be accessible to tab/window processes, for obvious reasons). Browser vendors' approach is, therefore, twofold:

    • Mitigate Spectre and Meltdown vulnerabilities within the browser to prevent data leakage between tab/window process and the browser itself (new)
    • Maintain the integrity of browser sandboxing to prevent webpages from breaking out (as always) — which could also allow them to leverage these new vulnerabilities to do more than they otherwise could.

    Someone using the browser as an attack vector will need to break out of the browser in order to leverage these vulnerabilities against other apps running on the system though. So, the thing that's different with these vulnerabilities is that there's a new way for malware running on your system to get information with less privilege. And, as always, keeping the system free of malware is crucial, as, even without Spectre or Meltdown, that could allow someone to steal your 1Password data (or anything else) as you access it. So, in the end, it isn't that our approach as users should change at all, only that there's yet another risk to allowing our machines to be compromised — which of course can be a wake-up call for any of us not being as vigilant as we could be when it comes to installing unknown software. So the real concern is running something malicious at the OS level, but that's been a problem all along. What's new is that there's another way (well, two) that power can be used today.

    P.S. this breach may be relatively new to me and others but it is actually not so complex and knowing that this was possible on Intel processors since the mid-'90s one has to wonder who already took advantage of it... :(

    That's an excellent point, and for those of us in positions where we may be subject to targeted attacks from nation states and/or other dedicated hackers, it's certainly going to be a concern. I don't happen to be a very interesting target myself — one which would command the time, energy, and resources for someone to go after me in particular — and, ultimately, because of the points described above, even in that instance it would not be quick and easy to get something of value this way, especially if it were something in particular they were after. Ultimately, it would be much more time-efficient and cost-effective for them just to kidnap and detain (and perhaps torture) someone to get what they want. Definitely scary to think about, but most of us have only modest risk (if any) of facing a threat like this, unless we're heads of state or a large multinational. As users we need to take responsibility, not install stuff on our machines that we shouldn't. Ultimately the buck stops there. Any security measures can be bypassed by the owner of the machine behaving promiscuously. That goes for all of us, whether we're "ordinary" or "extraordinary" people.

    I apologize if my earlier remarks glossed over some of this. It isn't always clear to me just what information is already clear and can be built upon, and I don't want to be too much of a bore. Sometimes it's useful to break things down to the barest elements though, so hopefully this helps others get a better sense of the risks here, especially in relation to 1Password. Cheers! :)

  • wkleem
    Community Member
    edited January 2018

    I have also discovered, as this is an Intel chip vulnerability that only the manufacturer can fix, that Intel's Management Engine has a vulnerability too! It is earlier than and separate from Meltdown and Spectre.

    https://intel.com/content/www/us/en/support/articles/000025619/software.html

  • AGAlumB
    1Password Alumni

    Yeah, there have been a few issues there the past year or so. Unfortunately the burden is often on us as users to try to keep up with these things. No small task. :(

  • gabe2018
    Community Member

    I am surely not a tech computer guy so I am sure saying stupid things and confusing clipboard with RAM but...
    Would it maybe be safer to copy passwords manually (keyboard) from 1Password instead of cut & paste them or using browser add-ons?
    Or, 1Password could have an optional "safer mode" displaying passwords as images so only manually copying the password is allowed?

  • AlwaysSortaCurious
    Community Member

    Honestly, the way I read these vulnerabilities, it cuts to the core (no pun) of computing. No matter what you do at the OS level, it's the underlying hardware that's at issue. There needs to be remediation with the OS and firmware.

  • darrenNZ
    Community Member

    @gabe2018

    If somebody can gain access to the CPU then there's nothing that can be done to protect yourself. Once an attacker has control of the heart of the system, it's no longer under your control.

    As AlwaysSortaCurious said,

    No matter what you do at the OS level, it's the underlying hardware that's at issue.

  • AGAlumB
    1Password Alumni

    I am surely not a tech computer guy so I am sure saying stupid things and confusing clipboard with RAM but... Would it maybe be safer to copy passwords manually (keyboard) from 1Password instead of cut & paste them or using browser add-ons? Or, 1Password could have an optional "safer mode" displaying passwords as images so only manually copying the password is allowed?

    @gabe2018: Using the 1Password browser extensions (provided you aren't granting other extensions access to everything 1Password does on webpages!) to fill information is safer than copy and paste since it bypasses the clipboard. I don't know about you, but when I do copy something to the clipboard, I often forget it's there until much, much later. 1Password can automatically clear it over time, but not having sensitive data on the clipboard is best since all running apps have access to that. That's not to say that 1Password can protect you from your machine being compromised, but every bit helps.

    Honestly, the way I read these vulnerabilities, it cuts to the core (no pun) of computing. No matter what you do at the OS level, it's the underlying hardware that's at issue. There needs to be remediation with the OS and firmware.

    @AlwaysSortaCurious: But yeah, this is why we often get a bit preachy about people going to great lengths to run out of date devices, OSes, and browsers: we're all using 1Password to keep us more secure, and using it in an unsafe environment is counterproductive to that. :(

  • wkleem
    Community Member

    Hi

    There are now attempts to check the PC for vulnerabilities with Microsoft’s PowerShell 5.1. Plus GUI versions from GRC and Ashampoo so far.

    https://m.windowscentral.com/how-check-if-your-pc-still-vulnerable-meltdown-and-spectre-exploits
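Running that check from PowerShell, as an added example that is not part of wkleem's post and not code from 1Password: it uses Microsoft's SpeculationControl module from the PowerShell Gallery and reduces its report to the two questions a practitioner wants answered, whether Meltdown (kernel address unmapping, "KVA shadow") and Spectre variant 2 (branch target injection) are mitigated on this host, and if not, which piece is missing (CPU microcode, the OS update, or a policy override). Assumptions: PowerShell 5.1 or later with PowerShell Gallery access, an elevated session, and the property names of SpeculationControl 1.0.x; later module versions add further fields for later variants.

```powershell
# Added example, not from the forum thread or from 1Password.
# Checks Windows mitigation status for Meltdown (CVE-2017-5754) and
# Spectre v2 (CVE-2017-5715) via Microsoft's SpeculationControl module.
# Assumes: PowerShell 5.1+, PowerShell Gallery reachable, elevated session,
# and the SpeculationControl 1.0.x property names used below.

#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    # First run only: fetch the module from the PowerShell Gallery.
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

# The cmdlet writes a verbose report to the information stream (Write-Host)
# and also returns an object. Keep the object, drop the printed report.
$s = Get-SpeculationControlSettings 6> $null

# Meltdown: the OS must stop mapping kernel memory into user-mode page tables
# (KVA shadow). A CPU that is not affected reports KVAShadowRequired = $false,
# which counts as mitigated without any OS work.
$meltdownMitigated = (-not $s.KVAShadowRequired) -or $s.KVAShadowWindowsSupportEnabled

# Spectre v2: three things must line up - new CPU microcode (hardware support),
# an OS build that knows how to use it, and no policy override disabling it.
# BTIWindowsSupportEnabled is only true when all three hold.
$spectreV2Mitigated = $s.BTIHardwarePresent -and $s.BTIWindowsSupportEnabled

[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    CPU                       = (Get-CimInstance Win32_Processor).Name
    MeltdownMitigated         = $meltdownMitigated
    SpectreV2Mitigated        = $spectreV2Mitigated
    SpectreV2Microcode        = $s.BTIHardwarePresent        # false: firmware/microcode update needed from the OEM
    SpectreV2OSSupport        = $s.BTIWindowsSupportPresent  # false: the January 2018 Windows update is missing
    SpectreV2DisabledByPolicy = $s.BTIDisabledBySystemPolicy # true: turned off by registry override
    KVAShadowUsingPCID        = $s.KVAShadowPcidEnabled      # true: CPU has PCID, so the Meltdown fix costs less
} | Format-List
```

Reading the result: SpectreV2Microcode false with SpectreV2OSSupport true is the "fully patched OS, still vulnerable" state that only a BIOS/firmware update from the machine vendor can fix, which is why a laptop whose vendor has left the market may never get there. SpectreV2DisabledByPolicy true means the FeatureSettingsOverride and FeatureSettingsOverrideMask values under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management are switching the mitigation off (the default on Windows Server builds of that era, where it had to be enabled explicitly).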

  • AGAlumB
    1Password Alumni

    Great for Windows. Here's hoping some similar tools are made for other platforms as well. :) :+1:

  • wkleem
    Community Member

    Hi Brent

    Part of the mitigation will come from replacing JavaScript, a 20+ year old technology. Firefox 58 will have WebAssembly which in theory is a good thing but will take time to adopt.

  • AGAlumB
    1Password Alumni

    I don't see Javascript being replaced any time soon, but it seems like the browser vendors especially are on top of adding additional protections to be safe. :)

  • wkleem
    Community Member
  • AGAlumB
    1Password Alumni

    Yup. It was only a matter of time. I'm just glad that the OS vendors have been quick to push out patches (even with a few hiccups), and I know they're working on other mitigations as well. This is going to be where we're all at for a long, long time.

  • wkleem
    Community Member
    edited April 2018

    https://theregister.co.uk/2018/04/04/intel_spectre_microcode_updates/

    It may be of interest to someone who has the Spectre/Meltdown faults but may not know if the problem is fixable. In my case, because Sony is out of the PC business, my Vaio may never get patched irrespective of the CPU status. Also, my laptop has slowed down.

  • AGAlumB
    1Password Alumni

    Those sound like good excuses to get a new one. I should start saving too... :lol:
