
Meltdown-Spectre: Malware is already being tested by attackers - okket
http://www.zdnet.com/article/meltdown-spectre-malware-is-already-being-tested-by-attackers/
======
Bitcoin_McPonzi
Here's how it can be exploited:

A popup that says "Intel has detected your computer is vulnerable to Meltdown.
Click here to install the fix."

~~~
gnu8
One drawback to giving branding to these otherwise complex and obscure
vulnerabilities. It wouldn’t be so effective to say “Intel has detected your
computer is vulnerable to a cache side channel attack. Click here to install
the fix.”

~~~
DarronWyke
As I sardonically stated on Twitter, it's not a real vulnerability until it
has a catchy name and logo. It's the newest node.js hipster pentesting tech.

~~~
simlevesque
It's as useless as bashing node.js in an unrelated conversation.

------
forgotmypw
Can someone please help me clear something up, as I have not been able to
figure it out for sure myself...

If I understand correctly, it is possible to perform these exploits with
JavaScript. What about without?

Let's say I set javascript.enabled=false, is it possible to break out of
the browser's sandbox with just HTML5 + CSS? I have read that today it is
"Turing-complete"...

~~~
cm2187
I understand the only way it can be exploited in javascript relies on access
to a very precise timing API, which is trivial for browser vendors to make
less precise. I wouldn't worry too much about javascript at least as far as
this vulnerability is concerned.

~~~
fragmede
Because of javascript's wide surface area, it's nigh-impossible for browser
manufacturers to be _sure_ that they've disabled indirect access to timing
data.

The original proof of concept didn't even use a "precise timing API"; it
featured `while(true){ i++; }` to increment a counter, and pulled timing
information out of that side-channel.

It is trivial for the browser vendors to disable access to a specific API, but
we're in for a game of whack-a-mole.

Dismiss the exploitability of javascript at your own peril - sure, WebWorkers
and SharedArrayBuffer are this week's blocked timing attack, but smart money
says there are other ways to get timing information that are unpatched.

~~~
user5994461
The `while(true)` loop used a very specific memory API that was disabled in all
browsers the week the bug was disclosed.
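The sub-thread above turns on timer precision: an attacker needs to tell a short event from a slightly longer one, and browsers responded by coarsening their clocks. The following added example (not code from the thread or from any browser vendor) simulates that mitigation; the clock, the 20 µs grid, the 100 ns and 300 ns event costs and the start offset are all constructed values.

```javascript
// Simulated monotonic clock in nanoseconds (constructed; no real hardware timing).
function makeClock(startNs) {
  let t = startNs;
  return {
    now: () => t,
    advance: (ns) => { t += ns; },
  };
}

// Coarsen a timestamp to a fixed grid, modelling the precision reduction browsers
// applied to their timing APIs after the disclosure. Only grid size is modelled;
// the jitter some vendors added on top is left out for determinism.
function coarsenTimestamp(tNs, resolutionNs) {
  return Math.floor(tNs / resolutionNs) * resolutionNs;
}

// Measure one simulated operation of `costNs` using the given timestamp reader.
function measure(clock, read, costNs) {
  const start = read(clock.now());
  clock.advance(costNs);
  return read(clock.now()) - start;
}

// Compare what an exact and a coarsened reader report for two events whose true
// durations differ (a cache-hit-like cost vs a cache-miss-like cost).
function compare(resolutionNs, hitNs = 100, missNs = 300) {
  const clock = makeClock(7300);             // arbitrary start offset, constructed
  const exact = (t) => t;
  const coarse = (t) => coarsenTimestamp(t, resolutionNs);
  return {
    exactHit: measure(clock, exact, hitNs),   // 100: the exact clock separates them
    exactMiss: measure(clock, exact, missNs), // 300
    coarseHit: measure(clock, coarse, hitNs),   // 0: on a 20 µs grid both read as 0
    coarseMiss: measure(clock, coarse, missNs), // 0
  };
}

console.log(compare(20000));
```

A single coarsened sample no longer distinguishes the two events, which is the intended effect; it does not remove the statistical leak across many samples that straddle grid boundaries, which is why the thread's "whack-a-mole" point about alternative clocks still holds.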

------
lukeqsee
I've assumed since the exploits were published that viable attacks existed to
exploit them. Does that make me too cynical?

Of what advantage is it for attackers to publish that they are using a
particular exploit? Especially due to the nature of these exploits, they would
more than likely be silent attacks.

~~~
saget
Yeah, the white papers are pretty clear on how to replicate it, though it
seemed it would still take no small effort to get it working at a higher level
(IIRC they used kernel modules to pull it off).

Here's the meltdown repo from the paper if you're interested:
[https://github.com/IAIK/meltdown](https://github.com/IAIK/meltdown)

------
ohiovr
Could someone with PHP and a remote page reloader access data in the other
shared hosts? I was told a shared host's computer can sometimes have thousands
of web accounts and domains. Seems like a limitless opportunity for stealing
backend information. I hope I'm wrong.

~~~
Kalium
You're almost certainly right. And a lot of those hosts do not reliably do a
good job of staying current on patching.

------
campuscodi
Infosec experts have pointed out this article contains some inaccuracies:
[https://www.virusbulletin.com/blog/2018/02/there-no-evidence-wild-malware-using-meltdown-or-spectre/](https://www.virusbulletin.com/blog/2018/02/there-no-evidence-wild-malware-using-meltdown-or-spectre/)

------
sp332
Counterpoint: "There is no evidence in-the-wild malware is using Meltdown or
Spectre" [https://www.virusbulletin.com/blog/2018/02/there-no-evidence-wild-malware-using-meltdown-or-spectre/](https://www.virusbulletin.com/blog/2018/02/there-no-evidence-wild-malware-using-meltdown-or-spectre/)

~~~
LandR
>> the Flash Player patch Adobe will release next week.

Part of me thinks you could read that sentence this week, next week, a month
or 6 months from now and it will still hold true...

~~~
Zekio
That would only stay true until, was it 2020, when they stop Flash Player
support.

------
amelius
> A successful attack could expose passwords and other secrets.

Perhaps this is a good moment for the IT-world to start eradicating the use of
passwords.

EDIT: Of course this will not solve every problem related to these
vulnerabilities, but it might go a long way, especially if possible exploits
are taken into account when designing new systems.

~~~
pmlnr
And replace it with what exactly? Physical devices - Yubikey - are a neat
idea, but not everything supports them. Biometrics are not a password, they're
a username replacement.

Also, it doesn't matter. Passwords, secret hashes, ssh keys; anything can be
accidentally acquired.

~~~
0xFFC
Exactly, fingerprints (and more generally biometrics) are usernames, not
passwords.

~~~
DarronWyke
Fingerprints are not passwords or usernames. They're another form of
authentication.

Remember: MFA is a two-or-more combination of: something you know (password,
pin, etc.), something you have (keycard, token, fob, etc.), something you are
(fingerprint, iris scan, voice recognition, etc.), and potentially even
somewhere you are (geolocation).

