HANDJOJO Posted January 5, 2018 (edited): Dear ESET Support, Please inform whether ESET products have protection for the Meltdown & Spectre Intel processor malware; if not yet, please advise how to prevent this malware from coming to my computer. Awaiting the reply. Thanks. Edited January 5, 2018 by Aryeh Goretsky (topic edited for clarity)
cyberhash (Most Valued Members) Posted January 5, 2018: You need to download the update from Microsoft via Windows Update.
Aryeh Goretsky (ESET Moderators) Posted January 5, 2018: Hello, Please see the "ESET's response to Meltdown and Spectre CPU vulnerabilities" thread for the latest information. Regards, Aryeh Goretsky
itman Posted January 6, 2018: Appears Symantec has a heuristic detection capability for these exploits: https://www.symantec.com/security_response/writeup.jsp?docid=2018-010508-3826-99&tabid=2 . Does Eset have anything likewise in the works?
itman Posted January 7, 2018 (edited): I will also add that someone has developed a nifty test tool to determine if your browser is vulnerable to a JavaScript Meltdown/Spectre attack: "httpx://repl.it/repls/DeliriousGreenOxpecker" Click on the "Run" tab and it simulates a browser-based Meltdown/Spectre attack. If you see the wording "The Magic Words are Squeamish Ossifrage" in the displayed output, your browser cache data can be intercepted. This tool could be used as a starting point in building heuristic-based detection into Eset's JavaScript monitoring .dll injected into the browser? Obviously if you have applied the current Microsoft OS patches for the Meltdown and Spectre vulnerabilities and you are using IE11 or Edge, the above test will fail - hopefully, that is. Ditto for the current release of Firefox or if its "NoScript" extension is enabled. -EDIT- The actual proof of concept is here along with tests against various processors shown in the comments: https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6 Edited January 8, 2018 by itman (removing URL)
planet (Most Valued Members) Posted January 8, 2018 (edited): 7 hours ago, itman said: "If you see the wording "The Magic Words are Squeamish Ossifrage" in the displayed output, your browser cache data can be intercepted. [...] the above test will fail - hopefully that is. Ditto for the current release of Firefox or if its "NoScript" extension is enabled." Somewhat off topic, but interestingly on macOS 10.13.2 and Firefox 57.0.4, that test didn't fail and I saw those words. Apparently both 10.13.2 and 57.0.4 were versions that resolved these. Got some Googling to do. Edited January 8, 2018 by planet
itman Posted January 8, 2018 (edited): 6 hours ago, planet said: "Somewhat off topic, but interestingly on macOS 10.13.2 and Firefox 57.0.4, that test didn't fail and I saw those words." Did you apply the macOS update? Quote: "Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS did not require mitigation." https://support.apple.com/en-us/HT208394 Also, if you have NoScript set in Firefox, you have to allow the web page shown for the test. The test is actually being run from a web server. Edited January 8, 2018 by itman
itman Posted January 8, 2018 (edited): @planet you might want to read this: https://www.bleepingcomputer.com/news/apple/apple-releases-security-updates-for-spectre-cpu-flaw/ Supposedly, Apple has only patched the Meltdown exploit and not the Spectre one as far as macOS 10.13.2 goes. The test I posted is for Spectre. Edited January 8, 2018 by itman
planet (Most Valued Members) Posted January 8, 2018: 1 hour ago, itman said: "@planet you might want to read this: https://www.bleepingcomputer.com/news/apple/apple-releases-security-updates-for-spectre-cpu-flaw/ Supposedly, Apple has only patched the Meltdown exploit and not the Spectre one as far as macOS 10.13.2 goes. The test I posted is for Spectre." The update appeared just now, and I've installed it. I then ran the test again in both Firefox and Safari (as this update apparently patches both macOS and Safari), and both browsers still showed the message in the test. I'm not using NoScript in Firefox, and version 57.0.4 apparently patched Spectre... https://github.com/hannob/meltdownspectre-patches Is this test valid for my configuration? Surely these updates I've got now that apparently addressed both Spectre and Meltdown are meant to stop that test from showing me that message?
itman Posted January 8, 2018 (edited): 32 minutes ago, planet said: "Is this test valid for my configuration?" Might only work on Windows OSes. -EDIT- Or... patched Firefox can't stop it, based on this: Quote: "David Lawdovsky @dlawdovsky Jan 7, replying to @MichalPurzynski @aionescu: This still works even on patched Firefox." https://twitter.com/MichalPurzynski/status/949943285551788032 Edited January 8, 2018 by itman
itman Posted January 9, 2018: Quote: "Detection of Meltdown and Spectre. Kernel memory violations are generated relatively infrequently by regular software. However, any process attempting to exploit Meltdown would generate thousands of such violations over a short duration. Capsule8 suggests that a system designed to monitor for an abundance of segmentation violations for kernel memory addresses (especially from the same PID) could be used to detect Meltdown exploits in action. Endgame recommends monitoring for cache timing attacks using hardware performance counters. In their blog, they examine methods to detect signs of Meltdown exploitation using TSX counters, page flush counters, and by counting last-level-cache (LLC) micro operations. They also examine how it might be possible to detect Spectre attacks by recording speculative branch execution leaks." https://labsblog.f-secure.com/2018/01/09/some-notes-on-meltdown-and-spectre/
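As an added illustration of the Capsule8 heuristic quoted above (not code from the thread, F-Secure or Capsule8), the following script scans Linux-style "segfault at" kernel log lines and flags any PID that produces a burst of faults on kernel-half addresses. The log lines, the 0xffff800000000000 kernel boundary, the window and the threshold are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Assumed x86-64 canonical split: addresses at or above this are kernel memory.
KERNEL_BASE = 0xFFFF800000000000

# Matches the Linux "segfault at" message format: "[ts] comm[pid]: segfault at ADDR ip ... sp ... error N"
SEGFAULT_RE = re.compile(
    r"\[\s*(?P<ts>[\d.]+)\]\s+(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at "
    r"(?P<addr>[0-9a-f]+) ip [0-9a-f]+ sp [0-9a-f]+ error \d+"
)


def _line(ts, comm, pid, addr):
    """Build one constructed log line in the kernel's segfault message style."""
    return (f"[{ts:.6f}] {comm}[{pid}]: segfault at {addr:x} ip 00000000004005d0 "
            f"sp 00007ffc1a2b3c40 error 5 in {comm}[400000+1000]")


# Constructed sample log: one process hammering kernel addresses in a short burst,
# plus ordinary user-space crashes and a single isolated kernel-address fault.
SAMPLE_LOG = "\n".join(
    [_line(1001.0 + i * 0.05, "probe", 4242, 0xFFFFFFFF81000000 + i * 0x1000) for i in range(8)]
    + [_line(1030.0, "firefox", 7, 0x8),
       _line(1045.0, "firefox", 7, 0xDEADBEEF),
       _line(1050.0, "ls", 99, 0xFFFFFFFF81000000)]
)


def is_kernel_address(addr):
    return addr >= KERNEL_BASE


def parse_segfaults(text):
    """Return (timestamp, pid, fault_address, comm) tuples for every matching line."""
    events = []
    for line in text.splitlines():
        m = SEGFAULT_RE.search(line)
        if m:
            events.append((float(m["ts"]), int(m["pid"]), int(m["addr"], 16), m["comm"]))
    return events


def find_suspicious_pids(events, window=2.0, threshold=5):
    """Map PID -> peak number of kernel-address segfaults seen inside any `window` seconds,
    keeping only PIDs whose peak reaches `threshold` (the "abundance" heuristic)."""
    per_pid = defaultdict(list)
    for ts, pid, addr, _comm in events:
        if is_kernel_address(addr):
            per_pid[pid].append(ts)
    flagged = {}
    for pid, times in per_pid.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[pid] = peak
    return flagged
```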
itman Posted January 14, 2018 (edited): Here's a great article by networkworld.com that I believe correctly assesses the threat posed by the Meltdown and Spectre exploits: https://www.networkworld.com/article/3245813/security/meltdown-and-spectre-exploits-cutting-through-the-fud.html#tk.nww-fsb . This states basically that if you're a desktop user, you really should not be concerned about it other than to apply all recent OS and app patches issued in regards to it: "Meltdown and Spectre exploits: Cutting through the FUD" Quote: "These aren't things smaller-scale computers, like PCs and smartphones, need to worry much about, as the amount of effort involved would highly favor exploitation at large data center machines rather than personal machines. It's about "bang for the buck" for the hacker." Additionally, I for one have no intention of applying any BIOS upgrades for the mitigation since most issued to date are causing major issues and are being revoked by their OEM issuers. Edited January 14, 2018 by itman
itman Posted January 21, 2018 (edited): I am going to duplicate a posting below I made on wilderssecurity.com that I believe will "demystify" a lot in regards to the Meltdown and Spectre vulnerabilities. I will then make some additional recommendations on how you can protect yourself against Spectre vulnerabilities. The following from SANS pretty much sums up the Meltdown and Spectre vulnerabilities. Since Meltdown attacks the OS kernel, I would say that it is the worse of the two. Here is the full SANS article on the subject, which is definitely worth a read: https://www.renditioninfosec.com/files/Rendition_Infosec_Meltdown_and_Spectre.pdf As far as browser mitigations go, besides applying the software patches, there is the following. I find it ironic that a protection mechanism, i.e. sandboxing, is what is being exploited: Quote: "Spectre is most likely to be exploited in applications that allow users to run some code in a sandbox. Spectre will allow the code in a sandbox. Spectre will allow the attacker to escape the sandbox and leak data elsewhere in the process. This is most useful in a browser where one tab may contain attacker code while another tab contains sensitive information that should not be accessible to the attacker. Isolating each tab in its own process would mitigate this type of attack." As far as Meltdown is concerned, OS update patches will mitigate it. Additionally, AMD processors are not vulnerable to Meltdown. Spectre is a different matter altogether. Both OS and application update patches need to be applied. Additionally, BIOS firmware updates need to be applied. Furthermore, a number of security experts have outright stated that until new CPU processors are introduced into the marketplace, this vulnerability will not be fully mitigated. Again, refer to the above SANS chart. What is currently most vulnerable to Spectre attacks - browsers.
For those that have not read the above linked SANS article, here is one important point to note: Quote: "Spectre can only read memory from the current process, not the kernel and other physical memory." Next, refer to what I underlined in the above first quote box. There is currently one browser, IE11, that can be configured to do just that. When a new tab is opened in IE11, a new child process of itself is spawned, in effect isolating its allocated memory from other currently running tabbed instances. Another browser option is to use Chrome configured for strict site isolation in the web browser. Finally, Edge might be able to be configured similarly to that stated for IE11, although I have not tested it yet. Edited January 21, 2018 by itman
k.crabbe Posted January 21, 2018: Thanks for the information and explanations, itman. It is very much appreciated.