MELTDOWN & SPECTRE MALWARE PROTECTION

[HANDJOJO 11]

Dear ESET Support,

Please inform whether ESET Products has have protection for Meltdown & Spectre Intel Processor malware, if not yet please advise how to prevent this malware come to my computer.

Awaiting the reply.

Thanks 

Edited January 5, 2018 by Aryeh Goretsky
topic edited for clarity

[cyberhash 166]

You need to download the update from microsoft via windows update

[Aryeh Goretsky 353]

Hello,

Please see the ESET's response to Meltdown and Spectre CPU vulnerabilities thread for latest information.

Regards,

Aryeh Goretsky

[itman 1,538]

Appears Symantec has a heuristic detection capability for these exploits: https://www.symantec.com/security_response/writeup.jsp?docid=2018-010508-3826-99&tabid=2 . Eset have anything likewise in the works?

[itman 1,538]

I will also add someone has developed a nifty test tool to determine if your browser is vulnerable to a Javascript Meltdown Spectre attack: "httpx://repl.it/repls/DeliriousGreenOxpecker" Click on the "Run" tab and it simulates a browser based Meltdown Spectre attack. If you see the wording "The Magic Words are Squeamish Ossifrage" in the displayed output, your browser cache data can be intercepted. This tool could be used as a starting point in building heuristic based detection into Eset's JavaScript monitoring .dll injected into the browser? 

Obviously if you have applied the current Microsoft OS patches for the Meltdown and Spectre vulnerabilities and you are using IE11 or Edge, the above test will fail - hopefully that is. Ditto for the current release of FireFox or if its "noscript" extension is enabled.

-EDIT- The actual proof of concept is here along with tests against various processors shown in the comments: https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6

Edited January 8, 2018 by itman
removing URL

[planet 232]

7 hours ago, itman said:

If you see the wording "The Magic Words are Squeamish Ossifrage" in the displayed output, your browser cache data can be intercepted. [...] the above test will fail - hopefully that is. Ditto for the current release of FireFox or if its "noscript" extension is enabled.

Somewhat off topic, but interestingly on macOS 10.13.2 and Firefox 57.0.4, that test didn't fail and I saw those words. Apparently both 10.13.2 and 57.0.4 were versions that resolved these. Got some Googling to do.

Edited January 8, 2018 by planet

[itman 1,538]

6 hours ago, planet said:

Somewhat off topic, but interestingly on macOS 10.13.2 and Firefox 57.0.4, that test didn't fail and I saw those words.

Did you apply the Mac OS update?

Quote

Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS did not require mitigation.

https://support.apple.com/en-us/HT208394

Also if you have Noscript set in FireFox, you have to allow the web page shown for the test. The test is actually being run from a web server.

Edited January 8, 2018 by itman

[itman 1,538]

@planet you might want to read this: https://www.bleepingcomputer.com/news/apple/apple-releases-security-updates-for-spectre-cpu-flaw/

Supposedly, Apple has only patched the Meltdown exploit and not the Spectre one as far as macOS 10.13.2 goes . The test I posted is for Spectre.

Edited January 8, 2018 by itman

[planet 232]

1 hour ago, itman said:

@planet you might want to read this: https://www.bleepingcomputer.com/news/apple/apple-releases-security-updates-for-spectre-cpu-flaw/

Supposedly, Apple has only patched the Meltdown exploit and not the Spectre one as far as macOS 10.13.2 goes . The test I posted is for Spectre.

The update appeared just now, and I've installed it. I then ran the test again in both Firefox and Safari (as this update apparently patches both macOS and Safari), and both browsers still showed the message in the test. I'm not using NoScript in Firefox, and version 57.0.4 apparently patched Spectre... https://github.com/hannob/meltdownspectre-patches

Is this test valid for my configuration? Surely these updates I've got now that apparently addressed both Spectre and Meltdown are meant to stop that test from showing me that message?

[itman 1,538]

32 minutes ago, planet said:

Is this test valid for my configuration?

Might only work on Win OSes.

-EDIT- Or.......... Patched FireFox can't stop it based on this:

Quote

David Lawdovsky‏ @dlawdovsky Jan 7

Replying to @MichalPurzynski @aionescu

This still works even on patched Firefox.

https://twitter.com/MichalPurzynski/status/949943285551788032

Edited January 8, 2018 by itman

[itman 1,538]

 

Quote

 

Detection of Meltdown and Spectre

Kernel memory violations are generated relatively infrequently by regular software. However, any process attempting to exploit Meltdown would generate thousands of such violations over a short duration. Capsule8 suggests that a system designed to monitor for an abundance of segmentation violations for kernel memory addresses (especially from the same PID) could be used to detect meltdown exploits in action.

Endgame recommends monitoring for cache timing attacks using hardware performance counters. In their blog, they examine methods to detect signs of Meltdown exploitation using TSX counters, page flush counters, and by counting last-level-cache (LLC) micro operations. They also examine how it might be possible to detect Spectre attacks by recording speculative branch execution leaks.

 

https://labsblog.f-secure.com/2018/01/09/some-notes-on-meltdown-and-spectre/

[itman 1,538]

Here's a great article by networkworld.com that I believe correctly assesses the threat posted by the Meltdown and Spectre exploits: https://www.networkworld.com/article/3245813/security/meltdown-and-spectre-exploits-cutting-through-the-fud.html#tk.nww-fsb . This states basically if you're a desktop user, you really should not be concerned about it other than to apply all recent OS and app patches issued in regards to it:

Meltdown and Spectre exploits: Cutting through the FUD

Quote

These aren't things smaller-scale computers, like PCs and smartphones, need to worry much about, as the amount of effort involved would highly favor exploitation at large data center machines rather than personal machines. It’s about “bang for the buck” for the hacker.

Additionally, I for one have no intention of applying any BIOS upgrades for the mitigation since most issued to date are causing major issues and are being revoked by their OEM issuers.

Edited January 14, 2018 by itman

[itman 1,538]

I am going to duplicate a posting below I made on wilderssecutity.com that I believe will "demystify" a lot in regards to Meltdown and Spectre vulnerabilities. I will then make some additional recommendations on how you can protect yourself against Spectre vulnerabilities.

The following from SANS pretty much sums up the Meltdown and Spectre vulnerabilities. Since Meltdown attacks the OS kernel, I would say that it is the worst of the two:

Here's is the full SANS article on the subject which is definitely worth a read: http:// https://www.renditioninfosec.com/files/Rendition_Infosec_Meltdown_and_Spectre.pdf

As far as browser mitigations go, besides apply the software patches, is the following. I find it ironic that a protection mechanism, i.e. sandboxing, is what is being exploited :

Quote

Spectre is most likely to be exploited in applications that allow users to run some code in a sandbox. Spectre will allow the code in a sandbox. Spectre will allow the attacker to escape the sandbox and leak data elsewhere in the process.

This is most useful in a browser where one tab may contain attacker code while another tab contains sensitive information that should not be accessible to the attacker.

Isolating each tab in its own process would mitigate this type of attack.

As far as Meltdown is concerned, OS update patches will mitigate it. Additionally, AMD processors are not vulnerable to Meltdown.

Sprectre is a different matter altogether. Both OS and application update patches need to be applied. Additionally, BIOS firmware updates need to applied. Furthermore, a number of security expects have outright stated until new CPU processors are introduced into the marketplace, this vulnerability will not be fully mitigated. Again, refer to the above SANS chart. What is currently most vulnerable to Spectre attacks - browsers.  For those that have not read the above linked SANS article is one important point to note:

Quote

Spectre can only read memory from the current process, not the kernel and other physical memory.

Next refer to what I underlined in the above first quote box.There is current one browser, IE11, that can be configured to do just that. When a new tab is opened in IE11, a new child process of itself is spawned in effect isolating its allocated memory from other currently running tabbed instances. Another browser option is to use Chrome configured for strict site isolation in the web browser. Finally, Edge might be able to be configured similar to that stated for IE11 although I have tested it yet.

Edited January 21, 2018 by itman

[k.crabbe 3]

Thanks for the information and explanations itman. It is very much appreciated.