Rich Freeman on 4 Jan 2018 08:41:58 -0800



Re: [PLUG] It's the final meltdown!! (Security vulnerabilities)


On Thu, Jan 4, 2018 at 11:27 AM, John Von Essen <john@quonix.net> wrote:
> I know people are freaking out about this, and it's a big deal, but... the
> thing I don't fully understand is why can't antivirus detect the “act” of
> grabbing leaked memory data?

One probably could, but antivirus is more of a band-aid to a
vulnerability.  As you later point out it tends to help most with
copy/paste attacks.

> Also, what are the unaffected CPUs?

AMD CPUs seem to be unaffected by exploit 3, and it sounds like nobody
has figured out how to actually pull off exploit 2 (they might
actually be unaffected).  They're vulnerable to exploit 1, but this
requires vulnerable code that can probably be patched (perhaps through
a compiler improvement).  As far as I'm aware no fix for exploit 1 is
available yet, but the only known attack against linux requires having
BPF enabled on AMD CPUs and that is not a commonly used feature and it
has to be turned on by the sysadmin.

>
> Lastly, you still need to get the malware on your PC, so if you are very
> careful, behind a firewall, and only install “approved” or “signed” apps,
> you should be good. On my work PC, for the past 10 years, I have never
> gotten infected by anything; the only software I install is commercial
> products like Office, etc., and I never download random apps. I mainly
> download PDFs and misc content.

It is potentially exploitable by javascript/etc, so browsers are an
obvious target.  Exploit 1 isn't just a kernel vulnerability - it can
be used in any kind of IPC if there aren't steps to prevent it if the
code being called happens to be vulnerable.

> The real threat is cloud computing, where a hacker can just buy a VM, run
> their malware, and read all the contents of the cloud platform's CPU. Hence
> another reason not to use the cloud for critical stuff or sensitive data.
> Cloud is great for little web sites of content, but super sensitive data
> should be on your own hardware.

Yes and no.  There are many kinds of risks.  Having more control over
your hardware enables you to control those risks, or to mismanage
them.  For many less-sophisticated organizations there is a benefit to
letting somebody more competent manage some of these.  If you know
what you're doing, then certainly controlling your hardware allows you
to make sure things are done right, and to block these kinds of
attacks.

However, for the typical company that wants to spend as little on
sysadmins as possible, the cloud could be a better choice.  Cloud
providers have already been rolling out these patches, as they had
advance notice of the threat.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug