Skip to main content

Massive Vulnerability Resulting In Meltdown and Specter Attacks

I planned to update Arch every 10 days but since updating some 3 days ago, news of a massive vulnerability in the chip processor all computers use came out. There are two demonstrated attacks called Meltdown and Specter. So let me use the language of the OpenSuse security patch email here to explain what these are.


CVE-2017-5753 / "SpecŧreAttack": Local attackers on systems with modern

     CPUs featuring deep instruction pipelining could use attacker
     controllable speculative execution over code patterns in the Linux
     Kernel to leak content from otherwise not readable memory in the same
     address space, allowing retrieval of passwords, cryptographic keys and
     other secrets.

     This problem is mitigated by adding speculative fencing on affected code
   paths throughout the Linux kernel.


   - CVE-2017-5715 / "SpectreAttack": Local attackers on systems with modern
     CPUs featuring branch prediction could use mispredicted branches to
     speculatively execute code patterns that in turn could be made to leak
     other non-readable content in the same address space, an attack similar
     to CVE-2017-5753.

     This problem is mitigated by disabling predictive branches, depending
     on CPU architecture either by firmware updates and/or fixes in the
      user-kernel privilege boundaries.

     Please also check with your CPU / Hardware vendor on updated firmware
     or BIOS images regarding this issue.

     As this feature can have a performance impact, it can be disabled using
   the "nospec" kernel commandline option.


   - CVE-2017-5754 / "MeltdownAttack": Local attackers on systems with modern
     CPUs featuring deep instruction pipelining could use code patterns in
     userspace to speculative executive code that would read
     otherwise read protected memory, an attack similar to CVE-2017-5753.

     This problem is mitigated by unmapping the Linux Kernel from the user
   address space during user code execution, following a approach called
   "KAISER". The terms used here are "KAISER" / "Kernel Address Isolation"
   and "PTI" / "Page Table Isolation".

     Note that this is only done on affected platforms.

     This feature can be enabled / disabled by the "pti=[on|off|auto]" or
   "nopti" commandline options.

Linux distros have pushed patches so I'm doing an update today. I'm updating my mirrors first with.

$ reflector --latest 8 --protocol https --sort rate --save /etc/pacman.d/mirrorlist

Then I update my system with --

$ pacman -Syu

I should be receiving the same patch that OpenSuse pushed to their users.

Comments

Post a Comment

Popular posts from this blog

Password Issues On Ubuntu Login

I found myself unable to enter my login credentials when prompted to do so in Ubuntu. I think I might have changed it then forget about it. I've been running the current session for more days than I should have. I forget. So what's the solution to my problem. How do I get in to my system now? It involved getting into the grub menu somehow. I am uncertain as to how to do that exactly in your system. So there's a couple of ways to do it (finger's crossed). When booting at system start, use the esc key or the shift key. The first one worked for me. The timing is key. Wait until the bios banner shows then hit the esc key once. I am using Ubuntu 22.04.4 here. I have a current version of grub. The grub menu will give you options and the one you want is: root. Yes you want root privileges to set the root password. It should give you a terminal access where you can issue commands. Type: #mount -rw -o -s remount / ==> this command mounts the filesyste...
Post a Comment
Read more

Reflections On My Blogging: Keeping It Honest

When you're facing a white, blank screen trying to decide what to write, it seemed hopeless and hopeful at the same time. It's like watching a boat with its sails unfurled but there's no wind, yet you wait and then see the tide turning. You have to stop the distractions. Shut the door. Wait until your breathing is regular and your mind relaxed, like your wrists on the table infront of you. I imagine me looking sideways but not hearing anything. The sounds come much later. I see the big mass of color first, the greens. Just the vegetation, moving, not even individual trees, not leaves, just the big green. Then behind it the blue sky, unfocused and floating. Do not concern your brain with the details. Forget the words and the punctuations. But be mindful of the flow, trace the outlines, hear the motions. Sometime these things don't have a name, give it a name. How do you give something a name and still be honest? How do you keep your writing honest? I...
Post a Comment
Read more

Webapps in Unity

So it has been 4 months since Ubuntu 14.04 came out. This is LTS and supported for 6 years by Canonical. The first mobile device with Ubuntu pre-installed is promised to come out later this year, 2014. It's time to check out how the apps perform so far. It is a good idea. I use Gmail and Twitter and Facebook. Why not a webapp in a desktop? So I start the Twitter and Gmail webapp. So far it has crashed my computer 6 times. Not a very good sign. On the other hand it does work but not as stable as opening them in Firefox. -- Use my PGP key if you want to encrypt your replies/messages to me. You are invited to also send me your PGP keys so we can communicate in private.
Post a Comment
Read more