• Questions about Spectre / Meltdown CPU vulnerabilities

    From Virus@1:396/4 to All on Wed Jan 3 22:58:16 2018
    From: Virus <Virus@Guy.C0M>

    Is there a definitive list of CPU models that are affected by Spectre / Meltdown?

    The most "detailed" explanation I can find is:

    =============
    "every processor since 1995 (except Intel Itanium and Intel Atom before
    2013)" is affected by Meltdown"
    ==============

    I'd like to see a complete breakdown of the status of all Intel CPUs,
    going back to at least the SLOT-1 products and including socket 370,
    socket 478 and socket 775.

    Also, what is the status of Xeon CPUs, specifically socket 775-compatible ones?

    Other questions:

    These exploits don't seem to be able to take control of systems, alter
    protected or system memory or processes (or even user-space memory or
    files?), plant or install back doors or other forms of persistent
    access. Yes?

    These exploits make it possible for specifically-crafted code to be able
    to read system memory (ie - memory / data that they wouldn't normally
    have access to) but not necessarily be able to alter or corrupt said
    memory? Yes?

    Other than executing a binary delivered via email, is it possible to
    deliver a workable Spectre / Meltdown exploit in the form of a script
    written in any of the various web/browser compatible formats (JS, Java,
    html, etc)?
    --- NewsGate v1.0 gamma 2
    * Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
  • From Shadow@1:396/4 to All on Thu Jan 4 05:42:43 2018
    From: Shadow <Sh@dow.br>

    On Thu, 04 Jan 2018 09:58:16 -0500, Virus <Virus@Guy.C0M> wrote:

    > These exploits don't seem to be able to take control of systems, alter
    > protected or system memory or processes (or even user-space memory or
    > files?), plant or install back doors or other forms of persistent
    > access. Yes?

    Meltdown gives user programs access to kernel memory. And
    anything there (passwords, etc). If you get the root password, the
    computer's yours. It affects almost all OS's.
    All INTEL processors produced in the last 10 years or so have
    the backdoor. AMD processors do not.

    Spectre affects ALL processors, but there are no known working
    exploits known yet. Not to the public, anyway. If any appear, Cloud
    Services will be the hardest hit. Nobody cares about the pR0n on your
    desktop.
    Happy nightmares.
    []'s
    --
    Don't be evil - Google 2004
    We have a new policy - Google 2012
    --- NewsGate v1.0 gamma 2
    * Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
  • From David W. Hodgins@1:396/4 to All on Thu Jan 4 00:44:23 2018
    From: "David W. Hodgins" <dwhodgins@nomail.afraid.org>

    On Thu, 04 Jan 2018 09:58:16 -0500, Virus <Virus@guy.c0m> wrote:

    > Is there a definitive list of CPU models that are affected by Spectre / Meltdown?
    > The most "detailed" explanation I can find is:
    > "every processor since 1995 (except Intel Itanium and Intel Atom before 2013)" is affected by Meltdown"
    > ==============
    > I'd like to see a complete breakdown of the status of all Intel CPUs,
    > going back to at least the SLOT-1 products and including socket 370,
    > socket 478 and socket 775.

    Unlikely that there will be such a list. All cpus are affected. AMD is
    only affected by some of the bugs, but is not immune. Same with ARM.

    > Also, what is the status of Xeon CPUs, specifically socket 775-compatible ones?

    As above.

    > Other questions:
    > These exploits don't seem to be able to take control of systems, alter
    > protected or system memory or processes (or even user-space memory or
    > files?), plant or install back doors or other forms of persistent
    > access. Yes?

    Based on the current public descriptions, correct. Read only access to
    the memory that was previously used by the kernel, but becomes available
    to the exploit without being initialized.

    > These exploits make it possible for specifically-crafted code to be able
    > to read system memory (ie - memory / data that they wouldn't normally
    > have access to) but not necessarily be able to alter or corrupt said
    > memory? Yes?

    Correct.

    > Other than executing a binary delivered via email, is it possible to
    > deliver a workable Spectre / Meltdown exploit in the form of a script
    > written in any of the various web/browser compatible formats (JS, Java,
    > html, etc)?

    There are no known exploits in the wild at this time. From what I've read,
    it would be extremely difficult to exploit even with a program downloaded.
    That doesn't ensure it cannot be exploited using javascript, just that it
    would be extremely difficult.

    It provides read access to tiny amounts of data at a time. Given the
    multi-processor/multi-threading of processors, the volume of data the
    exploit would have to sift through to find anything of use is massive.
    Either the exploit would have to do that on the victim's computer with
    some complex way of filtering the data, and then report to its masters,
    or it would have to upload a massive amount of data, 99.99% of which
    would be useless.

    What makes these two problems important is that it's a hardware-level
    problem that likely cannot be fixed even with microcode updates.

    The software updates that are coming mitigate the problem by having the
    kernel not use some of the features that are currently used to speed up
    processing of some tasks.

    This is not a panic situation. There are no known exploits in the wild,
    and even with the publication of the details, it will be very hard for
    anyone to use.

    Regards, Dave Hodgins

    --
    Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
    email replies.
    --- NewsGate v1.0 gamma 2
    * Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
  • From Virus@1:396/4 to All on Thu Jan 4 01:18:17 2018
    From: Virus <Virus@Guy.C0M>

    David W. Hodgins wrote:

    >> I'd like to see a complete breakdown of the status of all Intel CPUs,
    >> going back to at least the SLOT-1 products and including socket 370,
    >> socket 478 and socket 775.

    > Unlikely that there will be such a list. All cpus are affected.

    Well, they do say that anything prior to 1995, and (in the case of Intel
    Atom) prior to 2013. I have some Atom-powered netbooks that would
    therefore not be vulnerable.

    > It provides read access to tiny amounts of data at a time. Given the
    > multi-processor/multi-threading of processors, the volume of data the
    > exploit would have to sift through to find anything of use is massive.

    That's one thing I don't understand, based on current reports.

    Do operating systems of any or all sorts keep passwords in "special",
    strategic or universally-accepted locations in RAM such that sifting
    through gb worth of memory dump would not be required?

    To just even go about exercising the vulnerability, would the required
    code be so specifically crafted such that the exact model/type of CPU
    AND the particular OS would both be needed to be known in order for the
    code to perform the intended memory dump operation?

    Would there be any quirks of particular operating systems that would
    render this vulnerability of little or no value, because of workability
    issues? I'm thinking of differences between, say, Win-9x/me vs any of
    the NT-based Windoze. Differences in how memory is used by the kernel,
    etc.

    I don't believe that win-9x/me has any notion or ability to separate
    memory access between applications, and I've never heard of any sort of
    "password" attack or compromise that is specific to 9x/me that has any
    relevance to a user system.
    --- NewsGate v1.0 gamma 2
    * Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
  • From David W. Hodgins@1:396/4 to All on Thu Jan 4 02:43:38 2018
    From: "David W. Hodgins" <dwhodgins@nomail.afraid.org>

    On Thu, 04 Jan 2018 12:18:17 -0500, Virus <Virus@guy.c0m> wrote:

    > David W. Hodgins wrote:

    >>> I'd like to see a complete breakdown of the status of all Intel CPUs,
    >>> going back to at least the SLOT-1 products and including socket 370,
    >>> socket 478 and socket 775.

    >> Unlikely that there will be such a list. All cpus are affected.

    > Well, they do say that anything prior to 1995, and (in the case of Intel
    > Atom) prior to 2013. I have some Atom-powered netbooks that would
    > therefore not be vulnerable.

    All cpus that use speculative execution. There aren't many still in use
    that don't.

    >> It provides read access to tiny amounts of data at a time. Given the
    >> multi-processor/multi-threading of processors, the volume of data the
    >> exploit would have to sift through to find anything of use is massive.

    > That's one thing I don't understand, based on current reports.

    > Do operating systems of any or all sorts keep passwords in "special",
    > strategic or universally-accepted locations in RAM such that sifting
    > through gb worth of memory dump would not be required?

    No. Using ASLR, the kernel modules will be in different places in ram
    every boot. Keep in mind, most applications that process passwords do
    it in the application, not explicitly in the kernel.

    > To just even go about exercising the vulnerability, would the required
    > code be so specifically crafted such that the exact model/type of CPU
    > AND the particular OS would both be needed to be known in order for the
    > code to perform the intended memory dump operation?

    Again, going based on what I've read, any exploit would require
    customization based on the cpu family. As the exploit does not take
    advantage of any vulnerabilities in the kernel or other software on
    the system, it just has to be able to execute on that cpu. It's by
    running the exploit code in parallel to code being run by the kernel,
    on the same cpu that it gains access.

    > Would there be any quirks of particular operating systems that would
    > render this vulnerability of little or no value, because of workability
    > issues? I'm thinking of differences between, say, Win-9x/me vs any of
    > the NT-based Windoze. Differences in how memory is used by the kernel,
    > etc.

    No. If the code can run on that cpu, the os doesn't matter in any way,
    except for how its kernel uses the cpu.

    > I don't believe that win-9x/me has any notion or ability to separate
    > memory access between applications, and I've never heard of any sort of
    > "password" attack or compromise that is specific to 9x/me that has any
    > relevance to a user system.

    With win-9x/me, I expect most of the code runs outside of ring 0, making
    the os much more vulnerable to other exploits anyway. Those are single
    user operating systems, so all programs have full access to everything.
    Such an operating system should never be used for anything requiring
    any security. Never enter a password, account number, etc., if using
    such an os, unless it is air gapped from the internet.

    Without more details on how an exploit does work, I'm speculating based
    on what has been published.

    See https://en.wikipedia.org/wiki/Protection_ring
    The kernel code running in run level 0 has to communicate with software
    running in other levels.

    My understanding is that by abusing speculative execution, a program
    can gain some access to what the results of another program's instructions
    would have put into its registers. What I've read indicates to me that
    they are talking about registers, not ram, so it's very tiny amounts of
    data at a time.

    While I can see that a proof of concept, showing that some data which
    shouldn't be accessible is made accessible, has likely been made, I
    currently do not see how that could be made into a useful exploit. I
    could be completely wrong about the impact, but that's my current
    understanding.

    Regards, Dave Hodgins

    --
    Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
    email replies.
    --- NewsGate v1.0 gamma 2
    * Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
  • From David W. Hodgins@1:396/4 to All on Thu Jan 4 07:43:27 2018
    From: "David W. Hodgins" <dwhodgins@nomail.afraid.org>

    On Thu, 04 Jan 2018 13:43:38 -0500, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:

    > It provides read access to tiny amounts of data at a time. Given the
    > multi-processor/multi-threading of processors, the volume of data the
    > exploit would have to sift through to find anything of use is massive.

    https://www.reuters.com/article/us-cyber-intel-researcher/how-a-researcher-hacked-his-own-computer-and-found-worst-chip-flaw-idUSKBN1ET1ZR

    Given this description of seeing full urls, etc, I take it back. It is
    a critical problem that will have to be mitigated asap.

    Regards, Dave Hodgins


    --
    Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
    email replies.
    --- NewsGate v1.0 gamma 2
    * Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
  • From Virus@1:396/4 to All on Thu Jan 4 23:37:24 2018
    From: Virus <Virus@Guy.C0M>

    David W. Hodgins wrote:

    > Given this description of seeing full urls, etc, I take it back. It is
    > a critical problem that will have to be mitigated asap.

    If I read that article correctly, they haven't actually tested the
    exploit against processors made earlier than 2011.

    That leaves a lot of socket 478/775 CPUs as yet to be proved vulnerable.

    I would think that speculative execution is a "quirky" function in a
    CPU, and that exactly how it operates depends a great deal on the
    specific CPU die we're talking about, and possibly the microcode
    revision it has?

    I would love to see an on-line proof-of-concept test for this.
    Naturally, something "white-hat" in nature. Barring that, a safe,
    downloadable executable.

    If a meltdown exploit is running on a PC, wouldn't windows firewall
    prevent out-bound communication of meltdown-derived data from an
    infected PC to the outside world?

    Or is the thinking that the exploit would attempt a privilege escalation
    based on brute-force password testing?

    Does Windows have any ability to lock-out an application or process from
    gaining admin-level if it attempts too many password attempts?

    Or is the thinking that somehow, meltdown and its memory-viewing
    ability are able to perform privilege escalation upon only a handful of
    attempts, even the first attempt?
    --- NewsGate v1.0 gamma 2
    * Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
  • From David W. Hodgins@1:396/4 to All on Fri Jan 5 07:38:01 2018
    From: "David W. Hodgins" <dwhodgins@nomail.afraid.org>

    On Fri, 05 Jan 2018 10:37:24 -0500, Virus <Virus@guy.c0m> wrote:

    > David W. Hodgins wrote:

    >> Given this description of seeing full urls, etc, I take it back. It is
    >> a critical problem that will have to be mitigated asap.

    > If I read that article correctly, they haven't actually tested the
    > exploit against processors made earlier than 2011.
    > That leaves a lot of socket 478/775 CPUs as yet to be proved vulnerable.

    At this point, better to assume it affects all multi-core and cpus.

    > I would think that speculative execution is a "quirky" function in a
    > CPU, and that exactly how it operates depends a great deal on the
    > specific CPU die we're talking about, and possibly the microcode
    > revision it has?

    It's a standard part of almost every cpu. It varies somewhat from model
    to model, but the basics are the same.

    > I would love to see an on-line proof-of-concept test for this.
    > Naturally, something "white-hat" in nature. Barring that, a safe,
    > downloadable executable.

    Agreed.

    > If a meltdown exploit is running on a PC, wouldn't windows firewall
    > prevent out-bound communication of meltdown-derived data from an
    > infected PC to the outside world?

    I do not have any windows systems installed, so will leave descriptions
    of its security, or lack thereof, to people more familiar with its newer
    versions. I still occasionally help people with malware cleanup, but
    prefer to avoid dealing with anything from Microsoft, as much as possible.

    Regards, Dave Hodgins

    --
    Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
    email replies.
    --- NewsGate v1.0 gamma 2
    * Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
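    Virus asks above for a safe, "white-hat" way to check a machine, and the thread ends without one. The script below is an added example, written for this page and not posted by anyone in the thread. Rather than attempting the leak, it reads the status report the Linux kernel itself publishes: kernels from 4.15 onward expose one file per issue under /sys/devices/system/cpu/vulnerabilities/ (a real path), and each file reads "Not affected", "Vulnerable" (optionally followed by ": detail"), or "Mitigation: <what>". The variable and function names (VULN_DIR, classify_status, count_vulnerable, print_report, demo) are this example's own, and the three sample files that demo() builds are constructed so the output format can be seen on any system; on a live Linux host with that directory present, print_report shows the real status.

    ```shell
    #!/bin/sh
    # Added example, not code from the thread: report the Linux kernel's own
    # Meltdown/Spectre status. Kernels from 4.15 on expose one file per issue
    # under /sys/devices/system/cpu/vulnerabilities/ (a real path); each file
    # reads "Not affected", "Vulnerable" (optionally ": detail") or
    # "Mitigation: <what>". Names below are this example's own; the sample
    # directory built in demo() is constructed, not real kernel output.

    VULN_DIR=/sys/devices/system/cpu/vulnerabilities

    # Map one status string to a short class.
    classify_status() {
        case "$1" in
            "Not affected") echo not-affected ;;
            Vulnerable*)    echo vulnerable ;;
            Mitigation:*)   echo mitigated ;;
            *)              echo unknown ;;
        esac
    }

    # Count the issue files in a directory whose status is still "Vulnerable".
    count_vulnerable() {
        n=0
        for f in "$1"/*; do
            [ -f "$f" ] || continue
            [ "$(classify_status "$(cat "$f")")" = vulnerable ] && n=$((n + 1))
        done
        echo "$n"
    }

    # Print one line per issue. Exit status: 0 = nothing left vulnerable,
    # 1 = at least one issue unmitigated, 2 = this kernel does not report.
    print_report() {
        dir="${1:-$VULN_DIR}"
        if [ ! -d "$dir" ]; then
            echo "$dir not present: kernel predates the sysfs report (4.15)" >&2
            return 2
        fi
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            status=$(cat "$f")
            printf '%-12s %-13s %s\n' "$(basename "$f")" \
                "$(classify_status "$status")" "$status"
        done
        [ "$(count_vulnerable "$dir")" -eq 0 ]
    }

    # Constructed sample (PTI applied for Meltdown, Spectre v1 still open) so
    # the report runs anywhere; returns print_report's exit status.
    demo() {
        d=$(mktemp -d)
        printf 'Mitigation: PTI\n' > "$d/meltdown"
        printf 'Vulnerable\n'      > "$d/spectre_v1"
        printf 'Not affected\n'    > "$d/spectre_v2"
        if print_report "$d"; then rc=0; else rc=$?; fi
        rm -rf "$d"
        return "$rc"
    }

    # Stand-alone run: the live system if it reports, otherwise the sample.
    if [ -d "$VULN_DIR" ]; then print_report || :; else demo || :; fi
    ```

    The exit status is the useful part for fleet checks: run it over a set of hosts and anything returning 1 still has an unmitigated issue, while 2 marks a kernel too old to report at all and therefore one to treat as unpatched. The detail text after "Mitigation:" varies between kernel versions, so the script keys only on the stable leading word.
    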