Here we go again: Spectre 1.1 and 1.2 vulnerabilities discovered

Martin Brinkmann
Jul 11, 2018
Security

Anyone still keeping track of all the Spectre-based vulnerabilities that were revealed to the public in 2018?

We published numerous articles on the topic already, and there is certainly some fatigue involved when it comes to the class of vulnerabilities.

Two security researchers, Vladimir Kiriansky and Carl Waldspurger, published information about two new Spectre-class vulnerabilities which they named Spectre 1.1 and 1.2.

Intel and ARM have already released statements confirming that the new Spectre variants affect their CPUs. AMD has not released a statement yet, but it is likely that Spectre 1.1 and 1.2 affect AMD processors as well.

Microsoft, Oracle, and Red Hat revealed that they are looking into the new vulnerabilities to determine ways to mitigate them.

Spectre 1.1 "leverages speculative stores to create speculative buffer overflows".

Much like classic buffer overflows, speculative out-of-bounds stores can modify data and code pointers. Data-value attacks can bypass some Spectre-v1 mitigations, either directly or by redirecting control flow. Control-flow attacks enable arbitrary speculative code execution, which can bypass fence instructions and all other software mitigations for previous speculative-execution attacks. It is easy to construct return-oriented-programming (ROP) gadgets that can be used to build alternative attack payloads.
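
The bounds-checked store pattern that a speculative buffer overflow targets, next to an index-masked version, as an added C example that is not code from this article or from the researchers' paper. The function names, BUF_LEN and the masking helper are assumptions made for illustration, and the empty asm statement is a GCC/Clang extension.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_LEN 16 /* constructed sample size */

/* All-ones when idx < len, else zero, with no branch to mispredict
 * (unsigned less-than bit trick from Hacker's Delight). */
static size_t index_mask(size_t idx, size_t len)
{
    size_t lt = (idx ^ ((idx ^ len) | ((idx - len) ^ len)))
                >> (sizeof(size_t) * CHAR_BIT - 1);
    size_t mask = (size_t)0 - lt;
#if defined(__GNUC__)
    /* Hide the value from the optimizer so the AND below is not
     * folded away inside the bounds-checked path. */
    __asm__ volatile("" : "+r"(mask));
#endif
    return mask;
}

/* Pattern at risk: if the branch is mispredicted, the store can run
 * speculatively with an out-of-bounds idx before the check resolves. */
int store_checked(uint8_t *buf, size_t len, size_t idx, uint8_t val)
{
    if (idx >= len)
        return 0;
    buf[idx] = val;
    return 1;
}

/* Hardened: the address depends on the mask as data, so on a mispredicted
 * path the store can only land on buf[0] (assumes a non-empty buffer). */
int store_masked(uint8_t *buf, size_t len, size_t idx, uint8_t val)
{
    if (idx >= len)
        return 0;
    buf[idx & index_mask(idx, len)] = val;
    return 1;
}

int main(void)
{
    uint8_t buf[BUF_LEN] = {0};
    printf("in-bounds:     %d\n", store_masked(buf, BUF_LEN, 5, 0xAA));
    printf("out-of-bounds: %d\n", store_masked(buf, BUF_LEN, BUF_LEN, 0xBB));
    return 0;
}
```

Both functions behave identically architecturally; the difference only matters on the speculative path, which is why the mask must survive compiler optimization.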

Spectre 1.2 works on processors that don't "enforce read/write protections" so that "speculative stores can overwrite read-only data and code pointers to breach sandboxes".

Both vulnerabilities require that attack code is executed on vulnerable systems. While that certainly reduces the chance of exploitation, it is fair to say that the two new vulnerabilities add to the large list of Spectre-class vulnerabilities revealed in 2018.

There is little that users or system administrators can do about these issues. Patches and updates can be installed when they become available, but it seems likely that the cat-and-mouse game won't end until new processor families are adopted that don't have these flaws in the first place.

The researchers suggested three hardware-based mitigations for Spectre 1.1 and one hardware-based mitigation for Spectre 1.1 attacks.

The only thing most users can do right now is run proper security protections on their devices, to keep malicious code that would exploit a not-yet-patched Spectre vulnerability from being executed on them.

Bleeping Computer has published a handy table listing all Spectre and Meltdown variants. Windows users and admins may want to check Security Advisory 180002 which Microsoft updates regularly.

Publisher: Ghacks Technology News

Comments

  1. Jonnyredhead said on July 12, 2018 at 2:34 pm

    I find sticking my head in the sand helps immensely.

  2. Yuliya said on July 12, 2018 at 10:12 am

    I didn’t bother updating my Win7 PC since December 2017. And what a good decision this was. I avoided all performance issues and rushed botched patches.
    If you think about it, it kind of makes sense why Microsoft decided not to incorporate the Spectre/Meltdown mitigations into their Windows 10 1803 image. I hope they do the same with 1809 as it’s going to be both LTSB and Server.

    1. pHROZEN gHOST said on July 12, 2018 at 4:42 pm

      Could botched Win 7 & 8 patches be MS’s attempts to coerce people into adopting Win X?

  3. RMS said on July 12, 2018 at 3:29 am

    Hyperthreading is an NSA charade for big data harvesting:
    It first appeared in February 2002 on Xeon server processors and in November 2002 on Pentium 4 desktop CPUs. (1)

    Mr. Diebold coined the term ‘Big Data’ in his paper, “Big Data Dynamic Factor Models for Macroeconomic Measurement and Forecasting,” presented in 2000 and published in 2003. (2)

    1. https://en.wikipedia.org/wiki/Hyper-threading
    2. https://bits.blogs.nytimes.com/2013/02/01/the-origins-of-big-data-an-etymological-detective-story/

    Harvesting relates to the monitoring, filtering and saving of all your actions with your PC.

  4. Tom Hawack said on July 11, 2018 at 11:14 pm

    Russian Roulette here, and the odds are more in my device’s favor than 1:6 : I haven’t installed whatever anti-Meltdown or anti-Spectre patch. There’s a higher bid between the disease and the medicine anyway. If the race carries on this way we’ll end with safe devices in a wheelchair running at half their potential. But I remain aware of the threats and will take them into account when I buy a new computer, hoping that by then processors’ architecture will have been rethought with new builds able to circumvent what they are unable to block at this time.

  5. pHROZEN gHOST said on July 11, 2018 at 10:45 pm

    Have there been significant and verifiable incidents with ANY of these vulnerabilities?

    I’m not asking for references to Internet articles, even though, if it’s on the Internet it has to be true. Right!

    Seems to me that manufacturers are working on new chips that will be guaranteed not to be affected. So, be the first on the block to be safe.

  6. ddk said on July 11, 2018 at 8:07 pm

    On uBlock I have 3rd party scripts & frames blocked, may or may not help with mitigations.
    However pages tend to load a bit quicker with these off.

  7. AnorKnee Merce said on July 11, 2018 at 8:04 pm

    All new generations of CPUs should not have the Speculative Execution feature which actually fakes faster speed in CPUs and wastes computer resources, ie higher power consumption, more usage of RAM memory, etc.

    As long as CPUs have this fake feature, there will be no end to Spectre-like vulnerabilities = there is likely no point in waiting until 2019 to buy new computers/CPUs that will not come with Spectre-like vulnerabilities.
    .

    Speculative Execution is like a person hiring a forgetful servant to prepare/execute in advance 20 different speculative dishes for every breakfast, lunch and dinner, in anticipation of what the person may eat for each meal daily. If the speculative execution of the dishes is successful, after each actual meal, about 16 uneaten dishes will have to be thrown away.
    ……. Since so many dishes have to be speculatively prepared/executed, the chances of the server making mistakes or allowing viruses/bacteria to get on the dishes become higher.

    1. Ruby said on July 12, 2018 at 9:07 am

      Speculative execution doesn’t work in nearly the way you describe. A more apt analogy would be that the servant (the processor) knows from previous observations (prediction heuristics) that their master (the program) usually likes a certain dish for each meal and so cooks 5 days’ worth of meals ahead of time when they’re not busy, without waiting for the slow master to actually tell him what he wants to eat. 95% of the time (or even more often depending on how predictable the master i.e. program is) the servant’s guess is correct and the time that would have been wasted in asking the master’s preference before every meal is saved. On the rare chance that the servant guessed wrong, their work would indeed have to be “thrown away,” but the amount of time saved by speculating vastly outweighs the amount of time wasted on a prediction mistake.

      Yes, the more speculative dish preparation, the higher chance there will be for mistakes. But also the (much) higher amount of good meals prepared by the servant.

      The reason why speculative execution is such a time saver is that processors’ execution engines can only do as much work as they are given, and memory/caches can be slow and expensive. I do agree with the sentiment that security needs to come first in the design of an architecture, and it is possible to do speculative execution without sacrificing said security. To use your servant analogy again, it would be an incredible waste of time for the servant to ask their master for confirmation before executing every menial task (cleaning the house/dishes, making the bed, feeding the animals). Taking away speculative execution is like having an incredibly micro-managing boss/master. Far less work gets completed and much more time is wasted when a servant (processor) can’t self-manage most of the time (speculatively execute).

      As to whether it’s a “fake feature” or gives “fake faster speed,” that is true about almost every aspect of computing. Caches are “fake” faster access to data in RAM. RAM is “fake” faster access to data on disk. Buffering video is “fake” faster access to streaming movies, etc etc. Yes, cache misses do occur, data in RAM is not used sometimes, and people decide to stop watching a video or switch to a different one, but in all those cases, the speculative pre-fetching/execution of resources is what makes today’s technology possible. They are useful precisely BECAUSE they are “fake”.

      1. AnoreKnee Merce said on July 12, 2018 at 10:46 am

        @ Ruby

        The Speculative Execution feature that increases CPU speed is FAKE because the bug fixes needed to patch for the associated Meltdown & Spectre vulnerabilities introduce a CPU speed/performance hit of up to 30%.

      2. John Fenderson said on July 12, 2018 at 4:55 pm

        @AnoreKnee:

        That doesn’t make sense. The mitigations are specifically interfering with speculative execution in order to mitigate the vulnerability, and that’s causing a performance loss in the CPU.

        That inescapably means that speculative execution is not faking a performance increase at all, since if you prevent it you see a performance decrease. Also, speculative execution logically leads to a performance increase: it’s all about using time the CPU would not otherwise be doing anything with in order to execute instructions that appear to be likely to be needed next. It’s increasing performance by reducing idle time.

      3. AnorKnee Merce said on July 12, 2018 at 10:32 am

        @ Ruby

        The Speculative Execution feature gives CPU a FAKE speed increase because the various bug fixes(eg CPU BIOS or microcode updates and OS updates) needed to patch the associated Meltdown & Spectre vulnerabilities introduce a CPU speed/performance hit of up to 30%.

        IIRC, Intel has announced that she will bake the various bug fixes for Meltdown & Spectre into her new 9th-gen and future-gen Intel CPUs from late 2018 onwards = these new Intel CPUs will be pre-baked with a CPU speed decrease of up to 30%.

        If the OEMs were to do away with the Speculative Execution feature in new generations of CPUs, there will be no need to pre-bake the bug fixes into the new CPUs = you immediately get a CPU speed boost of up to 30%.
        .

        Storage caches and video buffering are not fake because they likely do not introduce multiple and continuing vulnerabilities to the computer system. These features are not based on speculative execution. They are more like extra storage of data for likely possible future use. Stored data can be easily secured unlike the many speculatively executed processes.
        ……. Similarly for the supplementary virtual disk memory feature of the Windows pagefile.sys and Linux swap partition.

  8. Richard Allen said on July 11, 2018 at 6:33 pm

    Are there any known exploits being used in the wild, that are not proof-of-concept test samples?

    Spectre/Meltdown variants, 7 more reasons why a content blocker should be used?

    How about globally limiting 3rd-party iframes and when visiting websites for the first time have javascript already disabled? That can be done easily without destroying browser ease of use. Then, for the extra cautious aka paranoid, javascript can be limited on all sites. :)

    “https://www.lawfareblog.com/spectre-advertising-meltdown-what-you-need-know”

    1. Ben said on July 12, 2018 at 12:03 am

      You cannot exploit Meltdown remotely. Meltdown is of absolutely no issue for private users, because when the malware is able to run Meltdown it can do a lot worse already.

      Spectre is the only relevant attack that could be exploited via JavaScript, but at least Firefox patched it, so it can no longer be used.

      1. notAUser said on July 12, 2018 at 9:28 am

        According to articles from the Internet, Meltdown can be exploited remotely through JS in your browser. I am talking about old browsers. As I understood, Meltdown is fixed in the latest Firefox.

        Search for “Exploiting Speculative Execution (Meltdown/Spectre) via JavaScript” in Google.

      2. Ben said on July 12, 2018 at 10:43 am

        Yes because those “journalists” have no idea what they are talking about and always just say Meltdown/Spectre – just read the articles, it becomes quite obvious and it does not really help that they all copy each other.

        You cannot exploit Meltdown via JavaScript from your browser. Only Spectre.

  9. Apparition said on July 11, 2018 at 5:36 pm

    So wait until 2021 before buying a new computer. Got it.

    1. svim said on July 11, 2018 at 9:10 pm

      Sarcasm noted, but it’s not quite that bad a situation, we can all continue buying computers even now.
      It’s just that we cannot do anything on them that involves any online access :-)
