So how long do I have to hold off building a new PC for now?
No idea. It may take years for the first affordable and performant CPUs to come with these bugs fixed because it sounds like it's a pretty fundamental flaw in their designs, regardless of manufacturer.So how long do I have to hold off building a new PC for now?
Admin edit: Fair warning, the page behind this link contains an acronym which spells out a rude word.
Almost all computers fail to hide all the naughty things it does behind your back, so bad guys can force the computer to say things it must never say ever.I'm being facetious, I know, but my five-year-old doesn't know words like "CPU", "Cache" and "Speculative".
Yes, which is absolutely bonkers. In the Spectre paper, they mentioned a proof-of-concept JS snippet which would let any random website retrieve all the browser's memory, which would include things like cookies, browsing history, saved passwords, current tabs... From there it could potentially read everything in your computer's memory.Crap, this is bad.
I forgot that modern browsers use JIT compilers (meaning your JS is running on actual hardware), sot this IS exploitable remotely by code in a browser - https://www.react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript
OhI forgot that modern browsers use JIT compilers (meaning your JS is running on actual hardware), sot this IS exploitable remotely by code in a browser - https://www.react-etc.net/entry/expl...via-javascript
Yes, a malicious program or script must be running in your computer. I don't know if JIT is completely required for Spectre JS attacks, but what it does require is a fairly accurate timer. Mozilla is nerfing exactly that to mitigate Spectre and I'm sure all other vendors will apply something like that in their browsers, so I don't think any action is required at all except keeping your browser up to date.Besides JavaScript, what do we have to watch out for? It seems to me that the attack is only possible if some piece of code runs on your computer, but doing that isn't that easy these days.
So I have a few questions:
- Suppose you don't want to disable JavaScript, is there a way to disable the JIT compiler? Would that matter at all?
- What other points of attack should I guard against besides "don't download files from sites you can't trust"?
- To what degree can a typical anti-virus / firewall software protect me?
Not that i know of, but it might appear in the future.- Suppose you don't want to disable JavaScript, is there a way to disable the JIT compiler? Would that matter at all?
Anything that can run more or less native code, which this days is a lot of stuff, from images to *fonts*. What exactly can or can not exploit it is a wide open question i can't really answer without a lot of trying to do the exploiting.- What other points of attack should I guard against besides "don't download files from sites you can't trust"?
Zip, zilch, none, nada.- To what degree can a typical anti-virus / firewall software protect me?
So yeah, I'm a bit skeptical on the real impact it will have, but certainly interesting times ahead.
I think individual users will barely notice a thing. For the industry as a whole, however, the economic damage from having the hardware slowed down due to the meltdown fix will be substantial. As I understand it, especially database servers will be affected significantly by the slowdown.
and whatever it reads is just whatever the CPU happens to have loaded.
If I understood the Spectre paper right, you need quite some knowledge about the target's inner working. In addition, there also needs to be some code path in the target that enables the exploit. So in essence it will be some kind of arms race between e.g. browser coders and hackers.
What makes me skeptical that this will be as bad as it sounds, is the fact that the exploit needs quite some time to determine the values of the memory, because it needs to test the page in question for cached state (the highest through-put micro-architectural side-channel as it seems) by means of measuring access time. As a side note, I guess this is also the reason why decreasing the browser timer's precision artificially is a way to mitigate the problem: it will make it harder to write attacker code that measures cache state.
Somewhere in the paper, I read about reading speeds of around 0.5MB/s. This is not terribly fast, especially if you take into account that the CPU is quite busy in that time. A mere brute-force approach with just dumping the browser memory and sending it in for later inspection is then easily detected, if you take into account that even my session here with nothing but O-F running takes around 200MB. That would mean a practically stalling script running for almost 7 minutes, not counting the time needed to pack the info into an upload container and send it in. If you try to hide it by doing it in incremental steps, you risk longer overall times, therefore preemption or detection.
IMO it would need a tailored attack to use Spectre on browsers efficiently, and given that the word is out on it now, I bet most coders will have a look out for "gadgets" in their code base.
So yeah, I'm a bit skeptical on the real impact it will have, but certainly interesting times ahead. After all, people now know about micro-architectural side-channels *evil grin*.
No, it's potentially most of you have in memory. The cache is just a roundabout way to get to whatever you want to read.No, it's what the CPU currently has cached.
No, it's what the CPU currently has cached. If you're browsing, this is pretty much guaranteed to include browser cookies.