Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Skyfall and Solace: Even more Meltdown/Spectre like security flaws?

    Posted on January 18th, 2018 at 09:44 woody Comment on the AskWoody Lounge

    Not many details as yet, but — just like Meltdown — they’re named after James Bond movies, and they have their own web sites. Logos are sure to appear.

    The Skyfall Attack site now says:

    Skyfall and Solace

    More vulnerabilities in modern computers.

    Following the recent release of the Meltdown and Spectre vulnerabilities, CVE-2017-5175, CVE-2017-5753 and CVE-2017-5754, there has been considerable speculation as to whether all the issues described can be fully mitigated.

    Skyfall and Solace are two speculative attacks based on the work highlighted by Meltdown and Spectre.

    Full details are still under embargo and will be published soon when chip manufacturers and Operating System vendors have prepared patches.

    Watch this space…

    Oh boy.

    UPDATE: It looks this is a hoax. A particularly cruel one, at that.

    If that helped, take a second to support AskWoody on Patreon

    Home Forums Skyfall and Solace: Even more Meltdown/Spectre like security flaws?

    Tagged: ,

    This topic contains 51 replies, has 22 voices, and was last updated by  Noel Carboni 6 months, 3 weeks ago.

    • Author
      Posts
    • #160142 Reply

      woody
      Da Boss

      Not many details as yet, but — just like Meltdown — they’re named after James Bond movies, and they have their own web sites. Logos are sure to appe
      [See the full post at: Skyfall and Solace: Even more Meltdown/Spectre like security flaws?]

      5 users thanked author for this post.
    • #160145 Reply

      MrBrian
      AskWoody MVP

      This could be a hoax.

      2 users thanked author for this post.
      • #160164 Reply

        The Surfing Pensioner
        AskWoody Lounger

        I don’t know about a hoax, but the exploit scene is getting more like science fiction every day! Who needs television with all this excitement going on?

        2 users thanked author for this post.
        • #160185 Reply

          AJNorth
          AskWoody Lounger

          The-Outer-Limits-1-3

          • This reply was modified 6 months, 4 weeks ago by  AJNorth.
          • This reply was modified 6 months, 4 weeks ago by  AJNorth.
          • This reply was modified 6 months, 4 weeks ago by  AJNorth.
          Attachments:
          You must be logged in to view attached files.
          5 users thanked author for this post.
          • #160205 Reply

            LeaningTowardsLinux
            AskWoody Lounger

            🙂

            Group B + Windows 7 SP1 x64 + Office 365 C2R + Linux Mint
          • #160252 Reply

            Bill C.
            AskWoody Lounger

            Actually, the all the IoT botnets and other hacks and vulnerabilities, I was thinking more along the lines of ‘Skynet becoming self aware’ from the Terminator series of movies, with a side helping of the most recent Jason Bourne movie.

            1 user thanked author for this post.
          • #160663 Reply

            ryegrass
            AskWoody Lounger

            There is nothing wrong with your Windows installation.  Do not attempt to adjust the settings. We are controlling the updates. We will control their timing; we will control their effectiveness, taking them from crystal clarity to the soft blur of total obscurity. For the next year sit quietly by while we control all that you see and hear. We repeat there is nothing wrong with your Windows installation. You are about to participate in a great adventure. You are about to experience the awe and mystery which reaches from stable computing to Windows 10.

            2 users thanked author for this post.
    • #160166 Reply

      WildBill
      AskWoody Lounger

      I don’t see Meltdown, but the other names are borrowed from the last 3 James Bond film titles:

      1. Quantum of Solace,
      2. Skyfall,
      3. Spectre.

      Hoax or not, they have fancy, foreboding names. Maybe the 1st 2 will get cool logos soon. As Woody originally said, the teasing is by people trying to get money somehow. Even if filthy lucre isn’t the goal, IMHO, attention is definitely a goal. Attention on the Internet matters.

      Windows 8.1, 64-bit, Group A.
      Wild Bill Rides Again...

    • #160207 Reply

      MrBrian
      AskWoody MVP

      From https://twitter.com/david_schor/status/954031372393439233: ‘Ok, so all my effort to independently verify this so-called “Skyfall and Solace” vulnerabilities have failed. Therefore from this point on, I’ll caution everyone to treat this as a COMPLETELY UNSUBSTANTIATED RUMOR until we get more credible evidence.’

      14 users thanked author for this post.
      • #160257 Reply

        woody
        Da Boss

        I’d say it’s likely a hoax, at this point.

        Just what we needed to liven up the slow news week, eh?

        5 users thanked author for this post.
        • #160258 Reply

          woody
          Da Boss

          Yeah, the domains – meltdownattack and skyfallattack  – appear to be registered to different owners.

          1 user thanked author for this post.
          • #160274 Reply

            anonymous

            It probably is a hoax, not some thugs with scareware pages or something else to scam people out of their money.

    • #160209 Reply

      John in Mtl
      AskWoody Lounger

      The Sky is Falling, The Sky is Falling… (kind of akin to “the Russians are coming, the Russians are coming” back in the 60’s)

      Take Solace – get windows 10 and a shiny new processor!

       

      • This reply was modified 6 months, 4 weeks ago by  John in Mtl.
      1 user thanked author for this post.
      • #160241 Reply

        AJNorth
        AskWoody Lounger

        With respect, my “shiny new processor” will be running Linux (with Windows 7 or 8.1 locked-down in a virtual environment).

        4 users thanked author for this post.
        • #160287 Reply

          ryegrass
          AskWoody Lounger

          Same here, only with a shiny new AMD (Ryzen) CPU.

          1 user thanked author for this post.
        • #160358 Reply

          GoneToPlaid
          AskWoody Lounger

          I have been both thinking and reading everything I can about Spectre and Meltdown. I had already planned to move to a Linux based OS and run Windows in a VM. Up until late 2011 and for well over a decade I had only used AMD CPUs. And then I mostly switched to Intel. Given that AMD has finally turned itself around and once again has game in the CPU market in terms of performance, I am switching back to AMD as finances permit. After that, I will be done with Intel.

          1 user thanked author for this post.
        • #161466 Reply

          rc primak
          AskWoody MVP

          I have an Intel NUC running Windows 10 Pro and Ubuntu 16.04. I just bought a Chromebook (ASUS Flip c302) and will run Chrome OS with XUbuntu 16.04 inside a Crouton CHROOT Container. Wish me luck with the Crouton installation!

          -- rc primak

    • #160212 Reply

      anonymous

      ? says:

      humm,

      “get windows 10 and a shiny new processor!” appears to be right on the money…

      2 users thanked author for this post.
    • #160215 Reply

      MrBrian
      AskWoody MVP

      From Skyfall and Solace vulnerabilities announced: “Update: Russel Brandom, senior editor for the Verge, says he has sources claiming these are bogus FUD news.”

      5 users thanked author for this post.
    • #160217 Reply

      jabeattyauditor
      AskWoody Lounger

      From Skyfall and Solace vulnerabilities announced: “Update: Russel Brandom, senior editor for the Verge, says he has sources claiming these are bogus FUD news.”

      Russell tweets the reason for his claim.

      1 user thanked author for this post.
    • #160219 Reply

      Steven S.
      AskWoody Lounger

      Time to pull out the old rusty, trusty abacus! 😉

      • This reply was modified 6 months, 4 weeks ago by  Steven S..
      1 user thanked author for this post.
      • #160359 Reply

        GoneToPlaid
        AskWoody Lounger

        Make sure that you get a booster tetanus shot!

    • #160226 Reply

      Microfix
      AskWoody MVP

      I’m awaiting ‘Q’ to come up with a solution and moneypenny to inform us, eh woody! 🙂

      | 2x Group A- W8.1x64 | Group A+ Linux x64 Hybrid | Group B W7x64 Pro | Group W XP Pro
        No problem can be solved from the same level of consciousness that created IT - AE
      5 users thanked author for this post.
      • #160423 Reply

        anonymous

        “Were you expecting an exploding pen? We don’t go in for that anymore.”

    • #160247 Reply

      manual
      AskWoody Lounger

      oh there is a logo here (like intel inside) : https://skyfallattack.com/favicon.ico

    • #160260 Reply

      anonymous

      Still not sure, but signs point to a host. Some journalist and post say that chip makers deny knowledge of researchers approaching them about these flaws. Plus, one of the earliest references I saw about this is a /r/sysadmin Reddit post, that has been deleted… Decent chance of hoax… but still worth monitoring.

      1 user thanked author for this post.
    • #160276 Reply

      TweakHound
      AskWoody Lounger

      https://meltdownattack.com/

      hosted by Graz University of Technology

      https://skyfallattack.com/

      hosted by mythic-beasts.com

      hmmmm…….

       

    • #160278 Reply

      fred
      AskWoody Lounger

      I’m awaiting ‘Q’ to come up with a solution and moneypenny to inform us, eh woody! 🙂

      ROFL

    • #160289 Reply

      OscarCP
      AskWoody Lounger

      AJNorth wrote: “With respect, my “shiny new processor” will be running Linux.”

      Well, anything that runs on most Intel chips, for example: PCs with LINUX OS…is fair game for the Bond-themed bugs, it would seem.

      Hmmm… Should I, must I, want I, really, truly, definitely, know about any of this?

      • This reply was modified 6 months, 4 weeks ago by  OscarCP.
      1 user thanked author for this post.
      • #160295 Reply

        AJNorth
        AskWoody Lounger

        That “shiny new processor” will be a forthcoming one designed to circumvent these exploits – and hopefully others that will by then be suggested (and inferred).

        • #161468 Reply

          rc primak
          AskWoody MVP

          That new processor without these flaws is still five years off in the future. Reasonably well patched Chromebooks and Intel based Linux boxes are almost here now. So take your pick — wait five years, or try what’s available now to mitigate.

          -- rc primak

    • #160291 Reply

      jescott418
      AskWoody Lounger

      Well, we knew it would come sooner rather then later. This has too much potential for the bad guys to ignore.

    • #160297 Reply

      MrBrian
      AskWoody MVP

      Tweet from The Register: ‘If you’re wondering why no-one is writing about two more “embargoed” CPU flaws – Skyfall and Solace – it’s because it’s 99% a hoax.’

      2 users thanked author for this post.
    • #160223 Reply

      anonymous

      Customer 0150372701 — secretive agent from Oxbridge ?

      Domain Name: skyfallattack.com
      Hosting Location: Cambridge, United Kingdom
      IP Hostname: onza.mythic-beasts.com
      ISP: Mythic Beasts Ltd

      Domain Name Creation Date: 2018-01-12 T16:18:50Z
      Registrant Name: Contact Privacy Inc. Customer 0150372701
      Registrant Address: 96 Mowat Ave, Toronto, Ontario, Canada
      Registrant Email: skyfallattack.com@contactprivacy.com

      • #160427 Reply

        anonymous

        Probably had to go with this, as Universal Exports Ltd is pretty much blown as a cover at this point.

    • #160334 Reply

      anonymous

      These vulnerabilities have existed throughout computer history, so why are ppl panicking now? is this in itself a trap?

      • #160364 Reply

        GoneToPlaid
        AskWoody Lounger

        Basically, because not only are these flaws quite severe in terms of stealing personal information, but also because proof of concept code has also been published.

    • #160337 Reply

      MrBrian
      AskWoody MVP

      How ironic would it be if someday the Skyfall website serves a Spectre browser exploit?

      • This reply was modified 6 months, 4 weeks ago by  MrBrian.
      • This reply was modified 6 months, 4 weeks ago by  MrBrian.
      6 users thanked author for this post.
      • #160365 Reply

        GoneToPlaid
        AskWoody Lounger

        That crossed my mind as well.

      • #160350 Reply

        anonymous

        1% (?) chance that maybe that is why the landing page exists.

      • #161469 Reply

        rc primak
        AskWoody MVP

        I am or soon will be patched for the javascript browser based exploits. I suggest everyone keep our browsers up to date, as usual.

        -- rc primak

        1 user thanked author for this post.
    • #160363 Reply

      Noel Carboni
      AskWoody MVP

      Watch this space

      …watch you.

      -Noel

      1 user thanked author for this post.
      • #160375 Reply

        AJNorth
        AskWoody Lounger

        THIRD BASE!

        1 user thanked author for this post.
    • #160446 Reply

      MrBrian
      AskWoody MVP

      Tweet from David Schor‏: ‘I am still seeing more news about “Skyfall and Solace”… c’mon people OS vendors don’t seem to know anything about it! This is 99% a hoax at this point. Stop writing unverified stories.’

      2 users thanked author for this post.
    • #160457 Reply

      Jan K.
      AskWoody Lounger

      Pfff… hardened and toughened up as we’ve become by Microsoft’s behaviour, nothing will make us nervous anymore anyway!

    • #160459 Reply

      anonymous

      Opinion piece …

      I do not think that the Meltdown and Spectre fixes actually do much of anything on existing silicon, and that includes what’s currently in use and what’s now on the assembly line. The fixes (software and firmware) being released and applied right now are only a stop gap. It is more than obvious that there are going to be a lot more fixes to come and these are just the preventative measures. Next will be fixes for actual exploits – that’s when the fun really begins.

      I envision a dam with hundreds of tiny holes and a little kid running back and forth sticking his finger in the one that spouts water. We all know the outcome.

      Manufacturers will have to design new silicon to address these security (and other) issues and that is going to take several years. All the partners and players will be looking to leverage the new design for their own purposes. This is what pushed performance ahead of security the last time around. Whatever comes down the chute will be shrouded in secrecy as all the negotiations and agreements are on a ‘need to know’ basis. We will not know what is in the end product until the sleuths get a hold of the new product.

      It will be interesting to see if this whole fiasco has any impact on the enterprise plan to migrate to Windows 10 by January 2020. Those that have to purchase new hardware may not want what is currently on the shelf. The year 2020 could be the year of reckoning for many.

      4 users thanked author for this post.
      • #160720 Reply

        jescott418
        AskWoody Lounger

        The real fix is to disable the hardware speculative execution completely. That would mitigate the threat completely. But it would also cause havoc with speed issues which nobody would accept. So we end up with cobbled together patches and firmware that tries its best at maintaining speed without giving up security. Since you can’t change hardware architecture your really not going to completely mitigate this threat without eliminating the hardware feature. Personally, I think everyone needs to weigh the threat vs the fixes and decide what is best.

        • #160726 Reply

          Noel Carboni
          AskWoody MVP

          The real fix is to disable the hardware speculative execution completely. That would mitigate the threat completely. But it would also cause havoc with speed issues which nobody would accept.

          Perhaps no one would be happy about the removal of speculative execution causing slowdowns, but what about browsers? Why is it a given that a browser MUST use a JIT (Just In Time) Javascript compiler, and thus be running untrusted machine code? Does anyone REALLY care if a particular browser runs a benchmark more quickly than others?

          Why not instead offer a pure interpretation option, to lower the chance of being violated while web browsing?

          People probably don’t want to live without web site scripting entirely, but who wouldn’t accept their web browser delivering glitz a little more slowly as a security measure? That’s WAY different than slowing down the execution of everything the CPU does!

          That would fundamentally change the problem into one more resembling the problems of the past: Don’t want malware? Don’t blithely run unvetted executables from the Internet. If you’re still worried, put active software in place to detect threats coming in.

          A whole lot of what’s going on fails a sniff test nowadays.

          -Noel

          4 users thanked author for this post.
        • #160785 Reply

          anonymous

          Ever been curious how well a 14 nanometer 80486 core or clusters of them with other modern processor features, minus the speculative execution and branch prediction would perform?

      • #160741 Reply

        MrBrian
        AskWoody MVP

        My understanding is that Meltdown is 100% fixed by operating system updates, but your point holds for the Spectre vulnerabilities.

        1 user thanked author for this post.
        • #161473 Reply

          rc primak
          AskWoody MVP

          In terms of performance hits, really that is a distinction without a difference at this point. Nevertheless, I have patched all my non-Windows systems. Awaiting the green or yellow light here for the Windows boxes.

          -- rc primak

          • #161482 Reply

            Noel Carboni
            AskWoody MVP

            Woody called for benchmarks, but I think those careful enough to care about even small performance hits are largely avoiding doing the updates, on the fear that they will achieve substantially reduced performance and no good way to get it back.

            I believe I’m going to need to see reports from people doing workloads not unlike mine quantifying the performance hits before I accept further kernel changes).

            What I’d LOVE to hear:

            A full C++ solution build in Visual Studio 2017 took 41 minutes before the patches.
            A full C++ solution build in Visual Studio 2017 took XX minutes after the patches.

            -Noel

            1 user thanked author for this post.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Skyfall and Solace: Even more Meltdown/Spectre like security flaws?

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information: