Skyfall and Solace: Even more Meltdown/Spectre like security flaws?

Topic

New Reply

Not many details as yet, but — just like Meltdown — they’re named after James Bond movies, and they have their own web sites. Logos are sure to appe
[See the full post at: Skyfall and Solace: Even more Meltdown/Spectre like security flaws?]

5 users thanked author for this post.

SueW, Fred, Microfix, AJNorth

Reply | Quote

Replies

This could be a hoax.

2 users thanked author for this post.

WildBill

Reply | Quote

I don’t know about a hoax, but the exploit scene is getting more like science fiction every day! Who needs television with all this excitement going on?

2 users thanked author for this post.

GoneToPlaid, AJNorth

Reply | Quote

THE OUTER LIMITS

5 users thanked author for this post.

Capella, GoneToPlaid, WildBill, BobbyB, Microfix

Reply | Quote

🙂

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

Actually, the all the IoT botnets and other hacks and vulnerabilities, I was thinking more along the lines of ‘Skynet becoming self aware’ from the Terminator series of movies, with a side helping of the most recent Jason Bourne movie.

1 user thanked author for this post.

WildBill

Reply | Quote

There is nothing wrong with your Windows installation.  Do not attempt to adjust the settings. We are controlling the updates. We will control their timing; we will control their effectiveness, taking them from crystal clarity to the soft blur of total obscurity. For the next year sit quietly by while we control all that you see and hear. We repeat there is nothing wrong with your Windows installation. You are about to participate in a great adventure. You are about to experience the awe and mystery which reaches from stable computing to Windows 10.

2 users thanked author for this post.

rc primak, ve2mrx

Reply | Quote

I don’t see Meltdown, but the other names are borrowed from the last 3 James Bond film titles:

1. Quantum of Solace,
2. Skyfall,
3. Spectre.

Hoax or not, they have fancy, foreboding names. Maybe the 1st 2 will get cool logos soon. As Woody originally said, the teasing is by people trying to get money somehow. Even if filthy lucre isn’t the goal, IMHO, attention is definitely a goal. Attention on the Internet matters.

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

Reply | Quote

From https://twitter.com/david_schor/status/954031372393439233: ‘Ok, so all my effort to independently verify this so-called “Skyfall and Solace” vulnerabilities have failed. Therefore from this point on, I’ll caution everyone to treat this as a COMPLETELY UNSUBSTANTIATED RUMOR until we get more credible evidence.’

14 users thanked author for this post.

rc primak, AlphaCharlie, HiFlyer, Pepsiboy, WildBill, JDeC, SueW, OscarCP, Fred, woody, FakeNinja, Microfix, anita.yk, AJNorth

Reply | Quote

I’d say it’s likely a hoax, at this point.

Just what we needed to liven up the slow news week, eh?

5 users thanked author for this post.

HiFlyer, Pepsiboy, OscarCP, AJNorth

Reply | Quote

Yeah, the domains – meltdownattack and skyfallattack  – appear to be registered to different owners.

1 user thanked author for this post.

HiFlyer

Reply | Quote

It probably is a hoax, not some thugs with scareware pages or something else to scam people out of their money.

Reply | Quote

The Sky is Falling, The Sky is Falling… (kind of akin to “the Russians are coming, the Russians are coming” back in the 60’s)

Take Solace – get windows 10 and a shiny new processor!

 

1 user thanked author for this post.

HiFlyer

Reply | Quote

With respect, my “shiny new processor” will be running Linux (with Windows 7 or 8.1 locked-down in a virtual environment).

4 users thanked author for this post.

rc primak, HiFlyer, GoneToPlaid, johnf

Reply | Quote

Same here, only with a shiny new AMD (Ryzen) CPU.

1 user thanked author for this post.

HiFlyer

Reply | Quote

I have been both thinking and reading everything I can about Spectre and Meltdown. I had already planned to move to a Linux based OS and run Windows in a VM. Up until late 2011 and for well over a decade I had only used AMD CPUs. And then I mostly switched to Intel. Given that AMD has finally turned itself around and once again has game in the CPU market in terms of performance, I am switching back to AMD as finances permit. After that, I will be done with Intel.

1 user thanked author for this post.

ryegrass

Reply | Quote

I have an Intel NUC running Windows 10 Pro and Ubuntu 16.04. I just bought a Chromebook (ASUS Flip c302) and will run Chrome OS with XUbuntu 16.04 inside a Crouton CHROOT Container. Wish me luck with the Crouton installation!

-- rc primak

Reply | Quote

? says:

humm,

“get windows 10 and a shiny new processor!” appears to be right on the money…

2 users thanked author for this post.

AJNorth, anita.yk

Reply | Quote

From Skyfall and Solace vulnerabilities announced: “Update: Russel Brandom, senior editor for the Verge, says he has sources claiming these are bogus FUD news.”

5 users thanked author for this post.

HiFlyer, WildBill, JDeC, SueW, AJNorth

Reply | Quote

MrBrian wrote:

From Skyfall and Solace vulnerabilities announced: “Update: Russel Brandom, senior editor for the Verge, says he has sources claiming these are bogus FUD news.”

Russell tweets the reason for his claim.

1 user thanked author for this post.

MrBrian

Reply | Quote

Time to pull out the old rusty, trusty abacus! 😉

Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

1 user thanked author for this post.

OscarCP

Reply | Quote

Make sure that you get a booster tetanus shot!

Reply | Quote

I’m awaiting ‘Q’ to come up with a solution and moneypenny to inform us, eh woody! 🙂

Windows - commercial by definition and now function...

5 users thanked author for this post.

HiFlyer, GoneToPlaid, BobbyB, WildBill, Fred

Reply | Quote

“Were you expecting an exploding pen? We don’t go in for that anymore.”

Reply | Quote

oh there is a logo here (like intel inside) : https://skyfallattack.com/favicon.ico

Reply | Quote

Still not sure, but signs point to a host. Some journalist and post say that chip makers deny knowledge of researchers approaching them about these flaws. Plus, one of the earliest references I saw about this is a /r/sysadmin Reddit post, that has been deleted… Decent chance of hoax… but still worth monitoring.

1 user thanked author for this post.

OscarCP

Reply | Quote

https://meltdownattack.com/

hosted by Graz University of Technology

https://skyfallattack.com/

hosted by mythic-beasts.com

hmmmm…….

 

Reply | Quote

Microfix wrote:

I’m awaiting ‘Q’ to come up with a solution and moneypenny to inform us, eh woody! 🙂

ROFL

* _ ... _ *

Reply | Quote

AJNorth wrote: “With respect, my “shiny new processor” will be running Linux.”

Well, anything that runs on most Intel chips, for example: PCs with LINUX OS…is fair game for the Bond-themed bugs, it would seem.

Hmmm… Should I, must I, want I, really, truly, definitely, know about any of this?

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

rc primak

Reply | Quote

That “shiny new processor” will be a forthcoming one designed to circumvent these exploits – and hopefully others that will by then be suggested (and inferred).

Reply | Quote

That new processor without these flaws is still five years off in the future. Reasonably well patched Chromebooks and Intel based Linux boxes are almost here now. So take your pick — wait five years, or try what’s available now to mitigate.

-- rc primak

Reply | Quote

Well, we knew it would come sooner rather then later. This has too much potential for the bad guys to ignore.

Reply | Quote

Tweet from The Register: ‘If you’re wondering why no-one is writing about two more “embargoed” CPU flaws – Skyfall and Solace – it’s because it’s 99% a hoax.’

2 users thanked author for this post.

JDeC, AJNorth

Reply | Quote

Customer 0150372701 — secretive agent from Oxbridge ?

Domain Name: skyfallattack.com
Hosting Location: Cambridge, United Kingdom
IP Hostname: onza.mythic-beasts.com
ISP: Mythic Beasts Ltd

Domain Name Creation Date: 2018-01-12 T16:18:50Z
Registrant Name: Contact Privacy Inc. Customer 0150372701
Registrant Address: 96 Mowat Ave, Toronto, Ontario, Canada
Registrant Email: skyfallattack.com@contactprivacy.com

Reply | Quote

Probably had to go with this, as Universal Exports Ltd is pretty much blown as a cover at this point.

Reply | Quote

These vulnerabilities have existed throughout computer history, so why are ppl panicking now? is this in itself a trap?

Reply | Quote

Basically, because not only are these flaws quite severe in terms of stealing personal information, but also because proof of concept code has also been published.

Reply | Quote

How ironic would it be if someday the Skyfall website serves a Spectre browser exploit?

6 users thanked author for this post.

HiFlyer, WildBill, Noel Carboni, anita.yk, Bill C., AJNorth

Reply | Quote

That crossed my mind as well.

Reply | Quote

1% (?) chance that maybe that is why the landing page exists.

Reply | Quote

I am or soon will be patched for the javascript browser based exploits. I suggest everyone keep our browsers up to date, as usual.

-- rc primak

1 user thanked author for this post.

Cascadian

Reply | Quote

Watch this space

…watch you.

-Noel

1 user thanked author for this post.

AJNorth

Reply | Quote

THIRD BASE!

1 user thanked author for this post.

SueW

Reply | Quote

Tweet from David Schor‏: ‘I am still seeing more news about “Skyfall and Solace”… c’mon people OS vendors don’t seem to know anything about it! This is 99% a hoax at this point. Stop writing unverified stories.’

2 users thanked author for this post.

Pepsiboy, AJNorth

Reply | Quote

Pfff… hardened and toughened up as we’ve become by Microsoft’s behaviour, nothing will make us nervous anymore anyway!

Reply | Quote

Opinion piece …

I do not think that the Meltdown and Spectre fixes actually do much of anything on existing silicon, and that includes what’s currently in use and what’s now on the assembly line. The fixes (software and firmware) being released and applied right now are only a stop gap. It is more than obvious that there are going to be a lot more fixes to come and these are just the preventative measures. Next will be fixes for actual exploits – that’s when the fun really begins.

I envision a dam with hundreds of tiny holes and a little kid running back and forth sticking his finger in the one that spouts water. We all know the outcome.

Manufacturers will have to design new silicon to address these security (and other) issues and that is going to take several years. All the partners and players will be looking to leverage the new design for their own purposes. This is what pushed performance ahead of security the last time around. Whatever comes down the chute will be shrouded in secrecy as all the negotiations and agreements are on a ‘need to know’ basis. We will not know what is in the end product until the sleuths get a hold of the new product.

It will be interesting to see if this whole fiasco has any impact on the enterprise plan to migrate to Windows 10 by January 2020. Those that have to purchase new hardware may not want what is currently on the shelf. The year 2020 could be the year of reckoning for many.

4 users thanked author for this post.

rc primak, SueW, MrBrian

Reply | Quote

The real fix is to disable the hardware speculative execution completely. That would mitigate the threat completely. But it would also cause havoc with speed issues which nobody would accept. So we end up with cobbled together patches and firmware that tries its best at maintaining speed without giving up security. Since you can’t change hardware architecture your really not going to completely mitigate this threat without eliminating the hardware feature. Personally, I think everyone needs to weigh the threat vs the fixes and decide what is best.

Reply | Quote

_Reassigned Account wrote:

The real fix is to disable the hardware speculative execution completely. That would mitigate the threat completely. But it would also cause havoc with speed issues which nobody would accept.

Perhaps no one would be happy about the removal of speculative execution causing slowdowns, but what about browsers? Why is it a given that a browser MUST use a JIT (Just In Time) Javascript compiler, and thus be running untrusted machine code? Does anyone REALLY care if a particular browser runs a benchmark more quickly than others?

Why not instead offer a pure interpretation option, to lower the chance of being violated while web browsing?

People probably don’t want to live without web site scripting entirely, but who wouldn’t accept their web browser delivering glitz a little more slowly as a security measure? That’s WAY different than slowing down the execution of everything the CPU does!

That would fundamentally change the problem into one more resembling the problems of the past: Don’t want malware? Don’t blithely run unvetted executables from the Internet. If you’re still worried, put active software in place to detect threats coming in.

A whole lot of what’s going on fails a sniff test nowadays.

-Noel

4 users thanked author for this post.

AlexEiffel, rc primak, Cascadian, SueW

Reply | Quote

Ever been curious how well a 14 nanometer 80486 core or clusters of them with other modern processor features, minus the speculative execution and branch prediction would perform?

Reply | Quote

My understanding is that Meltdown is 100% fixed by operating system updates, but your point holds for the Spectre vulnerabilities.

1 user thanked author for this post.

rc primak

Reply | Quote

In terms of performance hits, really that is a distinction without a difference at this point. Nevertheless, I have patched all my non-Windows systems. Awaiting the green or yellow light here for the Windows boxes.

-- rc primak

Reply | Quote

Woody called for benchmarks, but I think those careful enough to care about even small performance hits are largely avoiding doing the updates, on the fear that they will achieve substantially reduced performance and no good way to get it back.

I believe I’m going to need to see reports from people doing workloads not unlike mine quantifying the performance hits before I accept further kernel changes).

What I’d LOVE to hear:

A full C++ solution build in Visual Studio 2017 took 41 minutes before the patches.
A full C++ solution build in Visual Studio 2017 took XX minutes after the patches.

-Noel

1 user thanked author for this post.

rc primak

Reply | Quote