• Update: No, Virginia, there are no Meltdown/Spectre exploits in the wild


    #163848

    A reassuring tweet from Kevin Beaumont. https://twitter.com/martijn_grooten/status/959156265481113600 The AV-Test red line graph shows that, yes, ther
    [See the full post at: Update: No, Virginia, there are no Meltdown/Spectre exploits in the wild]

    • #163862

      A collective sigh heard ’round the world. (For now… .)

    • #163863

      I liked Beaumont’s tweet, too. Y’all follow @GossiTheDog… ASAP!

      Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broken the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy a new adapter if I wish to continue using it.
      Wild Bill Rides Again...

    • #163866

      Yes, it’s not in the wild (MAYBE)…
      But you are missing the GIST
      It was CREATED AND IS in the civilized world of the:
      FBI/CIA/NSA/Intel/Facebook/Google (et al.)

    • #163907

      Something to beware of …

      Fake Spectre & Meltdown patch pushes Smoke Loader malware
      https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader

      We identified a recently registered domain that is offering an information page with various links to external resources about Meltdown and Spectre and how it affects processors. While it appears to come from the German Federal Office for Information Security (BSI), this SSL-enabled phishing site is not affiliated with any legitimate or official government entity.

      Moreover, the same fraudulent domain has a link to a ZIP archive (Intel-AMD-SecurityPatch-11-01bsi.zip) containing the so-called patch (Intel-AMD-SecurityPatch-10-1-v1.exe), which really is a piece of malware.

      Upon running it, users will infect themselves with Smoke Loader, a piece of malware that can retrieve additional payloads. Post-infection traffic shows the malicious file attempting to connect to various domains and sending encrypted information.

      The Subject Alternative Name field within the abused SSL certificate shows other properties associated with the .bid domain, including one that is a German template for a fake Adobe Flash Player update.

      Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns. This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise.

      Also, remember that sites using HTTPS aren’t necessarily trustworthy. The presence of a certificate simply implies that the data that transits between your computer and the site is secure, but that has nothing to do with the intentions or content offered, which could be a total scam.

      The above incident brings to mind that at some places, legitimate government-owned domains (usually secured by HTTPS) may inject undesirable script into the browser, because the domain owner designed it to work that way.

    • #163903

      Woody posted:
      none of them are in the wild. They’re “Proof of Concept” test samples.

      Is it a matter of terminology … like “under-happy” vs. “not happy” ?

      Or are PoCs like biological tests? (E.g., a researcher showed that a lab rat can be paralyzed in 1.5 secs using XYZ injection, & the experiment was successfully replicated by other researchers using XYZ & ABC injections.)

      Malware Exploiting Spectre, Meltdown Flaws Emerges (SecurityWeek – 31 Jan 2018)

      On Wednesday, AV-TEST told SecurityWeek that it has obtained 139 samples from various sources, including researchers, testers and antivirus companies.

      “Most appear to be recompiled/extended versions of the PoCs – interestingly, for various platforms like Windows, Linux and MacOS,” Andreas Marx, CEO of AV-TEST, told SecurityWeek. “We also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.”
      Marx believes different groups are working on the PoC exploits to determine if they can be used for some purpose. “Most likely, malicious purposes at some point,”
      The expert believes the current malware samples are still in the “research phase” and attackers are most likely looking for ways to extract information from computers, particularly from web browsers. He would not be surprised if we started seeing targeted and even widespread attacks in the future.

      So based on what the security expert Andreas Marx said (as quoted above), is there potential for Meltdown-Spectre PoC samples to evolve along the following lines? Below is a random example. (The person who devised the PoC did not even release the source code or PoC test sample.)

      Researcher Creates Proof-of-concept Malware That Infects BIOS, Network Cards (PCWorld – 29 Jul 2012)
      Security researcher Jonathan Brossard created a proof-of-concept hardware backdoor called Rakshasa that replaces a computer’s BIOS (Basic Input Output System) and can compromise the operating system at boot time without leaving traces on the hard drive.

      Rakshasa: The hardware backdoor that China could embed in every computer (ExtremeTech – 01 Aug 2012)
      Rakshasa can be installed by anyone with physical access to your hardware — either at manufacturing time, or in the office with a USB stick.

      Fortunately, Brossard hasn’t released the code for Rakshasa — but he seems fairly confident that other security groups/agencies have already developed similar tools.

      Lenovo Caught (3rd Time) Pre-Installing Spyware on its Laptops (The Hacker News – 24 Sep 2015)
      In August, Lenovo again got caught installing unwanted and non-removable crapware into part of the BIOS reserved for custom drivers.

      Lenovo PCs & Laptops seem to have a BIOS level backdoor (TechWorm – 12 Aug 2015)

      We found a hidden backdoor in Chinese Internet of Things devices: Researchers (TheRegister – 02 Mar 2017)
      IoT devices from a Chinese vendor contain a weird backdoor that the vendor is refusing to fix, we’re told.

    • #163920

      FWIW, HP sent out a critical alert mail today with a BIOS revision for my Zbook 17 Workstation, Win7 Pro x64. While I had no issue with the January 11th revision, and the Business Support rep I questioned said that Ver 01.38 which I’d installed did not have the Meltdown/Spectre fixes, the notes today said, “- Provides a rollback of the CPU microcode to the previous version to improve system stability.” Thought it best to install this Ver 01.39 update.

      Whenever they get reliable updates from Intel, will wait for other machines to melt before installing on mine, have no fear! 😉

    • #163990

      If anything comes of this in the wild, its going to target poorly supported and updated servers in countries where this would be more effective.

    • #164396

      Since the Feb. updates are coming out on Tue., I went ahead and installed the security monthly roll-up for Win 7 X64, AMD Sempron 145 processor. KB4056894. Nothing happened, everything still running normal, no slow down.

      • #164401

        Only the Office non-security updates come out on the 1st Tues = 6th.
        Feb updates come out on the 2nd Tuesday = 13th. We have a week to go.

        • #164733

          Tuesday the 13th is as unlucky a date, at least in Spanish-speaking countries, as Friday the 13th. There is a saying that goes: “Martes trece: no te cases ni te embarques, ni de tu casa te apartes” = “Tuesday the 13th: don’t get married, or embark (on a ship, airplane, etc.), or leave your house.”

          It doesn’t mention MS Windows Updates. But it is a really old saying, so it wouldn’t be a sound conclusion, that updating is a safe thing to do on Tuesday the 13th.

          Just saying.


          Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #164472

      Since the Feb. updates are coming out on Tue., I went ahead and installed the security monthly roll-up for Win 7 X64, AMD Sempron 145 processor. KB4056894. Nothing happened, everything still running normal, no slow down.

      I installed the Security Only version KB4056897 a couple of weeks ago on my three Haswell Win7 computers and on one AMD computer. Both KB4056897 and KB4056894 are meant to mitigate against the Meltdown vulnerability, yet do not mitigate against the Spectre vulnerabilities. The latter requires microcode updates for all affected CPUs.

      I truly thought that KB4056897 was stable after two weeks of testing, yet it appears that it is not. Tonight I walked away from my primary Intel Core i5 4670K Haswell computer, and I came back two minutes later to see that Windows Explorer had crashed. The Event Viewer could not identify the module which caused the crash. This has NEVER happened to me whenever I am not actually using my Win7 computers. They all have remained stable for days (no mouse or keyboard input).

      What was the only additional thing which I had launched shortly before and which was running at the time of this crash? Dropbox. I am not blaming Dropbox, which was fully synced and was not otherwise doing anything. My gut instinct is that the KB4056897 and KB4056894 updates may have an obscure issue, perhaps with I/O timing.

      I had suggested that KB4056897 should be green-lighted in order to protect users from Meltdown. Yet now I have reservations. For the time being, I will keep KB4056897 installed to see if any further errors occur — perhaps over days.

      • #164495

        Thank you for sharing your experience, though it’s a bit disturbing to hear. I too braved the waters after having done some of my own testing, and armed with the knowledge that I could back out of the changes.

        Knocking on wood, my small and mostly unattended Win 7 (Haswell Pentium G3220) system hasn’t yet shown me any glitches whatsoever, with only last month’s Windows Updates installed, no microcode changes. But I don’t normally leave it logged-in, so I just might not have seen the same trouble you’ve described.

        We would lose a lot if systems that used to be reliable were to become unreliable. Long gone are the days when we would expect crashes occasionally. That’s not a state to be blithely given up!

        Also, the knowledge that I’ve measured slower maximum I/O throughput on that system continues to haunt me. It’s an emotional thing; I measured no slowdowns for all the things the system normally is tasked with doing in the real world, but repeatable benchmark numbers showing a massive drop in the max possible throughput from 1400 MB/sec to 900 MB/sec just bother me.

        I put time, effort, and money into the RAID-5 array on that system to achieve that good I/O performance, not to mention choosing ECC RAM and other top quality parts to ensure reliability.

        Hm, come to think of it I may have actually sensed one manifestation of the I/O slowdown… I’ve noticed MSE malware scans (MsMpEng.exe) max out the CPU and take a lot longer now. If I log in during such a scan (which are normally scheduled for the wee hours, and I only rarely log in, so it’s not a typical situation) the system is noticeably less responsive than it was before. Any instability on top of this would certainly make me uninstall the January patches. This machine hasn’t had any system crashes and only a very few application failures since I turned it up back in early 2015.

        -Noel

    • #164683

      I don’t know if this would be called an ‘exploit’, but Windows Defender just caught something. I was running my weekly quick scan after updating Defender, & at the end, Defender turned Red. It said ‘Malware was found’, & the Scan button turned Red & said ‘Clean PC’. I clicked the button & Defender started cleaning off the following: ‘Win32/Spectre.A’. It found it on my sub-directory “Temporary Internet Files\Low\IE\I0FJR3E0\check[1].js”. I have neither applied any updates nor flashed my BIOS… yet. Firefox Quantum is my default browser, but I sometimes run my Win 8 Twitter app & when I click on a link in the app, it runs Internet Explorer. I can switch to my desktop browser (Firefox) from the app, but I must have browsed a link before doing that. Since Twitter & Facebook have updated their browser versions with “neat stuff” & only their Win 10 apps from the Microsoft Store mirror those changes, I will soon uninstall the Twitter & Facebook apps & browse those sites in Firefox. BTW, the Win 8 Facebook app displays any links I click on in Firefox, so only Twitter is guilty. But maybe the MSN Sports app & some links in the MSN News & MSN Money apps are guilty too. In the app shell, some sports links seem to run slower than when I right-click & then click ‘View in browser’, which switches to Firefox. Not sure if this counts as “in the wild”, but Windows Defender caught & removed it!


      • #164698

        Did you run this Spectre browser test?

      • #164775

        I Googled “Win32/Spectre.A” and it appears that it is a ransomware Trojan. It also appears that the first detection of it was at the end of November 2017. If true, what a wacky coincidence that this got named Spectre only a month or two before the early January news of the Meltdown and Spectre CPU vulnerabilities was announced.

    • #164711

      Yes, on Firefox & Internet Explorer (both standalone). I ran it again now on both & each said “NOT VUNERABLE”. However, when I ran it on Firefox, Windows Defender found the exploit again & quarantined it.


    • #164730

      Even if there are no exploits, and most individual users make for unlikely targets of state-sponsored attacks, the fact remains that one needs to have an antivirus that is compatible, or else will no longer be able to install MS Windows patches at all, if one has Windows Update set to download and install automatically, or install them safely by hand, if otherwise.

      I have Webroot SecureAnywhere, and this one was lagging last month in the release of a compatible new version. As there may be more than one who uses this particular antivirus and also visits at Woody’s, I am glad to let them know that the new version of SecureAnywhere (9.0.10.43) was released and installed automatically on the 23rd of last month and is compatible with the MS patches. To check that it has reached your PC, launch SecureAnywhere, then click on “My Account”, and the number of the current version installed will be there. You can also check, as already explained by others, if the corresponding Registry key is properly set:

      Click Start in the lower left of your computer, and type “regedit” (without the quotes)

      Click on regedit.exe that results from your search:
      Your Registry Editor will open and you will see ‘Computer’ with 5 HKEYs below it

      Click on ‘Edit’ in the Toolbar
      A ‘Find’ box will open: just type “QualityCompat” (without the quotes) and click the ‘Find Next’ button

      If QualityCompat is found, then the Key has been updated.

      Extra credit: If you want to confirm that the value for QualityCompat was set properly:

      Click on QualityCompat:
      On the right pane, under ‘Name’ you will see cadca5fe-87d3-4b96-b7fb-a231484277cc, and
      under ‘Type’ you will see REG_DWORD, and
      under ‘Data’ you will see 0x00000000 (0)


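      A scripted, read-only version of the regedit check described in the post above, as an added example that is not part of the original thread. It assumes the key lives at HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat (the standard location for this key, not stated in the post) and only reads the registry; it creates or changes nothing.

```powershell
# Added example: read-only check of the antivirus compatibility key that the
# January 2018 Windows updates look for. Path below is an assumption
# (the standard location); nothing is created or modified.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-QualityCompatKey {
    # Return an object rather than just printing, so the result can be
    # logged or compared across several machines.
    $result = [pscustomobject]@{
        KeyExists   = $false
        ValueExists = $false
        Type        = $null
        Data        = $null
        Ok          = $false
    }

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return $result              # key absent: the AV has not set it (or there is no AV)
    }
    $result.KeyExists = $true

    $key = Get-Item -LiteralPath $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) {
        return $result              # key present but the GUID-named value is missing
    }
    $result.ValueExists = $true
    $result.Type = $key.GetValueKind($ValueName)    # regedit shows this as REG_DWORD
    $result.Data = $key.GetValue($ValueName)        # regedit shows 0x00000000 (0)

    # Same three things the post tells you to eyeball in regedit: name, type, data
    $result.Ok = ($result.Type -eq 'DWord') -and ($result.Data -eq 0)
    return $result
}

$check = Test-QualityCompatKey
if ($check.Ok) {
    Write-Host "QualityCompat is set correctly ($ValueName = REG_DWORD 0)."
} elseif (-not $check.KeyExists) {
    Write-Host "QualityCompat key not found; per the thread, Windows Update will not offer the patches."
} elseif (-not $check.ValueExists) {
    Write-Host "QualityCompat key exists but the value $ValueName is missing."
} else {
    Write-Host "Unexpected value: type=$($check.Type) data=$($check.Data)."
}
```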
      • #164876

        Thanks for quoting my instructions 🙂

        Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'
        • #174728

          @SueW you’re quite right, any copy of someone else’s work needs to be attributed to the original author! Anything else amounts to such a violation it sees people regularly excluded from educational courses, for plagiarism.

          Your post here was well written – thank you.

    • #164739

      … the fact remains that one needs to have an antivirus that is compatible, or else will no longer be able to install MS Windows patches at all, if one has Windows Update set to download and install automatically, or install them safely by hand, if otherwise.

      I am pretty sure that the registry key is only necessary for updates to be offered via WU. If there is no key (because you don’t use any antivirus, for example), updates can still be installed manually from the catalog. I know I asked about that on here before and that was the answer, but it must be done at your own risk if you are using incompatible AV software.

    • #164783

      Not sure if I’m posting this in the correct topic, but….

      This morning the Fujitsu DeskUpdate tool is offering a Bios update for my Fujitsu Esprimo system:
      “02-Feb-2018
      BIOS – Change V4.6.5.4 R1.44.0 for D3220-A1x ====================================================
      – New Intel(R) ME Firmware version 9.1.42.3002 implemented.
      – Microcode updates added (Haswell C0).
      – EraseDisk functionality updated (to Version 4.5).”

      Not sure yet if I will update right now. What do you think?

    • #165499

      In preparation for applying January’s approved patches, I just checked my Windows 7 laptop with McAfee installed as the AV.

      A month into this mess, that laptop incredibly does NOT yet have the QualityCompat registry key set. My machines running Symantec products do have that key set.

      Should I set it by hand, or should I hold off on patching that laptop until McAfee gets its act together? In the absence of that registry key, which patches should I avoid and which are OK to install?

      Group B here, BTW.


      • #165504

        You probably need to update the engine (download/install the latest program version). If it is an old program (not definitions, they’re dumb) it doesn’t know to set the key.

    • #166491

      I installed the Security Only version KB4056897 a couple of weeks ago on my three Haswell Win7 computers and on one AMD computer. Both KB4056897 and KB4056894 are meant to mitigate against the Meltdown vulnerability, yet do not mitigate against the Spectre vulnerabilities. The latter requires microcode updates for all affected CPUs. I truly thought that KB4056897 was stable after two weeks of testing, yet it appears that it is not. Tonight I walked away from my primary Intel Core i5 4670K Haswell computer, and I came back two minutes later to see that Windows Explorer had crashed. The Event Viewer could not identify the module which caused the crash. This has NEVER happened to me whenever I am not actually using my Win7 computers. They all have remained stable for days (no mouse or keyboard input). What was the only additional thing which I had launched shortly before and which was running at the time of this crash? Dropbox. I am not blaming Dropbox, which was fully synced and was not otherwise doing anything. My gut instinct is that the KB4056897 and KB4056894 updates may have an obscure issue, perhaps with I/O timing. I had suggested that KB4056897 should be green-lighted in order to protect users from Meltdown. Yet now I have reservations. For the time being, I will keep KB4056897 installed to see if any further errors occur — perhaps over days.

      UPDATE (2018-02-10): It has been approximately a week since my virtually identical secondary computer has been up and running. So far, Windows Explorer has not crashed on this computer while this computer has been mostly idle. I can only conclude that the crash and restart of Windows Explorer on my primary computer must have been a fluke.


    • #164774

      I am really hoping that it was some sort of fluke. Yesterday I booted up my second Win7 computer which is virtually identical to my primary Win7 computer, yet is used primarily for image processing and image deconvolution. All software and installed programs are identical. I am going to let this virtually identical computer run for days with Windows Explorer open, to see whether or not Windows Explorer crashes while the computer simply is idle.

      For the time being, I am keeping the January update which protects against Meltdown installed on all of my Win7 computers. Interestingly, copying or backing up really large files actually proceeds slightly faster with the January update installed, yet copying or backing up small files does take longer.

