Replies

JohnH wrote:

MrBrian wrote:

I believe that the JavaScript proof-of-concepts exploit the Spectre variant that allows same-process-only memory access. From https://blog.barkly.com/meltdown-spectre-bugs-explained: “According to researchers, the most likely exploitation of Spectre would be using JavaScript (say in a malicious ad) to leak information, session keys, etc. cached in the browser.” From https://twitter.com/hackerfantastic/status/948709444602515457: “Blackhats will be weaponizing spectre to steal session cookies from additional websites opened in the browser, especially financial sites. Enable site isolation in Chrome now […].”

OK, so next question is, are you recommending that any of the Meltdown/Spectre-driven updates from MS or Intel should be installed? I currently have, for .NET, security & quality rollup KB4055532, and for Win7Ent “security monthly quality rollup” KB4056894 ready for download and install.

Of course, the security only updates are available too.

 

MrBrian wrote:

I believe that the JavaScript proof-of-concepts exploit the Spectre variant that allows same-process-only memory access. From https://blog.barkly.com/meltdown-spectre-bugs-explained: “According to researchers, the most likely exploitation of Spectre would be using JavaScript (say in a malicious ad) to leak information, session keys, etc. cached in the browser.” From https://twitter.com/hackerfantastic/status/948709444602515457: “Blackhats will be weaponizing spectre to steal session cookies from additional websites opened in the browser, especially financial sites. Enable site isolation in Chrome now […].”

OK, so next question is, are you recommending that any of the Meltdown/Spectre-driven updates from MS or Intel should be installed? I currently have, for .NET, security & quality rollup KB4055532, and for Win7Ent “security monthly quality rollup” KB4056894 ready for download and install.

 

Which I do not (have Java installed), so I have been — perhaps naively — rather laid-back about Meltdown/Spectre. Possible oops.

Actually, I thought you had to have Java installed on the machine, rather than just having javascript enabled Please correct me if I’m wrong!

AlexEiffel wrote:

From what I understood, and MrBrian might correct me if I am wrong, I think in theory the javascript attack itself won’t infect you. It will just be able to steal just about anything you have in memory, private or not, in another VM on the same hardware even. So you would likely never know what got stolen from you and it would be very likely you would never know it was stolen, as nothing would leave traces on your computer after a while, if you just visited a web page that served you the javascript code to steal your memory. Then, depending on where this data went, not much could happen or maybe someone could find something useful to do with it. That remains to be seen. The threat to me seems more for high profile targets, things that spies would have a great time doing, and cloud services providers where thieves could steal data from companies and create problems. At home, I am not sure how bad it could likely be in the real world. Maybe if an algorithm could automatically find and extract user names and passwords or credit cards data or other semi-useful things to sell? Or maybe some features of some spying tools for bad husbands or exes like the ones that Elly talks about to try to extract information from victims computer?

I’m so glad you’ve helped me avoid the Chicken Little rush to patch/update everything in sight on my x64 HP Win7Ent workstation, Woody! Please don’t forget to tell us when the appropriate tested, reliable defences against Meltdown/Spectre are available.

Lot more detail on April updates: https://www.theregister.co.uk/2017/04/11/patch_tuesday_mess/