Apple Working on Patch for New Year's Eve macOS Flaw
4.1.2018 securityweek Apple
Apple is aware of the macOS vulnerability disclosed by a researcher on New Year’s Eve and the company plans on patching it later this month.

A security expert who uses the online moniker Siguza has made public the details and proof-of-concept (PoC) code for a local privilege escalation vulnerability affecting all versions of the macOS operating system.

The flaw, which the researcher described as a “zero day,” allows a malicious application installed on the targeted system to execute arbitrary code and obtain root privileges.

Apple is working on patching the vulnerability and has shared some mitigation advice until the fix becomes available.

“Apple is committed to the security of our customers’ devices and data, and we plan to patch this issue in a software update later this month,” Apple said in a statement emailed to SecurityWeek. “Since exploiting the vulnerability requires a malicious app to be loaded on your Mac, we recommend downloading software only from trusted sources such as the Mac App Store.”

The flaw affects IOHIDFamily, a kernel extension designed for human interface devices (e.g. touchscreens and buttons). Siguza discovered that some security bugs in this component introduce a kernel read/write vulnerability, which he has dubbed IOHIDeous.

The exploit created by the hacker also disables the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI) security features.

The PoC exploit is not stealthy as it needs to force a logout of the legitimate user. However, the researcher said an attacker could design an exploit that is triggered when the targeted device is manually rebooted or shut down.

Some of the PoC code made available by Siguza only works on macOS High Sierra 10.13.1 and earlier, but the researcher believes it can be adapted for version 10.13.2 as well.

The vulnerability has been around since at least 2002, but it could actually be much older.

Siguza says he is not concerned that malicious actors will abuse his PoC exploit as the vulnerability is not remotely exploitable. The hacker claims he would have privately disclosed the flaw to Apple had it been remotely exploitable or if the tech giant’s bug bounty program covered macOS.


Google Patches Multiple Critical, High Risk Vulnerabilities in Android
4.1.2018 securityweek Android
Google patched several Critical and High severity vulnerabilities as part of its Android Security Bulletin for January 2018.

A total of 38 security flaws were resolved in the popular mobile OS this month, 20 as part of the 2018-01-01 security patch level and 18 in the 2018-01-05 security patch level. Five of the bugs were rated Critical and 33 were rated High risk.

Four of the vulnerabilities addressed with the 2018-01-01 security patch level were rated Critical, all of them remote code execution bugs. The remaining 16 issues resolved in this patch level were High risk elevation of privilege and denial of service vulnerabilities.

An elevation of privilege bug that Google patched in Android runtime could be exploited remotely to bypass user interaction requirements in order to gain access to additional permissions.

The most severe of the 15 vulnerabilities resolved in Media framework could allow an attacker using a specially crafted malicious file to execute arbitrary code within the context of a privileged process. These include 3 Critical remote code execution bugs, 4 High severity elevation of privilege issues, and 8 High risk denial of service flaws.

One other Critical remote code execution bug was patched in System, along with two High severity elevation of privilege flaws and one High risk denial of service vulnerability.

Only one of the flaws fixed with the 2018-01-05 security patch level was a Critical vulnerability. Along with 6 High severity flaws, it was affecting Qualcomm closed-source components.

The patch level also resolved a High risk denial of service issue in HTC components and High risk elevation of privilege bugs in LG components, Media framework, MediaTek components, and NVIDIA components (one in each).

The security patch level addressed three High severity elevation of privilege and one information disclosure bug in Kernel components, along with two High risk elevation of privilege vulnerabilities in Qualcomm components.

Google also resolved 46 vulnerabilities in Google devices as part of the Pixel / Nexus Security Bulletin—January 2018. Most of the flaws were rated Moderate severity, exception making issues addressed in Media framework (some were rated Low risk and others were rated High severity on older Android versions).

Impacted components included Framework (1 vulnerability), Media framework (16 vulnerabilities), System (1 flaw), Broadcom components (1 issue), HTC components (1 flaw), Kernel components (7 bugs), MediaTek components (1 issue), and Qualcomm components (18 vulnerabilities).

In addition to patching security flaws, the security bulletin also addressed functionality issues on Pixel devices. The update adjusted the handling of key upgrades in keystore and improved stability and performance after installing an OTA.

On Google devices, all of these issues are fixed as part of the security patch levels of 2018-01-05 or later.


Devices Running GoAhead Web Server Prone to Remote Attacks
4.1.2018 securityweek
Attack
A vulnerability affecting all versions of the GoAhead web server prior to version 3.6.5 can be exploited to achieve remote code execution (RCE) on Internet of Things (IoT) devices.

GoAhead is a small web server employed by numerous companies, including IBM, HP, Oracle, Boeing, D-link, and Motorola, is “deployed in hundreds of millions of devices and is ideal for the smallest of embedded devices,” according to EmbedThis, its developer.

The web server is currently present on over 700,000 Internet-connected devices out there, a Shodan search has revealed.

However, not all of these devices are impacted by said remote code execution vulnerability. Tracked as CVE-2017-17562, the vulnerability is triggered only in special conditions and affects only devices with servers running *nix that also have CGI support enabled with dynamically linked executables (CGI scripts).

Discovered by Elttam security researchers, the flaw is the “result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters.” If the aforementioned conditions are met, the behavior can be abused for remote code execution when combined with the glibc dynamic linker, using special variables such as LD_PRELOAD.

The security researchers discovered that the issue affects all versions of the GoAhead source since at least 2.5.0, with the optional CGI support enabled.

The bug resides in the cgiHandler function, “which starts by allocating an array of pointers for the envp argument of the new process, followed by initializing it with the key-value pairs taken from HTTP request parameters. Finally, the launchCgi function is called which forks and execve’s the CGI script,” Elttam explains.

While REMOTE_HOST and HTTP_AUTHORIZATION are filtered, the remaining parameters are considered trusted and are passed along unfiltered. Thus, an attacker can control arbitrary environment variables used in a new CGI process.

To resolve the issue, EmbedThis introduced a skip for special parameter names and a prefix of all other parameters with a static string. This patch should resolve the issue even when parameters of the form a=b%00LD_PRELOAD%3D are used, Elttam says.

The issue, the researchers say, could exist in other services as well, not only in GoAhead web servers compiled with CGI support enabled.

“Although the CGI handling code remained relatively stable in all versions of the web server (which made it the ideal target), there has been a significant amount of code churn over the years in other modules. It’s possible there are other interesting vulnerabilities [in the web server],” Elttam concludes.


DMARC Implemented on Half of U.S. Government Domains
4.1.2018 securityweek Safety
Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security (DHS) directive, but the first deadline is less than two weeks away.

The Binding Operational Directive (BOD) 18-01 issued by the DHS in mid-October instructs all federal agencies to start using web and email security technologies such as HTTPS, STARTTLS and DMARC.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication, policy, and reporting protocol designed to detect and prevent email spoofing. Organizations can set the DMARC policy to “none” in order to only monitor unauthenticated emails, “quarantine” to send them to the spam or junk folder, or “reject” to completely block their delivery.

The DHS has ordered government agencies to implement DMARC with at least a “none” policy by January 15. Organizations will then need to set their DMARC policy to “reject” within one year.

A few days after the DHS made the announcement, security firm Agari checked over 1,000 domains owned by federal agencies and found that only 18% had implemented DMARC. By mid-November it increased to 34% and in December it reached 47%.

However, only 16% of them had deployed “quarantine” or “reject” policies by December, an increase of two percentage points compared to the previous month.

DMARC%20adoption%20in%20US%20government

More than 20 agencies have fully implemented DMARC, including the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), the Senate, the Postal Service, the Department of Health and Human Services (HHS), and Department of Veterans Affairs.

The HHS has deployed DMARC across more than 100 of its domains, including ones used by Healthcare.gov, the National Institutes of Health (NIH), and the Centers for Disease Control and Prevention (CDC).

Agari said the overall email attack rate for government customers that had implemented DMARC dropped to less than one percent.

“Deploying a DMARC policy where p=none is simple, but it is only the first step,” Agari said in a report published on Tuesday. “To fully protect against phishing threats against both the federal government and the public at large (and maintain strong email governance), federal agencies must ultimately move to Quarantine and Reject policies.”


LockPoS Adopts New Injection Technique
4.1.2018 securityweek
Virus
The LockPoS Point-of-Sale (PoS) malware has been leveraging a new code injection technique to compromise systems, Cyberbit researchers say.

First detailed in July this year, LockPoS steals credit card data from the memory of computers attached to PoS credit card scanners. The malware was designed to read the memory of running processes and collect credit card data that is then sent to its command and control (C&C) server.

Previous analysis revealed that the threat used a dropper that injects it directly into the explorer.exe process. After execution, the dropper extracts a resource file from itself and injects various components that load the final LockPoS payload.

The malware is now employing an injection method that appears to be a new variant of a technique previously employed by the Flokibot PoS malware. With LockPoS distributed from the Flokibot botnet, and with the two threats sharing similarities, this doesn’t come as a surprise.

One of the injection techniques employed by LockPoS involves creating a section object in the kernel, calling a function to map a view of that section into another process, then copying code into the section and creating a remote thread to execute the mapped code, Cyberbit says.

LockPoS was observed using 3 main routines to inject code into a remote process, namely NtCreateSection, NtMapViewOfSection, and NtCreateThreadEx, all three exported from ntdll.dll, a core Dynamic-link library (DLL) file in the Windows operating system.

Instead of calling said routines, the malware maps ntdll.dll from the disk to its own virtual address space, which allows it to maintain a “clean” copy of the DLL file. LockPoS also allocates a buffer for saving the system calls number, copies malicious code to the shared mapped section, then creates a remote thread in explorer.exe to execute its malicious code.

By using this “silent” malware injection method, the malware can avoid any hooks that anti-malware software might have installed on ntdll.dll, thus increasing the chances of a successful attack.

“This new malware injection technique suggests a new trend could be developing of using old sequences in a new way that makes detection difficult,” Hod Gavriel, malware analyst at Cyberbit, explains.

While most endpoint detection and response (EDR) and next-gen antivirus products already monitor the Windows functions in user mode, kernel functions can’t be monitored in Windows 10, where the kernel space is still guarded. To ensure successful detection, improved memory analysis should be employed, the researcher says.


Intel má velký problém s procesory, oprava kritické chyby povede k jejich zpomalení
3.1.2017 Živě.cz
Hardware
Intelu hrozí velký průšvih, obsahují kritickou chybu na hardwarové úrovni
Umožňuje přístup k paměťovému prostoru pro jádro systému
Softwarový oprava bude znamenat snížení výkonu
Na herní výkon nemá zavedení KPTI vliv. Takto vypadá před a po jeho aktivaci v CS:GO.A takto v F1 2012.Při dalších operacích může dojít ke snížení výkonu při práci s archivy.Pokles byl zaznamenán i při práci s SSD. Takto vypadaly rychlosti před aktualizací……a takto po ní. Není ale jasné, zda rozdíl opravdu souvisí s KPTI.
O zpomalování procesorů se v posledních týdnech hovoří především v souvislosti s Applem a jeho iPhony. Jenže nyní to vypadá, že tahle minikauza bude brzy zapomenuta, mnohem větší průšvih totiž může postihnout Intel a většinu z jeho procesorů několika posledních generací. Za vše může chyba při práci s paměťovým systémem.

Nejdřív zkrácená verze pro ty, které nemají zájem o technické pozadí. Web The Register přinesl informace o chybě na hardwarové úrovni, která způsobuje, že se zpracovávaný kód může dostat do adresního prostoru, který je vyhrazen čistě pro jádro systému. Nyní jsou oba prostory, jak uživatelský tak pro kernel mapovány společně a přístup k nim je řízen pomocí privilegií.

Díky tomu je zrychlena práce s pamětí při přepínání mezi operacemi na uživatelské a systémové úrovni. Oprava chyby ale bude vyžadovat jejich oddělení v jádře systému, což sníží celkový výkon. U operací, které se týkají především serverového použití to může být pokles až o třetinu výkonu.

Vzhledem k tomu, že je většina informací pod embargem a zveřejněné opravě v linuxovém jádře chybí jakákoliv dokumentace, nemáme podrobné informace o samotné chybě v procesorech a stejně tak nevíme, zda se nebude týkat i AMD. Podle dosavadních indicií by se však mělo jednat pouze o procesory Intelu. Konkrétně se hovoří o modelech Core 6., 7. a 8. generace, procesorech Xeon v5 a v6, Xeonech-W a nižších řadách Apollo Lake (Atom, Pentium).

Linux, Windows i macOS
The Register vycházel primárně z reportu na LWM.net, který informuje o zavedení KPTI (kernel page-table isolation) do jádra Linuxu na konci října. Jde právě o izolaci obou adresních prostorů pro práci se systémovým a uživatelským kódem.

Aktuálně jsou oba v paměti namapovány společně a asociativní buffer TLB tak může uchovávat informace o přiřazení virtuální paměti k fyzické adrese pro oba prostory. Pokud se tedy vykonává uživatelský kód, CPU má v TLB ihned k dispozici adresování na fyzickou paměť a stejně tak když přijde na řadu kód na úrovni systémového jádra.

Jenže hardwarová chyba v procesorech vyžaduje opravu zavedením již zmíněné izolace. V takovém případě je třeba buffer TLB vyprázdnit při každé změně paměťového prostoru. Pokud CPU pracuje s programem, je v TLB uloženo adresování uživatelské části paměti, jestliže ale začne pracovat třeba s diskem, což si vyžádá volání na systémové úrovni, bude potřeba TLB vyprázdnit.

Izolace adresních prostorů bude zavedena do všech systémů. V Linuxu již je a do jádra Windows se dostane velmi brzy. V případě, že využíváte testovací program Insider Preview, pak je již dostupná v aktualizaci s označením 17063. Stejně tak se oprava zamíří do macOS.

Až o 30 % nižší výkon
Na webu se začaly objevovat první testy, které demonstrují dopad zavedení KPTI při konkrétním využití. Pro běžné koncové uživatele se toho příliš nezmění – testy na webu Phoronix ukazují, že i s opatchovaným systémem je výkon ve hrách totožný.

Klepn%C4%9Bte%20pro%20v%C4%9Bt%C5%A1%C3%AD%20obr%C3%A1zek

Klepn%C4%9Bte%20pro%20v%C4%9Bt%C5%A1%C3%AD%20obr%C3%A1zek
Na herní výkon nemá zavedení KPTI vliv (zdroj: Phoronix)
Na Computerbase potom otestovali procesor Core i7-7700K při běžných scénářích, které vídáme v obvyklých srovnávacích testech. Výraznější rozdíl byl zaznamenán pouze při práci s archivy. Stále však jde o nízké jednotky procent.

Klepn%C4%9Bte%20pro%20v%C4%9Bt%C5%A1%C3%AD%20obr%C3%A1zek
Testy Core i7-7700K před a po aktualizaci na verzi 17063 s aktivní KPTI. Nepatrný rozdíl je pouze při práci s archivy (zdroj: Computerbase)
Zároveň si na Computebase všimli většího rozdílu při práci s SSD, kdy s novou aktualizací klesnuly přenosové rychlosti o několik desítek MB/s. Tady ale není možné určit, zda za propad opravdu může zavedení KPTI nebo jiná změna v systému.

Klepn%C4%9Bte%20pro%20v%C4%9Bt%C5%A1%C3%AD%20obr%C3%A1zekKlepn%C4%9Bte%20pro%20v%C4%9Bt%C5%A1%C3%AD%20obr%C3%A1zek
Takto se liší přenosové rychlosti úložiště SSD po instalaci aktualizace (zdroj: Computerbase)
Problém značných rozměrů by ale mohl nastat v případě serverového použití a to především na straně obřích poskytovatelů jako je Microsoft, Google nebo Amazon. Právě při práci s databázemi nebo virtualizaci jsou zaznamenávány nejvyšší propady ve výkonu.

Jeden ze značně znepokojujících reportů vydali vývojáři databázového systému PostgreSQL. Ti otestovali běh databáze na procesoru Intel Core i7-6820HQ. Při aktivní izolaci adresního prostoru byl výkon nižší v nejlepším případě o 17 procent. Při nejhorším scénáři potom došlo k propadu výkonu dokonce o 23 procent. Pokud se takové výsledky potvrdí po nasazení do reálného provozu, pro většinu poskytovatelů cloudových služeb to bude znamenat velké problémy. A to nejen technické, mohou si vyžádat značné investice do hardwaru.

Velké záplatování
Že se nejedná o výstřel do prázdna, je patrné nejen z dosavadního embarga prakticky na jakékoliv informace, ale i z reakce velkých poskytovatelů. Amazon rozeslal zákazníkům využívající virtualizační služby EC2 e-mail o tom, že v noci z pátku na sobotu bude probíhat údržba, na kterou si vyhradil čtyrhodinové okno, během něhož dojde k restartování služeb a virtuální instance nebudou dostupné.

Podobný zásah potom čeká i uživatele služeb Microsoft Azure. V tomto případě bude patchování a restartování strojů probíhat od půlnoci 10. ledna.

Klepn%C4%9Bte%20pro%20v%C4%9Bt%C5%A1%C3%AD%20obr%C3%A1zekKlepn%C4%9Bte%20pro%20v%C4%9Bt%C5%A1%C3%AD%20obr%C3%A1zek
Amazon na chvíli vypne svoje virtualizační služby ještě tento týden, u Microsftu bude údržba probíhat příští středu
Tady je potřeba zdůraznit, že údržba tohoto rozsahu je naprosto výjimečná. Jen v ojedinělých případech je potřeba restartování, které způsobí nedostupnost cloudových služeb, tady virtualizačních.

Výhra pro AMD. Snad…
Na zprávy o problémech celkem logicky muselo zareagovat AMD a prvním výstupem se stal publikovaný komentář jednoho z linuxových vývojářů z AMD. Podle něj žádný z procesorů společnosti touto chybou netrpí a KPTI tak není potřeba zavádět.

Je tedy pravděpodobné, že na procesory AMD se nebude opatření v podobě izolace adresních prostorů vztahovat. Pokud by totiž vývojáři systému tuto výjimku v kernelu nezavedli, na AMD by KTPI dopadlo mnohem výrazněji než na samotný Intel. To ukazuje test na webu Grsecurity, kde serverový procesor Epyc po aktivaci KTPI přišel o 51 procent výkonu.

Klepn%C4%9Bte%20pro%20v%C4%9Bt%C5%A1%C3%AD%20obr%C3%A1zek
Nahoře výkon procesoru Epyc bez KPTI, dole po jeho aktivaci. Rozdíl až 51 % (zdroj: Grsecurity)
Žádného oficiálního vyjádření od Intelu jsme se zatím nedočkali, jistě však bude muset přijít. A to i kvůli investorům. Cena akcií AMD rychle vyskočila o 5 %, naopak u Intelu můžeme sledovat opačný trend. S úsměvem rovněž můžeme číst zprávu z před dvou týdnů o tom, že se CEO Intelu Brian Krzanich zbavil všech akcií, které mohl prodat. Utržil za ně 11 milionů dolarů a ponechal si pouze minimum, které musí na své pozici držet. Vypadá to na zajímavý start roku 2018.


VMware Patches Critical Flaws in vSphere Data Protection
3.1.2017 securityweek
Vulnerebility
VMware has patched three critical vulnerabilities in vSphere Data Protection (VDP), including arbitrary file upload, authentication bypass and path traversal issues.

vSphere Data Protection is a backup and recovery solution for vSphere environments. The product is no longer offered by VMware since April 2017, but the company will continue to provide general support for version 6.x until 2020 and technical guidance until 2022.

VMware published a security advisory on Tuesday to inform VDP customers that critical vulnerabilities have been found in versions 5.x, 6.0.x and 6.1.x of the product. VMware has not credited anyone for discovering the weaknesses.

One of the flaws, tracked as CVE-2017-15548, allows an unauthenticated attacker to remotely bypass authentication and gain root access to a vulnerable system. Another bug, identified as CVE-2017-15549, allows a remote attacker with access to a low-privileged account to upload malicious files to any location on the server file system.

The last vulnerability is a path traversal tracked as CVE-2017-15550. It allows an authenticated attacker with low privileges to access arbitrary files on the server in the context of the vulnerable application.

The security holes have been patched with the release of VDP 6.1.6 and 6.0.7. Users of version 5.x have been advised to update to version 6.0.7 or newer.

This is only the third security advisory published by VMware for VDP. Another advisory was released last year to alert users of critical Java deserialization and credentials encryption issues, and one was published in late 2016 for an SSH key-based authentication flaw.


Mitigations Prepared for Critical Vulnerability in Intel CPUs
3.1.2017 securityweek
Vulnerebility
Researchers have apparently discovered a serious vulnerability affecting all Intel CPUs. Software-level mitigations have already been developed, but they could cause significant performance penalties.

Details of the vulnerability are expected to become available on January 9. The impact of the flaw is comparable to the notorious Heartbleed bug, but an attack is said to be more practical.

The existence of the security hole came to light following the introduction of kernel page table isolation (KPTI) in Linux. A similar feature is being implemented by Microsoft in Windows and Apple is also expected to make some changes in macOS. Experts believe it will not be easy for Intel to address the problem directly in its processors.

Vulnerability Impacts Intel ChipsKPTI is a hardening technique designed to improve security by isolating the kernel space from user space memory. It’s based on the KAISER system developed last year by a team of researchers at the Graz University of Technology in Austria. KAISER brings improvements to address space layout randomization (ASLR), a mitigation designed to prevent control-flow hijacking and code injection attacks.

Back in July 2017, researcher Anders Fogh shared some thoughts on how it may be possible to read kernel memory from an unprivileged process via speculative execution. While his attempts were unsuccessful, his work did yield some results. Some believe that researchers at Graz University – Fogh has previously collaborated with Graz University researchers on memory-related attacks – may have found a way to make it work.

Gaining access to the kernel space poses serious risks as this memory can include highly sensitive information.

AMD says its processors are not vulnerable to the type of attacks mitigated by KPTI, but the company does mention speculative execution.

“The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault,” an AMD representative explained.

Cloud services from Microsoft, Amazon and Google are apparently impacted by the Intel hardware vulnerability - Amazon Web Services (AWS) and Microsoft Azure have informed customers of upcoming security updates that will require a reboot of their cloud instances. A developer who writes on the blog Python Sweetness speculated that the flaw could allow privilege escalation attacks against hypervisors.

As for the impact of the KPTI mitigation on performance, tests conducted by Grsecurity showed an impact of up to 35%, but it depends a great deal on what type of operations are being carried out. Tests done by Phoronix showed that gaming performance on Linux does not appear to be affected by the PTI changes in the kernel.

“Performance penalties from single to double digits are expected on patched kernels,” explained Michael Larabel, founder of Phoronix. “The penalty depends upon how much interaction the application/workload deals with the kernel if there's a lot of context switching and other activity. If it's a simple user-space application not doing much, the x86 PTI additions shouldn't cause much of an impact. Newer Intel CPUs with PCID should also help in ensuring less of a performance impact.”

The developers of the KAISER system claimed that the method has a negative impact of only 0.28%.


Intel Makes a Mistake in The CPU Design, Windows and Linux Scramble to Fix It
3.1.2017 securityaffairs
Vulnerebility

Intel Makes a Mistake in The CPU Design, Windows and Linux Scramble to Fix It. It is suspected that the flaw is in the way an Intel CPU manages memory between “kernel mode” and “user mode.”
Competition between IT hardware manufacturers is fierce. Decimal point differences in performance specs translate into millions of dollars won or lost with every chip release. Manufacturers are very creative at finding ways to gain an edge over their competition, and sometimes the creativity works against them. This appears to be the case with Intel’s CPUs, and in the worst case, it affects anyone who relies on Intel chips for virtualization — most companies, and cloud providers like Microsoft Azure, Amazon EC2, Google Compute Engine. It is up to operating system manufacturers to fix the problem and the fix will hurt performance.

Details of the security vulnerability are under embargo from Intel in an attempt to give developers time to come up with a fix so much of the reporting on the bug is extrapolated from online discussions and by dissecting the Linux patches that were quickly rolled out in December.

It is suspected that the flaw is in the way an Intel CPU manages memory between “kernel mode” and “user mode.” Think of all the programs running on a computer at the same time. For security and stability reasons we want to be sure that one program doesn’t negatively impact another program. For example, if your browser crashes you don’t want it to take down the entire computer by crashing the OS.

In a virtualized cloud environment, you don’t want someone else’s program to be able to see the details of what you are running in your portion of the cloud. To accomplish this isolation, individual programs are run in their own “user space.” However, these programs are still sharing hardware like network connections and hard drives so there is another layer required. Kernel mode coordinates requests for shared hardware and still maintain isolation between the various user mode programs. When microseconds can impact your performance metrics, the “cost” of loading kernel mode to execute the request, then unloading kernel mode, and returning to user mode is “expensive.” As described in The Register article, Intel attempted a shortcut “To make the transition from user mode to kernel mode and back to user mode as fast and efficient as possible, the kernel is present in all processes’ virtual memory address spaces, although it is invisible to these programs. When the kernel is needed, the program makes a system call, the processor switches to kernel mode and enters the kernel. When it is done, the CPU is told to switch back to user mode, and re-enter the process.”

intel%20chip

Although memory for each user process is well isolated, it is believed that the Intel flaw allows for these user processes to exploit kernel memory space to violate the intended isolation.

Many operating systems utilize a security control called Kernel Address Space Layout Randomization (KASLR) which is supposed to address risks of a user process gaining access to kernel memory space (Daniel López Azaña has a good summary of ASLR, KASLR and KARL here.) However, in October 2017 the Linux core kernel developers released the KAISER patch series which hinted at the current Intel CPU issue, detailed in the LWN article, “KAISER: hiding the kernel from user space.” Then in December, a number of Linux distributions released kernel updates which included Kernel Page-Table Isolation (PTI) significantly restricting memory space available to running processes. On December 26, 2017, Intel’s competitor AMD sent this email to the Linux kernel mailing list:

"AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault."
All of this activity seems to point squarely at a problem in the way that Intel CPUs isolate, or fail to isolate, kernel memory from user processes. But while under the embargo it is all educated guessing.

Major Linux distributions have released kernel updates to address the issue and Microsoft is expected to release corresponding patches in January’s patch bundle. There are rumors that Microsoft Azure and Amazon Web Services customers have been notified directly of impending maintenance outages this month which might be associated with patches for this Intel bug. Since the kernel mode shortcut was intended to improve CPU performance, you should expect that the fix will negatively impact current performance. We will have to wait for the Intel information embargo to be lifted, and for the Linux and Windows patches to be applied to truly understand the risks and performance impacts.


Marketing companies have started exploiting a flaw in browsers’ built-in password managers to track users
3.1.2017 securityaffairs
Vulnerebility

A group of researchers discovered marketing companies have started exploiting an 11-year-old vulnerability in browsers’ built-in password managers to track visitors.
A group of researchers from Princeton’s Center for Information Technology Policy has discovered that at least two marketing companies, AdThink and OnAudience, that are exploiting an 11-year-old vulnerability in major browsers to track visitors.

The researchers discovered that the marketing firms have started exploiting the flaw in browsers’ built-in password managers that allow them to secretly steal email address. The gathered data allow them to target advertising across different browsers and devices.

password-manager%20tracking

Of course, the same flaw could be exploited by threat actors to steal saved login credential from browsers without requiring users interaction.
Every browser (i.e. Google Chrome, Mozilla Firefox, Microsoft Edge, and Opera) implements a built-in password manager tool that allows users to save login information for automatic form-filling.

The researchers from Princeton’s Center for Information Technology Policy discovered that both AdThink and OnAudience are exploiting the built-in password managers to track visitors of around 1,110 of the Alexa top 1 million sites across the Internet.

“We found two scripts using this technique to extract email addresses from login managers on the websites which embed them. These addresses are then hashed and sent to one or more third-party servers. These scripts were present on 1110 of the Alexa top 1 million sites.” states the analysis of the Princeton’s Center for Information Technology Policy.

The experts have found third-party tracking scripts on these websites that inject invisible login forms in the background of the webpage, the password managers are tricked into auto-filling the form using these data.

The scripts detect the username and send it to third-party servers after hashing with MD5, SHA1, and SHA256 algorithms, these hashed values are used as an identifier for a specific user. Typically tracker used the hashed email as user’s ID.

“Login form autofilling in general doesn’t require user interaction; all of the major browsers will autofill the username (often an email address) immediately, regardless of the visibility of the form.” continue the researchers.

“Chrome doesn’t autofill the password field until the user clicks or touches anywhere on the page. Other browsers we tested don’t require user interaction to autofill password fields.”

browser%20password-manager%20tracking

“Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier,” the researchers said. “A user’s email address will almost never change—clearing cookies, using private browsing mode, or switching devices won’t prevent tracking.”
Third-party password managers like LastPass and 1Password are not exposed to this tracking technique because they avoid auto-filling invisible forms and anyway they require user interaction.

Users can test the tracking technique using a live demo page created by the researchers.

Below the list of sites embedding scripts that abuse login manager for tracking, it also includes the website of the founder of M5S Beppe Grillo (beppegrillo.it).


Obří bezpečnostní chyba v procesorech Intel zpomalí stovky milionů počítačů až o třetinu. Problém se týká všech operačních systémů

3.1.2017 Ihned.cz Zranitelnosti

Chyba je přímo v procesorech vyrobených firmou Intel, takže není důležité, s jakým operačním systémem uživatel pracuje.

Chyba v návrhu procesorů Intel umožňuje útočníkům přečíst obsah paměti a zefektivnit útoky.
Problém se týká procesorů od Intelu vyrobených v posledních deseti letech a tím pádem i stovek milionů PC.
Výrobci operačních systémů musí problém odstranit softwarově s výrazným vlivem na výkon.
Intel udělal při návrhu svých procesorů zásadní chybu, která zpomalí chod stovek milionů počítačů s operačním systémem Windows a Linux. Vývojáři pracující na jádru Linuxu se snaží bezpečnostní díru opravit, od Microsoftu se očekává, že aktualizaci vydá v nejbližších dnech, testují ji už uživatelé v programu Windows Insider.

Chyba se dotkne i systému MacOS od Applu, protože není závislá na operačním systému, ale je přímo v procesorech Intel. Totéž se týká velkých cloudových služeb, které mají servery vybavené čipy od Intelu. Bez starostí mohou být naopak uživatelé procesorů AMD, které touto chybou netrpí. Intel ale ovládá 80 procent trhu s počítačovými procesory, a dokonce 90 procent u notebooků a serverů.

V souvislosti s opravou bezpečnostní chyby, která útočníkům umožňuje přístup k chráněné části paměti počítačů, dojde ke snížení výkonu postižených počítačů. Rozdíl ve výkonu se podle předběžných informací může pohybovat od pěti až do třiceti procent podle typu vykonávané úlohy a konkrétního modelu procesoru. Například u databázového produktu PostgreSQL jde v nejlepších případech o zpomalení o 17 procent, v nejhorším o 23 procent.

Konkrétní informace o chybě v procesorech Intel nejsou zatím k dispozici. K jejich zveřejnění dojde podle informací serveru The Register po vydání aktualizace pro Windows. Opravy pro jádro Linuxu jsou už k dispozici, informace o změnách jsou ale utajené. Problém se však týká možnosti aplikací získat přístup k chráněné oblasti operační paměti používané jádrem operačního systému. Toto bezpečnostní riziko lze odstranit softwarovým oddělením uživatelské a systémové paměti.