
Security: Updates, MDS, WhatsApp and 'The Cloud'

  • Security updates for Tuesday
  • Understanding the MDS vulnerability: What it is, why it works and how to mitigate it

    MDS vulnerabilities explained in ~three minutes

  • A deeper look at the MDS vulnerability

    In our last post, Jon Masters offered an overview of the MDS vulnerability. In this video, Jon provides a deeper technical explanation of the vulnerability.

  • SUSE addresses Microarchitectural Data Sampling Vulnerabilities

    Researchers have identified new CPU side channel information leak attacks against various microarchitectural buffers used in Intel CPUs. These attacks allow local attackers to execute code to read out portions of recently read or written data by using speculative execution. Local attackers can be on the same OS or running code on the same thread of a CPU core, which could happen for other VMs on the same physical host.
    Intel, together with hardware and operating system vendors, has worked over recent months to prepare mitigations for these vulnerabilities, also known as RIDL, Fallout and ZombieLoadAttack.

  • MDS: The Newest Speculative Execution Side-Channel Vulnerability [Ed: Faked performance means no security and since there are no rules associated with this, there will be no multi-billion-dollar fines, no mass recalls etc. What an awful industry.]

    Intel just disclosed a new speculative execution side-channel vulnerability in its processors similar to the existing Spectre/L1TF vulnerabilities. This new disclosure is called the Microarchitectural Data Sampling (MDS).

    The Microarchitectural Data Sampling vulnerability was discovered by Intel researchers and independently reported as well by external researchers and is said to be similar to existing speculative execution side channel vulnerabilities. Fortunately, some current-generation CPUs are not vulnerable and Intel says all new processors moving forward will be mitigated. For those processors affected, microcode/software updates are said to be coming.

  • Update WhatsApp now to avoid spyware installation from a single missed call
  • Update WhatsApp Now, Adobe Warning Creative Cloud Users with Older Apps, Kernels Older than 5.0.8 Are Vulnerable to Remote Code Execution, Schools in Kerala Choose Linux and MakeOpenStuff Is Launching the HestiaPi Touch Smart Thermostat

    A vulnerability in WhatsApp allows spyware to be installed from a single unanswered phone call. The Verge reports that the "spyware, developed by Israel's secretive NSO group, can be installed without trace and without the target answering the call, according to security researchers and confirmed by WhatsApp. Once installed, the spyware can turn on a phone's camera and mic, scan emails and messages, and collect the user's location data. WhatsApp is urging its 1.5 billion global users to update the app immediately to close the security hole."

  • How WhatsApp exposed its users to a spyware attack

    Facebook-owned firm confirms that a vulnerability in WhatsApp opened doors for a spyware attack that installs malicious code on a victim's smartphone...

  • Modern IT security: Sometimes caring is NOT sharing

    The last decade of technological advances has seen a race to reduce costs. Migration to virtualized systems quickly eclipsed traditional bare-metal deployments. At some point, virtualization will be out-paced by containerization. While the physical footprint of an organization’s compute resources may have been reduced, the complexity of managing those environments certainly has not.

    Back in the Stone Age of IT operations and information security, everyone’s attention was focused on the corporate datacenter and the physical machines that lived there. It was simpler to understand where security controls needed to be applied. You had one giant cable coming into the building from "the internet," so you’d throw firewalls, Information Data Leak Prevention/Detection (IDP/IDS), proxies, load balancers and other tools in-line before that channel was split to the larger corporate network. This Castle-and-Moat model of protection worked fairly well (ignoring the insider threat) for decades.

    [...]

    Virtualization evolved into "the cloud". TL/DR for everyone out there: the cloud is just someone else’s computer. You used to run it on your server in your datacenter. Move it "to the cloud" and it now runs on Frank’s Discount Cloud and actually sits in his basement in Peoria, Illinois. Cloud enabled individuals and businesses to have a low-cost means to quickly deploy systems and applications. It offered benefits around high availability and other features you’d typically see deployed in Enterprise-class organizations. Instead of ordering physical boxes from your favourite retailer or OEM and having that take weeks to be delivered and weeks more to be configured and deployed, now you call up Frank (say "Hi!" to his mom while she’s down in the server room doing Frank’s laundry) and Frank can have you up and running with computing and storage resources in minutes. Cloud lets you "outsource" a lot of technology and skills you might not have in-house (or have any interest in managing yourself).

Latest on MDS

  • "ZombieLoad": a new set of speculative-execution attacks

    The curtain has finally been lifted on the latest set of speculative-execution vulnerabilities. This one has the delightful name of ZombieLoad; it is also known as "microarchitectural data sampling", but what's the fun in that? Various x86 processors stash data into hidden buffers that can, in some cases, be revealed via speculative execution. Exploits appear to be relatively hard.

  • Ubuntu updates to mitigate new Microarchitectural Data Sampling (MDS) vulnerabilities

    Microarchitectural Data Sampling (MDS) describes a group of vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) in various Intel microprocessors, which allow a malicious process to read various information from another process which is executing on the same CPU core. This occurs due to the use of various microarchitectural elements (buffers) within the CPU core. If one process is able to speculatively sample data from these buffers, it can infer their contents and read data belonging to another process since these buffers are not cleared when switching between processes. This includes switching between two different userspace processes, switching between kernel and userspace and switching between the host and a guest when using virtualisation.

    In the case of a single process being scheduled to a single CPU thread, it is relatively simple to mitigate this vulnerability by clearing these buffers when scheduling a new process onto the CPU thread. To achieve this, Intel has released updated microcode which, combined with changes to the Linux kernel, ensures these buffers are appropriately cleared.

    Updated versions of the intel-microcode, qemu and linux kernel packages are being published as part of the standard Ubuntu security maintenance of Ubuntu releases 16.04 LTS, 18.04 LTS, 18.10, 19.04 and as part of the extended security maintenance for Ubuntu 14.04 ESM users. As these vulnerabilities affect such a large range of Intel processors (across laptop, desktop and server machines), a large percentage of Ubuntu users are expected to be impacted – users are encouraged to install these updated packages as soon as they become available.

  • A Slew Of Stable Kernel Updates Issued For Addressing MDS / Zombieload Vulnerabilities

    Following today's disclosure of the new MDS vulnerabilities affecting Intel CPUs, a slew of new Linux kernel stable releases have been issued.

    Greg Kroah-Hartman has issued Linux 5.1.2, 5.0.16, 4.19.43, 4.14.119, and 4.9.176 with these now public mitigation patches that pair with Intel's CPU microcode for mitigating this latest set of speculative execution side-channel vulnerabilities.

Insecurity firms spread fear over MDS to sell products/services

  • Linux Kernel Flaw Allows Remote Code-Execution

    The bug is remotely exploitable without authentication or user interaction.

    Millions of Linux systems could be vulnerable to a high-impact race condition flaw in the Linux kernel.

    Kernel versions prior to 5.0.8 are affected by the vulnerability (CVE-2019-11815), which exists in the rds_tcp_kill_sock in net/rds/tcp.c. “There is a race condition leading to a use-after-free [UAF],” according to the CVE description.

The 'insecurity publishers' use scary buzzwords now ("Meltdown")

  • The second Meltdown: New Intel CPU attacks leak secrets

    Over a year ago, the Meltdown and Spectre attacks took the computer industry by storm and showed that the memory isolation between the operating system kernel and unprivileged applications, or between different virtual machines running on the same server, was not as impervious as previously thought. Those attacks took advantage of a performance enhancing feature of modern CPUs called speculative execution to steal secrets by analyzing how data was being accessed inside CPU caches.

    Since then, the research community found additional "side channel" techniques that could allow attackers to reconstruct secrets without having direct access to them, by analyzing how data passes through the CPU's microarchitectural components during speculative execution.

More on WhatsApp's Flaw

  • On WhatsApp, it may be hackers calling
  • Why it might be time to ditch WhatsApp for Signal or Telegram

    By now you’ve heard the news: WhatsApp is currently rolling out an urgent update to all app users to close a major vulnerability that leaves unpatched phones at risk of being targeted by hackers. WhatsApp is owned by Facebook, and if you plan to stick with the platform, don’t wait for an update notification: access your phone’s app store now to force install the update.

    Except maybe now is the time to go one step further: perhaps it’s the perfect opportunity to switch to a different messaging platform. One that’s not owned by one of the major tech companies, is equally -- if not more -- secure, and which works on more than just your phone. Enter stage left, Telegram, and stage right, Signal.

Linux vs. Zombieload

  • Linux vs. Zombieload

    The researchers have shown a Zombieload exploit that can look over your virtual shoulder to see the websites you're visiting in real-time. Their example showed someone spying on another someone using the privacy-protecting Tor Browser running inside a virtual machine (VM).

    Zombieload's more formal name is "Microarchitectural Data Sampling (MDS)." Its more common name comes from the concept of a "zombie load." This is a quantity of data that a processor can't handle on its own. The chip then asks for help from its microcode to prevent a crash. Normally, applications, virtual machines (VMs), and containers can only see their own data. But the Zombieload vulnerabilities enable an attacker to spy on data across the normal boundaries on all modern Intel processors.

    Unlike the earlier Meltdown and Spectre problems, Intel was given time to ready itself for this problem. Intel has released microcode patches. These help clear the processor's buffers, thus preventing data from being read.

    To defend yourself, your processor must be updated, your operating system must be patched, and for the most protection, Hyper-Threading disabled. When Meltdown and Spectre showed up, the Linux developers were left in the dark and scrambled to patch Linux. This time, they've been kept in the loop.
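The Ubuntu and ZDNet excerpts above both describe the same three layers of defence (MD_CLEAR microcode, a patched kernel, and SMT/Hyper-Threading off). As an added example, not code from any of the quoted articles, this POSIX shell script reads the two sysfs files the Linux MDS patches expose and classifies what it finds; the status strings are the kernel's own, while the verdict labels (NOT_AFFECTED, MITIGATED, PARTIAL, VULNERABLE, UNKNOWN) are this script's assumption.

```shell
#!/bin/sh
# Classify a Linux host's MDS/ZombieLoad mitigation state from the sysfs
# files added by the kernel's MDS patches. Status strings follow the
# kernel's Documentation/admin-guide/hw-vuln/mds.rst; the verdict labels
# are this script's own (constructed) vocabulary.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds
SMT_SYSFS=/sys/devices/system/cpu/smt/control

# mds_verdict MDS_STATUS SMT_CONTROL
#   MDS_STATUS  : contents of .../vulnerabilities/mds
#   SMT_CONTROL : contents of .../smt/control (on, off, forceoff,
#                 notsupported, notimplemented) or "" when unavailable
mds_verdict() {
    mds="$1"
    smt="$2"
    case "$mds" in
        "Not affected")
            echo NOT_AFFECTED ;;
        "Mitigation: Clear CPU buffers"*)
            # Microcode (MD_CLEAR) and kernel patches are both present.
            # Whether that is enough depends on the sibling hyperthread:
            # with SMT on, code on the other thread can still sample the
            # shared buffers, which is why the vendors suggest disabling it.
            case "$mds" in
                *"SMT vulnerable"*)
                    echo PARTIAL ;;
                *"SMT Host state unknown"*)
                    # Guest kernel: the hypervisor decides whether SMT is
                    # exposed, so the guest cannot judge on its own.
                    echo UNKNOWN ;;
                *"SMT disabled"*|*"SMT mitigated"*)
                    echo MITIGATED ;;
                *)
                    # No SMT clause in the status line: fall back to the
                    # smt/control knob.
                    case "$smt" in
                        off|forceoff|notsupported) echo MITIGATED ;;
                        on) echo PARTIAL ;;
                        *) echo UNKNOWN ;;
                    esac ;;
            esac ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            # Kernel is patched but the CPU lacks the MD_CLEAR microcode,
            # so the buffer flush is a no-op and the host is still exposed.
            echo VULNERABLE ;;
        "Vulnerable"*)
            echo VULNERABLE ;;
        *)
            echo UNKNOWN ;;
    esac
}

# Report the live values when the running kernel exposes them.
if [ -r "$MDS_SYSFS" ]; then
    live_mds=$(cat "$MDS_SYSFS")
    live_smt=""
    if [ -r "$SMT_SYSFS" ]; then
        live_smt=$(cat "$SMT_SYSFS")
    fi
    echo "mds:     $live_mds"
    echo "smt:     ${live_smt:-unavailable}"
    echo "verdict: $(mds_verdict "$live_mds" "$live_smt")"
else
    echo "No $MDS_SYSFS: kernel predates the MDS patches (or is not Linux); treat as UNKNOWN"
fi
```

A PARTIAL verdict means the microcode and kernel side are done but Hyper-Threading is still on, which is exactly the remaining exposure the Chrome OS, FreeBSD and Red Hat guidance in this roundup is about.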

Canonical Releases Ubuntu Updates to Mitigate New MDS Security

  • Canonical Releases Ubuntu Updates to Mitigate New MDS Security Vulnerabilities

    Four new security vulnerabilities affecting Intel microprocessors have been publicly disclosed earlier, and Intel already released updated microcode firmware to mitigate them, but in the case of Linux-based operating systems these flaws cannot be addressed only by updating the CPU firmware, but also by installing new Linux kernel versions and QEMU patches.

    The vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) affect various Intel processors and could allow a local attacker to expose sensitive information. They have an impact on all supported Ubuntu Linux releases, including Ubuntu 19.04 (Disco Dingo), Ubuntu 18.10 (Cosmic Cuttlefish), Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 16.04 LTS (Xenial Xerus), and Ubuntu 14.04 ESM (Trusty Tahr).

Intel and MDS

  • Intel CPUs impacted by new Zombieload side-channel attack

    Academics have discovered a new class of vulnerabilities in Intel processors that can allow attackers to retrieve data being processed inside a CPU.

    The leading attack in this new vulnerability class is a security flaw named Zombieload, which is another side-channel attack in the same category as Meltdown, Spectre, and Foreshadow.

How Hackers Broke WhatsApp With Just a Phone Call

Cameron Kaiser: ZombieLoad doesn't affect Power Macs

  • Cameron Kaiser: ZombieLoad doesn't affect Power Macs

    The latest in the continued death march of speculative execution attacks is ZombieLoad (see our previous analysis of Spectre and Meltdown on Power Macs). ZombieLoad uses the same types of observable speculation flaws to exfiltrate data but bases it on a new class of Intel-specific side-channel attacks utilizing a technique the investigators termed MDS, or microarchitectural data sampling. While Spectre and Meltdown attack at the cache level, ZombieLoad targets Intel HyperThreading (HT), the company's implementation of symmetric multithreading, by trying to snoop on the processor's line fill buffers (LFBs) used to load the L1 cache itself. In this case, side-channel leakages of data are possible if the malicious process triggers certain specific and ultimately invalid loads from memory -- hence the nickname -- that require microcode assistance from the CPU; these have side-effects on the LFBs which can be observed by methods similar to Spectre by other processes sharing the same CPU core. (Related attacks against other microarchitectural structures are analogously implemented.)

WhatsApp is not end-to-end because Facebook keeps copy of keys

  • The Ultimate Bad Take: Bloomberg's Leonid Bershidsky Thinks A WhatsApp Vulnerability Proves End To End Encryption Is Useless

    Bloomberg has really been on a roll lately with getting security stories hellishly wrong. Last fall it was its big story claiming that there was a supply chain hack that resulted in hacked Supermicro chips being used by Amazon and Apple. That story has been almost entirely debunked, though Bloomberg still has not retracted the original. Then, just a few weeks ago, it flubbed another story, claiming that the presence (years ago) of telnet in some Huawei equipment was a nefarious backdoor, rather than a now obsolete but previously fairly common setup for lots of equipment for remote diagnostics and access.

    The latest is an opinion piece, rather than reporting, but it's still really bad. Following yesterday's big revelation that a big security vulnerability was discovered in WhatsApp, opinion columnist Leonid Bershidsky declared it as evidence that end-to-end encryption is pointless.

Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets

  • Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs

    More than a year has passed since security researchers revealed Meltdown and Spectre, a pair of flaws in the deep-seated, arcane features of millions of chips sold by Intel and AMD, putting practically every computer in the world at risk. But even as chipmakers scrambled to fix those flaws, researchers warned that they weren't the end of the story, but the beginning—that they represented a new class of security vulnerability that would no doubt surface again and again. Now, some of those same researchers have uncovered yet another flaw in the deepest guts of Intel's microscopic hardware. This time, it can allow attackers to eavesdrop on virtually every bit of raw data that a victim's processor touches.

    Today Intel and a coordinated supergroup of microarchitecture security researchers are together announcing a new, serious form of hackable vulnerability in Intel's chips. It's four distinct attacks, in fact, though all of them use a similar technique, and all are capable of siphoning a stream of potentially sensitive data from a computer's CPU to an attacker.

    [...]

    AMD and ARM chips don't appear to be vulnerable to the attacks, [...]

Microarchitectural Data Sampling (MDS) focus now on Intel

  • Intel reveals four more Spectre-like bugs in its processors

    Intel has revealed four more vulnerabilities in all its modern processors, all of which could lead to side channel attacks that use speculative execution to leak data.

  • Intel CPU Exploit Zombieload Uses Hyperthreading To Steal Data

    The latest Intel CPU exploit termed Zombieload is a speculative execution side-channel attack. It uses Intel Hyperthreading to execute a Microarchitectural Data Sampling (MDS) attack which targets buffers in CPU microarchitecture.

    According to a report, Intel CPUs made since 2008 are all susceptible to this attack. The latest 8th and 9th gen Intel CPUs are safe from this issue. Intel has released a security patch for this security flaw.

Steinar H. Gunderson: Bug fest

RIP Hyper-Threading?

  • RIP Hyper-Threading? ChromeOS axes key Intel CPU feature over data-leak flaws – Microsoft, Apple suggest snub

    In conjunction with Intel's coordinated disclosure today about a family of security vulnerabilities discovered in millions of its processors, Google has turned off Hyper-Threading in Chrome OS to fully protect its users.

    Meanwhile, Apple, Microsoft, IBM's Red Hat, QubesOS, and Xen advised customers that they may wish to take similar steps.

    The family of flaws is dubbed microarchitecture data sampling (MDS), and Chipzilla's official advisory is here, along with the necessary microcode updates to mitigate the data-leaking vulnerabilities and list of affected products. Installing these fixes and disabling Intel's Hyper-Threading feature is a surefire way to kill off the bugs, though there may be a performance hit as a result.

Debian Patches New Intel MDS Security Vulnerabilities in Debian

  • Debian Patches New Intel MDS Security Vulnerabilities in Debian Linux Stretch

    On May 14th, Intel disclosed four new security vulnerabilities affecting several of its Intel CPUs, which could allow attackers to leak sensitive information if the system remains unpatched. Intel has worked with major OS vendors and device manufacturers to quickly deploy feasible solutions for mitigating these flaws, and now patches are available for users of the Debian GNU/Linux 9 "Stretch" operating system series.

    "Multiple researchers have discovered vulnerabilities in the way the Intel processor designs have implemented speculative forwarding of data filled into temporary microarchitectural structures (buffers). This flaw could allow an attacker controlling an unprivileged process to read sensitive information, including from the kernel and all other processes running on the system or cross guest/host boundaries to read host memory," reads the security advisory.

Now the BSD World

  • The BSDs Get Promptly Mitigated For The MDS Side-Channel Vulnerabilities

    When Spectre and Meltdown came to light, there was some frustration in the BSD community that it took time for them to be briefed and ultimately to handle the mitigations for these CPU security vulnerabilities. Fortunately, with the new Microarchitectural Data Sampling (MDS, also dubbed "Zombieload") vulnerabilities, the key BSDs have seen punctual patches.

    FreeBSD on Tuesday issued a security advisory that does include patches and additional guidance. FreeBSD's guidance is also recommending the disabling of Hyper Threading for systems with users/processors in different trust domains. FreeBSD also provides instructions on setting up the loading of the latest Intel CPU microcode files and applying patches for FreeBSD 12 and 11 series.

Zombieload Intel Vulnerability Explained

  • Zombieload Intel Vulnerability Explained: Nasty Flaw In Millions Of CPUs

    Zombieload is the latest Intel CPU vulnerability to plague everything from desktop computers to enterprise level servers. However, due to the increasingly complex nature of online attacks, it is becoming harder for companies to detect and fix them.

    These fixes are usually half measures at best and cause the processors of enterprises as well as the average user to lose their performance value in the long run, or so we’re told. Online attacks like Spectre and Meltdown affect almost everyone that uses a computer. It is a problem which is forcing companies to cut corners, more often than not, in areas concerning performance.

More MDS Media Coverage

CloudLinux, LWN and Red Hat on MDS
