All posts in “Hackers”

Those huge CPU vulnerabilities, Meltdown and Spectre, explained

By now you’ve probably heard. A large portion of the world’s computer processors are vulnerable to at least one of two exploits that render them susceptible to hackers. But what, exactly, is going on — and what can you do to protect yourself?

While the answer to the first question is complicated, thankfully the answer to the second isn’t. It turns out that companies like Google and Microsoft have been working behind the scenes to create patches for what the security community has named Meltdown and Spectre. 

But we’re not out of the woods yet, and, depending on your operating system, you still need to take some proactive measures to make sure your data is safe. 

What’s in a name: Meltdown and Spectre

One of the reasons this latest threat is so complicated is that it’s actually multiple vulnerabilities that were unveiled at the same time. They’re similar in some ways, but differ in other important ones — a fact hinted at by their names.

According to researchers, Meltdown “basically melts security boundaries which are normally enforced by the hardware.” Spectre, meanwhile, “breaks the isolation between different applications” allowing “an attacker to trick error-free programs, which follow best practices, into leaking their secrets.”

And what does that actually mean? Essentially, either of these vulnerabilities could be theoretically exploited to steal sensitive data, like passwords, off your computer. Spectre is also a threat to your smartphone, so no escape there.  

Furthermore, while Meltdown can be mostly mitigated with software patches, it is thought only certain exploitations of Spectre can be stopped in this manner. In other words, the latter is going to haunt us for some time and either could potentially require new processors for a complete fix (maybe).

So, who has patched?

Companies, if they haven’t already, are rushing to release the aforementioned “mitigations” against possible attacks that could exploit Meltdown or Spectre (a helpful patch list can be found on the Computer Emergency Response Team site). Why mitigations? Well, because the patches and updates mitigate the risk — but might not remove it completely.   

Microsoft, on Jan. 3, released an update for devices running Windows 10 that was downloaded and installed automatically. 

Google, for its part, issued a lengthy blog post on the same day detailing all the steps it had taken to protect users against both Spectre (Variant 1 and 2) and Meltdown (Variant 3). While a lot of that work happened behind the scenes, there are still some actions you need to take yourself. For example, you should definitely enable site isolation on Chrome.

Android devices with the most recent security updates are also protected from the above-mentioned variants.

Apple was a little late to the customer-facing party, but on Jan. 4 made it clear that it is indeed paying attention. Specifically, the company said that — just like with its competitors — its products are at risk. That includes “all Mac systems and iOS devices,” to be exact. 

But wait, there’s good news! Patches to help defend against Meltdown were released in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and Spectre-focused patches for Safari should be hitting “in the coming days.”

What do I need to do?

Meltdown and Spectre are the real deal, and rightly have security professionals concerned. However, at this time there are plenty of things you can do to protect yourself that don’t involve buying a new computer.

Security researcher Matt Tait writes that, at least when it comes to Meltdown, typical computer users can mostly breathe easy. First and foremost, make sure your system is up to date. Download any and all patches for your operating system and browser of choice.

But, because more updates are coming down the pike, you’re not done. Be on the lookout for any and all future security releases and make sure to install them immediately. Don’t pull the classic “remind me later” bit. 

And what about Spectre? This one is a little trickier. 

“Spectre is harder to exploit than Meltdown, but it is also harder to mitigate,” explain the researchers behind the discovery. “However, it is possible to prevent specific known exploits based on Spectre through software patches.” 

In other words, while nothing is perfect, much of the same advice applies as with Meltdown: update, update, update. 

Which, well, has always been good advice. 

Here’s what every Chrome user should do in the wake of #Spectre

The new year kicked off with a bang on Jan. 3 when security researchers revealed two major software vulnerabilities that affect, to some extent, most types of computer processors on the planet. Laptops, desktops, Chromebooks, smartphones, and enterprise machines are all potentially at risk, and attackers exploiting what have been dubbed Meltdown and Spectre could theoretically steal your passwords and other sensitive data.

And while the ultimate fix may be a costly hardware one, there are steps you can take today to at least mitigate your risk. If you’re a Chrome user in particular, Google has one very specific recommendation for protecting against Spectre.

Now here’s the rare dash of good news: It’s super easy to implement. 

Buried within Google’s lengthy (and informative!) blog post on its response to Spectre (Variant 1 and 2) and Meltdown (Variant 3) is a link to a page listing the “mitigation status” of affected products. Essentially, this page lists out all the Google services that are at risk, and what steps the company has taken to address that risk. In some cases, it includes stuff you have to do yourself.

Notably, this doesn’t mean that doing these things will 100 percent protect you, but, taken in the aggregate, they represent a line of defense against some seriously big security holes. 

This is where we come back to Chrome, and a little something called Site Isolation. According to The Chromium Projects, and this gets technical pretty quickly, “[Site Isolation] makes it harder for untrusted websites to access or steal information from your accounts on other websites.”

That sounds good, especially considering that a Google spokesperson told Mashable via email that “Variant 1 (Spectre) can be used in Javascript to pull secrets from a user’s browser, by attacking the process memory of the browser.”

“The Site Isolation protection loads each individual remote website in a separate process,” continued the spokesperson. “By doing so, if a user runs into an attack from a bad site, the process memory for the site the user is trying to reach is unavailable to be attacked. That way, your login secrets for one site cannot be stolen by another.”

This is definitely a welcome additional layer of security. So, how to enable it? In Chrome, go to chrome://flags/#enable-site-per-process and click “enable” on “Strict site isolation.” You’ll need to restart your browser, but otherwise that’s it.

Pretty simple, right?

We also reached out to Google to determine if this will have any adverse effects on your browsing experience — say, reduced speeds — and were pleased to hear that we shouldn’t really worry about that.

“The performance loss for Chrome specifically should be negligible,” the spokesperson assured us. 

So, yeah, download all your patches and enable Site Isolation on Chrome. Your data will thank you. 

This story has been updated with additional comment from Google. 

Microsoft just issued a fix for that big Intel processor vulnerability

So your computer is probably vulnerable to a processor chip bug that could theoretically let JavaScript running in a web browser steal your passwords (among other problems). Both your computer and your smartphone are at risk. It’s not good. 

Thankfully, however, for anyone with a machine running Windows, you’re probably in the clear. That’s because on Wednesday, January 3, Microsoft released a fix.

So reports ZDNet, which explains this patch was not issued on Microsoft’s standard Patch Tuesday — suggesting someone at the company decided it was urgent.  

Still, some questions remain. Does this fix only apply to Windows 10? Was the patch pushed automatically, or do users have to follow a prompt? We reached out to Microsoft for comment, and will update this post as soon as we hear back. 

Apple, for its part, has also reportedly patched the vulnerability in macOS 10.13.2.

In the meantime, more information has dropped on what actually turns out to be two separate vulnerabilities in a wide range of processor chips (not just from Intel). Dubbed Meltdown and Spectre, the bugs differ in both the ease of exploit and ease of mitigation. 

“Meltdown and Spectre exploit critical vulnerabilities in modern processors,” explains a website dedicated to the findings. “These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”

Software patches exist for Meltdown, and security researchers are working on fixes for Spectre.

As always, your safest bet is to make sure you update your OS early and often to help mitigate the risk of known vulnerabilities. 

MacOS High Sierra vulnerability was publicly disclosed in an Apple forum weeks ago

While Apple scrambles to issue a software fix for a major macOS High Sierra vulnerability, astute observers are wondering what took the company so long to react — after all, the problem was known about weeks ago. 

It seems that on November 13, a commenter on an Apple developer forum disclosed the very vulnerability that today threw the infosec community into a frenzy. Oh, and it was called out 9 days ago on Twitter as well. 

And just how bad is this security threat? Well, it’s not good. Essentially, it gives anyone with access to an unlocked computer the ability to set themselves as the root user — as well as log back in later to the locked computer at a time of their choosing.

To execute the hack, you only needed to go to System Preferences > Users & Groups, then enter “root” as your user name while leaving the password field blank. Try this a few times until you have access. It’s that simple. The exploit was first explained by Apple developer chethan177.

Again, chethan177 posted this on November 13. Apple only issued instructions on how to protect yourself against this on November 28. 

Whether or not anyone tried to responsibly disclose the threat to Apple remains unclear. But the fact that this attack — which in some cases can be performed remotely — was known to some developers weeks before Apple issued a statement about it is sure to turn heads.

Mashable has reached out to Apple for comment and will update the story as soon as we hear back.
