Skyfall and Solace

Discussion in 'other security issues & news' started by Trooper, Jan 18, 2018.

  1. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,509
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Well, we'll see. But, most likely to be Spectre-class vulnerabilities, there will be a stream of those.

    All using side-channels, whose risks have been known forever but conveniently forgotten in the rush for speed and profit. Instead of giving us extra cores (harming their high end/data centre profits), we've had incremental improvements based on slapdash implementations of dodgy optimisations.
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,080
    Location:
    DC Metro Area
    "...A website that began going viral today, Skyfallattacks, suggests more potential attack vectors are imminent. Currently, the site is basically just some text that alludes to two allegedly potential new attacks dubbed Skyfall and Solace. (Someone out there really likes Daniel Craig’s James Bond—marketing!) Little is known about this new pair of alleged exploits, and it’s entirely possible they’re entirely bull<snip>..."

    https://gizmodo.com/intel-claims-90-percent-of-affected-cpus-have-live-patc-1822192075
     
  4. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    As someone who is not a techie: how likely will one be vulnerable in the real world against these attacks, assuming one uses a browser/email client (interface with the internet) that is fully patched?
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    IMO, at the beginning not very likely if you are not a high-value target. Most members of this forum will probably be "high hanging fruit" even if the vulnerabilities get exploited in the wild. If it gets exploited and affects most regular users, it will be a problem for the whole tech industry and not just individuals.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Meltdown and Spectre have opened up the whole "firmware vulnerability can of worms" that has existed for years for full public disclosure. And frankly, it's high time this was done. Like I keep saying, this isn't one isolated hardware issue. The whole small computer architecture is flawed security-wise and has been since "day one."
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Am I correct in what I saw that implies the only way these exploits can run is if they somehow get on your machine?
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Exactly - they have to execute instructions (including high-resolution timing measures). So for clients, that is most likely delivered by browsers as scripts. Conventional sandboxing, process isolation, rings etc. avail you naught in controlling this. But fuzzing the accuracy of the timing measures is pretty helpful, which is what the latest FF patch does, for example.

    As @itman notes of course, these side channel attacks have been around forever, and well-known to competent hardware/chip designers. Perhaps what's different is that Intel in particular has maximised profit and milked the cash cow for many years, based on dodgy and dangerous optimisation rather than letting people have more real cores for reasonable money. So you have the absurd situation where a smartphone has more cores than your desktop and some at least have not gone down the Spectre-vulnerable optimisation route on the Smartphones. As Snowden said: clients are "terrifically weak".

    I'd encourage people to also think about the cloud and their indirect exposure to systems and data running there. While hopefully your main providers will not be running on shared systems, and will control their software extremely tightly, that won't always be the case. For instance, if you're running a VPS or something, your certificates on the machine might possibly be vulnerable - depending on your hoster.
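
The timer-fuzzing mitigation mentioned in the post above, as an added example that is not part of the original thread: a simulated clock snaps readings to a coarse grid and adds random jitter, and the code counts how often a single measurement can still tell apart two operations whose durations differ by 200 ns. The granularities, durations and the simplified jitter scheme are assumptions for illustration, not Firefox's actual implementation.

```javascript
// Added illustration. All numbers are constructed; times are integer nanoseconds.

// Small seeded PRNG so the simulation is reproducible.
function mulberry32(seed) {
  let a = seed;
  return function () {
    a = (a + 0x6D2B79F5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Clock that snaps the true time to a grid, randomly reports this tick or
// the next one (jitter), and never runs backwards.
function makeFuzzedClock(granularityNs, rng) {
  let last = 0;
  return function read(trueNs) {
    const base = Math.floor(trueNs / granularityNs) * granularityNs;
    const fuzzed = base + (rng() < 0.5 ? 0 : granularityNs);
    last = Math.max(last, fuzzed);
    return last;
  };
}

// Duration of one operation as seen through the fuzzed clock.
function measure(durationNs, startNs, granularityNs, rng) {
  const read = makeFuzzedClock(granularityNs, rng);
  const t0 = read(startNs);
  return read(startNs + durationNs) - t0;
}

// Fraction of trials in which one timing of the slow operation reads
// strictly longer than one timing of the fast operation.
function singleShotSuccessRate(granularityNs, fastNs, slowNs, trials, seed) {
  const rng = mulberry32(seed);
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    const start = Math.floor(rng() * 1e9);
    const fast = measure(fastNs, start, granularityNs, rng);
    const slow = measure(slowNs, start, granularityNs, rng);
    if (slow > fast) correct++;
  }
  return correct / trials;
}

console.log("1 ns clock:  ", singleShotSuccessRate(1, 50, 250, 2000, 42));
console.log("20 us clock: ", singleShotSuccessRate(20000, 50, 250, 2000, 42));
```

With the 1 ns clock every trial separates the two durations; with the coarse, jittered clock a single reading is mostly noise, which is why reducing timer precision raises the cost of such measurements rather than closing the side channel itself.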
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks deBoetie. I've approached this by being strict about email practices and also tight control of what can run on the system via MZwritescanner, Appguard and ExeRadarPro. Also using Firefox 57 and Noscript.
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I think that's pretty much all we can do at this stage. There's also ad-blocking and malicious site blocking (which I do on the router these days), and also some merit in using Firejail or Sandboxie to block internet access for those programs that don't need it, so that they can't phone home (as well as for most userspace programs). I also think that VMs continue to offer good protection, even though they are likely more permeable than desired, the risk is small.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    All my high risk stuff is done in a VM machine that is big enough to replicate my desktop.
     
  12. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,080
    Location:
    DC Metro Area