Tag Archive for: spectre

Apple wins class-action over Spectre and Meltdown security flaws


Four years ago, we learned of the Spectre and Meltdown security flaws affecting Mac and iOS devices. This week, a US judge dismissed a proposed class-action lawsuit that accused Apple of defrauding customers, according to Reuters.

Background

Back in 2018, the Meltdown and Spectre security flaws affected ARM-based and Intel processors. While all Mac and iOS devices were affected by the vulnerabilities, Apple stated there were no known exploits affecting customers.

The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory – including that of the kernel – from a less-privileged user process such as a malicious app running on a device.

Apple defeats the class-action lawsuit over security flaws

U.S. District Judge Edward Davila in San Jose, California said customers failed to prove that they overpaid for their devices because Apple knowingly concealed defects, and provided security patches that made its devices significantly slower.

Reuters says the lawsuit came after Apple revealed the Meltdown and Spectre security flaws in 2018. These flaws could potentially let hackers access computer devices and steal memory contents. Customers claimed Apple first learned about the flaws in June 2017 and didn’t share them until the New York Times reported the issue.

Davila dismissed the case as Apple’s assertions that its products were ‘secure’ and ‘private’ were too general to support customer claims. Davila also stated that the company’s marketing wasn’t false or misleading. Saying its newer processors were faster and longer-lasting wasn’t a falsehood, as the patches may have disrupted performance.

While lawyers for the plaintiffs have yet to comment, Davila has given them until June 30 to repeal their claims.


New Bugs Could Let Hackers Bypass Spectre Attack Mitigations On Linux Systems



Cybersecurity researchers on Monday disclosed two new vulnerabilities in Linux-based operating systems that, if successfully exploited, could let attackers circumvent mitigations for speculative attacks such as Spectre and obtain sensitive information from kernel memory.

Discovered by Piotr Krysiuk of Symantec’s Threat Hunter team, the flaws — tracked as CVE-2020-27170 and CVE-2020-27171 (CVSS scores: 5.5) — impact all Linux kernels prior to 5.11.8. Patches for the security issues were released on March 20, with Ubuntu, Debian, and Red Hat deploying fixes for the vulnerabilities in their respective Linux distributions.

While CVE-2020-27170 can be abused to reveal content from any location within the kernel memory, CVE-2020-27171 can be used to retrieve data from a 4GB range of kernel memory.

First documented in January 2018, Spectre and Meltdown take advantage of flaws in modern processors to leak data that are currently processed on the computer, thereby allowing a bad actor to bypass boundaries enforced by the hardware between two programs to get hold of cryptographic keys.

Put differently, the two side-channel attacks permit malicious code to read memory that it would typically not have permission to access. Even worse, the attacks could also be launched remotely via rogue websites running malicious JavaScript code.

Although isolation countermeasures have been devised and browser vendors have incorporated defenses to offer protection against timing attacks by reducing the precision of time-measuring functions, the mitigations have been at an operating system level rather than a solution for the underlying issue.

The new vulnerabilities uncovered by Symantec aim to get around these mitigations in Linux by taking advantage of the kernel’s support for extended Berkeley Packet Filters (eBPF) to extract the contents of the kernel memory.

“Unprivileged BPF programs running on affected systems could bypass the Spectre mitigations and execute speculatively out-of-bounds loads with no restrictions,” Symantec said. “This could then be abused to reveal contents of the memory via side-channels.”

Specifically, the kernel (“kernel/bpf/verifier.c”) was found to perform undesirable…


Intel ‘intentionally hid’ Meltdown and Spectre from US cyber security officials

  1. Intel ‘intentionally hid’ Meltdown and Spectre from US cyber security officials  The INQUIRER
  2. Intel Kept US Cyber Security Agencies In The Dark About Spectre And Meltdown  Hot Hardware
  3. Intel did not disclose chip flaw to US government despite risk to national security  Telegraph.co.uk
  4. Intel did not tell US cyber officials about chip flaws until made public  Reuters
