Security Bits Logo

Security Bits – 15 November 2018

Followups 1 — The Windows 10 Fall 2018 has been Re-released

After having to withdraw the update due to a bug that led to accidental file deletions in a very small number of edge cases, Microsoft have now released a fixed version —…

Followup 2 — 7 More Spectre/Meltdown Variants Published

We’ve known since the day Spectre and Meltdown became public that this whole speculative execution problem would be with us for a long time, with many new variants being found, and many changes needed in how we design our hardware and our software.

That processes continues with the publication of details of seven new variants.

You can read a detailed report here: Spectre, Meltdown researchers unveil 7 more speculative execution attacks —

I think this extract sums things up nicely:

A research team—including many of the original researchers behind Meltdown, Spectre, and the related Foreshadow and BranchScope attacks—has published a new paper disclosing yet more attacks in the Spectre and Meltdown families. The result? Seven new possible attacks. Some are mitigated by known mitigation techniques, but others are not. That means further work is required to safeguard vulnerable systems.

The most important thing to remember about all this as a home user is that the big danger with this class of vulnerabilities is computers where multiple processes owned by different end-users share the same hardware. Basically, cloud computing platforms. The people who have a lot of work to do are the chip manufacturers, and the cloud hosting companies. IMO the only thing regular folks need to do is to stay patched — keep your OS and all your apps patched and you’ll be doing your bit to protect yourself!

Followup 3 — Cloudflare Have Released an iOS & Android App Enabling Secure DNS through

Cloudflare have expanded their DNS project to include mobile apps. Cleverly, these apps use the VPN Profile APIs to route all DNS queries to 1.1.1. over an encrypted connection.

While these apps use the VPN Profile APIs, they are not VPNs! These apps only protect your DNS queries, they do not wrap other traffic in encryption.

The use of VPN profiles is very clever, giving users a very easy to use solution, but, it does have two obvious downsides:

  1. The mobile OSes treat the apps like true VPNs, so when they are enabled, it will look like you are using a real VPN
  2. Because the apps use the VPN profiles API, they can’t be used in conjunction with an actual VPN


Followup 4 — More Details on Apple’s T2 Security Chip, a Correction, and Some Tradeoffs

Let’s get the correction out of the way first — last time we suggested that it was the T2 chip that was physically disconnecting the mic on Apple’s new laptops. That’s what most of the media were reporting. However, it now seems that’s not quite right. What Apple actually said is that all laptops that have the T2 chip have a hardware switch for the mic. That does not mean the T2 is providing that functionality!

One of the features that T2 does provide is secure boot for the Mac. By default, a Mac with a T2 chip will not boot an OS that is not digitally signed by Apple. This protects from some of the most pernicious kinds of malware that manage to worm their way into a device before the OS even boots, giving them massive power to alter core OS features at a very low level. There was a lot of hyperventilation online that Apple have just killed Linux on the Mac, but that’s not accurate. Secure boot is on by default, as it needs to be to provide security, but users can choose to disable it, and once it is disabled, any OS can be installed on the device. This approach is entirely in keeping with the rest of the PC industry.

The T2 does more than just secure boot though — two other core features are security for TouchID, and hardware disk encryption. It’s these features that come with real tradeoffs. To get reliable security for these features there needs to be a very low-level pairing of the T2 to the motherboard, the flash storage, and the TouchID sensor. This means that those components can only be replaced by authorised repair centres who have the tools to securely cryptographically connect the new components. The tradeoff is clear — you can have security, or you can have unauthorised repairs, you can’t have both (because of maths, not malice). This reality is a bit of a Rorschach Test, with some like iFixIt seeing a conspiracy to shut down hobbyists and 3rd party repairers, and others seeing Apple following through on their commitments to security and privacy.

Personally, I think this is a trade-off where the good strongly out-weighs the bad. I do not want it to be possible for 3rd parties to modify my device so it becomes possible to steal my biometrics, or to suck out my cryptographic keys behind my back. Yes, it will stop me tinkering with the innards of my own Mac, and it could reduce my choices when it comes to getting my Macs repaired, but that’s a price I’m happy to pay. I have no interest in mucking around with my Mac’s hardware, and I would never trust an unauthorised repairer anyway, so personally, I only stand to gain from this. It’s my opinion that the same goes for the vast majority of Mac users.


Security Medium — The PortSmash Attack

TL;DR — no need to panic, just stay patched to stay secure!

PortSmash is the latest side-channel attack that breaches process isolation on Intel CPUs. The effects of this bug are quite similar the many Spectre/Meltdown variants, but the mechanism is completely different. The Spectre/Meltdown bugs abuse speculative execution, PortSmash abuses hyper threading.

In theory, two processes running on a computer should not be able to access each other’s information without explicit permission (handled by the OS). This is important because running processes often have to deal with sensitive data like passwords, credit card numbers, and cryptographic keys. That game of Solitaire you;’re playing should not be able to ready your credit card number from the online shopping cart you’re checking out with in Safari!

Hyper-threading is a strategy used by many CPUs to do two things at once on a single CPU core. It pre-dates the common availability of multi-core CPUs. A CPU contains multiple computing circuits that are designed to perform different types of calculation. For reasons I don’t understand these regions are referred to as ports. A single instruction only uses a single port, so if there are 5 instructions waiting, and each needs a different port, there is no reason for them to run one after the other, each could be allowed to use the port it wants at the same time. That’s hyper threading!

What security researchers found is that when two processes utilise hyper-threading to execute simultaneously on the same CPU core they can infer information about each other’s state. This is a so-called side-channel attack. With enough persistence an attacker can extract data from processes they should not have access to.

On a personal computer all the processes you run belong to you, so while process isolation is definitely desirable, it’s not critical. To exploit this bug a piece of malware has to share a CPU core with a victim process. If you are the only user of a computer, then the malware is already running on your computer, so it doesn’t need to exploit this kind of trick to get at your stuff, it can just get it directly!

Where process isolation becomes vital is in virtualised environments. A VM is just a collection of processes, so, processes belonging to one VM could easily end up sharing a core with processes from another VM, allowing an attacker to reach in to another user’s VM and steal their data — very bad indeed!

The good news is that this problem can be fixed.

The simplest short-term fix is simply to disable hyper-threading. This will obviously have a performance hit, but it completely solves the problem and is easy to do with a BIOS setting.

In the longer term there is a much better solution. One of the jobs of an OS is to schedule process execution — it’s the OS that decides which process gets to use which CPU when. OSes need to update their scheduling process so only threads that belong to the same master process can share a core. For regular home users this would mean that if one Safari process was scheduled on a given core then only other Safari processes would be allowed to share that core at that time. For virtualisation environments it would mean that only threads belonging to the same VM could share a core.

So, unless you are a large cloud provider, all you probably need to do is update your OS and and when the vendor releases updates. Basically, stay patched!


Notable Security Updates

Notable News

  • The mobile version of Pwn2Own saw a lot of exploits against all popular mobile OSes, but the hack that’s getting the most press attention is one that allows attackers to recover deleted photos on the latest version of iOS —…
  • Security researchers have found a botnet of over 100K routers that was built up by exploiting old vulnerabilities in home routers (Editorial by Bart: if you haven’t updated your router recently, now might be a good time. If your vendor doesn’t issue regular security updates, consider replacing your router with one from a vendor that does) —…
  • A security researcher has released details of a zero-day bug in Oracle’s popular VirtualBox VM software. Thankfully there is a workaround —…
  • A study by the University of Oxford in the UK has found that apps in the Google Play store categorised as being for children have seven trackers on average. The study was based on an analysis of close to 1M apps on the US and UK Play stores —…
  • Google have released version 3 of their re-Captcha tool. This new version uses a very different approach, switching from a binary output (yes human, no, not human) to a more granular confidence score. Website developers can choose for themselves at what level of confidence they are happy with for each feature on their website. Users will not see any visual interaction, instead, JavaScript will be used to asses if the user is behaving in a human-like way (exactly how is secret, and will undoubtedly perpetually evolve as the eternal cat-and-moues game continues) —…
  • Google is making their privacy controls for search easier to access by embedding some of the related UI directly in the search page itself —…
  • Google’s crackdown on dodgy ads continues with the introduction of a new policy giving offending sites 30 days to shape up or Chrome will start blocking ads on their sites —…
  • Holiday Shopping from a Security Point of View
    • LastPass released a “naughty or nice” list of good and bad retailers from a security and privacy point of view. Apple topped the nice list, and Wayfair bottomed the naughty list —…
    • Mozilla have published a guide for buying tech gadgets that get security right —… (via Allison)

Suggested Reading

Palate Cleansers

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top