this post was submitted on 13 Aug 2023
973 points (99.0% liked)

Technology
Oh no.

[–] FaceDeer@kbin.social 55 points 1 year ago (6 children)

I just skimmed through the article and it seems like this vulnerability is only really meaningful on multi-user systems. It allows one user to access memory dedicated to other users, letting them read stuff they shouldn't. I would expect that most consumer gaming computers are single-user machines, or only have user accounts for trusted family members and whatnot, so if this mitigation causes too much of a performance hit I expect it won't be a big risk to turn it off for those particular computers.

[–] TheOctonaut@mander.xyz 83 points 1 year ago (3 children)

Would it mean that a malicious application being run in non-admin mode by one user could see data/memory in use by an admin user?

It would indeed imply that, which is why this vulnerability is also serious for single-user contexts.

The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not normally be accessible.

[–] Espi@kbin.social 42 points 1 year ago (2 children)

All these kinds of CPU-level vulnerabilities are the same: they are only really "risky" if there is malicious software running on the computer in the first place.

The real problem is that these CPU-level vulnerabilities all break one of the core concepts of computers, which is process separation and virtual memory. If process separation is broken then all other levels of security become pointless.

While for desktops this isn't a huge problem (except when sometimes vulnerabilities might even be able to be exploited through browsers), this is a huge problem for servers, where the modern cloud usually has multiple users in virtual machines on a single server and a malicious user could steal information across virtual machines.

[–] towerful@reddthat.com 31 points 1 year ago* (last edited 1 year ago)

Your first paragraph isn't quite right.
Modern hacks/cracks aren't a "do this and suddenly you are in" type deal.
It's a cascade chain of failures of non-malicious software.
Saying "don't have a virus" is absolutely correct, however that's not the concern here.
The concern is about the broadening of the attack surface.

A hacker gets minor access to a system. Leverages some CVE to get a bit more access, and keeps poking around and trying CVEs (known or unknown) until they get enough access to run this CVE.
And then they can escape the VM onto the host or other VMs on the same system, which might then give them access to a VM on another host, and they can escape that VM to get access to another VM, and on and on.

Very quickly, there is a fleet of VMs that are compromised. And the only sign of someone poking around is on the first VM the hacker broke into.
All other VMs would be accessed using trusted credentials.

ETA:
In fact, it doesn't even need to be a hacker.
It could be someone uploading a CI/CD task using their own account. It extracts all API keys, usernames and passwords it can find.
Suddenly, you have access to a whole bunch of repositories and APIs.
Then you can sneak in some malicious code to the git repo, and suddenly your malicious code is being shipped within legit software that gets properly signed and everything.

[–] gressen@lemm.ee 33 points 1 year ago (1 children)

It allows memory access across virtual machines as well, meaning all cloud VMs are vulnerable.

[–] FaceDeer@kbin.social 3 points 1 year ago

The machines that are running cloud VMs should obviously be patched. I wasn't talking about those.
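A defender-side check that follows from the patching discussion above, added here as an example and not something posted in the thread: on Linux the kernel reports, per CPU issue, whether a mitigation is active as one file per issue under /sys/devices/system/cpu/vulnerabilities/, and this script summarises that directory so a host or VM fleet can be audited. The function names are mine, and the directory path is a parameter so a copied snapshot can be checked offline.

```bash
#!/bin/sh
# Added example (not from the thread): summarise which CPU-level issues a Linux
# host still reports as unmitigated, using the kernel's sysfs interface
# /sys/devices/system/cpu/vulnerabilities/. Each file there holds one status
# line, typically starting "Not affected", "Mitigation: ..." or "Vulnerable".

# Print "<issue> <state>" per entry; state is one of
# not_affected, mitigated, vulnerable, unknown.
cpu_vuln_report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f" 2>/dev/null)
        case "$status" in
            "Not affected"*) state=not_affected ;;
            "Mitigation:"*)  state=mitigated ;;
            "Vulnerable"*)   state=vulnerable ;;
            *)               state=unknown ;;
        esac
        printf '%s %s\n' "$name" "$state"
    done
}

# List the issues reported as Vulnerable; exit 0 when there are none,
# exit 1 otherwise, so the function can gate a deployment or alert.
cpu_vuln_unmitigated() {
    cpu_vuln_report "$1" |
        awk '$2 == "vulnerable" { n++; print $1 } END { exit (n > 0) }'
}
```

Run `cpu_vuln_report` with no argument on the live host to see the full table, or `cpu_vuln_unmitigated` in a fleet check that should fail when any entry is still Vulnerable.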

[–] 4am@lemmy.world 16 points 1 year ago (1 children)

Processes that run on the same system can run as different users (including kernel) which is used for privilege separation. This can still allow a program in userland to peer into otherwise restricted system processes or the kernel. Every system is a "multi-user" system, even if there is only a single human user.

[–] FaceDeer@kbin.social 5 points 1 year ago

Yes, but all the data that I care about is in my single human user's account already. If I install malicious software then I'm already hooped regardless.

Look, I'm not saying this is no biggie. There are plenty of systems out there that will have to install this patch. Single-user computers probably should too. The situation I'm addressing is the case where a gaming computer has its gaming performance measurably harmed by the patch's overhead, which is reportedly significant in some cases. In those cases it's reasonable to weigh the merits and decide that this vulnerability isn't all that big a problem.

[–] fmstrat@lemmy.nowsci.com 12 points 1 year ago (1 children)

Disagree. For non-security conscious users who install that helper tool or plugin for their game, it can now read bank credentials from the browser.

[–] FaceDeer@kbin.social 3 points 1 year ago (1 children)

If you're a non-security-conscious user installing malicious software on your computer then I don't think there's much that could help you.

[–] fmstrat@lemmy.nowsci.com 1 points 1 year ago

But these are the people we (the security community) should be helping. If we don't help those who don't have the skills to help themselves, scammers have a large target and keep on scamming. We are not a target.

Granted, this post isn't necessarily about that, but they'll be the ones targeted regardless. Sometimes the best way to reduce the attack vector is about people, not software.