macOS Zero-Day Flaw Lets Hackers Bypass Security Using Invisible Mouse-Clicks

Your Mac running Apple's latest operating system, High Sierra, can be hacked by tweaking just two lines of code, a researcher demonstrated at the DEF CON security conference on Sunday.

Patrick Wardle, an ex-NSA hacker and now Chief Research Officer of Digita Security, uncovered a critical zero-day vulnerability in macOS that could allow a malicious application installed on the targeted system to virtually "click" objects without any user interaction or consent.

To show how far this can go, Wardle explains: "Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? Click…allowed. Authorize keychain access? Click…allowed. Load 3rd-party kernel extension? Click…allowed. Authorize outgoing network connection? click …allowed."

Wardle described his research into “synthetic” interactions with a user interface (UI) as “The Mouse is Mightier than the Sword,” showcasing an attack that’s capable of ‘synthetic clicks’—programmatic and invisible mouse clicks that are generated by a software program rather than a human.

macOS itself offers synthetic clicks as an accessibility feature, so that people with disabilities can interact with the system interface in non-traditional ways, but Apple has put limitations in place to block malware from abusing these programmatic clicks.


Wardle discovered by accident that High Sierra incorrectly interprets two consecutive synthetic mouse "down" events as a legitimate click, allowing attackers to programmatically interact with security prompts that ask users to choose between "allow" and "deny", and thereby access sensitive data or features.

“The user interface is that single point of failure,” says Wardle. “If you have a way to synthetically interact with these alerts, you have a very powerful and generic way to bypass all these security mechanisms.”

Although Wardle has not yet published technical details of the flaw, he says the vulnerability could potentially be exploited to dump all passwords from the keychain or to load malicious kernel extensions by virtually clicking "allow" on the security prompt, gaining full control of the target machine.

Wardle said that he found this loophole accidentally while copying and pasting code, and that just two lines of code are enough to completely break this security mechanism.

Unlike with his earlier findings, Wardle did not report his latest research to Apple and chose to publicly reveal details of the zero-day bug at the DEF CON hacker conference.

“Of course OS vendors such as Apple are keenly aware of this ‘attack’ vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately, they failed,” says Wardle.

However, Apple's next version of macOS, Mojave, already mitigates the threat by blocking all synthetic events, which also reduces the scope of accessibility features for applications that legitimately use them.


Flaws in Pre-Installed Apps Expose Millions of Android Devices to Hackers

Bought a new Android phone? What if I told you your brand new smartphone can be hacked remotely?

Nearly all Android phones come with useless applications pre-installed by manufacturers or carriers, usually called bloatware, and there’s nothing you can do if any of them has a backdoor built-in—even if you’re careful about avoiding sketchy apps.

That’s exactly what security researchers from mobile security firm Kryptowire demonstrated at the DEF CON security conference on Friday.

Researchers disclosed details of 47 different vulnerabilities deep inside the firmware and default apps (pre-installed and mostly non-removable) of 25 Android handsets that could allow hackers to spy on users and factory reset their devices, putting millions of Android devices at risk of hacking.

At least 11 of those vulnerable smartphones are manufactured by companies including Asus, ZTE, LG and Essential (maker of the Essential Phone), and are distributed by US carriers such as Verizon and AT&T.

Other affected Android handset brands include major names such as Vivo, Sony, Nokia and Oppo, as well as many smaller manufacturers such as Sky, Leagoo, Plum, Orbic, MXQ, Doogee, Coolpad and Alcatel.

Some of the vulnerabilities discovered by the researchers could even allow hackers to execute arbitrary commands as the system user, wipe all user data from a device, lock users out of their devices, access the device's microphone and other functions, access all user data including emails and messages, and read, modify and send text messages, and more—all without the user's knowledge.

“All of these are vulnerabilities that are prepositioned. They come as you get the phone out the box,” Kryptowire CEO Angelos Stavrou said in a statement. “That’s important because consumers think they’re only exposed if they download something that’s bad.”

For example, vulnerabilities in the Asus ZenFone V Live could allow a complete system takeover, letting attackers take screenshots, record the user's screen, make phone calls, spy on text messages, and more.

Kryptowire, whose research was funded by the U.S. Department of Homeland Security, explained that these vulnerabilities stem from the open nature of the Android operating system, which allows third parties such as device manufacturers and carriers to modify the code and ship substantially different versions of Android.

Kryptowire is the same security firm that, in late 2016, uncovered a pre-installed backdoor in more than 700 million Android smartphones that was found to be surreptitiously sending all text messages, call logs, contact lists, location history and app data to China every 72 hours.

Kryptowire has responsibly reported the vulnerabilities to Google and the respective affected Android partners, some of which have patched the issues while others are working diligently and swiftly to address these issues with a patch.

However, it should be noted that since the Android operating system itself is not vulnerable to any of the disclosed issues, Google can't do much about this, as it has no control over the third-party apps pre-installed by manufacturers and carriers.


Snapchat Hack — Hacker Leaked Snapchat Source Code On GitHub

The source code of the popular social media app Snapchat recently surfaced online after a hacker leaked it and posted it on GitHub, the Microsoft-owned code hosting service.

A GitHub account under the name Khaled Alshehri with the handle i5xx, who claimed to be from Pakistan, created a GitHub repository called Source-Snapchat with a description “Source Code for SnapChat,” publishing the code of what purported to be Snapchat’s iOS app.

The underlying code could potentially expose the company's most confidential information, such as the entire design of the hugely successful messaging app, how the app works, and what future features are planned for it.

Snapchat's parent company, Snap Inc., responded to the leak by filing a takedown request under the Digital Millennium Copyright Act (DMCA), which got GitHub to remove the repository hosting the Snapchat source code.

Snapchat Hack: GitHub Took Down Repository After DMCA Notice


Though it is not clear precisely what secret information the leaked Snapchat source code contained, the company's alarm is evident in the DMCA request (written in all caps), which suggests the contents of the repository were legitimate.

“I AM [private] AT SNAP INC., OWNER OF THE LEAKED SOURCE CODE,” a reply from a Snap employee, whose name is redacted, on the DMCA notice reads.

When asked to "Please provide a detailed description of the original copyrighted work that has allegedly been infringed. If possible, include a URL to where it is posted online," the Snap employee responded:

“SNAPCHAT SOURCE CODE. IT WAS LEAKED AND A USER HAS PUT IT IN THIS GITHUB REPO. THERE IS NO URL TO POINT TO BECAUSE SNAP INC. DOESN’T PUBLISH IT PUBLICLY.”

“WE WOULD APPRECIATE YOU TAKE DOWN THE WHOLE THING.”

Snap told several online news outlets that an iOS update in May exposed a “small amount” of its iOS source code.

Although the company identified and rectified the mistake immediately, it discovered that some of the exposed source code had been posted online.

Snap also confirmed that the code has since been removed, and that the event did not compromise its application and had no impact on its community.

Pakistani Hacker Threatens to Re-Upload Snapchat’s Source Code

It appears that the online user behind the leak created the GitHub account with the sole purpose of sharing the Snapchat source code, as nothing else was posted on the account before or after the leak.

Moreover, some posts on Twitter by at least two individuals (one based in Pakistan and another in France) who appear to be behind the i5xx GitHub account suggest that they tried to contact Snapchat about the source code, expecting a bug bounty reward.

When they did not get any response from the company, the account threatened to re-upload the source code until they got a reply from Snapchat.

The Snapchat source code has now been taken down by GitHub following the DMCA request, and will not be restored unless the original publisher files a legal counter-claim proving ownership of the source code.

However, this does not resolve the issue completely. Since the Snapchat source code is still in the hands of outsiders, they could re-publish it on other online forums, or use it for personal profit.


Adobe Releases Security Patch Updates For 112 Vulnerabilities

Adobe has released security patches for a total of 112 vulnerabilities in its products, most of which are rated as carrying a higher risk of exploitation.

The vulnerabilities addressed in this month's Patch Tuesday release affect Adobe Flash Player, Adobe Experience Manager, Adobe Connect, and Adobe Acrobat and Reader.

None of the security vulnerabilities patched this month had been publicly disclosed or found to be actively exploited in the wild.

Adobe Flash Player (For Desktops and Browsers)

The security updates include patches for two vulnerabilities in Adobe Flash Player across various platforms and applications, as listed below.

One of them, rated critical (CVE-2018-5007), is a "type confusion" flaw whose successful exploitation could allow an attacker to execute arbitrary code on the targeted system in the context of the current user.

This flaw was discovered and reported to Adobe by willJ of Tencent PC Manager working with Trend Micro’s Zero Day Initiative.

Without revealing technical details of either flaw, Adobe said the second vulnerability, which the company rated important, could allow an attacker to retrieve sensitive information.

Affected Version

  • Flash Player v30.0.0.113 and earlier versions

Affected Platforms and Applications

  • Windows
  • macOS
  • Linux
  • Chrome OS
  • Google Chrome
  • Microsoft IE 11
  • Microsoft Edge


Adobe Acrobat and Reader (Windows and macOS)

The company has patched a total of 104 security vulnerabilities in Adobe Acrobat and Reader, of which 51 are rated critical and the rest important in severity.

Both products include dozens of critical heap overflow, use-after-free, out-of-bounds write, type confusion, untrusted pointer dereference and buffer error vulnerabilities, which could allow an attacker to execute arbitrary code on the targeted system in the context of the current user.

These vulnerabilities were reported by security researchers from various security firms, including Palo Alto Networks, Trend Micro Zero Day Initiative, Tencent, Qihoo 360, CheckPoint, Cisco Talos, Kaspersky Lab, Xuanwu Lab and Vulcan Team.

Affected Version

  • Continuous Track—2018.011.20040 and earlier versions
  • Classic 2017 Track—2017.011.30080 and earlier versions
  • Classic 2015 Track—2015.006.30418 and earlier versions

Affected Platforms

  • Microsoft Windows
  • Apple macOS

Adobe Experience Manager (All Platforms)

Adobe has addressed three important Server-Side Request Forgery (SSRF) vulnerabilities in its Experience Manager, an enterprise content management solution, which could result in sensitive information disclosure.

Two of these security vulnerabilities (CVE-2018-5006, CVE-2018-12809) were discovered by Russian application security researcher Mikhail Egorov.

Affected Version

  • AEM v6.4, 6.3, 6.2, 6.1 and 6.0

The vulnerabilities affect Adobe Experience Manager on all platforms, and users are advised to download the updated version from Adobe.

Adobe Connect (All Platforms)

Adobe has patched three security vulnerabilities in Adobe Connect, software used for presentations and web conferencing. Two of them, rated important, could allow an attacker to bypass authentication, hijack web sessions and steal sensitive information.

The third flaw in Adobe Connect, rated moderate, is a privilege escalation issue caused by insecure library loading.

Affected Version

  • Adobe Connect v9.7.5 and earlier for all platforms

Adobe recommends that end users and administrators install the latest security updates as soon as possible.


DomainFactory Hacked—Hosting Provider Asks All Users to Change Passwords

Besides Timehop, another data breach was disclosed last week, this one affecting users of DomainFactory, one of the largest web hosting companies in Germany, which is owned by GoDaddy.

The breach originally took place in January of this year but only came to light last Tuesday, when the unknown attacker himself posted a note about it on the DomainFactory support forum.

According to Heise, the attacker breached the company's servers to obtain the data of one of its customers, who apparently owes him a seven-figure sum.

The attacker later tried to report to DomainFactory the vulnerability he had used to break into its servers, but the hosting provider neither responded nor disclosed the breach to its customers.

The attacker then went to the company's support forum and broke the news himself, posting sample data of a few customers as proof, which forced DomainFactory to immediately take the forum offline and open an investigation.

Attacker Gains Access to a Large Amount of Data

DomainFactory finally confirmed the breach last weekend, revealing that the following personal data belonging to an unspecified number of its customers had been compromised:

  • Customer name
  • Company name
  • Customer account ID
  • Physical address
  • E-mail addresses
  • Telephone number
  • DomainFactory Phone password
  • Date of birth
  • Bank name and account number (e.g. IBAN or BIC)
  • Schufa score (German credit score)

That is a whole lot of information, and cybercriminals can use it for targeted social engineering attacks against the affected customers.

The forum has been temporarily taken down, and DomainFactory said that a data feed containing certain customer information, which the attacker accessed, had been left open to external third parties after a system transition on January 29, 2018.

“We have notified the data protection authority and commissioned external experts with the investigation. The protection of the data of our customers is paramount, and we regret the inconvenience this incident causes, very much,” the company said.

Change All of Your Passwords

DomainFactory is now advising its users to change the passwords for all of the following services and applications "as a precautionary measure," and also to change their passwords for any other online services where they use the same password.

  • Customer password
  • Phone password
  • Email passwords
  • FTP / Live disk passwords
  • SSH passwords
  • MySQL database passwords

Since the compromised data can be used for identity theft and to create direct debits against customers' bank accounts, users are also advised to monitor their bank statements for any unauthorized transactions.

So far it is unclear how the attacker got into the DomainFactory servers, but the German publication said the attacker gave no indication of intending to sell the captured data or leak it online.


Timehop Hacked — Hackers Stole Personal Data Of All 21 Million Users

And the hacks just keep on coming.

The Timehop social media app was hit by a major data breach on July 4th that compromised the personal data of more than 21 million users.

Timehop is a simple social media app that collects your old photos and posts from your iPhone, Facebook, Instagram, Twitter and Foursquare and acts as a digital time machine, showing you what you were doing on this very day exactly a year ago.

The company revealed on Sunday that unknown attacker(s) managed to break into its cloud computing environment and access the data of all 21 million users, including their names, email addresses, and approximately 4.7 million phone numbers attached to their accounts.

“We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. Some data was breached,” the company wrote in a security advisory posted on its website.

Social Media OAuth2 Tokens Also Compromised

Moreover, the attackers also got their hands on the authorization tokens (keys) that other social networks provide to Timehop so that it can access your social media posts and images.

With access to these tokens, hackers could view some of your posts on Facebook and other social networks without your permission.

However, Timehop claims that all the compromised tokens were deauthorized and made invalid within a “short time window” after the company detected the breach on its network on July 4th at 4:23 PM Eastern Time.

The stolen access tokens can no longer be used to gain access to any of your social media profiles, and the company also claims that there is "no evidence that this actually happened."

“In addition to our communications with local and federal law enforcement, we are also in contact with all our social media providers, and will update users as needed, but again: there are no credible reports, and there has been no evidence of, any unauthorized use of these access tokens,” the company said.

It should also be noted that these authorization tokens do not give anyone, including the company itself, access to your private messages on Facebook Messenger, Direct Messages on Twitter and Instagram, and things that your friends post to your Facebook wall.

Timehop is also confident that the security breach did not affect your private/direct messages, financial data, social media and photo content, and other Timehop data including streaks and memories.

Timehop also pointed out that there was no evidence that any account was accessed without authorization.

Data Breach Aided By Lack of Two-Factor Authentication


“The breach occurred because an access credential to our cloud computing environment was compromised,” Timehop said.

On the same day Timehop identified the breach on its network, we reported on the Gentoo GitHub account hack, in which intruders replaced the content of the project's repositories and pages with malicious content after guessing the account password.

The Gentoo breach was aided by the lack of two-factor authentication (2FA) on its GitHub account. 2FA requires users to enter an additional passcode besides the password in order to gain access to the account.

The same happened with Timehop.

Since the company was not using two-factor authentication, the attacker(s) were able to gain access to its cloud computing environment using a compromised credential.

Timehop has now taken some new security measures that include system-wide multifactor authentication to secure its authorization and access controls on all accounts.

Timehop logged all users out of the app after invalidating all API credentials, which means you will need to re-authenticate each of your social media accounts with the app when you next log into Timehop, so that new tokens are generated.

The company is also working with security experts and incident response professionals, local and federal law enforcement officials, and its social media providers to minimize the impact of the breach on its users.

Since the new GDPR privacy law defines a notifiable breach as one "likely to result in a risk to the rights and freedoms of the individuals," Timehop says it has notified all of its affected European users and is working closely with GDPR experts on countermeasures.

To learn more about the incident and how it happened, you can read the technical report published by Timehop, which provides a more detailed breakdown of the security incident.


Password-Guessing Was Used to Hack Gentoo Linux Github Account


Maintainers of the Gentoo Linux distribution have now revealed the impact and “root cause” of the attack that saw unknown hackers taking control of its GitHub account last week and modifying the content of its repositories and pages.

The hackers not only managed to change the content in compromised repositories but also locked out Gentoo developers from their GitHub organisation.

As a result of the incident, the developers were unable to use GitHub for five days.

What Went Wrong?

Gentoo developers have revealed that the attackers were able to gain administrative privileges for its GitHub account after guessing the account password.

The organisation could have been protected if it had been using two-factor authentication, which requires an additional passcode besides the password in order to gain access to the account.

“The attacker gained access to a password of an organization administrator. Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated web pages,” Gentoo wrote in its incident report.

Besides this, the Gentoo developers also did not have a backup copy of their GitHub Organization details. What's more, the systemd repo was not mirrored from Gentoo's own infrastructure but was stored directly on GitHub.

What Went Well? (Luckily)

Gentoo believes the project got lucky in that the attack was "loud": removing all other developers from the targeted GitHub organisation caused each of them to be emailed.

Quick action from both Gentoo and GitHub put an end to the attack in about 70 minutes.

“The attack was loud; removing all developers caused everyone to get emailed,” the Gentoo maintainers said. “Given the credential taken, it’s likely a quieter attack would have provided a longer opportunity window.”

The report also notes that by force-pushing commits that attempted to remove all files, the attacker made "downstream consumption more conspicuous," which would have "blocked git from silently pulling in new content to existing checkouts on 'git pull'."

As the project previously said, the main Gentoo repositories are kept on Gentoo hosted infrastructure, and Gentoo mirrors to GitHub in order to “be where the contributors are.”

Therefore, the account's private keys were not affected by the incident, and neither was the Gentoo-hosted infrastructure.

Impact of the Cyber Attack

As a result of the incident, the Gentoo Proxy Maintainers Project was affected, as many proxy-maintainer contributors use GitHub to submit pull requests; all past pull requests were also disconnected from their original commits and closed.

The attackers also attempted to add “rm -rf” commands to various repositories, which if executed, would have deleted user data recursively. However, this code was unlikely to be executed by end users due to various technical guards in place.

rm is the Unix command for removing files and directories, and rm -rf denotes a recursive, forced removal, which "would cause every file accessible from the present file system to be deleted from the machine."
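The report's point about force-pushed history and file-wiping commits being conspicuous to downstream checkouts can be turned into an explicit fetch-side check. The following is an added example, not Gentoo's own tooling: it builds a throwaway upstream/downstream pair in a temporary directory, rewrites upstream history with a commit that removes every file (standing in for the force push described above), and refuses to fast-forward the downstream clone onto a tip that rewrote history or empties the tree. It assumes only that the `git` binary is on PATH; all repositories, file names and commits are constructed for the demonstration.

```python
"""Downstream guard for a mirrored git repository (added example, not Gentoo's code).

A pinned known-good commit is compared against the freshly fetched remote tip:
a benign update is a fast-forward that does not delete most of the tree; anything
else is rejected before the working copy is touched. Assumes `git` is on PATH.
"""
import os
import subprocess
import tempfile

# Identity and signing settings passed on every call so the example runs in a
# clean environment with no global git configuration.
GIT_OPTS = ["-c", "user.name=example", "-c", "user.email=example@example.invalid",
            "-c", "commit.gpgsign=false"]


def git(repo, *args, check=True):
    """Run a git subcommand inside `repo`; return (exit code, stdout)."""
    proc = subprocess.run(["git", *GIT_OPTS, "-C", repo, *args],
                          capture_output=True, text=True)
    if check and proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip())
    return proc.returncode, proc.stdout.strip()


def inspect_remote_tip(repo, known_good, remote="origin", branch="main"):
    """Fetch `branch` from `remote` and classify its tip relative to `known_good`.

    Returns fast_forward, deleted/kept file counts and a verdict; the checkout is
    only advanced (with --ff-only) when the verdict is "ok".
    """
    git(repo, "fetch", "-q", remote, branch)
    _, new_tip = git(repo, "rev-parse", "FETCH_HEAD")
    # Exit code 0 means known_good is an ancestor of the new tip (no rewrite).
    rc, _ = git(repo, "merge-base", "--is-ancestor", known_good, new_tip, check=False)
    fast_forward = rc == 0
    _, status = git(repo, "diff", "--name-status", known_good, new_tip)
    deleted = sum(1 for line in status.splitlines() if line.startswith("D"))
    _, tree = git(repo, "ls-tree", "-r", "--name-only", new_tip)
    kept = len(tree.splitlines())
    if not fast_forward:
        verdict = "reject: remote history was rewritten (non-fast-forward)"
    elif deleted > kept:
        verdict = f"reject: update deletes {deleted} files and keeps {kept}"
    else:
        verdict = "ok"
        git(repo, "merge", "-q", "--ff-only", new_tip)  # safe to advance the checkout
    return {"fast_forward": fast_forward, "deleted": deleted, "kept": kept,
            "verdict": verdict}


def build_scenario(rewrite):
    """Construct an upstream repo and a downstream clone; return (clone_path, known_good_sha).

    rewrite=True mimics the incident: upstream is reset to an older commit and a
    new commit removing every file replaces the history the clone already has.
    rewrite=False adds an ordinary commit instead (constructed sample content).
    """
    root = tempfile.mkdtemp(prefix="mirror-demo-")
    upstream = os.path.join(root, "upstream")
    os.makedirs(upstream)
    git(upstream, "init", "-q")
    git(upstream, "symbolic-ref", "HEAD", "refs/heads/main")
    for name in ("a.txt", "b.txt"):
        with open(os.path.join(upstream, name), "w") as fh:
            fh.write(f"{name}: constructed sample content\n")
    git(upstream, "add", "-A")
    git(upstream, "commit", "-q", "-m", "initial")
    with open(os.path.join(upstream, "c.txt"), "w") as fh:
        fh.write("c.txt: constructed sample content\n")
    git(upstream, "add", "-A")
    git(upstream, "commit", "-q", "-m", "second")
    _, known_good = git(upstream, "rev-parse", "HEAD")

    downstream = os.path.join(root, "downstream")
    subprocess.run(["git", "clone", "-q", upstream, downstream],
                   check=True, capture_output=True)

    if rewrite:
        git(upstream, "reset", "-q", "--hard", "HEAD~1")
        git(upstream, "rm", "-q", "-r", ".")
        git(upstream, "commit", "-q", "-m", "wipe")
    else:
        with open(os.path.join(upstream, "d.txt"), "w") as fh:
            fh.write("d.txt: constructed sample content\n")
        git(upstream, "add", "-A")
        git(upstream, "commit", "-q", "-m", "third")
    return downstream, known_good


def run_scenario(rewrite):
    """Build the scenario and run the downstream check against it."""
    downstream, known_good = build_scenario(rewrite)
    return inspect_remote_tip(downstream, known_good)


if __name__ == "__main__":
    for rewrite in (True, False):
        label = "rewritten history" if rewrite else "ordinary update"
        print(label, "->", run_scenario(rewrite))
```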

Steps Taken to Prevent Future Cyber Attacks

Following the incident, Gentoo has taken many actions to prevent such attacks in the future. These actions include:

  • Making frequent backups of its GitHub Organization.
  • Enabling two-factor authentication by default in Gentoo's GitHub Organization, which will eventually extend to all users of the project's repositories.
  • Working on an incident response plan, particularly for sharing information about a security incident with users.
  • Tightening up procedures around credential revocation.
  • Reducing the number of users with elevated privileges, auditing logins, and publishing password policies that mandate password managers.
  • Introducing support for hardware-based 2FA for Gentoo developers.

Currently, it is not known who was behind the Gentoo Hack. Gentoo did not say if the incident has been reported to law enforcement to hunt for the hacker(s).


Ticketmaster Suffers Security Breach – Personal and Payment Data Stolen

Global entertainment ticketing service Ticketmaster has admitted that it has suffered a security breach, warning customers that their personal and payment information may have been accessed by an unknown third party.

The company has blamed a third-party customer support chat application for the breach, which is believed to affect tens of thousands of its customers.

The customer support chat application, made by Inbenta Technologies—a third-party artificial intelligence supplier—is used to help major websites interact with their customers.

In its statement, Ticketmaster said it discovered malicious software on the customer support application hosted on its UK website that allowed attackers to extract the personal and payment information from its customers buying tickets.

Ticketmaster disabled the Inbenta product across all of its websites as soon as it recognized the malicious code.

However, Inbenta Technologies pushed the blame back onto Ticketmaster, saying that the ticketing service had deployed the chat application improperly on its website.

“Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster’s particular requirements,” Inbenta chief executive Jordi Torras said in a statement.

“This code is not part of any of Inbenta’s products or present in any of our other implementations. Ticketmaster directly applied the script to its payments page, without notifying our team.”

Inbenta said that by applying this JavaScript to the payment page, Ticketmaster presented attackers with "a point of vulnerability that affects the capacity for web forms to upload files," allowing attackers to locate, modify and use the script to "extract the payment information of Ticketmaster customers processed between February and June 2018."

Compromised information includes name, address, email address, telephone number, payment details and Ticketmaster login details of its customers.

“Forensic teams and security experts are working around the clock to understand how the data was compromised,” Ticketmaster said. “We are working with relevant authorities, as well as credit card companies and banks.”

Neither Ticketmaster nor Inbenta has said how many customers were affected by the incident, but the ticketing service did confirm that less than 5% of its global customer base was affected.

Inbenta says it is entirely confident that none of its other customers has been compromised in any way, and that the incident has "nothing to do with any of its industry-leading AI and machine learning products," which serve hundreds of customers on six continents.

“We can fully assure our customers and end-users that no other implementation of Inbenta across any of our products or customer deployments has been affected,” Inbenta said.

Ticketmaster said that it has emailed all affected customers and is offering those impacted a free 12-month identity monitoring service.

Affected customers are also advised to keep a close eye on their bank account transactions for signs of suspicious activity, and to notify their banks immediately if they find any.

Users are also advised to be cautious of any suspicious or unrecognised phone call, text message or email claiming that they must pay taxes or a debt immediately—even if the sender knows their personal details.


Email Phishers Using A Simple Way to Bypass MS Office 365 Protection

Security researchers have been warning about a simple technique that cyber criminals and email scammers are using in the wild to bypass most AI-powered phishing detection mechanisms implemented by widely used email services and web security scanners.

Dubbed ZeroFont, the technique involves inserting hidden words with a font size of zero into the actual content of a phishing email, keeping its visual appearance the same while making it look benign to email security scanners.

According to cloud security company Avanan, Microsoft Office 365 also fails to flag emails crafted with the ZeroFont technique as malicious.

Like Microsoft Office 365, many email and web security services use natural language processing and other AI-based machine learning techniques to identify malicious or phishing emails faster.

The technology helps security companies analyze, understand and derive meaning from unstructured text embedded in an email or web page by identifying text-based indicators, such as an email impersonating a popular company, phrases used to request payments or password resets, and more.


However, by inserting random zero-font-size characters into the indicator text of a phishing email, cybercriminals turn those indicators into unstructured garbage text, hiding them from the natural language processing engine.

The email therefore looks normal to the human eye, but Microsoft's filter reads the entire text, including the characters rendered at font size "0", and so sees only the garbage.

“Microsoft can not identify this as a spoofing email because it cannot see the word ‘Microsoft’ in the un-emulated version,” reads Avanan’s blog post. “Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user.”
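The defensive counterpart to the trick described above is to classify the text a recipient actually sees rather than the raw text. The following is an added example, not Avanan's or Microsoft's code: it parses a constructed sample message in which the brand name is broken up by zero-font-size spans, recovers the rendered text by dropping anything inside a font-size-0 element, and flags the message when hidden text changes which indicators match. The indicator list is a toy stand-in for a real classifier.

```python
"""Recover the text a recipient sees from an HTML e-mail before classifying it.

Added example (not Avanan's or Microsoft's code). Text inside any element whose
inline style sets font-size to 0, or inside a descendant of one, is treated as
hidden; the rest is what the reader sees. `raw` keeps all text in document order,
which is what a filter that ignores styling would read.
"""
import re
from html.parser import HTMLParser

# Constructed sample: "Microsoft" looks intact on screen but is split by hidden runs.
SAMPLE_HTML = """
<p>Your <span style="font-size:0px">x</span>Micro<span style="FONT-SIZE: 0">yq</span>soft
account will be suspended. <a href="http://example.invalid/login">Sign in</a> now.</p>
"""

# Toy indicator list standing in for a text classifier's features.
INDICATORS = ("microsoft", "sign in", "suspended")

# Matches a font-size declaration of zero in any unit (0, 0px, 0pt, 0.0em, ...).
ZERO_FONT = re.compile(r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)

# Elements that never have a closing tag and must not push onto the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


class RenderedTextExtractor(HTMLParser):
    """Collect visible, hidden and raw text fragments while walking the HTML."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self.raw = [], [], []
        self._hidden_stack = []  # one flag per open element: True if hidden

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self._hidden_stack) and self._hidden_stack[-1]
        self._hidden_stack.append(inherited or bool(ZERO_FONT.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()

    def handle_data(self, data):
        self.raw.append(data)
        if self._hidden_stack and self._hidden_stack[-1]:
            self.hidden.append(data)
        else:
            self.visible.append(data)


def normalize(parts):
    """Join fragments, collapse whitespace and lower-case for matching."""
    return re.sub(r"\s+", " ", "".join(parts)).strip().lower()


def analyze(html):
    """Return rendered and raw text plus the indicators found in each view.

    `suspicious` is set when hidden text exists and changes which indicators
    match: the ZeroFont case, where filter and reader see different messages.
    """
    parser = RenderedTextExtractor()
    parser.feed(html)
    parser.close()
    rendered, raw = normalize(parser.visible), normalize(parser.raw)
    in_rendered = [w for w in INDICATORS if w in rendered]
    in_raw = [w for w in INDICATORS if w in raw]
    return {
        "rendered": rendered,
        "raw": raw,
        "hidden_chars": sum(len(h) for h in parser.hidden),
        "indicators_rendered": in_rendered,
        "indicators_raw": in_raw,
        "suspicious": bool(parser.hidden) and in_rendered != in_raw,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_HTML)
    print("reader sees :", result["rendered"])
    print("filter reads:", result["raw"])
    print("suspicious  :", result["suspicious"])
```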

Besides the ZeroFont technique, Avanan also detected hackers using other similar tricks that involve Punycode, Unicode, or Hexadecimal Escape Characters in their phishing attacks.

Last month, researchers from the same company reported that cybercriminals had been splitting up malicious URLs in a way that the Safe Links security feature in Office 365 fails to recognise and rewrite, eventually redirecting victims to the phishing site.


New ‘Lazy FP State Restore’ Vulnerability Found in All Modern Intel CPUs

Hell Yeah! Another security vulnerability has been discovered in Intel chips that affects the processor's speculative execution technology—like Spectre and Meltdown—and could potentially be exploited to access sensitive information, including encryption-related data.

Dubbed Lazy FP State Restore, the vulnerability (CVE-2018-3665) within Intel Core and Xeon processors has just been confirmed by Intel, and vendors are now rushing to roll out security updates in order to fix the flaw and keep their customers protected.

The company has not yet released technical details about the vulnerability, but since it resides in the CPU, the flaw affects all devices running Intel Core-based microprocessors regardless of the installed operating system, except for some modern versions of Windows and Linux distributions.

As the name suggests, the flaw leverages a performance optimization feature called Lazy FP state restore, built into modern processors, which saves or restores the FPU state of each running application "lazily" when switching from one application to another, instead of doing so "eagerly."

“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch,” Intel says while describing the flaw.

“Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value.”

According to the Red Hat advisory, the numbers held in FPU registers could potentially be used to access sensitive information about the activity of other applications, including parts of cryptographic keys being used to secure data in the system.

All Intel microprocessors from Sandy Bridge onward are affected by this design blunder, which means a lot of people will once again need to apply patches as soon as they are rolled out.

However, it should be noted that, unlike Spectre and Meltdown, the latest vulnerability does not reside in the hardware, so the flaw can be fixed by pushing patches for the various operating systems without requiring new CPU microcode from Intel.

According to Intel, since the flaw is similar to Spectre Variant 3A (Rogue System Register Read), many operating systems and hypervisor software have already addressed it.

Red Hat is already working with its industry partners on a patch, which will be rolled out via its standard software release mechanism.

AMD processors are not affected by this issue.

Modern versions of Linux, from kernel 4.9 (released in 2016) onward, are not affected by this flaw; only systems running an older kernel are vulnerable.

Moreover, modern versions of Windows, including Server 2016, and the latest releases of OpenBSD and DragonFlyBSD are not affected by this flaw.

Microsoft has also published a security advisory, offering guidance for the Lazy FP State Restore vulnerability and explaining that the company is already working on security updates, but they will not be released until the next Patch Tuesday in July.

Microsoft says that Lazy restore is enabled by default in Windows and cannot be disabled, adding that virtual machines, the kernel and processes are all affected by this vulnerability. However, customers running virtual machines in Azure are not at risk.
