15.02.2018., 08:35
|
#269
|
McG
Join date: Feb 2014
Location: Varaždin
Posts: 8,176
|
Post-Meltdown Intel Tries to Save Face with $250,000 Bug Bounty Program
Quote:
Intel has launched a public bug bounty program with individual rewards going as far as $250,000, the company said today in a press release. Intel had previously run a bug bounty program, but that one was limited to submissions from a few selected security researchers only. The new bug bounty program will be hosted on the HackerOne platform, and Intel has opened up its hardware, firmware, and software products for the occasion.
Through its new bug bounty program, Intel is trying to wash away the image of a disastrous patching process. In reality, the new bug bounty program is nothing more than a PR move, and even if it had been in place last year, it wouldn't have helped. Intel received notice of the Meltdown and Spectre bugs in June 2017, but it took four months to notify downstream OEMs about issues — doing so in November. Despite this, when public disclosure came around, Intel did not have CPU microcode patches available for OEM vendors, and the Meltdown and Spectre flaws are still largely unpatched even today.
Even if news of the Meltdown and Spectre flaws became public a week before the planned public disclosure, Intel can't use this as an excuse. The problem wasn't researchers getting in contact with the company, nor Intel paying researchers for their findings, but Intel patching its damn hardware, which Intel miserably failed to do with a six-month disclosure deadline.
|
MeltdownPrime and SpectrePrime
Quote:
In a research paper bit boffins from Princeton University and chip designer nVidia describe variants of Meltdown and Spectre exploit code that can be used to conduct side-channel timing attacks. In short, the team have discovered new ways for malware to extract sensitive information, such as passwords and other secrets, from a vulnerable computer's memory by exploiting the Meltdown and Spectre design blunders in modern processors. The software mitigations being developed and rolled out to thwart Meltdown and Spectre attacks, which may bring with them performance hits, will likely stop these new exploits. Crucially, however, changes to the underlying hardware probably will not: that is to say, whatever Intel and its rivals are working on right now to rid their CPU blueprints of these vulnerabilities may not be enough. These fresh exploits attack flaws deeply embedded within modern chip architecture that will be difficult to engineer out. Before you panic: don't. No exploit code has been released.
|
In addition, Microsoft is introducing compiler-level changes for Spectre, while Red Hat, in a presentation, explains textbook-style how Meltdown and Spectre exploit modern (micro)architectures.
Last edited by: The Exiled. 15.02.2018. at 19:48.