MSI just got hit by a massive ransomware attack, but even worse – it lost a ton of critical data to the hackers!
MSI Hit By Ransomware Attack + Data Theft!
On 7 April 2023, MSI (Micro-Star International) was hit by a ransomware attack, in which the hackers allegedly exfiltrated 1.5 terabytes of source codes, BIOS firmware, private keys and other data from its servers.
In its terse regulatory filing with the Taiwan Stock Exchange (TWSE), MSI admitted that it was hacked, but did not detail the circumstances or nature of the attack.
After detecting some information systems being attacked by hackers, MSI’s IT department has initiated its information security defense mechanism and recovery procedures. The Company has also reported the anomaly to the relevant government authorities.
MSI claimed that the attack had “[no] significant impact our business in terms of financial and operational currently”, but said that it was “enhancing the information security control measures of its network and infrastructure to ensure data security.”
In a public statement, MSI also urged users to only obtain firmware / BIOS updates from its official website, and refrain from using other sources.
Hackers Demand $4 Million From MSI To Not Release Stolen Data
The MSI ransomware attack and data theft appear to be committed by the Money Message ransomware gang.
While MSI has apparently restored files encrypted by Money Message’s ransomware, the gang now has access to about 1.5 terabytes of critical MSI data.
According to BleepingComputer, chats between Money Message and an MSI representative show the gang demanding a ransom payment of $4 million. Otherwise, Money Message will release the stolen files.
To show that they did indeed steal those MSI files, Money Message posted screenshots of what they describe as MSI’s Enterprise Resource Planning (ERP) databases and files containing software source code, private keys, and BIOS firmware.
If Money Message releases MSI confidential data, it may not just be embarrassing for the Taiwanese company, it could allow other threat actors to use the source code and private keys to create malware targeting their customers.
In light of that, MSI users should only download and install software or BIOS firmware from the official MSI website.
Please Support My Work!
Support my work through a bank transfer / PayPal / credit card!
Name : Adrian Wong Bank Transfer : CIMB 7064555917 (Swift Code : CIBBMYKL)
Credit Card / Paypal : https://paypal.me/techarp
Dr. Adrian Wong has been writing about tech and science since 1997, even publishing a book with Prentice Hall called Breaking Through The BIOS Barrier (ISBN 978-0131455368) while in medical school.
He continues to devote countless hours every day writing about tech, medicine and science, in his pursuit of facts in a post-truth world.
Maybank just officially announced that it will fully migrate from SMS OTP to Secure2u, as part of efforts to crack down on scams!
Here is what you need to know…
Maybank To Fully Migrate SMS OTP To Secure2u!
On 28 September 2022, Maybank officially announced that it will fully migrate from SMS OTP to Secure2u, as part of efforts to crack down on scams!
By June 2023, all online activities or transactions involving account opening, fund transfers and payments, as well as changes to personal information or account settings, will require Secure2u authentication.
This announcement came after Bank Negara Malaysia (BNM) ordered banks to migrate from the SMS OTP (One Time Password) to more secure authentication methods.
We remain highly committed to helping our customers avoid being scammed by fraudsters. This is done through existing security measures that are already in place and as we progressively roll out more measures that can help deter or minimise the likelihood of customers falling prey to financial scams.
We are also supportive of Bank Negara Malaysia’s announcement on 26 September 2022 in relation to the five measures to be adopted by banks in Malaysia to ensure higher standards of security, especially for Internet and mobile banking services.
The banking industry is committed to working together to combat financial scams which are increasingly prevalent in today’s digitalised environment.
– Dato’ Khairussaleh Ramli, Group President & CEO of Maybank
Details Of How Maybank Secure2u Will Replace SMS OTP
Secure2u isn’t new. It was introduced in April 2017 as a more secure way for Maybank customers to authorise Maybank2u and MAE transactions using Secure Verification (one-tap approval) and Secure Transaction activation codes (a 6-digit TAC number generated in the app), as an alternative to SMS OTP.
Maybank also revealed some details of how Secure2u will be enhanced as it replaces SMS OTP :
Only one Secure2u device will be allowed per account holder (customer) to minimise the possibility of compromise by a third party
Maybank will alert the customer by SMS, a push notification, and an email when Secure2u is registered on a new device.
In Q4 2022, Maybank will introduce a cooling-off period whenever customers enable Secure2u on a different device. This cooling-off period will give customers the opportunity to verify and report to the bank in case of any unauthorised Secure2u registration on a new device.
In addition to Secure2u, Maybank is heeding BNM’s call for tightened fraud detection rules and triggers, and has in place a call-back verification process to alert customers of suspicious transactions.
Maybank has a dedicated 24/7 hotline for customers to report financial scams at +603-5891-4744. Customers are advised to call the hotline immediately, as soon as they suspect that their banking details have been compromised, or whenever they notice suspicious transactions, so their bank accounts can be suspended swiftly.
Alternatively, customers can also contact the general Maybank Customer Care Hotline at 1-300-88-6688 to report scams / fraud, or to seek assistance in suspending their bank accounts.
Finally, here are some tips from Maybank on how to protect yourself while using online platforms:
Avoid installing/downloading apps/Android Package Kit (APK) files or clicking on suspicious links sent via chat messages such as SMS, WhatsApp, Messenger or other similar services.
Do not provide permission for any app to send or view your SMSes.
Do not ignore any warnings from your devices, especially when downloading or installing a new file.
Do not enter your banking details, especially username or password, in any suspicious apps or websites.
Always keep your antivirus software updated for constant protection.
Only download apps from the genuine app stores such as Apple App Store, Google Play Store or Huawei AppGallery and not from a link.
Be alert if you are being prompted to download a file that is not compatible with your device i.e.: iPhone/iPad device being asked to use an Android device to download a file.
Always look out for your online banking security image and phrase (i.e.: Maybank2u security image and phrase), to ensure the website and app are legitimate.
Do not root or jailbreak your device.
Update your mobile device’s operating system (OS) and apps regularly.
Finally, we must all remember to NEVER share with anyone (not even bank employees) details of our bank accounts.
Please SHARE this article and these tips with your family and friends!
In this guide, I will share with you how to turn on two-step verification in Telegram.
Step 1 : Open Telegram.
Step 2 : Go to Options > Settings > Privacy and Security.
Step 3 : Tap on the Two-Step Verification option.
Step 4 : In the Two-Step Verification screen, tap on the Set Password option.
Step 5 : Key in your preferred password, which can be any combination of capital or small letters and numbers.
Step 6 : You will need to key the same password again, to confirm it.
Step 7 : Next, you can create a hint to remind you of your password. This is optional, and you can skip it if you prefer.
But if you key one in, the hint will be displayed whenever you are asked to key in the password in the future.
Step 8 : After that, you will have the option of adding a Recovery Email address, just in case your account is hijacked.
This is optional as well, but I highly recommend you add a recovery email, which is simply the email address you use.
Step 9 : If you entered a Recovery Email address, Telegram will now send you an email with a 6-digit code to verify that email address.
Step 10 : Look for the Telegram verification code email, and key in the 6-digit verification code.
That’s it! You’re done! From now on, you will be required to key in the password whenever you log into a new device.
This will prevent hackers / scammers from taking over your account, even if you accidentally give them the Login code you receive by SMS.
Can hackers use greeting photos and videos to hack your phone, and steal your data?
Take a look at the viral claim, and find out what the FACTS really are!
Claim : Greeting Photos + Videos Can Hack Your Phone!
People keep sharing this warning about greeting photos and videos, which claims that they can hack your phone and steal your data.
It’s a long message, so just skip to the next section for the facts!
Hello Family and friends,
Starting tomorrow, Please do not send network pictures. Look at the following article to understand. I’m going to stop too.
Please delete all photos and videos of Good morning, Evening and other greetings and religious messages as soon as possible. Read the following article carefully and you will understand why.
Read all! Please send this message urgently to as many friends as possible to prevent illegal intrusion.
Warning from Olga Nikolaevna’s lawyer:
Attention! For those who like to send Good morning! It’s a beautiful day! Good evening!
picture. Please do not send these good messages.
Today, Shanghai China International News sent out SOS to all subscribers and experts – advise: Do not send pictures and videos of good morning, good night, etc.
The report shows that hackers who designed these images, and these images and videos are beautiful, But there is a hidden phishing code, and when everyone sends these messages, hackers use your device to steal personal information, such as bank card information and data, and break into your phone.
It is reported that more than 500,000 victims have been defrauded.
If you want to say hello to others, please write your own greetings and send your own pictures and videos so that you can protect yourself and your family and friends.
Important ! To be safe, please be sure to delete all greetings and pictures on your phone. If someone has sent you such images, remove them from your device immediately. Malicious code takes some time to deploy, so if you take action immediately, there will be no harm done.
Tell all your friends to prevent being hacked.
Say hello in your own words and only send your own created images and videos to greet, which is completely safe for yourself, your family and friends. Please understand what I mean! Everyone has a bank card attached to their mobile phone, and everyone’s mobile phone has many contacts. This hack creates a threat not only to yourself, but to your phone, friends and acquaintances as well! This is brutal.
This is a new technique used by terrorists to visit your mobile phone SIM card, so that you become their accomplice!!!
* * * Send this message to as many of your relatives and friends as possible to stop any unauthorised intrusions!!!
Truth : Greeting Photos + Videos Cannot Hack Your Phone!
Many of us get spammed with Good Morning, Good Afternoon, Good Evening photos and videos every day from family and friends.
While they often clog up Facebook, Telegram and WhatsApp groups, they really cannot hack your phone. Here are the reasons why Good Morning messages are very irritating, but harmless…
Fact #1 : Shanghai China International News Does Not Exist
The news organisation that was claimed to be the source of this warning – Shanghai China International News – does not exist!
Fact #2 : Greeting Photos + Videos Not Created By Hackers
Hackers (from China or anywhere else) have better things to do than to create these greeting photos and videos.
They are mostly created by websites and social media influencers for people to share and attract new followers.
Fact #3 : No Fraud Involving Greeting Photos / Videos
There has been no known fraud involving Good Morning or Good Night messages, videos or pictures.
Certainly, half a million victims of such a scam would have made front page news. Yet there is not a single report on even one case… because it never happened.
Fact #4 : Image-Based Malware Is Possible, But…
Digital steganography is a method by which secret messages and other data can be hidden in digital files, like a photo or a video, or even a music file.
It is also possible to embed malicious code within a Good Morning photo, but it won’t be a full-fledged malware that can execute by itself.
At most, it can be used to hide the malware payload from antivirus scanners, which is pretty clever to be honest…
Fact #5 : Image-Based Malware Requires User Action
In January 2019, cybercriminals created an online advertisement with a script that appears innocuous and would pass any malware check.
However, the image itself has an “almost white” rectangle that is recognised by the script, triggering it to redirect the user to the cybercriminals’ website.
Once there, the victim is tricked into installing a Trojan disguised as an Adobe Flash Player update.
Such a clever way to bypass malware checks, but even so, this image-based malware requires user action.
You cannot get infected by the Trojan if you practice good “Internet hygiene” by not downloading or installing anything from unknown websites.
Fact #6 : Malicious Code Executes Immediately
If you accidentally download and trigger malware, it will execute immediately. It won’t wait, as the hoax message claims.
Deleting Good Morning or Good Night photos or videos will free up storage space in your phone, but it won’t prevent any malware from executing.
There is really no reason for malware to wait before it infects your devices. Waiting will only increase the risk of detection.
Whether the malware serves to take over your device, steal your information or encrypt it for ransom, it pays to do it at the first opportunity.
Now that you know the facts, please SHARE this article with your family and friends!
Please watch out for a new malware called SVCReady that is being embedded in Microsoft Word attachments!
Here is what you need to know about the new SVCReady malware!
Watch Out For SVCReady Malware In MS Word Documents!
HP Threat Research just uncovered a new malware called SVCReady, which it first picked up on 22 April 2022 through HP Wolf Security telemetry.
SVCReady is being distributed in phishing emails with Microsoft Word attachments. On opening the infected Word document, an embedded Visual Basic for Applications (VBA) AutoOpen macro is used to run shellcode stored in the properties of the document.
Splitting the macro from the shellcode is a way to evade security software that would normally detect the malicious code.
Document properties containing shellcode, namely a series of nop instructions as represented by 0x90 values. Credit : HP
The SVCReady malware begins by downloading and loading its payload from the web, and connecting to its Command and Control (C2) server.
It then starts gathering and sending information to the C2 server like :
The SVCReady malware also connects to its C2 server every 5 minutes to report its status, send information, receive new instructions, or validate the domain.
Currently, the malware appears to only gather and send information. However, that will change as the malware persists in the system, and is capable of receiving both updates and instructions from the C2 server.
In fact, the HP team observed SVCReady retrieve and load a RedLine stealer payload on an infected computer. It’s a sign of things to come.
The HP team believes that the SVCReady malware is still in early development, with an influx of updates adding features like encrypted C2 communications, and detection evasion.
They also found evidence linking SVCReady to past malware documents by the TA551 (Shatak) group from 2019 and 2020.
SVCReady will eventually be used for more nefarious purposes once it is good and ready. Until then, the malware will stay hidden, lurking and waiting for its master’s commands.
How To Avoid SVCReady Malware In MS Word Documents?
The HP team discovered that the malware creates a new registry key, which could serve as a signature for security software to detect it : HKEY_CURRENT_USER\Software\Classes\CLSID\{E6D34FFC-AD32-4d6a-934C-D387FA873A19}
But until security software is updated to detect SVCReady, the best way to avoid this malware is simple – do NOT open Word documents attached to emails!
If you regularly receive Word documents in your emails, please VERIFY with the sender before opening them.
These phishing emails are designed to look legitimate. So be very careful about what you open!
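As an added example (not code from HP’s report or from this article), the following PowerShell script turns the two detection clues above into a check a defender can run on a Windows 10 machine: it tests for the registry key the article names, and scans Word documents for the long run of 0x90 NOP bytes that the article describes in the document properties, whether stored as raw bytes or as hex text. The folder to scan and the minimum run length are assumptions.

```powershell
# Added example: check for the SVCReady registry key quoted in the article, and look for
# the 0x90 NOP sled it describes inside Word document properties. Heuristic only: a long
# NOP run is a reason to inspect the file, not proof of infection.

# Key path is the one quoted in the article; it lives under HKCU, so run this as the user
# who opened the suspicious document.
$SvcReadyKey = 'HKCU:\Software\Classes\CLSID\{E6D34FFC-AD32-4d6a-934C-D387FA873A19}'

function Test-SvcReadyRegistryKey {
    # Returns $true if the marker key exists in the current user's hive.
    return (Test-Path -LiteralPath $SvcReadyKey)
}

function Get-LongestNopRun {
    param([byte[]]$Bytes)
    # Length of the longest run of consecutive 0x90 bytes in the file.
    $longest = 0; $current = 0
    foreach ($b in $Bytes) {
        if ($b -eq 0x90) {
            $current++
            if ($current -gt $longest) { $longest = $current }
        } else {
            $current = 0
        }
    }
    return $longest
}

function Get-LongestHexNopRun {
    param([string]$Text)
    # Shellcode kept as text in a document property shows up as "909090...".
    # Returns the longest such run, measured in bytes (two hex digits each).
    $longest = 0
    foreach ($m in [regex]::Matches($Text, '(?i)(?:90){8,}')) {
        $len = [int]($m.Length / 2)
        if ($len -gt $longest) { $longest = $len }
    }
    return $longest
}

function Find-SuspiciousWordDocuments {
    param([string]$Path, [int]$MinNopRun = 32)   # threshold is an assumption
    # OLE-format .doc/.dot files store properties uncompressed, so the raw file can be
    # searched directly; OOXML .docm/.docx pack them inside a zip, so expand those first.
    Get-ChildItem -Path $Path -Recurse -File -Include *.doc,*.dot | ForEach-Object {
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        $raw   = Get-LongestNopRun -Bytes $bytes
        # Property text may be ASCII or UTF-16; decode both ways and keep the larger run.
        $hex = [Math]::Max(
            (Get-LongestHexNopRun -Text ([Text.Encoding]::ASCII.GetString($bytes))),
            (Get-LongestHexNopRun -Text ([Text.Encoding]::Unicode.GetString($bytes))))
        if ($raw -ge $MinNopRun -or $hex -ge $MinNopRun) {
            [pscustomobject]@{ File = $_.FullName; RawNopRun = $raw; HexNopRun = $hex }
        }
    }
}

# Usage (assumed scan folder):
if (Test-SvcReadyRegistryKey) {
    Write-Warning "SVCReady marker key present: $SvcReadyKey"
}
Find-SuspiciousWordDocuments -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```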
Apple just rushed out macOS Big Sur 11.2.3, iOS 14.4.1, iPadOS 14.4.1 and Safari 14.0.3 to patch a critical security bug.
Find out what they fix, and why you need to update your MacBook, iPhone and iPad right away!
Apple Rushes Out macOS, iOS, iPadOS, Safari Critical Bug Fixes!
Released on 8 March 2021, macOS Big Sur 11.2.3 patches only one bug, which may mislead users into thinking that it’s not very important.
WebKit
Available for: macOS Big Sur
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-1844: Clément Lecigne of Google’s Threat Analysis Group, Alison Huffman of Microsoft Browser Vulnerability Research
On the same day, Apple also released iOS 14.4.1 and iPadOS 14.4.1 – both patching the same CVE-2021-1844 vulnerability.
WebKit
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-1844: Clément Lecigne of Google’s Threat Analysis Group, Alison Huffman of Microsoft Browser Vulnerability Research
Apple also released Safari 14.0.3, which patches the same vulnerability for macOS Catalina and macOS Mojave :
WebKit
Available for: macOS Catalina and macOS Mojave
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-1844: Clément Lecigne of Google’s Threat Analysis Group, Alison Huffman of Microsoft Browser Vulnerability Research
Why Install These macOS, iOS, iPadOS, Safari Bug Fixes ASAP?
While they appear to only patch WebKit in macOS Big Sur, iOS, iPadOS and Safari, they are CRITICAL bug fixes that you need to install right away.
They patch the new CVE-2021-1844 vulnerability, which was discovered by Clément Lecigne of Google’s Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research.
This vulnerability allows a remote attacker to trigger a buffer overflow when the victim opens a specially-crafted web page, allowing the attacker to execute arbitrary code on the target system.
It is not known if this vulnerability has been exploited yet, but it is critical to install the new updates to prevent that from happening.
If you like our work, you can help support us by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!
Lazada just admitted to a data breach involving their RedMart customer database that could affect some 1.1 million customers!
Find out what happened, and what it could mean for Lazada and RedMart customers!
Lazada RedMart : What Is It?
RedMart is an online grocery platform in Singapore that was founded in August 2011.
Lazada acquired RedMart in November 2016, and started to integrate it into their platform in March 2019.
This March 2019 date is important, because that was when the RedMart database was last updated.
Lazada RedMart Data Breach : What Happened?
The Lazada RedMart database was spotted for sale in an online forum, amongst many other databases stolen from other e-commerce websites.
In this screenshot, you can see that it claims to have details on 1.1 million Lazada RedMart customers :
Email address
Password
Mailing address
Name
Phone number
Partial credit card information
Picture Credit : CNA
In a statement posted on 30 October 2020, Lazada confirmed the data breach involving their RedMart database.
They assert that only the old RedMart database was affected, and that it was “18 months out of date”, having last been updated in March 2019.
Singapore, 30 October 2020 – Lazada places great importance on protecting your personal information, and we value the trust you have placed with us. On 29 October 2020, as part of our proactive monitoring, our cybersecurity team discovered a data security incident in Singapore, involving a RedMart-only database hosted on a third-party service provider. The customer data hosted on this database is more than 18 months out of date as it was last updated in March 2019.
The customer information that was illegally accessed include the names, phone numbers, emails, addresses, encrypted passwords and partial credit card numbers of RedMart customers. We have taken immediate action to block unauthorised access to the database. This data was used on the previous RedMart app and website, which are no longer in use. Lazada customer data in Southeast Asia is not affected by this incident.
Protecting the data and privacy of our users is of utmost importance to us. Apart from reviewing and fortifying our security infrastructure, we are working very closely with the relevant authorities on this incident and remain committed to providing all necessary support to our users.
We want to be transparent about this incident with all of our customers and reassure you that we are taking it seriously.
They also set their platform to log out all Lazada users, and require them to register a new password.
They are also warning their users to be on the alert for spam mails requesting personal information.
Lazada RedMart Data Breach : What’s The Implication?
A Data Breach Is A Data Breach Is A Data Breach
Lazada may claim that the data and privacy of their users are of the utmost importance, but the data breach says otherwise.
They left a database they no longer used since March 2019 on a third-party service provider, and accessible online all this time.
Any half-decent cybersecurity specialist would have told them to take the database offline, unless it was essential to the operation of the website.
Closing The Barn Door After The Horses Have Bolted
Lazada immediately blocked unauthorised access to their RedMart database, but that’s like closing the barn door after the horses have bolted.
Once the data was stolen, all it does is prevent other attackers from stealing the data for themselves.
Lazada Migrated RedMart Users In March 2016
It seems a little disingenuous for Lazada to announce that the data was used in “the previous RedMart app and website, which are no longer in use”.
They appear to have migrated RedMart users to Lazada on 15 March 2016 using the same data that was just stolen.
Unless RedMart users changed their passwords, addresses, phone numbers, email addresses or credit card details AFTER they were migrated to the Lazada platform, they remain exposed by the data breach.
The Data Isn’t Necessarily Outdated
Most of us don’t change our logins and passwords that often. And we often reuse the same login and password combination for different websites.
So it is scant assurance that their RedMart database was last updated in March 2019, even if we take their word that it was more than 18 months out of date.
This data breach exposes all affected RedMart users to the possibility of their other accounts being breached as well.
Only Ex-RedMart Users Affected
The only saving grace we can see here is that it looks like only former RedMart users are affected by this data breach.
That means Lazada users who never registered or used the RedMart app or website are not affected.
Lazada RedMart Data Breach : What Can You Do?
If you ever registered for, or used, RedMart before their migration to the Lazada platform in March 2016, we highly recommend that you :
change your Lazada password
change the password of accounts that use the same password as your Lazada / RedMart account
do NOT click on links in emails warning you about this data breach and asking you to change your password
do NOT respond to calls or messages warning you about this data breach
do NOT respond to requests for personal information
VMware just announced that vSphere 7 Update 1 will add support for AMD SEV-ES encryption!
Find out what this means for enterprise security, and the future of AMD EPYC processors!
AMD SEV-ES Encryption : What Is It?
SEV-ES, short for Secure Encrypted Virtualization-Encrypted State, is a hardware-accelerated encryption capability in AMD EPYC processors.
Leveraging both the AMD Secure Processor and the AES-128 encryption engine built into every AMD EPYC processor, SEV-ES encrypts all CPU register contents when a virtual machine stops running.
This prevents the leakage of information from the CPU registers to components like the hypervisor. It can even detect malicious modifications to a CPU register state.
VMware vSphere 7 Now Supports AMD SEV-ES Encryption!
VMware vSphere 7 Update 1 adds support for both AMD SEV-ES and AMD EPYC processors.
ESXi has many layers of isolation within its virtualised infrastructure, but all of that is implemented in software. They still require a level of trust in the hardware, which is where AMD SEV-ES comes in.
A guest operating system that supports SEV can ask the AMD Secure Processor to issue it an encryption key, for full in-memory, in-hardware encryption.
SEV-ES extends that protection to CPU registers, so that the data inside the CPU itself is encrypted. This protects the data from being read or modified when the virtual machine stops running.
Even a compromised hypervisor that accesses the register data cannot make use of it, because it is now encrypted.
Needless to say, adding support for AMD SEV-ES in vSphere 7 will spur the uptake of AMD EPYC processors in the datacenter.
Even during the COVID-19 pandemic, hackers have been attacking the healthcare system already buckling under pressure.
Take a look at the first part of a newly-released documentary on how hackers are attacking the healthcare system, and what it means for us and the world!
How Hackers Attack Healthcare During COVID-19 Pandemic!
Cybercriminals and state-sponsored hackers do not care that almost a million people have died from COVID-19. In fact, they see the pandemic as an opportunity.
Over the last few months, the creators of this documentary spoke to hospitals, law enforcement agencies, health organisations and research centres across the world, to understand how they are coping with increased cyberattacks and malware.
This particular feature was directed by Didi Mae Hand, and produced by Max Peltz.
Hackers Increased Attacks On Healthcare During COVID-19 Pandemic
The documentary reveals a shocking surge in cyberattacks on healthcare systems during the COVID-19 pandemic. The World Health Organisation (WHO), for example, reported a 5X increase in cyberattacks on its systems since March 2020.
State-sponsored hackers are mainly looking for biodata, including research on COVID-19 vaccines. Meanwhile, cybercriminals are capitalising on the fact that hospitals may be more willing than usual to pay a ransom.
For example, the Brno University Hospital, which was responsible for running a big share of COVID-19 testing in the Czech Republic, was held to ransom and forced to shut down its IT network at a critical time.
Fortunately, the surge in cyberattacks was met with an incredible response by the cybersecurity community. Some 3000 cybersecurity volunteers created the CV19 group to provide hospitals and healthcare institutions with free support to protect their systems.
You may be wondering why your WD NAS is no longer visible in Windows 10.
Where did it go? How do you get it back?
Find out why your WD NAS can no longer be seen in Windows, and what the solutions are!
WD NAS Can’t Be Seen In Windows : What Happened?
You may have been using your WD NAS for some time, but one day, its network share – the “drive” that you directly access – can no longer be seen in Windows 10.
The NAS links in Windows File Explorer will only lead you to the login page for the WD NAS management page, not the actual drive where you can directly read, copy, write or edit your files.
All these NAS issues are happening because Microsoft disabled the Network Browse function from Windows 10 v1709 onwards.
The problems started after the Windows 10 Fall Creators Update 1709, which disabled both the SMB 1.0 protocol and guest access to network shares :
The Computer Browser service relies on the SMB 1.0 protocol to discover network devices and display them in the Windows Network Neighbourhood.
Disabling SMB 1.0 breaks the Computer Browser service, so it is automatically uninstalled and your NAS drives “disappear” from Network Neighbourhood.
Disabling guest access prevents guest or public access to your NAS drives, even to folders you specifically set to allow for public access. Hence, the Public folder they had access to earlier “disappears”.
Why Did Microsoft Disable Those Network Features?
The SMB1 network protocol was first implemented in Windows back in 1992, so it’s old… very old.
It’s so old that it lacks encryption. Everything transmitted via SMB1 can be captured and read, and even modified, by any attacker who gains access to the network.
Guest logins even on SMB2 do not support standard security features like signing and encryption. This makes them vulnerable to man-in-the-middle attacks.
That’s why Microsoft (finally) disabled them both, starting with the Windows 10 Fall Creators Update 1709.
WD NAS Can’t Be Seen In Windows : Before We Start…
Preliminary Step #1 : Update Your NAS
Before you do anything, you should log into your WD NAS management system and update its firmware, in case it’s not already set to automatically update.
Updating its firmware will ensure that your NAS supports at least SMB 2, if not SMB 3 as well.
WD NAS : Windows URL / macOS URL
My Cloud EX2100 : http://wdmycloudex2100 / http://wdmycloudex2100.local
My Cloud DL2100 : http://wdmyclouddl2100 / http://wdmyclouddl2100.local
My Cloud EX4100 : http://wdmycloudex4100 / http://wdmycloudex4100.local
My Cloud DL4100 : http://wdmyclouddl4100 / http://wdmyclouddl4100.local
Preliminary Step #2 : Use A Higher SMB Protocol
Then, enable the highest SMB protocol your WD NAS supports (Settings > Network). Set it to SMB 3 if possible.
This will ensure that both your WD NAS and your network support the most secure network protocol possible, for your security.
WD NAS Can’t Be Seen In Windows : The Solutions!
Best Solution : Map Your WD NAS By Device Name
The best way is to manually map your WD NAS by its device name. This lets you use the more secure SMB2 or SMB3 network protocols, with direct access to your files as usual.
Determine your WD NAS network path, which is based on the device name. If you changed your WD NAS device name to TechARPCloud (for example), the network name will be \\TechARPCloud. Here is a list of default network paths for different WD NAS :
WD NAS : Default Network Path
My Cloud Home, My Cloud Home Duo : \\MYCLOUD-last 6 digits of serial number (example : \\MYCLOUD-123456)
My Cloud : \\WDMYCLOUD
My Cloud Mirror, My Cloud Mirror Gen 2 : \\WDMYCLOUDMIRROR
My Cloud EX2 : \\WDMYCLOUDEX2
My Cloud EX2 Ultra : \\MYCLOUDEX2ULTRA
My Cloud EX4 : \\WDMYCLOUDEX4
My Cloud EX2100 : \\WDMYCLOUDEX2100
My Cloud EX4100 : \\WDMYCLOUDEX4100
My Cloud DL2100 : \\WDMYCLOUDDL2100
My Cloud DL4100 : \\WDMYCLOUDDL4100
My Cloud PR2100 : \\MYCLOUDPR2100
My Cloud PR4100 : \\MYCLOUDPR4100
Open Windows File Explorer and click on Network on the left pane.
Key in the network path of the WD NAS, which is based on its device name. Make sure you include \\ before the network path.
You will be asked to key in a user name and password.
This can be the administrator’s login, or the login of any registered user of your WD NAS.
Remember – Windows 10 no longer allows guest logins or public access. So you will need to create a password-protected account even for guests to use.
Once you successfully authenticate your user name and password, the network shares of your WD NAS will become visible in File Explorer under Network! You can stop here, but you will need to keep keying in the network path and login to access your NAS every time you boot into Windows.
For more convenience, you can create a password-protected Private Share. Start by right-clicking on a network share from your WD NAS and select Map network drive…
Select a drive letter for the network share.
Check Reconnect at sign-in if you don’t want to automatically log into the drive.
Then click Finish to map the drive.
That’s it! If you expand This PC in Windows File Explorer, you should now see that the WD NAS network drive has now been mapped by its device name!
Alternate Solution : Enable Network Discovery Without SMB1
This Windows 10 workaround can be used if your WD NAS supports SMB2 or SMB3 and you prefer not to map the network drives.
Go to Windows Services.
Start these two services :
– Function Discovery Provider Host
– Function Discovery Resource Publication
Set the Startup type for both those services to Automatic (Delayed Start).
Open Windows File Explorer and go to Network.
When prompted, enable Network Discovery.
Your WD NAS shares should now be visible in Windows File Explorer.
Worst Case Solution : Enable The SMB 1.0 Client
This should only be attempted if your WD NAS simply cannot support SMB2 or SMB3, and can only use SMB1.
Go to Control Panel > Programs.
Click on Turn Windows features on or off.
Expand the SMB 1.0/CIFS File Sharing Support option.
Check the SMB 1.0/CIFS Client option.
Click the OK button.
Restart Windows 10
After Windows 10 restarts, your WD NAS shares should now be visible in Windows File Explorer.
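As an added example (not from the original article), this PowerShell script checks the two settings the article says Windows 10 1709 changed, optionally starts the two Function Discovery services from the alternate solution, maps a NAS share by device name with a registered account, and then confirms the SMB dialect that was actually negotiated. The NAS name TechARPCloud, the share name Public and the drive letter Z: are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article). Verifies the Windows 10 SMB client
# state, maps a WD NAS share by device name and confirms the negotiated SMB dialect.
# The NAS name, share name and drive letter are assumptions; change them to match
# your own NAS. Run from an elevated PowerShell prompt.
$NasName    = 'TechARPCloud'   # WD NAS device name, e.g. WDMYCLOUDEX2100
$ShareName  = 'Public'         # a share on the NAS
$Drive      = 'Z:'             # drive letter to map it to
$RemotePath = "\\$NasName\$ShareName"

# 1. The SMB 1.0 client should stay off: SMB1 has no signing or encryption, so
#    anything on the wire can be read or altered by someone on the same network.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($smb1.State -eq 'Enabled') {
    Write-Warning 'SMB 1.0 is enabled. Keep it only if the NAS truly cannot do SMB2/SMB3.'
} else {
    Write-Host 'SMB 1.0 is disabled (good).'
}

# 2. Insecure guest logons should stay disabled: a guest session cannot be signed
#    or encrypted, which is why the mapping below uses a real NAS account.
$client = Get-SmbClientConfiguration
if ($client.EnableInsecureGuestLogons) {
    Write-Warning 'Insecure guest logons are enabled; disable them and use a password-protected NAS account instead.'
} else {
    Write-Host 'Insecure guest logons are disabled (good).'
}

# 3. Optional: the Function Discovery services that let Network list SMB2/SMB3
#    devices without SMB1 (the alternate solution). sc.exe is used because
#    Windows PowerShell 5.1's Set-Service has no delayed-auto startup option.
foreach ($svc in 'fdPHost', 'FDResPub') {
    sc.exe config $svc start= delayed-auto | Out-Null
    Start-Service -Name $svc -ErrorAction SilentlyContinue
}

# 4. Map the share by device name, authenticating as a registered NAS user.
$cred = Get-Credential -Message "Account on $NasName"
New-SmbMapping -LocalPath $Drive -RemotePath $RemotePath `
    -UserName $cred.UserName `
    -Password $cred.GetNetworkCredential().Password `
    -Persistent $true | Out-Null

# 5. Confirm which dialect was negotiated. Anything below 2.x means the NAS
#    firmware still needs updating and SMB2/SMB3 enabling (preliminary steps).
$conn = Get-SmbConnection -ServerName $NasName | Select-Object -First 1
if (-not $conn) {
    Write-Warning "No SMB connection to $NasName found."
} elseif ([version]$conn.Dialect -lt [version]'2.0') {
    Write-Warning "Connected with SMB $($conn.Dialect); update the NAS firmware and enable SMB2/SMB3."
} else {
    Write-Host "Mapped $RemotePath to $Drive using SMB $($conn.Dialect) (signed: $($conn.Signed), encrypted: $($conn.Encrypted))."
}
```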
The Kashi Mining Company has come under scrutiny for falsely using the photos of Malaysia’s Director-General of Health, as well as other notable Malaysians.
Find out what they did, and why it is a fake company website being used to scam people of their money!
Kashi Mining Company : Fake Company
Malaysia’s Director-General of Health, Tan Sri Dr Noor Hisham Abdullah, publicly announced that Kashi Mining Company has falsely used his picture, listing him as their COO.
It cast a spotlight on Kashi Mining Company, which claims to be an award-winning company based in Labuan that owns 5 gem mines around the world.
Their management team appears to be comprised of respectable-looking Malaysians. However, a closer look will reveal that Kashi Mining Company misappropriated photos of notable Malaysians :
Mohamed Lew (CEO) : That is really Mohamad Abdullah, the Senior Deputy Registrar of Universiti Sains Malaysia’s Student Affairs and Alumni Department.
Aidan Razif (COO) : That is really Tan Sri Dr Noor Hisham Abdullah, the Malaysia Director-General of Health.
Imran Sin (Managing Director) : That is really Alex Ng, Goodyear Malaysia’s Managing Director.
Umar Yow (Company Secretary) : That is really KM Liew, Director and Head of IT & Mobile, Samsung Malaysia.
A quick check of their company address and Google location (two slightly different locations in Labuan) showed that the company does not exist, at least at those locations.
Kashi Mining Company : Fake Website
The Kashi Mining Company website is not only full of bad grammar and spelling mistakes, the pictures used have also been misappropriated.
The pictures of the mining vehicles and mining operations have all been taken from companies like MEDATECH Engineering Services, MacLean Engineering, and Epiroc.
We added the scam alert overlay to prevent that screenshot from being abused. Needless to say, Kashi Mining Company does not have 250 staff manning 5 gem mines across the world.
A quick WHOIS check of their domain also reveals that this is a relatively new website, with the domain registered only in October 2019 :
Registered On : 2019-10-18
Expires On : 2020-10-18
Registrant Name : WhoisGuard Protected
IP Address : 104.194.10.93
Hosting Company : HostNowNow.com
Obviously, a genuine award-winning gem mining company would not have such a new website and domain.
In addition, they would not hide their contact details using a protection service like WhoisGuard.
Kashi Mining Company : Fake Procurement Scam!
The truth is the Kashi Mining Company does not exist, and their website is part of a fake procurement scam.
Popular in West African countries like Benin, Cameroon, and Nigeria, these scammers offer you a chance to bid on a contract for a large quantity of their products. Gems in this case.
They will offer you extremely good prices on their products, and use fake companies with websites like Kashi Mining Company to trick you into believing that they are genuine.
A different version of the scam flips the narrative – the scammers will offer to purchase large quantities of your products, like machinery.
Whether they offer to sell or purchase, you will be asked to pay some kind of processing fee or legal fees, by government authorities or their lawyers or even transportation companies.
All you need to know is that these are SCAMMERS out to cheat you of your money.
Don’t fall for their tricks. Make sure you WARN your family and friends!
Apple recently advised everyone not to cover the camera of their Mac laptops, and rely instead on the camera indicator light.
Find out why Apple is WRONG, and why you need to physically cover your Mac computer’s camera!
Mac Camera Cover : What Is It For?
Cybersecurity specialists have long advocated covering the built-in camera of your computers, not just MacBook laptops or Mac desktops, with a camera cover of some sort.
This prevents hackers from taking over that camera, and secretly recording you. This has implications beyond just recording your embarrassing moments for blackmail.
With access to your laptop camera, hackers can determine when you are away from home, who lives at your home, who you are working with, and even where you currently are.
Apple : Don’t Use A Camera Cover For Your Mac
In their recent HT211148 tech advisory, they asked Mac laptop (MacBook, MacBook Air, MacBook Pro) users not to use any camera cover.
Instead, they recommended that you use these two built-in features for your privacy :
A. The Green Camera Indicator Light
Apple points out that your Mac computer has a camera indicator light that glows green whenever the camera is active.
They also claimed that the camera is designed not to activate unless its indicator light is also turned on.
B. The Camera Access Control
As an additional measure built into macOS Mojave or later, you must give an app permission before it can use your Mac computer’s camera.
To view which apps have access to your Mac computer’s camera, and to revoke any app’s access :
On your Mac, choose Apple menu > System Preferences, click Security & Privacy, then click Privacy.
Select Camera.
Select the tickbox next to an app to allow it to access your camera. Deselect the tickbox to turn off access for that app. If you turn off access for an app, you’re asked to turn it on again the next time that app tries to use your camera.
Why Apple Is Wrong, And You Need To Cover Your Mac Camera!
Apple fans may hate us for this, but they are wrong. You must physically cover your Mac computer’s camera to protect yourself.
Hackers Always Disable The Indicator Light
Mac computers are not the only ones to feature an indicator light for their built-in cameras. Most computers with a built-in webcam have such an indicator light.
It is, therefore, SOP for hackers to disable the indicator light after gaining control of the camera. Camfecting attacks won’t work if you are aware that the camera is turned on…
Apple asserts that the camera and its indicator light on Mac computers are wired in series, so the camera won’t work if the indicator light is turned off.
However, a 2013 Johns Hopkins University paper showed how it was possible to disable the indicator light of a Mac computer’s webcam, even though the camera module had a “hardware interlock”.
This isn’t just an obscure research subject. The FBI has the capability to covertly activate a computer’s camera without triggering the indicator light, according to Marcus Thomas, the former assistant director of FBI’s Operational Technology Division.
The only ways to prevent such attacks would be to either turn off your computer, or physically cover the camera.
Hackers Won’t Ask You For Permission
Security researcher Ryan Pickren showed in April 2020 how seven flaws in Apple Safari can let malicious websites hijack your camera and microphone to spy on you.
All you have to do is click on a link, and it lets the malicious website gain access to your webcam without asking for permission.
So much for the Mac Camera Access Control feature…
You May Not Notice The Light
Even if the camera indicator light is not disabled, it doesn’t mean you will immediately realise when the light turns on.
By the time you realise the green light is actually glowing, it may already be too late.
This is partly because it emits a steady glow, and doesn’t blink. Of course, a blinking light is bloody irritating, but we are more likely to notice it than a static green glow.
The only way to prevent that is to physically cover the camera.
Hackers Can Turn On Sleeping Or Hibernating Computers
Don’t assume that just because your Mac computer is sleeping or hibernating, hackers cannot access its camera.
They can potentially wake your computer, turn on the camera and record from it, with the indicator light turned off.
Security researcher Pedro Vilaça showed in 2015 how it was possible to remotely “root” and take over a Mac computer after it wakes up from sleep mode of 30 seconds or longer.
Irrespective of the method used, once hackers gain control of your computer, they can turn on its Wake On LAN (WOL) feature to remotely wake up your computer, like what the Ryuk ransomware does.
The only way to prevent that is to turn off your computer, or physically cover the camera.
Cybercriminals Can Trick You With A Fake Blackmail
Even if cybercriminals are unable to access your camera, they can still trick you into believing they somehow took compromising photos or videos from it.
They send out thousands of spam emails every day to trick people into believing they have been caught on camera.
People who don’t use a camera cover can be convinced into believing that their webcams were somehow compromised, and tricked into paying up to avoid exposure.
The only way to prevent that is to physically cover the camera.
The Best Way To Cover Your Mac Computer Camera
While we strongly advise you to cover your Mac computer camera, that does not mean you should risk damaging your display.
According to Apple, we should not use any camera cover that is more than 0.1 mm thick. That basically rules out any camera cover, because it is impossible to make one that thin.
They also advise against using anything that leaves an adhesive residue. So that means cellophane tape (Scotch tape) and packaging tape should be avoided.
So here are the best options for you to consider, based on your requirements :
If you don’t intend to use the camera at all
a) Use your laptop in clamshell mode, with a separate monitor, keyboard and mouse
b) Cover the camera with masking tape, which is gentle and leaves no residue
If you plan to use the camera
– Cut a small piece of sticky note, so that there is an adhesive part and a non-adhesive part.
– Alternatively, cut a piece of masking tape, and fold part of it to create a non-adhesive portion.
– Cover the camera with the adhesive part
– You can then use the non-adhesive portion to pull it off whenever you need to use the camera
Desktop Computers (iMac, iMac Pro)
Desktop computers like the iMac or iMac Pro don’t have to worry about damaging their displays with camera covers of any thickness.
We therefore recommend using a proper camera cover that slides to let you use the camera whenever you want to, and physically cover it whenever you don’t.
Just make sure the camera cover does not use excessively strong adhesive, or leaves a residue that will require using solvent to remove, which could damage the display coating!
Google recently introduced Confidential Computing, with Confidential VM as the first product, and it’s powered by 2nd Gen AMD EPYC!
Here’s an overview of Confidential Computing and Confidential VM, and how they leverage the 2nd Gen AMD EPYC processor!
Google Cloud Confidential Computing : What Is It?
Google Cloud encrypts customer data while it’s “at-rest” and “in-transit“. But that data must be decrypted before it can be processed.
Confidential Computing addresses that problem by encrypting data in-use – while it’s being processed. This ensures that data is kept encrypted while in memory and outside the CPU.
Google Cloud Confidential VM, Powered By 2nd Gen AMD EPYC
The first product that Google is unveiling under its Confidential Computing portfolio is Confidential VM, now in beta.
Confidential VM basically adds memory encryption to the existing suite of isolation and sandboxing techniques Google Cloud uses to keep their virtual machines secure and isolated.
This will help customers, especially those in regulated industries, to better protect sensitive data by further isolating their workloads in the cloud.
Google Cloud Confidential VM : Key Features
Powered By 2nd Gen AMD EPYC
Google Cloud Confidential VM runs on N2D series virtual machines powered by the 2nd Gen AMD EPYC processors.
It leverages the Secure Encrypted Virtualisation (SEV) feature in 2nd Gen AMD EPYC processors to keep VM memory encrypted with a dedicated per-VM instance key.
These keys are generated and managed by the AMD Secure Processor inside the EPYC processor, during VM creation and reside only inside the VM – making them inaccessible to Google, or any other virtual machines running on the host.
Your data will stay encrypted while it’s being used, indexed, queried, or trained on. Encryption keys are generated in hardware, per virtual machine and are not exportable.
Confidential VM Performance
Google Cloud worked together with the AMD Cloud Solution team to minimise the performance impact of memory encryption on workloads.
They added support for new OSS drivers (nvme and gvnic) to handle storage traffic and network traffic with higher throughput than older protocols, thus ensuring that Confidential VM will perform almost as fast as a non-confidential VM.
Easy Transition
According to Google, transitioning to Confidential VM is easy – all Google Cloud Platform (GCP) workloads can readily run as a Confidential VM whenever you want to.
Available OS Images
In addition to the hardware-based inline memory encryption, Google built Confidential VM on top of Shielded VM, to harden your OS image and verify the integrity of your firmware, kernel binaries and drivers.
Google currently offers images of Ubuntu 18.04, Ubuntu 20.04, Container Optimized OS (COS v81), and RHEL 8.2.
They are currently working with CentOS, Debian and other distributors to offer additional OS images for Confidential VM.
In his first prediction for Earth 2050, Eugene Kaspersky believes that AI digital intuition will deliver cyberimmunity by 2050. Do YOU agree?
What Is Earth 2050
Earth 2050 is a Kaspersky social media project – an open crowdsourced platform, where everyone can share their visions of the future.
So far, there are nearly 400 predictions from 70+ visionaries, including futurologist Ian Pearson, astrophysicist Martin Rees, venture capitalist Steven Hoffman, architect-engineer Carlo Ratti, writer James Kunstler and sci-fi writer David Brin.
Eugene himself dabbles in cyberdivination, and shares with us, a future of cyberimmunity created by AI digital intuition!
Eugene Kaspersky : From Digital Intuition To Cyberimmunity!
In recent years, digital systems have moved up to a whole new level. No longer assistants making life easier for us mere mortals, they’ve become the basis of civilization — the very framework keeping the world functioning properly in 2050.
This quantum leap forward has generated new requirements for the reliability and stability of artificial intelligence. Although some cyberthreats still haven’t become extinct since the romantic era around the turn of the century, they’re now dangerous only to outliers who for some reason reject modern standards of digital immunity.
The situation in many ways resembles the fight against human diseases. Thanks to the success of vaccines, the terrible epidemics that once devastated entire cities in the twentieth century are a thing of the past.
However, that’s where the resemblance ends. For humans, diseases like the plague or smallpox have been replaced by new, highly resistant “post-vaccination” diseases; but for the machines, things have turned out much better.
This is largely because the initial designers of digital immunity made all the right preparations for it in advance. In doing so, what helped them in particular was borrowing the systemic approaches of living systems and humans.
One of the pillars of cyber-immunity today is digital intuition, the ability of AI systems to make the right decisions in conditions where the source data are clearly insufficient to make a rational choice.
But there’s no mysticism here: Digital intuition is merely the logical continuation of the idea of machine learning. When the number and complexity of related self-learning systems exceeds a certain threshold, the quality of decision-making rises to a whole new level — a level that’s completely elusive to rational understanding.
An “intuitive solution” results from the superimposition of the experience of a huge number of machine-learning models, much like the result of the calculations of a quantum computer.
So, as you can see, it has been digital intuition, with its ability to instantly, correctly respond to unknown challenges that has helped build the digital security standards of this new era.
Sophos just released their analysis of the MegaCortex ransomware whose speed and spread of attack are very worrying! Get the key details about MegaCortex and how to prevent an attack!
What Is Megacortex?
MegaCortex is a new ransomware that was rarely seen until it suddenly spiked in volume in May 2019. Similar to infamous ransomware like Ryuk and BitPaymer, it is now spreading rapidly in these countries :
US
Canada
Argentina
Italy
The Netherlands
France
Ireland
Hong Kong
Indonesia
Australia
Why Is MegaCortex Dangerous?
Ransomware attacks are usually carried out in 3 ways:
Manual attacks
Automated attacks
Blended attacks
Unlike Ryuk and BitPaymer, MegaCortex is controlled by cybercriminals using more automated tools, and designed to spread infection to many victims at a much faster speed.
What Does MegaCortex Demand?
Unlike other ransomware attacks, MegaCortex has no clear ransom demands.
All it does is invite its victims to email the attackers at either of two free email addresses, attaching a file that had been dropped onto the victim’s hard disk drive, to request decryption services.
The ransom note includes “a guarantee that your company will never be inconvenienced by us“. On top of that, if the victim pays the ransom, “You will also receive a consultation on how to improve your companies cyber security“.
How sweet of them.
How To Protect Against MegaCortex
Sophos recommends the following steps to protect your business from MegaCortex and the threat of ransomware attacks in general :
Companies are cautioned to be on the highest alert should they see warning signs about Emotet or Qbot, as there is strong correlation between MegaCortex and the two ransomwares.
Place the company Remote Desktop Protocol (RDP) machine behind a Virtual Private Network (VPN)
Practice two-factor authentication for systems logins
Regular backup of important and current data on an offline storage device
Secureworks just launched Red Cloak TDR at Dell Technologies World 2019 in Las Vegas! Here is a primer on the Secureworks Red Cloak TDR cybersecurity service!
SecureWorks Launches Red Cloak TDR
At Dell Technologies World 2019, Secureworks, a Dell Technologies subsidiary, unveiled Red Cloak TDR, their software-as-a-service (SaaS) app that allows companies to securely manage their own cybersecurity measures.
Developed with over 20 years of field experience in cybersecurity, Red Cloak TDR offers a new way for companies to detect, investigate and respond to online threats such as malware, ransomware etc. Unlike other cybersecurity services, it is aided by deep learning, and machine learning.
The AI assistance helps it quickly detect new and unknown online threats, while reducing false alarms. It also helps cybersecurity teams focus on the real or high-risk threats.
How Secureworks Red Cloak TDR Will Transform Cybersecurity
Cybersecurity threats can go undetected for hundreds of days in the gaps and disconnected layers of security products. This is particularly problematic with apps and services that are not updated on a daily or even hourly basis.
Red Cloak TDR Is Cloud-Native
As a cloud-native application, it can be quickly updated after investigations reveal a new threat. In addition, the service includes the following features :
Intuitive workflows
Automation
Chat feature
Access to Secureworks’ cybersecurity team and network
Software-as-a-Service
As a software-as-a-service (SaaS) app, there is no hassle of installing on-site hardware or software system version upgrades. All updates, back-ups and tuning will be covered by the Red Cloak TDR app.
The app does not charge by data consumption like some apps, so users are free to process and manage all the security data they need to protect their organisation. The app is also designed to integrate into the organisation’s own control framework.
Lenovo recently introduced ThinkShield – a complete end-to-end security solution to keep all of their devices secure throughout their life cycle. Join us for the official Lenovo ThinkShield tech briefing by Thorsten Stremlau!
The Lenovo ThinkShield Tech Briefing
Lenovo ThinkShield is a comprehensive suite of hardware, software and policies that are designed to protect Lenovo devices from the design and manufacturing stages, and all the way through their lifespans.
Thorsten Stremlau, Lenovo Commercial Chief Technology Officer, flew in to give us a briefing on Lenovo ThinkShield. Check it out!
Lenovo ThinkShield Secures Devices through the Entire Lifecycle
From secure BIOS and firmware development to features like ThinkPad Privacy Guard security screens and the industry’s first laptop camera shutters, Lenovo builds protection into its products.
Security doesn’t stop at design: Lenovo has unique control over its global supply chain, setting strict security standards and policies for its manufacturing facilities.
Lenovo’s strategic partnership with Intel has enabled them to align with the Intel Transparent Supply Chain, which allows customers to locate the source of each component of their new system.
Lenovo oversees the security of suppliers who build intelligent components, making sure they conform to rigorous Trusted Supplier Program guidelines and best practices. For an extra layer of transparency, Lenovo Quality Engineers can audit suppliers at any time.
Lenovo ThinkShield Protects Users’ Identities and Credentials
A founding member of FIDO®, Lenovo offers the industry’s first and only FIDO-certified authenticators—plus match-on-chip fingerprint technology—to give companies safer, easier ways to protect their employees’ identities.
An industry-leading level of integration with Intel Authenticate—up to 7 authentication factors—offers greater security and flexibility than vendors providing fewer authentication methods.
BIOS-based Smart USB protection allows IT professionals to configure USB ports to respond only to keyboards and pointing devices, keeping employees’ PCs safer.
Lenovo ThinkShield Protects Users Online
Lenovo WiFi Security, in partnership with Coronet, detects threats and notifies users when they are about to connect to unsafe wireless networks.
BUFFERZONE technology isolates online threats before they infect the whole organization.
Lenovo Endpoint Management, powered by MobileIron, provides a secure, simple way to unify cloud and endpoint security across multiple devices.
Lenovo ThinkShield Protects Users’ Data
Absolute Persistence technology provides IT admins with an unbreakable connection to all of their devices so they can leverage enriched asset intelligence, automate endpoint hygiene and stay audit-ready with continuous compliance.
Once devices reach the end of their lifecycle, Lenovo keeps potentially sensitive data secure by wiping the drives and securely recycling the parts.
Lenovo offers a paid Keep Your Drive service that ensures sensitive information never leaves customers’ hands.
The recently-discovered RyzenFall, MasterKey, Fallout and Chimera security flaws affecting AMD’s latest processor platforms are ruining the AMD Ryzen 2 pre-launch vibes. So it’s no surprise to see AMD working hard to fix the vulnerabilities.
In this article, we will share with you the latest AMD mitigation options for the RyzenFall, MasterKey, Fallout and Chimera security vulnerabilities.
What’s Really Affected?
While it is accurate to say that the AMD Ryzen and AMD EPYC processors are affected by RyzenFall, MasterKey, Fallout and Chimera, these vulnerabilities do not affect the actual processor cores. Neither are they related to the Zen microarchitecture.
Instead, the new RyzenFall, MasterKey, Fallout and Chimera security vulnerabilities are found in:
the AMD Secure Processor (integrated into the new Ryzen and EPYC processors), and
the AMD Promontory chipsets that are paired with Ryzen and Ryzen Pro desktop processors.
The AMD Promontory chipset is used in many Socket AM4 desktop, and Socket TR4 high-end desktop (HEDT) platforms.
AMD EPYC, Ryzen Embedded, and Ryzen Mobile platforms do not use the Promontory chipset.
The AMD RyzenFall, MasterKey, Fallout + Chimera Mitigations
RyzenFall + Fallout
Issue : An attacker with administrative access can write to the AMD Secure Processor (PSP) registers to exploit vulnerabilities in the interface between the x86 processor core and AMD Secure Processor.
Impact : The attacker can circumvent security controls to install difficult-to-detect malware in the x86 System Management Mode (SMM). The access is not persistent across reboots.
Planned Mitigations : AMD will issue AMD Secure Processor firmware patches through BIOS updates in coming weeks. No performance impact is expected.
MasterKey (PSP Privilege Escalation)
Issue : An attacker with administrative access can write malicious firmware updates, without the AMD Secure Processor (PSP) detecting the “corruption”.
Impact : The attacker can circumvent security controls to install difficult-to-detect malware. These changes are persistent, even following a system reboot.
Planned Mitigations : AMD will issue AMD Secure Processor firmware patches through BIOS updates in coming weeks. No performance impact is expected.
Chimera
Issue : An attacker with administrative access can install a malicious driver to access certain features in the AMD Promontory chipset.
Impact : The attacker can access physical memory through the Promontory chipset. The attacker can also install difficult-to-detect malware in the chipset, but this is not persistent across reboots.
Planned Mitigations : AMD will issue chipset patches through BIOS updates in coming weeks. No performance impact is expected.
If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!
The speculative execution CPU bug that literally kneecapped Intel, also affects many AMD and ARM processors. This means BILLIONS of CPUs around the world, including those powering smartphones, are affected by Meltdown and/or Spectre.
Our article Everything On The Meltdown + Spectre CPU Flaws! summarises the key details of the speculative execution bug, and what we can do about it. This guide is to help those who want a full list of affected CPUs. Because we intend this to be an exhaustive list, we split it into multiple sections.
Article Update History
Updated @ 2018-03-07 : Added a new list of 5 IBM z/Architecture CPUs. Added a new list of 22 VIA desktop and mobile CPUs. Added 1 ARM mobile CPU, 1 Intel server CPU, and 1 Intel mobile CPU. Also added 20 mobile SoCs, 9 digital TV or media player SoCs, and 43 industrial SoCs.
Updated @ 2018-02-15 : Added 96 Intel server CPUs, 91 Intel desktop CPUs, and 127 Intel mobile CPUs.
Updated @ 2018-02-07 : Added 128 AMD server CPUs, 11 AMD workstation CPUs, 128 AMD desktop CPUs, and 59 AMD mobile CPUs.
Updated @ 2018-02-02 : Added 11 Intel server CPUs, 96 AMD server CPUs, 168 AMD desktop CPUs, 77 AMD mobile CPUs, 10 IBM POWER CPUs, 9 HiSilicon Kirin mobile SoCs, 10 MediaTek mobile SOCs, 4 MediaTek digital TV SoCs, and 6 NVIDIA devices to the lists of vulnerable CPUs.
Updated @ 2018-01-14 : Added 416 Intel server CPUs, 8 Intel desktop CPUs, and 29 Intel mobile CPUs to the lists of vulnerable CPUs. Added a new list of 51 Intel mobile SoCs.
Updated @ 2018-01-12 : Added 71 AMD server CPUs, 71 AMD desktop CPUs, 29 AMD mobile CPUs and 3 AMD server SoCs based on a vulnerable ARM CPU. Also added a table summarising the number of vulnerable processors.
Updated @ 2018-01-11 : Added 18 Intel desktop CPUs and 165 Intel server / workstation CPUs. Also added a list of vulnerable Apple iOS devices, and expanded the list of vulnerable mobile SoCs used by smartphones.
Originally posted @ 2018-01-08
What Are Meltdown And Spectre?
Meltdown and Spectre are two exploits that take advantage of three variants of the speculative execution bug that affects billions of CPUs around the world.
The Spectre exploit targets Variants 1 and 2 of the CPU bug, while the Meltdown exploit targets Variant 3.
The CPUs Vulnerable To Meltdown / Spectre Updated!
For easy reference, we divided the affected CPUs by Company (arranged ALPHABETICALLY – no conspiracy, we promise), and subsequently by Segment (Workstation / Desktop / Mobile), or affected variants.
As of Revision 8.0, we believe we have covered all of the affected AMD, Apple, ARM, IBM, Intel and VIA CPUs. But we will add more CPUs (and devices) as and when they’re noted to be vulnerable to the Meltdown and Spectre exploits.
Note : It’s arguable that all CPUs that use speculative execution to any degree are potentially vulnerable to Meltdown, Spectre or a future exploit. We will only focus on CPUs that are confirmed to be vulnerable to Meltdown or Spectre.
Vulnerable CPUs By The Numbers Updated!
Here is a quick summary of the number of CPUs vulnerable to Meltdown or Spectre, according to the company, and the type of processor.
| Company | Spectre 1 | Spectre 2 | Meltdown |
|---|---|---|---|
| AMD | 295 Server CPUs; 42 Workstation CPUs; 396 Desktop CPUs; 208 Mobile CPUs | 295 Server CPUs; 42 Workstation CPUs; 396 Desktop CPUs; 208 Mobile CPUs | None |
| Apple | 13 Mobile SoCs | 13 Mobile SoCs | 13 Mobile SoCs |
| ARM | 10 Mobile CPUs; 3 Server SoCs | 10 Mobile CPUs; 3 Server SoCs | 4 Mobile CPUs; 3 Server SoCs |
| IBM | 5 z/Architecture CPUs; 10 POWER CPUs | 5 z/Architecture CPUs; 10 POWER CPUs | 5 z/Architecture CPUs; 10 POWER CPUs |
| Intel | 733 Server / Workstation CPUs; 443 Desktop CPUs; 584 Mobile CPUs; 51 Mobile SoCs | 733 Server / Workstation CPUs; 443 Desktop CPUs; 584 Mobile CPUs; 51 Mobile SoCs | 733 Server / Workstation CPUs; 443 Desktop CPUs; 584 Mobile CPUs; 51 Mobile SoCs |
Affected Variants : AMD CPUs are affected by both Variants 1 and 2 of the speculative execution CPU bug. Colloquially, many people refer to them as Spectre 1 and Spectre 2.
The AMD Workstation CPUs Vulnerable To Spectre
Affected Variants : AMD CPUs are affected by both Variants 1 and 2 of the speculative execution CPU bug. Colloquially, many people refer to them as Spectre 1 and Spectre 2. They are not vulnerable to Meltdown.
AMD Summit Ridge (2017)
AMD Ryzen Threadripper 1950X
AMD Ryzen Threadripper 1920X
AMD Ryzen Threadripper 1900X
AMD Vishera (2012)
AMD FX-9590
AMD FX-9370
AMD FX-8370E
AMD FX-8370
AMD FX-8350
AMD FX-8320E
AMD FX-8320
AMD FX-8310
AMD FX-8300
AMD FX-6350
AMD FX-6300
AMD FX-6200
AMD FX-4350
AMD FX-4320
AMD FX-4300
AMD Zambezi (2011)
AMD FX-8170
AMD FX-8150
AMD FX-8140
AMD FX-8120
AMD FX-8100
AMD FX-6130
AMD FX-6120
AMD FX-6100
AMD FX-4170
AMD FX-4150
AMD FX-4130
AMD FX-4120
AMD FX-4100
AMD Windsor (2006)
AMD Athlon 64 FX-74
AMD Athlon 64 FX-72
AMD Athlon 64 FX-70
AMD Athlon 64 FX-62
AMD Toledo (2005)
AMD Athlon 64 FX-60
AMD San Diego (2005)
AMD Athlon 64 FX-57
AMD Athlon 64 FX-55
AMD Clawhammer (2004)
AMD Athlon 64 FX-55
AMD Athlon 64 FX-53
AMD Sledgehammer (2003)
AMD Athlon 64 FX-53
AMD Athlon 64 FX-51
AMD Desktop CPUs Vulnerable To Spectre
Affected Variants : AMD CPUs are affected by both Variants 1 and 2 of the speculative execution CPU bug. Colloquially, many people refer to them as Spectre 1 and Spectre 2. They are not vulnerable to Meltdown.
AMD Mobile CPUs Vulnerable To Spectre
Affected Variants : AMD CPUs are affected by both Variants 1 and 2 of the speculative execution CPU bug. Colloquially, many people refer to them as Spectre 1 and Spectre 2. They are not vulnerable to Meltdown.
The Apple CPUs Vulnerable To Meltdown / Spectre
Apple makes custom processors based on the ARM microarchitecture. They have not released specific information on which of their processors are affected by which exploit, but this is what we know so far.
Affected Variants : Apple only issued a general notice that their processors are affected by both Meltdown and Spectre, not the specific variants.
Apple A4
Apple A5
Apple A5X
Apple A6
Apple A6X
Apple A7
Apple A8
Apple A8X
Apple A9
Apple A9X
Apple A10 Fusion
Apple A10X Fusion
Apple A11 Bionic
Vulnerable iOS or tvOS Devices : Apple was vague about the iOS devices that were affected, but based on the affected CPU cores, here are the iOS devices that are vulnerable to Meltdown and Spectre :
Apple TV 2nd Generation, 3rd Generation, 4th Generation and 5th Generation
The ARM CPUs Vulnerable To Meltdown / Spectre
ARM CPUs Vulnerable To All Three Variants
Affected Variants : Variants 1 and 2, and either Variant 3 or Variant 3a, of the speculative execution CPU bug. They are vulnerable to Meltdown and both variants of Spectre.
ARM Cortex-A75
ARM Cortex-A72
ARM Cortex-A57
ARM Cortex-A15
Mobile SoCs Using These ARM CPUs (Not Exhaustive)
HiSilicon Kirin 955
HiSilicon Kirin 950
HiSilicon Kirin 928
HiSilicon Kirin 925
HiSilicon Kirin 920
MediaTek Helio X27 (MT6797X)
MediaTek Helio X25 (MT6797T)
MediaTek Helio X23 (MT6707D)
MediaTek Helio X20 (MT6797)
MediaTek MT8173
MediaTek MT8135 / MT8135V
MediaTek MT6795
NVIDIA Tegra X2
NVIDIA Tegra X1
NVIDIA Tegra K1
NVIDIA Tegra 4
Qualcomm Snapdragon 845
Qualcomm Snapdragon 810 / 808
Qualcomm Snapdragon 670
Qualcomm Snapdragon 653 / 652 / 650
Qualcomm Snapdragon 640
Samsung Exynos 7420
Samsung Exynos 5800
Samsung Exynos 5433
Samsung Exynos 5422 / 5420
Samsung Exynos 5410
Samsung Exynos 5260
Samsung Exynos 5250
Samsung Exynos 5 Dual (Exynos 5250)
AMD Server SoCs Using These ARM CPUs
AMD Opteron A1170
AMD Opteron A1150
AMD Opteron A1120
NVIDIA Devices Using These ARM CPUs (Not Exhaustive)
NVIDIA SHIELD TV (ARM Cortex-A57)
NVIDIA SHIELD Tablet (ARM Cortex-A15)
NVIDIA Jetson TX2 (ARM Cortex-A57)
NVIDIA Jetson TX1 (ARM Cortex-A57)
NVIDIA Jetson TK1 (ARM Cortex-A15)
NVIDIA Jetson Tegra K1 (ARM Cortex-A15)
Digital TV / Media Player SoCs Using These ARM CPUs (Not Exhaustive)
Rockchip RK3399
Industrial SoCs Using These ARM CPUs (Not Exhaustive)
Embedded Computers Using These ARM CPUs (Not Exhaustive)
VIA VAB-1000
VIA VAB-820 / VAB-800
VIA VAB-630 / VAB-600
VIA ALTA DS
VIA QSM-8Q60
VIA SOM-6X50
VIA VTS-8589
IBM POWER CPUs Vulnerable To Meltdown + Spectre
Affected Variants : These IBM POWER CPUs are affected by all three variants of the speculative execution CPU bug. They are vulnerable to the Meltdown and both Spectre exploits.
IBM POWER4
IBM POWER4+
IBM POWER5
IBM POWER5+
IBM POWER6
IBM POWER6+
IBM POWER7
IBM POWER7+
IBM POWER8
– including IBM Murano, IBM Turismo, PowerCore CP1
IBM POWER8 with NVLink / POWER8+
IBM POWER9
– IBM Nimbus, IBM Cumulus
IBM z/Architecture CPUs Vulnerable To Meltdown + Spectre
Affected Variants : These IBM z/Architecture CPUs are affected by all three variants of the speculative execution CPU bug. They are vulnerable to the Meltdown and both Spectre exploits.
IBM z14
IBM z13
IBM zEC12
IBM z196
IBM z10
Intel UMPC / Smartphone SoCs Vulnerable To Meltdown + Spectre
Affected Variants : These Intel SoCs are affected by all three variants of the speculative execution CPU bug. They are vulnerable to the Meltdown and both Spectre exploits.
Intel Server / Workstation CPUs Vulnerable To Meltdown + Spectre
Affected Variants : These Intel CPUs are affected by all three variants of the speculative execution CPU bug. They are vulnerable to the Meltdown and both Spectre exploits.
Intel Desktop CPUs Vulnerable To Meltdown + Spectre
Affected Variants : These Intel CPUs are affected by all three variants of the speculative execution CPU bug. They are vulnerable to the Meltdown and both Spectre exploits.
Intel Mobile CPUs Vulnerable To Meltdown + Spectre
Affected Variants : These Intel CPUs are affected by all three variants of the speculative execution CPU bug. They are vulnerable to the Meltdown and both Spectre exploits.
VIA Desktop CPUs Vulnerable To Meltdown + Spectre
Affected Variants : These VIA CPUs are affected by all three variants of the speculative execution CPU bug. They are vulnerable to the Meltdown and both Spectre exploits.
VIA Nano QuadCore (2011)
VIA Nano QuadCore L4800E
VIA Nano QuadCore L4700E
VIA Nano QuadCore L4650E
VIA Nano Dual Core (2011)
VIA Nano X2 E L4350E
VIA Nano 3000 Series (2009)
VIA Nano L3600
VIA Nano L3050
VIA Nano L3025
VIA Nano 2000 Series (2008)
VIA Nano L2200
VIA Nano L2100
VIA Mobile CPUs Vulnerable To Meltdown + Spectre
Affected Variants : These VIA CPUs are affected by all three variants of the speculative execution CPU bug. They are vulnerable to the Meltdown and both Spectre exploits.
Updated @ 2018-02-28 : Added a new page on the AMD Spectre 2 hardware mitigation options.
Originally posted @ 2018-02-01
Only Spectre
Now that the dust has settled, we know that AMD processors are completely invulnerable to Meltdown, but are vulnerable to both Spectre exploits. Therefore, AMD only needs to mitigate against the two Spectre exploits.
In the Spectre 1 (GPZ Variant 1) exploit, malware can make use of the processor’s speculative execution capability to bypass a memory bounds check, thereby accessing memory that it did not have permission for.
AMD is recommending software-only solutions for Spectre 1, which include operating system kernels, JIT (Just In Time) compilers, browsers and other user applications.
AMD recommends the V1-1 (lfence) software solution for the GPZ Variant 1 (Spectre 1) exploit.
GPZ Variant 2 (Spectre 2)
In the Spectre 2 (GPZ Variant 2) exploit, malware may trick the CPU branch predictor into mispredicting an indirect branch, thereby speculatively executing code that would not otherwise be executed.
AMD offers both software-only, and software + hardware mitigations, for Spectre 2.
AMD recommends the V2-1(retpoline) option for the GPZ Variant 2 (Spectre 2) exploit.
Technique : Clear out untrusted data from registers (e.g. write 0) when entering more privileged modes, or sensitive code.
Effect : By removing untrusted data from registers, the CPU will not be able to speculatively execute operations using the values in those registers.
Applicability : All AMD processors.
Note : Instructions that cause the machine to temporarily stop inserting new instructions into the machine for execution and wait for execution of older instructions to finish are referred to as dispatch serializing instructions.
AMD Spectre Mitigation G-2
Target : Spectre 1 and Spectre 2
Technique : Set an MSR in the processor so that LFENCE is a dispatch serializing instruction and then use LFENCE in code streams to serialize dispatch (LFENCE is faster than RDTSCP which is also dispatch serializing). This mode of LFENCE may be enabled by setting MSR C001_1029[1]=1.
Effect : Upon encountering an LFENCE when the MSR bit is set, dispatch will stop until the LFENCE instruction becomes the oldest instruction in the machine.
Applicability : All AMD family 10h/12h/14h/15h/16h/17h processors support this MSR. LFENCE support is indicated by CPUID function 1 EDX bit 26 (SSE2). AMD family 0Fh/11h processors support LFENCE as serializing always, but do not support this MSR. AMD plans support for this MSR and access to this bit for all future processors.
Effect : The processor will never speculatively fetch instruction bytes in supervisor mode if the RIP address points to a user page. This prevents the attacker from redirecting the kernel indirect branch to a target in user code.
Applicability : All AMD processors that support SMEP (Family 17h, Family 15h model >60h)
Note : The load-store unit is a key area for controlling speculation because information leakage comes from the residual nature of cache lines after a speculative fill.
Effect : The processor will never initiate a fill if the translation has a SMAP violation (kernel accessing user memory). This can prevent the kernel from bringing in user data cache lines. With SMEP and SMAP enabled, the attacker must find an indirect branch to attack in the area marked by SMAP that is allowed to access user marked memory.
Applicability : All AMD processors that support SMAP ( family 17h and greater)
AMD Spectre 1 Mitigation Options
AMD Spectre Mitigation V1-1
Target : Spectre 1 only
Technique : With LFENCE serializing, use it to control speculation for bounds checking. For instance, consider the following code:
2: ja out_of_bounds ; if greater, index is too big
3: mov ebx, [eax] ; read buffer
In this code, the CPU can speculatively execute instruction 3 (mov) if it mispredicts the branch at 2 (ja). If this is undesirable, software should implement:
2: ja out_of_bounds ; if greater, index is too big
3: lfence ; serializes dispatch until branch
4: mov ebx, [eax] ; read buffer
Effect : In the second code sequence, the processor cannot execute op 4 because dispatch is stalled until the branch target is known.
Applicability : All AMD processors.
AMD Spectre Mitigation V1-2
Target : Spectre 1 only
Technique : Create a data dependency on the outcome of a compare to avoid speculatively executing instructions in the false path of the branch. For instance, consider the following code:
2: ja out_of_bounds ; if greater, index is too big
3: mov ebx, [eax] ; read buffer
In this code, the CPU can speculatively execute instruction 3 (mov) if it mispredicts the branch at 2 (ja). If this is undesirable, software should implement:
3: ja out_of_bounds ; if greater, index is too big
4: cmova eax, edx ; NEW: dummy conditional mov
5: mov ebx, [eax] ; read buffer
Effect : In the second code sequence, the processor cannot execute op 4 (cmova) because the flags are not available until after instruction 2 (cmp) finishes executing. Because op 4 cannot execute, op 5 (mov) cannot execute since no address is available.
Applicability : All AMD processors.
AMD Spectre Mitigation V1-3
Target : Spectre 1 only
Technique : Create a data dependency on the outcome of a compare to mask the array index to keep it within bounds. For instance, consider the following code:
2: ja out_of_bounds ; if greater, index is too big
3: mov ebx, [eax] ; read buffer
In this code, the CPU can speculatively execute instruction 3 (mov) if it mispredicts the branch at 2 (ja). If this is undesirable, software should implement:
2: ja out_of_bounds ; if greater, index is too big
3: and eax, $MASK ; NEW: Mask array index
4: mov ebx, [eax] ; read buffer
Effect : In the second code sequence, the processor will mask the array index before the memory load constraining the range of addresses that can be speculatively loaded. For performance it is best if $MASK is an immediate value.
Applicability : All AMD processors. This mitigation works best for arrays that are power-of-2 sizes but can be used in all cases to limit the range of addresses that can be loaded.
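The V1-1 (lfence) and V1-3 (index mask) sequences above, written out in C as an added example; this is not AMD's code or the article's own. The general masking form for a non-power-of-two table is an assumed generalisation of V1-3 in the style of the Linux array_index_mask_nospec() helper, and the buffers are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* LFENCE as used by mitigation V1-1. On AMD processors it only stalls
 * dispatch when MSR C001_1029[1] is set (mitigation G-2); on a non-x86
 * build the macro degrades to a plain compiler barrier so the file still
 * compiles, but then provides no speculation control. */
#if defined(__x86_64__) || defined(__i386__)
#define SPEC_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
#define SPEC_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

/* Constructed sample data: a power-of-two sized buffer (for V1-3 with an
 * immediate mask) and a 10-entry table (for the general masking form). */
#define BUF_SIZE   16u
#define TABLE_SIZE 10u
static const uint8_t buffer[BUF_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 };
static const uint8_t table[TABLE_SIZE] = {
    100, 101, 102, 103, 104, 105, 106, 107, 108, 109 };

/* V1-1: "cmp / ja / lfence / mov". Returns -1 when idx is out of range. */
int read_v1_1_lfence(size_t idx)
{
    if (idx >= BUF_SIZE)          /* cmp + ja out_of_bounds */
        return -1;
    SPEC_BARRIER();               /* lfence: no load until the branch resolves */
    return buffer[idx];           /* mov ebx, [eax] */
}

/* V1-3, power-of-two form: "cmp / ja / and eax, $MASK / mov". Even if the
 * branch is mispredicted, the masked index stays inside buffer[]. */
int read_v1_3_pow2(size_t idx)
{
    if (idx >= BUF_SIZE)
        return -1;
    idx &= (BUF_SIZE - 1);        /* $MASK = 0x0F, an immediate */
    return buffer[idx];
}

/* General form of V1-3 for any table size (assumed generalisation): derive an
 * all-ones or all-zeros mask from a data dependency on (idx < size), with no
 * branch for the predictor to guess.
 *   idx <  size : idx and (size-1-idx) both have the top bit clear, so
 *                 ~(idx | (size-1-idx)) is negative; arithmetic shift -> all ones
 *   idx >= size : (size-1-idx) wraps and sets the top bit -> mask is zero
 * Assumes a two's-complement arithmetic right shift (GCC/Clang behaviour). */
size_t index_mask_nospec(size_t idx, size_t size)
{
    intptr_t x = (intptr_t)(idx | (size - 1 - idx));
    return (size_t)(~x >> (sizeof(size_t) * 8 - 1));
}

/* V1-3 applied to the non-power-of-two table: an out-of-range idx that is
 * speculatively let through collapses to index 0, never past the end. */
int read_v1_3_general(size_t idx)
{
    if (idx >= TABLE_SIZE)
        return -1;
    idx &= index_mask_nospec(idx, TABLE_SIZE);
    return table[idx];
}

int main(void)
{
    printf("lfence  [3]  = %d\n", read_v1_1_lfence(3));
    printf("pow2    [15] = %d\n", read_v1_3_pow2(15));
    printf("general [9]  = %d\n", read_v1_3_general(9));
    printf("mask(10,10)  = %zu\n", index_mask_nospec(10, 10));
    return 0;
}
```

Compile with optimisation and inspect the generated assembly to confirm the mask or LFENCE actually sits between the compare and the load; the compiler, not the source, decides the final instruction order.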
Note : In the case of RET instructions, RIP values are predicted using a special hardware structure that tracks CALL and RET instructions called the return stack buffer. Other indirect branches (JMP, CALL) are predicted using a branch target buffer (BTB) structure. While the mechanism and structure of this buffer varies significantly across AMD processors, branch predictions in these structures can be controlled with software changes to mitigate variant 2 attacks.
AMD Spectre 2 Mitigation Options
AMD Spectre Mitigation V2-1
Target : Spectre 2 only
Technique : Convert indirect branches into a “retpoline”. Retpoline sequences are a software construct which allows indirect branches to be isolated from speculative execution. It uses properties of the return stack buffer (RSB) to control speculation. The RSB can be filled with safe targets on entry to a privileged mode and is per thread for SMT processors. So instead of
1: jmp *[eax] ; jump to address pointed to by EAX
To this:
1: call l5 ; keep return stack balanced
l2: pause ; keep speculation to a minimum
3: lfence
4: jmp l2
l5: add rsp, 8 ; assumes 64 bit stack
6: push [eax] ; put true target on stack
7: ret
and this:
1: call *[eax] ; call address pointed to by EAX
To this:
1: jmp l9
l2: call l6 ; keep return stack balanced
l3: pause
4: lfence ; keep speculation to a minimum
5: jmp l3
l6: add rsp, 8 ; assumes 64 bit stack
7: push [eax] ; put true target on stack
8: ret
l9: call l2
Effect : This sequence controls the processor’s speculation to a safe known point. The performance impact is likely greater than V2-2 but more portable across the x86 architecture. Care needs to be taken for use outside of privileged mode where the RSB was not cleared on entry or the sequence can be interrupted. AMD processors do not put RET based predictions in BTB type structures.
Applicability : All AMD processors.
AMD Spectre Mitigation V2-2
Target : Spectre 2 only
Technique : Convert an indirect branch into a dispatch serializing instruction sequence where the load has finished before the branch is dispatched. For instance, change this code:
1: jmp *[eax] ; jump to address pointed to by EAX
To this:
1: mov eax, [eax] ; load target address
2: lfence ; dispatch serializing instruction
3: jmp *eax
Effect : The processor will stop dispatching instructions until all older instructions have returned their results and are capable of being retired by the processor. At this point the branch target will be in the general purpose register (eax in this example) and available at dispatch for execution such that the speculative execution window is not large enough to be exploited.
Applicability : All AMD processors. AMD plans that this sequence will continue to work on future processors until support for other architectural means to control indirect branches are introduced.
AMD Spectre Mitigation V2-3
Target : Spectre 2 only
Technique : Execute a series of CALL instructions upon entering more privileged code to fill up the return address predictor.
Effect : The processor will only predict RET targets to the RIP values in the return address predictor, thus preventing attacker controlled RIP values from being predicted.
Applicability : All AMD processors. The size of the return address predictor varies by processor, all current AMD processors have a return address predictor with 32 entries or less. Future processors that have more than 32 RSB entries are planned to be architected to not require software intervention.
AMD Spectre Mitigation V2-4
Target : Spectre 2 only
Technique : An architectural mechanism, Indirect Branch Control (IBC), is being added to the x86 ISA to help software control branch prediction of jmp near indirect and call near indirect instructions. It consists of 3 features: Indirect Branch Prediction Barrier (IBPB), Indirect Branch Restricted Speculation (IBRS) and Single Thread Indirect Branch Predictors (STIBP).
Effect : These features give software another mechanism through architectural MSRs to provide mitigation for different variant 2 exploits.
IBPB – Places a barrier such that indirect branch predictions from earlier execution cannot influence execution after the barrier.
IBRS – Restricts indirect branch speculation when set.
STIBP – Provides sibling thread protection on processors that require sibling indirect branch prediction protection.
Applicability : As a new feature, these mechanisms are available in only a limited number of current AMD processors and require a microcode patch. These 3 features are individually enumerated through CPUID, and not all processors support all features. These features also require software updates to write the MSR where appropriate.
Note : After a RIP value is predicted, the new RIP value is sent through a TLB and table walker pipeline before instruction bytes can be fetched and sent for execution.
AMD Spectre 2 Hardware Mitigation Options
On 7 February, AMD revealed three AMD64 mechanisms to mitigate against Spectre 2 (indirect branch target injection). They are designed to increase control of indirect branches, and identified by CPU ID bits.
| Feature | AMD Version (CPUID Function) | MSR Exist |
|---|---|---|
| Indirect Branch Prediction Barrier (IBPB) | 8000_0008 EBX[12]=1 | PRED_CMD (MSR 49) |
| Indirect Branch Restricted Speculation (IBRS) | 8000_0008 EBX[14]=1 | SPEC_CTRL (MSR 48) |
| Single Thread Indirect Branch Prediction (STIBP) | 8000_0008 EBX[15]=1 | SPEC_CTRL (MSR 48) |
AMD IBPB Hardware Mitigation
Target : Spectre 2 only
Technique : This is a write-only MSR (model-specific register) that, when written with a 0, prevents older indirect branches from influencing predictions of indirect branches in the future. This applies to jmp indirects, call indirects and returns.
As this feature prevents the processor from using all previous indirect branch information, it is meant to be used only when a software switches from one user context to another that requires protection.
CPUID Function 8000_0008, EBX[16]=1 indicates an IBRS always on mode. The processor prefers that IBRS is only set once during boot and not changed.
If IBRS is set on a processor supporting IBRS always on mode, indirect branches executed in a less privileged prediction mode will not influence branch predictions for indirect branches in a more privileged prediction mode.
This also reduces the performance impact of the WRMSR (Write to Model Specific Register) on less privileged to more privileged entry point and the WRMSR on more privileged to less privileged exit points.
AMD IBRS Hardware Mitigation
Target : Spectre 2 only
Technique : Indirect Branch Restricted Speculation (IBRS) exists at MSR 0x48 (SPEC_CTRL) bit 0.
When this bit is set, it prevents indirect branches that executed in a lesser prediction mode before the bit was set from influencing the indirect branches that execute while IBRS is 1. A lesser prediction mode is CPL 3 vs CPL[2-0], and Guest vs Host mode.
If software clears IBRS, it is now allowed for the older indirect branches that occurred when IBRS was 0 to be used to influence the indirect branches.
It is also possible that while IBRS is 1, another write of 1 to IBRS bit 0 occurs. This starts a new window where older indirect branches should not influence future indirect branches.
Therefore if IBRS were set in a lesser privilege mode, on a transition to a more privileged mode the more privileged mode would have to set IBRS to 1 to indicate to hardware that it wants branches in the more privileged mode separated from those in the lesser privileged mode with IBRS set.
On processors with a shared indirect branch predictor, IBRS being set provides protection from being influenced by a sibling thread’s indirect branch predictions. For the ret type of indirect branch, software is responsible for clearing out the return stack buffer with 32 calls that have a non-zero target.
Processors that support more than 32 RSB (Return Stack Buffer) entries will be responsible for clearing the extra RSB entries. Clearing out the return stack buffer may be required on the transition from CPL3 to CPL0, even if the OS has SMEP enabled.
CPUID Function 8000_0008, EBX[18]=1 indicates that the processor prefers using the IBRS feature instead of other software mitigations such as retpoline. This allows software to remove the software mitigation and utilize the better performing IBRS mechanism.
AMD STIBP Hardware Mitigation
Target : Spectre 2 only
Technique : The Single Thread Indirect Branch Predictor (STIBP) exists at MSR 0x48 (SPEC_CTRL) bit 1.
When this bit is set in processors that share branch prediction information, indirect branch predictions from sibling threads cannot influence the predictions of other sibling threads. Return instructions are always immune to influence by the other thread and do not require this bit to be set for protection.
Any attempt to write SPEC_CTRL bits 63:2 results in general protection fault (GP fault). If a processor only supports STIBP (bit 1) for ease of software implementation, the processor does not GP fault attempts to write bit 0. In a similar manner, if a processor only supports IBRS, attempts to set STIBP do not GP fault.
Neither SPEC_CTRL nor PRED_CMD is an architecturally serializing WRMSR. They are still execution serializing, and prevent any execution of future instructions until they have completed.
CPUID Function 8000_0008, EBX[17]=1 indicates an STIBP always on mode. The processor prefers that STIBP is only set once during boot and not changed. This reduces the performance impact of the WRMSR (Write to Model Specific Register) at the necessary toggle points.
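An added example (not AMD's or the article's code) that decodes the CPUID Fn8000_0008 EBX bits from the table and paragraphs above into the IBPB / IBRS / STIBP feature set and the always-on and IBRS-preferred hints, then picks the Spectre 2 option AMD's text points to. The live query uses GCC/Clang's cpuid.h helpers and assumes an AMD part; on anything else it reports the leaf as unavailable rather than decoding bits with a different meaning.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang: __get_cpuid_max(), __cpuid() */
#endif

/* CPUID Fn8000_0008 EBX bit positions as given in the table and text above. */
enum {
    IBC_BIT_IBPB            = 12,  /* PRED_CMD (MSR 49) exists */
    IBC_BIT_IBRS            = 14,  /* SPEC_CTRL (MSR 48) bit 0 */
    IBC_BIT_STIBP           = 15,  /* SPEC_CTRL (MSR 48) bit 1 */
    IBC_BIT_IBRS_ALWAYS_ON  = 16,  /* processor prefers IBRS set once at boot */
    IBC_BIT_STIBP_ALWAYS_ON = 17,  /* processor prefers STIBP set once at boot */
    IBC_BIT_IBRS_PREFERRED  = 18   /* processor prefers IBRS over retpoline */
};

struct ibc_features {
    bool ibpb, ibrs, stibp, ibrs_always_on, stibp_always_on, ibrs_preferred;
};

enum spectre2_choice {
    SPECTRE2_SOFTWARE_ONLY,       /* no IBC bits: retpoline (V2-1) / LFENCE (V2-2) */
    SPECTRE2_IBC_WITH_RETPOLINE,  /* IBC present; retpoline still the recommended default */
    SPECTRE2_IBRS_PREFERRED       /* EBX[18]=1: drop retpoline, use IBRS */
};

struct ibc_features decode_ibc_ebx(uint32_t ebx)
{
    struct ibc_features f;
    f.ibpb            = (ebx >> IBC_BIT_IBPB) & 1u;
    f.ibrs            = (ebx >> IBC_BIT_IBRS) & 1u;
    f.stibp           = (ebx >> IBC_BIT_STIBP) & 1u;
    f.ibrs_always_on  = (ebx >> IBC_BIT_IBRS_ALWAYS_ON) & 1u;
    f.stibp_always_on = (ebx >> IBC_BIT_STIBP_ALWAYS_ON) & 1u;
    f.ibrs_preferred  = (ebx >> IBC_BIT_IBRS_PREFERRED) & 1u;
    return f;
}

/* Mirrors the guidance above: retpoline (V2-1) is the recommended option,
 * unless the processor advertises IBRS and says it prefers IBRS instead. */
enum spectre2_choice choose_spectre2_mitigation(struct ibc_features f)
{
    if (f.ibrs && f.ibrs_preferred)
        return SPECTRE2_IBRS_PREFERRED;
    if (f.ibpb || f.ibrs || f.stibp)
        return SPECTRE2_IBC_WITH_RETPOLINE;
    return SPECTRE2_SOFTWARE_ONLY;
}

/* Query the running CPU. Returns false on non-x86 builds, on non-AMD vendors
 * (these EBX bits are AMD-defined) and when the extended leaf is absent. */
bool read_ibc_features(struct ibc_features *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int vendor_ebx = 0, eax, ebx, ecx, edx;
    /* Leaf 0 EBX holds "Auth" of "AuthenticAMD". */
    if (__get_cpuid_max(0, &vendor_ebx) == 0 || vendor_ebx != 0x68747541u)
        return false;
    if (__get_cpuid_max(0x80000000u, NULL) < 0x80000008u)
        return false;
    __cpuid(0x80000008u, eax, ebx, ecx, edx);
    (void)eax; (void)ecx; (void)edx;
    *out = decode_ibc_ebx(ebx);
    return true;
#else
    (void)out;
    return false;
#endif
}

int main(void)
{
    struct ibc_features f;
    if (!read_ibc_features(&f)) {
        puts("CPUID Fn8000_0008 IBC bits not available (non-AMD or non-x86)");
        return 0;
    }
    printf("IBPB=%d IBRS=%d STIBP=%d IBRS-always-on=%d STIBP-always-on=%d IBRS-preferred=%d\n",
           f.ibpb, f.ibrs, f.stibp, f.ibrs_always_on, f.stibp_always_on, f.ibrs_preferred);
    printf("Spectre 2 choice: %d\n", (int)choose_spectre2_mitigation(f));
    return 0;
}
```

Reading the bits only tells you what the silicon and microcode offer; whether the OS actually writes SPEC_CTRL and PRED_CMD at the privilege transitions is a separate check on the kernel side.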
Ever since the Meltdown and Spectre exploits were exposed, Microsoft has been working overtime to patch Windows against them. Unfortunately, they were quite secretive about their Spectre and Meltdown patch list and schedule. We usually only find out when something bad happens, like when some patches bricked AMD systems.
They changed that stance recently, quietly releasing their Windows Spectre and Meltdown patch schedule. This schedule listed the patches they have released so far, or are about to release. For your convenience, we have divided and sorted them according to the applicable Windows version.
Please note that the current Microsoft Spectre and Meltdown patch schedule covers January and February 2018. We will update the schedule as and when Microsoft releases more patches.
Article Update History
Updated @ 2018-02-22 : Added the late January and early February 2018 Spectre and Meltdown patch schedule for Windows 10 and Windows Server 2016.
Originally posted @ 2018-01-24
The Spectre + Meltdown Patch Schedule For Windows 10
The Meltdown and Spectre CPU flaws that the Google Project Zero team discovered are arguably the worst we have ever known. These vulnerabilities were built into BILLIONS of CPUs that we have been using for the last decade or so.
Not just Intel CPUs, but also CPUs made by AMD, Apple and ARM. Even those that power our smartphones and other smart devices!
Let’s take a look at what we know so far about Meltdown and Spectre, how they affect you, and what we can do about them.
This story is still developing. We will update the article as and when new details emerge. Be sure to check back and refresh the page for the latest information!
Article Update History
2018-02-17 : Updated the table of CPUs vulnerable to Meltdown and Spectre. Updated four sections with new information.
2018-02-05 : Added a table of CPUs vulnerable to Meltdown and Spectre. Updated three sections with new information.
2018-01-25 :Revamped the entire article. Added a new section on the difference between Meltdown and Spectre, and a new section on InSpectre. Updated the list of vulnerable processors, mitigation efforts by Microsoft and Apple, as well as the Intel spontaneous reboot issues with their Spectre 2 patches.
2018-01-16 : Updated the list of vulnerable processors, and added a new section on Intel CPUs spontaneously rebooting after applying Meltdown and Spectre patches. Also added cautionary advice on holding off these updates.
2018-01-12 : Updated the article with the AMD confirmation that their processors are vulnerable to both Spectre exploits. Also added details on the Google Retpoline mitigation technique against Spectre attacks.
2018-01-11 : Added new sections on the performance impact of the Meltdown and Spectre mitigation patches, and reports of those patches bricking some AMD PCs. Also expanded the list of affected CPUs, and corrected information on the Intel-SA-00086 Detection Tool.
Between 2018-01-09 and 2018-01-10 : Numerous updates including details of patches and affected CPUs.
Originally posted @ 2018-01-09
The Meltdown + Spectre Vulnerabilities
The Project Zero team identified these vulnerabilities in 2017, reporting them to Intel, AMD and ARM on 1 June 2017.
These vulnerabilities take advantage of the Speculative Execution and Branch Prediction features of the modern processor, that have been used for many years to improve performance.
Speculative Execution lets the CPU predict and pre-execute the next instruction, allowing it to “instantly” deliver the results if it’s correct.
Branch Prediction helps the CPU predict future execution paths that should be speculatively-executed for better performance.
There are THREE (3) variants of the speculative execution CPU bug :
The Spectre attack (whitepaper) exploits variants 1 and 2.
The Meltdown attack (whitepaper) exploits variant 3.
There is a Variant 3a, which appears to affect only certain ARM processors.
What’s The Difference Between Meltdown & Spectre?
Spectre tricks the CPU branch predictor into mispredicting a branch, thereby speculatively executing code that would not otherwise be executed.
Meltdown takes advantage of the out-of-order execution capability of modern processors, tricking them into transiently executing memory accesses that the hardware’s privilege checks would normally forbid.
The Spectre name is based on both the root cause – speculative execution, and the fact that it is not easy to fix, and will haunt us for a long time like a spectre (ghost).
The Meltdown name was chosen because the vulnerability “basically melts security boundaries which are normally enforced by the hardware“.
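The Spectre variant 1 pattern, as an added example that is not from this article: a bounds-checked table lookup whose branch can be mispredicted, beside an index-masking mitigation modeled on the Linux kernel’s array_index_mask_nospec(). The table contents are constructed sample data, and the compiler barrier is a GCC/Clang extension.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample table standing in for any bounds-checked array
 * that sits next to data an attacker must not be able to read. */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Unmitigated pattern from the Spectre whitepaper: the check is correct
 * architecturally, but a trained branch predictor can issue the load
 * before the comparison resolves, so table[idx] may be fetched for an
 * out-of-bounds idx during the transient window. */
uint8_t lookup_unmitigated(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Branchless mask: all ones when idx < len, all zeros otherwise.
 * Modeled on the Linux kernel's array_index_mask_nospec(); it relies on
 * arithmetic right shift of a negative long (what GCC and Clang emit)
 * and on len being below SIZE_MAX / 2. */
static inline size_t index_mask_nospec(size_t idx, size_t len)
{
#if defined(__GNUC__)
    /* Keep the compiler from folding the mask away using what it knows
     * about idx architecturally; speculation does not honour that. */
    __asm__ __volatile__("" : "+r"(idx));
#endif
    /* For idx < len both terms have the top bit clear; otherwise
     * len - 1 - idx wraps and sets it. Invert, then smear the top bit. */
    const unsigned shift = sizeof(size_t) * 8 - 1;
    return (size_t)(~(long)(idx | (len - 1 - idx)) >> shift);
}

/* Mitigated lookup: the mask clamps the index to 0 whenever it is out of
 * range, so even a mispredicted branch cannot make the speculative load
 * reach past the table. */
uint8_t lookup_masked(size_t idx)
{
    if (idx < TABLE_LEN) {
        idx &= index_mask_nospec(idx, TABLE_LEN);
        return table[idx];
    }
    return 0;
}

int main(void)
{
    printf("masked(3)=%u masked(100)=%u\n",
           lookup_masked(3), lookup_masked(100));
    return 0;
}
```

Both functions return the same values architecturally; the difference only shows up in what the CPU may touch during speculation, so the masked form is the one a reviewer should expect at every attacker-influenced array index.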
How Bad Are Meltdown & Spectre?
The Spectre exploits let an attacker access and copy information from the memory space used by other applications.
The Meltdown exploit lets an attacker copy the entire physical memory of the computer.
Unless patched, the affected processors are vulnerable to malware and cyberattacks that exploit this CPU bug to steal critical information from running apps (like login and credit card information, emails, photos, documents, etc.).
While the Meltdown exploit can be “fixed”, it is likely that the Spectre exploit cannot be fixed, only mitigated, without a redesign of the processors. That means we will have to live with the risks of a Spectre attack for many more years to come.
The Intel-SA-00086 Detection Tool does NOT detect the processor’s susceptibility to these vulnerabilities. It only checks for different vulnerabilities affecting the Intel Management Engine.
InSpectre
Our reader Arthur shared that the Gibson Research Corporation has an aptly-named utility called InSpectre.
It checks for Meltdown and Spectre hardware and software vulnerabilities in a Windows system. It will help you check if your system is getting patched properly against these vulnerabilities.
What Is Being Done??? Updated!
Note : The terms “mitigate” and “mitigation” mean that the likelihood of a successful attack is reduced, not eliminated.
Intel has started issuing software and firmware updates for the processors introduced in the last 5 years. By the middle of January 2018, Intel expects to have issued updates for more than 90% of those CPUs. However, that does not address the other Intel processors sold between 2010 and 2012.
Microsoft and Linux have started to roll out the KPTI (Kernel Page Table Isolation) patch, also known as the KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed) patch.
The KPTI or KAISER patch, however, will only protect against the Meltdown exploit. It has no effect on a Spectre attack.
Microsoft Edge and Internet Explorer 11 received the KB4056890 security update on 3 January 2018, to prevent a Meltdown attack.
Firefox 57 includes changes to mitigate against both attacks.
Google Chrome 64 will be released on 23 January 2018, with mitigations against Meltdown and Spectre attacks.
For Mac systems, Apple introduced mitigations against Spectre in macOS 10.13.2 (released on 8 January 2018), with more fixes coming in macOS 10.13.3.
For iOS devices, Apple introduced mitigations against Meltdown in iOS 11.2 and tvOS 11.2.
On 8 January 2018, Apple released iOS 11.2.2, which mitigates the risk of the two Spectre exploits in Safari and WebKit, for iPhone 5s, iPad Air, and iPod touch 6th generation or later.
Google patched Android against both exploits with the December 2017 and January 2018 patches.
Google shared details of their Return Trampoline (Retpoline) binary modification technique that can be used to protect against Spectre attacks. It is a software construct that ensures that any associated speculative execution will “bounce” (as if on a trampoline) endlessly.
On 11 January 2018, AMD announced that the “majority of AMD systems” have received the mitigation patches against Spectre 1, albeit some older AMD systems got bricked by bad patches. They also announced that they will make “optional” microcode updates available for Ryzen and EPYC processors by the same week.
In the same 11 January 2018 disclosure, AMD also shared that Linux vendors have started to roll out OS patches for both Spectre exploits, and they’re working on the “return trampoline (Retpoline)” software mitigations as well.
On 8 February 2018, an Intel microcode update schedule revealed that their Penryn-based processors are also vulnerable, adding an additional 314 CPU models to the list of vulnerable processors.
On 14 February 2018, Intel revealed an expanded Bug Bounty Program, offering up to $250,000 in bounty awards.
Some AMD PCs Got Bricked
In the rush to mitigate against Meltdown and Spectre, Microsoft released Windows 10 patches that bricked some AMD PCs. They blamed the incorrect / incomplete documentation provided by AMD.
Intel’s rush to patch Meltdown and Spectre resulted in buggy microcode patches, causing several generations of their CPUs to randomly and spontaneously reboot.
So far, over 800 Intel CPU models have been identified to be affected by these spontaneous reboot issues. If you have one of the affected CPUs, please hold off BIOS / firmware updates!
Intel has identified the cause as the Spectre 2 patches in their microcode updates for some of these processors. They’re still investigating the cause of the other affected CPU models.
Fortunately for Windows users, Microsoft issued the KB4078130 emergency update to stop the reboots while Intel worked to fix the issue.
First and foremost – DO NOT PANIC. There is no known threat or attack using these exploits.
Although we listed a number of important patches below, the buggy updates are worse than the potential threat they try to fix. So we advise HOLDING OFF these patches, and waiting for properly-tested versions a few weeks down the line.
If you are using an iOS device, get updated to iOS 11.2 or tvOS 11.2.
If you are using Firefox, update to the latest Firefox 57.
If you are using Google Chrome, make sure you watch out for Chrome 64, which will be released on 23 January.
Download and install the latest software and firmware updates from your PC, laptop or motherboard brand. In particular, install the latest driver for the Intel Management Engine (Intel ME), the Intel Trusted Execution Engine (Intel TXE), and the Intel Server Platform Services (SPS).
If you are using an Intel system, hold off updating your firmware, unless you have already verified that your CPU is not affected by the buggy Intel patches, or Intel has already issued corrected patches.
The Performance Impact Of The Mitigation Patches
Many benchmarks have been released, showing performance impacts of between 5% to 30%, depending on the type of benchmark and workload. Microsoft has called those benchmark results into question, stating that they did not cover both operating system and silicon microcode patches.
The world is under siege by ransomware attacks. Ransomware doesn’t just put our personal data at risk, it is a serious threat to critical services and even national security. Therefore, we are elated to learn about the new Acronis Ransomware Protection – a free, standalone app that will protect us against ransomware.
The Ransomware Threat
Ransomware remains a silent destroyer of data for users worldwide. New strains of ransomware can easily bypass traditional anti-virus software to encrypt user data.
According to a ransomware survey conducted by Acronis earlier this month, 57.5% of the respondents still don’t know that ransomware can wipe their files and disable their computer. Only 9.2% of the respondents had heard about the WannaCry or NotPetya attacks last year, and 37.4% report that they don’t know how to protect their data or choose to do nothing.
These findings demonstrate a need for an easy, universal ransomware protection solution, and 55.5% of the survey respondents said that they would use one if it was free.
Acronis Ransomware Protection
Acronis Ransomware Protection is designed to stop ransomware attacks in real-time, and help users recover their data without paying any ransom. It is compatible with all popular backup and anti-virus programs, and provides an additional level of defense.
In the event of a ransomware attack, Acronis Ransomware Protection blocks the malicious process and notifies the user with a popup. If any files were damaged in the attack, it facilitates the instant recovery of those affected files.
Acronis Ransomware Protection also comes with a cloud backup capability, allowing users to protect important files not only from ransomware, but also from hardware failure, natural disasters and other causes of data loss. Every user receives 5 GB of free Acronis Cloud storage.
Easy to install, Acronis Ransomware Protection is essentially a “set it and forget it” protection solution. The lightweight program (only 20 MB in size) requires limited system resources, which means it can run quietly in the background without affecting system performance.
Acronis Active Protection
Acronis Ransomware Protection is based on the Acronis Active Protection technology, which monitors system processes in real time and uses unique behavioural heuristics to detect a ransomware attack.
These heuristics are constantly being improved by machine learning models, which are generated by analysing hundreds of thousands of malicious and legitimate processes in the Acronis Cloud AI infrastructure.
According to Acronis, this AI-based training is “tremendously effective” in defeating all ransomware strains, including zero-day attacks that signature-based solutions cannot detect.
Downloading Acronis Ransomware Protection
Acronis Ransomware Protection is currently available only for the Microsoft Windows operating system. Head over to its official page for the FREE download.
Within a week after the Meltdown and Spectre exploits were revealed, the first Apple Spectre patches were introduced. And Apple has finally released their next slew of patches that will help protect Apple computers against Meltdown and Spectre.
There has been some confusion about what was “fixed” in which patch. In this article, we will share with you exactly which mitigations were introduced in which macOS / OS X update. As usual, we will update this article, as and when new Apple Spectre or Meltdown patches are released.
The Apple Spectre + Meltdown Patches
macOS High Sierra 10.13.2 Supplemental Update
Date Of Introduction : 8 January 2018
Operating System Patched : macOS 10.13 High Sierra
GPZ Variant Addressed : Spectre 1 and 2 (CVE-2017-5753 and CVE-2017-5715)
The first known update was the macOS High Sierra 10.13.2 Supplemental Update. It introduced a number of mitigations against the two Spectre variants (CVE-2017-5753 and CVE-2017-5715). Specifically, several security improvements were made to Safari and WebKit.
After updating, Safari will be upgraded to version 11.0.2 (13604.4.7.1.6) or version 11.0.2 (13604.4.7.10.6).
Security Update 2018-001 Sierra
Date Of Introduction : 23 January 2018
Operating System Patched : macOS 10.12 Sierra
GPZ Variant Addressed : Meltdown (CVE-2017-5754)
This security update patched all versions of macOS Sierra against the Meltdown exploit (CVE-2017-5754).
Security Update 2018-001 El Capitan
Date Of Introduction : 23 January 2018
Operating System Patched : OS X 10.11 El Capitan
GPZ Variant Addressed : Meltdown (CVE-2017-5754)
This security update patched all versions of OS X El Capitan against the Meltdown exploit (CVE-2017-5754).
Outstanding Apple Spectre + Meltdown Patches
From what we understand, these are the likely Apple Spectre and Meltdown patches that are still outstanding, and will eventually be released :
A Meltdown patch for macOS High Sierra
Spectre mitigation patches for macOS Sierra and OS X El Capitan
EFI firmware updates for various Mac computers
We will update this article, as and when new Apple Spectre or Meltdown patches are released.
Microsoft just revealed that pre-2016 Intel CPUs will be hit worst by the Meltdown and Spectre patches. They also pointed out that the performance impact detailed in benchmarks published so far did not include both operating system and silicon updates, and is therefore inaccurate.
Microsoft is still working on their own set of benchmarks that will look at the performance impact after both operating system and silicon updates have been applied. In the meantime, Terry Myerson, Executive Vice President of the Windows and Devices Group, shared some preliminary findings.
Performance Impact Of The Meltdown + Spectre Patches
According to Terry, the patches for Variant 1 (Spectre 1) and Variant 3 (Meltdown) of the speculative execution bug have minimal performance impact.
It is the Variant 2 (Spectre 2) patches, both operating system and silicon microcode, that have a significant performance impact.
Here is a summary of what Microsoft has found so far :
Windows 10 With 2016 Or Newer Intel CPUs
Intel CPU Models : Intel Skylake, Intel Kaby Lake, Intel Coffee Lake
Performance Impact : Single digit reduction in performance. Microsoft does not expect most users to notice the impact, because the percentages are “reflected in milliseconds“.
Windows 10 With Pre-2016 Intel CPUs
Intel CPU Models : Intel Broadwell, Intel Haswell, Intel Ivy Bridge, Intel Sandy Bridge, or older.
Performance Impact : Significant slowdowns in some benchmarks. Microsoft expects some users to notice the decrease in performance.
Windows 8 and Windows 7 With Pre-2016 Intel CPUs
Intel CPU Models : Intel Broadwell, Intel Haswell, Intel Ivy Bridge, Intel Sandy Bridge, or older.
Performance Impact : Significant slowdowns. Microsoft expects most users to notice the decrease in performance.
Windows Server On Any Intel CPU
Performance Impact : Significant slowdowns in any IO-intensive application.
Why The Difference In Performance Impact?
In the newer Intel processors (from the 2016 Skylake onwards), Intel refined the instructions used to disable branch speculation to be more specific to indirect branches. This reduces the performance impact of Spectre mitigation patches.
There is a larger performance impact with Windows 8 and Windows 7 because they have more user-kernel transitions. For example, all font rendering takes place in the kernel.
What Should You Do?
If you are using a newer Intel CPU like the Core i7-8700K with Windows 10, you can rest easy knowing that the performance impact of the Meltdown and Spectre patches will be minimal.
If you are using a newer Intel CPU with an older operating system like Windows 8 or Windows 7, you should consider upgrading to Windows 10. This would reduce the performance impact of the Meltdown and Spectre patches.
If you are using a pre-2016 Intel CPU with Windows 10, there is nothing much you can do except consider upgrading to a newer processor. You could possibly live with the performance impact of the Meltdown and Spectre patches.
If you are using a pre-2016 Intel CPU with an older operating system like Windows 8 or Windows 7, you can try upgrading to Windows 10 to reduce the performance impact of the Meltdown and Spectre patches.
If you are managing a Windows Server that uses Intel CPUs, you will need to balance the risk of leaving each Windows Server instance unprotected, against the significant performance impact of protecting it against Meltdown and Spectre.
Lemi Orhan Ergin did not give Apple any forewarning when he publicly revealed the massive macOS root bug on Twitter. He basically exposed a zero-day vulnerability for hackers to use, while Apple rushed on a bug fix. The good news is Apple just issued the root bug fix in Security Update 2017-001.
This is really fast work, but it also showed their sloppiness. Hopefully, the bug fix does not introduce additional bugs!
macOS Security Update 2017-001
Apple released macOS Security Update 2017-001 just a day after the macOS root bug was revealed. They also gave us more information on the bug that caused so much ruckus around the world (and rightly so).
The bug only affected macOS High Sierra 10.13.1.
The bug did not affect computers running macOS Sierra 10.12.6 or earlier.
They confirmed that it allowed an attacker to “bypass administrator authentication without supplying the administrator’s password“.
The macOS root bug fix is now available for download via the App Store. If it doesn’t appear yet, just click on the Updates icon to refresh.
Please note that this bug fix will reset and disable the root user account. If you need to use the root user account, you will need to re-enable it, and change its password, after applying the update.
Terminal Users, Watch Out!
If you’re using Terminal to update though, you may face some complications due to Apple’s sloppiness. Chai discovered that Apple accidentally used a space instead of the version number.
This is not an issue if you are downloading the patch through the App Store. But if you’re applying the patch via Terminal, you need to add a space.
The Internet is abuzz with the shocking revelation that now everyone can hack an Apple computer… as long as it’s using the latest macOS High Sierra operating system. Let us explain what’s going on, and share with you the workaround for the macOS High Sierra root bug.
Updated @ 2017-11-30 : Added a new section on the Apple bug fix (Security Update 2017-001) [1], and additional information on the root bug [2].
Originally posted @ 2017-11-29
What Is Root User?
If you are the primary user of a MacOS X system, you have an administrator account with administrator privileges. This gives you more privileges and access than a standard user account. However, that is not the highest access level possible.
There is a Mac superuser account called “root” that gives you elevated read and write privileges to hidden or protected areas of the system. With the Mac root user account, you can even access files in other user accounts.
In fact, it gives you such God-like powers that you can modify or even delete critical system files. A Mac root user can run the rm -rf * command to delete the contents of every mounted drive in the computer, until macOS crashes when a crucial file or folder is deleted.
So this Mac root user account should only remain disabled unless you really, REALLY need to use it.
On Tuesday, 28 November 2017, Turkish software developer Lemi Orhan Ergin revealed the macOS High Sierra root bug. With a few simple steps, anyone can gain elevated root user privileges in any computer running macOS High Sierra! Here is a summary of what we know about the root bug :
The root bug exploit requires a computer running macOS High Sierra, with multiple user accounts.
When prompted for a username and password, use these steps to gain root user access without any password :
Type “root” as the username and leave the password field blank.
Just click “Unlock” twice.
The root bug cannot be exploited remotely, unless screen sharing is enabled.
The root bug was introduced in macOS High Sierra 10.13.1. Earlier versions of macOS were not affected.
Apple confirmed that the bug was due to “a logic error… in the validation of credentials“.
Apple also confirmed that the bug would allow an attacker to “bypass administrator authentication without supplying the administrator’s password“.
Several security researchers successfully replicated the bug.
The macOS High Sierra root bug is EXTREMELY serious, because it allows a hacker to easily bypass all of the macOS operating system’s security protections.
It doesn’t matter if you encrypted your computer, and secured it with an extremely long and complex password. Anyone who gains root user privileges using this bug can access (read, copy or move) the files in any user account (even those of an administrator) without knowing the password.
What’s even more troubling is that the root bug works even with a disabled root user account. This means the vast majority of Apple computers running on High Sierra are compromised, as the root user account is disabled by default.
How To Fix The Root Bug?
Unlike other security researchers, Lemi Orhan Ergin did not forewarn Apple before publicly revealing the bug, on Twitter no less. He basically exposed a zero-day vulnerability for hackers to use, while Apple rushes to fix the bug.
1. Install macOS Security Update 2017-001 New!
Apple just released Security Update 2017-001. This update will remove the root bug and improve credential validation. INSTALL THIS UPDATE NOW!
Note : This bug fix will reset and disable the root user account. If you need to use the root user account, you will need to re-enable it, and change its password, after applying the update.
Note : Apple rushed out this update so quickly that they accidentally used a space instead of the version number. You can read more about this in our article – Apple Rushed Out macOS Root Bug Fix & It Shows…
This is not an issue if you are downloading the patch through the App Store. But if you’re applying the patch via Terminal, you need to add a space.
Alternatively, you can opt to move your sensitive data to encrypted containers or drives using third-party encryption utilities like VeraCrypt. Hackers may use the High Sierra root bug to gain access to the encrypted containers or drives, but without the correct password, the actual data won’t be accessible.
4. Physically Protect Your Apple Computer
The good news is the High Sierra root bug generally requires physical access to your Apple computer. Until this bug is fixed, you should make sure your Apple computer is never left unsupervised.
Keep it in a locked room or bag, whenever you are not using it. If no one can get to it, they cannot use the bug to gain root access.
5. Disable Screen Sharing
The High Sierra root bug can be exploited remotely if Screen Sharing is enabled. So make sure you disable Screen Sharing.
Want to have elevated God-like privileges to your Mac OS X system? Then you need to be a Mac root user. In this guide, we will teach you how to enable the root user account in OS X, change the password, and disable it.
For experienced users or power users, you can use Terminal to quickly make these changes :
If you are the primary user of a MacOS X system, you have an administrator account with administrator privileges. This gives you more privileges and access than a standard user account. However, that is not the highest access level possible.
There is a Mac superuser account called “root” that gives you elevated read and write privileges to hidden or protected areas of the system. With the Mac root user account, you can even access files in other user accounts.
In fact, it gives you such God-like powers, you can modify or even delete critical system files. So this Mac root account should only remain disabled unless you really, REALLY need to use it.
OS X High Sierra currently has a root bug that allows practically anyone to gain root access in a few simple steps. Therefore, Apple advises you to enable the Mac root account, with your own password, until they fix the bug.
How To Enable The Mac Root User / Change Password (Terminal Method)
Requisite : You need to be logged into an administrator account.
Please note that this method is used both to enable the root account and to change its password. The single command sudo passwd root sets its password and enables the root account at the same time.
Step 1 : Click on the Apple menu, and select System Preferences.
Step 2 : Click on Utilities, and select Terminal.
Step 3 : Type sudo passwd root and press Enter.
sudo passwd root
Step 4 : You will be asked for your administrator password, not the new root password. Key in your administrator password and hit Enter.
Step 5 : Now key in the new root password, and hit Enter. Then retype the new root password for verification, and hit Enter.
That’s it! You have successfully enabled the Mac root account, with a password of your choice. To use it, you need to log off your administrator account.
How To Disable The Mac Root User (Terminal Method)
Requisite : You need to be logged into an administrator account.
Step 1 : In Terminal, type dsenableroot -d and press Enter.
dsenableroot -d
Step 2 : Key in your administrator password (not the root user password), and hit Enter.
If you succeed, you will see the notification : ***Successfully disabled root user.
How To Enable The Mac Root User Account (GUI Method)
Requisite : You need to be logged into an administrator account.
Step 1 : Click on the Apple menu, and select System Preferences.
Step 2 : Click on Users & Groups.
Step 3 : In the Users & Groups screen, click on the lock and key in your administrator name and password.
Step 4 : Click on Login Options.
Step 5 : Click on the Join… (or Edit…) button next to Network Account Server.
Step 6 : Click on the Open Directory Utility… button.
Step 7 : Click on the lock, and key in your administrator name and password.
Step 8 : In the Directory Utility menu bar, select Edit and click on Enable Root User.
Step 9 : Now, key in the password you want, and a second time for verification, and click OK.
That’s it! You have successfully enabled the Mac root user account, with a password of your choice. To use it, you need to log off your administrator account.
How To Change The Mac Root User Password (GUI Method)
Requisite : You need to be logged into an administrator account, and have the root user account enabled.
If you have just enabled the root user account, and are still in the Directory Utility screen, skip ahead to Step 8.
Step 1 : Click on the Apple menu, and select System Preferences.
Step 2 : Click on Users & Groups.
Step 3 : In the Users & Groups screen, click on the lock and key in your administrator name and password.
Step 4 : Click on Login Options.
Step 5 : Click on the Join… (or Edit…) button next to Network Account Server.
Step 6 : Click on the Open Directory Utility… button.
Step 7 : Click on the lock, and key in your administrator name and password.
Step 8 : In the Directory Utility menu bar, select Edit and click on Change Root Password.
Step 9 : Now, key in the new password you want, and a second time for verification, and click OK.
That’s it! You have successfully changed the Mac root user password. To use it, you need to log off your administrator account.
How To Disable The Mac Root User Account (GUI Method)
Requisite : You need to be logged into an administrator account, and have the root user account enabled.
If you have just enabled the root user account, and are still in the Directory Utility screen, skip ahead to Step 8.
Step 1 : Click on the Apple menu, and select System Preferences.
Step 2 : Click on Users & Groups.
Step 3 : In the Users & Groups screen, click on the lock and key in your administrator user name and password.
Step 4 : Click on Login Options.
Step 5 : Click on the Join… (or Edit…) button next to Network Account Server.
Step 6 : Click on the Open Directory Utility… button.
Step 7 : Click on the lock, and key in your administrator name and password.
Step 8 : In the Directory Utility menu bar, select Edit and click on Disable Root User.
That’s it! You have successfully disabled the Mac root user account.
Mikko Hypponen is the Chief Research Officer at F-Secure, where he has worked since 1991. He is one of the world’s foremost experts on computer security, serving on the advisory board of IMPACT (International Multilateral Partnership against Cyber Threats).
He is a sought-after speaker who has given keynotes and presentations at security events like Black Hat and DEF CON, as well as mainstream events like TED and SXSW. He even speaks at military events and writes for BetaNews and Wired.
It was therefore a great opportunity to hear him speak about the purported death of antivirus software and services at the 2016 AVAR Conference. Join us for his full talk on the latest security threats and the future of the antivirus industry!
The 2016 AVAR Conference
Malaysia was the host for the 2016 AVAR (Association of Anti-Virus Asia Researchers) Conference with delegates from all over the world. The hosts were F-Secure Malaysia, together with MDEC (Malaysia Digital Economy Corporation) and Cybersecurity Malaysia.
MDEC Vice President Norhizam Kadir kicked off the 2016 AVAR conference by explaining how MDEC aims to catalyse the Malaysian digital economy.
Every year, the AVAR Conference is held in one of its many members’ countries with focus on various aspects of the information security world or underworld. The mission of AVAR is to develop cooperative relationships among prominent experts on cyber security, with participation from countries such as Malaysia, Australia, China, Hong Kong, India, Japan, Korea, Philippines, Singapore, Taiwan, UK, and the USA.
Mikko Hypponen : Is Antivirus Dead?
Now, learn from Mikko Hypponen about the latest security threats and the future of the antivirus industry! Whether you are an antivirus researcher, a computer security professional, or just a tech geek, this talk will rivet you. No wonder he’s such a sought-after speaker!