From: "David W. Hodgins" <dwhodgins@nomail.afraid.org>

On Thu, 04 Jan 2018 09:58:16 -0500, Virus <Virus@guy.c0m> wrote:

> Is there a definative list of CPU models that are affected by Spectre /
> Meldown?
> The most "detailed" explanation I can find is:
> "every processor since 1995 (except Intel Itanium and Intel Atom before
> 2013)" is affected by Meltdown"
> ==============
> I'd like to see a complete breakdown of the status of all Intel CPU's,
> going back to at least the SLOT-1 products and including socket 370,
> socket 478 and socket 775.

Unlikely that there will be such a list. All cpus are affected. AMD is
only affected by some of the bugs, but is not immune. Same with ARM.

> Also, what is status of Zeon CPU's, specifically socket 775-compatible ones?

As above.

> Other questions:
> These exploits don't seem to be able to take control of systems, alter
> protected or system memory or proccesses (or even user-space memory or
> files?), plant or install back doors or other forms of persistent
> access.  Yes?

Based on the current public descriptions, correct. Read only access to
the memory that was previously used by the kernel, but becomes available
to the exploit without being initialized.

> These exploits make it possible for specifically-crafted code to be able
> to read system memory (ie - memory / data that they wouldn't normally
> have access to) but not necessarily be able to alter or corrupt said
> memory?  Yes?

Correct.

> Other than executing a binary delivered via email, is it possible to
> deliver a workable Spectre / Meltdown exploit in the form of a script
> written in any of the various web/browser compatible formats (JS, Java,
> html, etc)?

There are no known exploits in the wild at this time. From what I've read,
it would be extremely difficult to exploit even with a program downloaded.
That doesn't ensure it can not be exploited using javascript, just that it
would be extremely difficult.

It provides read access to tiny amounts of data at a time. Given the
multi-processor/multi-threading of processors, the volume of data the
exploit would have to sift through to find any thing of use, is massive.
Either the exploit would have to do that on the victims computer with some
complex way of filtering the data, and then report to it's masters, or it
would have to upload a massive amount of data, 99.99% of which would be
useless.

What makes these two problems important, is that it's a hardware level
problem, that likely cannot be fixed even with microcode updates.

The software updates that are coming mitigate the problem by having the
kernel not use some of the features that are currently used to speed up
processing of some tasks.

This is not a panic situation. There are no known exploits in the wild,
and even with the publication of the details, it will be very hard for
anyone to use.

Regards, Dave Hodgins

-- 
Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
email replies.
--- NewsGate v1.0 gamma 2
 * Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)