Menu

React, etc. Tech Stack

React, Flux, GraphQL, Hack, HHVM...? All of this and more!

Skyfall and Solace CPU vulnerabilities a hoax - Confirmed

The Meltdown and Spectre vulnerabilities shook the computing world in early 2018. Now there are reportedly two more, with details incoming in the days after embargo in place for security.

Curiously the two new vulnerabilities have James Bond movie inspired names: Skyfall and Solace.

UPDATE: The Skyfall and Solace vulnerabilities have been confirmed as being hoaxes originating from Rob Leadbeater, as he states on the updated websites:

The Skyfall and Solace "attacks" were born as a result of one of the many meetings I've sat in since news of the Meltdown and Spectre vulnerabilities broke in early January, and the IT industry's ridiculous fascination with naming security vulnerabilities.

According to sources, these vulnerabilities are also physical issues with chips, which make them very difficult to mitigate with full certainty. Like Meltdown and Spectre vulnerabilities the new ones supposedly take use of speculative execution, a feature in modern CPUs. There is no credible evidence as of yet, but the following information has been released:

Following the recent release of the Meltdown and Spectre vulnerabilities, CVE-2017-5175, CVE-2017-5753 and CVE-2017-5754, there has been considerable speculation as to whether all the issues described can be fully mitigated.

Skyfall and Solace are two speculative attacks based on the work highlighted by Meltdown and Spectre.

source: Skyfall and Solace
Skyfall logoSolace Logo

Details are still scarce, but both Skyfall and Solace vulnerabilities take use of the same attack vector as Meltdown and Spectre - speculative execution. According to the vulnerability information site, skyfallattack.com, it is another case where both Operating System creators like Microsoft, Apple and Google and chip manufacturers like AMD, Intel and ARM will again need to work together to mitigate these issues.

It remains to be seen how significant will the new vulnerabilities will be, but it may be that exploiting the same functionalities will yield significant security compromised - uniquely to the Spectre attack browsers could be exploited with JavaScript, with simple example code available online.

Intel and Solaris logosAs for the name of Skyfall and Solace, they could be references to Intel Skylake processors and possibly Oracle Solaris Operating System originating from Sun Microsystems. The logos take influence from the Intel logo and the Solaris logo. The original logos shown on the right.

So for now it is presumed that popular systems can be exploited, but malicious parties do not have wide access to the exploits for Skyfall and Solace. As always, exercise caution when browsing and downloading files from suspicious sources. Speculation over effects to security and performance is yet to be seen - if this is not an elaborate hoax.

Report legibility still in question

Currently the only source is a random .com site hosted on the UK hosting service Mythic Beasts. The company has discussed Meltdown and Spectre in their blog, which adds credibility that they might have insight into security issues.

Experts have stated that Spectre class Side Channel Attacks are likely to be uncovered in chips with aggressive Speculative Execution, and there is suspicion that the security researches are simply covering their tracks until the results are published.

Update: The online publication The Register is stating on Twitter that they are convinced that Skyfall and Solace vulnerabilities are a hoax as their chip manufacturer contacts have not heard of this vulnerability. 

Written by Jorgé on Thursday January 18, 2018

Permalink - Tags: meltdown, spectre, skyfall, solace

« Using TypeScript with GraphQL - Gentics Mesh, a capable Open Source Headless CMS built on OrientDB »