By Oded Vanunu, Dikla Barda, Roman Zaikin

Unmasking Deceptive Tactics: A recent investigation by Check Point Research exposes a troubling trend in the cryptocurrency landscape. Deceptive actors are manipulating pool liquidity, sending token prices soaring by a shocking 22,000%.

$80,000 Heist Unveiled: The manipulation of pool liquidity resulted in a swift and calculated theft of $80,000 from unsuspecting token holders. This incident sheds light on the evolving strategies scammers employ to exploit decentralized finance platforms.

Continued Threat Landscape: This incident follows hot on the heels of a previously reported million-dollar scam. Check Point Research recently delved into the intricacies of a rug pull orchestrated through a fake token factory. For details on this preceding incident, visit Check Point Research: Unraveling the Rug Pull.

Check Point’s Blockchain Threat Intelligence system raised an alert on pool liquidity manipulation, resulting in a staggering token price increase of 22,000%. The malicious actor exploited the liquidity pool, stealing $80,000 from unsuspecting holders.

Check Point’sBblockchain Threat Intelligence system detected a malevolent transaction:
https://etherscan.io/tx/0x85ebb1b1d6f091a2d72c4cffb66beea0552a07b2efabb5fd53d4198f8d159b64

What did we find?

The scammer created two wallets:

0x48F7661E84A823505d683D092a2DccdA1e5aA119

0x151a2498826F9fe6f214C92bB1811f7d1153b630

Using the first wallet, they deployed the contract token WIZ (0x2ae38b2b47bf41ba4ab8f749b092fdd02b00bc1e) and its liquidity pool pair address (0x6e0367d897a8fd8bcbc44b4e2a14bafa904360aa), which included reserves of WETH and WIZ tokens. In the second wallet (0x151a2498826F9fe6f214C92bB1811f7d1153b630), the scammer created a malicious contract (0x796042E0032aC5247bc04A49102d49c5b5A5cF0c) designed to exploit a backdoor and manipulate the WIZ token price, resulting in an $80,000 theft from victims.

Method of Operation:

Token Creation: The scammer launches a new cryptocurrency token, pairs it with a well-known cryptocurrency on a decentralized exchange (DEX), creating a liquidity pool.

Token Promotion: Aggressive marketing, often leveraging social media and influencers, generates hype and attracts investors.

Investor Participation: As investor interest grows, they start purchasing the new token.

Pool Manipulation: After accumulating substantial investments, the scammer manipulates the pool reserve by burning most WIZ tokens, reducing the supply and temporarily inflating the token’s price by 22,000%.

Scammer’s Gain: Exploiting the inflated price, the scammer sells a significant number of tokens, pocketing $80,000.

Technical Insights:

Liquidity pools

In the world of cryptocurrencies, you often need to swap one type of digital currency for another. But how do you do it easily and quickly without an intermediate? That’s where liquidity pools come in. Without these pools, you’d have to find someone willing to trade at the exact time and price you want, which can be difficult and time-consuming.

So how does a liquidity pool work?

Let’s break down the mechanics of a liquidity pool:

Picture a sizable digital reservoir holding two distinct cryptocurrencies—let’s call them Token A and Ethereum. This reservoir serves as an open arena where anyone can swap Token A for Ethereum or vice versa.

Now, when an individual decides to exchange Token A for Ethereum, they contribute Token A to the pool and withdraw an equivalent value of Ethereum. The dynamic pricing within the pool fluctuates based on the quantity of each token present. If there is an abundance of Token A but a scarcity of Ethereum, the value of Token A decreases while Ethereum’s value rises.

In the case at hand, the scammer manipulates the pool balance by burning tokens. Burning tokens within a liquidity pool, like the WIZ/WETH pool, can boost the token’s value by adhering to the core principles of supply and demand. As tokens are permanently removed from circulation, the overall supply diminishes.

Liquidity pools follows a formula that harmonizes the quantities of two tokens. When one token type (WIZ in this instance) undergoes reduction through burning, the relative value of the other token (WETH) in the pool escalates to maintain equilibrium. Failure to increase the amount of WETH leads to a substantial surge in the token price, particularly for WIZ.

Are you seeing how hackers or scammers exploit this method, known as liquidity pool manipulation, to sway token prices?

The crux of this strategy lies in the transient inflation of the token’s price within the liquidity pool. Given that decentralized exchange (DEX) prices hinge on asset ratios in the pool, diminishing one side (via burning) can ditort the price.

Liquidity pools become susceptible to exploitative tactics, including rug pulls or influencing contracts reliant on these pools for price data. This blog zeroes in on the former, unraveling the narrative of a scammer concealing a backdoor to manipulate the WIZ/WETH liquidity pool by incinerating their tokens.So, let us see what the scammer did:

The scammer runs the function ‘brr’ methodID (0x5606de36) on his malicious contract:

let’s see this function:

We can see on line 127 the scammer runs the transfer function on the _coin contract address, the _coin address will be set in an earlier function by the scammer to WIZ address: 0x2ae38b2b47bf41ba4ab8f749b092fdd02b00bc1e

Using this transfer function, the scammer was able to burn the WIZ tokens on the pool, let us understand how :

In order to get to the _burn function the scammer will have to pass a few checks, which we will explore now:

The first check he will need to go through is limitsEnabled, this would have needed to be set to False in order for the scammer to get to the second check.

for limitsEnabled to be False, the scammer needed to run the function called ‘removeLimits’

And as we can see, right before renouncing the ownership of WIZ contract he calls this function:

So this is how the scammer passes the first check.

Now let us look at the second check, in this, the ‘from’ address needs to return False on the ExcludeFromFees and True for isexcludedForMaxTxAmount,

since both functions _isExcludedFromFees and _isExcludedForMaxTxAmount are public, we can run them with the scammer contract address as input and check the results:

Let us look at how the malicious contract address was set to True on the ExcludedForMaxTxAmount, since this is the part that helps us understand that the person who created the WIZ token and the scammer is the same person.

In the WIZ contract code we found a backdoor, the scammer hardcoded the malicious contract address in the code as mktRecevier, and set the excludeFromMaxTranscation to True for this address:

This helps the scammer to pass the second check, and allows him to get to the _burn function.

He then uses this function to burn the WIZ tokens in the WIZ/WETH liquidity pool.

If we will continue to look at the malicious contract code:

We can see the scammer in line 132 of the malicious contract sync the pool and raises the WIZ price. Then at the end in line 137 executes 0xf77 which sells all the tokens and steals almost 80,000 dollars.

As you can see in CoinMarketCap the price of the token raises by 21949% at the time of this malicious transaction:

Scammer’s Strategy:

The scammer’s approach involves temporarily inflating the token price in the liquidity pool. By manipulating the pool balance, they influence the decentralized exchange prices. Liquidity pools, integral to various contracts, become vulnerable to manipulative schemes.

Conclusion:

This manipulation scheme highlights the susceptibility of liquidity pools to fraudulent activities. Scammers leverage backdoors and exploits to manipulate token prices, emphasizing the importance of vigilance in the decentralized finance space.

Check Point researchers are actively monitoring domains associated with the identified scammer’s wallet address and similar. The Threat Intel Blockchain system, developed by Check Point, continues to accumulate valuable information on emerging threats, and this intelligence will be shared in the future. In this collaborative effort, we aim to empower investors with the knowledge needed to navigate the crypto space securely and protect themselves from potential pitfalls. For more information contact us at: blockchain@checkpoint.com

The post Crypto Deception Unveiled: Check Point Research Reports Manipulation of Pool Liquidity Skyrockets Token Price by 22,000%. appeared first on Check Point Research.

Check Point Research – ​Read More

Most smartphones have an average of around 80 installed apps, of which at least 30% are never used since most are forgotten about. But such “ballast” is harmful: there’s less free space on the device; potential bugs and compatibility issues multiply; and even unused apps at times distract you with pointless alerts.

To make things worse, abandoned apps can continue collecting data about the phone and its owner and feed it to advertising firms, or simply gobble up mobile data. Hopefully, we’ve already convinced you to “debloat” your smartphone at least a couple of times a year and uninstall apps you haven’t used for ages — not forgetting to cancel any paid subscriptions to them!

But, unfortunately, some apps are vendor-protected against uninstallation, and so aren’t all that easy to jettison. Thankfully, there are some ways to get round this problem…

Uninstall the app

Sometimes you can’t find an unwanted app under the Manage apps & device tab of the Google Play app. First, try to remove it through the phone settings: look there for the Apps section. This lists all installed programs and has a search feature to save you from having to scroll through them all. Having found the unwanted app and tapping it, you’re taken to the App Info screen. Here you can view the app’s mobile data, battery, and storage consumption, and, most importantly, find and tap the Uninstall button. If the button is there and active, the job’s done.

Disable the app

If the app was installed on the phone by the vendor, it’s likely to be non-removable and have no Uninstall button on the App Info screen. That said, it’s not necessarily linked to the OS or core components of the smartphone — it could be, say, a Facebook client or a proprietary browser. Such apps are often called bloatware since they bloat the phone’s firmware and the list of standard apps. The easiest way to disable such apps is on the above-mentioned App Info screen; instead of Uninstall, the relevant button will be marked Disable. A disabled app is not much different from an uninstalled one — it vanishes from the set of icons on the startup screen and won’t run manually or when the phone boots up. Should you need it later, you can easily turn it back on with a single tap on that same App Info screen.

Disabling reduces the risk of data leakage, but does nothing to save storage space — unfortunately, the disabled app continues to take up memory on your phone. If you absolutely have to uninstall it — but there’s no Uninstall button — read on!…

Stop the app

But what if the Disable button on the App Info screen is grayed out and untappable? For especially important programs, vendors take care to block the disabling option — often for a good reason (they’re vital to the system) — so you need to think very carefully before trying to disable or uninstall such apps manually. Open your favorite search engine and punch in the query “exact smartphone model number + exact app name”. Most likely you’ll see Android user forum discussions at the top of the search results. These often give information about whether the given app is safe to disable or whether there could be any side effects.

To perform a harmless experiment with an app that can’t be disabled, you can use the Force Stop button. This is the second button on that App Info screen and it’s almost always active — even for apps that can’t be disabled. Force Stop simply stops the app temporarily, without attempting to remove or permanently disable it. However, it no longer consumes power or mobile data — and can no longer spy on you. And if your phone continues to work as normal, then perhaps the app isn’t that important after all.

But stopped apps can start up again when certain events occur or after a phone restart, and stopping them manually each time — moreover regularly — can be troublesome and inconvenient. Fortunately, you can automate this task with the Greenify app. It doesn’t require superuser rights to work, but merely automates navigating to the now-familiar App Info screen and tapping the Force Stop button. You simply supply Greenify with a list of unwanted apps and set a Force Stop schedule to, say, twice a day. Other tools offer similar functionality, but Greenify’s advantage is its lack of “extra” features.

Freeze or uninstall the app despite its objections

If you tested stopping a non-removable app and suffered no negative effects, you might consider freezing it or removing it altogether. Freezing is the same as disabling but is done using different tools. Before delving into the details, note that freezing requires technical skill and the activation of Developer mode on your phone. This mode itself creates certain information security risks by allowing connections to the phone via USB or LAN in special technical modes, plus the ability to view and modify its contents. Although Google has fenced off this functionality with many safeguards (permission requests, additional passwords, and so on), the room for error (thus creating risks) is high.

One more thing: before you start tinkering, be sure to create the fullest possible backup of your smartphone data.

If all of the above hasn’t scared you off, see the guide in the box.

Freezing and uninstalling non-removable Android apps in Developer mode

Download and install Android SDK Platform-Tools on your computer. Of the tools inside, you’ll only need the Android Debug Bridge USB driver and the ADB command line.
Enable Developer mode on your phone. The details vary slightly from vendor to vendor, but the general recipe is roughly the same: repeatedly tap the Build Number option in the About Phone.
Enable USB Debugging under Developer Settings on your smartphone. There are multiple options there — but don’t touch any apart from these two!
Connect your smartphone to your computer through USB.
Allow Debug mode on your phone screen.
Test Debug mode by getting a list of all packages (what developers call apps) installed on your phone. To do so, type the following in the ADB command line
adb shell pm list packages
The response will be a long list of packages installed on the phone, in which you need to find the name of the unwanted app. This might look something like facebook.katana or com.samsung.android.bixby.agent. You can often (but not always) tell which app is which by their names.
Freeze (disable) the unwanted app using the ADB command line. To do so, enter the command
adb shell pm disable-user –user 0 PACKAGENAME ,
where PACKAGENAME is the name of the unwanted app package. Different vendors may have different usernames (0 in our example), so check the correct PM command for your smartphone. As before, an online search helps out: “phone model + Debloat” or “phone model + ADB PM”.
You can use developer commands to not only disable an app but also completely uninstall it. To do so, replace the previous command with adb shell pm uninstall –user 0 PACKAGENAME
Restart your phone.

The free Universal Android Debloater tool somewhat simplifies all this sorcery. It issues ADB commands automatically, based on the “cleaning packages” selected from the menu, which are prepared with both the vendor and model in mind. But since this is an open-source app written by enthusiasts, we can’t vouch for its efficacy.

Kaspersky official blog – ​Read More

Researchers have discovered several vulnerabilities in the BitcoinJS library that could leave Bitcoin wallets created online a decade ago prone to hacking. The basic issue is that the private keys for these crypto wallets were generated with far greater predictability than the library developers expected.

Randstorm vulnerabilities and consequences

Let’s start at the beginning. Researchers at Unciphered, a company specializing in crypto wallet access recovery, discovered and described a number of vulnerabilities in the BitcoinJS JavaScript library used by many online cryptocurrency platforms. Among these services are some very popular ones — in particular, Blockchain.info, now known as Blockchain.com. The researchers dubbed this set of vulnerabilities Randstorm.

Although the vulnerabilities in the BitcoinJS library itself were fixed back in 2014, the problem extends to the results of using this library: crypto wallets created with BitcoinJS in the early 2010s may be insecure — in the sense that it’s far easier to find their private keys than the underlying Bitcoin cryptography assumes.

The researchers estimate that several million wallets, totaling around 1.4 million BTC, are potentially at risk due to Randstorm. Among the potentially vulnerable wallets, according to the researchers, 3–5% of them are actually vulnerable to real attacks. Based on the approximate Bitcoin exchange rate of around $36,500 at the time of posting, this implies total loot of $1.5-2.5 billion for attackers who can successfully exploit Randstorm.

The researchers claim that the Randstorm vulnerabilities can indeed be used for real-world attacks on crypto wallets. What’s more, they successfully exploited these vulnerabilities to restore access to several crypto wallets created on Blockchain.info before March 2012. For ethical reasons, they didn’t publish a proof-of-concept of the attack, as this would have directly exposed tens of thousands of crypto wallets to the risk of theft.

The researchers have already contacted the online cryptocurrency services known to have used vulnerable versions of the BitcoinJS library. In turn, these services notified customers who could potentially be affected by Randstorm.

The nature of Randstorm vulnerabilities

Let’s look in more detail at how these vulnerabilities actually work. At the heart of Bitcoin wallet security lies the private key. Like any modern cryptographic system, Bitcoin relies on this key being secret and uncrackable. Again, as in any modern cryptographic system, this involves the use of very long random numbers.

And for the security of any data protected by the private key, it must be as random as can possibly be. If the number used as a key is highly predictable, it makes it easier and quicker for an attacker armed with information about the key-generation procedure to brute-force it.

Bear in mind that generating a truly random number is no stroll in the park. And computers by their very nature are extremely unsuited to the task since they’re too predictable. Therefore, what we usually have are pseudo-random numbers, and to increase the entropy of the generation (cryptographer-speak for the measure of unpredictability) we rely on special functions.

Now back to the BitcoinJS library. To obtain “high-quality” pseudo-random numbers, this library uses another JavaScript library called JSBN (JavaScript Big Number), specifically its SecureRandom function. As its name suggests, this function was designed to generate pseudo-random numbers that qualify for use in cryptography. To increase their entropy, SecureRandom relies on the browser function window.crypto.random.

Therein lies the problem: although the window.crypto.random function existed in the Netscape Navigator 4.x browser family, these browsers were already obsolete by the time web services began actively using the BitcoinJS library. And in the popular browsers of those days — Internet Explorer, Google Chrome, Mozilla Firefox, and Apple Safari — the window.crypto.random function was simply not implemented.

Unfortunately, the developers of the JSBN library failed to make provision for any kind of check or corresponding error message. As a result, the SecureRandom function passed over the entropy increment step in silence, effectively handing the task of creating private keys to the standard pseudo-random number generator, Math.random.

This is bad in and of itself because Math.random is not cut out for cryptographic purposes. But the situation is made even worse by the fact that the Math.random implementation in the popular browsers of 2011–2015 —  in particular Google Chrome — contained bugs that resulted in even less random numbers than should have been the case.

In turn, the BitcoinJS library inherited all the above-mentioned issues from JSBN. As a result, platforms that used it to generate private keys for crypto wallets got much fewer random numbers from the SecureRandom function than the library developers expected. And since these keys are generated with great predictability, they’re much easier to brute-force — allowing vulnerable crypto wallets to be hijacked.

As mentioned above, this isn’t a theoretical danger, but rather a practical one — the Unciphered team was able to exploit these vulnerabilities to restore access to (in other words, ethically hack) several old crypto wallets created on Blockchain.info.

Randstorm: who’s at risk?

BitcoinJS utilized the vulnerable JSBN library right from its introduction in 2011 through 2014. Note, however, that some cryptocurrency projects may have been using an older-than-latest version of the library for some time. As for the bugs afflicting Math.random in popular browsers, by 2016 they’d been fixed by changing the algorithms for generating pseudo-random numbers. Together, this gives an approximate time frame of 2011–2015 for when the potentially vulnerable crypto wallets were created.

The researchers emphasize that BitcoinJS was very popular back in the early 2010s, so it’s difficult to compile a full list of services that could have used a vulnerable version of it. Their report gives a list of platforms they were able to identify as at risk:

BitAddress — still operational.
BitCore (BitPay) — still operational.
Bitgo — still operational.
info — still operational as Blockchain.com.
Blocktrail — redirects to https://btc.com or https://blockchair.com .
BrainWallet — dead.
CoinKite — now sells hardware wallets.
CoinPunk — dead.
Dark Wallet — redirects to https://crypto-engine.org .
DecentralBank — dead.
info (Block.io) — still operational.
EI8HT — dead.
GreenAddress — redirects to https://blockstream.com/green/ .
QuickCon — dead.
Robocoin — dead.
Skyhook ATM — redirects to https://yuan-pay-group.net .

Besides Bitcoin wallets, Litecoin, Zcash, and Dogecoin wallets may also be at risk, since there are BitcoinJS-based libraries for these cryptocurrencies, too. It seems natural to assume that these libraries could be used to generate private keys for the respective crypto wallets.

The Unciphered report describes a host of other intricacies associated with Randstorm. But what it all basically boils down to is that wallets created between 2011 and 2015 using the vulnerable library may be vulnerable to varying degrees — depending on the particular circumstances.

How to protect against Randstorm

As the researchers themselves rightly state, this isn’t a case where fixing the vulnerability in the software would suffice: “patching” wallet owners’ private keys and replacing them with secure ones just isn’t doable. So, despite the fact that the bugs have long been fixed, they continue to affect the crypto wallets that were created when the above-discussed errors plagued the BitcoinJS library. This means that vulnerable wallet owners themselves need to take protective measures.

Because the task of drawing up a complete list of cryptocurrency platforms that used the vulnerable library is difficult, it’s better to play it safe and consider any crypto wallet created online between 2011 and 2015 to be potentially insecure (unless you know for sure that it’s not). And naturally, the fatter the wallet — the more tempting it is to criminals.

The obvious (and only) solution to the problem is to create new crypto wallets and move all funds from potentially vulnerable wallets to them.

And since you have to do this anyway, it makes sense to proceed with the utmost caution this time. Crypto protection is a multi-step process, for which reason we’ve put together a comprehensive checklist for you with loads of additional information accessible through links:

Explore the main crypto threats and protection methods in detail.
Understand the differences between hot and cold crypto wallets, and the most common ways they are attacked.
Use a hardware (cold) wallet for long-term storage of core crypto assets, and a hot wallet with minimal funds for day-to-day transactions.
Before transferring all funds from the old wallet to the new one, equip all your devices with reliable protection. It will guard your smartphone or computer against Trojans looking to steal passwords and private keys or clippers that substitute crypto wallet addresses in the clipboard, as well as protect your computer from malicious crypto miners and unauthorized remote access.
Never store a photo or screenshot of your seed phrase on your smartphone, never post your seed phrase in public clouds, never send it through messengers or email, and don’t enter it anywhere except when recovering a lost private key.
Securely store your private key and the seed phrase for its recovery. This can be done using the Identity Protection Wallet in Kaspersky Premium, which encrypts all stored data using AES-256. The password for it is stored nowhere except in your head (unless, of course, it’s on a sticky note attached to your monitor) and is unrecoverable — so the only one with access to your personal documents is you.
Another option is to use a cold crypto wallet that doesn’t require a seed phrase to back up the private key. This is how, for example, the Tangem hardware wallet works.

Kaspersky official blog – ​Read More

On November 14, Google released a bulletin reporting a serious vulnerability in a number of Intel processors — starting from the Ice Lake generation released in 2019. Potentially this vulnerability can lead to denial of service, privilege escalation, or disclosure of sensitive information. At the time of writing, microcode updates addressing the issue have been released for the 12th and 13th generation Intel processors (Alder Lake and Raptor Lake, respectively). Patches for 10th and 11th generation processors (Ice Lake and Tiger Lake) are in progress. The full list of affected processors is available on the Intel website in the form of an extensive spreadsheet.

According to Intel representatives, the company’s engineers were aware of the processors’ abnormal behavior, but the issue was considered non-critical, and plans to resolve it were postponed to the first half of 2024. However, the situation changed when Google researchers discovered the problem independently. In fact, all of the details about the vulnerability actually come from Google specialists, specifically from this article by Tavis Ormandy.

Processor fuzzing

Tavis Ormandy has discovered numerous major vulnerabilities in various programs and devices. Recently, we wrote about his previous research that found the Zenbleed vulnerability in AMD processors. On that occasion, Tavis talked about adopting fuzzing to find hardware vulnerabilities.

Fuzzing is a testing method that involves feeding random information into the input of the information system being tested. Usually, it’s used to automate the search for software vulnerabilities: a special fuzzing tool is created to interact with the program and monitor its state. Subsequently, tens or hundreds of thousands of tests are conducted to identify unusual behavior in the tested code.

When it comes to testing processors, things are a bit more complicated. We have to generate random programs that operate with no failures of their own and run them on the processor. How can we differentiate normal processor behavior from abnormal behavior in such a case? After all, not every error during software execution leads to a crash. Ormandy proposed a technique in which the same “random” code is simultaneously executed on different processors. Theoretically, the output of an identical program should also be identical; if it isn’t, it could indicate a problem. It was this approach that revealed the vulnerability in the Intel processors.

Useless but dangerous code

To understand how the Reptar vulnerability works, we need to go down to the lowest level of programming — the machine code that processors execute directly. Assembly language is used to represent such basic instructions in a more convenient way. A snippet of assembly language code looks something like this:

The last line features the movsb instruction, which tells the processor to move data from one memory area to another. It’s preceded by the rep modifier, which indicates that the movsb command should be executed several times in a row. Such prefixes are not relevant for all instructions. Intel processors know how to skip meaningless prefixes. Tavis Ormandy gives an example:

Let’s add another prefix, the so-called rex.rxb. It was introduced alongside the x86-64 architecture to handle eight additional processor registers. Although what exactly it does is not that important — all we need to know is that this prefix doesn’t make sense when used with the movsb command:

In fact, this prefix changes the behavior of Intel processors (starting from Ice Lake), although it shouldn’t. In this generation of processors, a technology called “Fast Short Repeat Move” was added. It’s designed to accelerate operations involving data movement in RAM. Among other things, this technology can optimize the execution of the rep movsb instruction. Along with the “Fast Short Repeat Move” feature, a flaw crept into the processor’s logic, first discovered by Intel engineers and later by Google experts.

Immediate threat

What could executing this instruction, which disrupts the normal behavior of the processor, lead to? According to Ormandy, the results are unpredictable. The researchers observed execution of random code, parts of the program being ignored, and various failures in the processor, all the way up to complete failure. For the latter, one needs to somehow exploit the vulnerability on a pair of processor cores simultaneously. To check their own systems for this vulnerability, a team of Google researchers prepared a test program.

Unpredictable behavior is bad enough. The most important difference between this “processor bug” and all the others is that it directly threatens providers of virtual private server hosting services, or cloud solution providers in general. This industry is built on the ability to share a single powerful server among dozens or hundreds of clients — each managing their own virtual operating system. It’s crucial that under no circumstances should one client see another client’s data or the data of the host — the operating system managing the virtual containers.

Now imagine that a client can execute a program in their virtual OS that causes the host to crash. At the very least, this could enable a DoS attack on the provider. In fact, Ormandy didn’t present any other exploitation scenarios, citing the fact that it’s very difficult to predict the behavior of a processor operating in black-box mode; although it’s theoretically possible for an attacker to execute specific malicious code instead of relying on random failures. Intel representatives themselves acknowledge that “code execution” and “information disclosure” are possible. Therefore, it’s extremely important to install microcode updates prepared by Intel (for virtual hosting service providers at least).

Kaspersky official blog – ​Read More