Hyperbola users are now mitigated against Microarchitectural Data Sampling (MDS) vulnerabilities

As part of our commitment to provide a fully free (as in freedom) operating system that is stable, simple and "SECURE", we hereby announce that Hyperbola users are now mitigated against the recently published Microarchitectural Data Sampling (MDS) vulnerabilities, also known as ZombieLoad (CVE-2018-12130), RIDL (Rogue In-Flight Data Load) (CVE-2018-12127 and CVE-2019-11091) and Fallout (CVE-2018-12126), which Intel has controversially rated as "Moderate" severity.

These flaws, if exploited by an attacker with local shell access to a system, could allow data in the CPU's cache to be exposed to unauthorized processes. While difficult to execute, a skilled attacker could use these flaws to read memory from a virtual or containerized instance, or from the underlying host system. The vulnerabilities can be exploited using malware planted on the targeted devices, but some of them can also be exploited remotely from the internet via JavaScript code on malicious websites: a rogue website running JavaScript in the target's browser could trick the CPU into revealing data that should be protected from untrusted code running on that machine. That data can include which website the user is browsing, their passwords, or the secret keys used to decrypt their encrypted hard drive. At this point in time, these specific flaws are only known to affect Intel-based processors.

Hyperbola users are strongly advised to update their systems immediately by running # pacman -Syu to perform the upgrade.

Additionally, since it is not possible to fully prevent cross-thread attacks, complete mitigation of MDS may require disabling Intel Hyper-Threading Technology. Users must decide this at their own discretion, after evaluating whether disabling SMT/HT and trading performance for security is what they want. Hyper-Threading (Intel HT) is Intel's implementation of simultaneous multithreading (SMT), a technique for splitting a single physical processor core into two virtual cores known as hardware threads. It is meant to improve performance by allowing two software threads to run simultaneously on each physical core, sharing the available resources on the silicon as needed. This means one physical core can juggle two threads at the same time, either from the same application or from two separate applications, improving throughput. However, it also brings the risk that side-channel techniques such as MDS may break hardware-thread isolation and access sensitive data they should not be able to see. In other words, one thread can potentially snoop on the memory accesses of another thread sharing the same physical core and lift passwords, keys and other secrets. In this case, part of the mitigation advice is to specify the kernel command line option mds=full,nosmt.
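A small POSIX shell helper, added here as an example and not part of this announcement or of Hyperbola's packages, that interprets the MDS status line the Linux kernel exposes in sysfs and checks whether the boot command line carries mds=full,nosmt. The status strings it matches are the kernel's own report formats; the sysfs and procfs paths are assumed to be the standard Linux ones.

```shell
#!/bin/sh
# Added example, not part of the Hyperbola announcement or its packages: read
# the kernel's own MDS report and the boot command line to verify the mitigation
# state after pacman -Syu and a reboot. Assumes the Linux sysfs and procfs paths
# below, as exposed by kernels carrying the MDS mitigation.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# Classify the single line found in the mds sysfs file.
# Prints: not-affected | mitigated | mitigated-smt-exposed | unmitigated | unknown
mds_status() {
    case "$1" in
        "Not affected")                echo not-affected ;;
        Vulnerable*)                   echo unmitigated ;;
        Mitigation:*"SMT vulnerable"*) echo mitigated-smt-exposed ;;
        Mitigation:*)                  echo mitigated ;;
        *)                             echo unknown ;;
    esac
}

# Succeeds when the boot command line carries mds=full,nosmt as a whole word;
# "mds=full" alone keeps SMT enabled and does not count.
has_mds_nosmt() {
    for word in $1; do
        [ "$word" = "mds=full,nosmt" ] && return 0
    done
    return 1
}

# Combine the two signals into the advice the announcement gives.
# $1: mds sysfs line   $2: kernel command line
advice() {
    case "$(mds_status "$1")" in
        not-affected) echo "not affected" ;;
        mitigated)    echo "mitigated; sibling threads not exposed" ;;
        unmitigated)  echo "not mitigated: run pacman -Syu and reboot into the patched kernel" ;;
        mitigated-smt-exposed)
            if has_mds_nosmt "$2"; then
                echo "mds=full,nosmt is set but SMT is still reported vulnerable: check the running kernel"
            else
                echo "CPU buffers are cleared but SMT siblings stay exposed: consider mds=full,nosmt"
            fi ;;
        *)            echo "unrecognised report: $1" ;;
    esac
}

# Live check on the running system, only when sysfs exposes the report.
report_live() {
    [ -r "$MDS_SYSFS" ] || { echo "no MDS report in sysfs on this kernel"; return 0; }
    advice "$(cat "$MDS_SYSFS")" "$(cat /proc/cmdline 2>/dev/null)"
}
```

Source the file and call report_live on a running system; the other functions take the sysfs line and command line as arguments, so they can be checked against constructed inputs.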

We recommend that users do not run nonfree JavaScript code, and that they use firejail to sandbox their browsers.

As part of our solution we are providing an updated kernel that is patched against these vulnerabilities, and we will ship fresh live images shortly.