Two distinct vulnerabilities dubbed Meltdown and Spectre potentially affect almost every system1. In a world that is already saturated with cyberattacks and vulnerabilities, it is easy to succumb to cyber threat fatigue when discussing two new outbreaks. Even though there have been no confirmed reports of attacks that have taken advantage of these newly exposed vulnerabilities, they are highly concerning. That is because they involve the CPU, the fundamental building block of the internet, corporate networks and PCs.
What is the Risk?
Data is constantly running through spaces within CPUs and system memory in raw and unencrypted form. Fortunately, there are protections to protect this data and prevent it from being observed or inadvertently accessed. A CPU requires permission to implement a task in the same manner a user requires permission to run an application or access a file. The problem is that 22 years ago, someone decided to rush the processes implemented by the CPU in order to make it faster. This was accomplished by designing the processor to predict what function will be run next so that executions are queued in advance. For example, the CPU executes certain instructions while checking the process’s permissions, and doing these in parallel. If it turns out that the process does not have the correct permissions, the process is simply canceled and deleted. Once clever op-ed piece in the New York Times2 compared it to an overly attentive butler pouring the second glass of wine before you knew you were going to ask for it. Should the butler’s hunch be incorrect, he simply disposes of the poured wine. This seems innocent enough, except that the dinner guests have gained additional knowledge of the wine contained in the wine cellar by the host.
The problem in the case of these CPU vulnerabilities is that a hacker can take advantage of these speculative executions by injecting malicious code to access the information contained within the processes. What this means is that an attacker can access passwords, photos, documents and other types of data from PCs, cloud computing services, smartphones and even IoT devices. These vulnerabilities are most concerning for cloud computing services in which server hardware is shared amongst multiple clients.
What we know.
Although exposure risks are fairly for similar for the two vulnerabilities, Meltdown and Specter are slightly different in their makeup and complexity.
- Spectre’s name comes from “speculative execution”. It breaks the isolation between different applications, which could allow an attacker to manipulate programs into leaking their secrets. Essentially, Spectre can steal information from one application and share it with another. Spectre affects Intel, ARM and AMD processors. It requires far more complexity in effort to take advantage of, as it requires direct access to the microchip.
Impact to the Organization
Like any vulnerability, Meltdown and Spectre pose a cyber security risk to any organization. Because nearly every node within your network utilizes one of these affected CPUs, it will require your staff to patch every laptop, desktop, server, tablet, and mobile device in your enterprise. Beyond the vast scope of this endeavor is the fact that solutions, as of right now, come at the expense of slower performance depending upon what chip generation is involved. This is especially troublesome for cloud computing companies whose services depend on fast processing power. What’s more, in some cases, the proposed cure is worse than the problem being addressed as IT staffs have encountered blue screens and other reboot problems after patching.
What to do to Protect Yourself (we can help if you need guidance)
Vendors are working quickly to address Meltdown, as it is the easier of the two. Spectre is more challenging as it requires updating the firmware of the CPU itself rather than patching the OS and browser. Here is where we stand as of right now.
- Intel has released a firmware update for added hardware protection for its chips. The updates will be distributed through OEMs such as Dell, HP, Lenovo and others. Information concerning these updates can be found at the OEM websites.
- Microsoft has released security updates for Windows 10, Internet Explorer, Edge and earlier operating systems for INTEL systems. Although they initially addressed AMD systems, those patches have been pulled due to compatibility issues4. They are also applying patches to their cloud services. Microsoft has also experienced problems with third party antimalware software and is now requiring all such vendors to confirm compatibility with its CPU fixes and set a registry key in their products to certify compatibility5. The absence of this registry key will prevent all future Windows security updates from being installed.
- AWS recently published AWS Security Bulletin AWS-2018-01366 for the newly disclosed research regarding side-channel analysis via speculative execution on modern computer processors.
- Firefox has released version 57 that includes the fix.
- Google rolls out their fix in Chrome 64 on January 23.
- Apple has confirmed that its systems are affected as well and has released updates for its iPhones, Macs and Apple TVs. It will release a new version of Safari in the coming days. Further updates to their products will add additional protection as well.
While fixes have been released, “some patches have done more harm than good, requiring recalls and sowing general confusion.7“
In the end, Meltdown/Spectre have shown us just how vulnerable we are in a wired digital world. It also shows us that our desire for speed comes at a price in the end; we may not be willing to remunerate.
Have an ongoing managed detection and response (MDR) strategy with HALOCK’s Threat Hunting Program.
- Meltdown and Spectre
- Microsoft yanks buggy Windows Meltdown/Spectre patches for AMD computers, Computerworld
- Meltdown and Spectre Patches; How it will affect your machine, Intel warns, JBH News
- Microsoft: No more Windows patches at all if your AV clashes with our Meltdown fix, ZDNet
- The Looming Digital Meltdown, The New York Times
- Processor Speculative Execution – Operating System Updates, AWS
- Meltdown and Spectre Patching Has Been a Total Train Wreck, WIRED