This post will be updated as the story evolves.

You may have heard of Meltdown and Spectre over the last few days and wondered what they are. Basically, they’re names for new vulnerabilities within the architecture of x86 and x64 processors, which are used in most servers, desktops, routers and phones. Meltdown is a vulnerability specifically for Intel CPUs, while Spectre can be used to attack nearly all CPU types.

An attack using these vulnerabilities means that one process running on the CPU is able to read the protected memory belonging to another process. This lets an attacker do things such as read usernames or passwords that should be accessible only to the process using them. With Meltdown, a malicious attacker needs to be running a process on the system itself, while Spectre can be launched from within a browser using a script. This means that an attack using Spectre can be executed remotely through a compromised website, giving a far larger attack surface against systems.

Vendors are releasing patches today to help protect systems from these vulnerabilities. However, some of the updates from Microsoft may not interact properly with certain anti-virus solutions, causing system crashes and lock-ups. Make sure your anti-virus software has been updated before applying the patches from Microsoft. It is also recommended to update your operating system and browsers with the available patches as soon as possible.

Mitigations

Microsoft has issued a patch for Windows 10 today (5th Jan 2018) while older versions of Windows are expected to be patched on the traditional Patch Tuesday (9th Jan 2018). Microsoft has also issued a guidance document for mitigating the attack on devices. As mentioned above, the patches released by Microsoft are causing some incompatibility with certain antivirus software.

MacOS 10.13.2 mitigates some of the discovered vulnerabilities, and MacOS 10.13.3 will hopefully complete these mitigations.

For Linux systems, Red Hat has already released the first set of kernel patches to deal with three variants of the Meltdown attack.

  • CVE-2017-5754 is the most severe of the three. This exploit uses speculative cache loading to enable a local attacker to read the contents of memory. This issue is corrected with kernel patches.
  • CVE-2017-5753 is a bounds-checking exploit during branching. This issue is corrected with a kernel patch.
  • CVE-2017-5715 is an indirect branch poisoning attack that can lead to data leakage. This attack allows a virtualized guest to read memory from the host system. This issue is corrected with microcode, along with kernel and virtualization updates to both guest and host virtualization software.
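Once the kernel and microcode updates are installed, the practical question for an administrator is whether the running kernel reports each of the three variants as mitigated. Kernels that carry the sysfs interface (mainline 4.15 and the vendor backports that followed) expose one file per variant under /sys/devices/system/cpu/vulnerabilities/: meltdown (CVE-2017-5754), spectre_v1 (CVE-2017-5753) and spectre_v2 (CVE-2017-5715). The script below is an added example, not part of the original post or of any vendor's tooling; it reads that directory and summarises the status, and when the directory is absent (an older kernel) it falls back to a constructed sample directory so the output format can still be seen.

```shell
#!/bin/sh
# Added example: summarise speculative-execution mitigation status from the
# kernel's sysfs interface. Each file holds a short status string such as
# "Mitigation: PTI", "Not affected" or "Vulnerable".
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS_STRING -> prints vulnerable | mitigated | unknown
classify_status() {
  case "$1" in
    Vulnerable*)               echo vulnerable ;;
    Mitigation*|"Not affected"*) echo mitigated ;;
    *)                         echo unknown ;;
  esac
}

# report_dir DIR -> prints "name class raw-status" per file;
# returns 1 if any variant is still vulnerable, 0 otherwise
report_dir() {
  dir="$1"; rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    raw=$(cat "$f")
    cls=$(classify_status "$raw")
    printf '%-12s %-11s %s\n' "$name" "$cls" "$raw"
    [ "$cls" = vulnerable ] && rc=1
  done
  return $rc
}

# make_sample DIR -> constructed sample mirroring a partially patched host:
# kernel patches applied (meltdown, spectre_v1) but microcode missing (spectre_v2)
make_sample() {
  mkdir -p "$1"
  printf 'Mitigation: PTI\n'                        > "$1/meltdown"
  printf 'Mitigation: __user pointer sanitization\n' > "$1/spectre_v1"
  printf 'Vulnerable\n'                             > "$1/spectre_v2"
}

if [ -d "$VULN_DIR" ]; then
  report_dir "$VULN_DIR" \
    || echo "ACTION: unmitigated variants present; apply kernel and microcode updates"
else
  echo "sysfs interface not present on this kernel; showing constructed sample:"
  sample=$(mktemp -d)
  make_sample "$sample"
  report_dir "$sample" \
    || echo "ACTION: unmitigated variants present; apply kernel and microcode updates"
  rm -rf "$sample"
fi
```

The non-zero return from report_dir makes the script usable from configuration management or a monitoring check, where a host that still reports a Vulnerable entry after the patch window should be flagged for the missing microcode or reboot.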

Processor vendor links:

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
https://www.amd.com/en/corporate/speculative-execution
https://developer.arm.com/support/security-update

Other software vendor patches:

https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
https://access.redhat.com/security/vulnerabilities/speculativeexecution
https://www.suse.com/support/kb/doc/?id=7022512