Spectre & Meltdown (update, patch and pray)

The big news of the New Year was the announcement of two major security flaws, Meltdown and Spectre, found within pretty much every processor made since 1995. That includes nearly all servers, desktops, tablets, routers and smartphones. On the face of it, the flaw seems relatively innocuous: it only gives someone the ability to eavesdrop on the CPU. However, with the right software, it is theoretically possible to steal the username and password for that system, at which point an attacker has total control over everything:

https://arstechnica.com/gadgets/2018/01/whats-behind-the-intel-design-flaw-forcing-numerous-patches

The good news is that whilst the vulnerability was identified by academics working at Google Project Zero, no one outside these circles has yet turned it into a proper virus. That won’t be the case for long.

Most operating systems, browsers, anti-virus, application providers and hardware manufacturers have rushed to release automatic updates and patches. Unfortunately, some of these patches were released too quickly and without proper testing, resulting in the cure causing more damage (through system lock-outs) than the disease. Windows updates in particular had some major problems when they conflicted with certain anti-virus software:

https://www.theregister.co.uk/2018/01/09/meltdown_patch_anti_malware_conflict

Updates can also have a serious impact on computer performance, causing many IT professionals to hold fire on rolling out ‘official patches’ until their impact can be fully evaluated:

https://www.wired.com/story/meltdown-spectre-patching-total-train-wreck

Our advice (at the moment) is to do the following:

  • Make sure you’re updating your anti-virus and browser software daily

  • Make sure your Operating System auto-updates are enabled

  • For any other patching, either seek professional help before applying an update or carefully review other people’s experiences first.

Unfortunately, whilst operating system and browser updates have helped mitigate the risk of Spectre, IT experts agree the only true fix is a hardware update. As such, Spectre is likely to remain an issue for years to come. 

Mitigations

Microsoft has issued a patch for Windows 10 today (5th Jan 2018) while older versions of Windows are expected to be patched on the traditional Patch Tuesday (9th Jan 2018). Microsoft has also issued a guidance document for mitigating the attack on devices. As mentioned above, the patches released by Microsoft are causing some incompatibility with certain antivirus software.

macOS 10.13.2 mitigates some of the discovered vulnerabilities, but macOS 10.13.3 will hopefully complete these mitigations.

For Linux systems, Red Hat has already released the first set of kernel patches to deal with three variants of the Meltdown attack.

  • CVE-2017-5754 is the most severe of the three. This exploit uses speculative cache loading to enable a local attacker to read the contents of memory. This issue is corrected with kernel patches.
  • CVE-2017-5753 is a bounds-checking exploit during branching. This issue is corrected with a kernel patch.
  • CVE-2017-5715 is an indirect branching poisoning attack that can lead to data leakage. This attack allows for a virtualized guest to read memory from the host system. This issue is corrected with microcode, along with kernel and virtualization updates to both guest and host virtualization software.
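
To confirm that the kernel patches for the three CVEs above are actually active on a Linux host, the following added example (not from the original article or any vendor's tooling) reads the status files that patched kernels expose under /sys/devices/system/cpu/vulnerabilities. The function names and the VULN_DIR override are assumptions made for this example; a missing status file is reported as unknown, which usually means the kernel predates the reporting interface.

```shell
#!/bin/sh
# Added example: report the kernel's own view of the three CVEs listed above.
# VULN_DIR can be overridden (assumption of this example) to point at a copy
# of the sysfs files, e.g. collected from another host.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT: map a sysfs status line to one keyword.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation"*)   echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cve CVE SYSFS_NAME: print one report line; succeed only if the kernel
# states the CPU is not affected or a mitigation is active.
check_cve() {
    file="$VULN_DIR/$2"
    if [ -r "$file" ]; then
        detail=$(cat "$file")
        state=$(classify_status "$detail")
    else
        # No status file: the kernel does not report on this issue at all.
        detail="no status file, kernel may predate the patches"
        state=unknown
    fi
    printf '%s %s (%s)\n' "$1" "$state" "$detail"
    [ "$state" = not_affected ] || [ "$state" = mitigated ]
}

# report_all: check all three CVEs; return how many are not confirmed safe.
report_all() {
    bad=0
    check_cve CVE-2017-5754 meltdown   || bad=$((bad + 1))
    check_cve CVE-2017-5753 spectre_v1 || bad=$((bad + 1))
    check_cve CVE-2017-5715 spectre_v2 || bad=$((bad + 1))
    return "$bad"
}

report_all || echo "$? issue(s) not confirmed mitigated: check kernel and microcode updates"
```

This only reflects what the running kernel reports, so re-run it after each kernel or microcode update and reboot.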

Processor vendor links:

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
https://www.amd.com/en/corporate/speculative-execution
https://developer.arm.com/support/security-update

Other software vendor patches:

https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
https://access.redhat.com/security/vulnerabilities/speculativeexecution
https://www.suse.com/support/kb/doc/?id=7022512

To find out more about Meltdown and Spectre, or if you have any further questions about the vulnerabilities, you can check the official Meltdown Attack site: 

https://meltdownattack.com