Researchers have discovered crucial vulnerabilities that affect all modern CPUs, and impact virtually every device from servers, to desktops, to mobile devices. The two issues—Spectre and Meltdown—are a function of the CPU hardware and can be potentially exploited regardless of the operating system you run on the hardware. In a nutshell, these vulnerabilities are potentially massive and the scope of affected devices is mind boggling.
Let’s take a look at what Spectre and Meltdown are, what the potential consequences of an exploit might be, and what you can do to remediate these issues.
What are Spectre and Meltdown?
The issues are fairly technical, but I will try to explain them in plain English. If you really want the nitty gritty details, I suggest you read Google’s deep dive on the CPU vulnerabilities.
The simple explanation is that the vulnerabilities cause the chip’s kernel to leak memory. The kernel is the heart and soul of the CPU. It has access to and complete control of the operating system and interacts directly with system hardware.
The “flaw” isn’t even technically a flaw, really. There is no bug in the CPU—just a design and execution issue that can be exploited by attackers. The vulnerabilities result from the way the processor addresses what’s called “speculative execution,” which is used to increase performance. Although the behavior of speculative execution is theoretically unpredictable, attackers can find ways to predict the timing and access the memory cache.
Because of the nature of the vulnerabilities and associated exploits, Spectre and Meltdown are unlikely to be used as initial attack vectors. They are more likely to be used as a means of moving laterally across your network once access has been gained through some other malware exploit.
Due to the nature of these vulnerabilities and the proof of concepts available in their current form, it’s not possible to detect and block the active exploitation of these specific vulnerabilities alone. The attack itself is local—so some level of access is required to successfully exploit these vulnerabilities—but, it’s not hard to see the possibility of these vulnerabilities being included in advanced malware attacks in the future.
Alert Logic’s Threat Intelligence team will remain vigilant and will keep an eye out for weaponized versions of these attacks. Alert Logic will have scanning content available to check for the existence of this vulnerability available on Friday January 5th.
Why Should I Be Concerned about Spectre or Meltdown?
Because the technology being exploited is a feature rather than a bug, it exists across virtually all processors, including Intel, AMD, and ARM. That means that everything from cloud services to tablets and smartphones are at risk.
Spectre is more difficult to exploit than Meltdown and it will also be harder to mitigate. According to Google, Spectre allows an attacker to trick applications into accessing arbitrary locations in memory. There are ways to work around the issue and defend against it from software, but there appears to be little that can be done to fundamentally resolve the problem from a hardware perspective.
The more serious concern right now is Meltdown. Google explains that Meltdown breaks the isolation between user applications and the operating system. If exploited, it can potentially expose sensitive data from the protected kernel memory—including encryption keys, passwords, or other sensitive or confidential data.
Am I at Risk from Spectre or Meltdown?
In a word, Yes.
Virtually all processors in use from Intel and AMD, as well as ARM processors—most commonly used in mobile devices—are at risk for Spectre. Every Intel processor released since 1995 is effectively vulnerable to Meltdown no matter what operating system is running on the hardware.
Intel processors use speculative execution more aggressively than other chips, and that makes Intel processors more susceptible to exploits. AMD actually claims to have minimal risk from Spectre and zero vulnerability to Meltdown.
What Can I Do to Defend Against Spectre or Meltdown?
Patch and update. Vendors have known about the flaws for some time and have already developed patches you can apply to address these vulnerabilities. Let me say that again—you must aggressively patch as soon as updates are made available. If you don’t want to end up being the next data breach headline, it’s critical that you address these issues as quickly as possible.
Apple added protection for Meltdown in the macOS update that was released on December 6. Google pushed out an update for Chrome OS on December 15. Microsoft rushed out patches for Windows ahead of the standard Patch Tuesday schedule when news of the vulnerabilities became public. There are many variants of Linux out there, and Linux developers are scrambling to develop and test patches as quickly as possible.
Cloud servers and cloud service providers are at greater risk from Spectre and Meltdown. The good news is that by the time you read this your cloud providers have probably already patched to defend against this risk. Cloud providers moved quickly to address this issue—long before the critical cloud vulnerabilities were publicly disclosed—and in some cases even developed their own patches.
I need to stress, though, that it is still urgent for you to patch the software you are running in the cloud. The cloud service provider will address the underlying infrastructure, but under the shared responsibility model it is still your responsibility to patch and update the operating systems and software you run in the cloud.
I Have Some Bad News
The patches should guard against the immediate risk for Meltdown.
Addressing Spectre effectively will take more time, and ultimately may not be entirely possible. Because the issue is a function of cache timing, there is nothing chip makers can do to completely eradicate potential exploits.
There is something else you should know, though. The patch to protect against Meltdown might also affect performance. Your mileage will vary depending on the age and architecture of the processor you’re using, as well as what types of processing demands you put on it. Just know up front that you might see a noticeable decline in speed and performance once you’ve patched.
