Massive security vulnerabilities have been found that affect most of the processors present in many of the devices we use daily. The vulnerabilities, known as Meltdown and Spectre, could allow a malicious application to access sensitive data stored in memory on desktops, laptops, mobile devices, and even hardware used by cloud-based service providers.
This affects nearly every computer with an AMD or Intel processor, and extends to Apple mobile devices (with ARM processors) and to products from Microsoft, Mozilla, and Google (excluding Google Infrastructure, Google Apps, and G-Suite), as well as the Linux kernel. As of January 4, 2018, there are no known exploits against these vulnerabilities, but users are wisely taking steps to ensure their devices are protected.
Read on to see how you could be affected and what steps you can take to protect your users, devices, and data against potential exploits.
Am I affected by the bug?
Most certainly, yes.
Can I detect if someone has exploited Meltdown or Spectre against me?
Unfortunately, probably not. The exploitation does not leave any traces in traditional log files.
Can my anti-virus detect or block this attack?
Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications.
What can be exploited?
If your system is affected, the exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.
Is there a workaround/fix?
There are patches against Meltdown for Linux (KPTI, formerly KAISER), Windows, OS X/macOS, and iOS (see resources below).
Which systems are affected by Meltdown?
Intel processors which implement out-of-order execution are potentially affected (except Intel Itanium and Intel Atom before 2013). Currently, Meltdown has only been verified on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.
Which systems are affected by Spectre?
Almost every system is affected by Spectre: desktops, laptops, cloud servers, as well as smartphones and tablets. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, Spectre affects Intel, AMD, and ARM processors.
Which cloud providers are affected by Meltdown?
Cloud providers which use Intel CPUs and Xen PV as virtualization without having patches applied are affected. Furthermore, cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ are affected.
What are CVE-2017-5753 and CVE-2017-5715?
CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
What is CVE-2017-5754?
CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
- Use asset management software to capture the processor types included in desktops, laptops, servers, and mobile devices. Almost all computers with Intel or AMD chipsets are affected.
- Keep operating systems, Web browsers, and anti-virus applications updated.
- Microsoft has published an update to protect against Meltdown (see references below).
- Google has a fix for both Meltdown and Spectre (see reference below).
- Apple’s macOS High Sierra 10.13.3 (released in December 2017) is also protected against Meltdown.
- Kernel fixes are available for Linux (see references below).
- Use the Chrome browser, and turn on site isolation.
  - Corporate network administrators can do this through group policy as long as they have the ADMX templates for Chrome installed.
  - Home or standalone users can turn site isolation on in the Chrome browser per this article.
- If you use Firefox, update to version 57 or higher. Firefox ESR users are waiting for an update.
- Microsoft did release patches to fix IE for this vulnerability, but keep checking for updated information. If you are using IE for some specific reason, make sure it is patched and only use IE for specific purposes. For everything else, use Chrome or Firefox.
- Apply OS updates only when you feel there is no risk of disrupting something else.
- Update your anti-virus security software—Macs and iPhones are not exempt.
- Wait for firmware updates from your hardware vendors. Keep checking. Be prepared to purchase a new computer that is supported if necessary.
- Use different passwords. Every single device or website you authenticate to should have different credentials.
- There may be additional OS patches, firmware updates, etc. coming from manufacturers. Keep checking!
Warning: Customers who only install the Windows January 2018 security updates will not receive the benefits of all known protections against the vulnerabilities. In addition to installing the January 2018 security updates, a processor microcode (firmware) update is required. This should be available through your device manufacturer.
Note: Surface customers will receive a microcode update via Windows update.
The operating system patches that modify the way the OS interacts with the CPU may cause a 15% to 30% reduction in efficiency.
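To confirm on a Linux host that the kernel fixes and the microcode mentioned above are in place, the following added example (not from the original page) maps the three CVEs to the kernel's sysfs mitigation report and prints the CPU model and microcode revision for inventory. The function names are hypothetical and the fixture values in `make_sample` are constructed; the sysfs path is the standard one on kernels that carry the fixes.

```shell
# Added example: kernel-reported mitigation state for the CVEs named on this page.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities   # standard kernel path

# classify_status TEXT -> mitigated | vulnerable | not-affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_mitigations [DIR]: one line per CVE; returns 1 if any is not covered.
report_mitigations() {
    dir=${1:-$VULN_DIR}; rc=0
    for pair in meltdown:CVE-2017-5754 spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715; do
        name=${pair%%:*}; cve=${pair#*:}
        # A missing file means the kernel predates the fixes and reports nothing.
        if [ -r "$dir/$name" ]; then raw=$(cat "$dir/$name"); else raw="no sysfs entry"; fi
        class=$(classify_status "$raw")
        case "$class" in vulnerable|unknown) rc=1 ;; esac
        printf '%s %s %s (%s)\n' "$cve" "$name" "$class" "$raw"
    done
    return "$rc"
}

# cpu_summary [FILE]: vendor, model and microcode revision of the first CPU.
cpu_summary() {
    awk -F': *' '
        /^vendor_id/  && v == "" { v = $2 }
        /^model name/ && m == "" { m = $2 }
        /^microcode/  && u == "" { u = $2 }
        END { printf "%s | %s | microcode %s\n", v, m, (u != "" ? u : "unknown") }
    ' "${1:-/proc/cpuinfo}"
}

# make_sample DIR: constructed fixture (patched kernel, Spectre variant 2 still open).
make_sample() {
    mkdir -p "$1"
    echo "Mitigation: PTI" > "$1/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$1/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$1/spectre_v2"
    printf 'vendor_id\t: GenuineIntel\nmodel name\t: Sample CPU @ 3.40GHz\nmicrocode\t: 0xc2\n' > "$1/cpuinfo"
}

# Run against the live host only when asked:  sh thisfile.sh --live
if [ "${1:-}" = "--live" ]; then cpu_summary; report_mitigations; fi
```

This reports patch state only; it says nothing about whether the vulnerabilities were ever exploited on the host.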