The Meltdown and Spectre Vulnerabilities: Get the Lowdown

Protect Against These Big-Time Bugs

Bill Virtue

1/23/18 Update — Reports, patches, and updates are still coming forward. We are continuing to monitor the situation as it develops. Here are a few links to help keep you updated on where the situation stands as of Tuesday, January 23rd.

The Meltdown and Spectre bugs have spawned a vast number of quickly assembled patches, including browser and operating-system-level fixes, but the patches to the processors themselves are widely considered the most difficult part of the recovery. Shortly after the vulnerability became public, Microsoft was forced to halt AMD’s Spectre patch after it rendered some computers unbootable.

Intel has also responded quickly, working with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to mitigate this issue. You can keep up with their latest findings and announcements here, including this week’s updated guidance for customers and partners about the root cause of update-related reboot issues.

Original Post from 1/10/18

A massive security vulnerability has been found that affects most of the processors present in many of the devices we use daily. The vulnerabilities, known as Meltdown and Spectre, could allow a malicious application to access sensitive data stored in memory on desktops, laptops, mobile devices, and even hardware used by cloud-based service providers.

This affects nearly every computer with an AMD or Intel processor, and it extends to Apple mobile devices (with ARM processors) and to products from Microsoft, Mozilla, and Google (excluding Google Infrastructure, Google Apps, and G-Suite), as well as the Linux kernel. As of January 4, 2018, there are no known exploits against these vulnerabilities, but users are smartly taking steps to ensure their devices are protected.

Read on to see how you could be affected and what steps you can take to protect your users, devices, and data against potential exploits.

Q&A:

Am I affected by the bug?
Most certainly, yes.

Can I detect if someone has exploited Meltdown or Spectre against me?
Unfortunately, probably not. The exploitation does not leave any traces in traditional log files.

Can my anti-virus detect or block this attack?
Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications.

What can be exploited?
If your system is affected, the exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.

Is there a workaround/fix?
There are patches against Meltdown for Linux (KPTI, formerly KAISER), Windows, OS X/macOS, and iOS (see resources below).

Which systems are affected by Meltdown?
Intel processors which implement out-of-order execution are potentially affected (except Intel Itanium and Intel Atom before 2013). Currently, Meltdown has only been verified on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.

Which systems are affected by Spectre?
Almost every system is affected by Spectre: desktops, laptops, cloud servers, as well as smartphones and tablets. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, Spectre affects Intel, AMD, and ARM processors.

Which cloud providers are affected by Meltdown?
Cloud providers which use Intel CPUs and Xen PV as virtualization without having patches applied are affected. Furthermore, cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ, are affected.

What are CVE-2017-5753 and CVE-2017-5715?
CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

What is CVE-2017-5754?
CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

Our Recommendations:

  • Utilize asset management software to capture the processor types included in desktops, laptops, servers, and mobile devices. Almost all computers with Intel or AMD chipsets are affected.
  • Keep operating systems, Web browsers, and anti-virus applications updated.
    • Microsoft looks for a registry entry and stops pushing patches if it’s missing—making it important to update your anti-virus software first. If you don’t, you may believe you applied patches when you didn’t. More information on Microsoft’s response to the vulnerabilities can be found here and here.
  • Microsoft has published an update to protect against Meltdown (see references below).
  • Google has a fix for both Meltdown and Spectre (see reference below).
  • Apple’s macOS High Sierra 10.13.3 (released in December 2017) is also protected against Meltdown.
  • Kernel fixes are available for Linux (see references below).
  • Use the Chrome browser, and turn on site isolation.
    • Corporate network administrators can do this through group policy, as long as the ADMX templates for Chrome are installed.
    • Home or standalone users can turn site isolation on in the Chrome browser per this article.
  • If you use Firefox, update to version 57 or higher. Firefox ESR users are waiting for an update.
  • Microsoft did release patches to fix IE for this vulnerability, but keep checking for updated information. If you are using IE for some specific reason, make sure it is patched and only use IE for specific purposes. For everything else, use Chrome or Firefox.
  • Apply OS updates only when you feel there is no risk of disrupting something else.
  • Update your anti-virus security software—Macs and iPhones are not exempt.
  • Wait for firmware updates from your hardware vendors. Keep checking. Be prepared to purchase a new computer that is supported if necessary.
  • Use different passwords. Every single device or website you authenticate to should have different credentials.
  • There may be additional OS patches, firmware updates, etc. coming from manufacturers. Keep checking!
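To confirm that the Linux kernel fixes mentioned above (KPTI for Meltdown, plus the Spectre mitigations) are actually active on a host, the kernel's own status files can be read. The script below is an added example, not part of the original post; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (mainline 4.15 or a vendor backport), and the sample directory it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example: read the Linux kernel's own view of the three CVEs above.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities
# (mainline 4.15+ or a vendor backport). Older kernels have no such files.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map the kernel's free-form status line to one keyword.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_entry <sysfs-name> [dir]: a missing file means the kernel predates
# the reporting interface, so it is reported separately, never as "safe".
check_entry() {
    file="${2:-$VULN_DIR}/$1"
    if [ ! -r "$file" ]; then echo unreported; return 0; fi
    classify_status "$(cat "$file")"
}

# report [dir]: one line per CVE; exit status 1 if any entry needs attention.
report() {
    rc=0
    for pair in CVE-2017-5754:meltdown CVE-2017-5753:spectre_v1 \
                CVE-2017-5715:spectre_v2; do
        state=$(check_entry "${pair#*:}" "${1:-$VULN_DIR}")
        printf '%s (%s): %s\n' "${pair%%:*}" "${pair#*:}" "$state"
        case "$state" in mitigated|not_affected) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample: KPTI active, Spectre v2 unmitigated, and no
# spectre_v1 file at all (as on a kernel with only a partial backport).
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample)
report "$sample" || echo "action needed: update kernel and CPU microcode"
rm -rf "$sample"
```

Calling `report` with no argument checks the live system; an `unreported` result means the kernel is too old to say anything and should be treated as unpatched.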

Microsoft Statement:

Warning: Customers who only install the Windows January 2018 security updates will not receive the benefits of all known protections against the vulnerabilities. In addition to installing the January 2018 security updates, a processor microcode, or firmware, update is required. This should be available through your device manufacturer.

Note: Surface customers will receive a microcode update via Windows update.

Performance Impacts:

The operating system patches that modify the way the OS interacts with the CPU may cause a 15% to 30% reduction in efficiency.

Resources:
https://support.google.com/faqs/answer/7625886
https://www.macrumors.com/2018/01/04/apple-meltdown-spectre-vulnerability-fixes/
https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/
https://spectreattack.com/#faq-leaked
http://www.amd.com/en/corporate/speculative-execution
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
https://security-center.intel.com
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
http://www.crn.com/slide-shows/security/300097621/9-steps-intel-recommends-to-sidestep-spectre-and-meltdown.htm

Bill is a Senior Systems Engineer at Connection with over 30 years of experience in Networking Solutions, Information Security, and Identity Management. Bill is a founding member of the ISSA NH chapter dedicated to promoting Information Security within the business community. Bill is also a US Navy veteran and held Operations Management positions within the Atlantic Fleet. Bill has broad knowledge in the Security and Compliance space and has consulted on large scale enterprise deployments and security projects and contributed to many technical articles and technology white papers. When he has free time, Bill enjoys catching up with family and friends and riding his Harley Davidson.
