The first full week started 2018 with a bang in the information security space when two new vulnerabilities were disclosed. These new vulnerabilities, dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753), allow for sensitive information to be leaked from computer systems in a few different ways depending on the hardware of the specific device.
What exactly is the problem?
These bugs take advantage of a specific part of the CPU that does “speculative execution” – a method for making the processor run faster by executing code in advance of the real need to do so. New research discovered the ability to of certain actions to prime the pump, essentially, by feeding specially crafted instructions into the CPU in a specific order that then allows data to be exfiltrated from sensitive parts of the system – this might be things like passwords, encryption keys, or other data.
What is the difference between Spectre and Meltdown?
On a technical level, Meltdown is an additional bug that is specific to Intel processors and some small number of ARM systems. The attack is similar to Spectre, but in this case relies on specifics of the hardware implementation of speculative execution that Intel and ARM has used.
Spectre, on the other hand, affects all CPUs from Intel, AMD, ARM, and even PowerPC cores according to some sources. These attacks abuse fundamental risks that are a part of speculative execution – basically the processors have been trading speed for security, something that is seen all to commonly.
At the end of the day, both of these vulnerabilities are major issues, but it appears that Meltdown will be easier to remediate, and Spectre may be the bigger long term threat. This is because patching against Meltdown is easier to do, whereas patching against Spectre takes applying patches at several levels – from new CPU micro-code to the web browser, and the operating system in between.
What is the expected impact of Meltdown and Spectre?
These vulnerabilities were disclosed to major vendors including chip manufacturers (Intel, AMD, ARM), operating system vendors (Microsoft, Apple, and others), and even large cloud hosting companies like Amazon at some point around mid 2017, so all of these parties have been working to prepare fixes for their systems. Unfortunately patching against Spectre is not quite so simple – requiring patches to the BIOS / CPU MicroCode, Operating System, and in some cases specific software like web browsers, for complete protection. What this means is that these issues could potentially linger in systems for quite some time after they were disclosed – especially when devices like consumer IoT products, automotive CPUs, or other industrial equipment are considered.
At this point it is considered unlikely that these techniques have been exploited in the wild for nefarious reasons because the research behind them is so new. One cause for concern is that these type of attacks do not leave traces in system logs, therefore detection may be difficult if not impossible.
The other area where the impact of these issues will be felt is in data centers. The fix for Meltdown specifically, which is required for most Intel CPUs, affects performance of the processors by up to 30% depending on the specific usage case. The vast majority of data center systems run on Intel CPUs. A sudden 30% increase in CPU usage could mean immediate cost increases for businesses that rely heavily on technology.
Lastly it is possible that one tangential outcome of this issue is jail time for Intel’s CEO. No – it’s not illegal for computers, microchips, or software to have bugs and get hacked, which is a good thing because it happens to everyone! What might be illegal, in this case, is the response to discovering those issues. It appears as if Intel’s CEO may have sold Intel stock in advance of this information being released – expecting a drop in share value. At a minimum, an investigation will probably take place to see if this amounts to insider trading.
What can you do to be protected?
The key here, and this has been said before, is applying patches as soon as possible. In many cases, including Windows 10, Firefox, Chrome, and some of the better consumer electronics, patching now happens automatically if using the default settings – and this is great for users. On other systems, such as MacOS, the user will be prompted to install patches once Apple has approved them for release.
Unfortunately, this still leaves other areas behind – specifically with this bug the system’s BIOS / CPU microcode must also be patched, which is something that must be done manually. You will need to visit your vendor’s website for more information on this specifically. Also, it’s worth mentioning again that in many cases IoT, home routers, smart homes, industrial devices, transportation, etc – may need manual upgrades to their firmware to address issues like this. End users are generally not aware of the need for these updates, so these devices are all too often left unpatched.
Lastly, if you are technical and would like to check if your system is fully patched against these attacks, there is a PowerShell script available on github that checks for the apropriate patches for both Spectre and Meltdown, including BIOS level, operating system, and web browsers.
For more details on these vulnerabilities visit https://meltdownattack.com/