10 Jan What You Need to Know About Meltdown and Spectre
At this point, you have certainly heard about the latest security threat(s) facing, well, nearly every computer on the planet. Oh boy. Definitely not the way we wanted to start the new year. Meltdown and Spectre are very scary, very real, and may be extremely difficult to address completely in the short term (this last part is still being researched).
There is a lot of confusion about these vulnerabilities so we at Harbor will try to boil it down.
Meltdown and Spectre are CPU hardware design flaws (not software "bugs") that can be very difficult to fully understand. In a technical nutshell, Meltdown breaks the isolation between a user application and the operating system kernel, so a malicious app can read kernel memory and steal whatever happens to be in it (passwords, encryption keys, etc.). Spectre goes further: it breaks the isolation between applications by tricking a victim program into leaking its own data. It is harder to exploit, but also harder to mitigate.
Basically, these hardware flaws allow a malicious program to read data being processed in your computer's memory that it should never be able to see. Normally applications are isolated from each other and from the operating system, and that isolation is a cornerstone of how every platform secures the interaction between apps and the CPU. A flaw in the hardware that is supposed to enforce it poses an enormous security threat.
This is a deeply technical issue (far more so than typical malware or ransomware). Sophos Naked Security has written a thorough, somewhat technical article on the topic. You can find it here:
There are three vulnerabilities (CVE identifiers) currently associated with Meltdown and Spectre. Here's the breakdown.
Spectre variant 1 (bounds check bypass) – CVE-2017-5753
Spectre variant 2 (branch target injection) – CVE-2017-5715
Meltdown, also called variant 3 (rogue data cache load) – CVE-2017-5754
Of course, we need to move beyond the technical explanations and answer the expected question of, “what the heck should we do?” We are telling our clients the following:
- The issue is very real. As of this writing there are no known attacks in the wild using these vulnerabilities, although the researchers have published proof-of-concept code, and working exploits will most certainly follow.
- All machines are at risk. Of more serious concern are hosted (cloud) environments where hardware/CPU resources are shared among many virtual machines (likely yours plus someone else's), because the boundary between tenants is exactly the kind of isolation these flaws break.
- Requires code execution on the machine. To exploit these vulnerabilities an attacker has to run code on the target, either through direct access (unlikely) or via malware, a malicious application, or even malicious JavaScript in a web page (much more likely), which is why browsers are on the patch list. Similar to ransomware and other forms of malware, it is vitally important that users don't click, download or visit websites that carry malicious content. This is all about user education.
- Make sure the antivirus (AV) software on all of your systems is up to date. There is a gotcha here: because the OS fixes change how the kernel manages memory, some AV products that hook deeply into the kernel crash the machine once the patch is applied. Microsoft therefore only offers its January updates to machines whose AV vendor has set a compatibility flag in the registry, so an out-of-date AV can silently block the OS patch. Most major AV vendors have pushed, or very soon will push, the required updates to support the patching from Microsoft and others. You can get the status of your AV vendor here: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0
- Update and patch your systems. Of course, this may take some time, and in some cases the patches may not yet be available. But begin the process.
- There is some debate around which chips are vulnerable and which are not. Broadly: all Intel chips from roughly the last two decades, AMD chips for Spectre (AMD states its processors are not affected by Meltdown), a mixed bag of ARM cores, and IBM POWER chips. Don't wait for the dust to settle. Plan your update and patching processes now.
- Most updates/patches already available, or arriving in the coming days, will mostly address Meltdown and some Spectre cases. A complete "fix" for Spectre is still a work in progress, and for variant 2 it needs CPU microcode (firmware) updates from the hardware vendor in addition to OS patches.
- Updates and patches will be multi-faceted. Operating systems will have to be patched, as will bundled applications (like web browsers) and 3rd-party applications, and some firmware (BIOS/microcode) updates will be required. Unfortunately, there isn't a one-size-fits-all answer here. You need to understand your environment to develop the plan.
- Monitor the progress on all sides of this issue. One of the groups involved in the discovery of the flaws has built a website that is a great collection of all things Meltdown/Spectre. Here's the site: https://meltdownattack.com/
- Talk with and confirm fixes within your hosted environments. As previously stated, the initial targets of any malware/hacks using these vulnerabilities will likely be hosted environments. Here’s a bit from AWS: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
- Yes, there is a chance that these patches will slow systems, most noticeably on workloads that make many system calls, such as databases and I/O-heavy servers. But falling victim to a Meltdown or Spectre attack may be MUCH, MUCH worse. And, yes, you may eventually have to replace some hardware or find additional resources if systems slow to the point of business interruption.
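The checklist above tells you to patch and to monitor progress; the quickest way to know where a given Linux host actually stands is to ask the kernel. The script below is an added example (our own illustration, not code from the original post or from any vendor). It assumes a kernel that exposes the per-issue status files under /sys/devices/system/cpu/vulnerabilities/ (Linux 4.15 and distribution kernels with the fixes backported), falls back to the `pti` CPU flag on older kernels, and runs against a constructed sample directory so it can be tried offline:

```shell
#!/bin/sh
# Added example, not from the original post: report which of the three CVEs a
# Linux host still shows as unmitigated. Linux 4.15+ kernels (and distro
# backports of the fixes) expose one file per issue under
# /sys/devices/system/cpu/vulnerabilities/, each reading "Not affected",
# "Vulnerable..." or "Mitigation: ...". Older kernels have no such files, so
# the script falls back to the "pti" flag in /proc/cpuinfo (kernel page-table
# isolation, the Meltdown fix) and reports the two Spectre variants as Unknown.

# Published CVE identifier for each sysfs entry name
cve_for() {
  case "$1" in
    meltdown)   echo CVE-2017-5754 ;;
    spectre_v1) echo CVE-2017-5753 ;;
    spectre_v2) echo CVE-2017-5715 ;;
    *)          echo unknown ;;
  esac
}

# Reduce one sysfs status line to NotAffected / Mitigated / Vulnerable / Unknown
classify() {
  case "$1" in
    "Not affected"*) echo NotAffected ;;
    Mitigation:*)    echo Mitigated ;;
    Vulnerable*)     echo Vulnerable ;;
    *)               echo Unknown ;;
  esac
}

# Usage: check_mitigations [sysfs_dir] [cpuinfo_file]
# Prints one line per issue; exit status 1 if anything is still Vulnerable.
check_mitigations() {
  dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
  cpuinfo="${2:-/proc/cpuinfo}"
  rc=0
  for issue in meltdown spectre_v1 spectre_v2; do
    if [ -r "$dir/$issue" ]; then
      line=$(head -n 1 "$dir/$issue")
      state=$(classify "$line")
    elif [ "$issue" = meltdown ] && grep -Eq '[[:space:]]pti([[:space:]]|$)' "$cpuinfo" 2>/dev/null; then
      # Pre-4.15 kernel with a backported fix: the pti flag means KPTI is active
      line="pti flag present in cpuinfo"
      state=Mitigated
    else
      line="no sysfs entry on this kernel"
      state=Unknown
    fi
    [ "$state" = Vulnerable ] && rc=1
    printf '%-10s %-14s %-12s %s\n' "$issue" "$(cve_for "$issue")" "$state" "$line"
  done
  return $rc
}

# One-line summary (issue=state ...) that is easy to ship to a monitoring system
mitigation_summary() {
  check_mitigations "$@" | awk '{ printf "%s%s=%s", sep, $1, $3; sep = " " } END { print "" }'
}

# --- Constructed sample data (not captured from a real host) so this runs offline ---
sample=$(mktemp -d)
printf 'Mitigation: PTI\n'                           > "$sample/meltdown"
printf 'Mitigation: __user pointer sanitization\n'   > "$sample/spectre_v1"
printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$sample/spectre_v2"
check_mitigations "$sample" || echo "ACTION: at least one issue is still vulnerable; keep patching"
rm -rf "$sample"
# On a real host simply run: check_mitigations
```

Run `check_mitigations` with no arguments on a real host; a non-zero exit status means something is still reported as Vulnerable, which makes it easy to drop into a cron job or a configuration-management check. On Windows the equivalent is Microsoft's SpeculationControl PowerShell module (`Get-SpeculationControlSettings`), which reports whether OS support for the Meltdown (kernel VA shadow) and Spectre variant 2 (branch target injection) mitigations is present and enabled, and whether the CPU microcode the latter depends on has been installed.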
Maybe most concerning: as of today an attack only reads memory and leaves no trace in traditional log files, so it is very likely you would never know someone has used these flaws to get at your systems/kernel. This means an attacker could sit, unhindered, for extended periods of time pulling sensitive data from your systems.
The Meltdown and Spectre vulnerabilities will most definitely be a focus of IT and security departments for the foreseeable future. By the end of 2018 we will be discussing the true impact and costs associated with them.