Spectre and Meltdown: In plain English

In January details emerged of a new security risk. Known as Meltdown and Spectre, the two vulnerabilities, if exploited, would enable hackers to steal data from processors used in computers, mobile devices and cloud computing.


Key Points:

  • Spectre and Meltdown are different to the vulnerabilities we often hear about because they are hardware-based rather than software-based
  • These are information disclosure attacks that could be used to leak sensitive information
  • Remediating these vulnerabilities will be a significant and ongoing task
  • Patched systems will see some performance impact (the actual performance impact to a given system will vary depending on several factors)
  • Initial CPU firmware updates caused major stability issues on some systems
  • Malicious JavaScript is one of the key attack vectors
  • Attacks using these specific vulnerabilities can be difficult to detect


What it is

Unlike most vulnerabilities, Meltdown and Spectre are related to hardware (and not software). They affect some of the best-selling microchips of the past two decades, including those from Intel and Qualcomm and some manufactured by AMD and Arm – which means pretty much every device you’ve ever heard of will be affected.

Meltdown is a relatively simple flaw. It breaks the most fundamental isolation between user applications and the operating system, which means a malicious program could access the memory, and thus also the secrets, of other programs and the operating system.

Spectre is a more complex flaw. It breaks the isolation between different applications, allowing an attacker to trick error-free programs into leaking otherwise confidential information.

In both cases, hackers could potentially develop malicious code to exploit the vulnerabilities and steal data. One of the key attack vectors for this is malicious JavaScript executed through the web browser.


How to respond

These vulnerabilities are complex and not easy to fix. No one manufacturer alone can fix the problem, so chip manufacturers, software developers and device manufacturers (including HP, Microsoft, Apple, Google and Amazon) will have to work together on long-term solutions. As a result, patches are being released by multiple parties, creating some confusion about how to resolve the problem.

Mitigation essentially involves patching multiple components:

  • Operating Systems
  • Virtualization/Cloud Platform
  • Applications and Browsers
  • CPU firmware (beware of known defective updates)

Note that Microsoft has advised that products currently out of both mainstream and extended support will not receive updates to address these vulnerabilities, and therefore they will need to be upgraded or decommissioned.

Patches released in mid-January are not a panacea, and the problem is expected to be around for some time. Spectre, in particular, is hard to fix and it may be impossible to defend against it entirely in the long term.

There have been some concerns about the performance cost of the Spectre and Meltdown patches – in some cases performance has been cut by 30%. This could be a real issue for some environments and may increase the amount of capacity required to run some workloads. The performance impact varies with several factors, such as hardware, workload and operating system.

Another issue to be aware of is that the initial CPU firmware (microcode) updates caused major stability problems and other side effects, and were subsequently withdrawn by vendors. At present, Intel is still working on resolving the bugs and releasing new microcode/firmware.


Sundata Recommends:
  1. Ensuring you have vulnerability/patch management and good security practices in place
  2. Performing an assessment of all devices and systems to identify which are vulnerable and whether the required software/firmware updates are available
  3. Creating and executing a remediation plan that includes testing all software/firmware updates for any issues before rolling them out
  4. Upgrading/replacing systems that cannot be patched/mitigated against these vulnerabilities
  5. Monitoring advisory bulletins from vendors for further updates and known issues
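An added example of the assessment in step 2 on a Linux host (this is not Sundata's or the article's own code). It assumes the per-issue status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/ and, so that it runs anywhere, builds a constructed sample directory with the same layout.

```shell
#!/bin/sh
# Added example: summarise the Linux kernel's per-issue status files.
# Each file under /sys/devices/system/cpu/vulnerabilities/ (meltdown,
# spectre_v1, spectre_v2, ...) holds "Not affected", "Vulnerable[: detail]"
# or "Mitigation: <detail>". The directory is a parameter so the same
# function can be run against the live sysfs tree or a sample directory.

# classify_status STATUS_TEXT -> NOT_AFFECTED | MITIGATED | VULNERABLE | UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        Mitigation:*)    echo MITIGATED ;;
        Vulnerable*)     echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# report_vulns DIR -> prints "<issue> <class> <raw text>" per file and
# returns 1 if any issue is VULNERABLE or UNKNOWN, so a patch-management
# job can treat the host as needing remediation.
report_vulns() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        issue=$(basename "$f")
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%-12s %-13s %s\n' "$issue" "$class" "$status"
        case "$class" in VULNERABLE|UNKNOWN) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample resembling a partially patched host (not real output).
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Pass --live to inspect the running kernel; otherwise use the sample.
if [ "${1:-}" = "--live" ]; then target=/sys/devices/system/cpu/vulnerabilities
else target=$(make_sample_dir); fi
if report_vulns "$target"; then echo "all issues mitigated or not affected"
else echo "remediation required"; fi
```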


Why does it matter?

Until now, IT pros charged with cyber security defence have focussed primarily on software vulnerabilities – for example, hackers using malware to exploit flaws in software and apps. But attention is now turning to the potential to exploit flaws in hardware.

Hardware hacking, and the defence against it, are still in their infancy. But the issue is likely to grow in importance in coming years, with the Internet of Things and growing numbers of embedded devices in all walks of life, from critical infrastructure through to cars and consumer goods.


Further reading:


Sundata can assist you in addressing the Spectre and Meltdown vulnerabilities.

Contact Us to find out how.
