As you’ve likely heard by now, there are some problems with Intel, AMD, and ARM processors. Called Meltdown and Spectre, the discovered attack possibilities are rather severe, as they impact pretty much every technical device on the network or in your house (PCs, laptops, tablets, phones, etc.).
Here’s a breakdown of all the things you need to know. As things change, or new information becomes available, this article will be updated.
The key thing to remember is not to panic, as the sky isn’t about to come crashing down. The situation is one that centers on information disclosure, not code execution (a far more damning issue to deal with).
While Meltdown and Spectre are serious, a majority of organizations (and users for that matter) will only need to apply patches as normal and follow their usual patching policies. There is a stronger sense of urgency if the organization is in a unique situation (e.g. cloud providers, government contractors, finance), but that’s a case-by-case assessment.
Meltdown and Spectre are the names given to three different variants of possible side-channel attacks against processor design choices. Meltdown and Spectre are not bugs; all they’re doing is abusing the normal function of Intel, AMD, and ARM processors.
To put it another way, Spectre could be used by an attacker (unprivileged, logged in to a system) to obtain information from the kernel. Or a root user on a guest VM can obtain information from the host kernel. Thing is, the process is slow. According to Google, kernel memory can be read at a rate of 1500 to 2000 bytes per second, so it’s only possible to get about 130 to 173 MB of data daily.
Yet, what makes Spectre so risky is the harsh reality that programs following best practices when it comes to data safety checks “actually increase the attack surface and may make applications more susceptible to Spectre,” the researchers note.
A solid technical overview has been provided by Google. Also, the researchers themselves published comprehensive papers on Spectre and Meltdown, which are available via their website.
The US-CERT advisory is available as well; ignore the advice to replace all of your hardware.
Variant 1: CVE-2017-5753
Variant 2: CVE-2017-5715
Variant 3: CVE-2017-5754
Meltdown and Spectre were discovered by three groups independently. The name that will jump out instantly to most is Google, or Project Zero’s Jann Horn.
After Google, Meltdown was discovered by Werner Haas and Thomas Prescher of Cyberus Technology, as well as Daniel Gruss, Moritz Lipp, Stefan Mangard, and Michael Schwarz at Graz University of Technology.
Spectre was discovered by Project Zero, and Paul Kocher in collaboration with Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61).
The researchers also acknowledge Anders Fogh for conversations during Black Hat USA and Europe in 2016, which ultimately led to the discovery of Meltdown.
Meltdown is easy to exploit, and the researchers suggest that users running vulnerable processors avoid working with sensitive information until proper mitigations can be applied. Spectre is harder to exploit, but it’s also harder to mitigate. As one researcher put it: “[Spectre] will haunt us for quite some time.”
The researchers say that other than Intel Itanium and Intel Atom before 2013, every processor since 1995 is affected by Meltdown. The researchers tested Meltdown on Intel processors going back to 2011, and all of them were vulnerable. As things stand, it’s still unclear if AMD and ARM processors are vulnerable to Meltdown.
Cloud providers using Intel CPUs and Xen PV without patches are vulnerable to Meltdown, as are providers without real hardware virtualization – relying on shared kernel or containers (Docker, LXC, OpenVZ).
Spectre, on the other hand, affects almost every system on the planet. As mentioned, the issue extends to desktops, laptops, tablets, smartphones, and servers. This includes Intel, AMD, and ARM processors.
Unlikely. The issue isn’t about improper design or development: Meltdown and Spectre are abusing normal and expected processor operations. Intel may yet be forced to do something, but only time will tell on that front.
Patches have been released, and for the most part some were available before Meltdown and Spectre were disclosed.
Microsoft is the big one, as there are some requirements. While Redmond has released patches for Windows and Windows Server, as well as Internet Explorer, Edge, and SQL Server, they’re only going to be served up if the antivirus on the system is updated as well and sets a necessary registry key.
AMD has stated that they’re not vulnerable to Meltdown (Variant 3), and that when it comes to Spectre, there is “near zero risk of exploitation” of Variant 2, and Variant 1 is resolved by software and OS updates.
ARM released a whitepaper and technical details, identifying that they were vulnerable to Spectre (Variants 1 & 2), and only one processor was vulnerable to Meltdown (Variant 3). Future ARM processors will be resilient to attacks or allow mitigation through kernel patches.
NVIDIA said they believe their GPU hardware is immune to Meltdown and Spectre; however, they are updating GPU drivers to help mitigate the CPU issue.
“As for our SoCs with ARM CPUs, we have analyzed them to determine which are affected and are preparing appropriate mitigations,” the statement said.
Intel says they plan to have updates released for “more than 90 percent of processor products introduced within the past five years.” This is good news, but those with older systems seem to be out of luck, which could complicate things in the enterprise as far as legacy systems are concerned.
Mozilla said they were able to confirm browser-based techniques to obtain information, and are investigating the best ways to mitigate Spectre and Meltdown attacks on their browser. The full extent of such attacks remains under investigation.
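For Linux hosts, one way to confirm that the patches discussed above actually took effect is to read the kernel's per-issue status files and map them to the three variants listed earlier. This is an added example, not part of the original article; the function names and output layout are its own, and it assumes a kernel recent enough to expose the `/sys/devices/system/cpu/vulnerabilities` directory.

```shell
#!/bin/sh
# Added example: report the kernel-declared status of the three variants.
# Patched Linux kernels expose one status file per issue in this directory.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify STATUS_LINE -> prints OK, VULNERABLE or UNKNOWN
classify() {
    case "$1" in
        "Not affected"*) echo OK ;;          # CPU is not exposed to this issue
        "Mitigation:"*)  echo OK ;;          # kernel reports an active mitigation
        "Vulnerable"*)   echo VULNERABLE ;;  # includes "Vulnerable: <detail>"
        *)               echo UNKNOWN ;;     # empty or unrecognised status
    esac
}

# check_host [DIR] -> one line per variant; returns 1 if any variant is not OK
check_host() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    # sysfs file name paired with the CVE id from the variant list above
    for entry in "spectre_v1:CVE-2017-5753" \
                 "spectre_v2:CVE-2017-5715" \
                 "meltdown:CVE-2017-5754"; do
        name=${entry%%:*}
        cve=${entry#*:}
        if [ -r "$dir/$name" ]; then
            status=$(head -n 1 "$dir/$name")
        else
            # A missing file means this kernel does not report the issue at all
            status="(no sysfs entry; kernel does not report this issue)"
        fi
        verdict=$(classify "$status")
        [ "$verdict" = OK ] || rc=1
        printf '%-10s %-14s %-10s %s\n' "$name" "$cve" "$verdict" "$status"
    done
    return $rc
}
```

Source the file and run `check_host` on the target machine; a non-zero return means at least one variant is reported as vulnerable or is not reported at all.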