Two critical CPU vulnerabilities, named Meltdown and Spectre, were disclosed to the public on January 3, 2018, leading to a slew of questions, patches, and fear. The nature of this security threat is categorically different than most. When you hear about malware, ransomware, and viruses, these names refer to programs that are only dangerous when they are installed on your system. Meltdown and Spectre refer to intrinsic vulnerabilities that would allow hackers to steal sensitive data from the memory of your computer including passwords and credit card information.
The design flaw lies in your Central Processing Unit (CPU), an integral component of desktops, laptops, servers, and mobile devices. Initial reports cited Intel chips as the source of the vulnerability, which would have meant many mobile devices were secure, but now it is clear ARM and AMD processors are also impacted. Everyone with a CPU made after 1995 should be aware of these vulnerabilities in order to protect themselves accordingly.
How Hackers Can Exploit Meltdown and Spectre
Modern processors perform “speculative execution,” a protocol designed to increase CPU speed. Since Pentium Pro was released in 1995, CPUs have “guessed” the instructions they will receive next; they begin to execute as if they have been asked when they haven’t. When the CPU guesses correctly (95% of the time), time is saved, and everything proceeds normally, but when a guess is incorrect, speculative executions must be erased. In these cases, the CPU works quickly to erase its mistake but does not completely eradicate the order, leaving data from half-executed commands in a temporary cache, vulnerable to theft.
Hackers can code normal user processes to perform speculative executions before any security checks can be raised and systematically pull data from memory. Although anyone pull is small, systematic abuse can lead to a total memory dump, allowing nefarious programs to copy all kernel memory including sensitive information.
There are currently three documented ways to abuse speculative execution:
- Variant 1, or CVE-2017-5753: bounds check bypass, codename Spectre 1
- Variant 2, or CVE-2017-5715: branch target injection, codename Spectre 2
- Variant 3, or CVE-2017-5754: rogue data cache load, codename Meltdown
When critics say that Intel is more vulnerable than AMD or ARM, they mean that Intel is vulnerable to Meltdown, when AMD and ARM are not. However, all three are vulnerable to Spectre.
How to Keep Your System Secure
Despite the rapid response, many businesses are wondering about the security of their data and whether any further action needs to be taken. We have good news for our clients: we were protecting you the entire time.
Exploiting Meltdown and Spectre requires infiltration beyond the network layer to influence speculative execution and retrieve from the temporary cache. This isn’t possible if you have strong endpoint protection, in which case these vulnerabilities would never have posed a problem.
All of our managed service clients receive essential security features such as network monitoring, zero-day threat protection, endpoint security, email security, firewall management, patch management and backup/disaster recovery management. Intuition Security+ includes additional security features designed to keep hackers from breaching or manipulating the network including single sign-on and multi-factor authentication, URL monitoring, user training and security policy creation. Intuition Security+ provides additional protection from the penetration of your outer defenses, thereby preventing any abuse of speculative execution.
What to Expect Now
One month after disclosure, patches have been released by Windows, Linux, and Apple to mitigate Meltdown and Spectre vulnerabilities. Many of these patches have led to decreased performance and other issues, particularly in older units, as much as 20% in processors from 2015 or older. Worsening the issue is how individual processors organize speculative executions, which mandates unique fixes for individual chips and antivirus suites. A Windows patch for Spectre 2 was halted because it “bricked” some CPUs rendering the machines temporarily unusable, for example. Further discovery has revealed that the issue was caused by incompatibility with some antivirus software suites. Microsoft is working with vendors to fix the fix and is only installing the patch on machines with approved AV.
As Operating Systems like Windows and Linux respond, future patches should restore some of the hit to performance, streamline, and enable fixes for older CPUs. Red Hat chief ARM architect, Jon Masters, explained to Wired: “There certainly is a performance impact, but what we had to do is kind of use the big hammer initially to mitigate, and then we can go back to iterate and refine. There’s potential for improving these fixes.”
We recommend some skepticism moving forward. Wait 12 hours before installing new updates to give OSes the time to expose any compatibility issues. Then install. Performance will improve as companies streamline the patch.