Meltdown and Spectre (Natascha Eibl)
09.1.2018

While the global workforce was just getting ready to start the New Year, researchers revealed news of two new critical issues in nearly all modern microprocessors, called Meltdown and Spectre. In layman’s terms, this involves nearly all computing devices manufactured in the last 20 years, used by both enterprises and end-users, ranging from computers, servers, and mobile devices to cloud services and virtualization platforms. What, if anything, can you do to keep safe(r)?

On January 3, 2018, researchers revealed news of two new critical vulnerabilities in modern microprocessors manufactured by Intel, AMD, and ARM. The vulnerabilities, named Meltdown and Spectre, have been confirmed on CPUs manufactured since 2011, and are potentially present in CPUs manufactured since 1995. Those processors can be found in most of today’s workstations, laptops, servers, and mobile devices as well as cloud infrastructure and virtualization platforms.

The Meltdown and Spectre vulnerabilities allow attackers to access device memory that is normally reserved for the operating system kernel or for another, well-behaved application. A malicious application can thereby gain access to critical data, such as private crypto keys, passwords, etc.

Who is affected and how can the vulnerabilities be exploited?

From what we know so far, the vulnerabilities affect enterprises and individuals using devices containing chips from Intel, AMD, or ARM – in short, just about everyone.

| Vulnerability | Vendor | Consequences |
|---|---|---|
| Meltdown | Intel | Malicious application can gain arbitrary access to device’s memory, regardless of the operating system |
| Spectre | Intel, AMD, ARM | Malicious application can gain arbitrary access to another, well-behaved application’s memory |

To exploit the vulnerabilities, the malicious actor must be able to execute code on the target device.

Meltdown in action

A PoC for the Spectre vulnerability already exists, showing how malicious JavaScript code can read an unpatched web browser’s memory.

How do I protect myself from the vulnerabilities?

We strongly urge both end users and system administrators to apply operating system and application patches as soon as possible. As the vulnerabilities affect a large number of devices and complex IT environments, we do not foresee all devices being patched any time in the near future. We also encourage enterprises to proactively monitor activity in their IT environments by establishing incident detection and prevention systems. This is the only way to properly detect and react to security incidents and limit business damage.
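One way to verify that the operating system patches urged above are actually active on a Linux host, as an added example that is not part of the original article. It reads the kernel's own status files under `/sys/devices/system/cpu/vulnerabilities/`; Linux is an assumption here (the article names no operating system), and the function names `classify_status` and `check_host` are illustrative.

```sh
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status on a Linux host.
# Assumption: the running kernel exposes its status in the sysfs directory
# below; kernels without this interface are reported as UNKNOWN.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS_LINE -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;          # CPU is not susceptible
        "Mitigation:"*)  echo OK ;;          # patch present and enabled
        "Vulnerable"*)   echo VULNERABLE ;;  # susceptible, no mitigation
        *)               echo UNKNOWN ;;     # empty or unrecognised text
    esac
}

# check_host [DIR] -> one line per issue; returns 0 only if every issue is OK
check_host() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        file="$dir/$name"
        if [ -r "$file" ]; then
            line=$(head -n 1 "$file")
            verdict=$(classify_status "$line")
        else
            # No status file: the kernel does not report on this issue,
            # so the host must be treated as unverified, not as safe.
            line="no kernel report"
            verdict=UNKNOWN
        fi
        printf '%-10s %-10s %s\n' "$name" "$verdict" "$line"
        [ "$verdict" = OK ] || rc=1
    done
    return $rc
}

# Check the live system only when invoked as: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

The non-zero return value of `check_host` makes the script usable from a configuration-management or monitoring job that flags hosts still awaiting patches.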

A list of vendor fixes and notices

Most of the leading IT vendors have already issued official security notices, including security patches, which mitigate the Meltdown and Spectre vulnerabilities.

Most vendors of operating systems, cloud solutions, and virtualization environments have also issued patches that mitigate the Meltdown vulnerability. The patches have been known to introduce some additional latency.

The major web browser vendors have released new versions of their browsers, which mitigate at least some parts of the Spectre vulnerability, but due to the complexity of the issue, we do not expect it to be fully resolved any time soon.

Intel has issued a notice that they would be releasing an update for up to 90% of the affected CPUs by January 15. AMD and ARM have also issued notices regarding their CPUs’ vulnerability status:

What risk do the Meltdown and Spectre vulnerabilities pose to your environment and what can you do about it?

If you have any questions regarding protecting your environments against the Meltdown and Spectre vulnerabilities or some other questions regarding the protection of your IT environment against security threats, do not hesitate to contact our security experts.
