Meltdown and Spectre CPU Flaws Impact All Major CPUs

A recent flaw disclosed by Google Project Zero has the potential to impact all major Central Processing Units (CPUs), including those from Intel, AMD and ARM, exposing almost all PCs, laptops, tablets, and smartphones, regardless of manufacturer or operating system, to exploitation. This flaw has existed in many Intel CPUs since 1995.

These hardware-related vulnerabilities have been categorised into two attack types, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which have been shown to allow attackers to steal sensitive data as it is being processed on a vulnerable computer.

Most public and private cloud providers use environments that share hardware, and because these issues extend down to the smallest devices, such as IoT devices and mobile phones, these attack methods have a global impact if not remediated.

Please note these vulnerabilities require local code execution to be exploited. If an existing vulnerability can be exploited or the system provides remote access (GUI or shell), malicious code may be executed on the system, providing access to sensitive data.

 

The Issue

The Meltdown and Spectre vulnerabilities allow a malicious individual or software to access sensitive information held in memory via a flaw in Intel and other microprocessors.
This vulnerability affects systems utilising Intel processors since 1995, including Windows, Unix and, more recently, Macintosh systems.
As computing environments often share processors and memory, this issue exposes any system using these processors. The risk is higher where different users or companies share common or virtualised infrastructure, where vulnerable systems are used in automation systems (critical infrastructure), or where a large number of commodity devices (smartphones, IoT devices) are statistically not upgraded.
Both attacks take advantage of a feature in chips known as “speculative execution,” a technique used by most modern CPUs to optimise performance.

 

Meltdown Attack Research

The first issue, Meltdown (paper), allows attackers to read not only kernel memory but also the entire physical memory of the target machines, and therefore all secrets of other programs and the operating system.

Spectre Attack Research

The second problem, Spectre (paper), is not as easy to patch and will exist for some time to come since this issue requires changes to processor architecture to be resolved.

 

What You Should Do

Many vendors have security patches available for one or both of these attacks.

  • Windows — Microsoft has issued an out-of-band patch update for Windows 10, while patches for other versions of Windows will be available on the January 9, 2018 Patch Tuesday.
  • macOS — Apple had already fixed most of the security holes in macOS High Sierra 10.13.2 last month, but macOS 10.13.3 will enhance or complete these mitigations. Apple has released the iOS 11.2.2 update and macOS 10.13.2 update to help mitigate against the Meltdown and Spectre flaws.
  • Linux — Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space.
  • Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update. Other users have to wait for the device hardware manufacturers to release a compatible security update.
  • Cloud Providers — Google, Amazon/AWS and Azure have patched or are in the process of patching.
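
For the Linux item above, patched kernels report the state of each mitigation (including KPTI, shown as "PTI") in status files under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example, not part of the original advisory; its function names are illustrative and the sample directory it builds is constructed data.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status on Linux from the
# kernel's sysfs status files. A missing file means the kernel predates this
# reporting interface, so the result is treated as unknown (not as safe).
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status FILE -> prints not_affected, mitigated, vulnerable or unknown
classify_status() {
    [ -r "$1" ] || { echo unknown; return; }
    line=$(head -n 1 "$1")
    case "$line" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_host [DIR] -> prints one line per CVE named in this advisory and
# returns 0 only if none of them is vulnerable or unknown.
check_host() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for pair in meltdown:CVE-2017-5754 spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715; do
        name=${pair%%:*}
        cve=${pair#*:}
        verdict=$(classify_status "$dir/$name")
        printf '%s (%s): %s\n' "$cve" "$name" "$verdict"
        case "$verdict" in vulnerable|unknown) rc=1 ;; esac
    done
    return "$rc"
}

# make_sample_dir DIR: constructed sample data imitating a partially patched host
make_sample_dir() {
    mkdir -p "$1"
    echo "Mitigation: PTI" > "$1/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$1/spectre_v1"
    echo "Vulnerable" > "$1/spectre_v2"
}

# Demo on the constructed data; on a real host call check_host with no argument.
demo=$(mktemp -d) && make_sample_dir "$demo" && check_host "$demo" || true
rm -rf "$demo"
```

The non-zero return from check_host makes it usable as a compliance gate in configuration management or a fleet audit job.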

Patch and Update References

BIOS updates

Amazon/AWS

Azure

Google

VMWare

Microsoft

Aruba

Dell

NetApp

Cisco

PaloAlto

 

Mobile Device Testing Results

Image: TechCrunch

 

Browsers

Chrome

Since this exploit can be executed through a website, Chrome users can turn on the Site Isolation feature on their devices to mitigate these flaws.
Here’s how to turn on Site Isolation on Windows, Mac, Linux, Chrome OS or Android:
  • Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
  • Look for Strict Site Isolation, then click the box labeled Enable.
  • Once done, hit Relaunch Now to relaunch your Chrome browser.

There is no single fix for both the attacks since each requires protection independently.

Mozilla Firefox

Mozilla began updating its current Firefox 57

Internet Explorer

Microsoft will modify both its Internet Explorer and new Edge browsers.

 

Windows PCs

To ensure your PC is protected, go to Settings > Update & security to check and see if the security fix is waiting in your update queue. If not, click on Update history or View installed update history to see if it was already installed.

Depending on when you last updated Windows 10, the hotfix might have one of a variety of different names, but you’re looking for Security Update for Windows (KB4056892).

 

Apple TV

Apple was able to deploy fixes into its December software update for the Apple TV. tvOS 11.2, released on Dec. 4, includes a number of fixes. It’s possible your Apple TV has automatically updated its software, but if not, you’ll want to go to Settings > System > Software Updates and pick Update Software.
