A recent flaw disclosed by Google Project Zero has the potential to impact all major central processing units (CPUs), including those from Intel, AMD and ARM, exposing almost all PCs, laptops, tablets, and smartphones, regardless of manufacturer or operating system, to exploitation. This flaw has existed in many Intel CPUs since 1995.
These hardware-related vulnerabilities have been categorised into two attack types, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which have been shown to allow attackers to steal sensitive data as it is being processed on a vulnerable computer.
Most public and private cloud providers utilise environments that share hardware, and because these issues also affect the smallest of devices, such as IoT devices and mobile phones, these attack methods have a global impact if not remediated.
Please note that these vulnerabilities require local code execution to be exploited. If an existing vulnerability can be exploited or the system provides remote access (GUI or shell), malicious code may be executed on the system, providing access to sensitive data.
This vulnerability affects systems utilising Intel processors since 1995, including Windows, Unix and more recently Macintosh.
As computing environments often share processors and memory, this issue exposes any system using these processors. The risk is higher where different users or companies share common or virtualised infrastructure, where vulnerable systems are used in automation systems (critical infrastructure), or where a large number of commodity devices are statistically not upgraded (smartphones, IoT devices).
Meltdown Attack Research
Spectre Attack Research
What You Should Do
Many vendors have security patches available for one or both of these attacks.
- Windows — Microsoft has issued an out-of-band patch update for Windows 10, while patches for other versions of Windows will be available on the January 9, 2018 Patch Tuesday.
- macOS — Apple had already fixed most of the security holes in macOS High Sierra 10.13.2 last month, but macOS 10.13.3 will enhance or complete these mitigations. Apple has released the iOS 11.2.2 update and macOS 10.13.2 update to help mitigate against the Meltdown and Spectre flaws.
- Linux — Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space.
- Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update. Other users have to wait for the device hardware manufacturers to release a compatible security update.
- Cloud Providers — Google, Amazon/AWS and Azure have patched or are in the process of patching.
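On Linux, a patched kernel reports its own mitigation state for each of the three CVEs named above through sysfs. The script below is an added example, not part of the original advisory; it assumes a kernel new enough to expose `/sys/devices/system/cpu/vulnerabilities/`, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: summarise the kernel's reported Meltdown/Spectre status.
# Assumption: the running kernel exposes the sysfs directory below.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation"*)   echo mitigated ;;   # e.g. "Mitigation: PTI" (KPTI)
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_vulns [DIR] -> one line per CVE: "CVE file state: raw text".
# Returns 1 if any entry is vulnerable or cannot be determined.
check_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for pair in meltdown:CVE-2017-5754 \
                spectre_v1:CVE-2017-5753 \
                spectre_v2:CVE-2017-5715; do
        name=${pair%%:*}
        cve=${pair#*:}
        if [ -r "$dir/$name" ]; then
            raw=$(cat "$dir/$name")
            state=$(classify_status "$raw")
        else
            # A missing file means the kernel predates the reporting
            # interface, so treat the state as unknown, not as safe.
            raw="no sysfs entry"
            state=unknown
        fi
        case "$state" in vulnerable|unknown) rc=1 ;; esac
        printf '%s %s %s: %s\n' "$cve" "$name" "$state" "$raw"
    done
    return $rc
}

# Run against the live system only when asked: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_cpu_vulns
fi
```

A non-zero exit status makes the check usable in a fleet-wide compliance job: any host that is still vulnerable, or whose kernel is too old to report, fails the run.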
Patch and Update References
Mobile Device Testing Results
- Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
- Look for Strict Site Isolation, then click the box labeled Enable.
- Once done, hit Relaunch Now to relaunch your Chrome browser.
There is no single fix for both the attacks since each requires protection independently.
To ensure your PC is protected, go to Settings > Update & security to check and see if the security fix is waiting in your update queue. If not, click on Update history or View installed update history to see if it was already installed.
Depending on when you last updated Windows 10, the hotfix might have one of a variety of different names, but you’re looking for Security Update for Windows (KB4056892).
Apple was able to deploy fixes into its December software update for the Apple TV. tvOS 11.2, released on Dec. 4, includes a number of fixes. It’s possible your Apple TV has automatically updated its software, but if not, you’ll want to go to Settings > System > Software Updates and pick Update Software.