(Note: This post has been updated to reflect progress made by Intel.)
It’s been a tumultuous start to the year due to Meltdown and Spectre, two enormous IT security vulnerabilities. The dust is settling, and we are starting to get a clear picture of how to move forward.
In early January, several independent groups of security researchers unveiled flaws that could allow hackers to exploit vulnerabilities in virtually every kind of computer processor operating inside your company: PCs, servers and all manner of mobile devices, from all vendors and almost every operating system.
Yes, it’s as bad as that sounds. One of the researchers at Graz University of Technology in Austria called it “probably one of the worst CPU bugs ever found.”
Patchy patches
Some patches were released almost right away. Within a week, makers of operating systems and browsers, including Microsoft and Apple, all shipped updates. Here is a complete list of official information and security advisories from the exceptionally long list of affected or involved companies.
Unfortunately, the success of the patches has been, well, patchy. We’ll get into more of it below, but the short of it is this: you are generally advised to update operating systems (with some caveats about Windows; see below) as well as web browsers and other applications, but hold off on applying any firmware updates to Intel chips.
UPDATE: As of March 15, Intel has released microcode updates for all Intel products launched in the past five years that require protection, and they seem to be operating well.
Understanding the problem
The fix for this will take some time. Meltdown and Spectre both are due to design flaws in the very architecture of CPUs from companies such as Intel, AMD and ARM — the way chips carry out instructions.
The researchers were able to create proof-of-concept exploits that can read the memory content of a computer without permission, including passwords and sensitive data stored on the system.
But Meltdown and Spectre are slightly different. Here’s how, according to the researchers:
“Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
“Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.”
So while the Meltdown vulnerability “basically melts security boundaries which are normally enforced by the hardware”, Spectre is due to “speculative execution”. Also, because Spectre is not easy to fix, “it will haunt us for quite some time.”
Ominously, neither type of exploit is traceable. You can’t detect whether a malicious actor used them against you. As such, no one knows if Meltdown and Spectre have ever been abused to steal information.
Let’s look at how each exploit could affect your systems.
Meltdown
This exploit is a potential issue for every desktop, laptop, and cloud computer running any Intel processor since 1995 (except Intel Itanium and Intel Atom processors before 2013). Researchers have only tested Meltdown on Intel processor generations released as early as 2011. Although it’s unclear whether AMD processors are affected, ARM says some of theirs are. In addition, Meltdown affects any cloud providers that use Intel CPUs and Xen PV as virtualization without having patches applied, and cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ.
However, what patches have been released do not address the core vulnerability. So, while these steps will protect users for now, it certainly raises the prospect that malicious actors will find new ways to exploit fundamental flaws in CPU architecture.
Spectre
Although Spectre is harder to exploit than Meltdown, it’s also harder to mitigate.
Spectre affects almost every system, including cloud servers and smartphones. As the researchers note, “All modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.”
Hackers could exploit Spectre via a web browser. Even something like malvertising can first attack an employee’s browser, then steal session cookies or other credentials, and use them to infiltrate your network.
Browser vendors have already shipped patches, or will soon. Ensure you install these.
Patch carefully
Intel’s initial firmware updates to address Spectre caused system instability, reboots, and potential data loss or corruption. In fact, Intel now explicitly advises you not to install the buggy Spectre CPU firmware updates. Instead, wait for new patches to become available once Intel partners have tested them. (Intel is making some progress on that front. UPDATE: All Intel products launched in the past five years that require protection now have patches.) In case you did deploy the firmware update, Microsoft released an optional emergency Windows patch that disables it if you’re running into performance issues.
However, Microsoft’s Windows patches have had their own issues, too. Some have caused older AMD-based PCs to crash, for instance. There is an issue with some “incompatible anti-virus applications”, so Microsoft has not pushed the patch to systems with known anti-virus issues. According to Microsoft, the updates could actually brick a PC. As Microsoft warned, “Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key.”
These patches make fundamental changes to the functions of the kernel—the central part of an operating system that manages the operations of the computer and the hardware. So proceed with caution, thoroughly testing updates before rolling them out broadly.
Also, older, unsupported operating systems like Windows XP won’t be getting patches at all. Most mobile devices more than a few years old are also out of luck.
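To confirm that operating system patches actually took effect on a Linux host (including hosts where Docker, LXC or OpenVZ containers share one kernel), you can read the kernel's own status report from sysfs. The script below is an added example, not part of the original post; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (mainline 4.15 or a vendor backport), and the function names are illustrative.

```shell
#!/bin/sh
# Added example: summarise the kernel's Meltdown/Spectre mitigation report.
# Assumption: the kernel publishes one status file per issue in this directory.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT
# Maps the kernel's free-text status to: not_affected, mitigated,
# vulnerable or unknown (anything we do not recognise is never "ok").
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# audit_host [DIR]
# Prints "issue state detail" for Meltdown and both Spectre variants.
# Returns 1 if any issue is vulnerable or has no kernel report at all,
# which is what an unpatched (pre-fix) kernel looks like.
audit_host() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            text=$(cat "$dir/$name")
            state=$(classify_status "$text")
        else
            text="no kernel report (file missing)"
            state=unknown
        fi
        printf '%-11s %-12s %s\n' "$name" "$state" "$text"
        case "$state" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# Audit the live host only when the script is started with the argument "run".
if [ "${1:-}" = run ]; then
    audit_host
    exit $?
fi
```

A non-zero exit status makes the script usable as a gate in a patch rollout: hosts that still report `vulnerable` or `unknown` after an update need follow-up before the rollout widens.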
Silver linings in the Cloud
Major public cloud providers, like Amazon Web Services, Google and Microsoft, moved very quickly to patch systems. Google began its efforts to mitigate threats as early as June 2017, since its own Project Zero team is one of the research teams credited with identifying Meltdown and Spectre. (Bloomberg offers excellent background on how four separate groups of security researchers identified the vulnerabilities in parallel.)
As for Microsoft, it said it has patched “the majority” of its Azure cloud infrastructure against Meltdown and Spectre. Some customers may need to reboot VMs in order to apply the patch (Microsoft has sent notifications if you’re affected).
Just the beginning?
Unfortunately, these kinds of hardware exploits that target fundamental aspects of CPUs may be on the rise. A former Intel engineer and hardware security trainer explained in one article that because software has improved a lot over the past decade or so, the attention of security researchers and hackers alike is shifting down the stack.
If anything, Meltdown and Spectre are yet another reminder to keep on top of patches and security monitoring. Your users are still at risk from the same malware, ransomware and phishing as before. Companies should monitor for these exploits (or work with a service provider that will), because hackers could use them as vehicles to gain access to your company systems, and then exploit Spectre or Meltdown.
One hopes that this latest news does not signal worse to come in 2018, but clearly vigilance and preparedness are still a requirement of doing business.
UPDATE: Going forward, Intel announced that it has redesigned parts of its processor architecture to introduce partitioning, which it says is like “protective walls” between applications and user privilege levels. Those changes will begin in the second half of 2018 with its next generation Intel® Xeon® Scalable processors (“Cascade Lake”) as well as 8th Generation Intel® Core™ processors.