Cyber Security training from QA

Meltdown and Spectre - What you need to know

In this blog QA's Director of Cyber Security, Richard Beck, looks at the recent Meltdown and Spectre exploits and how these affect you and your business.


Richard Beck | 5 January 2018

The Meltdown & Spectre exploits were discovered by Google, which warns that an attacker could use them to steal sensitive or confidential information, including passwords. The first wave of patches has already started to go out for Microsoft's Windows 10, Apple's macOS, Linux and Android. The most immediate consequence of all of this will come from applying the security patches. Some devices will see a performance dip, but do not let that put you off applying the patch.

Meltdown (CVE-2017-5754)

Meltdown impacts the isolation between user applications and the operating system. This exploit allows a program to access the memory, and the isolated 'secrets', of other applications and, fundamentally, of the operating system.

If you have a vulnerable processor and run an unpatched operating system, sensitive information could be exposed. This applies to home and business systems as well as cloud infrastructure services.

Spectre (CVE-2017-5753 and CVE-2017-5715)

Spectre impacts the isolation between different applications. It tricks error-free applications that follow best practice into leaking their secrets. Spectre is harder to exploit than Meltdown and harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.

 

Q & A

Am I affected by these vulnerabilities?

  • Most certainly, yes. This is a genuine challenge for businesses, not only in deploying patches but also in the impact that slower processors may have on expected productivity.

Can I detect Meltdown or Spectre exploitation?

  • Unlikely at this time for most organisations, as the exploitation does not leave typical traces in traditional log files.

Can my antivirus detect or block this attack?

  • While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.

What can be leaked?

  • If your system is affected, it's plausible that the exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.

Are there any known instances of Meltdown or Spectre in the wild outside of the research community?

  • Not at this time.

Is there a workaround/fix?

  • There are patches against Meltdown for Linux, Windows, and Mac OS. You should apply these patches ASAP or as and when new patches are released.

Which systems are affected by Meltdown?

  • Desktop, laptop, and cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). At the moment, it is not entirely clear to what extent ARM and AMD processors are also affected by Meltdown, which would impact mobile and tablet devices.

Which systems are affected by Spectre?

  • Almost every system is affected by Spectre: desktops, laptops, cloud servers, as well as smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, Spectre has been verified on Intel, AMD, and ARM processors.

Which cloud providers are affected by Meltdown?

  • Cloud providers which use Intel CPUs and Xen PV as virtualisation without having patches applied are affected. In addition, cloud providers without genuine hardware virtualisation, e.g. those using containers that share one kernel (Docker, LXC, or OpenVZ), are also affected.

What is the difference between Meltdown and Spectre?

  • Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.

Why is it called Meltdown?

  • The bug basically melts security boundaries which are normally enforced by the hardware.

Why is it called Spectre?

  • The name is based on the root cause, speculative execution.
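To confirm that the patches described above have taken effect on a Linux host, the kernel's own status report can be read for each of the three CVEs. This is an added example, not part of the original blog; it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities` (Linux 4.15 or a vendor backport), and the function names are illustrative.

```python
"""Report Meltdown/Spectre mitigation status from Linux sysfs (added example)."""
import sys
from pathlib import Path

# Assumption: the kernel publishes one status file per issue in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> CVE identifier used in the article
CVE_BY_FILE = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


def classify(status):
    """Map one kernel status line (or None if the file is absent) to a verdict."""
    if status is None:
        return "unknown"  # kernel predates the reporting interface
    for prefix, verdict in (("Not affected", "not_affected"),
                            ("Mitigation", "mitigated"),
                            ("Vulnerable", "vulnerable")):
        if status.strip().startswith(prefix):
            return verdict
    return "unknown"  # unrecognised wording is treated as unverified


def check(sysfs_dir=SYSFS_DIR):
    """Return {CVE: (verdict, raw kernel text or None)} for the three issues."""
    report = {}
    for name, cve in CVE_BY_FILE.items():
        try:
            raw = (Path(sysfs_dir) / name).read_text().strip()
        except OSError:
            raw = None
        report[cve] = (classify(raw), raw)
    return report


def needs_action(report):
    """CVEs that are unpatched or whose status cannot be confirmed."""
    return sorted(cve for cve, (verdict, _) in report.items()
                  if verdict in ("vulnerable", "unknown"))


if __name__ == "__main__":
    result = check()
    for cve, (verdict, raw) in sorted(result.items()):
        print(f"{cve}: {verdict} ({raw or 'no kernel report'})")
    sys.exit(1 if needs_action(result) else 0)
```

A non-zero exit code means at least one of the three issues is reported vulnerable or could not be verified, which makes the script usable from a fleet-wide compliance job.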

Vendor Patch Guidance

  • Intel: Security Advisory
  • Microsoft: Security Guidance
  • Amazon: Security Bulletin
  • ARM: Security Update
  • Google: Project Zero Blog
  • Mitre: CVE-2017-5715 / CVE-2017-5753 / CVE-2017-5754
  • Red Hat: Vulnerability Response
  • Suse: Vulnerability Response
  • Apple: Vulnerability Response

     

More information

At QA we have developed the most comprehensive end-to-end Cyber Security training portfolio providing training for the whole organisation, from end user to executive board level courses as well as advanced programmes for security professionals.

Visit qa.com/cyber for more information.

     


     

Richard Beck

Director of Cyber Security

Richard Beck (CISSP, CISM, CISA) is Director of Cyber Security at QA, responsible for the entire Cyber Security portfolio across the four QA divisions. He works with customers to build effective and successful security training solutions tailored for business needs. Richard has over 15 years' experience in senior Information Security roles. Prior to QA, Richard was Head of Information Security for four years at Arqiva, who underpin 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts at CPP, GEC, Pearson and the Royal Air Force. Richard sits on a number of security advisory panels including IBM, BCS and EC-Council and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI). Richard is also a STEM Ambassador working to engage and enthuse young people in the area of cyber security. He provides a unique perspective on the world of cyber security to teachers and encourages young people to consider a career in cyber security.