The Meltdown & Spectre exploits were discovered by Google, which warns that an attacker could use them to steal sensitive or confidential information, including passwords. The first wave of patches has already started to go out for Microsoft's Windows 10, Apple's macOS, Linux and Android. The most immediate consequence of all of this will come from applying the security patches. Some devices will see a performance dip, but do not let that put you off applying the patch.

Meltdown (CVE-2017-5754)

Meltdown impacts the isolation between user applications and the operating system. This exploit allows a program to access the memory, and the isolated 'secrets', of other applications and, fundamentally, of the operating system.

If you have a vulnerable processor and run an unpatched operating system, sensitive information could be exposed. This applies to home and business systems as well as cloud infrastructure services.

Spectre (CVE-2017-5753 and CVE-2017-5715)

Spectre impacts the isolation between different applications. It tricks error-free applications that follow best practice into leaking their secrets. Spectre is harder to exploit than Meltdown and harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.

 

Q & A

Am I affected by these vulnerabilities?

  • Most certainly, yes. This is a genuine challenge for businesses, not only in deploying patches but also in the impact that slower processors may have on expected productivity.

Can I detect Meltdown or Spectre exploitation?

  • Unlikely at this time for most organisations, as the exploitation does not leave typical traces in traditional log files.

Can my antivirus detect or block this attack?

  • While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.

What can be leaked?

  • If your system is affected, it's plausible that the exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.

Are there any known instances of Meltdown or Spectre in the wild outside of the research community?

  • Not at this time.

Is there a workaround/fix?

  • There are patches against Meltdown for Linux, Windows, and macOS. You should apply these patches ASAP, or as and when new patches are released.
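
One way to confirm on a Linux host that the patches took effect, as an added example that is not part of the original article: Linux kernels from 4.15 onwards (and vendor backports) report mitigation status per issue under /sys/devices/system/cpu/vulnerabilities. The function names and the sample status strings below are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Meltdown/Spectre patch status from the Linux kernel's
# sysfs reporting directory (absent on kernels that predate the interface).
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> prints PATCHED, NOT_AFFECTED, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo PATCHED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# audit_cpu_vulns [DIR] -> one line per CVE; returns 1 unless every entry is
# PATCHED or NOT_AFFECTED. A missing file means the kernel does not report
# on that issue, so it is counted as UNKNOWN (treat as unpatched).
audit_cpu_vulns() {
    dir=${1:-$VULN_DIR}
    rc=0
    for entry in "meltdown CVE-2017-5754" \
                 "spectre_v1 CVE-2017-5753" \
                 "spectre_v2 CVE-2017-5715"; do
        name=${entry%% *}
        cve=${entry##* }
        text=$(cat "$dir/$name" 2>/dev/null) || text="(no kernel report)"
        state=$(classify_status "$text")
        [ "$state" = PATCHED ] || [ "$state" = NOT_AFFECTED ] || rc=1
        printf '%s %s %s: %s\n' "$cve" "$name" "$state" "$text"
    done
    return $rc
}

# Constructed sample: a host patched for Meltdown with Spectre v2 still open.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample_dir)
audit_cpu_vulns "$sample" || echo "action needed: at least one issue is unmitigated"
rm -rf "$sample"
```

On a real host, call `audit_cpu_vulns` with no argument to read the live kernel report; the non-zero return value makes it usable as a compliance check in a patch-rollout script.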

 

 

Which systems are affected by Meltdown?

  • Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). At the moment, it is not entirely clear to what extent ARM and AMD processors are also affected by Meltdown, which would impact mobile and tablet devices.

Which systems are affected by Spectre?

  • Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, Spectre has been verified on Intel, AMD, and ARM processors.

Which cloud providers are affected by Meltdown?

  • Cloud providers which use Intel CPUs and Xen PV as virtualization without having patches applied. In addition, cloud providers without genuine hardware virtualisation, e.g. those using containers that share one kernel (Docker, LXC, or OpenVZ), are also affected.

What is the difference between Meltdown and Spectre?

  • Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.

Why is it called Meltdown?

  • The bug basically melts security boundaries which are normally enforced by the hardware.

Why is it called Spectre?

  • The name is based on the root cause, speculative execution.

Vendor Patch Guidance

  • Intel: Security Advisory
  • Microsoft: Security Guidance
  • Amazon: Security Bulletin
  • ARM: Security Update
  • Google: Project Zero Blog
  • Mitre: CVE-2017-5715 / CVE-2017-5753 / CVE-2017-5754
  • Red Hat: Vulnerability Response
  • Suse: Vulnerability Response
  • Apple: Vulnerability Response

More information

At QA we have developed the most comprehensive end-to-end Cyber Security training portfolio providing training for the whole organisation, from end user to executive board level courses as well as advanced programmes for security professionals.

Visit qa.com/cyber for more information.

 
