In the last week, two new security exploits have come to public attention. These were discovered within the last year, even though they've existed for a lot longer than that, and are commonly referred to as Meltdown and Spectre.
These bugs exploit critical vulnerabilities in modern processors and potentially allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Systems at risk include personal computers, mobile devices, and devices hosted in the cloud.
Meltdown
Meltdown breaks through, or ‘melts’ the basic isolation between user applications and the operating system. This attack allows a program to access the previously assumed isolated memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. There are already some software patches against Meltdown, with more due.
Meltdown was discovered and reported by teams from Google, Cyberus Technology and the Graz University of Technology.
Spectre
Spectre breaks through the isolation between different applications. It potentially allows an attacker to trick programs into leaking their secrets.
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.
Spectre was discovered and reported by Google and Paul Kocher.
Q & A
Can my antivirus detect or block this attack?
We always recommend keeping an up to date anti-virus solution on both your servers and personal computers, and that advice does not change. However, unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications, so it may not be possible for anti-virus solutions to fully protect from these particular exploits. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.
Am I affected by the bugs?
As it affects most devices with modern processors, more than likely, yes. In the coming weeks, manufacturers are likely to release tools to check if your device is affected.
With Meltdown, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). Researchers successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, they have only verified Meltdown on Intel processors and it is unclear whether ARM and AMD processors are also affected by Meltdown
With Spectre, almost every system is affected: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. Researchers have verified Spectre on Intel, AMD, and ARM processors.
If you have a support contract with us, we are already working with your cloud providers to help mitigate any issues. If you don't, contact us for assistance.
Is there a workaround/fix?
Patches are gradually becoming available for browsers, operating systems and hardware microcode to help mitigate the bugs. If you are using Windows, keep checking Windows Update. If you are using a Mac, check the App Store for updates. If you have a cloud server without a support contract, contact us for assistance.
If you are using a third party anti-virus solution, make sure they are compatible with any updates, or it may block your update from being downloaded (see the anti-virus vendors website for more information).
This is a big task for the manufacturers to correct so may take some time. There is likely to be some hit on performance of the devices when patches are applied, though it is not clear at this stage how big that hit may be.
Why is it called Meltdown?
The bug basically ‘melts’ security boundaries which are normally enforced by the hardware.
Why is it called Spectre?
The name is based on the root cause, ‘speculative execution’.
What are CVE-2017-5753 and CVE-2017-5715?
CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
What is the CVE-2017-5754?
CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
Is there more technical information about Meltdown and Spectre?
There is a blog entry from Google Ground Zero and information on the dedicated websites at meltdownattack.com and spectreattack.com.
Where can I get help
If you need help, advice or assistance, you can contact us.