Meet 2018’s First Major Security Blunder: Meltdown and Spectre

It only took a few days into the new year for a major security vulnerability that threatens all modern processors to be discovered.

The vulnerability, if exploited, exposes your files and passwords to cybercriminals. The attack methods for exploiting the processor vulnerability are called Meltdown and Spectre.

Here’s what you need to know about the flaw affecting nearly everybody’s devices.

The Hardware Vulnerability

The flaw comes down to one of the actions processors routinely perform: speculative execution. Speculative execution improves performance by not strictly following the order in which tasks need to be performed. Instead, the processor first predicts the calculations it will need to do and then solves those calculations in advance, in parallel with each other. This results in the processor completing the chain of commands much faster than if it had performed each task in order.

So, what’s the issue? Tom McKay and Alex Cranz from Gizmodo provide a good explanation:

“There’s a serious flaw in the way modern processors are hardcoded to use speculative execution—they don’t check permissions correctly and leak information about speculative commands that don’t end up being run. Whoops. 

As a result, user programs can possibly steal glimpses at protected parts of the kernel memory. That’s memory dedicated to the most essential core components of an operating system and their interactions with system hardware, and it’s supposed to be isolated from user processes at all times to prevent such glimpses from happening. Everything from passwords to stored files could be compromised as a result.”

Meltdown and Spectre represent two different types of attacks that cybercriminals can use to take advantage of the flaw. Researchers from Graz University of Technology explain how each works:

“Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.” 

“Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.”

Unfortunately, there isn’t anything you can do to fix the issue itself, though device manufacturers and processor companies are working together to find a solution.

Who’s Affected?

If your device uses an Intel, AMD or ARM processor, which nearly all computers, servers, IoT and mobile devices do, it is at risk of being compromised by a Meltdown and/or Spectre attack.

Don’t panic yet, though. No one has immediate access to your passwords or data because of these vulnerabilities. Malware still needs to be installed on your device to exploit the vulnerabilities in the processors. Researchers, chipmakers and software companies all say there are no known examples of hackers using these weaknesses to attack a computer. 

Since most servers are affected by the flaw, you should also be thinking about the safety of the data you store in the cloud. Amazon and Google, the largest cloud providers, have patched their infrastructure as of 1/4/2018. The companies that use their infrastructure will still need to patch the servers they run on the platform.

What to Do

There is no way to fix the vulnerabilities via hardware changes. Every vendor, from Apple to Microsoft to Mozilla and Google, has developed or is working to develop software patches for these hardware vulnerabilities. Hardware includes, but is not limited to, desktops, laptops, tablets, servers and smartphones. Standard security practices remain your best defense: do not install unknown or unnecessary software, be on the lookout for phishing emails and avoid visiting non-work-related websites. However, if you are still using unsupported operating systems such as Windows XP, Windows Server 2003 or macOS versions before the current High Sierra, your systems will likely not be patched and will remain vulnerable. Plan to upgrade your systems ASAP.

You may see an increase in phishing attempts trying to prey on the concern generated by this story, so please do not take direction from any source other than your official technical support communication.
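For administrators who want to confirm that the software patches described above are actually active on a Linux server, the following is an added example and not part of the original article. It assumes a Linux kernel that reports mitigation status under /sys/devices/system/cpu/vulnerabilities (mainline 4.15 or a vendor backport); the function names are chosen here for illustration.

```python
#!/usr/bin/env python3
"""Report Meltdown/Spectre mitigation status as published by the Linux kernel."""
from pathlib import Path

# Assumption: the kernel exposes one status file per issue in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")
# Typical file contents (constructed samples):
#   "Mitigation: PTI", "Not affected", "Vulnerable"


def classify(text):
    """Map one status line to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    status = text.strip()
    if status.startswith("Not affected"):
        return "not_affected"
    if status.startswith("Mitigation"):
        return "mitigated"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(directory=SYSFS_DIR):
    """Return {check: (state, raw_text)}; a missing file is reported as 'unreported'."""
    report = {}
    for name in CHECKS:
        try:
            raw = (Path(directory) / name).read_text().strip()
        except OSError:
            # Often an older kernel that has not received the patches at all.
            report[name] = ("unreported", "")
            continue
        report[name] = (classify(raw), raw)
    return report


def needs_patching(report):
    """True if any check is vulnerable, unknown, or not reported by the kernel."""
    ok = ("mitigated", "not_affected")
    return any(state not in ok for state, _ in report.values())


if __name__ == "__main__":
    result = audit()
    for name, (state, raw) in result.items():
        print(f"{name:11} {state:12} {raw}")
    # Non-zero exit lets a fleet-wide job flag hosts that still need updates.
    raise SystemExit(1 if needs_patching(result) else 0)
```

Run it on each server after applying vendor updates and rebooting; a non-zero exit status marks a host that still needs attention.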

Contact Switchfast Technologies for an IT Assessment or to learn how you may be affected.

Written by Nik Vargas