When we think of security vulnerabilities, we usually think of coding flaws in operating systems or software applications, and if someone mentions hardware security, our first thought is protecting systems from physical access. Less often do we have to deal with security flaws in the computer’s hardware components themselves, but today we are confronted with not one but two such weaknesses that afflict a wide range of processors: the chips at the heart of every computing device, from smartphones to servers, that execute the instructions issued by software.
In the past few days, news has emerged about two separate processor security flaws, named Meltdown and Spectre. This is a serious problem because, between them, they affect a huge proportion of the computers and devices in use today all over the world.
Which devices are affected?
The first thing to understand about these vulnerabilities is that, although software vendors such as Microsoft, Apple, and Google are issuing patches for them, these are not operating system vulnerabilities. They are flaws in the processors’ design, and the operating system patches only work around them. Thus, no OS is safe from them if it is running on a computer or device built on one of the affected processors.
Meltdown is currently believed to affect essentially only processors made by Intel (ARM has said that its new Cortex-A75 core is also affected), but that is of little comfort since it includes millions of processors. Although AMD has reportedly been gaining market share recently (and Meltdown may in fact cause that to increase further), Intel held from 60 to 80 percent of the market for most of the last decade, so a majority of the PCs and servers out there came with those proud little “Intel Inside” stickers.
Note that a few types of Intel processors are currently thought not to be affected: Itanium chips (used primarily in servers) and Atom processors (for low-powered devices) made before 2013, which do not execute instructions out of order. Unfortunately, most of our computers run the much more popular Core and Xeon x86 processors that are affected.
But even if you own no devices built on Intel processors, you’re not off the hook. Spectre is far less discriminating; it affects pretty much every modern processor that uses speculative execution, including Intel’s own chips, those made by AMD (Intel’s biggest and only significant rival in the PC space), and the ARM processors that power billions of devices, including mobile phones, tablets, and the embedded systems in many of the rapidly proliferating Internet of Things (IoT) devices.
Macs, which once upon a time used PowerPC processors, switched to Intel in 2006, and iOS devices run on ARM-based chips, as do Samsung’s phones and tablets and those made by most other vendors: the popular Exynos and Snapdragon processors are ARM-based systems-on-chip (SoCs).
And then there are the popular cloud services such as Microsoft Azure, Amazon AWS, and Google Cloud. These run on vast numbers of servers in huge data centers distributed across the globe, and those servers have processors that may be vulnerable to Meltdown and Spectre exploits.
This means everyone from small and medium-sized business owners to the cloud data center managers (and all those company IT professionals in between) will need to contend with this new threat and ensure that their machines are protected against it.
How serious is the threat?
In a word, very. It’s not only the sheer number of machines and devices affected that makes Meltdown/Spectre such big news. It’s also the nature of the threat they pose if and when attackers create exploits for them. As of this writing, only proof-of-concept code is known to have been created by researchers, with no reports of exploits “in the wild.” However, there is little doubt that, now that the word is out about these vulnerabilities, attackers will be scrambling to take advantage of them before vulnerable systems can be patched. That could have severe results for individuals and organizations.
Security researchers are calling this one of the worst CPU vulnerabilities ever discovered. Meltdown, in particular, makes it easy for an ordinary, unprivileged program to read sensitive information such as passwords, credit card numbers, and personal data out of kernel memory, and through it out of all of physical memory. It bypasses the protection that normally prevents applications from reading privileged memory locations by exploiting out-of-order execution: the processor loads the forbidden data before the permission check completes, and although the result is discarded, its footprint in the CPU cache can be measured with a timing side channel. Spectre works differently but with a similar result: it abuses branch prediction to trick a victim program (another process, the kernel, or a JavaScript engine running untrusted code in the browser) into speculatively executing instructions that leak data from the victim’s own address space through the same cache side channel. The data at risk from Spectre is therefore not limited to kernel memory.
How do we fix it?
The good news is that the vendors reacted quickly. Intel has issued firmware (microcode) updates, although those target the Spectre variants; the Meltdown fix is implemented in the operating system kernel, and Microsoft, Apple, and the Linux distributions have made patches available for desktop and laptop machines running their operating systems. The situation is so serious that Microsoft released an out-of-band update for Windows on January 3 instead of waiting for the regular Patch Tuesday.
The fix for Meltdown is called kernel page table isolation (KPTI). It is based on KAISER, a mitigation developed for a previous, less serious weakness (side-channel leaks that defeated kernel address space layout randization). Page tables are the data structures virtual memory uses to map virtual addresses to physical ones. KPTI keeps two sets of them for each process: while user code is running, only the minimal set of kernel pages needed to handle system calls and interrupts is mapped at all, and the rest of the kernel is unmapped rather than merely marked as privileged. Because Meltdown can only read memory that is mapped, there is nothing left for it to read.
The bad news is that some of these patches conflict with some third-party antivirus software. Some sources also say that some machines, especially those with older Intel processors (pre-Skylake), may see a significant performance slowdown after the updates are applied; estimates range from 5 to 30 percent. The cost comes from switching page tables on every transition between user and kernel mode, so it falls mainly on workloads that make many system calls or handle many interrupts (databases, network-heavy servers, I/O-bound applications), and it is smaller on processors where the kernel can use PCID (process-context identifiers) to avoid flushing the TLB on each switch.
Spectre is more difficult to fix, but fortunately it is also more difficult for attackers to exploit. The patches being released now mitigate the problem rather than fixing it: operating system and compiler changes (such as Google’s retpoline technique), browser updates that reduce timer precision so that cache timing is harder to measure, and CPU microcode updates all make exploitation harder, but a complete fix requires redesigned processors.
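Installing the update is not the same as having the fix active; a practitioner will want to confirm that the running kernel actually has page table isolation on. The script below is an added example (not code from the original article or from any kernel or distribution vendor). It reads the files under /sys/devices/system/cpu/vulnerabilities, which Linux 4.15 introduced and which distributions generally backported along with the fix, and falls back to the "pti" feature flag and "bugs" line in /proc/cpuinfo. The SAMPLE_SYSFS and SAMPLE_CPUINFO data are constructed for illustration, not captured from a real host; run the script without arguments on a Linux machine and it reads the live files instead.

```python
"""Linux check: is the Meltdown fix (KPTI) active on this kernel?

Reads /sys/devices/system/cpu/vulnerabilities/* (Linux 4.15+ and
distribution kernels that backported the fix) and, as a fallback, the
"flags" and "bugs" lines of /proc/cpuinfo. Added example, not code from
the article or from any vendor.
"""
import os
import re
from typing import Dict, Set

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
CPUINFO_PATH = "/proc/cpuinfo"

# Constructed sample data (not captured from a real machine): an Intel
# desktop on a kernel that has KPTI but no Spectre v2 mitigation yet.
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pge mca cmov "
    "pat clflush mmx fxsr sse sse2 ht syscall nx lm pcid pti\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n"
)


def classify(status: str) -> str:
    """Map one sysfs status string to a verdict.

    The kernel writes "Not affected", "Vulnerable" (optionally followed by
    detail) or "Mitigation: <name>". Anything else is reported as unknown
    rather than guessed at.
    """
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(vuln_dir: str = SYSFS_VULN_DIR) -> Dict[str, str]:
    """{name: raw status} for every file in the sysfs directory; {} if the directory is absent."""
    result: Dict[str, str] = {}
    if not os.path.isdir(vuln_dir):
        return result
    for name in sorted(os.listdir(vuln_dir)):
        with open(os.path.join(vuln_dir, name)) as f:
            result[name] = f.read()
    return result


def cpuinfo_tokens(cpuinfo_text: str, field: str) -> Set[str]:
    """Tokens of the first '<field> : a b c' line in /proc/cpuinfo (empty set if missing)."""
    m = re.search(r"^%s\s*:\s*(.*)$" % re.escape(field), cpuinfo_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def meltdown_verdict(sysfs: Dict[str, str], cpuinfo_text: str) -> str:
    """Prefer the kernel's own sysfs verdict; fall back to cpuinfo heuristics."""
    if "meltdown" in sysfs:
        return classify(sysfs["meltdown"])
    flags = cpuinfo_tokens(cpuinfo_text, "flags")
    bugs = cpuinfo_tokens(cpuinfo_text, "bugs")
    if "pti" in flags:           # kernel advertises page table isolation
        return "mitigated"
    if "cpu_meltdown" in bugs:   # kernel knows the CPU is affected but has no PTI
        return "vulnerable"
    return "unknown"             # pre-4.15 kernel without the backport: consult the vendor advisory


def summarize(sysfs: Dict[str, str]) -> Dict[str, str]:
    """Verdict per sysfs entry (meltdown, spectre_v1, spectre_v2, ...)."""
    return {name: classify(status) for name, status in sysfs.items()}


if __name__ == "__main__":
    live_sysfs = read_sysfs()
    try:
        with open(CPUINFO_PATH) as f:
            live_cpuinfo = f.read()
    except OSError:
        live_cpuinfo = ""
    print("meltdown (combined):", meltdown_verdict(live_sysfs, live_cpuinfo))
    for name, verdict in summarize(live_sysfs).items():
        print("%-12s %s" % (name, verdict))
```

A verdict of "unknown" means the kernel is too old to report on itself at all, which on a machine that was supposed to have been patched is itself a finding: check the installed kernel version against the distribution’s advisory rather than assuming the fix is present.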
Google has issued a patch for Chromebooks, and the latest security updates are designed to protect Pixel and Nexus smartphone users from the Spectre issue. It will be up to the vendors of other phones and tablets to create patches for their devices, and to the wireless carriers to distribute the updates to their customers, so it may take a while for all mobile devices to be patched. (On a personal note, this is why I never engage in financial transactions or online banking, or send sensitive data, via my phone; I always wait until I can do it via my PC, because vulnerability updates for phones tend to lag behind.)
Microsoft, Amazon, and Google are all patching the hypervisors and host systems in their cloud data centers, which protects tenants from one another. However, Infrastructure as a Service (IaaS) customers will also need to patch the operating systems inside their own virtual machines in order to be fully protected, because the host-side fix does nothing to stop an unprivileged process inside a guest from reading that guest’s kernel memory.
What did they know and when did they know it?
A processor flaw that leaves literally billions of devices open to attack, with such far-reaching implications, is worrisome in itself. But one of the most controversial aspects of this story is the reporting that the major tech companies knew about the security issues for months and kept them from the public. Researchers, among them Google’s Project Zero team, discovered the vulnerabilities and reported them to the chip makers in mid-2017, and there are indications that Google, Intel, Microsoft, and the Linux distributors have been working on solutions for some time.
Although some news reports make this sound like a conspiracy, it is actually standard practice (coordinated disclosure) to keep quiet about a serious security issue until there is an update to patch it. This makes sense: if your front door lock were broken, you wouldn’t want someone to broadcast that to the world before you had a chance to get it fixed. Tech companies prefer to announce a vulnerability only when they can also announce the availability of the fix.
The British news outlet The Register is getting the credit, or the blame, for bringing Spectre and Meltdown to the attention of the world before the tech giants were ready. The Register broke the story on January 2, ahead of the January 9 date the vendors had agreed on, sending software and hardware companies into a frantic rush to get patches out and make statements to the press, and making for a less-than-happy new year across the IT security spectrum.
This article represents what’s known at the time of writing (January 4), but it is a quickly evolving story with new information coming in all the time, so stay tuned (and stay patched) as we learn more about these vulnerabilities, which are no doubt just the beginning of a stream of security issues we’ll face in 2018.
As with every vulnerability out there, the most important thing IT pros (and small and medium-sized business users) can do to protect their networks is to make sure to apply any patches as they become available. GFI LanGuard is the perfect tool for all your patch management needs and has now been updated to also include the Meltdown Microsoft patch.
Please note that, because of the reported incompatibilities with some antivirus products, Microsoft only offers the January update to machines on which the installed antivirus has set a registry flag certifying that it is compatible, so you may not see the patch until your AV is also updated. As with any update, deploy in your test environment first and ensure there are no unanticipated issues, then proceed to deploy in your production environment.
For customers running Apple macOS, version 10.13.2 is available and includes mitigations for the Meltdown vulnerability; earlier versions of macOS need to be updated to 10.13.2 to be protected. Google’s latest Android security update also contains mitigations for these vulnerabilities.
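The antivirus gate just mentioned is a single registry value: Microsoft’s January 2018 Windows updates are offered by Windows Update only when the installed antivirus has created the REG_DWORD value cadca5fe-87d3-4b96-b7fb-a231484277cc (data 0) under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\QualityCompat, certifying that it does not make the unsupported calls into kernel memory that crash the patched kernel. The script below is an added example, not code from the article or from Microsoft; it reports whether a Windows host will be offered the patch, and the SAMPLE_KEY_* dictionaries are constructed stand-ins for the key’s contents so that the classification logic can be exercised on any platform.

```python
"""Windows check: has the antivirus set the QualityCompat flag that gates
the January 2018 Meltdown/Spectre update? Added example, not code from
the article or from Microsoft.
"""
import sys
from typing import Dict, Optional

QUALITY_COMPAT_KEY = (
    r"SYSTEM\CurrentControlSet\Control\Session Manager"
    r"\Memory Management\QualityCompat"
)
# Value name Microsoft documented for the AV-compatibility flag (REG_DWORD, data 0).
QUALITY_COMPAT_VALUE = "cadca5fe-87d3-4b96-b7fb-a231484277cc"

# Constructed stand-ins for the key's contents (not read from a real machine).
SAMPLE_KEY_MISSING = None                            # key does not exist at all
SAMPLE_KEY_EMPTY: Dict[str, object] = {}             # key exists but holds no values
SAMPLE_KEY_SET = {QUALITY_COMPAT_VALUE: 0}           # flag set exactly as documented
SAMPLE_KEY_ODD = {QUALITY_COMPAT_VALUE.upper(): 1}   # flag present, data not 0


def evaluate(values: Optional[Dict[str, object]]) -> str:
    """Classify the key's contents.

    values: {value_name: data} read from the key, or None if the key is absent.
    Returns "ready"           flag present with data 0; the update will be offered
            "present_nonzero" flag present but data is not 0 (Microsoft documents 0,
                              so treat this as worth a look)
            "missing"         key or flag absent; Windows Update withholds the patch
    """
    if not values:
        return "missing"
    for name, data in values.items():
        if name.lower() == QUALITY_COMPAT_VALUE:
            return "ready" if data == 0 else "present_nonzero"
    return "missing"


def read_quality_compat() -> Optional[Dict[str, object]]:
    """Read the live key on Windows. Returns None if the key does not exist."""
    import winreg  # Windows-only module; imported here so the rest runs anywhere
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, QUALITY_COMPAT_KEY)
    except FileNotFoundError:
        return None
    values: Dict[str, object] = {}
    with key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # EnumValue raises once the values are exhausted
                break
            values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    if sys.platform != "win32":
        print("Not Windows; showing the constructed samples instead:")
        samples = (("missing", SAMPLE_KEY_MISSING), ("empty", SAMPLE_KEY_EMPTY),
                   ("set", SAMPLE_KEY_SET), ("odd", SAMPLE_KEY_ODD))
        for label, sample in samples:
            print("  %-8s -> %s" % (label, evaluate(sample)))
    else:
        verdict = evaluate(read_quality_compat())
        print("QualityCompat flag:", verdict)
        if verdict == "missing":
            print("Update the antivirus (or confirm compatibility with its vendor) "
                  "before expecting the January 2018 update to appear in Windows Update.")
```

Creating the value by hand is supported by Microsoft only on machines with no third-party antivirus, or where the vendor has confirmed compatibility; setting it to force the update onto a machine with an untested AV driver reproduces exactly the blue-screen scenario the flag exists to prevent.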