Meltdown and Spectre Advice

What are Meltdown and Spectre?

Ten years ago, and in the years since, information technology security professionals developed methods to read the kernel memory of each assigned user account on computer processors sold by a number of chip vendors.

These developers are neither hackers nor criminals; they are researchers working in government agencies around the world, academia and computer companies.

These methods are called ‘Meltdown’ and ‘Spectre’.

Meltdown allows a program to access the memory, and the private information (encrypted or not), of other programs and of the computer’s operating system.

No computer is safe, including those used on the dark web.
Law enforcement, policing and security agencies can deploy Meltdown and Spectre.

Meltdown affects only devices with Intel chips.

Spectre allows unfettered access to the protected memory of other applications because it overrides the access permissions that exist in all computing devices.

You might sometimes see these permissions at work in a message such as “you are not authorised”, “you do not have permission” or “access denied, protected files”.

Spectre affects Intel, AMD and ARM chips, including those in mobile phones; which ones are yet to be named.

Knowledge of Meltdown and Spectre escaped into the wider world and possibly into the hands of hackers and criminals.

Now the bad guys may obtain sensitive data, such as passwords.

Deploying Spectre requires a substantial amount of processing power and money, which small-time criminals do not have. However, rogue nation states and global criminal gangs have the resources.

Devices containing processors, including laptops, desktops, hardware in data centres, smart photocopiers, embedded CPU loggers in factories and other production centres, and Internet-connected devices such as home systems, smart televisions, and Google, Apple and Amazon home systems, may be vulnerable to Meltdown and/or Spectre. Vendors are working on (or have already released) patches to try to fix the issue.

The problem is that they have patches for Meltdown and for only one of the two Spectre vulnerabilities.

While there is currently no indication that the vulnerabilities are being actively exploited by cyber crooks, you must patch all of your devices as soon as the vendor releases the patches.

There are also patches required for all web browsers. 

Firmware patches from the vendors of all the affected hardware are being released.

You must make sure every device you use personally, for work or in an automated setting has been patched or hardened via firmware.
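
One way to confirm patch status on a Linux machine, as an added example that is not part of the original advice: kernels carrying these fixes report the status of each issue under /sys/devices/system/cpu/vulnerabilities, and the script below reads those entries and lists the CVEs that still need attention. The function names and the sample directory contents in demo() are constructed for illustration.

```python
import os
import tempfile

# Linux kernels carrying these fixes report per-issue status in this directory.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# sysfs entry name -> CVE number from this advisory's reference list
CHECKS = {"meltdown": "CVE-2017-5754", "spectre_v1": "CVE-2017-5753",
          "spectre_v2": "CVE-2017-5715"}

def classify(line):
    """Reduce one kernel status line to a coarse state."""
    line = line.strip()
    if line == "Not affected":
        return "not_affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    if line.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def audit(root=SYSFS_DIR):
    """Return {cve: (state, raw status line)} for the three issues."""
    report = {}
    for name, cve in CHECKS.items():
        try:
            with open(os.path.join(root, name)) as fh:
                raw = fh.read().strip()
            report[cve] = (classify(raw), raw)
        except OSError:
            # No entry: kernel predates status reporting, so assume unpatched.
            report[cve] = ("unreported", "")
    return report

def needs_action(report):
    """CVEs in any state other than mitigated or not affected."""
    return sorted(cve for cve, (state, _) in report.items()
                  if state not in ("mitigated", "not_affected"))

def demo():
    """Audit a constructed directory: one fixed, one vulnerable, one missing."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("meltdown", "Mitigation: PTI\n"),
                           ("spectre_v1", "Vulnerable\n")):
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        return audit(d)

if __name__ == "__main__":
    print(needs_action(audit()))
```

Run on a Linux host or IaaS instance, an empty list means the kernel reports all three issues as mitigated or not applicable to that processor.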

Some anti-virus applications are currently not compatible with the security update that was released for Windows operating systems on 3rd January 2018. 

You will have to check your anti-virus software and its supplier.

Some users will have to wait until their anti-virus software has been updated before applying this Windows security update. Microsoft has released guidance for IT professionals covering Windows clients and servers.

Deployment of certain patches can potentially cause performance slowdowns.

Vendors have indicated that in most cases they see negligible impact; however, performance will vary by device. No one knows for certain, so you should monitor your CPU speed after the patch is installed.

If you do not patch, the consequences are unknown.

For everyday users, the impact of applying these patches is unlikely to be noticeable. 

Organisations should apply patches when they become available from the affected companies. Patches for extreme-risk security vulnerabilities should be implemented within 48 hours of release.

Advice for owners and customers of cloud services

Applying the patches may have a performance impact on processing capability.

Customers of Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) should have their environments patched by their service provider. Customers should check the website of the provider to confirm that the relevant patches have been applied.

Customers of Infrastructure-as-a-Service (IaaS) will need to apply the relevant patches to their IaaS instances.

If you are operating at near-maximum processing capacity, you must consider upgrading capacity or managing it to minimise the potential impact of patching.

Agencies are determining the implications for cloud services listed on the Certified Cloud Services List (CCSL). 


Vulnerability Information

Google Project Zero 

https://googleprojectzero.blogspot.com.au/2018/01/reading-privileged-memory-with-side.html

Vulnerability websites 

https://meltdownattack.com, https://spectreattack.com

CVE sites 

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715, http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753, http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754

US-CERT 

https://www.us-cert.gov/ncas/current-activity/2018/01/03/Meltdown-and-Spectre-Side-Channel-Vulnerabilities

Processor Vendor Information

AMD 

https://www.amd.com/en/corporate/speculative-execution

ARM 

https://developer.arm.com/support/security-update

Intel 

https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/

Operating System Information

Android 

https://source.android.com/security/bulletin/2018-01-01

Apple 

https://support.apple.com/en-us/HT208394

Microsoft 

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv180002

Red Hat

https://access.redhat.com/security/vulnerabilities/speculativeexecution

SUSE

https://www.suse.com/support/kb/doc/?id=7022512

Ubuntu 

https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/

Web Browser Information

Google Chrome 

https://www.chromium.org/Home/chromium-security/ssca

Microsoft Edge and Internet Explorer

https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/

Mozilla Firefox

https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

Virtualisation Software Information

Citrix 

https://support.citrix.com/article/CTX231399

VMware

https://www.vmware.com/security/advisories/VMSA-2018-0002.html

Xen 

https://xenbits.xen.org/xsa/advisory-254.html

Cloud Service Provider Information

Amazon 

https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

Azure 

https://support.microsoft.com/en-au/help/4073235/cloud-protections-speculative-execution-side-channel-vulnerabilities

Google 

https://support.google.com/faqs/answer/7622138  


 

Author: Kevin Beck, Associate, nem Australasia

This article is based on research and opinion available in the public domain.