Meltdown and Spectre Advice
What are Meltdown and Spectre?
Ten years ago, and since, information technology security professionals developed methods to read the kernel memory of each assigned user account on computer processors sold by a number of chip vendors.
These developers are neither hackers nor criminals; they are researchers working in world government agencies, academia and computer companies.
These methods are called ‘Meltdown’ and ‘Spectre’.
Meltdown allows a programme to access the memory, and the private (encrypted or not) information, of other programmes and the computer’s operating system.
No computer is safe including those that are used in the dark web.
Law enforcement, policing and security agencies can deploy Meltdown and Spectre.
Meltdown affects only devices with Intel chips.
Spectre allows unfettered access to the protected memory of other applications since it overrides access permissions that exist in all computing devices.
You might sometimes see a message such as “you are not authorised” or “you do not have permission” or “access denied, protected files”.
Spectre can access Intel, AMD and ARM chips, including those in mobile phones; which ones are yet to be named.
The knowledge of Meltdown and Spectre escaped into the wider world and possibly into the hands of hackers and criminals.
Now the bad guys may obtain sensitive data, such as passwords.
Deploying Spectre requires a substantial amount of processing power and money, which small-time criminals do not have. However, rogue nation states and global criminal gangs have the resources.
Devices with processors, including laptops, desktops, hardware in data centres, smart photocopiers, embedded CPU loggers in factories and other production centres, Internet connected devices such as home systems, smart televisions, and Google, Apple and Amazon home systems, may be vulnerable to Meltdown and/or Spectre. Vendors are working on (or have already released) patches to try and fix the issue.
The problem is that they have patches for Meltdown and only one of the two Spectre vulnerabilities.
While there is currently no indication that the vulnerabilities are being actively exploited by cyber crooks, you must patch all of your devices as soon as the vendor releases the patches.
There are also patches required for all web browsers.
Firmware patches from the vendors of all the affected hardware are being released.
You must make sure every device you use for personal use, for work or in an automated situation has been patched or hardened via firmware.
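One way to confirm on a Linux host that the patches are actually active, added here as an example and not part of the original article: Linux kernels since 4.15 (and distribution backports) report a status line per issue under /sys/devices/system/cpu/vulnerabilities. The function names and the sample directory below are constructed for illustration.

```shell
# Added example: report Meltdown/Spectre mitigation status on a Linux host.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map one kernel status line to a short verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print "<issue> <verdict>" for Meltdown and both Spectre variants.
# Returns 1 if any issue is not confirmed safe (vulnerable, unknown,
# or no status file because the kernel predates the reporting).
check_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            verdict=$(classify_status "$(cat "$dir/$issue")")
        else
            verdict="no-report"
        fi
        echo "$issue $verdict"
        case "$verdict" in
            mitigated|not-affected) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample tree (not read from a real host), for dry runs.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v1"
    # spectre_v2 deliberately absent: this sample kernel does not report it
    echo "$d"
}

# Check this host; a non-zero result means follow up with the vendor's patches.
check_cpu_vulns || echo "at least one issue is not confirmed mitigated"
```

A "no-report" verdict means the running kernel is too old to expose the status files, which is itself a sign that the fixes are missing.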
Some anti-virus applications are currently not compatible with the security update that was released for Windows operating systems on 3rd January 2018.
You will have to check your antivirus software and supplier.
Deployment of certain patches can potentially cause performance slowdowns.
Vendors have indicated that in most cases they see negligible impact; however, performance will vary by device. No one knows, and therefore you should monitor your CPU speed after the patch is installed.
If you do not patch, the consequences are unknown.
For everyday users, the impact of applying these patches is unlikely to be noticeable.
Organisations should apply patches when available from the affected companies. These should be implemented within 48 hours of release for extreme risk security vulnerabilities.
Advice for owners and customers of cloud services
Applying the patches may have a performance impact on processing capability.
Customers of Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) should have their environments patched by their service provider. Customers should check the website of the provider to confirm that the relevant patches have been applied.
Customers of Infrastructure-as-a-Service (IaaS) will need to apply the relevant patches to their IaaS instances.
Should you be operating at near maximum processing capacity, then you must consider upgrading capacity or managing it to minimise the potential impact of patching.
Agencies are determining the implications for cloud services listed on the Certified Cloud Services List (CCSL).
Author: Kevin Beck, Associate, nem Australasia
This article is based on research and opinion available in the public domain.