Spectre and Meltdown: What you need to know going forward

You're likely affected by these issues in some way, so don't ignore them. At the same time, it's important to remember the world is not ending.

Update:

Please note, Microsoft has suspended Windows security updates related to this issue on systems with older AMD CPUs, after a documentation mix-up led to the systems being unable to boot after patches were applied.

Support forum posts center mostly on older Sempron and Athlon chips; the largest thread on the issue has more than 150 responses so far.

"Microsoft has reports of customers with some AMD devices getting into an unbootable state after installing recent Windows operating system security updates," Microsoft said in an advisory.

In order to "prevent AMD customers from getting into an unbootable state," Microsoft said, the OS giant has temporarily paused sending the following Windows updates to devices with impacted AMD processors:

  • January 3, 2018—KB4056897 (Security-only update)
  • January 9, 2018—KB4056894 (Monthly Rollup)
  • January 3, 2018—KB4056888 (OS Build 10586.1356)
  • January 3, 2018—KB4056892 (OS Build 16299.192)
  • January 3, 2018—KB4056891 (OS Build 15063.850)
  • January 3, 2018—KB4056890 (OS Build 14393.2007)
  • January 3, 2018—KB4056898 (Security-only update)
  • January 3, 2018—KB4056893 (OS Build 10240.17735)
  • January 9, 2018—KB4056895 (Monthly Rollup)
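As an added example (not from the article or from Microsoft), the following PowerShell reports which of the paused updates listed above are present on a host and flags AMD systems, where Microsoft reported boot failures. It assumes a Windows host with CIM access; the KB numbers are the ones quoted in the list.

```powershell
# Added example: inventory the paused January 2018 updates on this host.
# KB ids are taken from the article's list; nothing else is assumed about them.
$PausedUpdates = @(
    'KB4056897', 'KB4056894', 'KB4056888', 'KB4056892', 'KB4056891',
    'KB4056890', 'KB4056898', 'KB4056893', 'KB4056895'
)

function Get-PausedUpdateStatus {
    # Win32_Processor exposes the CPU vendor string ("AuthenticAMD" / "GenuineIntel").
    $cpu   = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $isAmd = ($cpu.Manufacturer -eq 'AuthenticAMD')

    # Get-HotFix lists installed updates by KB id (backed by Win32_QuickFixEngineering).
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    foreach ($kb in $PausedUpdates) {
        $present = $installed -contains $kb

        # An AMD host that already has one of these updates matches the
        # condition Microsoft described; an AMD host without it is simply paused.
        $note = if ($isAmd -and $present) {
            'Installed on AMD host: verify boot status'
        } elseif ($isAmd) {
            'Delivery paused by Microsoft for AMD'
        } else {
            ''
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Processor    = $cpu.Name
            IsAmd        = $isAmd
            Update       = $kb
            Installed    = $present
            Note         = $note
        }
    }
}

Get-PausedUpdateStatus | Format-Table -AutoSize
```

Run it under an account that can query CIM; on a fleet, wrap the function in Invoke-Command to collect the same table from each host.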


What you need to know about Meltdown & Spectre:

As you've likely heard by now, there are some problems with Intel, AMD, and ARM processors. Called Meltdown and Spectre, the discovered attack possibilities are rather severe, as they impact pretty much every technical device on the network or in your house (PCs, laptops, tablets, phones, etc.).

Here's a breakdown of all the things you need to know. As things change, or new information becomes available, this article will be updated.

The key thing to remember is not to panic, as the sky isn't about to come crashing down. The situation is one that centers on information disclosure, not code execution (a far more damning issue to deal with).

While Meltdown and Spectre are serious, a majority of organizations (and users for that matter) will only need to apply patches as normal and follow their usual patching policies. There is a stronger sense of urgency if the organization is in a unique situation (e.g. cloud providers, government contractors, finance), but that's a case-by-case assessment.

What are Meltdown and Spectre?

Meltdown and Spectre are the names given to three different variants of possible side-channel attacks against processor design choices. Meltdown and Spectre are not bugs; they abuse the normal function of Intel, AMD, and ARM processors.

Variants 1 and 2 (Spectre) – according to the researchers who discovered it – "breaks the isolation between different applications."

To put it another way, Spectre could be used by an attacker (unprivileged, logged-in to a system) to obtain information from the kernel. Or, a root user on a guest VM can obtain information from the host kernel. The thing is, the process is slow. According to Google, kernel memory can be read at a rate of 1500 to 2000 bytes per second, so it's only possible to get about 130 to 173 MB of data daily.

Yet, what makes Spectre so risky is the harsh reality that programs following best practices when it comes to data safety checks "actually increase the attack surface and may make applications more susceptible to Spectre," the researchers note.

Variant 3 (Meltdown) – according to the researchers who discovered it – "breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system."

A solid technical overview has been provided by Google. Also, the researchers themselves published comprehensive papers on Spectre and Meltdown, which are available via their website.

The CERT Advisory is available as well, but ignore the advice to replace all of your hardware.

Variant 1: CVE-2017-5753

Variant 2: CVE-2017-5715

Variant 3: CVE-2017-5754

Who discovered Meltdown and Spectre?

Meltdown and Spectre were discovered by three groups independently. The name that will jump out instantly to most is Google, or Project Zero's Jann Horn.

After Google, Meltdown was discovered by Werner Haas and Thomas Prescher of Cyberus Technology; as well as Daniel Gruss, Moritz Lipp, Stefan Mangard, and Michael Schwarz at Graz University of Technology.

Spectre was discovered by Project Zero, and Paul Kocher in collaboration with Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61).

The researchers also acknowledge Anders Fogh for conversations during Black Hat USA and Europe in 2016, which ultimately led to the discovery of Meltdown.

How easy is this to exploit?

Meltdown is easy to exploit, and the researchers suggest that users running vulnerable processors avoid working with sensitive information until proper mitigations can be applied. Spectre is harder to exploit, but it's also harder to mitigate. As one researcher put it: "[Spectre] will haunt us for quite some time."

What is the scope of Spectre and Meltdown?

The researchers say that other than Intel Itanium and Intel Atom before 2013, every processor since 1995 is affected by Meltdown. The researchers tested Meltdown on Intel processors going back to 2011, and all of them were vulnerable. As things stand, it's still unclear if AMD and ARM processors are vulnerable to Meltdown.

Cloud providers using Intel CPUs and Xen PV without patches are vulnerable to Meltdown, as are providers without real hardware virtualization – relying on a shared kernel or containers (Docker, LXC, OpenVZ).

Spectre on the other hand affects almost every system on the planet. As mentioned, the issue extends to desktops, laptops, tablets, smartphones, and servers. This includes Intel, AMD, and ARM processors.

Will there be a recall of CPUs?

It's unlikely that there will be a recall as the issue isn't about improper design or development. Meltdown and Spectre are abusing normal and expected processor operations. However, Intel may be forced to do something, but only time will tell on that front.

Is there a fix?

Patches have been released; for the most part, some were available before Meltdown and Spectre were disclosed.

Microsoft is the big one, as there are some requirements. While Redmond has released patches for Windows and Windows Server, as well as Internet Explorer, Edge, and SQL Server, they're only going to be served up if the antivirus on the system is updated as well and sets a necessary registry key.

Note: Microsoft has stated that unless this registry key is set, users of Windows 10, Windows 8.1, Windows Server 2012 R2 and Windows Server 2016 will not get the Meltdown / Spectre patches, nor "any subsequent security updates."

So far (as of 04-JAN-2018), Avast, Kaspersky, ESET, Symantec, and F-Secure have updated to set the proper registry key. Sophos plans to push updates before the end of the week. McAfee says they're working on a fix, as are several others. Kevin Beaumont, a noted security expert, is keeping track of the antivirus vendors and their patch cycles.

AMD has stated that they're not vulnerable to Meltdown (Variant 3), and that when it comes to Spectre, there is "near zero risk of exploitation" of Variant 2, and Variant 1 is resolved by software and OS updates.

ARM released a whitepaper and technical details, identifying that they were vulnerable to Spectre (Variants 1 & 2), and only one processor was vulnerable to Meltdown (Variant 3). Future ARM processors will be resilient to attacks or allow mitigation through kernel patches.

NVIDIA said they believe their GPU hardware is immune to Meltdown and Spectre; however, they are updating GPU drivers to help mitigate the CPU issue.

"As for our SoCs with ARM CPUs, we have analyzed them to determine which are affected and are preparing appropriate mitigations," the statement said.

Intel says they plan to have updates released for "more than 90 percent of processor products introduced within the past five years." This is good news, but those with older systems seem to be out of luck, which could complicate things in the enterprise as far as legacy systems are concerned.

Mozilla said they were able to confirm browser-based techniques to obtain information, and are investigating the best ways to mitigate Spectre and Meltdown attacks on their browser. The full extent of such attacks remains under investigation. [Update: Firefox 57.0.4 was released on 04-JAN-2018. It contains mitigations for Spectre and Meltdown.]

Google Chrome will release fixes on or around January 23 in version 64, which will mitigate browser-based attempts.

VMware has released a security advisory related to Meltdown and Spectre, informing customers that the documented remediation has been present in VMware Cloud on AWS since December.

Xen also released an advisory, noting that all versions are affected. Meltdown can be mitigated by running guests in HVM or PVH mode. There are no mitigations for Spectre.

Microsoft said that a majority of Azure infrastructure has already been patched; customers that hadn't yet received the proper fixes will have them before the week is out. Amazon said all of their EC2 fleet would be patched before the end of the week as well. Like Microsoft, Amazon started pushing patches before disclosure.

I've heard there will be performance issues, is that true?

Yes, and no. There will be some performance impacts, but the majority of people won't notice them. It really depends on what the system is doing. Benchmarks at Phoronix have shown some considerable performance impacts, but far less than the 30 percent being blasted out in some circles.

Google says there is little to no impact. "There has been speculation that the deployment of KPTI causes significant performance slowdowns," Google wrote in an update on Meltdown.

"In our own testing, we have found that microbenchmarks can show an exaggerated impact. Of course, Google recommends thorough testing in your environment before deployment; we cannot guarantee any particular performance or operational impact."

The videos below, provided by the researchers, show Meltdown in action.