Salted Hash Ep 17: Spectre and Meltdown, a vehicle that no one is using

This week, Salted Hash is joined by our new Staff Writer, J.M. Porup, to talk about some recent developments related to Spectre and Meltdown

Welcome to another episode of Salted Hash. This week, Salted Hash is joined by our new Staff Writer, J.M. Porup, to talk about some recent developments related to Spectre and Meltdown, including patch fixes, future mitigations, and a curious (false) rumor about malware leveraging the three flaws.

The melted Spectre of a Meltdown:

Just as people were returning to work after the holiday, word started to spread about vulnerabilities named Spectre and Meltdown. Salted Hash was one of the first to report on the issues, which you can see here. To briefly recap:

"Meltdown and Spectre are the names given to three different variants of possible side-channel attacks against processor design choices. Meltdown and Spectre are not bugs, all they're doing is abusing the normal function of Intel, AMD, and ARM processors."

It was a mess, and even though vendors patched as quickly and as much as possible, things didn't go perfectly. Just before the end of January, Intel reported problems with their patch meant to address Spectre variant 2 (CVE 2017-5715 Branch Target Injection). As a result, Microsoft rushed out-of-band patches that disabled Intel's mitigation, as some customers were instability and data loss.

Spectre-proof processors:

On June 30, during an earnings call, AMD CEO Lisa Su said the company has "included changes in our future processor cores, starting with our Zen 2 design, to further address potential Spectre-like exploits."

Zen 2 chips were introduced during CES earlier this year, and are expected to hit the market in 2019. It isn't clear of the Zen+ chips from AMD – arriving in April 2018 – have similar mitigations. Likely not.

On January 28, Linus Torvalds reported that Linux 4.15 had Spectre fixed built-in, but added "it is worth pointing out that it's not like we're ‘done’ with spectre/meltdown."

"There is more work pending (arm, spectre-v1, misc details), and perhaps equally importantly, to actually get the biggest fix for the indirect branch mitigations, you need not just the kernel updates, you need to have a compiler with support for the ‘retpoline’ indirect branch model."

Malware using Spectre and Meltdown? No, it isn't.

On January 23, AV-TEST posted an image reporting 119 observed samples that appear to be related to Spectre and Meltdown. The problem is, it wasn't until after the FUD started to spread in some circles that the full details were known. These 119 samples were mostly proof-of-concepts (POCs) created by researchers. So they're not actual attacks, in fact – Spectre and Meltdown are vehicles, they're not the payload.

Martijn Grooten at Virus Bulletin said it best:

"AV-Test confirms that it believes that at least the majority of these samples are proof-of-concepts rather than actual malware. Indeed, on looking up some of these samples on VirusTotal (which is likely to have been the original source of most of them), I found that the submitted files had names such as 'MeltdownTest.exe', 'Spectre.exe' and 'intelcve.exe' – suggesting that the authors of these files didn't feel the need to hide their intentions."

"Moreover, malware spotted in the wild typically uses one or more packing layers to make analysis and detection a lot harder. Though anti-virus products aren't powerless against such packers, and the presence of some packers may be a reason in itself to block the file, it is likely that a scan for a particular piece of code, such as that for Meltdown or Spectre, wouldn't detect it inside a packed file. The absence of such packing layers from the samples in question is another reason to believe that most of them weren't written with genuine malicious intentions."

Happy listening, and please, send feedback or suggestions for future topics to us. We'd love to hear from you.

Copyright © 2018 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)