Welcome to 2018, brought to you by Meltdown and Spectre.


For those of us in information security, the first week of January 2018 has been spent in meetings about patches and reading up on a security flaw that has been present in processors since 1995. With most devices made in the last 20 years affected, it is fair to say that this touches every organisation in some way or form. Unless, of course, your organisation predominantly uses the Raspberry Pi as an alternative to enterprise hardware (Raspberry Pi released a statement explaining why the microcomputer isn't affected: the in-order ARM cores it uses do not speculatively execute instructions, which is the behaviour both attacks depend on).

The vulnerabilities in question are called Meltdown and Spectre. Between them they affect devices powered by Intel, AMD and ARM cores: Spectre applies to all three vendors, while Meltdown has been demonstrated on Intel processors and a small number of ARM designs. As these are the market leaders in the processor business, it is no surprise that there will most likely not be a recall of what is essentially defective equipment. To put this into perspective, had such a situation occurred in the car industry, drivers would have been advised to return their car to the nearest dealer, with a global recall on the cards. Instead, Apple, Google, Microsoft and other tech giants have released software updates for the pair of flaws, which are present in most modern computers, smartphones, tablets and other mobile devices. Because the vulnerabilities sit in fundamental aspects of how mainstream processors manage and isolate data, replacing the affected chips with corrected ones may still be the best option; realistically, though, this will not happen.

Meltdown

Meltdown is the name given to the exploitation technique tracked as CVE-2017-5754, or "rogue data cache load". The Meltdown technique enables an unprivileged user process to read kernel memory: the processor executes a load from a kernel address out of order, before the permission check raises its fault, and the loaded value can be encoded into the CPU cache and recovered with a timing measurement even though the faulting instruction is never committed. Meltdown therefore breaks the most fundamental isolation between user applications and the operating system, allowing a program to access the memory, and thus the secrets, of other programs and of the operating system itself. The software mitigation, kernel page-table isolation (KPTI, originally KAISER), keeps kernel memory unmapped while user code runs, which is why the patches make system calls more expensive.

Why is it called Meltdown?

The vulnerability melts the security boundaries that are normally enforced by the hardware.

Spectre

Spectre is a name covering two different exploitation techniques, tracked as CVE-2017-5753, or "bounds check bypass", and CVE-2017-5715, or "branch target injection". Both abuse speculative execution: while the CPU is still deciding which way a branch goes, it runs ahead down the predicted path, and an attacker who trains the branch predictor can make that path either skip a bounds check (variant 1) or jump to a code sequence of the attacker's choosing (variant 2). The speculated work is rolled back once the misprediction is noticed, but the cache lines it touched stay in the cache and can be measured, so memory belonging to the kernel or to other processes can be leaked to the attacker's process. Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
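The bounds-check-bypass pattern is easier to see in code. The following is an added example, not code from the original post: the vulnerable gadget is the one published in the Spectre paper, and the hardened version applies an index mask modelled on the array_index_mask_nospec() helper that the Linux kernel adopted for this bug, plus a speculation barrier. The two arrays and their contents are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* Constructed sample data for the example (not from the original post). */
static uint8_t array1[16] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * 512];      /* probe array: one cache line per possible byte value */
static volatile uint8_t temp = 0;      /* sink so the compiler keeps the second load */

/* Vulnerable gadget: the bounds-check-bypass pattern from the Spectre paper.
 * Architecturally it is correct: nothing is read when x is out of bounds.
 * Under speculation, after the attacker has trained the branch with in-bounds
 * values, the CPU may predict the check as passing for a malicious x, read
 * array1[x] from outside the array, and touch the line of array2 selected by
 * that byte before the misprediction is detected. The cache state survives
 * the rollback, and the attacker times accesses to array2 to recover the byte. */
void victim_vulnerable(size_t x) {
    if (x < sizeof(array1)) {
        temp &= array2[array1[x] * 512];
    }
}

/* Branchless mask: all ones when idx < size, zero otherwise. Mirrors the idea
 * of the kernel's array_index_mask_nospec(); written with unsigned types only
 * so every operation is fully defined C. Assumes 0 < size <= SIZE_MAX / 2. */
size_t array_index_mask_nospec(size_t idx, size_t size) {
    /* If idx < size, both idx and (size - 1 - idx) are below size, so the top
     * bit of their OR is clear. If idx >= size, the subtraction wraps and the
     * top bit is set. */
    size_t t = idx | (size - 1 - idx);
    size_t oob = t >> (CHAR_BIT * sizeof(size_t) - 1);   /* 0 in bounds, 1 out */
    return oob - 1;                                      /* SIZE_MAX or 0 */
}

/* Index clamp that depends on data, not on the branch outcome: a speculatively
 * out-of-bounds x becomes 0, so even a mispredicted load stays inside array1. */
size_t speculation_safe_index(size_t idx, size_t size) {
    return idx & array_index_mask_nospec(idx, size);
}

/* Serialising barrier: execution does not proceed until the branch has really
 * resolved. It is costly, so it is reserved for code that indexes with
 * attacker-controlled values. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#elif defined(__aarch64__)
    __asm__ __volatile__("dsb sy\n\tisb" ::: "memory");
#else
    /* Assumption: no portable barrier on other targets; they rely on masking alone. */
#endif
}

/* Hardened gadget: identical architectural behaviour, no speculative OOB load. */
void victim_hardened(size_t x) {
    if (x < sizeof(array1)) {
        speculation_barrier();
        x = speculation_safe_index(x, sizeof(array1));
        temp &= array2[array1[x] * 512];
    }
}

int main(void) {
    size_t probes[] = { 3, 15, 16, 4096 };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("x=%zu  mask=%#zx  clamped=%zu\n", probes[i],
               array_index_mask_nospec(probes[i], sizeof(array1)),
               speculation_safe_index(probes[i], sizeof(array1)));
        victim_vulnerable(probes[i]);
        victim_hardened(probes[i]);
    }
    return 0;
}
```

Note that both victim functions return the same results for every input: the fix changes nothing that a functional test can observe, which is exactly why ordinary testing and code review never flagged this pattern. The mask is the cheap default; the barrier is the belt-and-braces option where a single mispredicted load would already be too much.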

Which systems are affected by Spectre?

Almost every system is affected by Spectre: desktops, laptops, cloud servers, as well as smartphones. More specifically, all modern processors capable of keeping many instructions in flight, that is, processors that execute speculatively and out of order, are potentially vulnerable.

Can I find a more technical explanation of the vulnerabilities?

Yes, there is an academic paper and a blog post about Meltdown, and an academic paper about Spectre. Furthermore, there is a Google Project Zero blog entry about both attacks.

Will my antivirus protect me?

Not against the attacks themselves: Meltdown and Spectre are hard to tell apart from ordinary, benign programs, so antivirus detection is unlikely in practice. Where antivirus does matter is patch compatibility. Microsoft's January 2018 Windows updates are only offered once the installed antivirus confirms, via a registry key, that it is compatible, because incompatible products were causing boot failures after the update. You can check whether your antivirus is compatible with the list compiled by security researcher Kevin Beaumont, available here.

I want to read more!

Check out:

  1. Meltdown in a nutshell by Manish Kumar.
  2. System calls have become more expensive with Meltdown. How to avoid them, by Denis Anikin.
  3. Follow Daniel Kirschner, who covered Spectre on Day 6 of his 30 Days of Learning series.
  4. We enjoyed Robert Merkel's explanation of Meltdown and Spectre for non-programmers.

Credits

Meltdown was independently discovered and reported by three teams:

Spectre was independently discovered and reported by two people:

Stephen Chapendama, www.BantuTech.com