The first week of January for those of us in information security has been met with meetings discussing patches and reading up on a security flaw that has existed since 1995. With most devices made in the last 20 years affected, it is fair to say, this pretty much affects every organisation in some way or form. Unless your organization predominantly uses the Raspberry Pi as an alternative to enterprise hardware of course (Raspberry Pi released a statement explaining why the microcomputer isn’t affected).
The vulnerabilities in question are called Meltdown and Spectre.They affect devices powered by Intel, AMD, or ARM cores. As these are the market leaders in the processor making business, it is no surprise that there will most likely not be a recall of what is essentially defective equipment. To put this into perspective, had such a situation occurred in the car industry, for example, drivers would’ve been advised to return their car to the nearest dealer with a global recall on the cards. Apple, Google, Microsoft and other tech giants have released updates for a pair of serious security flaws present in most modern computers, smartphones, tablets and mobile devices. As the vulnerabilities impact fundamental aspects of how mainstream processors manage and silo data and replacing them with chips that correct these flaws still may be the best option, realistically this will not happen.
Meltdown is a name given to an exploitation technique known as CVE-2017–5754 or “rogue data cache load.” The Meltdown technique can enable a user process to read kernel memory. Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
Why is it called Meltdown?
The vulnerability basically melts security boundaries which are normally enforced by the hardware.
Spectre is a name covering two different exploitation techniques known as CVE-2017–5753 or “bounds check bypass,” and CVE-2017–5715 or “branch target injection.” These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call. Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Which systems are affected by Spectre?
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable.
Can I find a more technical explanation of the vulnerabilities?
Will my antivirus protect me?
I want to read more!
- Meltdown in a nutshell by Manish Kumar.
- System calls have been more expensive with Meltdown. How to avoid them by Denis Anikin.
- Follow Daniel Kirschner who covered Spectre on Day 6 of his 30 Days of learning series.
- We enjoyed Robert Merkel explanation for non programmers of Meltdown and Spectre.
Meltdown was independently discovered and reported by three teams:
- Jann Horn (Google Project Zero),
- Werner Haas, Thomas Prescher (Cyberus Technology),
- Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz(Graz University of Technology)
Spectre was independently discovered and reported by two people:
- Jann Horn (Google Project Zero) and
- Paul Kocher in collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61)
Stephen Chapendama, www.BantuTech.com