There are two new vulnerabilities called Meltdown and Spectre with the latter affecting nearly every device in the world. That’s billions of devices.
Meltdown and Spectre have been known vulnerabilities for quite some time, but research teams had been under embargo. Details began to trickle out yesterday, and as a result of that trickle, there was a lot of speculation that led to many inaccurate assumptions about the full extent of the vulnerabilities and who and what was affected.
Yesterday was not the planned public disclosure day which highlights the difficulty in coordinating multiparty research disclosure.
The Meltdown vulnerability only affects Intel CPU’s. Intel opted for performance over security by allowing a program to read kernel data that’s in memory to include passwords and other sensitive information.
Meltdown allows an attacker to bypass the isolation between user applications and the operating system in virtual memory (stored on your hard drive) and RAM (physical memory). Personal computers and cloud infrastructure are affected by Meltdown. As far as cloud infrastructure goes, if you use Amazon Web Services, Google Cloud, Microsoft Azure and any other cloud company the uses Intel CPU’s and Xen PV, you can expect maintenance messages alerting you of planned downtime.
Meltdown was discovered by Jann Horn of Google’s Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology, and Daniel Grus, Moritz Lipp, Stefan Mangard, and Michael Schwarz of Graz University of Technology.
Tom Lendacky, an AMD software engineer, had this to say about the Meltdown “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.
Disable page table isolation by default on AMD processors by not setting the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI is set.”
Spectre affects nearly every device on planet earth and allows programs to access and read the memory locations of other programs that can contain any information that particular program uses. If the program is a browser, it can include which websites you’re visiting, how tabs you have open, and credentials.
Specifically, Spectre allows an attacker to trick an application into leaking data even if the developers used best practices when creating their software. Following best practices can also lead to an increased attacker surface making more data available to attackers. Spectre is the hardest of the two vulnerabilities to exploit, but also the most difficult to fix.
Spectre is a design flaw that can only be fixed in the upcoming generation of CPU’s and on.
Spectre was reported by Jann Horn of Google’s Project Zero, Paul Kocker in collaboration with Daniel Genkin of the University of Pennsylvania and the University of Maryland, Mike Hamburg of Rambus, Moritz Lipp of the Graz University of Technology, and Yuval Yarom of the University of Adelaide and Data61.
A proof-of-concept has been developed by a Ph.D. student at Vrije Universiteit Amsterdam that exploits Meltdown.
— brainsmoke (@brainsmoke) January 3, 2018
Intel released a statement addressing the inaccuracies of reports.
“Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.”
AMD and ARM also released statements concerning their products but didn’t directly address the plethora of inaccurate information.