This week the public was informed of two major vulnerabilities (nicknamed: Meltdown & Spectre) that could potentially affect processors designed by Intel, AMD and ARM used in the majority of PCs, Macs and smartphones. [1]
Although it is not known if the flaws have been exploited by cybercriminals yet, because of the widespread impact of these vulnerabilities we have decided to provide a brief summary about what these vulnerabilities are, what their impact is, as well as what the resolution entails.
Spectre & Meltdown:
What is it?
“Meltdown” is currently thought to primarily affect Intel processors manufactured since 1995, which could allow hackers to bypass the hardware barrier between applications run by users and the computer’s core memory. Essentially, an architectural error in processor design that allows any application (such as a web page, or document) to read memory that is not supposed to be able to access. With ARM (such as the processor in your mobile phone) and AMD processors, an application can read the memory of any other application. With Intel, an application can read any memory.
What is its potential impact?
For Intel processors; any website you visit, any application you run, or any document you open can be used to read parts of your computer memory it’s not supposed to be able to access. This can include your passwords and encryption keys. This means that opening a bad website could potentially immediately compromise your system. This includes all Apple computers since 2006 with intel processors and 98% of PCs running Windows (this is the worst bug in the history of the modern computer era). With AMD & ARM; kernel memory, where keys and passwords are kept is still safe, but applications can read the memory of other applications such as your e-mail client, Excel, VM, etc. According to information provided so far, it supposedly much more difficult to execute this attack on these platforms.
How to protect your desktop / laptop / servers from Meltdown?
Make sure you have the latest security patches and updates installed for your operating systems. {UPDATE Jan/10: Microsoft has announced that you will need to update your anti-virus before installing the latest security patch because of conflicts.}
Windows OS: The update is available for Windows 10, Windows Server 2016, Windows 7 and Windows 8.1, it is available to download through your Windows Update, or directly through Microsoft’s website here: https://www.catalog.update.microsoft.com/Search.aspx?q=windows+security+update+2018
Mac OS: Macs running the latest update of High Sierra (10.13.2) already have the fix in place. Check to see that you have the latest operating system installed. If you have an older machine that is unable to upgrade to the latest operating system, you may still be at risk. This includes Macs older than 2009 will not be able to patched.[6]
Linux OS: Linux kernel developers have a set of patches named kernel page-table isolation (KPTI) to be released in kernel 4.15 in early 2018.[5] For now a fix has been released as a backport in kernel 4.14.11 which can be found here https://lwn.net/Articles/742622/
NOTE: Possible slowdowns as result of new patches. Some have warned that the latest operating system patches could slow the performance of these processors by 30%. Intel said in a statement, denying that fixes would slow down computers based on the company’s chips. “Any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”[2].
What this means, is that typical user task should be unaffected. Although there are concerns regarding CPU intensive process like server virtualization and encoding tasks being slowed down.
How to protect your smartphones and tablets from Spectre?
Make sure you have the latest operating systems installed.
Android OS: The newest Android phones are in much better shape than older ones. Google’s latest security patch, which was released in December, “includes mitigations reducing access to high precision timers that limit attacks on all known variants on ARM processors.” [5]
If you have an older Android device that does not receive updates anymore, a hacker could potentially trick an otherwise safe app on your phone into handing over your personal info such as passwords and encryption keys. However, they would need access to your unlocked phone as Spectre is unlikely to be implemented or triggered remotely. [5]
iOS (Apple): Apple has recently announced that their iOS devices are affected as well, despite their iOS devices running off of Apples own processors. iPhones, iPads, and iTouch devices upgraded to the latest iOS 11 update (11.2) already have the fix in place, check to see that you have the latest update to be protected. [6] However there are still many older iOS devices out there that will not be able to update to the latest operating systems. These include iOS devices older than the iPhone5s, and iPad 4.
Conclusions
As long as you are able to update your operating systems to latest versions, you should be protected from the Meltdown vulnerability. The Spectre vulnerability is much harder to exploit, but also much harder to fix. As a result, there is no fix out there yet, but it is also much more unlikely to affect you.
Best practice is to always make sure your operating systems are up to date, as this will protect you from the vast majority of risks.
For more information regarding the Meltdown and Spectre vulnerabilities take a look at the sources for this article below:
1.) CERT: CPU hardware vulnerable to side-channel attacks - https://www.kb.cert.org/vuls/id/584653
2.) The Guardian: Meltdown and Spectre: ‘worst ever’ CPU bugs affect virtually all computers - https://www.theguardian.com/technology/2018/jan/04/meltdown-spectre-worst-cpu-bugs-ever-found-affect-computers-intel-processors-security-flaw
3.) Wikipedia: Meltdown (security vulnerability) -https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
4.) PC World: Meltdown and Spectre FAQ: Fix for Intel CPU flaws could slow down PCs and Macs - https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-bug-faq-how-it-affects-pc-mac.html
5.) PC World: How the Spectre CPU flaw affects phones and tablets - https://www.pcworld.com/article/3245790/mobile/spectre-cpu-faq-phones-tablets-ios-android.html
6.) Computer Weekly: Apple confirms all devices affected by Meltdown and Spectre - http://www.computerweekly.com/news/450432679/Apple-confirms-all-devices-affected-by-Meltdown-and-Spectre
