
Meltdown and Spectre: What We Know

Last Wednesday, researchers from Google’s Project Zero and several universities disclosed two potentially earth-shattering vulnerabilities in Intel processors. The attacks, named Meltdown and Spectre, allow a process to steal information from memory. Meltdown lets a process read privileged memory it normally should not have access to. Spectre, on the other hand, lets one application read the protected memory of other applications on the same machine. While variants of Spectre have been extended to AMD and ARM chips, both attacks primarily affect Intel CPUs. Reportedly, almost all CPUs Intel has manufactured since 1995 are affected. While Intel and other companies have released patches, users report these fixes can slow performance by as much as 30%.

Meltdown (CVE-2017-5754)

Meltdown works by exploiting a race condition in an optimization common to modern CPUs. That optimization, called speculative execution, means the CPU guesses which instructions to execute before the program actually reaches them. If the guess is right, the CPU gains performance. If not, the CPU returns to the fork (the point where speculative execution began), discards the speculative work, and proceeds normally. Vendors have relied on this for years to gain performance, but it opens the possibility of the CPU executing an instruction before realizing that the application does not have the privileges to execute it. Further, this means the system can load sensitive data into the CPU even though that data never appears to the application or end user. If an attacker can leverage this property, they can read parts of memory they should never have access to and recover sensitive data.

Spectre (CVE-2017-5753 and CVE-2017-5715)

While similar to Meltdown in execution, Spectre actually refers to a class of vulnerabilities. Using the weaknesses of speculative execution, the Spectre attack manipulates an application into revealing its own data. Contrast this with Meltdown, which allows the attacker to read privileged memory. The general attack process is based on four precepts:

  1. The branch predictor can be trained to reliably hit or miss
  2. You can time hits and misses reliably as well
  3. Combining #1 and #2 means you can develop exploits for them. The initial disclosure paper formulates a JavaScript exploit as a proof-of-concept.
  4. The paper generalizes the above to any non-functional state of a machine.

So we know the problems with Meltdown and Spectre. What do we do?

While vendors are rolling out OS-level patches for these issues, users report the fixes slow their systems down by as much as 30%. This indicates that the immediate patches disable speculative execution at the OS level. While this may change in the future, we recommend applying these patches as part of your normal change management practice.

Microsoft fixed this for Windows in KB4056892. Apple reports that High Sierra 10.13.2, rolled out last month, includes a fix for OS X; iOS 11.2 does the same for iOS.

Update 1/9/2018: Apple confirms another iOS patch, 11.2.2, also mitigates aspects of Spectre.

Google has pushed out fixes for Chromebooks (applied automatically) and for Android (on January 5th). However, third-party Android phones may take a little longer to update due to QA processes.

If you use Chrome, Tom’s Hardware reports a quick fix that may help:

  1. Navigate to chrome://flags/#enable-site-per-process in your address bar
  2. Search for “Strict Site Isolation” and enable it
  3. Hit “Relaunch Now”

In general, at this point, apply all patches as per normal and you should be okay.
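Applying patches is only half the job; you also want to confirm the mitigations are actually active on each host. The script below is an added example, not part of the original post or of any vendor's tooling: it reads the per-issue status files that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2), each of which reports "Not affected", "Vulnerable", or "Mitigation: ..." as the kernel's own view. The directory is a parameter so the check can be run against constructed sample files offline; the "attention" verdict for a missing file is an assumption, on the grounds that a kernel too old to report is also too old to carry the fix.

```shell
#!/bin/sh
# Added example (not from the original post): report the kernel's own view of
# Meltdown/Spectre mitigation status on a Linux host.
# Linux 4.15+ exposes one file per issue under the directory below; each file
# contains "Not affected", "Vulnerable", or "Mitigation: <technique>".

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS -> prints "ok" or "attention".
# Assumption: anything other than "Not affected" or "Mitigation: ..." needs a look.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        *) echo attention ;;
    esac
}

# check_vulns DIR -> prints one tab-separated line per issue:
#   name<TAB>status<TAB>verdict
# A missing file means the running kernel predates the reporting interface
# (and therefore the fix), so it is flagged for attention rather than ignored.
check_vulns() {
    dir="$1"
    for issue in meltdown spectre_v1 spectre_v2; do
        f="$dir/$issue"
        if [ -r "$f" ]; then
            status=$(cat "$f")
        else
            status="unknown (kernel does not report this issue)"
        fi
        verdict=$(classify_status "$status")
        printf '%s\t%s\t%s\n' "$issue" "$status" "$verdict"
    done
}

# count_attention DIR -> prints how many issues are not mitigated.
count_attention() {
    check_vulns "$1" | awk -F '\t' '$3 == "attention" { n++ } END { print n + 0 }'
}

# Stand-alone run: print the report for the live system (or $VULN_DIR override).
check_vulns "$VULN_DIR"
echo "issues needing attention: $(count_attention "$VULN_DIR")"
```

Run it as-is on a patched Linux box and every line should end in "ok" (for example "Mitigation: PTI" for meltdown). Point VULN_DIR at a directory of sample files to exercise the parsing without touching sysfs. On Windows the equivalent check is Microsoft's SpeculationControl PowerShell module, which the page's KB reference pairs with.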

More Reading

Secure Compliance Solutions LLC (SCS) provides a wide range of cybersecurity consulting and managed security services to small and medium-sized businesses (SMBs) and government agencies, fortifying their Information Security and Data Privacy programs. SCS works with its clients to tailor and implement industry-proven frameworks and standards to meet compliance goals and drive consistent security operations. We raise awareness of current security trends and risks to prepare personnel to recognize and defend against potential security issues. We implement technical solutions and controls to minimize data risks and liabilities. Our Managed Security Service provides “constant watch” against both internal and external cyber threats and attacks. At SCS, we promote a strategy of readiness and resilience that facilitates business risk mitigation and enables dynamic response capabilities to keep your business up and running.