Jan 04 2018

Everything You Need to Know About the Meltdown and Spectre Exploits

Design flaws in modern processors could allow malicious actors to access devices’ memory and sensitive information. Agency IT security leaders should take heed.

Security researchers have released details on two vulnerabilities that affect the microprocessors running in virtually all modern computing devices, and technology companies are scrambling to patch them.

The vulnerabilities, dubbed “Meltdown” and “Spectre,” appear to affect the processors of IntelAMD and ARM Holdings to varying degrees. The bugs potentially extend to nearly all devices that are powered by those chipsets, including laptops, desktop PCs, smartphones and servers that run cloud services. There are software patches being put in place to protect against Meltdown, but Spectre will prove more difficult to address since it will require redesigning processors.

The exploits, the result of long-standing design flaws in chipsets, could allow malicious actors to access or steal sensitive data from devices or servers. However, as The Wall Street Journal notes, to take advantage of the vulnerabilities, hackers must run software on the CPUs of the devices they are targeting.

The U.S. Computer Emergency Readiness Team, a cybersecurity response center inside the Department of Homeland Security, said late Wednesday that it was aware of the two vulnerabilities. It encouraged users and system administrators to contact their software vendors for ways to patch them. CERT said it is not aware of any “active exploitation” of the bugs.

Meanwhile, technology companies say they are working to patch the vulnerabilities via software updates. Researchers from Google’s Project Zero security research group say in a blog post that they discovered the vulnerabilities last year and reported them to Intel, AMD and ARM in June 2017.

As Google says in a separate blog post, a Project Zero researcher, Jann Horn, “demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible.” For example, Google says, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications.

Mike Chapple, associate teaching professor of IT, analytics and operations at the University of Notre Dame, says the major issue with both of the vulnerabilities is that they allow an attacker to access arbitrary memory locations. This means that if an attacker can manage to run code on a system, he or she can access any of the information being processed on that system.

“This is a particularly significant issue when different users share the same hardware, such as in a cloud computing environment,” Chapple adds. “However, the impact isn’t limited to the cloud. It exists even on desktop computers and mobile devices used by a single person. If an attacker tricks you into running their software, that software can read the sensitive information used by other applications, such as the passwords stored in your browser, and report them back to the attacker.”

SIGN UP: Get more news from the FedTech newsletter in your inbox every two weeks!

What Is the Meltdown Vulnerability?

The differences between the two vulnerabilities are important to distinguish. “What actually happens with these flaws is different and what you do about them is different,” Paul Kocher, a researcher who was a key member of a team of researchers at tech companies such as Google and Rambus, and in academia that discovered the flaws, tells The New York Times.

According to an explainer page published by the researchers, Meltdown “breaks the most fundamental isolation between user applications and the operating system.” This then “allows a program to access the memory, and thus also the secrets, of other programs and the operating system.”

“If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information,” the FAQ reads. “This applies both to personal computers as well as cloud infrastructure.”

Desktops, laptops and cloud computers may be affected by Meltdown, according to the researchers. “More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013),” the FAQ says. “We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.”

The Times notes that Meltdown is a particular problem for cloud servers run by Microsoft, Google, Amazon Web Services and others. The newspaper reports:

To take advantage of Meltdown, hackers could rent space on a cloud service, just like any other business customer. Once they were on the service, the flaw would allow them to grab information like passwords from other customers. That is a major threat to the way cloud-computing systems operate. Cloud services often share machines among many customers — and it is uncommon for, say, a single server to be dedicated to a single customer. Though security tools and protocols are intended to separate customers’ data, the recently discovered chip flaws would allow bad actors to circumvent these protections.

How Does the Spectre Vulnerability Differ from Meltdown?

As for Spectre, it “breaks the isolation between different applications,” the researchers say, which then “allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.”

The researchers say that “almost every system” is affected by Spectre, including desktops, laptops, cloud servers and smartphones. “More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable,” they say. “In particular, we have verified Spectre on Intel, AMD and ARM processors.”

What is the main difference between the two?

“Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory,” according to the researchers. “Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.”

Spectre is harder to exploit than Meltdown, but it is also harder to mitigate, the researchers say. However, it is possible to prevent specific known exploits based on Spectre through software patches, they add.

The Journal reports:

In the case of Spectre, the flaw is so deeply embedded in the way modern chips are designed that while some patches can stop known exploits, fully fixing it will require redesigning computer chips and then replacing those currently in use, according to a federally funded cybersecurity center at Carnegie Mellon University.

Daniel Gruss, from the Graz University of Technology, was one of the researchers who uncovered the bugs. He tells Forbes that Spectre can trick a hypervisor — the software that manages virtual machines in a cloud — into leaking data. Gruss says he believes a hack using Spectre can run in JavaScript. “This means that you would only have to navigate to an attacker-controlled website,” he says.

Meltdown is relatively easy to fix, according to Chapple, who notes that there are already patches available for Linux, Windows and Mac OS operating systems. However, Chapple says Spectre is going to be “a much more difficult challenge because it exploits core hardware functionality.”

“Truly fixing this problem will require the replacement of vulnerable hardware, which will be expensive and take a long time,” he says. “There are some patches available to protect software packages against this vulnerability, but those are only partial fixes. We’re going to be haunted by Spectre and future variants for many years to come.”

Tech Companies Respond to Meltdown and Spectre

Although the vulnerabilities were first noticed last year, they were kept out of public view, as is often with cybersecurity exploits, so that affected companies could work on fixes. However, news of the exploits started to leak on Tuesday when various news websites, including The Register, posted details on the Meltdown exploit. Researchers released papers on the exploits on Wednesday, earlier than they had expected, and tech companies then worked to respond, the Times reports.

Intel notes in a statement that other processors besides its own are affected, contrary to early reports on the bugs.

“Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industrywide approach to resolve this issue promptly and constructively,” the company says. “Intel has begun providing software and firmware updates to mitigate these exploits.”

Contrary to some reports, the company says, any performance impacts from the patches “are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

Intel says it had planned to disclose the vulnerabilities next week along with other vendors when more software and firmware updates will be available, but made an earlier statement to correct what it says were inaccurate media reports.

“Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available,” the company’s statement reads. “Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.”

On Jan. 4, Intel issued a new statement that says it has developed and is rapidly issuing updates for all types of Intel-based computer systems — including personal computers and servers — that render those systems “immune” from both exploits. “By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years,”  the company says.  “In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.” Intel says in a separate Jan. 4 statement that the patches tech companies are issuing to fix the bugs are not seriously impacting users’ impacting performance and that any hiccups in performance “will be mitigated over time.”

Further, the Times reports: “An Intel vice president, Donald Parker, is adamant that the company’s chips will not need to be replaced. He said that with software patches and ‘firmware updates’ — a way of updating code on the chip itself — Intel and other companies could ‘mitigate the issues.’” 

According to Axios, Microsoft has updated Windows 10 with a patch for the issue and also is making updates available for Windows 7 and Windows 8.

“We’re aware of this industrywide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers,” Microsoft said in a statement.

Microsoft adds that the company is “in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.”

Google has issued a statement noting that it has already taken measures to address the vulnerabilities. The company has “updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web. These efforts have included collaborative analysis and the development of novel mitigations.”

AMD issued a statement to Axios that says that “the threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD’s architecture, we believe there is a near-zero risk to AMD processors at this time.”

ARM says in a statement to Axios that it is “working together with Intel and AMD to address a side-channel analysis method which exploits speculative execution techniques used in certain high-end processors, including some of our Cortex-A processors.” It says its Cortex-M processors, “which are pervasive in low-power, connected [Internet of Things] devices, are not impacted.” ARM says it is encouraging its silicon chipset partners “to implement the software mitigations developed if their chips are impacted.”

Other tech companies are rushing out fixes for the exploits. The Times reports:

The worldwide community of coders that oversees the open-source Linux operating system, which runs about 30 percent of computer servers worldwide, has already posted a patch for that operating system. Apple had a partial fix for the problem and is expected to have an additional update.

Apple confirmed in an online support document on its website that all Mac systems and iOS devices are affected by the exploit, but it says “there are no known exploits impacting customers at this time.” 

“Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown,” the company says. “Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.” 

​This article was updated Jan. 5 to reflect new developments. 

Garvin Grullón

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.