Publicly disclosed yesterday by Google Project Zero, these chip-level security flaws potentially affect all major CPUs, including those from AMD, ARM, and Intel. They can be exploited by malicious software to read data currently being processed on the machine, regardless of the privileges that software runs with. That data includes secrets held in the memory of other programs, such as passwords and personal or otherwise sensitive information: if you are using a browser to send instant messages, or editing personal photos in an image editor, that content may be available for an adversary to steal. These critical bugs threaten almost all PCs, laptops, tablets, and smartphones, regardless of manufacturer or operating system. Any untested device should be considered vulnerable.
Independent researchers who reported these vulnerabilities before the public disclosure came up with two different attacks, dubbed “Meltdown” and “Spectre”. Meltdown (CVE-2017-5754) lets any user process read the entire kernel memory of the machine it executes on, including all physical memory mapped in the kernel region, by completely bypassing the hardware's memory isolation. Spectre (CVE-2017-5753, a bounds-check bypass, and CVE-2017-5715, branch target injection) tricks the processor into speculatively executing instruction sequences that would never execute during correct program execution; by carefully choosing those sequences, a threat actor can leak information from within the victim's address space through a cache side channel. In short: although both attacks rest on the same general principle (observing the cache footprint left behind by speculatively executed instructions), Meltdown gives a malicious program access to higher-privileged memory, while Spectre steals data from the memory of other applications running on the same machine. Whilst Meltdown reportedly affects only Intel-made x86 chips (ARM's own advisory lists a small number of its cores as affected too), Spectre affects chips made by ARM and AMD as well as Intel.
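As an added illustration of the Spectre variant 1 pattern described above (example code written for this page, not the researchers' proof of concept or any vendor's code): the first function shows the bounds-checked "gadget" the attack abuses, the second shows the branch-free index masking that the Linux kernel adopted as a software mitigation. The array contents and sizes are constructed for the demonstration; the attacker's half of a real attack (training the branch predictor, flushing the probe array, then timing which cache line became hot) is deliberately not included.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16u
#define PROBE_STRIDE 512u   /* one probe cache line per possible byte value */

/* Constructed test data: a small, bounds-checked public array. In a real
 * victim, whatever secret happens to sit in memory after it is what an
 * out-of-bounds speculative read would fetch. */
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};

/* The "probe" array: an attacker later measures which of its 256 lines
 * became cached, which reveals the byte that was used as the index. Here
 * it is filled so that line n holds the value n, which makes the functions'
 * architectural results easy to check. */
static uint8_t array2[256 * PROBE_STRIDE];

static void init_probe_array(void)
{
    static int initialised;
    if (initialised)
        return;
    for (size_t i = 0; i < sizeof array2; i++)
        array2[i] = (uint8_t)(i / PROBE_STRIDE);
    initialised = 1;
}

/* Vulnerable gadget (Spectre variant 1, CVE-2017-5753). The bounds check is
 * correct as far as the architecture is concerned, but while the branch is
 * still being predicted the CPU may already have loaded array1[x] for an
 * attacker-chosen x far past the end and used that byte to index array2.
 * The result is discarded on rollback, but the touched cache line stays. */
uint8_t victim_vulnerable(size_t x)
{
    init_probe_array();
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * PROBE_STRIDE];   /* secret-dependent load */
    return 0;
}

/* Branch-free mask: all ones when index < size, all zeros otherwise.
 * Same idea as the Linux kernel's array_index_mask_nospec(), written here
 * with unsigned arithmetic only. With no branch, the mask is computed
 * correctly even while executing down a mispredicted path. */
size_t array_index_mask_nospec(size_t index, size_t size)
{
    /* The top bit of m is set exactly when index >= size, because
     * size - 1 - index wraps around in that case. */
    size_t m = index | (size - 1 - index);
    return (m >> (sizeof(size_t) * CHAR_BIT - 1)) - 1;
}

/* Clamp an index so that even speculatively it cannot leave [0, size). */
size_t array_index_nospec(size_t index, size_t size)
{
#if defined(__GNUC__)
    /* Hide the index from the optimiser: inside an "if (x < size)" the
     * compiler can otherwise prove the mask is always all-ones and delete it,
     * which would silently remove the protection. */
    __asm__ __volatile__("" : "+r"(index));
#endif
    return index & array_index_mask_nospec(index, size);
}

/* Hardened gadget: identical architectural behaviour, but the index used for
 * the load is forced to 0 whenever it is out of bounds, so a mispredicted
 * branch can only ever read array1[0], never the memory beyond it. */
uint8_t victim_hardened(size_t x)
{
    init_probe_array();
    if (x < ARRAY1_SIZE) {
        x = array_index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * PROBE_STRIDE];
    }
    return 0;
}

int main(void)
{
    size_t probes[] = {0, 3, 15, 16, 4096, SIZE_MAX};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t x = probes[i];
        printf("x=%zu  vulnerable=%u  hardened=%u  masked index=%zu\n",
               x, victim_vulnerable(x), victim_hardened(x),
               array_index_nospec(x, ARRAY1_SIZE));
    }
    return 0;
}
```

Compile with your usual optimisation level and run: the two victim functions agree on every index, which is the point. The hardening changes nothing architecturally, only what the CPU is able to touch while speculating, and it is a fix applied to the victim's code, not something the attacker can be prevented from running. Compiler-level options that insert the same kind of masking or speculation barriers automatically exist, at a cost in performance.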
These attacks also threaten cloud instances and networks. Depending on the cloud provider's infrastructure, a tenant may be able to read data belonging to other customers sharing the same physical host. It is therefore important that mitigations are also applied to cloud systems outside the organisation's physical network, and that hypervisor-level patching by the provider is confirmed rather than assumed.
There are no public reports of Meltdown or Spectre being exploited in the wild so far. However, these vulnerabilities are so far-reaching, and the potential damage if properly exploited so severe, that they are certain to attract hackers and threat actors looking for a reliable attack method, especially since proof-of-concept code was published alongside the disclosure.
Mitigations and Future Impact
Patches that protect against Meltdown are already available. Microsoft has issued an out-of-band update for Windows 10, while other versions of Windows will be patched on the regular Patch Tuesday, January 9, 2018. Linux kernel developers have released patches implementing kernel page-table isolation (KPTI), which moves the kernel into an entirely separate address space so that kernel memory is simply not mapped while user code runs; comments in the source code were redacted to avoid revealing the issue before disclosure. KPTI adds a page-table switch on every system call and interrupt, so syscall-heavy workloads (databases, virtualisation hosts) should be benchmarked after patching. On a patched Linux host, the kernel log line "Kernel/User page tables isolation: enabled" in dmesg confirms that KPTI is active. Other operating systems, such as Apple's 64-bit macOS, also need to be updated. Apple has used x86/x64 processors since switching the Mac to Intel in 2006, which means every modern Mac is affected by Meltdown. Reportedly, the latest versions of macOS High Sierra already contain fixes for Meltdown, but Apple has yet to publish an official statement. The flaw is in the Intel x86-64 hardware itself: it has to be worked around in software at the OS level, or by physically replacing the processor with one that does not carry the design defect.
Spectre is not easy to patch and will remain unresolved for some time, since full mitigation requires changes to processor architecture. Partial software mitigations (compiler-inserted speculation barriers, index masking in sensitive code, CPU microcode updates, and Google's retpoline technique for CVE-2017-5715) reduce exposure but do not remove the root cause.
The published OS patches are the best solution available right now: patch, patch, patch, as quickly as you can. Until the processor vendors fully design and evaluate hardware mitigations, there are other ways to reduce the risk of attack.
Since Spectre can be exploited from a web page, using JavaScript running in the browser, we also recommend using browsers that mitigate these issues. Chrome's Site Isolation feature, for example, runs each site in its own renderer process, so a malicious page cannot read another site's data out of its own process memory. Browser vendors have also reduced the precision of timers such as performance.now() and disabled SharedArrayBuffer, both of which an attacker needs in order to measure cache timing from JavaScript.
Here's how to turn on Site Isolation in Chrome on Windows, Mac, Linux, Chrome OS or Android:
- Copy “chrome://flags/#enable-site-per-process” and paste it into the address bar at the top of your Chrome browser, then press Enter.
- Look for Strict site isolation and click the button labelled Enable.
- Once done, click Relaunch Now to restart Chrome.
Site Isolation can also be enforced fleet-wide through Chrome's SitePerProcess enterprise policy. Expect somewhat higher memory use, since every site gets its own process.
In the ever-changing world of security, the strongest defence against adversaries is staying agile and always following basic security recommendations, such as avoiding suspicious links from unknown sources. Total protection from all possible attacks is an elusive goal, but security awareness and appropriate precautions can definitely minimise the risk.
Responses to these critical issues from the processor vendors and OS manufacturers are available at the following links:
- Intel: Security Advisory / Newsroom
- Google Project Zero: Blog
- MITRE: CVE-2017-5715 / CVE-2017-5753 / CVE-2017-5754
- Red Hat: Vulnerability Response