Fresh into the New Year, microprocessor architecture flaws have been reported by researchers from Google's Project Zero team, the Graz University of Technology in Vienna, the University of Pennsylvania, the University of Adelaide in Australia, and various security companies.
Within the first few days of 2018, Microsoft, Linux, Google and Apple started rolling out patches addressing design flaws in processor chips that security researchers named Meltdown and Spectre.
Here’s what you need to know about these flaws and their impact.
What are Meltdown and Spectre?
Meltdown, designated as CVE-2017-5754, can enable hackers to gain privileged access to parts of a computer’s memory used by an application/program and the operating system (OS). Meltdown affects Intel processors.
Spectre, designated as CVE-2017-5753 and CVE-2017-5715, can allow attackers to steal information leaked in the kernel/cached files or data stored in the memory of running programs, such as credentials (passwords, login keys, etc.). Spectre reportedly affects processors from Intel, Advanced Micro Devices (AMD), and Advanced RISC Machine (ARM).
Modern processors are designed to perform “speculative execution.” This means they can “speculate” about the functions that are expected to run, and by queueing up this speculative work in advance, they can process data more efficiently and execute applications/software faster.
It’s an industry technique used to optimize the processor’s performance. But this technique also permits access to data that are normally isolated. An attacker, therefore, can send an exploit that would find a way to get into this data.
Because these vulnerabilities take advantage of a basic process used by all modern CPUs to help speed up requests, attackers can exploit the timing of various instructions so they can see the information – whether it’s proprietary corporate data or sensitive personal information.
What’s their impact?
Intel processors built since 1995 are reportedly affected by Meltdown, while Spectre affects devices running on Intel, AMD, and ARM processors. Meltdown is related to how privileges can be escalated, while Spectre entails access to sensitive data that may be stored on the application’s memory space.
The potential impact is far-reaching: Desktops, laptops, and smartphones running on vulnerable processors can be exposed to unauthorized access and information theft. Cloud computing, virtual environments, and multi-user servers - also used in data centers and enterprise environments - running these processors are also impacted.
It’s also worth noting that the patches that have been released for Windows and Linux OSs can reportedly slow system performance by 5% to 30%, depending on the workload.
Google’s Project Zero has proof-of-concept (PoC) exploits that work against certain software. Thankfully, Intel and Google reported that they have not yet seen attacks actively exploiting these vulnerabilities.
Are they fixed already?
Microsoft issued a security bulletin and advisory ahead of their monthly patch cycle to address these vulnerabilities in Windows 10. Updates/fixes for Windows 7 and 8 were deployed on the January Patch Tuesday on January 9. Microsoft also issued recommendations and best practices for clients and servers.
Google has published mitigations on the infrastructure/products that may be affected (YouTube, Google Ads, Chrome, etc.). They also released a Security Patch Level (SPL) for Android covering updates that can further limit attacks that may exploit Meltdown and Spectre. A separate security update for Android was also released on January 5. Note that patching on Android is fragmented, so users need to contact their OEMs about availability. Nexus and Pixel devices can automatically download the update.
Apple’s macOS has reportedly been patched in version 10.13.2, while 64-bit ARM kernels were also updated. VMware also issued its own advisory. Mozilla, whose team confirmed that browser-based attacks may be possible, addressed the vulnerabilities with Firefox 57.
Trend Micro says it's highly advisable for everyone to install the emergency patch as soon as it is made available from the respective vendors.
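One way to confirm on a Linux host that the fixes described above are actually active, as an added example that is not from the original article or any vendor. It assumes a kernel that reports per-issue status under /sys/devices/system/cpu/vulnerabilities (older kernels lack these files); the function names are illustrative.

```python
from pathlib import Path

# Assumption: the kernel exposes one status file per issue in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> CVE identifier as given in the article
CVE_BY_FILE = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}

def classify(status):
    """Map a kernel status line to a coarse state."""
    if status is None:
        return "unknown"  # file missing: kernel predates the reporting interface
    line = status.strip()
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation"):
        return "mitigated"
    if line.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # unrecognised text is never treated as safe

def read_status(directory=SYSFS_DIR):
    """Return {cve: (state, raw_line_or_None)} for the three issues."""
    report = {}
    for name, cve in CVE_BY_FILE.items():
        try:
            raw = (Path(directory) / name).read_text().strip()
        except OSError:
            raw = None
        report[cve] = (classify(raw), raw)
    return report

def needs_attention(report):
    """CVEs that are neither mitigated nor reported as not affecting this CPU."""
    safe = {"mitigated", "not_affected"}
    return sorted(cve for cve, (state, _) in report.items() if state not in safe)

if __name__ == "__main__":
    report = read_status()
    for cve, (state, raw) in sorted(report.items()):
        print(f"{cve}: {state} ({raw or 'no status file'})")
    if needs_attention(report):
        print("Review patch level for:", ", ".join(needs_attention(report)))
```

A missing file is reported as "unknown" rather than safe, so an unpatched kernel without the reporting interface still shows up for review.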