Meltdown & Spectre Bugs Explained
Security vulnerabilities continue to make headlines, but these two are huge. Here's what you need to know.
- What the heck is it?: Modern processors (Intel for Meltdown; Intel, AMD and ARM for Spectre) have a design flaw in speculative execution that lets an attacker's code read memory it should never see: the operating system kernel's memory, or memory belonging to other programs.
- What should you do? Don't panic. Microsoft, Apple and the Linux distributions have released updates; make sure you install the Windows, macOS and Linux updates (and your browser updates) to get them.
Chatter ensued after initial details leaked, but on Wednesday security researchers officially disclosed two critical vulnerabilities affecting Intel, AMD, and ARM processors (CPUs).
Nicknamed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), these bugs allow malicious programs to steal data from the memory (RAM) of other programs, putting a wide variety of sensitive information such as passwords, crypto-keys, and files at risk.
Meltdown (CVE-2017-5754) - (Source - Barkly)
- Can be exploited to: Read the contents of private kernel memory from an unprivileged user process.
- Processors affected: All out-of-order Intel processors released since 1995, with the exception of Itanium and pre-2013 Atoms. A list of vulnerable ARM processors and their mitigations is available here. AMD states that none of its processors are affected by Meltdown.
- Fixes: Patches have been released for Windows and Linux (on Linux via KAISER/KPTI, kernel page-table isolation, which unmaps most kernel memory from user-space page tables and carries a "non-negligible" performance cost, mostly on syscall-heavy workloads). Apple's macOS has been patched since version 10.13.2, and iOS since version 11.2. According to Intel, Meltdown can be mitigated by OS updates alone, with no firmware update necessary.
Note: on Windows Server the mitigations are disabled by default; admins must enable the kernel/user address-space split via the documented registry keys once the update is installed. Amazon has issued updates to its AWS Linux guest kernels and Microsoft is rolling out fixes to Azure as well. A good list of vendor advisories and updates is available here. To check whether a machine is actually protected, Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings) reports the status on Windows, and Linux kernels from 4.15 on expose it under /sys/devices/system/cpu/vulnerabilities/.
For more details on Meltdown, see the technical whitepaper.
Spectre (CVE-2017-5753, CVE-2017-5715) - (Source - Barkly)
- Can be exploited to: Extract information from other running processes, or from a process the attacker's code already runs inside (e.g. JavaScript on a web page stealing login cookies from the browser).
- Processors affected: Intel, ARM, and AMD processors are all reportedly affected to some degree. See this post for more specifics.
- Fixes: Experts have universally described Spectre as tougher to patch than Meltdown, though thankfully it is also harder to exploit in practice. According to the researchers, the most likely exploitation of Spectre is JavaScript (say, in a malicious ad) leaking information such as session keys cached in the browser. Mozilla, Google, and Microsoft have all issued browser updates (reducing the precision of high-resolution timers and disabling SharedArrayBuffer, both of which the attack uses to time cache accesses) that make that scenario much harder, though not impossible. Experts also recommend enabling Chrome's Site Isolation (chrome://flags/#enable-site-per-process), which puts each site in its own renderer process, as an extra precaution.
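To make the bug concrete, here is the shape of a Spectre variant 1 (bounds check bypass, CVE-2017-5753) gadget next to the two mitigations compilers and kernels actually ship. This is an added example written for this page, not code from the researchers' whitepaper or from any vendor; the `public_data`, `secret` and `probe` arrays are constructed sample data, and the masking helper follows the shape of the Linux kernel's `array_index_mask_nospec()`. The cache side channel itself needs careful timing and is not reproduced here; what the code shows is why the bounds check alone does not protect the read, and how masking and a speculation barrier close it.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data (not from the page): an array the caller may index,
 * followed by a placeholder "secret" only to illustrate what an out-of-bounds
 * speculative read would touch. Real layouts are not guaranteed contiguous. */
static const uint8_t public_data[16] = "0123456789abcde";
static const size_t  public_len = sizeof public_data;
static const char    secret[] = "hunter2";   /* constructed, never read legitimately */

/* Probe array used as the cache side channel: one 4096-byte stride per byte
 * value. After mis-speculation the touched line stays cached, and the attacker
 * times loads of probe[v * 4096] to recover v. It is zeroed here, so nothing
 * is leaked through the architectural return value, only through cache state. */
static uint8_t probe[256 * 4096];

/* VULNERABLE gadget. The check is architecturally correct, but once the branch
 * predictor has been trained with in-range x, an out-of-range x may run both
 * loads speculatively before the branch resolves: public_data[x] reads past
 * the array (e.g. into secret[]) and the dependent probe[] load caches it. */
uint8_t victim_vulnerable(size_t x)
{
    (void)secret;
    if (x < public_len)
        return probe[public_data[x] * 4096];
    return 0;
}

/* Mitigation 1: index masking, after the Linux kernel's array_index_mask_nospec().
 * Returns all-ones when index < size and 0 otherwise, using arithmetic only:
 * there is no branch to mispredict, so the mask holds on speculative paths too.
 * Relies on arithmetic right shift of a negative long (GCC/Clang behaviour,
 * the same assumption the kernel makes). */
static inline size_t array_index_mask_nospec(size_t index, size_t size)
{
    return (size_t)(~(long)(index | (size - 1 - index)) >> (sizeof(long) * CHAR_BIT - 1));
}

/* Clamp x to 0 whenever it is out of range, on every execution path. */
size_t masked_index(size_t x, size_t size)
{
    return x & array_index_mask_nospec(x, size);
}

uint8_t victim_masked(size_t x)
{
    if (x < public_len) {
        x = masked_index(x, public_len);   /* speculative out-of-range x becomes 0 */
        return probe[public_data[x] * 4096];
    }
    return 0;
}

/* Mitigation 2: a speculation barrier right after the check. On x86 LFENCE
 * waits for the branch to resolve before the loads may issue; the memory
 * clobber keeps the compiler from hoisting them above it. ARM uses CSDB/ISB. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("lfence" ::: "memory");
#else
    __asm__ volatile("" ::: "memory");   /* compiler barrier only on other ISAs */
#endif
}

uint8_t victim_fenced(size_t x)
{
    if (x < public_len) {
        speculation_barrier();
        return probe[public_data[x] * 4096];
    }
    return 0;
}
```

The masking form is the one to prefer in hot paths: it costs a few ALU instructions instead of serialising the pipeline, which is why the Linux kernel applies it to user-controlled array indices at syscall boundaries rather than sprinkling fences.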
Apple has issued Spectre mitigations in iOS 11.2.2, and the macOS High Sierra 10.13.2 supplemental update.
Processor makers themselves have said they will be issuing microcode updates to address Spectre. Intel has released new Linux processor microcode data files, which the OS loads at boot so the mitigations can be added without a BIOS update, though some issues have been reported with Broadwell and Haswell CPUs. A microcode update from AMD addressing CVE-2017-5715 is also available now, and the company says it will be introducing additional fixes starting with Ryzen and EPYC processors.
It's also worth noting that Google has announced a software mitigation for the branch-target-injection variant (CVE-2017-5715) it's calling Retpoline: the compiler replaces every indirect jump or call with a return-based trampoline, so that if the CPU mis-speculates the target it lands in a harmless spin loop instead of an attacker-chosen gadget. It is available as a compiler option (-mindirect-branch=thunk in GCC, -mretpoline in Clang) and needs no microcode.
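What a retpoline thunk actually does is easier to see than to describe. The following is an added example, not Google's or the Linux kernel's code: a user-space x86-64 thunk written in inline assembly (AT&T syntax, GCC/Clang, ELF targets), with `call_via_retpoline()` and `double_it()` as hypothetical names chosen here. It dispatches through `%rax` exactly the way a compiler-generated `__x86_indirect_thunk_rax` does; on non-x86 or non-ELF builds the same function falls back to a plain indirect call so the code still compiles, but that fallback is of course not a mitigation.

```c
#include <stdint.h>

/* Retpoline thunk for x86-64. The target address is passed in %rax.
 *   call 2f          pushes the address of label 1 and jumps to 2
 *   1: pause/lfence  speculation "trap": the CPU's return-stack predictor
 *      jmp 1b        predicts the RET will go back here, so any wrong
 *                    speculation spins harmlessly until it is squashed
 *   2: mov %rax,(%rsp) overwrite the pushed return address with the real target
 *      ret           the architectural RET jumps to it
 * The indirect branch is replaced by a RET, which uses the return-stack
 * buffer rather than the attacker-trainable indirect branch predictor. */
#if defined(__x86_64__) && defined(__ELF__)
#define RETPOLINE_REAL 1
__asm__(
    ".text\n"
    "retpoline_thunk_rax:\n"          /* file-local symbol, same TU as the caller */
    "    call 2f\n"
    "1:  pause\n"
    "    lfence\n"
    "    jmp 1b\n"
    "2:  mov %rax, (%rsp)\n"
    "    ret\n"
);
#else
#define RETPOLINE_REAL 0
#endif

/* Call fn(arg) through the thunk. The callee is reached via RET, not via an
 * indirect CALL, which is the whole point. Stack is dropped by 128 bytes first
 * so the CALL inside the asm cannot clobber the caller's red zone. */
long call_via_retpoline(long (*fn)(long), long arg)
{
    long ret;
#if RETPOLINE_REAL
    __asm__ volatile(
        "sub $128, %%rsp\n\t"
        "call retpoline_thunk_rax\n\t"
        "add $128, %%rsp"
        : "=a"(ret)
        : "a"(fn), "D"(arg)
        : "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11",
          "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
          "memory", "cc");
#else
    ret = fn(arg);   /* fallback: ordinary indirect call, NOT mitigated */
#endif
    return ret;
}

/* 1 if the build really dispatches through the thunk, 0 if it fell back. */
int retpoline_in_use(void)
{
    return RETPOLINE_REAL;
}

/* Hypothetical callee used to exercise the thunk. */
long double_it(long x)
{
    return 2 * x;
}

int main(void)
{
    /* Every indirect call in a retpoline-compiled binary goes through a thunk
     * like this one; here we do it by hand for a single call. */
    return call_via_retpoline(double_it, 21) == 42 ? 0 : 1;
}
```

Compiling a whole program with `-mindirect-branch=thunk` (GCC) or `-mretpoline` (Clang) does this rewrite for every indirect branch automatically; the cost is one extra RET plus a few bytes per call site, which is why it was acceptable for kernels where LFENCE on every indirect branch was not.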
For more details on Spectre, see the technical whitepaper.