Spectre and Meltdown: The Facts


Spectre & Meltdown By Aleksander Gorkowienko and Michael Shuff | 09 February 2018

 

What are they?

Two flaws, known by the names Spectre and Meltdown can be used to expose sensitive system data, potentially impacting everything from phones to our personal computers and big servers. They aren't unique to one particular chipmaker or device. These flaws affect a large number of processors released in the past two decades, including those manufactured by Intel, Advanced Micro Devices (AMD), and ARM — but it's still primarily an Intel problem.

Why are they a threat?

Spectre and Meltdown exploit major chip security flaws. Malicious code could be designed that way to steal information from the deepest, most protected part of a computer's operating system, known as the kernel. The flaws defeat the computer’s ability to isolate untrusted programs from accessing other processes on the computer or the deepest layers of the computer's operating system where it’s most sensitive secrets are kept. With this type of attack, any hacker who could run code on a target computer could break the isolation around a low-privilege program to access secrets buried in the computer's kernel such as private files, passwords, or cryptographic keys. What makes the story worse, the malicious code could be running even in a web browser! Supported Operating Systems (OSes) technology, such as Windows 10, macOS, Linux, as well as many other pieces of software, are also compromised.

How common is it?

The flaws, named Meltdown and Spectre, were discovered by security researchers at Google’s Project Zero in conjunction with academic and industry researchers from several countries. Combined they affect virtually every modern computer, including smartphones, tablets and PCs – [Ed: everything with a chip in it!] - from all vendors and running almost any operating system. Surprisingly, all of Intel microprocessors made from 1995 are affected it seems with few exceptions. [Source:  Meltdown and Spectre: ‘worst ever’ CPU bugs affect virtually all computers, The Guardian.]

Is there a financial impact?

None so far reported as a result of successful exploits. The real cost at the moment seems to be patching. Lots of vulnerabilities require large-scale patches, however, Meltdown and Spectre are unique in that they involve overhauls of both standard operating system software and much rarer updates to the firmware and microcode that coordinate and control hardware. These updates can potentially degrade overall system performance, particularly in older generation silicon. The patches for the security flaws can also result in higher-than-expected reboot rates in some types of processor, creating a further headache for the IT help desk.

Can you defend against it?

Yes. Intel and Arm say both exploits can be patched with software updates from them and operating system makers over the coming days and weeks. It is quite possible that your operating system has been automatically patched already. At the same time, it is possible that the arrival on the scene of Spectre and Meltdown could open a Pandora’s Box of future chip-level exploits; however, we don’t believe that it’s time to be carried away on a tide of speculation. We should wait for more evidence that these flaws and others like them represent a serious threat.

Can I check if I am in danger?

There is a certain probability that you are so it’s good to check. You can test it yourself as there are plenty of tools verifying those vulnerabilities. Check these sample links:

https://react-etc.net/entry/javascript-spectre-meltdown-vulnerability-check-for-browsers

https://www.ashampoo.com/en/usd/pin/1304/security-software/spectre-meltdown-cpu-checker

What should you do if it happens to you?

Patch your systems. There are scary stories that Intel's fix could slow the performance of some devices by 30 percent or more, but these are really rare cases. Most users, though, won't see much of an impact, perhaps as little as 2 percent [Source:  CNET], so patching is definitely recommended. If you think that you may have been the victim of a Spectre or Meltdown attack that has compromised your data, call in 7Safe’s Cyber Security Incident Response (CSIR) team. Last but not least: do not forget to backup your precious data before applying the patch!

Who can best deal with it?

7Safe’s experts can advise you on the most appropriate patching regime and at the same time carry out necessary forensic checks. Meltdown is easier to patch against than Spectre, due to Spectre-related attacks exploiting a fundamental design flaw in modern processors. Because of the difficulty in addressing Spectre, the patches generally mitigate the risk from attacks, rather than blocking them altogether. The nature of the Spectre variant 2 flaw means that fixes to guard against possible attacks can also slow down computers in certain circumstances. We can review your systems and tell you which of them are likely to be worst affected by applying the Spectre fix.

What 7Safe’s expert says:

First, let’s not panic. Spectre and Meltdown are two-decade-old vulnerabilities. For all we know they may have been used throughout that time by State actors to compromise network computers. The fact is, we will never know for sure. It is more sensible to patch where practical and move on. It is good to remember that the best remedy is prevention. In order to protect yourself, first of all, do not use any software coming from untrusted sources and refrain from navigating suspicious websites.”  [7Safe Cyber Expert] .

"Spectre and Meltdown exploit major chip security flaws. Malicious code could be designed that way to steal information from the deepest, most protected part of a computer's operating system, known as the kernel."

« BACK

« Back