Another batch of security vulnerabilities has swept the world – and this time, very little is certain.
Spectre and Meltdown were disclosed on Jan. 3. Both flaws are present in many modern CPUs and have the potential to leak sensitive data.
They are among the most widespread vulnerabilities in history, affecting billions of systems worldwide.
When a massive vulnerability is found, vendors normally issue a patch, administrators apply the patch, and the world moves on.
This is not the case with Spectre and Meltdown.
Simple questions – such as what systems are vulnerable and how can I fix this – have been met with vague and conflicting responses.
Even the patches issued to resolve the flaws have sparked greater confusion and controversy.
Below, we hope to give you answers.
What are Spectre and Meltdown?
Spectre and Meltdown are security vulnerabilities present in most modern computer processors.
Three main variants exist. They are associated with the following Common Vulnerabilities and Exposures (CVE) numbers:
- Spectre – Variant 1 – CVE-2017-5753 – Bounds check bypass
- Spectre – Variant 2 – CVE-2017-5715 – Branch target injection
- Meltdown – Variant 3 – CVE-2017-5754 – Rouge data cache load
In short, the flaws can allow an attacker to bypass data access controls and steal sensitive information – including data from the kernel or other applications on the system.
Important note: the following description is a broad simplification of the vulnerabilities. For an iron-clad, technical analysis, check the resources at the end of this post.
Both Spectre and Meltdown are flaws in the way CPUs process data.
Modern chips use many techniques to accelerate processing speeds. One is speculative execution. Another is out-of-order execution.
In both techniques, a processor can execute instructions before knowing if permission has been granted to do so. Some of the resulting data is then stored in the CPU’s cache.
If the processor later determines the instructions were not permitted, it will undo them and revert to a prior state. However, the CPU’s cache is not reverted.
A cache timing attack can reveal this data – data that is potentially sensitive and for which access has been denied.
For Meltdown, an exploit can allow an adversary to read arbitrary kernel-memory locations, including personal data and passwords.
For Spectre, an exploit can allow an adversary to read memory assigned to other processes and also the kernel.
What is under threat?
Spectre and Meltdown threaten the confidentiality of data – or “C” of the infosec C.I.A. triad. Neither flaw allows attackers to alter or prevent access to data.
However, attacks that exploit Spectre and Meltdown can easily reveal information that can be used to harm data’s integrity or availability. Once someone steals an administrator’s password, all bets are off.
In one scenario, the flaws can potentially allow attackers in a virtual machine hosted on a cloud server to retrieve data from other virtual machines on the server. Scary.
What is the risk?
The current risk level posed by Spectre and Meltdown is low – but that is expected change.
Researchers have demonstrated exploitation of the flaws in theory and in practice. Exploits have not been seen in the wild – yet.
Some attacks are said to require running code on a target system – others are allegedly capable of using malicious websites to attack visitors through their web browsers.
The flaws are present in billions of devices worldwide. It’s safe to assume that cyber criminals are working hard to develop exploits.
What systems are vulnerable?
The answer to this question has been obscured by conflicting reports.
Most modern CPUs are impacted by at least one variant of Spectre or Meltdown.
You should assume any system with a CPU – from your smartphone to your cloud server – is vulnerable unless you have explicitly verified otherwise.
Nearly every Intel microprocessor made since 1995 is affected by Spectre and Meltdown. Intel’s list is here, and there are a few exceptions (Intel Itanium and Intel Atom before 2013).
Most AMD processors are susceptible to Spectre. All are immune to Meltdown.
This is despite AMD’s initial misleading claim:
“AMD is not susceptible to all three variants. Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time.”
The company has since acknowledged this is not true. The company has not yet published a comprehensive list of vulnerable processors.
Most ARM processors are susceptible to Spectre, and a few are affected by Meltdown. ARM’s list is here.
All iPhones, iPads, and modern Mac devices are affected by Meltdown and/or Spectre, according to a statement from Apple. Apple Watches are not affected.
Operating Systems and Browsers
All operating systems and web browsers must be patched to protect against the flaws. Most major platforms have issued updates or steps to mitigate.
Check this list of security advisories from dozens of vendors to see if an update is available for your system.
How can I fix Spectre and Meltdown?
One option is to replace all vulnerable hardware with new systems that are immune to the flaws. However, this suggestion is laughably impractical. The scope of the problem is too massive.
The best answer is to apply patches as they become available – but carefully.
Patches Inflict Damage and Confusion
Patch problems have opened on multiple fronts.
Intel’s problems began when it rushed to begin firmware patches on Jan. 4, the day after the vulnerabilities were announced.
Reports surfaced of some systems becoming unstable and frequently rebooting after a patch was applied. Initial reports limited the problem to several older chips. Intel later confirmed newer chips are impacted also.
Patch problems also rose from Microsoft. Reports surfaced that Windows updates for certain AMD processors had bricked the devices, rendering them unable to boot.
Microsoft blamed the problem on an error in AMD’s documentation and pulled the patches (new patches are now available).
On another front, Microsoft also said some anti-virus products are not compatible with the new Windows patches. AV vendors have to update their software before users can install the patches – or any other Windows security updates in the future.
You Should Patch Anyway
Exploits of the flaws have yet to be observed in the wild, but they are coming – guaranteed.
Even with a broken and confusing patch process, you need to patch your operating systems, browsers, and chip firmware – with a few caveats.
Factors to consider:
- Patches may slow processing speeds – Since Spectre and Meltdown were born of overzealous chip acceleration, some of the fixes are likely to slow processing speeds.
Reports range from a slowdown of 5% to 30% with older systems seeing greater impact.
Some analysts suggest the slowdowns caused by initial patches may improve over time as the fixes are refined, particularly in cloud environments.
- Some patches are bad – As mentioned above, some patches broke and weakened systems. They cannot be trusted.
However, the alternative is to leave your system vulnerable. Even if you pursue alternate means of mitigation, ignoring patches is never a good idea.
- You must prioritize and test – Carefully test new patches on non-critical systems before deploying them more broadly.
Some systems – such as those used for banking and other sensitive tasks – are higher-value targets for attackers and should therefore be prioritized.
You must also balance this priority with the reports of patches drastically slowing and destabilizing systems. You do not want to turn a server into a brick in the name of saving it from Spectre.
What Comes Next?
The Meltdown vulnerability is easier to patch against than Spectre. The latter is likely to haunt us for years to come.
Spectre is best thought of as an entire class of vulnerabilities, rather than a single, specific flaw, according to some analysts.
The problem is widespread and difficult to address, with few good solutions available.
We will likely see new cyberattacks that exploit Spectre flaws very soon – and potentially for years to come – even as vendors continue to issue fixes against it.
Yesterday, Intel CEO Brian Krzanich claimed the company will release product changes “that will directly address the Spectre and Meltdown threats in hardware” later this year.
Given the chaos surrounding these flaws, don’t bet on it.
Meltdown and Spectre – via Graz University of Technology
Meltdown – Technical whitepaper
Spectre – Technical whitepaper
Reading privileged memory with a side-channel – Google Project Zero
Chip Manufacturers’ Statements: