It's only the first week of 2018, and we are already hearing about one of the biggest security flaws in history.
News has emerged about two flaws - Spectre and Meltdown - which affect nearly every computer on earth. The newly disclosed vulnerabilities are devastating because they affect the vast majority of Central Processing Units (CPUs). These include not only processors made by Intel - the largest CPU manufacturer on earth - but also those made by the majority of other CPU manufacturers.
The nature of the security flaw means that Android smartphones and tablets, iPads and iPhones, Apple Mac computers, Windows PCs - and even Linux machines - can be exploited using the flaws. The CPU flaws could be leveraged by cybercriminals to steal personal data such as logins, passwords, credit card details, and many other kinds of sensitive data.
The savage security flaws were discovered by researchers working at Google’s Project Zero. The vital analysis was undertaken in cooperation with academic and industry specialists from around the globe. A paper published this week by those researchers explains both security flaws in detail:
“Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.
“This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
“Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.”
The security flaws affect processors made by Intel, AMD, and ARM. This means they affect nearly every machine currently in circulation. What’s more, the nature of the flaws means that there is no way to tell if they are being, or have been, exploited. To make things worse, antivirus and malware detectors are not designed to pick up on these kinds of exploits. “Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications,” the blog post comments.
Apple has come forward to admit that Mac OS X desktop computers and laptops, iPhones, iPads, and even AppleTV devices are vulnerable. Patches for Meltdown have already been issued by the firm. Spectre, however, is tougher to mitigate and has not yet been adequately patched. Thankfully, it is believed that Spectre is a tougher target to exploit.
Apple claims that no exploits have been discovered attacking their devices in the wild. However, the nature of the vulnerabilities makes it hard to definitively confirm this. All we know at the moment is that the flaws exist and can be exploited unless they are patched. From the paper:
“Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.”
“Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.”
The nightmare doesn’t end there, either. Security patches being issued to protect machines from possible exploits are expected to slow machines down. It is unclear exactly what the performance reduction might be, but it is being reported that it could be anything up to a 30% downgrade from current speeds. Ryan Smith from Anandtech.com explains:
"Following up on the point about mitigating Meltdown, it’s not clear what the full performance impact of this will be. Individual operations and workloads could potentially be upwards of 30% slower, but it heavily depends on how often a task is context switching to the kernel. I expect the average real-world impact to be less, particularly for desktop users. However, server users and their unique-but-narrowly-focused workloads could be much more affected if they're particularly unlucky.
"Meanwhile, the performance impact of Spectre mitigations is even less understood, in part because efforts to mitigate Spectre are ongoing. Based on what the hardware vendors have published, the impact should be minimal. But besides the need for empirical testing, that could change if Spectre requires more dramatic mitigation efforts."
As these vulnerabilities affect just about every CPU sold in the last 10 years, the only solution appears to be either to accept a reduction in computing speeds or to switch out the old CPU for a new one. For most people - including firms that have hundreds if not thousands of machines - new CPUs are not going to be an immediate option. This makes it likely that just about everyone can expect some sort of performance hit.
According to Intel, any slowdowns will be “workload-dependent.” In layman's terms, this basically means that newer chipsets based on Skylake or newer architecture will likely not suffer from speed loss too much. Older CPUs, on the other hand, are likely to be hit harder by having to run the extra firmware.
How Does it Work?
The newly disclosed hardware flaws allow apps and programs to discover the contents of protected kernel memory areas. This means that hackers can fool applications into parting with secret information. The flaws can also be used to attack virtual machines, which when penetrated allow hackers to gain access to the physical memory of the host machine.
The critical flaws could also allow hackers to steal encryption keys, which also get stored in memory. This means that services intended to keep data secure, and secure messaging services, could become compromised. It also means that encryption keys held by password managers could become accessible while the program is open and the keys are stored in temporary RAM.
In fact, the list of possible vulnerabilities resulting from these flaws - if left unchecked - is almost endless. Pretty much any software running on machines with flawed CPU chipsets could be compromised. Only apps that don't save keys and passwords to the affected parts of memory are secure. It is for this reason that it is so important to patch the flaws quickly.
Although Intel, AMD, and Apple have been quick to claim that there are no exploits currently in circulation, it seems more than likely that hackers will quickly learn to take advantage. Dan Guido, chief executive of cybersecurity firm Trail of Bits, is convinced it won’t take long:
“Exploits for these bugs will be added to hackers’ standard toolkits.”
Chrome is just one example of software that can be attacked using these horrific flaws. A blog post by Chromium explains why Google will be releasing an update for Chrome on January 23. In the meantime, users can protect themselves using an experimental feature called Site Isolation:
“Chrome allows users to enable an optional feature called Site Isolation which mitigates exploitation of these vulnerabilities. With Site Isolation enabled, the data exposed to speculative side-channel attacks are reduced as Chrome renders content for each open website in a separate process. Read more about Site Isolation, including some known issues, and how to enable it via enterprise policies or via chrome://flags.”
Am I Affected?
The answer to this question is almost certainly a yes. Most devices are affected, so you will need to get the appropriate security patches as soon as they are made available. For this reason, it is likely that you will need to get updates from Intel, AMD or ARM, depending on what chips are in your devices. Individuals and businesses alike are advised to seek advice from their Operating System manufacturer. Customers of Windows Server VM should look at the advice released by Microsoft here.
What To Do
Depending on what devices you have, you will need to make sure you get all the most recent software updates. CPU manufacturers are in the process of releasing firmware updates, so, as mentioned, you must be sure to get those as soon as you can.
Android users must update their devices. The good news is that Android devices with the latest security update are protected. However, it is likely that further updates will be necessary: so keep an eye open for patches and accept them as soon as they are made available.
If you have installed the latest iOS version 11.2, then you should be protected. OS X has also had patches for Meltdown, and more for Spectre are expected soon. In addition, Apple announced yesterday that: “in the coming days we plan to release mitigations in Safari to help defend against Spectre”.
Mozilla has already released two near-term fixes for Firefox and is expected to release further patches later in January. Windows 10 users can expect automatic updates today (January 5), with Windows 7 and 8 expected to receive updates next Tuesday. It is not yet clear if Windows XP users will get a patch (as was the case during last year’s Mirai outbreak).
Finally, because the exploits are related to kernel-level access, antivirus and malware software developers may also need to update their libraries to work alongside the new patches. For this reason, you may also need to update your antivirus software.
Remember: this news has only just been announced, so the best thing to do is keep yourself informed as more details about your particular platform become available. If in doubt, approach your manufacturer or the point of sale for your particular devices.
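On Linux, a patched kernel reports its own mitigation state, which gives a quick way to confirm that an update actually took effect. The script below is an added example, not part of the original article: it assumes the kernel exposes the sysfs directory /sys/devices/system/cpu/vulnerabilities (present in Linux 4.15 and in patched stable kernels), the function names are illustrative, and the demo data at the end is constructed.

```shell
#!/bin/sh
# Report the kernel's view of Meltdown/Spectre mitigation status.
# This shows whether mitigations are active, not whether a machine was attacked.

# classify_status: map one kernel status line to OK / VULNERABLE / UNKNOWN.
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        "Mitigation:"*)  echo OK ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# check_cpu_vulns [DIR]: print one line per issue.
# Returns 0 if all are OK, 1 if any is vulnerable, 2 if status is unknown.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "UNKNOWN: $dir missing; kernel predates mitigation reporting"
        return 2
    fi
    for name in meltdown spectre_v1 spectre_v2; do
        status=""
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
        fi
        verdict=$(classify_status "$status")
        printf '%-11s %-10s %s\n' "$name" "$verdict" "${status:-<no report>}"
        if [ "$verdict" = VULNERABLE ]; then
            rc=1
        elif [ "$verdict" = UNKNOWN ] && [ "$rc" -eq 0 ]; then
            rc=2
        fi
    done
    return "$rc"
}

# Demo on constructed sample data (not output captured from a real machine).
demo=$(mktemp -d)
echo "Mitigation: PTI" > "$demo/meltdown"
echo "Vulnerable" > "$demo/spectre_v1"
check_cpu_vulns "$demo" || echo "exit status: $?"
rm -rf "$demo"
```

Calling `check_cpu_vulns` with no argument reads the live sysfs directory; a missing directory means the kernel is too old to report and should be treated as unpatched.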