Stewart Twynham cuts through some of the noise and hype to present an executive summary on the Meltdown and Spectre vulnerabilities.
It had the makings of a great movie and could have been the IT industry’s finest hour. Instead, The Register broke the news embargo a week early to highlight frustrations in the Linux community about an update that was slowing servers to a crawl.
The Register’s rebellious scoop forced everyone’s hand. Patches weren’t ready, cloud service providers hadn’t been informed, half the world’s anti-virus wasn’t compatible and Intel’s shareholders weren’t happy.
Early last year, several independent groups coincidentally discovered two serious flaws in modern processors - the brains inside billions of devices from computers and servers to smartphones and tablets. Since then, software and hardware giants have been working flat out in secret to find solutions.
There are two named vulnerabilities - Meltdown and Spectre. Spectre comes in two variants, which means three bugs overall. They work in different ways and one variant of Spectre may prove particularly hard to mitigate.
Meltdown is known to affect at least Intel, Apple and ARM devices, whilst Spectre affects Intel, AMD, Apple, ARM, IBM and Qualcomm devices. Most high performance processors produced since 1995 are affected in some way.
These are among the most serious vulnerabilities ever discovered, especially as so many devices are affected by virtue of their hardware. Attackers could potentially read data, passwords and encryption keys from just about any computer made in the past 20 years.
However, the sky is not falling. This is not a remote attack per se: an attacker first needs to be able to run malicious software on the device. The most immediate concerns are:
- Multi-tenanted cloud environments, where company A can read company B’s data using the Meltdown flaw.
- If you browse to a malicious website, session information can be stolen using Spectre, giving the attacker access to any websites you are currently logged into (e.g. online banking).
There is no simple fix
The flaws discovered are hard-wired into the chips and cannot be repaired. Manufacturers are working to stop exploits from being successfully run. In most cases this requires a combination of firmware updates for the processor, patches for the operating system, updates to applications such as browsers and anti-virus software - and sometimes a change in user behaviour.
Malware is already being detected in the wild. There are almost no indicators that tell users or security experts that one of these attacks is taking place, but variations of the proof-of-concept code published last week (the code that proved such attacks are possible) have already been spotted in the wild by AlienVault. We have also seen several people asking on forums for help to get this code working.
Patching is a nightmare
Early patches exist for:
- Apple iPhone 5s onwards, iPad and Apple TV, Microsoft Surface and Android devices
- Microsoft Windows 7 and Server 2008 onwards, various Linux distributions (CentOS, Red Hat, Fedora and Ubuntu) and Apple macOS High Sierra
- Amazon, Azure and Google clouds
IBM’s Unix-based operating system, AIX, will not be fully patched until mid February.
In the rush to get patches out the door there have been many issues. Microsoft had to disable some Windows updates that were found to be incompatible with anti-virus software (which needs a full update, not just new signatures) and that also crashed AMD-powered machines.
Both Red Hat and Microsoft have reported performance issues, with Red Hat suggesting computers could experience a 2-20% performance hit as a result of its security updates.
More disruption will follow
Because the underlying flaws are still there, and because these are early, untested patches, expect more updates in the future. In addition, the Google Project Zero blog lists nine avenues of future research which could lead to yet more vulnerabilities being discovered.
Older, unsupported devices won’t be patched
Windows XP, Windows Server 2003 and older smartphones and tablets that are no longer supported won’t be patched - unless there is a disruptive attack (like WannaCry) and manufacturers decide to act.
Businesses could be liable under GDPR
The Information Commissioner’s Office recognises that patching is not straightforward and down to individual businesses, but has also made it clear that if businesses are not patched, then they would expect “significant mitigations to be in place and well understood”.
Ten things you can do right now
1. Check with suppliers that you are fully patched - including firmware updates, the hypervisor and your own instances (which may be down to you).
2. If you run any untrusted software, e.g. code uploaded by clients, you must check whether any additional mitigations are needed.
General good advice
3. Avoid clicking on unsolicited links in e-mails in order to help keep away from malicious websites.
4. Only download or install software from trusted sources.
5. Always log out of websites as soon as you’ve finished rather than leaving them open in another tab. Better still, keep your work computer for work only - buy a cheap tablet or laptop for casual surfing or the kids.
6. Ensure you are backing up your data regularly, and perform a fresh backup before you start patching.
Patch your systems
7. Patch your systems as updates become available. Business users should test patches first or plan for downtime. Remember that most operating system patches also require fresh firmware, updated anti-virus and updated applications to be fully effective.
8. Users should heed any additional security recommendations made alongside patches e.g. turning on Site Isolation in Chrome.
Businesses with patching issues
9. Still running outdated/unsupported operating systems? Make upgrading your priority. Even if these machines don’t house important information, they can be easily exploited to open a path into your most critical systems.
10. Choosing to hold off patching? You need to put well-documented mitigations in place, review the status of patches and your mitigations regularly, and record these reviews.
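For points 1, 7 and 10, the patched Linux kernels (CentOS, Red Hat, Fedora and Ubuntu among them) expose their own view of the Meltdown and Spectre status as one file per issue under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not part of the article: it reads those three files and returns an exit status you can record in a review; the optional directory argument is only there so the function can be exercised against a constructed fixture directory.

```shell
#!/bin/sh
# Added example (not from the article): report the Linux kernel's own view of
# its Meltdown/Spectre mitigation status. Kernels carrying the fixes expose one
# status file per issue under /sys/devices/system/cpu/vulnerabilities; the
# directory argument exists only so the function can be tested against a
# constructed fixture.
#
# Exit status: 0 = every listed issue mitigated or not applicable,
#              1 = at least one issue reported as Vulnerable,
#              2 = status could not be determined (old kernel, file missing).
check_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    vuln=0
    unknown=0
    if [ ! -d "$dir" ]; then
        echo "UNKNOWN: $dir not present; kernel predates the mitigation patches?"
        return 2
    fi
    # The three issues the article names: Meltdown and the two Spectre variants.
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            echo "$name: UNKNOWN (no status file)"
            unknown=1
            continue
        fi
        line=$(cat "$f")
        case "$line" in
            "Not affected"*) echo "$name: OK ($line)" ;;
            Mitigation:*)    echo "$name: OK ($line)" ;;
            Vulnerable*)     echo "$name: VULNERABLE ($line)"; vuln=1 ;;
            *)               echo "$name: UNKNOWN ($line)"; unknown=1 ;;
        esac
    done
    [ "$vuln" -eq 0 ] || return 1
    [ "$unknown" -eq 0 ] || return 2
    return 0
}

# Stand-alone use: run against the live sysfs (or a directory given as $1).
if check_mitigations "$@"; then
    echo "RESULT: all listed issues mitigated"
else
    echo "RESULT: action needed, see lines above"
fi
```

Inside a virtual machine this reports only the guest kernel's view; the hypervisor and firmware (microcode) patch level still has to be confirmed with the provider, as point 1 says.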