The Spectre of Meltdown: What you need to know


Stewart Twynham cuts through some of the noise and hype to present an executive summary on the Meltdown and Spectre vulnerabilities.

It had the makings of a great movie and could have been the IT industry’s finest hour. Instead, The Register broke the news embargo a week early to highlight frustrations in the Linux community about an update that was slowing servers to a crawl.

The Register’s rebellious scoop forced everyone’s hand. Patches weren’t ready, cloud service providers hadn’t been informed, half the world’s anti-virus wasn’t compatible and Intel’s shareholders weren’t happy.

What happened

During 2017, several independent research groups, working separately, discovered two serious flaws in modern processors - the brains inside billions of devices from computers and servers to smartphones and tablets. Since then, software and hardware giants have been working flat out in secret to find solutions.

There are two named vulnerabilities - Meltdown and Spectre. Spectre comes in two variants, which means three bugs overall: Spectre variant 1 (bounds check bypass, CVE-2017-5753), Spectre variant 2 (branch target injection, CVE-2017-5715) and Meltdown (variant 3, rogue data cache load, CVE-2017-5754). They work in different ways, and Spectre variant 1 may prove particularly hard to mitigate because the fix has to be applied to each piece of vulnerable software rather than once in the operating system.

Meltdown is known to affect at least Intel, Apple and ARM devices, whilst Spectre affects Intel, AMD, Apple, ARM, IBM and Qualcomm devices. Most high performance processors produced since 1995 are affected in some way.

Serious flaws

These are among the most serious vulnerabilities ever discovered, especially as so many devices are affected by virtue of their hardware. Attackers could potentially read data held in memory, including passwords and encryption keys, from just about any computer made in the past 20 years.

However, the sky is not falling. This is not a remote attack per se: an attacker first has to get code running on the device, whether as installed software or as JavaScript served by a web page. The most immediate concerns are:

  • Multi-tenanted cloud environments, where one tenant's code could use the Meltdown flaw to read data belonging to another tenant on the same physical host.
  • Malicious websites, where JavaScript on the page could use Spectre to read the browser's memory, including session data for sites you are currently logged into (e.g. online banking).

There is no simple fix

The flaws discovered are hard-wired into the chips and cannot be repaired. Manufacturers are instead working to stop exploits from succeeding. In most cases this requires a combination of firmware (microcode) updates for the processor, patches for the operating system, updates to applications such as browsers and anti-virus software - and sometimes a change in user behaviour.
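As an added illustration (not code from this article, nor from any vendor's patch), here is the Spectre variant 1 pattern from the original research, written in C, beside the kind of software mitigation that operating-system and compiler patches apply: a branch-free index clamp modelled on the array_index_mask_nospec() helper the Linux kernel adopted. The cache-timing measurement that completes a real attack is not reproduced; the point is the code pattern that a patch has to replace, and why the replacement leaves no branch for the processor to mispredict. The array names and sizes are assumptions for the illustration, and the empty inline asm is GCC/Clang syntax.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16

/* Victim data (constructed for the illustration). In a real exploit the
 * attacker chooses x so that &array1[x] lands on a secret elsewhere in the
 * process; no secret is placed here. */
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * 512];   /* probe array: one cache line per byte value */

/* VULNERABLE: the Spectre variant 1 gadget (bounds check bypass).
 * Architecturally, x >= ARRAY1_SIZE never reads array1. Speculatively, once
 * the branch predictor has been trained to expect "in bounds", the CPU loads
 * array1[x] anyway, uses that byte to index array2 and pulls the matching
 * line into cache before the misprediction is squashed. Timing which line
 * of array2 is now fast recovers the byte. */
uint8_t victim_vulnerable(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 512];
    return 0;
}

/* Mitigation: a branch-free clamp modelled on the generic
 * array_index_mask_nospec() in the Linux kernel. Returns SIZE_MAX (all ones)
 * when idx < size and 0 otherwise, using only arithmetic, so there is no
 * second branch for the predictor to get wrong. */
size_t array_index_mask_nospec(size_t idx, size_t size)
{
    /* For idx < size the OR has its top bit clear; for idx >= size the
     * subtraction wraps and sets it. Shift that bit down and subtract 1. */
    size_t top = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return top - 1;
}

/* The index the hardened victim actually uses: x when in bounds, 0 when not,
 * even on the speculative path. The empty asm stops the compiler dropping
 * the mask because it can prove x < size inside the if (GCC/Clang syntax). */
size_t clamped_index(size_t x)
{
    __asm__ __volatile__("" : "+r"(x));
    return x & array_index_mask_nospec(x, ARRAY1_SIZE);
}

/* HARDENED: same function with the index clamped before the dependent load. */
uint8_t victim_hardened(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[clamped_index(x)] * 512];
    return 0;
}

int main(void)
{
    size_t probes[] = {0, 5, 15, 16, 1000, SIZE_MAX};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("x=%zu -> mask=%#zx clamped=%zu\n", probes[i],
               array_index_mask_nospec(probes[i], ARRAY1_SIZE),
               clamped_index(probes[i]));
    return 0;
}
```

The mask, not the if statement, is what protects the load: for any out-of-range x the speculative read is steered to array1[0], which holds nothing secret, so there is nothing for the cache side channel to reveal. That is also why variant 1 is hard to mitigate in general: every such gadget in every program has to be found and rewritten this way, or the compiler has to do it.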

Malware is already being detected in the wild. Indicators that would tell users or security teams these attacks are taking place are almost non-existent, but variations of the proof-of-concept code published last week, which demonstrated that the attacks are practical, have already been spotted in the wild by AlienVault. We have also seen several people asking on forums for help to get this code working.

Patching is a nightmare

Early patches exist for:

  • Apple iPhone 5s onwards, iPad and Apple TV, Microsoft Surface and Android devices
  • Microsoft Windows 7 and Server 2008 onwards, various Linux distributions (CentOS, Red Hat, Fedora and Ubuntu) and Apple macOS High Sierra.
  • Amazon, Azure and Google clouds

IBM’s Unix-based operating system, AIX, will not be fully patched until mid February.

In the rush to get patches out the door there have been many issues. Microsoft withheld its Windows updates from machines whose anti-virus software had not yet been updated to be compatible (a full product update, not just new signatures) and paused them for some AMD-powered machines after the updates left those machines unable to boot.

Both Red Hat and Microsoft have reported performance issues, with Red Hat suggesting computers could experience a 2-20% performance hit as a result of its security updates.

More disruption will follow

Because the underlying flaws are still there and because these are early, untested patches - expect more updates in the future. In addition, the Google Project Zero blog lists nine avenues of future research which could lead to yet more vulnerabilities being discovered.

Older, unsupported devices won’t be patched.

Windows XP, Windows Server 2003 and older smartphones and tablets that are no longer supported won’t be patched - unless there is a disruptive attack (like WannaCry) and manufacturers decide to act.

Businesses could be liable under GDPR

The Information Commissioner’s Office recognises that patching is not straightforward and down to individual businesses, but has also made it clear that if businesses are not patched, then they would expect “significant mitigations to be in place and well understood”.

Ten things you can do right now

Cloud users

1. Check with suppliers that you are fully patched - including firmware updates, the hypervisor and your own instances (which may be down to you).

2. If you run any untrusted software e.g. code uploaded by clients, you must check if any additional mitigations are needed.

General good advice

3. Avoid clicking on unsolicited links in e-mails in order to help keep away from malicious websites.

4. Only download or install software from trusted sources.

5. Always log out of websites as soon as you've finished rather than leaving them open in another tab. Better still, keep your work computer for work only - buy a cheap tablet or laptop for casual surfing or the kids.

6. Ensure you are backing up your data regularly, and perform a fresh backup before you start patching.

Patch your systems

7. Patch your systems as updates become available. Business users should test patches first or plan for downtime. Remember that most operating system patches also require fresh firmware and updated anti-virus and applications to be fully effective.

8. Users should heed any additional security recommendations made alongside patches e.g. turning on Site Isolation in Chrome.

Businesses with patching issues

9. Still running outdated/unsupported operating systems? Make upgrading your priority. Even if these machines don't house important information, they can be easily exploited to open a path into your most critical systems.

10. Choosing to hold off patching? You need to put well documented mitigations in place, review the status of patches and your mitigations regularly - and record these reviews.
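For items 7 and 10, a Linux host can report its own mitigation status, which gives a patching review something concrete to record. This added example (not part of the article) reads the per-vulnerability status files that kernels from 4.15 onwards, and distribution kernels with the fix backported, expose under /sys/devices/system/cpu/vulnerabilities/, and classifies each status line. It assumes that interface is present; on older kernels the files are missing and the example reports them as open. The directory is a parameter so the same code can be run against a copy of those files taken from another host.

```c
#include <stdio.h>
#include <string.h>

enum verdict { NOT_AFFECTED, MITIGATED, VULNERABLE, UNKNOWN };

static const char *const verdict_name[] = {
    "not affected", "mitigated", "VULNERABLE", "unknown"
};

/* Kernel status strings begin with one of three fixed prefixes:
 * "Not affected", "Mitigation: <details>" or "Vulnerable[: details]".
 * Anything else (including an empty line) is treated as unknown. */
enum verdict classify(const char *status)
{
    if (strncmp(status, "Not affected", 12) == 0) return NOT_AFFECTED;
    if (strncmp(status, "Mitigation:", 11) == 0)  return MITIGATED;
    if (strncmp(status, "Vulnerable", 10) == 0)   return VULNERABLE;
    return UNKNOWN;
}

/* Read one status file into buf (newline stripped). Returns 0 on success,
 * -1 if the file is missing or unreadable. */
int read_status(const char *dir, const char *name, char *buf, size_t len)
{
    char path[512];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(buf, (int)len, f)) { fclose(f); return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Report all three issues and return how many are still open, i.e. not
 * reported as "Not affected" or "Mitigation:". A missing file counts as
 * open: a kernel without this interface is one that predates the fixes. */
int check_host(const char *dir)
{
    static const char *const names[] = {"meltdown", "spectre_v1", "spectre_v2"};
    int open_count = 0;
    for (size_t i = 0; i < 3; i++) {
        char line[256];
        if (read_status(dir, names[i], line, sizeof line) != 0) {
            printf("%-10s  %-12s  (file missing: kernel predates this interface?)\n",
                   names[i], "unknown");
            open_count++;
            continue;
        }
        enum verdict v = classify(line);
        printf("%-10s  %-12s  %s\n", names[i], verdict_name[v], line);
        if (v != NOT_AFFECTED && v != MITIGATED) open_count++;
    }
    return open_count;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/sys/devices/system/cpu/vulnerabilities";
    int open_count = check_host(dir);
    printf("%d of 3 still open\n", open_count);
    return open_count ? 1 : 0;   /* non-zero exit when anything is still open */
}
```

Run it with no argument on the host itself, or pass a directory holding copies of the three files collected from a server you cannot log in to. Note that "Mitigation:" for spectre_v2 depends on the microcode the firmware update delivered as well as the kernel, so a host that reports it as Vulnerable after the kernel patch is usually one still waiting on item 7's firmware step.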

About Stewart Twynham

Stewart Twynham is an experienced information security expert and AccountingWEB contributor. He recently founded the independent cyber-security consultancy Brandfire (https://brnd.fr/) to help businesses in Scotland tackle these issues.

Replies

11th Jan 2018 10:56

Perhaps it's time to ditch and go back to the drawing board with something new.

Thanks (0)
By Ammie
11th Jan 2018 11:39

Wonder how MTD serving applications would cope with such news.
Just goes to prove the more complex life gets, the more dangerous a compromise becomes. I suppose it's down to the affected to deal with it! A nightmare in the making. Warning shots have already been heard at NHS, Talk Talk and Sky.
I am not old school and like progression but maybe, just maybe, we are over stretching ourselves just a tad.
Sometimes simple is best.
The IT boys are rubbing their hands with glee!! Remember the millennium bug that didn't happen? Many a buck was earned investigating a non event.

Thanks (0)
to Ammie
11th Jan 2018 11:57

What a lot of IT people are forgetting is that not everybody has "technical ability or knowhow" and many aren't even interested. We are becoming a world of "high techies" and "low techies". The compromise is no more.

Thanks (0)
11th Jan 2018 12:03

Will I need to upgrade my abacus?

Thanks (0)
to Paul.Chillman
13th Jan 2018 13:58

I recommend adding a Malteser to each row as an early warning meltdown indicator, otherwise you risk getting your fingers burnt!

Thanks (0)
By taxinfo
11th Jan 2018 13:17

Yes, Microsoft have issued/are issuing Windows patches to help with this BUT, if your antivirus program isn't "compatible" (by their definition), then you won't be able to download/install ANY more MS patches or updates.

Many/most major AV providers are up to speed but some are not.

If you want to find out if your AV program is compatible then you should open your registry editor ("regedit") and see if this key is installed.....

Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
Value: cadca5fe-87d3-4b96-b7fb-a231484277cc
Type:  REG_DWORD
Data:  0x00000000

If so then you should get all MS updates and patches for your system.

Thanks (0)
11th Jan 2018 23:02

Perhaps if computer people, on their £500k pa received via a ltd company and DR scheme, actually programmed the damn things so they perhaps maybe actually worked - everything would be fine.

Instead, "updates" just move icons around and change colour schemes.

If computer people had any responsibility for the number of chargeable hours that get wasted by their incompetence - they'd be bankrupt even before the 2019 DR rules come knocking.

All we get is "security issue" this, "update" that, you need to be aware of another one of our failings.

Collectively, you can't even build and code the machines you built and coded. Oh dear.

Still - it generates revenue lower down the IT chain. Along with planned obsolescence, I guess that's the plan.

Thanks (1)
12th Jan 2018 06:44

My computer crashed a couple of days ago whilst downloading Microsoft updates. It's fixed now but I had a very worrying 48 hours whilst it was being sorted out. My IT guy said that he was dealing with several other customers who had experienced the exact same problem. Our reliance on IT is making us all very vulnerable and the race to go digital should be halted now until such time as it can be made safer and more secure.

Thanks (0)
to anthonystorey
13th Jan 2018 17:38

anthonystorey wrote:

My computer crashed a couple of days ago whilst downloading Microsoft updates. It's fixed now but I had a very worrying 48 hours whilst it was being sorted out. My IT guy said that he was dealing with several other customers who had experienced the exact same problem. Our reliance on IT is making us all very vulnerable and the race to go digital should be halted now until such time as it can be made safer and more secure.

Windows 10 by any chance?

Thanks (0)
12th Jan 2018 14:16

Got as far as paragraph 4 ; then went into meltdown.

Thanks (0)