UPDATE:
Meltdown and Spectre are critical security flaws in Intel chips, but recently 18 or so similar problems have been found in AMD chips. As Intel produces 77% of the world’s computer processors and AMD the other 22%, this means basically that virtually all computers in the world, especially older ones, are now at risk.
Like Meltdown and Spectre, these reside in the most secure area of the computer where encryption keys and passwords are stored. It’s also the place where the computer checks to see if no malware is running, so any hack is likely to be undetectable. So even the fact that no exploits still have been found beyond those created as proof-of-concept tests is not that reassuring.
Most of these flaws require administrative access to be used, which means that the computer will already have to have been successfully infected by malware to be reached by a hacker, but the potential for damage due to the place of power these flaws operate from is great. The AMD processors affected are the Ryzen line, used in desktop and laptop devices, and also EPYC chips in servers. But whereas researchers were given 6 months to study the information about Meltdown and Spectre, with Google even convening a team of university researchers to release the details, the news about AMD came literally overnight.
In a highly unusual move, the discover of the new vulnerabilities, an Israeli computer security firm called CT-Labs, released the news less than 24 hours after the flaws were discovered. However, the company claims that releasing the information to the vendor and users on day zero – without any technical details of how they operate – was “a better way”.
These new flaws fall into 4 categories:
- MasterKey, which allows the computer to be compromised during booting up giving attackers total control over what programs run during startup
- Ryzenfall allows malware to take over the secure part of the processor in laptops and desktops, including passwords and encryption keys,
- Fallout breaks down the barriers between sealed-off memory sections in EPYC servers, thus enabling network credentials to be stolen
- Chimera affects desk- and laptops uses both a hardware and firmware flaw to install malware, including keyloggers to see everything the user is doing.
These exploits can’t destroy or alter data but they can steal it and open doors for malware for further attacks. While hardware flaws can’t be fixed but only replaced, firmware can. However, just like with Meltdown and Spectre, it may take months. CT-Labs has set up a website to explain the vulnerabilities and their response.
Current status of Meltdown and Spectre
Progress is slow, but some is being made against these Intel and Arm chip flaws, although Microsoft had to disable their patches for Spectre after finding they could cause further problems. A website devoted to Meltdown and Spectre has also been set up. Microsoft has also set up a webpage with the latest information on how to protect Windows machines. Google has set up its own page to answer questions about the flaw.
One thing to note is that when computers are patched, they will likely run slower – maybe by as much as 30%. This is because Spectre is based on the chip preparing data “speculatively” – that is, in case the user wants to do what the chip thinks he or she will do next.
In any case, SWCP will keep abreast of the developments and inform you right here of further news.
Original Post
The new year has brought with it two new words that all computer users will be hearing a lot. “Meltdown” and “Spectre” are the names given to two new security attacks that exploit features buried in the hearts of most computer hardware. Unlike most exploits, these do not threaten specific operating systems like Windows or MacOS, or applications like Outlook or Word or Firefox. Rather, these attacks threaten almost any software running on any operating system on any computer type (including phones and tablets). Windows, Linux, and Macs are all at risk, however.
Meltdown
The good news (if there is any) is that Meltdown, while easier for bad guys to utilize, is also easier to patch. It has to be fixed in the OS, not individual applications, so your next Windows or Linux update will contain the fixes. MacOS’s current version already contains the fixes.
The downside of the Meltdown fix is that it introduces a performance penalty for “certain workloads”. Without going into too much technical detail, the kind of computing that will be most impacted is that which does a lot of input/output of data. Gamers, spreadsheet cowboys, online shoppers, and power emailers will be largely unaffected. IT admins who run web-, email-, database-, and file-servers will have to consider the impacts of the fixes and whether to apply them in every case. In some situations additional computing resources will have to be added to handle the same workloads as before.
Currently, anti-virus software is throwing a wrinkle into this update on Windows servers. Most 3rd-party anti-virus software is incompatible with the Meltdown fix, so on Windows servers the fix will not be enabled if 3rd-party A/V is installed, until that A/V is updated and sets a specific registry key to show that it is ready.
Most of the large cloud providers are frantically updating the servers that customers’ virtual machines run on. Some customers will also need to update their own software which runs in those clouds as well, and some won’t. When in doubt, update. But, check with your cloud provider first because if you update before the patches are fully ready, you may need to update again later.
The Meltdown bug primarily only affects Intel chips and a couple of specific models of other companies’ chips. Notably, Intel’s only significant CPU competitor, AMD, is immune to this particular problem.
Spectre
The Spectre bug is is much harder to fix, and will require changes to all levels of software and hardware to completely eradicate. Thankfully, it is also more difficult to exploit the Spectre bug, so the urgency to fix it is not as intense. The need to fix is great, but the timeline will be weeks and months, rather than days.
The most vulnerable environment is the web browser. Proofs of concept exist for malicious code delivered by a web page that can use the Spectre techniques to pilfer private data from other parts of the web browser, such as saved passwords and credit card numbers. Spectre-related fixes will be rolling out for OSes and application software for months to come.
What should we do to protect ourselves from these new threats? The best advice is to apply the software updates available for your devices and application software as they become available. Especially check that your Chrome, Firefox, Edge, and Safari are up-to-date.
At SWCP, we are working with our software vendors to apply patches and upgrades to our systems as quickly as possible. We strive to make these updates with as little impact to customer services as we can manage. We look forward to many late-night reboots in our near future.
The Dangers of Monoculture
An interesting aspect to the Meltdown bug is that it primarily only affects Intel chips. The fix is “easy” to make, but incurs significant performance degradation for certain server workloads. This leads one to wonder about the dangers of monoculture.
In biology, monocultures are vulnerable to being completely wiped out by a single disease or event. Biodiversity makes an ecology much more resilient to these challenges.
It is estimated that Intel owns over 90% of the datacenter CPU market. This event, which affects essentially all Intel CPUs made in at least the past decade, should serve as a wake-up call. If a single “disease” such as this bug can impact humanity’s entire electronic infrastructure, imagine the fallout if another hardware bug is found which can’t be quickly fixed in software.
Also, there are computers that will never get updates to fix this bug, and they will remain vulnerable, humming away inside society’s infrastructure awaiting exploit.
Resources
The web site for your vendor is the best place to check for updates for your computer, phone, tablet, or software.
In the tech press, Ars Technica has accurate “big-picture” reporting about the various impacts of these bugs. The Register has also done great reporting on this issue. Wired also has a good general overview of the flaws and what is being done to fix them as well. The Google Project Zero disclosure has a technical explanation of the bugs. This post from ds9a.nl has a technical description that is meant to explain the problem to relatively technical people who are not steeped in security research or CPU architecture.
Bookmark this page, and check back often for the latest developments in this story.