Research

Quick rundown of the Meltdown and Spectre vulnerabilities


Yesterday, news broke about two new vulnerabilities, dubbed “Meltdown” and “Spectre”. The vulnerabilities are present in CPU chips produced by Intel, AMD, and ARM. To give you an understanding of the scope of the problem, almost every computing device you own – desktop computer, laptop computer, tablet computer, and even cell phone – relies on one of these chips. The “Meltdown” vulnerability is present only in Intel chips, while the “Spectre” vulnerability is present in all three chipsets.

The vulnerabilities are different in attack vectors, but the end result is nearly identical. “Meltdown” takes advantage of a privilege escalation flaw in the Intel chip, which allows access to sensitive memory locations. “Spectre” works by getting CPUs to run a set of instructions, which ultimately gives access to sensitive memory locations.

Folks, this is about as bad as things can get. When memory can be read, the end result is that anything residing in memory can be copied and used by an adversary. Think credentials for your most sensitive and valuable accounts – banking, financial, medical, password manager – all of that, and more, is vulnerable.

These vulnerabilities cannot be patched, as they reside inside the CPU itself – this is a design flaw. If you read the solution section of yesterday’s CERT update, you’ll see that the only way to remove the vulnerability is to replace your chip.

Operating system and software vendors will be releasing software patches to try and lessen the threat posed by these vulnerabilities. However, the threat cannot be removed completely without a basic, fundamental change to CPU architecture by chip manufacturers. These patches will most likely cause a performance slowdown for impacted systems, although there is some disagreement on the degree to which impacted systems will be slowed down by these patches.

I suggest the following steps for you to follow:

1 – immediately install any patches released by your operating system vendor (Windows, Apple MacOs and iphone IOS), Android, etc.)

2 – immediately install any patches released for any web browser you use (Chrome, Firefox, Safari, Microsoft’s Internet Explorer or Edge), or make recommended changes to your web browser’s configuration. For example, Google Chrome has released a recommendation to enable “Strict Site Isolation”. Other web browsers may offer similar recommendations as a temporary fix, until they can push an updated version of the web browser. This leads us to…

3 – immediately upgrade your web browser when a newer version is released

4 – immediately install any software patch released for any piece of software you have on your system

5 – install and use an ad blocker on your web browser. You have lots of choices here, such as AdBlock, AdBlock Plus, uBlock Origin.

Tip of the hat to Daniel Miessler (@DanielMiessler on Twitter) for his excellent writeup (found here) which helped make sense of a lot of this for me!

UPDATES1.5.2018 – Added recommendation to use an ad blocker with your web browser.
Modified recommendation #2 to include making changes to existing web browser configuration

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s