Computer News & Safety – Harry Waldron Rotating Header Image

January 4th, 2018:

Security – ISC shares PATCH NOW warning for Spectre and Meltdown vulnerabilities

The ISC recommends a “PATCH NOW” implementation of vendor security updates — related to new processor design vulnerabilities, where unencrypted data, passwords, or other sensitive information might be exposed. This is a more general design flaw in the way modern CPUs buffer & transfer information within the CPU. 

Hardware & cloud vendors are quickly responding with early fixes for the worst and most exploitable aspects of these 2 serious vulnerabilities to the most immediate design threats (with likely more detailed fixes in future).  Some performance impacts may occur with restricting CPU addressability and predictive processing.  Currently there are NO known “in-the-wild” exploits, but the vulnerabilities could be weaponized into exploits in future days ahead. Just as in a home, one should patch the roof before the storms arrive. 

https://isc.sans.edu/forums/diary/Spectre+and+Meltdown+What+You+Need+to+Know+Right+Now/23193/

By now, you’ve heard about the processor vulnerabilities affecting almost every processor in common use today; those vulnerabilities are called Meltdown and Spectre. The only common platform that seems unaffected as of the current moment are iPhone/iPads.  This bug is probably worth its name and logo considering the pervasive nature of the vulnerability. At its core, both involve kernel issues that can lead to leaking running memory outside the current process which can involve compromises of system confidentiality (think encryption keys, passwords, PII/NPI in memory, etc). Contrary to some initial reporting, this is NOT just an Intel bug, it affects AMD and ARM processors as well. These could even be used in cloud / virtualized environments to leak memory outside the running virtual machine.

It involves a flaw in “speculative execution” common in these processors where, in the right conditions, code can trick the processor in leaking data returned from other applications.

Below are advisories of most of the relevant companies. The patches should be considered preliminary to protect against the most obvious paths to this vulnerability, but future patches are likely planned to deal with the potential significant performance hits from these patches and for better mitigation coverage. Spectre, in particular, will require follow-on patching. Due to the nature of these patches, reboots will be required. So in the short term, patch and reboot everything.

The good news is patches are out for almost everything (Microsoft has moved up their monthly patching up a week to today, more on that in a different post). The bad news is, Spectre, in particular can’t be completely mitigated by patching as it seems it will require a hardware fix. The good news is that Spectre is harder to exploit.

So while the advice is “patch now“, the problem we will be grappling with is the performance hits (this will be brutal for cloud vendors especially if it’s on the scale of 30%) and the follow-on disruptive patching this will require in the coming months.