STATEMENT REGARDING “SPECTRE” AND “MELTDOWN” VULNERABILITIES

9th January 2018

On 3/1/2018 (last week) news broke in the media of two security vulnerabilities which will impact almost every computing device in active use today. Named “Spectre” and “Meltdown”, the vulnerabilities arise because of design flaws in CPUs from Intel, AMD, Qualcomm and ARM which have existed for decades – and they’re important because they allow access to information in memory that should be out of reach, whether that’s passwords, keys or other data.

The vulnerabilities themselves were discovered last Summer, but have been kept under wraps whilst the vendors concerned could find a solution for them. It was believed that no-one was actively exploiting them, but early last week sample code emerged on the Internet which increased the risk of non-disclosure to a level that couldn’t be justified and the issues became public knowledge.

As the root cause of both flaws is hardware design, it’s quite possible that the true solution for them will end up requiring new CPU hardware – but that’s a long, far-reaching change to achieve (think new computers/servers/devices), and a faster remedy is essential. In response key vendors such as Microsoft, Apple & Google have worked to provide software patches in order to mitigate the exploits on their platforms (where they can), and other software vendors (whether operating system or application/browser vendors) are coming forward with patches for their products.

The result is a patchwork of approaches which is only now emerging. And because the focus of those patches is to mitigate a low-level hardware problem, issues with performance (described as anything from ‘neglible’ to ‘30%’ overhead) and compatibility are also beginning to emerge.

Whilst the industry’s response to these vulnerabilities is robust, it’s not yet coherent – it’s going to be a difficult few weeks while these issues are ironed out.

In order to get you started, here’s some additional information along with guidance from the key players you’re likely already working with:-

The Exploits

Meltdown – (CVE-2017-5754 – rogue data cache load) – this is an exploit specific to Intel CPUs going back to 2011 (and possibly to 1995) which allows user applications to reach into kernel memory (or ‘protected’ memory, a design feature which is relied on for data security and system stability) and collect information to which those applications have no right.

It’s relatively straightforward to exploit and sample exploit code is (as of 4/1/18) available on the web. However it’s reported that the hacker must have local access to the machine in order to use the exploit

Spectre – (CVE-2017-5753 -bounds check bypass, CVE-2017-5715 – branch target injection) – these exploits are so-named because they rely on a CPU queuing feature titled ‘speculative execution’ which can be abused to grant arbitrary collection of data from virtual memory which should be out of reach (principally because they are intended to be beyond security boundaries and into other apps, the kernel or an underlying hypervisor).

Spectre can be exploited by visiting a website with which includes malicious code, however it’s a vulnerability that’s described as much harder to exploit (plus also much harder patch/resolve).

It applies to Intel, AMD, Qualcomm and ARM CPUs going back up to 20 years – effectively every computing device on the planet (including smartphones) is vulnerable.

Vendor Guidance

Meltdown:

Microsoft have provided patches for many (but not all) of their operating system platforms – but note that automatic updates won’t be installed unless you (or your antivirus product) create a ‘compatibility flag’ in the registry for each device
• Windows Client:
o Windows 10 released (4/1/18) for RTM, 1511, 1607, 1703, 1709, requires “compatible antivirus” and registry key change to enable automatic update
o Windows 8.1
o Windows 7 SP1
NOTE: Some indications that patching devices with AMD Athlon X2 CPU (end-of-life in 2008) is failing and rendering those devices unusable
• Windows Server:
o Windows Server 2016 released (1607, 1709 (core))
o Windows 2012 R2 – released
o Windows 2012 – not yet available
o Windows 2008 R2 – released
o Windows 2008 – not yet available
NOTE: A list of compatible antivirus is available in a community managed list here (Trend is compatible but requires a manual registry key for auto update)
Further information from Microsoft is available here

Apple released patches for their affected product ranges during December, so customers should be covered by keeping up to date
• Apple Devices: All devices except Apple Watch are vulnerable (specifically Mac and iOS)
o iOS: patched included in v11.2
o macOS: patch included in v10.13.2
o tvOS: patch included in v11.2
Apple suggest only downloading apps from trusted sources such as the App Store

Google have confirmed that they have released patches, access to them will depend on whether you have a Google-branded device (i.e. Nexus, Pixel) or one from a partner using Googles operating systems
• Android: Patches released 5/1/2018 for ARM, Google-supported Android devices should be set to accept monthly updates for January 2018 to benefit, partner-supported devices subject to partners own scheduling
• ChromeOS: Upgrade to v63 when available

Linux
• Redhat – patches available, described here, customers encouraged to upgrade to latest kernel
• SUSE – patches available, described here
• Ubuntu – patches available 9/1/2018, described here

App-Specific patching:
• Chrome – Google suggest enabling site isolation to improve security, patch due on 23/01/18 (v63)
• SQL Server – guidance provided here

Public Cloud:
• AWS: Patch rollout on EC2 was already in progress when news broke, believed to have completed on 4/1/18. Customers directed now to patch their EC2 instances.
• Azure: Patch rollout was already in progress, now accelerating. Customer VMs now being forced into automatic reboots wef 3/1/18. Microsoft say performance impact should not be ‘noticeable’ from patch, however it is present. Further information here
• Google Cloud Platform: patched, declared secure

Spectre:

As mentioned above, patching for Spectre is more difficult – this is borne out by the limited range of patches available. However, it’s also more difficult to ‘productively’ exploit Spectre, so you may accept that the resultant risk is lower.

• Windows Client: not yet available
• Window Server: not yet available
• Apple Devices: not yet available
• Android: not yet available
• ChromeOS: not yet available
• Redhat: not yet available
• VMware: patch information available

App-Specific patching:-
• Firefox – specific mitigations released to Beta/Dev channels – https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
• Safari – patch planned

And what about responses from the chip-vendors themselves?
• Intel
• AMD
• ARM

Update – 9/1/2018: Intel CEO Brian Krzanich made statements in his speech at CES 2018 overnight that patches for 90% of its products would be available ‘within a week’

Our Recommendations

Meltdown and Spectre are significant vulnerabilities and we highly recommend that you patch for them as soon as you’re able. However, the inter-dependencies across products warrant care and testing, so consider applying the patches in a test group (with all your apps) first and then moving forward as quickly as you can whilst containing any risks.

And if you need support, we’re ready to help.