Skip to main content

Resources

Spectre and Meltdown

Spectre and Meltdown

What is it?

On January 3rd, 2018, massive security flaws affecting nearly every computer were revealed. Known as Spectre and Meltdown, these exploits have alarming repercussions that could potentially affect and change an architecture that is deeply rooted in the lives of the technological world. Originally reported by Google’s Project Zero, Spectre and Meltdown fall outside the category of many other vulnerabilities seen recently. Most vulnerabilities affect application software; however, these vulnerabilities allow programs to steal data that is processed directly from the CPU, including passwords, encryption keys, emails, and any other data.


These exploits are categorized into three variants. The first two variants are Spectre, the more dangerous of the two flaws, and the third variant is Meltdown. Spectre – the worse of two flaws – can access kernel memory or data from different applications. Meltdown can bypass the protections in place that separates the application from the operating system, allowing a program to read from the protected kernel memory, exposing the information. It is important to note that Intel specifically stated that that the exploits cannot corrupt, modify, or delete data. Meltdown and Spectre are also rated as a CVSS score of low (<2) on the scale to 0 (lowest) to 10 (highest). 

Update: CVSS score continues to evolve, and it is currently 4.7 as of 1/7/2018. 


 



When Was it Discovered and Who is Affected?

Discovered months ago, the security researchers chose to notify the affected organizations instead of the public right away. This is common when new vulnerabilities are discovered to give them time to create patches before a potential attacker can utilize it.  In this case, the joint disclosure to the public was released by reporters before the planned notification date. 


Google has noted that it believes that both Spectre and Meltdown have not been used to exploit systems in the wild. Researchers have successfully executed Meltdown on Intel processors by taking advantage of a unique process that is integrated into all processors manufactured since 1995, but other organizations have created patches to protect themselves. Researchers have also noted that the exploit is very simple to perform, and it is critical to patch the systems. Performing sensitive actions on unpatched systems can increase the risk of the information being stolen.


Spectre, on the other hand, is much harder to exploit and will be much more difficult to patch. Spectre will likely have long-lasting effects for the foreseeable future (hence the name), potentially requiring a complete redesign of CPU hardware. Spectre exploit affects Intel, AMD, and ARM processors, increasing its influence on mobile and even Internet of Things (IOT) devices (essentially any device with a chip inside).



What Can You Do?

Patches for Meltdown have been created for Apple’s MacOS and Linux kernel, and Windows is pushing out patches as soon as possible. These patches will likely not affect performance on desktops or laptops used for normal activities. Patches being applied to some enterprise applications may cause performance issues, with virtualized environments being the most affected. A patch for Spectre is not believed to be imminent.

BleepingComputer has put together a listing of known Meltdown and Spectre Vulnerability Advisories, Patches, and Updates, which you can visit here: https://www.bleepingcomputer.com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/


Written by: Eric Chase
Information Security Consultant - SBS CyberSecurity, LLC


SBS Resources:

  • {Blog} Testing Software Patches is Critical: There are numerous, important components of a strong Patch Management Program; including identifying the right patches, establishing a formal schedule, deploying, and making sure your patching is effective. However, one often-overlooked, yet critical component is Patch Testing. Read more

 

Related Certifications

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
Certified Banking Vulnerability Assessor   


Sources


Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Thursday, January 4, 2018
Categories: Blog, In the News