Talk about kicking off 2018 with a bang! In the first week of the new year, several researchers reported a newly-found vulnerability in processors designed by Intel, ARM and others: one that theoretically allows hackers to read even the most secure information on any device.
Unlike the vast majority of software-based vulnerabilities reported on a regular basis, the two new finds – code-named “Meltdown” and “Spectre” – run on the level of the processors’ architecture, where instructions and information flow unencrypted between the chips’ logic units and transistors.
How do Meltdown and Spectre Work?
The kernel – the part of the operating system that coordinates data between the cache, CPU and others – serves as a go-between for your applications and your device’s physical components. In an attempt to accelerate processing speed, chips perform an optimization technique called speculative execution, whereby tasks are performed that may or may not be needed, and the unneeded tasks are discarded after the fact.
Both Meltdown and Spectre take advantage of this operation: the former by spying on data transmitted by the kernel; the latter by forcing programs to perform extra operations that trickle out confidential data little by little.
These two flaws are nearly omnipresent in today’s laptops, servers, and mobile devices; Meltdown affects every Intel processor from 1995 onwards (except Itanium and Atom pre-2013); Spectre affects almost every system, specifically verified on Intel, ARM and AMD processors.
How can hackers use them to their advantage?
It’s entirely possible (although still theoretical) that bad actors can write an application designed to run even in the most restrictive mode, reading data that not even the kernel should be permitted to access – passwords, crypto keys and anything that moves between the kernel and the device’s component parts.
For multi-user networks, it gets even worse: either flaw may give hackers permission to listen in on processes running on their common server or multiple users on a virtual machine. A hacker might rent a virtual machine, for instance, and tap all that server memory to gain access to other customers’ sensitive data.
What fixes are available?
Multiple fixes are coming in from all corners. Unfortunately, most of the patches involve cutting off the kernel from vulnerable processes, adversely affecting operating speed. A recent benchmarking exercise by Red Hat Software suggests performance hits of anywhere between one and 20 percent.
Consumer use cases – from word processing to Internet browsing to YouTube watching – are expected to experience only minimal slowdowns. Intel asserts that “any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.” Cybersecurity vulnerability manager Kevin Beaumont also tweeted that “Microsoft are seeing no CPU impact to Azure instances since patching.”
The fixes vary wildly across different hardware, operating system and browser platforms. Intel – arguably the entity most affected by the news – has begun deploying patches to fix the flaws’ gaping holes, expecting to have 90 percent of affected chips patched within a week of the announcement.
Reddit user “mryiff” has put together a list of links to responses and suggested fixes, including guidance for Windows clients and servers, different antivirus products, and browsers.
Ars Technica has a concise summary outlining what Apple, Microsoft, Intel and others are doing to go toe-to-toe with Meltdown and Spectre.
And Forbes has its own comprehensive list of Spectre and Meltdown fixes.
Kevin Beaumont has also produced a spreadsheet that tracks the compatibility of Microsoft’s patches with different antivirus devices, as “some third-party applications have been making unsupported calls into Windows kernel memory that cause stop errors (also known as bluescreen errors) to occur.”
How worried should we be?
As scary as the flaws sound to the everyday device user, many security researchers suggest that the new Spectre and Meltdown-specific software updates will be sufficient for the vast majority of affected users.
In Kevin Beaumont’s view, “the CVSS score [issued by US-CERT] is ~2, which classifies it as Low risk usually – i.e. replacing everything seems extreme (Microsoft and Amazon aren’t!).”
Read about our MFP security capabilities and other Konica Minolta security announcements that may prove helpful to you.