Meltdown and Spectre.
Hauntingly ominous names. Sorry for the puns.
Security experts are throwing around descriptions like ”catastrophic”, “absolutely massive problem”, and “devastating vulnerabilities”.
Lets break it down in very simple terms.
What is Meltdown and Spectre?
Its primarily a hardware issue with security implications.
Essentially the flaws are inside the CPU, the hardware chip that processes most commands in a computer or computational device (these chips run all sorts of devices including phones and tablets). The issue is with what is called speculative execution, which in plain language is where the CPU tries to predict the next commands it will receive and gets ready to or even executes them just in case. Due to the way the CPU gains access to the information needed to do this it has insecure access to passwords, caches and permissions and can leak this information even if the commands do not even run.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Browsers exploits are considered the most likely method by which attackers will gain access to this information maliciously and seek to use it. Consequently browsers are all being targeted for patches and updates by their developers.
How is it fixed?
That unfortunately is a multi billion dollar question. Meltdown and Spectre have far reaching implications for the internet and computing in general, hence the reason this is probably the biggest security flaw – maybe even bigger than Y2K.
There are several answers. First Chip Manufacturers (Intel and AMD) have been working with OS developers, Microsoft, Apple, Android and Linux to develop software patches to the operating system that stop the operating system exposing the security risk the hardware flaw contains. Second new chips being developed will not have this flaw (presumably). Third browser developers are al releasing or have released updates and patches for their browsers to prevent access to the flaws by malicious scripts.
What do I need to do?
Every phone, laptop and computer owner, as well as web server owners needs to ensure:
- That they have checked their device against the specific chip list, the OS for the device and run the specific patches for their device. For EVERY device you own or control, or has access to your personal or your company data on it. E.g. an employees phone or laptop they use to access your corporate email.
- That staff are aware of the danger of using unpatched devices and patch everything they own.
- That your Antivirus solution has a correct approach that works to the flaw and patches. Some OS patches wont be delivered at all and will be blocked by AV (this may change – was accurate at point of writing) and may need a registry key manually added to the device first.
We can help
We are able to provide a in place audit of all your systems and devices, laptops, phones, servers, NAS backup units, cloud and other virtual devices, and then update and patch all affected systems and devices, or if no patch is available quarantine / remove the device from all access to corporate data.
Further Reading about Meltdown and Spectre
Educate yourself on this. There is a ton of useful information out there, including:
- Meltdown/Spectre week three: World still knee-deep in something nasty
- KEEPING SPECTRE SECRET – How an industry-breaking bug stayed secret for seven months — and then leaked out
- Intel Is Trying To Fix The Biggest Problem With Its Spectre And Meltdown Patch
- Wikipedia – Spectre (security vulnerability)
- Wikipedia – Meltdown (security vulnerability)
- Microsoft: No more Windows patches at all if your AV clashes with our Meltdown fix