The "Meltdown" and "Spectre" Vulnerabilities

Why they are called the worst security flaws in history, and what you should do about them

The Situation

We haven't had significant stories of technological apocalypse since 2014, when we covered the Goto Fail and Heartbleed bugs that lit up mainstream news websites and created a bit of a panic.

A "microprocessor" may also be referred to as a processor, or CPU. It is a piece of hardware inside computers, servers, and network devices that interprets and executes software instructions, such as the Microsoft Windows operating system and your web browser in your computer, or network packet routing logic in a network router.

Just as we returned to work after New Year's 2018, we learned of another pair of "bugs", which are apparently much worse. See, Goto Fail and Heartbleed were errors in software programming in many web servers, some network devices, and Apple products that were easily fixed with software updates. Meltdown and Spectre, however, are vulnerabilities related to how computer hardware operates. Meltdown affects many, but not all devices, and can be fixed with an operating system workaround that prevents its exploit. Researchers have reported that the Spectre bug, however, cannot be fully mitigated with software alone, and it affects pretty much every last commercial and consumer electronic device in use today: servers, desktops, laptops, tablets, mobile phones, network devices, your Internet-connected A/V equipment, and anything else with a microprocessor that connects to the Internet.

So what can someone do with these vulnerabilities? In short, both of them make it so that security-related information stored in your computer, even in the deepest, protected areas, can be accessed by software running on your computer that is not supposed to be able to get it. This could mean full access to your e-mail and passwords, which could then be transferred to criminals through the Internet.

Sidebar: Meltdown and Spectre Explained (Skip)

Going back to the Intel 80286 released in 1982, microprocessors for desktop computers and mobile devices have enforced protection of program code and data from being accessed in random-access memory (RAM) by other programs running on the same computer. Here's how it works. When the computer starts up, it loads the operating system first (such as Microsoft Windows, Apple macOS, or Linux for desktop computers, or Android or iOS for mobile devices). The operating system instructs the microprocessor to set aside memory for the operating system to use. When you open an application program (such as your web browser), the operating system assigns the memory for it to use, and tells the microprocessor. The microprocessor itself keeps track of what program code (operating system or user applications) can access what areas of RAM. So the browser is allowed to use its memory, but if it tries to access the memory of the operating system, or even another application, the microprocessor will not allow it.

When a program attempts to access off-limits memory, most of the time it's because of an error or bug in the program. In Microsoft Windows, no doubt you've seen the message "This program has performed an illegal operation and will be shut down". When that happens, the "illegal operation" was an attempt by a user application to access memory owned by another application or the operating system. Likewise, when your Microsoft Windows computer completely crashes with the infamous "blue screen", this means one component of the operating system tried to access an area of the operating system it's not allowed to (there are different rings of protection even within the operating system).

Memory protection mechanisms are complicated by the fact that the operating system must perform transfers of data between programs and the operating system. For example, when you type something in to a web form in your browser to send to a web server, this information needs to be processed by your network adapter driver software, which is a component of the operating system. Bugs or flaws in how the operating system handles this process are commonly exploited by malicious software to infiltrate the operating system, including being able to modify the operating system software and take over your computer. These flaws, until now, were all fixable with software patches.

Meltdown official logo

Meltdown official logo

Meltdown allows a regular user application, in its isolated memory area, to make a specific sequence of carefully-timed program instructions that trick the processor into allowing it to see the memory of the operating system. This could reveal keys used for encryption and identification of your computer, and passwords you recently used to log in to websites or shared folders, that are supposed to be protected by the operating system. The Meltdown flaw is present in most Intel microprocessors (inside servers, desktop and laptop computers, some tablets, and some network devices), as well as a small number of mobile devices using ARM chips. The exploit is considered easy to execute. The fix to this will involve updates to the operating system of affected devices, which will redesign the way the operating system manages its memory tables, thereby mitigating this vulnerability.

Spectre official logo

Spectre official logo

Spectre is a method by which a regular user application can achieve the same thing as Meltdown does, but to view the memory of other user applications, and possibly also the operating system. So a malicious program exploiting this can see what you're typing in your web browser. What makes Spectre worse is that it is present on every microprocessor made by Intel, AMD, and ARM, which covers virtually every server and device in the world. In addition, updating the operating system cannot mitigate the vulnerability completely. Microprocessors may need to be modified, which may negatively impact performance, and software may need to be rewritten and/or recompiled at the same time. Compared to Meltdown, though, an exploit of Spectre is trickier to pull off, due to a whole host of highly technical considerations at play.

Why This was Big News

These vulnerabilities are so significant that they each have their own official logo, even though the capability for programs to access protected data in computers has existed due to other vulnerabilities or bugs in the past. What makes these ones particularly notorious, newsworthy, and worrisome are these factors:

  1. The flaw is in functionality etched into your microprocessor hardware, which would imply that it can't be fixed with a software update.
  2. Virtually every computer and device in the world is affected, meaning the entire IT industry, from software publishers, hardware manufacturers, and cloud services providers, must urgently respond.

Impact Assessment

First, a bit of good news: these flaws can't plausibly be activated on your computer or mobile device remotely by some hacker over the Internet. They can only be exploited by software actually running on your device, which is how most vulnerabilities we've dealt with in the past have worked. So, if you haven't changed anything on your computer, it's not now suddenly prone to start sending your passwords out to criminals.

If your computer does get compromised by software that intends to exploit Meltdown or Spectre, an attacker would need particular knowledge of you and what he's looking for to get anything worthwhile. And if you're prone to run unwanted or high-risk software on your computer, you're more likely to catch some malware that encrypts all your files and demands a ransom payment to restore them, because that's a much more efficiently profitable attack for a criminal to carry out. So, while these flaws introduce a novel technological threat vector, nothing has changed as far how you use (or should use) your computer.

However, it has been shown that JavaScript, which are program instructions executed within your browser to enable automated functionality on websites you visit, can exploit Spectre to access information that your browser has recently used, including passwords. This means merely visiting the wrong website, or even a reputable website that pushes ads from third-party ad farms that are not trustworthy, can enable a script to steal passwords you've recently entered into another website. This is definitely a problem that needs to be addressed, just like any kind of vulnerability that might allow this, such as a software flaw in the browser. As described below, patches for browsers have been released to prevent this.

Devices that do not access websites or download software are safe. So, even if the tiny computer that controls your refrigerator has the flaw, no malicious software is going to execute on it, so there is no need to replace it.

These flaws are hugely significant for servers running in the cloud, and here's why calling this apocalyptic wasn't so far-fetched. See, a vast amount of Internet services we use every day are hosted on virtual machines running on physical servers shared by many different companies (that is, "the cloud"). As you may remember, the Heartbleed bug of 2014 made it so a criminal could steal secret encoded information from a particular publicly-accessible virtual machine that was running the buggy software, such as a website or mail server. Other virtual machines running on the same physical server, though, are unaffected by the compromise of one through Heartbleed. But with Meltdown and Spectre, someone could conceivably sign up for an account in Microsoft Azure, Google Cloud, or Amazon Web Services, spin up a virtual machine, run exploitative software, and instantly access the most sensitive data on all the other virtual machines running on the same physical server, including back-end virtual database servers that don't connect to the Internet. If your virtual machine running in a cloud services provider's system is targeted, there is nothing you can do about it.

Note that neither of these vulnerabilities by themselves enable anyone to modify the exposed data in place, or alter the function of the compromised virtual machines. However, someone could use information found from examining protected memory of a server to then log in to the server as an administrator, and thereby do anything he wants with it.

Encrypted data is only at risk if the encryption keys are prone to exposure. So if you encrypted some sensitive data before pushing it to a virtual machine in the cloud, and that virtual machine doesn't have the encryption keys, then the data is not going to be exposed merely by a criminal gaining access to the server.

There are no reported instances of anyone successfully exploiting these flaws in an actual hostile infiltration. The flaws were reportedly discovered by three separate ethical research agencies, who exist specifically to find flaws like this and tell the companies that need to fix them. The public announcement was scheduled for January 9, 2018, but ended up being found out about a week earlier when people noticed operating system patches for Linux being pushed out. Since Linux is open-source, the changes, and the reasons for the changes, were not able to be kept in secrecy.

Industry Mitigation

In news reports, you'll usually see mention of what Microsoft, Apple, Intel, and maybe Google are doing about this. These are the biggest players in the IT world. Microsoft and Apple are responsible for the operating system software that runs Windows-based and Apple devices, respectively. Intel is the leading microprocessor manufacturer for computers and tablets. Google and Amazon Web Services (AWS), along with Microsoft and Apple, run millions of servers that are all vulnerable, hosting cloud services used by at least two billion people worldwide.

Meltdown, as mentioned, can be fixed with a software patch. Microsoft announced, on the day of disclosure, that they had already updated most of their servers to mitigate Meltdown in their cloud service, Azure. Google and Amazon did by the next day as well. The software patch, however, has been reported to slow down server performance, depending on the tasks the server performs.

But for Spectre, the fix is much more complicated. Physically replacing the microprocessors on all the servers in the cloud isn't feasible. It may be possible for the microprocessors to be reprogrammed through a microcode update (changing the programmable part of the microprocessor itself), but this could also be very time-consuming and enormously expensive. And, fixing the problem at the microprocessor level may slow down performance, require all operating system and application software to be rewritten or recompiled, or both. Whatever they plan to do, cloud services providers and microprocessor manufacturers have a tremendous amount of work ahead of them for 2018. Not only that, any manufacturer of network equipment, data storage devices, or mobile phones will have to address this. So far, the response hasn't been encouraging—operating system patches, firmware updates to computers to change how the processor operates, and planned design changes for processors to be manufactured in the future, all have failed to fully address the problem, or can be expected to degrade performance.

What You Should Do

If you're a client of J.D. Fox Micro under an IT System and Cloud Management Contract, you don't need to do anything, as you should have security best practices already in place that will address this.

For your computers and servers, and other user devices, this means, at a minimum:

  1. A system that automatically or routinely installs software patches for all your IT equipment, which will ensure operating system and browser patches are installed;
  2. Anti-malware software, particularly endpoint protection, kept up-to-date, which will increase the chance that malware attempting to exploit Spectre can be blocked from executing in the event proper patches are not in place;
  3. Techological measures and user education programs in place to prevent users from running unapproved software;
  4. A robust data backup system, particularly one that pulls data off of your production/Internet-connected network, so that you don't suffer devastation in the event the first three items in this list fail to prevent a compromise of your system resulting in data loss.

If all this is in place, you're off to a good start. But if you need help implementing the above in your business, contact J.D. Fox Micro.

The operating system vendors have all released or announced patches to redesign the memory tables and/or disrupt the timing required to exploit these flaws. In addition, patches have been released or announced for browsers, also to throw off the timing required for a malicious JavaScript applet to exploit Spectre.

For older devices, you may not be able to get operating system patches, so you need to consider how to continue using these devices, if at all.

If you are a cloud services customer, then you don't need to do anything if all you use are Software-as-a-Service applications, such as Google G Suite, Microsoft Office 365, NetSuite, QuickBooks Online, or QuickBase.

But, if you have private virtual machines hosted in Microsoft Azure, Google Cloud, Amazon Web Services, or vCloud Air, or even with a smaller provider like WestHost or Bluehost, then you should look out for advisories from your cloud services provider for anything you might need to do, in addition to installing patches within your virtual machines. For example, you might want to find out when your host server has been patched, in case you need to restart your virtual machines following the update, as Microsoft has asked its Azure customers to do.

Of course, if you run your own private cloud, then you need to patch your host servers, as well as your virtual machines, if anyone (even within your company) has access to create and run virtual machines, or even run software within virtual machines.

Again, for help with this, please contact J.D. Fox Micro.

Epilogue

What's so terrifying about this for any individual is that if someone is able to steal information from your computer with these exploits, you are unlikely to know as you would if you fall for a phishing scam or get hit by ransomware. And if this includes passwords, and someone is able to log in to sensitive accounts of yours, the results could be terrible. The possibility of this situation is why it has always been considered a good practice only to deal with sites that use secure methods for authentication beyond just passwords, such as multi-factor authentication, so that if someone does steal your password, they won't be able to get right in too easily.

If you're responsible for a company with any significant information assets (meaning, pretty much any business), these kinds of calamitous security incidents, the manner in which they can lead to the total compromise of your IT systems, and the potential for more of these in the future, indicate why it's so important to have a robust Information Security Program.