Quick Facts about Meltdown and Spectre

Meltdown and Spectre have you scratching your head? In-house HardOCP security expert Joe Wood has walked us through some very ugly facts about these two new attacks, which were fully disclosed this week.

Proof-of-concept source code for the Spectre and Meltdown attacks has surfaced on GitHub today. Perusing the code shows that what may be the most egregious architecture bungle in the history of computing can be triggered with about 122 lines of code, according to in-house HardOCP security expert Joe Wood. Get ready folks. Things are about to get weird in 2018.


Quick Facts on Spectre & Meltdown

1: This is not just an Intel architecture problem. Spectre makes this a general CPU architecture problem: it affects nearly every modern processor that relies on speculative execution, across Intel, AMD and ARM designs. Prioritizing performance over security will no longer work. However, AMD is being vocal that the chances of its CPUs being heavily impacted by this are very low.


Conversely, Intel has issued a warning that just about every server chip it has made in the last 10 years is open to these attacks.


Intel says it will have updates issued by the end of the week for 90 percent of the processor products it has built in the last five years.

2: These flaws let an unprivileged program read memory it was never supposed to see, on nearly any device that uses an affected CPU: desktops, laptops, servers, mobile phones. With Meltdown that means kernel memory, and through it most of physical memory; with Spectre it means data belonging to other processes, other browser tabs, or the kernel. Whatever is sitting in memory is exposed, and that is EVERYTHING.

3: Spectre affects nearly ALL modern PROCESSORS. It exploits a fundamental design feature of contemporary CPU architecture, speculative execution, rather than a bug in one vendor's implementation. There is no complete fix for current hardware: mitigations have to be applied piecemeal in software (kernels, compilers, browsers) and microcode, and they are partial.

4: Meltdown affects INTEL processors (plus a small number of ARM cores). It is easier to pull off than Spectre, but it has a mitigating patch: kernel page-table isolation (KAISER/KPTI), which unmaps the kernel from user-space page tables so there is nothing for the speculative read to hit. Unfortunately, that patch is expected to hurt performance significantly in certain workloads, particularly ones that make many system calls or take many interrupts.

5: The Meltdown patch does nothing for Spectre, even though the two are of largely the same criticality.

6: To reinforce the severity of the issue these attacks present, imagine a threat actor renting a virtual machine on an AWS cloud server and dumping or reading the memory of everything else on that physical host. Think about how many companies' workloads share a single cloud server. The amount of sensitive data present is staggering: passwords, logins, personal info, intellectual property, files, SSL keys, databases... The list goes on.

7: Many vendors don't understand the issue, with several stating that Microsoft has already fixed this in an upcoming patch. Again: Meltdown can be patched. Spectre cannot be fixed with a single patch. Both accomplish the same end result. Spectre is harder to exploit, but in the hands of the right threat actor it is entirely doable, and once Spectre is streamlined and automated for ease of use, all bets are off.
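To make "122 lines of code" concrete, here is the gadget shape that Spectre variant 1 (bounds-check bypass) abuses, next to the branchless index masking that kernels and compilers use to harden it. This is an added example, not the article's or Joe Wood's code and not the GitHub proof of concept the article refers to; the memory layout, the secret string and all function names are constructed for illustration, and the mask follows the construction of the Linux kernel's generic array_index_mask_nospec().

```c
/* Spectre variant 1 (bounds-check bypass): the vulnerable gadget and the
 * branchless index masking that hardens it.  Added example for this
 * article; not HardOCP's code and not the GitHub PoC it refers to.  The
 * arrays, the secret string and the function names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Victim memory: a public array followed by a secret in the same address
 * space.  One struct, so the out-of-bounds offset is a defined quantity. */
struct victim_memory {
    uint8_t array1[16];   /* the array the caller is allowed to index */
    char    secret[32];   /* constructed secret the attacker wants */
};

static struct victim_memory mem = {
    {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16},
    "constructed secret",
};
static const size_t array1_size = sizeof mem.array1;   /* 16 */

/* 256 cache lines, one per byte value: which line gets pulled into the
 * cache encodes the byte that was speculatively read. */
static uint8_t array2[256 * 512];

/* Byte view of the victim memory; uint8_t access is defined anywhere
 * inside the struct, which is exactly what the gadget relies on. */
static const uint8_t *array1 = (const uint8_t *)&mem;

/* Index an attacker passes so that array1[x] aliases secret[k].
 * Plain pointer arithmetic, no speculation involved. */
size_t attacker_index_for(size_t k)
{
    return offsetof(struct victim_memory, secret) + k;
}

/* VULNERABLE gadget.  Architecturally correct: an out-of-bounds x returns
 * 0 and never touches array1[x].  Microarchitecturally the branch
 * predictor, trained by earlier in-bounds calls, may guess "taken" and run
 * both loads before the compare retires.  array2[array1[x] * 512] then
 * leaves a cache footprint keyed on the secret byte, which a Flush+Reload
 * probe over array2 recovers.  The leak is in the cache, not the result. */
uint8_t victim_vulnerable(size_t x)
{
    if (x < array1_size)
        return array2[array1[x] * 512];
    return 0;
}

/* Branchless mask: all ones when index < size, all zeros otherwise, so
 * there is no branch for the predictor to get wrong.  Same construction
 * as the Linux kernel's generic array_index_mask_nospec().  Assumes an
 * arithmetic right shift of a negative intptr_t (gcc/clang behaviour). */
size_t index_mask_nospec(size_t index, size_t size)
{
    return (size_t)(~(intptr_t)(index | (size - 1 - index))
                    >> (sizeof(intptr_t) * 8 - 1));
}

/* HARDENED gadget.  Even on a mispredicted path an out-of-bounds x is
 * masked to 0, so the only memory a speculative load can touch is array1. */
uint8_t victim_hardened(size_t x)
{
    if (x < array1_size) {
        x &= index_mask_nospec(x, array1_size);
        return array2[array1[x] * 512];
    }
    return 0;
}

/* Which array1 offset each gadget reaches on the speculative path,
 * exposed so the difference can be checked without timing a real CPU. */
size_t speculative_offset_vulnerable(size_t x) { return x; }
size_t speculative_offset_hardened(size_t x)
{
    return x & index_mask_nospec(x, array1_size);
}

/* The byte at that offset: what an unmasked speculative load exposes. */
uint8_t byte_at(size_t offset)
{
    return offset < sizeof mem ? array1[offset] : 0;
}

int main(void)
{
    size_t x = attacker_index_for(0);   /* aliases secret[0] */
    printf("attacker x = %zu, array1_size = %zu, both gadgets return %u\n",
           x, array1_size, victim_vulnerable(x) | victim_hardened(x));
    printf("vulnerable: speculative offset %zu -> '%c'\n",
           speculative_offset_vulnerable(x),
           byte_at(speculative_offset_vulnerable(x)));
    printf("hardened:   speculative offset %zu -> %u\n",
           speculative_offset_hardened(x),
           byte_at(speculative_offset_hardened(x)));
    return 0;
}
```

Both functions return 0 for the attacker's x; the difference is only visible microarchitecturally, which is why the mitigation has to be applied at every such gadget rather than once in a patch. The other common fix is a speculation barrier (lfence on x86) right after the bounds check, at a higher cost per call.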

The Bottom Line

We wish we could really say right now, but considering that most of the world's servers run on Intel CPUs, the simple suggestion to "replace your CPU hardware" is a bit daunting, except perhaps for AMD and possibly Qualcomm with its new Centriq processors. As for which anti-virus products are compatible with the Windows patch, you can follow this well-laid-out spreadsheet from @GossiTheDog.

What to do with the information we have today:

Average Desktop User (Intel): At this point your best and only option is to apply Microsoft's KAISER (kernel page-table isolation) patch as soon as it becomes available. Since the attack has also been reported to be deliverable through the web browser, in JavaScript, it may be plausible to block JavaScript execution in the browser as well; browser vendors are also shipping their own mitigations, such as coarser timers.

Average Desktop User (AMD): Hold tight. AMD is adamant that these exploits do not affect its architecture. If anything changes, we are actively tracking it and will alert you.

The Gamer (Intel): Performance-impact benchmarks have not been done yet, so we really have no idea how much of a hit your favorite games will take. You could risk it and keep Windows from updating, but we would not recommend that right now.

The Admin: This is going to boil down to company policy. You will have to weigh the unknown against the known. Are the patches compatible with your AV suites? Will they cause an adverse business impact when deployed? Will performance impacts cause issues, and what specifically could they affect? If it were us, we would start with critical systems. Protecting sensitive data is the priority.