There is a new threat in town! Meltdown and Spectre exploit critical vulnerabilities in computer processors. They allow attackers to potentially access sensitive data held in the chip's memory that would otherwise be off limits. In this article we explain what these vulnerabilities are, together with the guidance from the industry press about how to patch and fix this security issue.
While programs are typically not permitted to read data from other programs, a malicious program can exploit these vulnerabilities to get hold of data stored in the memory of other running programs.
The Intel-specific vulnerability has been dubbed Meltdown, whilst the underlying chip vulnerability is known as Spectre. Spectre is arguably scarier, as it's rooted in fundamental processor design flaws that affect not only Intel but also ARM, AMD and other chip makers. The scope of the problem is wide-reaching: desktops, laptops and cloud computers can all be affected, and Meltdown potentially affects every computer using an Intel processor since 1995.
Impact: The vulnerabilities, if unaddressed, could provide malicious applications with a direct passage into your machine’s kernel memory data. This is the protected part of your computer used to store sensitive material, like login credentials – usernames and passwords – and credit card information, in an unencrypted format.
What is the Risk?
On standard desktop operating systems this attack requires code to be run locally on the system and cannot be exploited remotely without user input (social engineering). On shared platforms (cloud providers) this can be exploited by running virtual machines on the shared platform, which could reveal secrets from other organisations' machines. Customers using the Gladstone hosted solution will have all the recommended patches applied.
Will Gladstone products need to be patched? No. There is no change required to Gladstone products as this vulnerability is resolved through the hardware and operating system patches.
Mitigation: Systems need patching to mitigate against this issue. All affected software and hardware vendors are releasing patches to fix the issue. There are patches against Meltdown and Spectre for Linux, Windows, and OS X. Patches for Windows 10, Windows 7 and 8 became available in January 2018. This issue may affect other devices built on Intel chips, such as firewalls, load balancers and DDoS appliances, so patches will need to be applied to those devices as well. There’s no word on when the patch will arrive for processors manufactured by AMD and ARM. According to industry press, Google is also working on securing Chrome.
Mitigation comes at a price: the press is speculating that there’s a chance the patch could cause system performance to suffer, with a degradation of 2-14%. The extent of this is dependent on the hardware and software in use as well as the type of process running.
Compromised performance or not, we’d recommend installing all recommended updates, as Meltdown and Spectre sound like they mean business. Work with your IT department to understand the implications for your business hardware and systems.
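Once the updates are installed, it is worth confirming that they have taken effect. The script below is an added example, not part of the original article or of any Gladstone product; it assumes a Linux kernel that reports status under /sys/devices/system/cpu/vulnerabilities, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status on Linux.
# Patched kernels that include the reporting interface expose one
# status file per issue in this directory.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status <text>: map the kernel's status string to a short verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "VULNERABLE" ;;
        *)               echo "unknown" ;;
    esac
}

# check_cpu_vulns [dir]: print "<issue> <verdict>", one issue per line.
# Returns 0 only if every issue is mitigated or not affected.
check_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            verdict=$(classify_status "$(cat "$dir/$issue")")
        else
            # No status file: the kernel does not report on this issue,
            # so its patch state is unverified rather than known-good.
            verdict="no-report"
        fi
        echo "$issue $verdict"
        case "$verdict" in
            mitigated|not-affected) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}
```

Source the file and run check_cpu_vulns with no arguments; a non-zero exit status means at least one issue is unmitigated or unreported and the machine needs a kernel update.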
- Trusted Reviews - http://www.trustedreviews.com/news/intel-chip-problem-cpu-flaw-meltdown-spectre-vulnerability-patch-3365861
- Reuters - https://www.reuters.com/article/us-cyber-microchips/businesses-cautious-in-installing-patches-to-fix-chip-flaw-idUSKBN1EU12H
- The Register - https://www.theregister.co.uk/2018/01/10/intel_allows_that_meltdown_and_spectre_may_slow_servers_down/
- Microsoft - https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown