STATEMENT REGARDING "SPECTRE" AND "MELTDOWN" VULNERABILITIES
On 3/1/2018 (last week) news broke in the media of two security vulnerabilities which will impact almost every computing device in active use today. Named “Spectre” and “Meltdown”, the vulnerabilities arise because of design flaws in CPUs from Intel, AMD, Qualcomm and ARM which have existed for decades – and they’re important because they allow access to information in memory that should be out of reach, whether that’s passwords, keys or other data.
The vulnerabilities themselves were discovered last Summer, but have been kept under wraps whilst the vendors concerned could find a solution for them. It was believed that no-one was actively exploiting them, but early last week sample code emerged on the Internet which increased the risk of non-disclosure to a level that couldn’t be justified and the issues became public knowledge.
As the root cause of both flaws is hardware design, it’s quite possible that the true solution for them will end up requiring new CPU hardware – but that’s a long, far-reaching change to achieve (think new computers/servers/devices), and a faster remedy is essential. In response key vendors such as Microsoft, Apple & Google have worked to provide software patches in order to mitigate the exploits on their platforms (where they can), and other software vendors (whether operating system or application/browser vendors) are coming forward with patches for their products.
The result is a patchwork of approaches which is only now emerging. And because the focus of those patches is to mitigate a low-level hardware problem, issues with performance (described as anything from ‘neglible’ to ‘30%’ overhead) and compatibility are also beginning to emerge.
Whilst the industry’s response to these vulnerabilities is robust, it’s not yet coherent – it’s going to be a difficult few weeks while these issues are ironed out.
In order to get you started, here’s some additional information along with guidance from the key players you’re likely already working with:-
The Exploits
Meltdown – (CVE-2017-5754 - rogue data cache load) - this is an exploit specific to Intel CPUs going back to 2011 (and possibly to 1995) which allows user applications to reach into kernel memory (or ‘protected’ memory, a design feature which is relied on for data security and system stability) and collect information to which those applications have no right.
It’s relatively straightforward to exploit and sample exploit code is (as of 4/1/18) available on the web. However it’s reported that the hacker must have local access to the machine in order to use the exploit
Spectre – (CVE-2017-5753 -bounds check bypass, CVE-2017-5715 - branch target injection) - these exploits are so-named because they rely on a CPU queuing feature titled ‘speculative execution’ which can be abused to grant arbitrary collection of data from virtual memory which should be out of reach (principally because they are intended to be beyond security boundaries and into other apps, the kernel or an underlying hypervisor).
Spectre can be exploited by visiting a website with which includes malicious code, however it’s a vulnerability that’s described as much harder to exploit (plus also much harder patch/resolve).
It applies to Intel, AMD, Qualcomm and ARM CPUs going back up to 20 years - effectively every computing device on the planet (including smartphones) is vulnerable.
Vendor Guidance
Meltdown:
Microsoft have provided patches for many (but not all) of their operating system platforms – but note that automatic updates won’t be installed unless you (or your antivirus product) create a ‘compatibility flag’ in the registry for each device
• Windows Client:
o Windows 10 released (4/1/18) for RTM, 1511, 1607, 1703, 1709, requires “compatible antivirus” and registry key change to enable automatic update
o Windows 8.1
o Windows 7 SP1
NOTE: Some indications that patching devices with AMD Athlon X2 CPU (end-of-life in 2008) is failing and rendering those devices unusable
• Windows Server:
o Windows Server 2016 released (1607, 1709 (core))
o Windows 2012 R2 - released
o Windows 2012 – not yet available
o Windows 2008 R2 - released
o Windows 2008 – not yet available
NOTE: A list of compatible antivirus is available in a community managed list here (Trend is compatible but requires a manual registry key for auto update)
Further information from Microsoft is available here
Apple released patches for their affected product ranges during December, so customers should be covered by keeping up to date
• Apple Devices: All devices except Apple Watch are vulnerable (specifically Mac and iOS)
o iOS: patched included in v11.2
o macOS: patch included in v10.13.2
o tvOS: patch included in v11.2
Apple suggest only downloading apps from trusted sources such as the App Store
Google have confirmed that they have released patches, access to them will depend on whether you have a Google-branded device (i.e. Nexus, Pixel) or one from a partner using Googles operating systems
• Android: Patches released 5/1/2018 for ARM, Google-supported Android devices should be set to accept monthly updates for January 2018 to benefit, partner-supported devices subject to partners own scheduling
• ChromeOS: Upgrade to v63 when available
Linux
• Redhat – patches available, described here, customers encouraged to upgrade to latest kernel
• SUSE – patches available, described here
• Ubuntu – patches available 9/1/2018, described here
App-Specific patching:
• Chrome – Google suggest enabling site isolation to improve security, patch due on 23/01/18 (v63)
• SQL Server – guidance provided here
Public Cloud:
• AWS: Patch rollout on EC2 was already in progress when news broke, believed to have completed on 4/1/18. Customers directed now to patch their EC2 instances.
• Azure: Patch rollout was already in progress, now accelerating. Customer VMs now being forced into automatic reboots wef 3/1/18. Microsoft say performance impact should not be ‘noticeable’ from patch, however it is present. Further information here
• Google Cloud Platform: patched, declared secure
Spectre:
As mentioned above, patching for Spectre is more difficult – this is borne out by the limited range of patches available. However, it’s also more difficult to ‘productively’ exploit Spectre, so you may accept that the resultant risk is lower.
• Windows Client: not yet available
• Window Server: not yet available
• Apple Devices: not yet available
• Android: not yet available
• ChromeOS: not yet available
• Redhat: not yet available
• VMware: patch information available
App-Specific patching:-
• Firefox – specific mitigations released to Beta/Dev channels - https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
• Safari - patch planned
And what about responses from the chip-vendors themselves?
• Intel
• AMD
• ARM
Update – 9/1/2018: Intel CEO Brian Krzanich made statements in his speech at CES 2018 overnight that patches for 90% of its products would be available ‘within a week’
Our Recommendations
Meltdown and Spectre are significant vulnerabilities and we highly recommend that you patch for them as soon as you’re able. However, the inter-dependencies across products warrant care and testing, so consider applying the patches in a test group (with all your apps) first and then moving forward as quickly as you can whilst containing any risks.
And if you need support, we’re ready to help.
Subscribe here!
Recent Posts
Posts by tag
- technology (124)
- Security (97)
- cyber security (85)
- IT Security (81)
- Cloud (65)
- Microsoft 365 (63)
- modern technology (62)
- Managed Service (60)
- business (60)
- cloud computing (59)
- cyber attack (54)
- workplace (54)
- IT support (53)
- cloud it (53)
- Microsoft Teams (52)
- microsoft (51)
- Working from home (50)
- productivity (47)
- office (46)
- cybersecurity (44)
- office 365 (44)
- IT (41)
- Uncategorised (38)
- employees (38)
- entrustit (38)
- flexible work (36)
- Password Security (34)
- Remote (33)
- efficiency (31)
- Hosted Workspace (30)
- hosted desktop (30)
- schools (29)
- independent schools (28)
- school ict (27)
- collaboration (26)
- 2023 (25)
- Cyber (24)
- cyber privacy (22)
- public cloud (22)
- computing (21)
- email security (20)
- password (20)
- it support bournemouth (19)
- passwords (19)
- entrust (18)
- hosted applications (18)
- VoIP (17)
- cloud voip (17)
- covid19 (17)
- hacking (17)
- private cloud (17)
- data (16)
- it support dorset (16)
- teamwork (16)
- Coronavirus (15)
- GDPR (14)
- hackers (14)
- office 365 support (14)
- ransomware (14)
- IT audit (13)
- Protection (13)
- cloud cctv (13)
- covid-19 (13)
- hack (13)
- it support hampshire (13)
- management (13)
- network (13)
- Hosted Desktop and Applications (12)
- Windows Virtual Desktop (12)
- cctv (12)
- hardware (12)
- internet (12)
- it consultancy (12)
- 2020 (11)
- 2022 (11)
- hybrid cloud (11)
- internet safety (11)
- IT costs (10)
- Microsoft Planner (10)
- data breach (10)
- it consultancy bournemouth (10)
- it support southampton (10)
- it support winchester (10)
- phishing (10)
- vulnerabilities (10)
- windows (10)
- windows 10 (10)
- Backup (9)
- bitwarden (9)
- digital (9)
- it consultancy hampshire (9)
- telephony (9)
- attack (8)
- communication (8)
- desk phone (8)
- education (8)
- eu (8)
- it consultancy dorset (8)
- it consultancy southampton (8)
- msp (8)
- planning (8)
- software (8)
- staff (8)
- uk (8)
- Google (7)
- OneDrive (7)
- infrastructure (7)
- mobile (7)
- offsite backup (7)
- outsource (7)
- partnership (7)
- 2019 (6)
- Apple (6)
- Hampshire (6)
- IT Director (6)
- Skype for Business (6)
- apps (6)
- architect (6)
- child protection (6)
- cloud storage (6)
- european union (6)
- hacks (6)
- legal (6)
- legal it (6)
- mobile phones (6)
- onsite backup (6)
- password manager (6)
- remote desktop service (6)
- usecure (6)
- virus (6)
- 3d design desktop (5)
- Azure (5)
- Bournemouth (5)
- Desktop (5)
- ISO (5)
- News (5)
- Risk assessment (5)
- Windows 7 (5)
- awards (5)
- brexit (5)
- designer (5)
- personal data (5)
- resources (5)
- smartphone (5)
- website (5)
- Access Management (4)
- BYOD (4)
- Dorset (4)
- Facebook (4)
- Government (4)
- SharePoint (4)
- VPN (4)
- WannaCry (4)
- ios (4)
- law (4)
- legacy (4)
- proactive (4)
- remote learning (4)
- 2021 (3)
- 2024 (3)
- Attacks (3)
- Case Studies (3)
- General (3)
- Google Drive (3)
- Help (3)
- IP (3)
- Microsoft Forms (3)
- NHS (3)
- New Forest (3)
- Zoom (3)
- big switch off (3)
- budgets (3)
- citrix (3)
- closed cloud (3)
- ddos (3)
- digital hub (3)
- disaster recovery (3)
- guide (3)
- instagram (3)
- internet of things (3)
- meetings (3)
- sme (3)
- storage (3)
- surrey (3)
- teaching (3)
- trump (3)
- twitter (3)
- 2016 (2)
- 2018 (2)
- CAD (2)
- DR (2)
- DR planning (2)
- Environment (2)
- Firewall (2)
- Gen Z (2)
- ISBA (2)
- Local (2)
- Macs (2)
- Microsoft Copilot (2)
- PaaS (2)
- Tiva (2)
- android (2)
- artificial intelligence (2)
- award winning (2)
- bcs (2)
- broadband (2)
- camcloud (2)
- computer performance (2)
- digital transformation (2)
- downtime (2)
- dropbox (2)
- exhibition (2)
- finalist (2)
- innovation (2)
- legalex (2)
- london (2)
- macos (2)
- online meetings (2)
- organisation (2)
- paypal (2)
- predictions (2)
- president (2)
- strategy (2)
- united kingdom (2)
- us (2)
- video conferencing tools (2)
- 1998 (1)
- 5G (1)
- AI (1)
- AMD (1)
- ARM (1)
- Abbey Hill (1)
- Aldwickbury Park (1)
- BBC (1)
- BUNKERS! (1)
- Birchwood Park (1)
- Burhill (1)
- Burhill Group (1)
- Burnout (1)
- CEO (1)
- ChatGPT (1)
- Cloudtango (1)
- GPT-4 (1)
- Go Integrator (1)
- Hoebridge (1)
- Ignite 2018 (1)
- Ignite 2020 (1)
- Leaders (1)
- Loop (1)
- MFA (1)
- MSP Select 2024 (1)
- Market (1)
- May (1)
- Mr Mulligans (1)
- Multi Factor Authentication (1)
- MyAnalytics (1)
- Ninja Warrior UK (1)
- PBX (1)
- PM (1)
- Power BI (1)
- Privacy Shield (1)
- Ramsdale Park (1)
- Redbourn (1)
- Regulation (1)
- Surrey Business Awards (1)
- Sydenhams (1)
- Tech Company of the Year (1)
- The Business Magazine (1)
- Thornbury (1)
- WCry (1)
- WannaCrypt (1)
- Wifi (1)
- Wycombe Heights (1)
- acquisition (1)
- afc bournemouth (1)
- afcb (1)
- ashley madison (1)
- b2b (1)
- bandwidth (1)
- battersea (1)
- beach (1)
- big data (1)
- bloatware (1)
- blockchain (1)
- builders merchant (1)
- cambridge analytica (1)
- canada (1)
- cia (1)
- clinton (1)
- cnn (1)
- copilot (1)
- copilot pro (1)
- copyright (1)
- cryptocurrency (1)
- dark web (1)
- dns (1)
- donald (1)
- dyn (1)
- east grinstead (1)
- election (1)
- equality (1)
- executive order (1)
- farnham (1)
- fax (1)
- football (1)
- gchq (1)
- grinstead (1)
- intel (1)
- intelligence (1)
- josh widdicombe (1)
- landmarks (1)
- learning (1)
- legal technology forum (1)
- machine learning (1)
- meltdown (1)
- millennials (1)
- mirai (1)
- no-deal (1)
- onsite (1)
- paper (1)
- patisserie valerie (1)
- performance reviews (1)
- pound (1)
- premier league (1)
- procrastination (1)
- recruitment (1)
- research (1)
- serval systems (1)
- sharefile (1)
- smishing (1)
- snowden (1)
- solent (1)
- solent business awards (1)
- solentBA (1)
- spectre (1)
- sterling (1)
- storm (1)
- talktalk (1)
- trumppresident (1)
- ukitawards (1)
- united states (1)
- usa (1)
- vault 7 (1)
- vitality stadium (1)
- whatsapp (1)
- white (1)
- white house (1)
- wikileaks (1)
- wireless internet bournemouth (1)
- wireless internet southampton (1)
- women in business (1)
- xiongmai (1)
- year (1)