Meltdown and Spectre

MeltdownYou probably can’t have missed the reports about the cyber-Armageddon that are circulating today. Two very significant vulnerabilities have been found in the processor chips that are used by nearly every single computer, tablet, phone and smart toaster. This includes Mac OS X on Apple computers. Interestingly it has been reported that iPhones and iPads are NOT affected. These vulnerabilities have been given names. One is called Meltdown and the other Spectre.

I’m not going to go into any technical detail on these vulnerabilities. If you want to read the technical side you can go to the team that discovered the problems, Google’s Project Zero. There is some less technical information available on a dedicated webpage for the vulnerabilities. I’ve put in some easy to read background on this in the discussion section below.

What do you need to do about Meltdown NOW:

First of all DON’T PANIC. This is not the end-of-the-world. The situation is serious, but there are currently no active exploits out there. So keep a cool head and this can be managed successfully.

Original Text posted 4th January 2018 @ 16:30 GMT


Update 30th January 2018 @ 10:00 GMT:

Steve Gibson, a renowned security expert has created an excellent free little tool, called InSpectre for helping people to understand if they are protected or not from the two vulnerabilities. It has other useful advice there too. I would suggest you download it and run it against your Desktop/Laptop and see what your exposure is. Link to the download page is here.

https://www.grc.com/inspectre.htm

End-of-Update 2018/01/30-10:00


Update 8th January 2018 @ 10:00 GMT:

  • It has been reported that the Microsoft patches are causing problems for people using some AMD processor chips. It stops the machine from booting properly and seems to require Windows to be re-installed. If you have a PC with an AMD processor, it might be advisable to turn off Windows Update temporarily until this issue is fixed.
  • Qualcomm is another chip manufacturer, who make processors for mobile devices (e.g. – the Snapdragon processor that is used by many Android phones). They have now confirmed that their chips are also affected by these vulnerabilities.

End-of-Update 2018/01/08-10:00


Update 5th January 2018 @ 21:45 GMT:

  • Intel have advised that they are rolling out software and firmware patches to address the exploits as best possible. They expect to have 90% of the chips that were made in the last 5 years updated by the end of next week. They don’t seem to be talking about anything older than 5 years, so this might be a concern for people with older equipment.

End-of-Update 2018/01/05-21:45


Update 5th January 2018 @ 11:00 GMT:

  • What I didn’t mention yesterday was there are reports that fixing these vulnerabilities will cause the processor performance to degrade. While there will be some level of degradation, in typical workloads it shouldn’t be too noticeable. I won’t quote a percentage degree of slowdown as has been reported elsewhere, as it is purely speculation.
  • Operating Systems:
    • Microsoft have pushed out their patch for this to all platforms. As mentioned earlier some Anti-Virus vendors need to make changes before the patch can apply correctly. Keep an eye on this google doc for the current situation with the various anti-virus packages. Be sure to test the patch where possible before widespread deployment, in case there are any issues.
    • Apple Macs – MacOS patches are available.
    • Linux – patches are available.
  • Browsers:
    • Firefox – be on version 57 (currently available).
    • Chrome won’t be releasing version 64 for a few weeks, but Google advise people to enable an experimental feature called “Site Isolation” that can offer some protection against the web-based exploits but might also cause performance problems. Do the following:
      • Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
      • Look for Strict Site Isolation, then click the box labelled Enable.
      • Once done, hit Relaunch Now to relaunch your Chrome browser.
    • Internet Explorer/Edge will be updated with today’s patches from Microsoft
  • Mobile and Smart Devices:
    • The big change since the original post is that iPhones and iPads have been declared as vulnerable by Apple. Expect updates in the coming days for iOS devices.
    • Google branded Android phones/tablets will get the January 2018 patches in the next few days. Non-Google branded phones will only get updates at the discretion of the manufacturer. So please watch out for these.
    • If you have any other devices (smart fridge/kettle/thermostat/toaster, CCTV cameras, digital assistants), be sure to check their interface to see if updates come available for them.
  • Virtualisation Software:
    • VMWare have issued guidance on their affected products.
    • Citrix don’t believe they are directly affected, but have guidance for their customers as other software running on their platform may be impacted.
  • Cloud platforms:
    • Google Cloud platform has detailed advice for their clients.
    • Microsoft’s Azure platform also has information for their customers.
    • Amazon also has a detailed statement for their clients.
    • If you use some other Cloud Platform, please contact them to find out what their plans are to address these vulnerabilities.

End-of-Update 2018/01/05-11:00


I hate to say it, but you need to patch and patch everything as soon as you can. Warning: Make sure patches/fixes come from their usual sources and not by somebody sending you an e-mail with the patch. That won’t end well for you.

  • Microsoft are issuing their monthly Patch bundle today (4th January) to address Meltdown. Install it as soon as it comes available on your PCs and schedule an emergency patch for your servers ASAP. Warning: There have been reports that some Anti-Virus software may not play nicely with the Windows fixes and cause your machine to crash badly. Check this google doc for the current situation with the various anti-virus packages.
  • Firefox users make sure you are running version 57 (click the three horizontal lines and go to Help->About Firefox).
  • Chrome users need to wait for version 64 which is coming (click the three vertical dots and go to Help->About Google Chrome).
  • Apple Macs already have the patches out there, so make sure you are up-to-date.
  • If you have Linux anywhere, patches are available so update it ASAP.
  • Hopefully Android phones/tablets will get updates, so please watch out for them.
  • iPhones/iPads are currently safe from this issue.
  • If you have any other devices (smart fridge/kettle/thermostat/toaster, CCTV cameras, digital assistants), be sure to check their interface to see if updates come available for them.

I would not be at all surprised if there will be multiple patches emanating from Microsoft over the next week or two in respect to this.

I use services in the cloud, am I affected?

Absolutely. However reports are that Amazon and Microsoft are busy working away patching their infrastructure. There are a LOT of other other cloud services out there, so please check with them to see if you are in anyway exposed to these bugs.

Discussion:

When I check Twitter each morning, I normally see about 10 or 20 tweets from overnight. This morning it was hundreds of tweets. The cyber security world has gone into overdrive in the last 24 hours. I was seeing rumours of an Intel processor vulnerability circulating yesterday and then the disclosure broke overnight. It seems that they were trying to hold off until next week, in order for more work to be done on issuing fixes, but it was leaked. So now there is the scramble to get the fixes out there as fast as possible.

The Meltdown bug is poorly named, as it is not going to “melt” anything (ignore the picture I’ve used for this post I just liked the look of it ?). What it does is it breaches protections between the operating system (e.g. Windows) and Applications that are in use (e.g. Excel, Sage, etc.). The bug enables a malicious program to get at parts of the computer memory that stores sensitive information, such as passwords. Once it has this information it could send it to the bad guys. This vulnerability is relatively easy to exploit and proof of concept exploits have shown up in the wild.

The Spectre bug is not as easy to exploit as Meltdown, but it is also not as easily fixed. It works by breaking the isolation between different applications, which enables an attacker to fool normal computer programs into revealing sensitive data that they have in memory. The current discussion on this indicates that to truly protect against Spectre, hardware may need to be replaced.

We’re in for an interesting start to 2018!!! ???