
Spectre and Meltdown Processor Vulnerabilities: What You Need to Know #HITsecurity

UPDATED: Jan. 5, 2018 4:30 p.m. ET


Publicly disclosed vulnerabilities known as Spectre and Meltdown affect many processors and operating systems in use today. According to reports, affected processors include Intel, AMD, and ARM. Also, according to reports, affected systems include Windows, Linux, Android, Chrome, iOS, and MacOS (including laptops, embedded devices, servers, clients, mobile phones, etc.).

You are encouraged to seek out guidance from the vendors of your respective systems. Many vendors, including Microsoft, have already released patches that significantly alter how their systems handle memory operations in order to protect against these disclosed vulnerabilities. Yet others are continuing to roll out such patches.

In addition, Microsoft has issued client and server guidance for IT professionals to protect against speculative execution side-channel vulnerabilities. (Please note: These Microsoft pages also describe a PowerShell script that can be run to confirm whether the protections against these vulnerabilities are present and enabled on a given system. Additional mitigation information is provided there as well.)
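The following is an added example, not code from the original post or from Microsoft, showing how to run the check the Microsoft guidance refers to. It uses Microsoft's published SpeculationControl module from the PowerShell Gallery and its Get-SpeculationControlSettings cmdlet; the script name, the summary table and the pass/fail logic around the cmdlet's results are assumptions of this example. It is meant to be run in an elevated PowerShell session on the Windows host being verified.

```powershell
# Check-SpeculationControl.ps1 (file name is an assumption of this example)
# Added example: confirm the Windows-side Spectre/Meltdown mitigations using
# Microsoft's SpeculationControl module, then report a simple pass/fail summary.
# Run from an elevated PowerShell prompt: .\Check-SpeculationControl.ps1

# Fetch the module from the PowerShell Gallery the first time it is needed.
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}

# The module's scripts are not signed; allow them for this process only so the
# machine-wide execution policy is left untouched.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
Import-Module SpeculationControl

# Ask the kernel for the state of the two mitigation families:
#   BTI        = branch target injection (Spectre variant 2, CVE-2017-5715)
#   KVA shadow = kernel virtual address shadowing (Meltdown, CVE-2017-5754)
$s = Get-SpeculationControlSettings

# Spectre v2 needs microcode (hardware) support plus Windows support that is
# both present and switched on.
$spectreV2Ok = $s.BTIHardwarePresent -and
               $s.BTIWindowsSupportPresent -and
               $s.BTIWindowsSupportEnabled

# Meltdown: if the CPU is not affected (KVAShadowRequired is $false, e.g. on
# AMD parts), no shadowing is needed and the check passes; otherwise Windows
# support must be present and enabled.
if (-not $s.KVAShadowRequired) {
    $meltdownOk = $true
    $meltdownNote = 'CPU not affected; KVA shadowing not required'
} else {
    $meltdownOk = $s.KVAShadowWindowsSupportPresent -and $s.KVAShadowWindowsSupportEnabled
    $meltdownNote = 'KVA shadowing required on this CPU'
}

# Optional: confirm a specific rollup is installed. KB4056894 is the Windows 7
# x64 January 2018 rollup named later in this post; adjust for other platforms.
$rollup = Get-HotFix -Id 'KB4056894' -ErrorAction SilentlyContinue

[pscustomobject]@{
    'Spectre v2 (BTI) mitigated'      = $spectreV2Ok
    '  hardware (microcode) support'  = $s.BTIHardwarePresent
    '  Windows support present'       = $s.BTIWindowsSupportPresent
    '  Windows support enabled'       = $s.BTIWindowsSupportEnabled
    'Meltdown (KVA shadow) mitigated' = $meltdownOk
    '  note'                          = $meltdownNote
    'KB4056894 installed'             = [bool]$rollup
} | Format-List

# Non-zero exit code lets this be used from a scheduled task or config check.
if ($spectreV2Ok -and $meltdownOk) { exit 0 } else { exit 1 }
```

A common result on a freshly patched machine is Meltdown mitigated but Spectre v2 still unmitigated, because the OS update is in place while the CPU microcode (delivered by the OEM or BIOS update) is not; the hardware-support line in the output makes that case visible rather than hiding it behind a single pass/fail.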

In more detail, researchers have published papers on the Spectre (CVE-2017-5715 and CVE-2017-5053) and Meltdown (CVE-2017-5754) attacks. Proof-of-concept code that exploits these vulnerabilities is publicly available in languages including C, C++, and JavaScript. (Code can always be ported to other languages, of course. This point is mentioned to emphasize that the threat is real: the exploit code is publicly available.)

In describing the Meltdown vulnerability, researchers have characterized it as follows:

“Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. …Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer.”

Additionally, “Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary.”

On the positive side of things, the exploit code may be used to check whether or not a system is vulnerable. A demonstration of the Spectre attack on a vulnerable machine (a Linux virtual machine running on a Windows 7 platform) is as follows:

This exploit took only a few seconds to execute. Because the system is vulnerable, it output the following phrase: “The Magic Words are Squeamish Ossifrage.”

Finally, as a gentle reminder, JavaScript exploits are available for both Spectre and Meltdown. Thus, the time to consider patching (and testing any patches, as appropriate) is now. You may also want to consider disabling or minimizing the use of JavaScript, to the extent this is feasible. Browser plug-ins exist to block JavaScript. (After all, client-side exploits are no fun when you are the unwitting victim.)


Resources:

Origin of the Magic Phrase

Apple: About speculative execution vulnerabilities in ARM-based and Intel CPUs

Microsoft Support: Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software

Microsoft Security Advisory No. ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities

Mozilla Security Blog: Mitigations landing for new class of timing attack

Meltdown in Action: Dumping Memory

Meltdown demo – Spying on Passwords

Reading privileged memory with a side-channel

HCCIC: Report on Recently Publicized Widespread Processor Vulnerabilities


Jan. 5, 2018 4:10 p.m. ET Update:


I just installed the 2018-01 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4056894). Here is the result of the Spectre program. As you can see, the problem has been fixed. Again, I am running a virtual Linux machine on a Windows 7 Professional SP1 x64 platform. Thus, the secret message is not read from memory with this patch in place.

Keywords: 
#HITsecurity