
Spectre and Meltdown Processor Vulnerabilities: What You Need to Know #HITsecurity

UPDATED: Jan. 24, 2018 1:15 p.m. ET


Publicly disclosed vulnerabilities known as Spectre and Meltdown affect many processors and operating systems in use today. According to reports, affected processors include Intel, AMD, and ARM parts, and affected systems include Windows, Linux, Android, Chrome, iOS, and macOS (spanning laptops, embedded devices, servers, clients, mobile phones, etc.).

In addition, Microsoft has issued client and server guidance for IT professionals to protect against speculative execution side-channel vulnerabilities. (Please note: these pages from Microsoft also describe a PowerShell script that can be run to confirm whether protections against these vulnerabilities are present and enabled. Additional mitigation information is also provided.)

In more detail, researchers have authored papers on Spectre (CVE-2017-5715 and CVE-2017-5053) and Meltdown (CVE-2017-5754) attacks. Proof-of-concept exploit code for these vulnerabilities is publicly available in languages including C++, JavaScript, and C. (Code can always be ported to other languages, of course. This point is mentioned to emphasize that the threat is real—i.e., the exploit code is publicly available.)

In describing the Meltdown vulnerability, researchers have characterized it as follows:

“Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. …Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer.”

Additionally, “Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary.”

On the positive side of things, the same proof-of-concept code may be used to check whether or not a system is vulnerable. A demonstration of the Spectre attack on a vulnerable machine (a Linux virtual machine running on a Windows 7 platform) is as follows:

This exploit only took a few seconds to execute. Since the system is vulnerable, it output the following phrase: “The Magic Words are Squeamish Ossifrage.”


UPDATE – Jan. 24, 2018:

In a recent Intel blog post of January 22, 2018, Intel recommends that end users and vendors stop deploying the current version of its patch and wait for the new patch to be finalized. There have been reports of reboot issues, system instability, performance issues, and/or unpredictable system behavior. Otherwise, Intel advises consumers to keep their systems up to date and adhere to best practices.


UPDATE – January 29, 2018:

Microsoft has released an update to “back out” of the Spectre Variant 2 patch for Windows 10, Windows 10 LTSB, Windows 7, Windows 8.1, Windows Embedded Standard 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016. Microsoft has also documented registry settings that let “advanced users” manually disable and enable the mitigation against Spectre Variant 2 (CVE-2017-5715) independently of the update. (By the same token, below is information on an ‘out of band’ update made available by Microsoft via its update catalog.)

The update to back out of the Spectre Variant 2 update (previously issued by Microsoft) is available from the Microsoft Update Catalog (KB4078130). I applied this update to my Windows 7 machine, as I was experiencing some system problems (after applying the Spectre patch a few weeks ago). My system seemed quite slower and USB connectivity was a problem.
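The following PowerShell script is an added example (not code from the blog post or from Microsoft) that ties together the two checks mentioned above: Microsoft's published PowerShell check for whether the speculative execution protections are present and enabled, and the registry override that controls the Spectre Variant 2 mitigation. It assumes Windows PowerShell 5.1 with PowerShellGet, so that the `SpeculationControl` module can be installed from the PowerShell Gallery, and that the `FeatureSettingsOverride` / `FeatureSettingsOverrideMask` DWORD values and their meanings match Microsoft's mitigation guidance; the function names are my own.

```powershell
# Added example (not from the blog post or from Microsoft). Inspect the Windows
# Spectre/Meltdown mitigation state, then read and interpret the registry override
# that Microsoft documents for the Variant 2 (CVE-2017-5715) mitigation.
# Assumptions: Windows PowerShell 5.1 with PowerShellGet; the SpeculationControl
# module from the PowerShell Gallery; the FeatureSettingsOverride /
# FeatureSettingsOverrideMask DWORDs as described in Microsoft's guidance.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpectreMitigationStatus {
    # Microsoft's published check; one-time setup on a connected machine:
    #   Install-Module SpeculationControl -Scope CurrentUser
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Write-Warning 'SpeculationControl module not installed; run: Install-Module SpeculationControl -Scope CurrentUser'
        return $null
    }
    Import-Module SpeculationControl
    # The returned object reports, among other properties, BTIHardwarePresent,
    # BTIWindowsSupportPresent and BTIWindowsSupportEnabled (Variant 2) and the
    # KVAShadow* properties (Meltdown). "Present" but not "Enabled" usually means
    # the OS update is installed but microcode is missing or the override is set.
    Get-SpeculationControlSettings
}

function Get-FeatureSettingsOverride {
    # Reads the override DWORDs. Absent values mean the OS defaults apply
    # (mitigations on once the January 2018 update and, for Variant 2, the
    # matching microcode update are installed).
    $props = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Override = $props.FeatureSettingsOverride
        Mask     = $props.FeatureSettingsOverrideMask
    }
}

function Test-Variant2MitigationDisabledByPolicy {
    # Bit 0 of FeatureSettingsOverride, when bit 0 of the mask is also set,
    # turns off the branch target injection mitigation for CVE-2017-5715.
    # Returns $true only when the registry explicitly disables it.
    $o = Get-FeatureSettingsOverride
    if ($null -eq $o.Override -or $null -eq $o.Mask) { return $false }
    return (($o.Mask -band 1) -eq 1) -and (($o.Override -band 1) -eq 1)
}

function Set-Variant2Mitigation {
    # Re-enables (default) or disables the Variant 2 mitigation with the values
    # from Microsoft's guidance. Needs an elevated shell; takes effect after reboot.
    param([switch]$Disable)
    if (-not (Test-Path $MemMgmtKey)) { New-Item -Path $MemMgmtKey -Force | Out-Null }
    if ($Disable) { $override = 1; $mask = 1 }   # disable Variant 2 mitigation only
    else          { $override = 0; $mask = 3 }   # enable Variant 2 and Meltdown mitigations
    New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride     -PropertyType DWord -Value $override -Force | Out-Null
    New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverrideMask -PropertyType DWord -Value $mask     -Force | Out-Null
    Write-Host "FeatureSettingsOverride=$override, FeatureSettingsOverrideMask=$mask written; reboot to apply."
}

# Usage: report the current state and flag a mitigation that policy has switched off.
Get-SpectreMitigationStatus | Format-List
$ov = Get-FeatureSettingsOverride
Write-Host ("FeatureSettingsOverride={0} FeatureSettingsOverrideMask={1}" -f $ov.Override, $ov.Mask)
if (Test-Variant2MitigationDisabledByPolicy) {
    Write-Warning 'Spectre Variant 2 mitigation is explicitly disabled via the registry override.'
}
```

Running the status check before and after a patch (or after backing one out, as described above) gives a recorded before/after state rather than relying on perceived slowness; the registry check separately tells you whether a mitigation that shows as "not enabled" was turned off deliberately or is simply waiting on a microcode update.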

Microsoft’s new “fix” worked like a charm.

For comparison, here is a screenshot after I had applied the Spectre Variant 2 patch from Microsoft:


And, here is a screenshot after I had applied the "undo" patch from Microsoft to back out of the Spectre Variant 2 patch:


Now, my Windows 7 system (which is essentially a lab machine that I use for my research) is back in business. No system problems whatsoever and, most importantly, my virtual machines are running quite well.


Resources:

Origin of the Magic Phrase

Dell: Meltdown and Spectre Vulnerabilities

Apple: About speculative execution vulnerabilities in ARM-based and Intel CPUs

Microsoft Support: Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software

Microsoft Security Advisory No. ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities

Mozilla Security Blog: Mitigations landing for new class of timing attack

Meltdown in Action: Dumping Memory

Meltdown demo – Spying on Passwords

Reading privileged memory with a side-channel

HCCIC: Report on Recently Publicized Widespread Processor Vulnerabilities

Keywords: #HITsecurity