Meltdown and Spectre dominate the security news, and the more I delve into it, the better I understand the depth and breadth of what this means for the future landscape of device security.
Turns out the three variants of these side-channel attacks, one for Meltdown and two for Spectre, were discovered by researchers back in June of last year [2017]. They abuse speculative execution, which is where processors execute code ahead of time and then fetch and store the speculative results in cache. It’s a technique used to optimize and improve the performance of a device. What is important to note with Spectre is that it puts users at risk of information disclosure through a weakness in the architecture of most processors on the market, and the breadth is vast: Intel, AMD, ARM, IBM (Power, Mainframe Z series) and Fujitsu/Oracle SPARC implementations across PCs, physical and virtual servers, smartphones, tablets, networking equipment and possibly IoT devices.
Currently there are no reported exploits in the wild.
Of the two, Meltdown is the easier one to mitigate with operating system updates. AMD processors are not affected by Meltdown. Please see below for Microsoft KBs related to Meltdown. Spectre is a bit more complex to resolve because it is a new class of attack. Both variants of Spectre can potentially do harm, such as stealing logins and other user data residing on the affected device. Intel, ARM, and AMD processors are affected by Spectre. Recently, Microsoft released another emergency update to disable Intel’s microcode fix. The original microcode update was meant to patch variant 2 of Spectre. Unfortunately, it had adverse effects, with numerous reports of reboots and instability, so Microsoft issued an out-of-band update to disable it.
Things are still evolving around Spectre and while operating system updates and browser updates are helping to patch for Spectre, it is being reported by some sources that a true fix may be an update to the hardware (processor) itself.
The following is a chart* to clarify each vulnerability:
Characteristic | Meltdown | Spectre |
Allows Kernel Read | Yes | No |
Patched with KAISER/KPTI | Yes | No |
Leaks User Memory | Yes | Yes |
Executed Remotely | Sometimes | Definitely |
Likely to Impact | Kernel Integrity | Browser Memory |
Practical Attacks Against | Intel | Intel, AMD, ARM |
*Chart is courtesy of SANS/Rendition Infosec. See full presentation here.
The following is a list of Microsoft Windows KBs for Meltdown:
Operating system version | Update KB | Superseded Patch |
Windows Server, version 1709 (Server Core Installation) | 4056892 | 4054517 |
Windows Server 2016 | 4056890 | 4053579 |
Windows Server 2012 R2 | 4056898 | N/A |
Windows Server 2012 | Not available | N/A |
Windows Server 2008 R2/Windows 7 SP1 | 4056897 | 4054518 |
Windows Server 2008 | Not available | N/A |
Windows 10 for 32/x64-bit Systems | 4056893 | 4053581 |
Windows 10 Version 1511 | 4056888 | 4053578 |
Windows 10 Version 1607 | 4056890 | 4053579 |
Windows 10 Version 1703 | 4056891 | 4053580 |
Windows 10 Version 1709 | 4056892 | 4054517 |
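One way to check a host against the table above (an added example, not from the original post or from Microsoft). The function name `Test-MeltdownKb`, the status strings and the build-number keys are assumptions made for illustration; the KB numbers are the ones listed in the table. A `KbNotFound` result is not conclusive on its own, because later cumulative updates replace the ones listed here.

```powershell
# Added example. Build numbers are an assumption used to key the article's KB table.
$MeltdownKb = @{
    7601  = 'KB4056897'   # Windows Server 2008 R2 / Windows 7 SP1
    9600  = 'KB4056898'   # Windows Server 2012 R2
    10240 = 'KB4056893'   # Windows 10 (original release)
    10586 = 'KB4056888'   # Windows 10 Version 1511
    14393 = 'KB4056890'   # Windows 10 Version 1607 / Windows Server 2016
    15063 = 'KB4056891'   # Windows 10 Version 1703
    16299 = 'KB4056892'   # Windows 10 / Windows Server, version 1709
}
# Windows Server 2008 (6002) and 2012 (9200) are "Not available" in the table.
$NoUpdateListed = 6002, 9200

function Test-MeltdownKb {
    param(
        [Parameter(Mandatory)][int]$BuildNumber,
        [string[]]$InstalledKb = @()
    )
    $kb = $null
    if ($NoUpdateListed -contains $BuildNumber) {
        $status = 'NoUpdateListed'      # the table offers no KB for this OS
    } elseif (-not $MeltdownKb.ContainsKey($BuildNumber)) {
        $status = 'BuildNotInTable'     # newer or unlisted build, check vendor guidance
    } else {
        $kb = $MeltdownKb[$BuildNumber]
        $status = if ($InstalledKb -contains $kb) { 'Installed' } else { 'KbNotFound' }
    }
    [pscustomobject]@{ Build = $BuildNumber; ExpectedKb = $kb; Status = $status }
}

# Constructed sample inventory (not real hosts): one patched, one still on the
# superseded patch, one OS with no update listed.
Test-MeltdownKb -BuildNumber 16299 -InstalledKb 'KB4054517', 'KB4056892'
Test-MeltdownKb -BuildNumber 14393 -InstalledKb 'KB4053579'
Test-MeltdownKb -BuildNumber 9200

# Live check of the local Windows host.
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
Test-MeltdownKb -BuildNumber $build -InstalledKb (Get-HotFix).HotFixID
```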
Microsoft has also recently released a cool new dashboard that uses analytics to help discover vulnerable devices and helps assess whether those devices are susceptible to Meltdown and Spectre. You can get that here.
It will be important over the next few weeks to stay on top of any breaking news around Meltdown and Spectre. Mitigation efforts should be underway in your IT organization to prevent a future zero-day attack.