
Meltdown & Spectre: A New Dawn

Meltdown and Spectre dominate the security news, and the more I delve into it, the greater my understanding of the depth and breadth of what this now means for the future landscape of device security.

Turns out the three variants of side-channel attacks, one for Meltdown and two for Spectre, were discovered back in June of last year [2017] by researchers. All three abuse speculative execution, which is where processors execute code ahead of time and then fetch and store the speculative results in cache. It’s a technique used to optimize and improve the performance of a device. What is important to note with Spectre is that it puts users at risk of information disclosure by exploiting a weakness in the architecture of most processors on the market, and the breadth is vast: Intel, AMD, ARM, IBM (Power, Mainframe Z series) and Fujitsu/Oracle SPARC implementations across PCs, physical and virtual servers, smartphones, tablets, networking equipment and possibly IoT devices.

Currently there are no reported exploits in the wild.

Of the two, Meltdown is the easier one to mitigate with operating system updates. AMD processors are not affected by Meltdown. Please see below for Microsoft KBs related to Meltdown. Spectre is a bit more complex to resolve because it is a new class of attack. Both variants of Spectre can potentially do harm, such as stealing logins and other user data residing on the affected device. Intel, ARM, and AMD processors are affected by Spectre. Recently, Microsoft released another emergency update to disable Intel’s microcode fix. The original microcode update was meant to patch variant 2 of Spectre. Unfortunately, it had adverse effects, with numerous reports of reboots and instability, so Microsoft issued an out-of-band update to disable it.

Things are still evolving around Spectre and while operating system updates and browser updates are helping to patch for Spectre, it is being reported by some sources that a true fix may be an update to the hardware (processor) itself.

The following is a chart* to clarify each vulnerability:

| | Meltdown | Spectre |
|---|---|---|
| Allows Kernel Read | Yes | No |
| Patched with KAISER/KPTI | Yes | No |
| Leaks User Memory | Yes | Yes |
| Executed Remotely | Sometimes | Definitely |
| Likely to Impact | Kernel Integrity | Browser Memory |
| Practical Attacks Against | Intel | Intel, AMD, ARM |

*Chart is courtesy of SANS/Rendition Infosec. See full presentation here.

The following is a list of Microsoft Windows KBs for Meltdown:

| Operating system version | Update KB | Superseded Patch |
|---|---|---|
| Windows Server, version 1709 (Server Core Installation) | 4056892 | 4054517 |
| Windows Server 2016 | 4056890 | 4053579 |
| Windows Server 2012 R2 | 4056898 | N/A |
| Windows Server 2012 | Not available | N/A |
| Windows Server 2008 R2/Windows 7 SP1 | 4056897 | 4054518 |
| Windows Server 2008 | Not available | N/A |
| Windows 10 for 32/x64-bit Systems | 4056893 | 4053581 |
| Windows 10 Version 1511 | 4056888 | 4053578 |
| Windows 10 Version 1607 | 4056890 | 4053579 |
| Windows 10 Version 1703 | 4056891 | 4053580 |
| Windows 10 Version 1709 | 4056892 | 4054517 |
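
One way to put the KB table to work across a fleet, added here as an example and not part of the original post or any Microsoft tooling: a triage pass over an exported hotfix inventory. The CSV layout (columns host, os, hotfixes), the host names, the status labels and the function names are assumptions; only the OS labels and KB numbers come from the table above.

```python
import csv
import io

# KB table from the page: OS label -> (update KB, superseded KB); None = "Not available"/"N/A".
MELTDOWN_KBS = {
    "Windows Server, version 1709 (Server Core Installation)": ("4056892", "4054517"),
    "Windows Server 2016": ("4056890", "4053579"),
    "Windows Server 2012 R2": ("4056898", None),
    "Windows Server 2012": (None, None),
    "Windows Server 2008 R2/Windows 7 SP1": ("4056897", "4054518"),
    "Windows Server 2008": (None, None),
    "Windows 10 for 32/x64-bit Systems": ("4056893", "4053581"),
    "Windows 10 Version 1511": ("4056888", "4053578"),
    "Windows 10 Version 1607": ("4056890", "4053579"),
    "Windows 10 Version 1703": ("4056891", "4053580"),
    "Windows 10 Version 1709": ("4056892", "4054517"),
}

def normalize_kb(raw):
    """' kb4056892 ' -> '4056892' so export formatting does not cause false misses."""
    kb = raw.strip().upper()
    return kb[2:] if kb.startswith("KB") else kb

def triage_host(os_label, installed):
    if os_label not in MELTDOWN_KBS:
        return "UNKNOWN_OS"        # OS not in the page's table: review by hand
    update, superseded = MELTDOWN_KBS[os_label]
    if update is None:
        return "NO_PATCH_LISTED"   # the page lists the update as "Not available"
    have = {normalize_kb(k) for k in installed if k.strip()}
    if update in have:
        return "PATCHED"
    if superseded in have:
        return "SUPERSEDED_ONLY"   # still on the patch that the update replaces
    return "MISSING"               # or on a newer cumulative update not in the table

def triage_inventory(csv_text):
    """Map host -> status for an inventory CSV with columns host, os, hotfixes."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage_host(r["os"], r["hotfixes"].split(";")) for r in rows}

# Constructed sample inventory (hypothetical hosts; KB0000001 is a placeholder).
SAMPLE = """host,os,hotfixes
ws-01,Windows 10 Version 1709,KB4054517;KB4056892
ws-02,Windows 10 Version 1703,kb4053580
srv-01,Windows Server 2012,KB0000001
srv-02,Windows Server 2016,
srv-03,Windows Server 2019,KB4056890
"""
print(triage_inventory(SAMPLE))
```

Hosts reported as MISSING or SUPERSEDED_ONLY are the ones to check first; a MISSING host may also be on a later cumulative update that this table does not list.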

Microsoft has also recently released a cool new dashboard that uses analytics to help discover vulnerable devices and helps assess whether those devices are susceptible to Meltdown and Spectre. You can get that here.

It will be important over the next few weeks to stay on top of any breaking news around Meltdown and Spectre. Mitigation efforts should be underway in your IT organization to prevent a future zero-day attack.