We are only a few days into 2018, and already our news feeds are filled with alarming news about a huge security issue that affects all current Intel, ARM and AMD processors, regardless of the device, manufacturer and operating system they run on. Leading operating systems like Windows, MacOS, and Linux have rolled out security updates since then, as more details are gathered to explain this problem further.
The two security attacks in question, called Meltdown and Spectre, can expose a read-protected section of memory on a device that runs on an affected CPU (central processing unit). It is not so much a physical issue with how CPUs are built, or an ordinary software bug of the kind one may discover in apps like Chrome. The issue lies at the core of the processor’s architecture, which carries out the instructions.
A Security Flaw in Speculative Execution
Meltdown and Spectre exploit a feature in microchips known as speculative execution, a method adopted in most of today’s CPUs to improve their performance. Modern CPUs may choose to execute instructions speculatively: the CPU assumes that a given condition will be true and executes the instructions that follow on that basis.
The processor checks these assumptions. If they are found to be valid, the execution continues. But if the assumptions are invalid, the execution is discontinued and the right execution path can be initiated based on actual conditions.
A serious flaw found in modern processors that use speculative execution is that they don’t always verify permissions correctly and may expose data from discontinued executions. While the discontinued executions don’t change the outcome of a program, they can make changes to the processor’s deepest architectural features.
Consequently, user programs are likely to be able to view protected areas of kernel memory (the memory that belongs to the core component of an operating system). This security flaw may potentially reveal concealed information such as passwords and encrypted communication. Patching this flaw requires an operating-system-level fix on every operating system.
What is Meltdown?
Protecting and isolating memory spaces stops applications from accidentally accessing each other’s data and stops malicious software from viewing or changing data freely. Meltdown works by breaking the barrier between the user application and the operating system.
It enables a program to access all system memory, including memory reserved for the kernel. Almost all types of devices, such as desktops, laptops and cloud computers, are potentially susceptible to Meltdown.
What is Spectre?
Spectre is a security attack that exploits Intel, AMD, and ARM processors. Essentially, it tricks applications into revealing data that is normally sealed inside protected memory. Patching it can be tricky, and it may affect people for a long time, since completely mitigating this issue needs changes to the processor’s architecture.
Who can be affected by Meltdown and Spectre?
Anyone. Chips manufactured since 2011 were discovered to be susceptible to these attacks. Since Meltdown and Spectre are security flaws that operate at an architectural level, all software programs are equally targeted, regardless of whether your device runs on Windows, Android, MacOS, etc. This means that desktops, laptops, servers, and smartphones can be vulnerable to this attack.
Cloud service providers are also vulnerable to Meltdown and Spectre. Both can be used to attack hypervisors, allowing malicious users to break free from virtual machines.
What’s Been Done to Fix it?
The good news is that most companies are not leaving it to chance. Many of them are already scrambling to provide security patches for their users. Microsoft issued a patch for Windows 10, while the rest of the Windows OS versions should be patched by January 9.
Linux also released patches that introduce kernel page-table isolation, which moves the kernel into a different address space. Apple informed its users that they already patched iOS 11.2 and MacOS High Sierra 10.13.2. The 10.13.3 version should fix these vulnerabilities, too. Google Pixel/Nexus devices have security patches ready. Users of other Android devices should wait for their manufacturer to issue their security patches.
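To confirm that a Linux machine actually has the kernel page-table isolation patch active, you can read the kernel's own status report. The script below is an added example, not part of the original article; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (Linux 4.15 or a distribution kernel with the backport), and the function names are our own.

```shell
#!/bin/sh
# Added example (not from the original article). Assumption: the kernel
# exposes /sys/devices/system/cpu/vulnerabilities (Linux 4.15+ or a backport).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status LINE -> ok | vulnerable | unknown
# The kernel reports e.g. "Mitigation: PTI", "Not affected" or "Vulnerable".
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# check_dir DIR -> one report line per issue; returns 1 unless all are ok
check_dir() {
    dir=$1
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
        else
            status=""   # no file: kernel too old to report
        fi
        verdict=$(classify_status "$status")
        printf '%-11s %-10s %s\n' "$name" "$verdict" "${status:-no report from kernel}"
        [ "$verdict" = ok ] || rc=1
    done
    return "$rc"
}

# Run against the live system when the interface is present.
if [ -d "$VULN_DIR" ]; then
    check_dir "$VULN_DIR" || echo "Action needed: install the latest kernel update and reboot."
fi
```

A line reading "unknown" means the kernel gave no report at all, which usually indicates a kernel that predates the patches.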
How to Safeguard Against Meltdown and Spectre?
Here are steps you can take to prevent or at least mitigate this security issue:
As mentioned before, Windows has been sending out security patches since last week. In fact, if you have Windows 10 on your PC, the patch should already download and install automatically. However, you might want to double-check your computer settings to be sure. To check your PC settings:
- Right-click on the Windows icon and click on ‘Settings’. (Similarly, you can click on the gear icon to access ‘Windows Settings’).
- Click ‘Update and Security’. Check ‘update status’ to see if there are any pending security updates.
- If there’s none, click on the text link that says ‘View installed update history’ to check if it was installed.
- The Windows 10 update may come under different names, depending on when you last updated it. You should see Security Update for Windows (KB4056892) for Windows 10 version 1709.
Security updates were also rolled out for MacBooks, iMacs, Mac Pros and Mac Minis since December 2017. To see if you need to manually update it, follow these steps:
- On the upper-left hand corner of the screen, go to the Apple menu button.
- Choose “About this Mac”. Check if you have the latest update.
- If you don’t have the current version, then go to the ‘App Store’ mobile app.
- Click on ‘Update’ to run the security update.
iPhones and iPads
You don’t have to worry if you have installed the current iOS 11.2 version on your iPhone and iPad. This version already includes a host of mitigations against any security loopholes uncovered by some of the Apple researchers. To update it manually:
- Go to ‘Settings’.
- Click on ‘General’, then ‘About’.
- Search for ‘Version’. See if you’re on version 11.2 or the latest.
- If it’s not, then go back to ‘Settings’, then ‘General’.
- Finally, click on ‘Software Update’ to download and install the current version.
Google Chrome announced last year that the latest Chrome update will be on its way on January 23. This will feature some mitigations that safeguard your desktop and phone’s Chrome OS from known security attacks. If you’re not inclined to wait for the next update, you can try an experimental security feature in Chrome called Site Isolation. These are the steps to run Site Isolation on Windows, Linux, Mac, Chrome OS, and Android:
- Copy and paste this link into the address bar of your Chrome browser: chrome://flags/#enable-site-per-process
- Find ‘Strict Site Isolation’ and click the ‘Enable’ button.
- Save your work, then click ‘Relaunch Now’, or close and re-open Chrome.
For Google phones such as the Nexus brand, the update will download automatically. You only need to install it on your end. However, for Android smartphones from other manufacturers and network providers, it may take some time to roll out the patch. So we suggest that you send them an email or notify them on their social profiles to get their attention about this.
Mozilla, Microsoft Edge, and Internet Explorer
Mozilla announced in their blog recently that they have released Firefox 57.0.4 which includes the two timing-related mitigations to combat these recent security problems.
Microsoft made some changes to the behavior of the supported versions of Microsoft Edge and Internet Explorer 11 to protect against possible attempts to read memory through these security issues.
Our servers here at Vodien run on Intel. So, it’s a must for us to perform security patches across all our servers as they could be affected, too. Our infrastructure team is working on the server patches with the highest priority and will begin to patch and schedule maintenance for the servers. We will update all our customers on the upcoming server maintenance to combat Meltdown and Spectre attacks.