Lots of excitement today as EVERY security company is endlessly discussing Spectre and Meltdown, the exploits affecting almost all systems out there. Here is the long and short (non-technical) summary of things:
- Spectre – The name is coined from the term “speculative execution”, and the fact that it will “haunt” us for a long time to come.
- Meltdown – This name is a reference to how it operates (i.e. it “melts” or destroys the isolation protection that prevents applications from accessing random memory locations).
- Spectre (CVE-2017-5753 and CVE-2017-5715) affects almost every system with a CPU (laptops, desktops, servers, and even ARM-based devices like smartphones). Effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.
- Meltdown (CVE-2017-5754) is more specific to Intel CPUs and systems running software-based virtualization like Xen PV or Docker where there is the sharing of a single host’s kernel. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information.
- Can Spectre and/or Meltdown be detected? Probably not…at least not easily. The exploitation does not leave any traces in traditional log files. It is possible (in theory) that antivirus will be able to detect / block these attacks in the future, but at the moment it is very difficult to distinguish the difference Meltdown and Spectre versus benign applications. Javascript is also capable of exploiting these vulnerabilities, so web browsing is now also a risk. However, Mozilla has released some tweaks and suggestions to harden the browser making it more difficult. Chrome will apparently be issuing a patch on Jan 23rd.
- Is there a workaround / fix? There are patches for Windows, Linux and OSX for Meltdown…a simple Google Search will find them. For Spectre, as it is quite a bit harder to mitigate, there is no patch per se (outside of CPU replacement), but hardening procedures are being worked on to prevent future exploitation. As this is all quite new, keep monitoring the security blogs for the latest updates on patches, hardening methodologies, and more information.
