Meltdown and Spectre: what you need to know

Credit to Author: Malwarebytes Labs| Date: Thu, 04 Jan 2018 15:53:24 +0000

The Google Project Zero team, in collaboration with other academic researchers, has published information about three variants of a hardware bug with important ramifications. These variants—branch target injection (CVE-2017-5715), bounds check bypass (CVE-2017-5753) and rogue data cache load (CVE-2017-5754)—affect all modern processors.

If you’re wondering if you could be impacted, the answer is most certainly yes.

The vulnerabilities, named named Meltdown and Spectre, are particularly nasty, since they take place at a low level on the system, which makes them hard to find and hard to fix.

The core issue stems from a design flaw that allows attackers to dump memory contents from any device (personal desktop, smartphone, cloud server, etc.) exposing passwords and other sensitive data. The flaw in question is tied to what is called speculative execution, which happens when a processor guesses next operations to perform based on previously cached iterations.

It is not known whether threat actors are currently using these bugs. Although due to their implementation, it might be impossible to find out, as confirmed by the vulnerability researchers:

Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.

Modern computer architecture isolates user applications and the operating system, which helps to prevent unauthorized reading or writing to the system’s memory. Similarly, this design prevents programs from accessing memory used by other programs.

What Meltdown and Spectre do is bypass those security measures, therefore opening countless possibilities for exploitation. Cloud providers (Amazon, Online.net, DigitalOcean) rushed to issue emergency notifications to their customers for upcoming downtimes in order to prevent situations where code from the hypervisor could be leaked from a virtual machine, for example.

The variant called Meltdown only impacts Intel CPUs, whereas the second set of variants called Spectre impacts all vendors of CPUs with support of speculative execution. This includes most CPUs produced during the last 15 years from Intel, AMD, ARM and IBM.

Several Proof of Concepts (POCs) have already been made available, and a video shows a memory extraction (using a non-disclosed POC).

Mitigations

A patch for the Meltdown bug has already been rolled out on Linux, macOS, and Windows 10 Insider Edition. Unfortunately, the fix comes with significant impact on performance, although estimates of how much vary greatly.

An advisory from Microsoft recommends users to:

1. Keep computers up to date.
2. Install the applicable firmware update provided by OEM device manufacturers.

If you are having issues getting the Windows update, please refer to this article, as Microsoft has stated some possible incompatibility issues with certain security software.

No software patch for Spectre is available at the time of this article. Partial hardening and mitigations are being worked on, but they are unlikely to be published soon.

The Spectre bug can be exploited via JavaScript and WebAssembly, which makes it even more critical. It is therefore recommended to apply some countermeasures such as Site Isolation in Chrome. Mozilla is rolling out a Firefox patch to mitigate the issue while working on a long-term solution. Microsoft is taking similar action for Edge and Internet Explorer.

The aftermath from these bugs is far from being completely understood, so please check back on this blog for further updates.

Vendor advisories:

• Intel: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
• AMD: http://www.amd.com/en/corporate/speculative-execution
• ARM: https://developer.arm.com/support/security-update

The post Meltdown and Spectre: what you need to know appeared first on Malwarebytes Labs.

https://blog.malwarebytes.com/feed/