{"id":10999,"date":"2018-01-04T08:10:36","date_gmt":"2018-01-04T16:10:36","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/01\/04\/news-4770\/"},"modified":"2018-01-04T08:10:36","modified_gmt":"2018-01-04T16:10:36","slug":"news-4770","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/01\/04\/news-4770\/","title":{"rendered":"Meltdown and Spectre: what you need to know"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Thu, 04 Jan 2018 15:53:24 +0000<\/strong><\/p>\n

The Google Project Zero team, in collaboration with other academic researchers, has published information\u00a0about three variants of a\u00a0hardware bug with important ramifications. These variants\u2014branch target injection\u00a0(CVE-2017-5715<\/a>), bounds check bypass\u00a0(CVE-2017-5753<\/a>)\u00a0and rogue data cache load\u00a0(CVE-2017-5754<\/a>)\u2014affect all modern processors<\/em>.<\/p>\n

If you’re wondering if you could be impacted, the answer is most certainly yes.<\/p>\n

The vulnerabilities, named named\u00a0Meltdown<\/a>\u00a0and\u00a0Spectre<\/a>, are particularly nasty, since they take place at a low level on the system, which makes them hard to find and hard to fix.<\/p>\n

The core issue stems from a design flaw that allows attackers to dump memory contents from any device (personal desktop, smartphone, cloud server, etc.) exposing passwords and other sensitive data. The flaw in question is tied to what is called speculative execution<\/a>, which happens when a processor guesses next operations to perform based on previously cached iterations.<\/p>\n

It is not known whether threat actors are currently using these bugs. Although due to their implementation, it might be impossible to find out, as\u00a0confirmed by the vulnerability researchers:<\/a><\/p>\n

\n

Can I detect if someone has exploited Meltdown or Spectre against me?
<\/em>Probably not. The exploitation does not leave any traces in traditional log files.<\/p>\n<\/blockquote>\n

Modern computer architecture isolates user applications and the operating system, which helps to prevent unauthorized reading or writing to the system\u2019s memory. Similarly, this design prevents programs from accessing memory used by other programs.<\/p>\n

What Meltdown and Spectre do is bypass those security measures, therefore opening countless possibilities for exploitation. Cloud providers (Amazon<\/a>,\u00a0Online.net<\/a>,\u00a0DigitalOcean<\/a>) rushed to issue emergency notifications to their customers for upcoming downtimes in order to prevent situations where code from the hypervisor could be leaked from a virtual machine, for example.<\/p>\n

The variant called\u00a0Meltdown<\/em>\u00a0only impacts Intel CPUs, whereas the second set of variants called\u00a0Spectre\u00a0<\/em>impacts all vendors of CPUs with support of\u00a0speculative execution. This includes most CPUs produced during the last 15 years from Intel, AMD, ARM and IBM.<\/p>\n

Several Proof of Concepts (POCs) have already been made available, and a video\u00a0shows a memory extraction (using a non-disclosed POC)<\/a>.<\/p>\n

Mitigations<\/h3>\n

A patch for the Meltdown bug has already been rolled out on\u00a0Linux<\/a>,\u00a0macOS<\/a>, and\u00a0Windows 10 Insider Edition<\/a>. Unfortunately, the fix comes with significant impact on performance, although estimates of how much vary greatly.<\/p>\n

An advisory from Microsoft<\/a> recommends users to:<\/p>\n

    \n
  1. Keep computers up to date.<\/li>\n
  2. Install the applicable firmware update provided by OEM device manufacturers.<\/li>\n<\/ol>\n

    If you are having issues getting the Windows update, please refer to this article<\/a>, as Microsoft has stated some possible incompatibility issues with certain security software.<\/p>\n

    No software patch for Spectre is available at the time of this article. Partial hardening and mitigations are being worked on, but they are unlikely to be published soon.<\/p>\n

    The Spectre bug\u00a0can be exploited via JavaScript and WebAssembly, which makes it even more critical. It is therefore recommended to apply some countermeasures such as Site Isolation in\u00a0Chrome<\/a>. Mozilla is rolling out a Firefox patch\u00a0to mitigate the issue while working on a long-term solution<\/a>. Microsoft is taking similar action for Edge and Internet Explorer<\/a>.<\/p>\n

    The aftermath from these bugs is far from being completely understood, so please check back on this blog for further updates.<\/p>\n

    Vendor advisories:<\/p>\n