Just last week, we were looking back at the most significant hacks and attacks of 2017, and wondering what lay ahead for 2018. Well, wonder no more.
Security researchers have discovered two major design flaws in Intel processor chips that affect millions of devices—in fact, nearly every Intel chip produced since 2010 is at risk.
Intel’s response indicates that there will be no physical recall or replacement of their products, just a software patch.
Sources told The Register that Intel, AMD, and Arm were warned of these security holes back in June last year.
And in retrospect, Intel executives have been acting accordingly. Last month, Intel CEO Brian Krzanich sold $250,000 worth of Intel stock—the maximum amount he legally could let go of as CEO. Following that news, Intel is now being eyed for securities investigation.
No Ipswitch products are affected by the bug, for the record.
How Meltdown and Spectre Work
Meltdown can be exploited by normal programs to read the contents of private kernel memory, whereas Spectre allows, among other things, user-mode applications to extract information from other processes running on the same system. Spectre can also be used to extract information from its own processes.
You can watch the Meltdown flaw in action spying on passwords in the below video fromwww.spectreattack.com below, scary stuff.
That site also has extensive technical documentation on the attacks, for those looking for a detailed breakdown. For those less technically inclined, this twitter thread from security researcher Joe Fitz is a terrific analogy:
Here's my layman's not-totally-accurate-but-gets-the-point-across story about how #meltdown & #spectre type attacks work:— Joe Fitz (@securelyfitz) January 4, 2018
Let's say you go to a library that has a 'special collection' you're not allowed access to, but you want to to read one of the books. 1/10
The exploits are potentially even worse for virtualized environments, such as public clouds, where it could be possible for a guest VM to access the host machine’s physical memory to steal data from other customer’s virtual machines.
While it was initially thought that only Intel chipsets were affected, it turns out that certain Arm and AMD processors are also at risk, though to a lesser degree.
Basically, these flaws exist
Patches Are Here... But Could Cost Performance
Linux, Microsoft, and Apple have all acted swiftly to curb the impact of the Meltdown bug with workaround patches that separate the kernel’s memory from user memory with Kernel Page Table Isolation (KPTI). Unfortunately, this solution increases the kernel’s overhead, which could cause performance to slow down anywhere from 5-30 percent. The performance hit varies, depending on processor model and workload. Casual users and gamers, for instance, won’t see much difference—benchmark tests put the impact on those systems within the margin of error. However, database benchmarks showed a marked decline.
Ipswitch customers can use WhatsUp Gold to monitor CPU performance before and after patching, with the ability to alert on a given threshold.
Amazon, Google, and Microsoft have all pushed updates to their public clouds to protect customers from the Meltdown vulnerability.
The Spectre bug, on the other hand, is a harder fix. So far, there have been no sufficient software patches to fix the bug, and security researchers told the New York Times that a fix could require a full redesign of the processors.
The Bottom Line
As Edward Snowden put it, "When your computer asks you to apply updates this month, don’t click 'not now.'"
Honestly, the best advice we can give right now is to wait for patches and install any OS or security updates as soon as possible. Multiple vendors have created software patches to mitigate against these hardware vulnerabilities. You should review the information from the vendors and apply the patches accordingly. We also recommend testing out the patches in a test environment before applying to the production environment as issues (e.g. performance, system crashes) have been discussed in advisories.
For the Spectre bug to be exploited, bad guys will first need to run malicious code on your browser, or get you to download malicious software, so, as always, make sure your adblockers and antivirus are enabled, consider running site isolation in your browser and watch out for phishing emails.