Security researchers discovered that there are security bugs in the kernel of nearly every computer system that is capable of being exposed and exploited referred to Meltdown and Spectre. Outside of the software residing on a computer, the problem resides on the CPU itself. As an article published by TechCrunch.com explains:
In modern architectures, there are inviolable spaces where data passes through in raw, unencrypted form, such as inside the kernel, the most central software unit in the architecture, or in system memory carefully set aside from other applications. This data has powerful protections to prevent it from being interfered with or even observed by other processes and applications. Meltdown and Spectre are two techniques researchers have discovered that circumvent those protections, exposing nearly any data the computer processes, such as passwords, proprietary information, or encrypted communications.
There are essentially two functions that are being exploited. First, the processor caches previously performed actions or instructions performed by a program. The purpose of this is to improve performance in the future as it is expected that what a program did once it will do again. By having it cached it is able to execute faster.
Second, processors are designed to allow multiple programs to run at the same time or in parallel. To improve performance, processors perform speculative execution. Speculative execution – to keep it simple – enables a processor to execute commands or programs without all the information, but with enough confidence to launch. Think of it as getting a head-start and if it turns out to be wrong it simply stops. To ensure confidentiality between parallel running programs, engineers built in isolation to prevent one program from seeing what the other program is doing. For example, a web-browser is designed to allow multiple webpages to run in parallel (including multiple ads on a page), but prevent each respective page from seeing or knowing about the other. Both Meltdown and Spectre exploit these functions.
Meltdown
Meltdown primarily exploits the memory cache in Intel processors. It allows a normal program to read the operating system’s private memory, which a normal program should not be allowed to do. While the processor does check to see if an invalid memory access occurred, it performs the check after the initial execution that pulls from the cache. Thus resulting data loss, even if the full execution never occurs.
While web-based attacks using JavaScript are possible, a successful Meltdown attack requires local access to the target system in order to execute code. As such, either a hacker with remote access to the local system with sufficient privileges or an authorized user is necessary to successfully carry-out the attack.
Spectre
Spectre is more difficult to exploit, but also more dangerous as it can be executed via web exploit (such as malvertising). It exploits not only Intel processors, but AMD and ARM as well. Specter more or less tricks programs, including web-browsers, into accidentally revealing information that would not normally be accessible. It leaks the victim’s information via a side channel to the hacker. The danger from Spectre is magnified due to the functionality and volume of advertisements on websites. A malicious ad hosting Spectre JavaScript code could break the isolation barriers browsers use to keep different websites or ads from reading information in another website or ad.
It is important to note that these flaws and exploits are purely proof-of-concept. They have not been observed in the wild; there is no weaponized version at this time. However, as history has shown, proof-of-concept attacks – once publicized – are quickly operationalized by bad actors.
Who is vulnerable?
Every device that uses Intel, AMD, or AMR processors – which is nearly every networked device from computers to mobile phones to some baby monitors.
Impact Assessment
There is significant risk of confidential data loss. In the case of Spectre, in which it may exploit web-browsing, any information input or viewed in a browser could be compromised; ranging from credentials to chat messages to proprietary information on internal corporate webpages.
In the case of Meltdown, the risk is less as local access appears to be required. Nevertheless, if a bad-actor gains local access to the system, much more confidential data would likely be at risk as well as additional exploitation beyond Meltdown would be possible.
Mitigation Recommendations
· Patch all systems for critical vulnerabilities; Microsoft has released a number of security updates in related to Meltdown and Spectre (Note: the updates have some compatibility issues with various software. Please refer to this note from Microsoft.
· Install and use Ad-blockers in browsers
· Update web-browser software
The difficulty in applying the patches and updating the CPU is that they may significantly affect system performance. IT and Information Security leaders should thoroughly test the updates beforehand and determine if this is the right course of action for their organization.
Sources
https://www.lawfareblog.com/spectre-advertising-meltdown-what-you-need-know
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
