Spectre and Meltdown: How Did This Happen?

As you are probably aware, Meltdown and Spectre are two hardware side-channel attacks that exploit speculative execution in modern processors, and they affect an unprecedented range of devices and systems built on AMD, ARM and Intel chips. Meltdown (CVE-2017-5754) lets an unprivileged process read kernel memory on Intel and some ARM parts; Spectre (CVE-2017-5753 and CVE-2017-5715) tricks a victim program, kernel or hypervisor into speculatively touching memory it should never read, on Intel, AMD and ARM processors alike. In both cases the data leaks out through cache timing rather than through any software bug, which is why the fixes are so widespread and so costly.

Fun fact: Meltdown and Spectre logos were created by Natascha Eibl.

To improve performance, processors execute speculatively: rather than waiting to learn the outcome of a branch (or the target of an indirect jump), the CPU predicts it and runs instructions down the predicted path ahead of time. If the guess turns out to be wrong, the architectural results are thrown away, but side effects such as which lines were pulled into the cache remain. Meltdown and Spectre turn those leftover cache traces into a channel: the attacker trains the predictor, induces a speculative read of data it is not allowed to access, and then measures cache timings to recover the value.
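The shape of the problem, and of the fix, is easier to see in code. The following C program is an added example, not code from the original article or from the Spectre researchers: it shows the Spectre variant 1 (bounds-check bypass, CVE-2017-5753) gadget pattern beside a hardened version that clamps the index with a branch-free mask, the same idea as the Linux kernel's array_index_mask_nospec(). The victim arrays and "secret" are constructed test data, and the program does not perform the cache-timing measurement itself; it demonstrates why the bounds check alone is not enough and how the mask closes the speculative window.

```c
/* Spectre variant 1 (bounds-check bypass, CVE-2017-5753): the vulnerable gadget
 * pattern and a branchless index mask that defuses it.
 * Added example, not code from the original article. The mask is the same idea
 * as the Linux kernel's array_index_mask_nospec(); all data here is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
#define CACHE_LINE_STRIDE 512   /* one cache line per possible byte value */

/* Constructed victim memory: a small public array immediately followed by a
 * "secret" the caller must never be able to index into. */
static struct {
    uint8_t array1[ARRAY1_SIZE];
    char secret[32];
} victim = {
    { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 },
    "constructed secret value"
};

/* array2 is the probe array: the gadget touches one line per byte value, so an
 * attacker timing array2 afterwards learns which value was loaded. Filled so
 * that array2[v * STRIDE] == v, which makes the functions below easy to check. */
static uint8_t array2[256 * CACHE_LINE_STRIDE];

void init_array2(void)
{
    for (size_t i = 0; i < sizeof array2; i++)
        array2[i] = (uint8_t)(i / CACHE_LINE_STRIDE);
}

/* Vulnerable gadget. Architecturally the bounds check holds, but while the
 * branch is being resolved the CPU may speculatively run the body with an
 * out-of-range x (e.g. ARRAY1_SIZE, which lands on victim.secret[0]), loading
 * array2[secret_byte * 512] into the cache. */
uint8_t victim_vulnerable(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[victim.array1[x] * CACHE_LINE_STRIDE];
    return 0;
}

/* Returns all-ones if index < size, zero otherwise, computed with pure
 * arithmetic so that no branch prediction is involved. */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
#if defined(__GNUC__)
    /* Hide index from the optimizer: inside the guarded branch the compiler
     * "knows" index < size and would otherwise fold the mask to all-ones.
     * Same trick the kernel uses (OPTIMIZER_HIDE_VAR). */
    __asm__ __volatile__("" : "+r"(index));
#endif
    /* If index >= size, (size - 1 - index) wraps around and sets the top bit. */
    size_t oob = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    return (size_t)0 - (oob ^ 1);
}

/* Hardened gadget: same result for valid x, but under misspeculation with an
 * out-of-range x the mask clamps the index to 0, so the speculative load
 * touches victim.array1[0] instead of the secret. */
uint8_t victim_hardened(size_t x)
{
    if (x < ARRAY1_SIZE) {
        x &= index_mask_nospec(x, ARRAY1_SIZE);
        return array2[victim.array1[x] * CACHE_LINE_STRIDE];
    }
    return 0;
}

int main(void)
{
    init_array2();
    printf("in-bounds x=3: vulnerable=%u hardened=%u\n",
           victim_vulnerable(3), victim_hardened(3));
    printf("mask(3,16)=%#zx mask(16,16)=%#zx\n",
           index_mask_nospec(3, ARRAY1_SIZE), index_mask_nospec(16, ARRAY1_SIZE));
    return 0;
}
```

The mask is computed from index and size with no comparison the branch predictor could guess, so it is correct even on the mispredicted path; the empty asm statement matters because, without it, an optimizing compiler sees the surrounding `if` and silently deletes the mask.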

Use InSpectre to Check Your System

Gibson Research Corporation released a small Windows utility called InSpectre that reports whether the machine is exposed to Meltdown and Spectre (it checks for the operating system patch and for updated CPU microcode) and suggests next steps. Microsoft's own SpeculationControl PowerShell module (Get-SpeculationControlSettings) reports the same information from the operating system's point of view.

Applications, operating systems and firmware all need to be updated; a patched OS running on unpatched microcode, or the other way around, is only partially protected.
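For Linux hosts the equivalent check to InSpectre is to read the status files the kernel exports under /sys/devices/system/cpu/vulnerabilities/ (present from kernel 4.15 and in the distribution kernels that backported the fixes). The following C program is an added example, not part of the original article or of GRC's tool: it reads and classifies those files, and when they are absent (an older kernel, or a non-Linux host) it falls back to constructed sample lines written in the kernel's own format so that it still runs.

```c
/* Classify the Linux kernel's Meltdown/Spectre status files.
 * Added example (not from the original article); the sysfs path is the real
 * Linux interface, the sample_lines[] strings are constructed test data. */
#include <stdio.h>
#include <string.h>

#define SYSFS_VULN_DIR "/sys/devices/system/cpu/vulnerabilities/"

enum vuln_status { STATUS_UNKNOWN, STATUS_NOT_AFFECTED, STATUS_VULNERABLE, STATUS_MITIGATED };

static const char *const vuln_names[] = { "meltdown", "spectre_v1", "spectre_v2" };
#define NUM_VULNS (sizeof(vuln_names) / sizeof(vuln_names[0]))

/* Constructed sample output, in the kernel's format, for hosts without the files.
 * The third line is what an early 4.15 kernel reports when it has only a
 * partial retpoline build: still flagged as Vulnerable. */
static const char *const sample_lines[] = {
    "Mitigation: PTI",
    "Mitigation: __user pointer sanitization",
    "Vulnerable: Minimal generic ASM retpoline",
};

/* Map one status line onto a coarse verdict. The kernel prefixes partial
 * mitigations with "Vulnerable:", so a prefix match is the right test. */
enum vuln_status classify_status(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return STATUS_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return STATUS_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return STATUS_VULNERABLE;
    return STATUS_UNKNOWN;
}

/* Read one status file into buf. Returns 0 on success, -1 if unavailable. */
int read_status_file(const char *name, char *buf, size_t len)
{
    char path[256];
    FILE *f;
    snprintf(path, sizeof path, SYSFS_VULN_DIR "%s", name);
    f = fopen(path, "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, (int)len, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';   /* drop the trailing newline */
    return 0;
}

/* Overall verdict over a set of status lines: 1 if every issue is either
 * "Not affected" or fully mitigated, 0 if any is vulnerable or unrecognised. */
int all_mitigated(const char *const *lines, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        enum vuln_status s = classify_status(lines[i]);
        if (s != STATUS_NOT_AFFECTED && s != STATUS_MITIGATED)
            return 0;
    }
    return 1;
}

int main(void)
{
    char bufs[NUM_VULNS][128];
    const char *lines[NUM_VULNS];
    int live = 1;

    for (size_t i = 0; i < NUM_VULNS; i++) {
        if (read_status_file(vuln_names[i], bufs[i], sizeof bufs[i]) != 0) {
            live = 0;
            break;
        }
        lines[i] = bufs[i];
    }
    if (!live) {
        printf("sysfs status files not available; using constructed sample lines\n");
        for (size_t i = 0; i < NUM_VULNS; i++)
            lines[i] = sample_lines[i];
    }
    for (size_t i = 0; i < NUM_VULNS; i++)
        printf("%-10s %s\n", vuln_names[i], lines[i]);
    printf("verdict: %s\n", all_mitigated(lines, NUM_VULNS) ? "mitigated" : "NOT fully mitigated");
    return 0;
}
```

A status of "Mitigation: PTI" for meltdown means the page-table isolation patch discussed later in this article is active; anything beginning with "Vulnerable" means the kernel knows about the issue and has not closed it, which is the case to escalate.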

Demo from the researchers using Meltdown to read a system's passwords out of memory. (Video courtesy of Michael Schwarz and YouTube.)

Intel Knew About It Months Ago

On June 1st, Jann Horn of Google Project Zero reported to Intel, AMD and ARM the issues that would become Spectre (the harder one to fix), and the details were placed under embargo so the vendors could prepare fixes before they spread.

Scrambling to gauge the impact of Horn's finding, engineers at Intel, Google, AMD and ARM dug in and realized that Spectre was not a single bug with a single fix: it touched applications, operating systems, firmware and processors across billions of devices.

On December 3rd, Michael Schwarz of Graz University of Technology contacted Intel. Having found the same class of problem with his colleagues Moritz Lipp, Stefan Mangard and Daniel Gruss (the work that became Meltdown), Schwarz was surprised to learn that the company already knew about it, had been working on patches for months, and did not want anyone to know about it yet.

On December 18th, Linus Torvalds merged the kernel page-table isolation (KPTI) patch set, which changes how the open-source Linux kernel maps its own memory while x86 user processes run, a day after releasing the latest kernel, which is unusual for a change of this size.

In the patch, Linux marked all x86 processors as affected (via the X86_BUG_CPU_INSECURE flag), including AMD processors.

On December 26th, AMD engineer Tom Lendacky posted to the public Linux kernel mailing list explaining why AMD chips did not need the patch, which was both an unusual change and one that visibly slowed systems down.

Lendacky wrote that the AMD microarchitecture does not allow memory references, including speculative references, that access higher-privileged data when running in a lesser-privileged mode if that access would result in a page fault. In other words, the speculative kernel read at the heart of Meltdown does not happen on AMD parts, so isolating the kernel's page tables buys them nothing.

The email set off a chain of speculation on Twitter, and a benchmark posted to the PostgreSQL mailing list showed roughly a 17 percent drop in throughput with the patch enabled. The conclusion was hard to avoid: speculative execution itself was the problem, and the Linux fix cost nearly a fifth of performance on that workload.

The Register broke the story on January 2nd, and the next day a researcher who goes by the name “brainsmoke” reproduced the bug with a working proof of concept and posted the results on Twitter. (Image courtesy of brainsmoke and Twitter.)

New Patches for Spectre and Meltdown

Most of the big vendors had fixes ready, or nearly ready, before the public disclosure.

NVIDIA released a security bulletin with driver updates, although it states that its GPU hardware itself is not vulnerable.

Google released Retpoline, a compiler-level mitigation for Spectre variant 2 (branch target injection), and the patch for Chrome is due on January 23rd. Until then, Google recommends turning on site isolation (chrome://flags/#enable-site-per-process, or the --site-per-process command-line flag), which keeps each site's renderer in its own process so that a Spectre read from a malicious page cannot reach another site's data. Devices running the latest Android security update are covered, according to Google; an older device that can no longer be updated is simply out of luck. Google's full list of affected products is posted and kept up to date.

Oracle has just released a Critical Patch Update Advisory with 237 fixes and reports that attacks are succeeding against systems that have not applied the patches.

Vendor advisories and patch information:

Intel: Security Advisory / Newsroom / Whitepaper
ARM: Security Update
AMD: Security Information
RISC-V: Blog
NVIDIA: Security Bulletin / Product Security
Microsoft: Security Guidance / Information regarding anti-virus software / Azure Blog / Windows (Client) / Windows (Server)
Amazon: Security Bulletin
Google: Project Zero Blog / Need to know
Android: Security Bulletin
Apple: Apple Support
Lenovo: Security Advisory
IBM: Blog
Dell: Knowledge Base / Knowledge Base (Server)
Hewlett Packard Enterprise: Vulnerability Alert
HP Inc.: Security Bulletin
Huawei: Security Notice
Synology: Security Advisory
Cisco: Security Advisory
F5: Security Advisory
Mozilla: Security Blog
Red Hat: Vulnerability Response / Performance Impacts
Debian: Security Tracker
Ubuntu: Knowledge Base
SUSE: Vulnerability Response
Fedora: Kernel update
Qubes: Announcement
Fortinet: Advisory
NetApp: Advisory
LLVM: Spectre (Variant #2) Patch / Review __builtin_load_no_speculate / Review llvm.nospeculateload
CERT: Vulnerability Note
MITRE: CVE-2017-5715 / CVE-2017-5753 / CVE-2017-5754
VMware: Security Advisory / Blog
Citrix: Security Bulletin / Security Bulletin (XenServer)
Xen: Security Advisory (XSA-254) / FAQ
Qualcomm: Press Release
Wind River: Security Advisory
Acer: Information and advisory
ASUS: PC information and advisory / Motherboard information and advisory
Dell/Dell EMC: Dell support / Dell EMC support
Fujitsu: Security and support
Getac: Security and support
Gigabyte: Security and support
MSI: Security and support
Panasonic: Security and support
Quanta: Security and support
Super Micro: Security and support
Toshiba: Security and support
Wiwynn: Security and support

A Word About Windows and Anti-Virus Software and Intel Microcode

Security researcher Kevin Beaumont maintains a list of which antivirus products are compatible with the Windows patches.

There are a great many antivirus products protecting millions upon millions of devices, and most of them are compatible with the Windows patches. The compatibility question matters in practice: Microsoft only offers the January update to machines whose antivirus has set the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat\cadca5fe-87d3-4b96-b7fb-a231484277cc (REG_DWORD 0), because products that make unsupported kernel calls caused blue screens with the patched kernel.

However, many antivirus programs are expired or no longer updated. Those should be removed in favor of the protection built into Windows 8.1 and Windows 10 (Windows Defender), which is compatible with the patches.

Some disgruntled antivirus vendors have lobbied regulators over Microsoft's practice of shipping integrated protection that breaks third-party products, but whatever the merits of that fight, blocking Windows patches now or in the future will leave your system vulnerable.

It isn't just PCs that are affected. Industrial systems are running into driver compatibility issues with Microsoft's Meltdown fixes, and Microsoft is advising operators of such systems to hold off on deploying the updates until the incompatibilities are resolved, which leaves those systems exposed in the meantime.

Microsoft also pulled its patch for AMD systems last week after some machines failed to boot once it was installed.

The patch has since been fixed and reissued for the majority of AMD systems, minus some older ones.

Intel released a microcode update that gives operating systems new branch-prediction controls (IBRS, IBPB and STIBP) to protect against Spectre variant 2. That microcode caused unexpected reboots on some systems.

Do not install Intel's microcode update on systems with Broadwell and Haswell processors until Intel ships a revised version.

Also check whether the BIOS or firmware update from your system or motherboard vendor bundles the affected microcode. If it does, hold off on that update as well.

Bottom Line

If this doesn't start a broad conversation about the danger of building everything on a handful of centralized designs, nothing will. It is at least getting attention in Congress: Rep. Jerry McNerney of California wrote a scathing letter to the CEOs of Intel, ARM and AMD.

As technology grows, the more we centralize and automate, the more exposed our personal information becomes. The same goes for the information held in industrial systems, which are still exposed today.