By now you may have heard about two new major vulnerabilities – Meltdown and Spectre – that have been discovered by a collective of security research groups from Google’s Project Zero team, Graz University of Technology, University of Pennsylvania, University of Maryland, Rambus, University of Adelaide and Data61.
Meltdown and Spectre exploit critical vulnerabilities in modern processors (CPUs). These exploits allow programs to steal data that is being processed on a computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. Secrets like your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre not only effect personal computers, but also mobile devices and cloud environments (Amazon, Azure, Google, etc.). Depending on the cloud provider's infrastructure, these exploits potentially could steal data from other customers.
What is Meltdown and Spectre?
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system (Google Project Zero, Graz University of Technology).
If your computer has a vulnerable processor (CPU) and the operating system is unpatched, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. These best practices increase the attack surface and may make applications more susceptible to Spectre. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches (Google Project Zero, Graz, University of Technology).
We just wanted to let all our clients know that testing and releasing these patches are the highest priority of Hilltop’s Security team. Hilltop has already started testing these patches to make sure they do not cause any issues in any of our client’s networks. Hilltop will automatically release these patches to all client’s networks and/or systems ASAP.
Questions & Answers
Am I affected by Meltdown and Spectre?
Why is it called Meltdown?
The vulnerability melts security boundaries which are normally enforced by the hardware.
Why is it called Spectre?
The name is based on the root cause (not James Bond) "speculative execution." As it is not easy to fix, it will haunt us for quite some time.
What information can be leaked?
If your system is affected the exploit can read the memory contents of your computer. This may include stored passwords, personal photos, emails, instant messages and even business-critical documents.
Can my antivirus detect or block Meltdown and Spectre?
Not currently. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular safe applications. However, your antivirus may detect malware that takes advantage of the Meltdown and Spectre exploit, after they become known.
Can I detect if someone has exploited Meltdown or Spectre against me?
Unfortunately, no the exploitation does not leave any traces in traditional log files.
Is Meltdown or Spectre being used by hackers right now?
At this time no one has seen or knows if Meltdown or Spectre is being used by hackers in the public.
What systems are affected by Meltdown?
Desktops, Laptops, and Cloud computers could be affected by Meltdown. Every Intel processor since 1995 are affected by Meltdown. Currently, Meltdown has only been verified on Intel processors. At this time, it is unverified whether AMD and ARM processors are also affected by Meltdown.
What systems are affected by Spectre?
Desktops, Laptops, Cloud Servers, as well as Smartphones. Almost every system is affected by Spectre. Spectre has been verified on Intel, AMD, and ARM processors.
Is there a workaround/fix?
Yes, there are patches against Meltdown for Linux, Windows, and OS X. Hilltop will automatically release these patches to all client’s networks and/or systems ASAP.
What cloud providers are affected by Meltdown?
Any cloud providers that use Intel CPUs and Xen PV as virtualization without having patches applied. Cloud providers without real hardware virtualization are also affected.
What is the difference between Meltdown and Spectre?
Meltdown allows applications to gain access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory (Google Project Zero, Graz University of Technology).
What is Hilltop doing to protect me information?
Hilltop is working on testing the available patches for all client’s systems and networks. This will make sure that these patches do not cause issues or downtime in any client’s day-to-day operations. Once all patches have been approved they will automatically be applied to all MSP clients.
How do I know Hilltop has applied the patch to my system?
Hilltop will provide a “Patch Completion" email to list point of contact on your account.
What about that computers with Spectre, can my computer’s CPUs be patched?
Hilltop will work to apply any software vendor patches that help mitigate Spectre. Unfortunately, there are no patches for CPUs, just software. Hilltop will replace any hardware once a replacement CPU is designed without this vulnerability. Please note that redesigning a CPU may take years to accomplish.
Going forward what can I expect from Hilltop on these vulnerabilities?
Hilltop will continue to monitor these (and all known vulnerabilities) and apply patches/updates once they are available to all MSP clients.
If you have any questions regarding Meltdown, Spectre or any other cybersecurity concerns, please contact Hilltop Consultants Inc.
More information (links):