This week, a pair of vulnerabilities broke basic security for practically all computers. That’s not an overstatement. Revelations about Meltdown and Spectre have wreaked digital havoc and left a critical mass of confusion in their wake. Not only are they terrifically complex vulnerabilities, the fixes that do exist have come in patchwork fashion. With most computing devices made in the last two decades at risk, it’s worth taking stock of how the clean-up efforts are going.
Part of the pandemonium over addressing these vulnerabilities stems from the necessary involvement of multiple players. Processor manufacturers like Intel, AMD, Qualcomm, and ARM are working with the hardware companies that incorporate their chips, as well as with the software companies that actually run code on them, to add protections. Intel can’t single-handedly patch the problem, because third-party companies implement its processors differently across the tech industry. As a result, groups like Microsoft, Apple, Google, Amazon, and the Linux Project have all been interacting and collaborating with researchers and the processor makers to push out fixes.
So how’s it going so far? Better, at least, than it seemed at first. The United States Computer Emergency Readiness Team and others initially believed that the only way to protect against Meltdown and Spectre would be total hardware replacement. The vulnerabilities impact fundamental aspects of how mainstream processors manage and silo data, and replacing them with chips that correct these flaws still may be the best bet for high-security environments. In general, though, replacing basically every processor ever simply isn’t going to happen. CERT now recommends “apply updates” as the solution for Meltdown and Spectre.
What are Meltdown and Spectre?
Meltdown, designated as CVE-2017-5754, can enable hackers to gain privileged access to parts of a computer’s memory used by an application/program and the operating system (OS). Meltdown allows any application to access all system memory, including memory allocated for the kernel. Mitigation for this vulnerability will require operating system patches and potentially firmware updates. Patches for this vulnerability may have a performance impact on systems. So far, only Intel chips have been shown to be vulnerable.
Spectre, designated as CVE-2017-5753 and CVE-2017-5715, can allow attackers to steal information leaked in the kernel/cached files or data stored in the memory of running programs, such as credentials (passwords, login keys, etc.). This vulnerability may require changes to processor architecture in order to fully mitigate. According to Google Project Zero, this vulnerability impacts Intel, AMD, and ARM chips.
Modern processors are designed to perform “speculative execution.” This means they can “speculate” about which functions are expected to run, and by queuing these speculations in advance, they can process data more efficiently and execute applications/software faster. It’s an industry technique used to optimize processor performance. However, this technique permits access to normally isolated data, possibly allowing an attacker to send an exploit that can access the data.
What’s the impact?
Intel processors built since 1995 are reportedly affected by Meltdown, while Spectre affects devices running on Intel, AMD, and ARM processors. Meltdown is related to the way privileges can be escalated, while Spectre entails access to sensitive data that may be stored in the application’s memory space.
The potential impact is far-reaching: Desktops, laptops, and smartphones running on vulnerable processors can be exposed to unauthorized access and information theft. Cloud-computing, virtual environments, multiuser servers—also used in data centers and enterprise environments—running these processors are also impacted.
It’s also worth noting that the patches that have been released for Windows and Linux OSs can reportedly reduce system performance by five to 30 percent, depending on the workload.
Google’s Project Zero has proof-of-concept (PoC) exploits that work against certain software. Thankfully, Intel and Google reported they have not yet seen attacks actively exploiting these vulnerabilities.
So, who has patched?
Companies, if they haven’t already, are rushing to release the aforementioned “mitigations” against possible attacks that could exploit Meltdown or Spectre (a helpful patch list can be found on the Computer Emergency Response Team site). Why mitigations? Well, because the patches and updates mitigate the risk — but might not remove it completely.
Microsoft, on Jan. 3, released an update for devices running Windows 10 that was downloaded and installed automatically.
Google, for its part, issued a lengthy blog post on the same day detailing all the steps it had taken to protect users against both Spectre (Variants 1 and 2) and Meltdown (Variant 3). While a lot of that work happened behind the scenes, there are still some actions you need to take yourself. For example, you should definitely enable site isolation on Chrome.
Android devices with the most recent security updates are also protected from the above-mentioned variants.
Apple was a little late to the customer-facing party, but on Jan. 4 made it clear that it is indeed paying attention. Specifically, the company said that — just like with its competitors — its products are at risk. That includes “all Mac systems and iOS devices,” to be exact.
But wait, there’s good news! Patches to help defend against Meltdown were released in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and Spectre-focused patches for Safari should be hitting “in the coming days.”
What do I need to do?
Meltdown and Spectre are the real deal, and rightly have security professionals concerned. However, at this time there are plenty of things you can do to protect yourself that don’t involve buying a new computer.
Security researcher Matt Tait writes that, at least when it comes to Meltdown, typical computer users can mostly breathe easy. First and foremost, make sure your system is up to date. Download any and all patches for your operating system and browser of choice.
But, because more updates are coming down the pike, you’re not done. Be on the lookout for any and all future security releases and make sure to install them immediately. Don’t pull the classic “remind me later” bit.
And what about Spectre? This one is a little trickier.
“Spectre is harder to exploit than Meltdown, but it is also harder to mitigate,” explain the researchers behind the discovery. “However, it is possible to prevent specific known exploits based on Spectre through software patches.”
In other words, while nothing is perfect, much of the same advice applies as with Meltdown: update, update, update.
Which, well, has always been good advice.
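On Linux, you can confirm that the updates described above actually took effect: kernels that carry these fixes report per-vulnerability status under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not part of the original article or any vendor tool; the function name check_cpu_vulns is hypothetical, and the directory can be overridden so the logic can be run against constructed sample files.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status on a Linux host.
# Usage: check_cpu_vulns          (live system)
#        check_cpu_vulns DIR      (constructed sample directory)

check_cpu_vulns() {
    vuln_dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    worst=0

    # A kernel without this directory predates the reporting interface,
    # so the fixes cannot be confirmed from here.
    if [ ! -d "$vuln_dir" ]; then
        echo "UNKNOWN  no $vuln_dir (kernel does not report status; update it)"
        return 2
    fi

    # sysfs file name : CVE as listed in the article
    for entry in meltdown:CVE-2017-5754 \
                 spectre_v1:CVE-2017-5753 \
                 spectre_v2:CVE-2017-5715; do
        name="${entry%%:*}"
        cve="${entry#*:}"
        if [ ! -r "$vuln_dir/$name" ]; then
            echo "UNKNOWN  $name ($cve): not reported by this kernel"
            worst=1
            continue
        fi
        status="$(head -n 1 "$vuln_dir/$name")"
        case "$status" in
            "Not affected"*) echo "OK       $name ($cve): $status" ;;
            "Mitigation:"*)  echo "PATCHED  $name ($cve): $status" ;;
            *)               echo "AT RISK  $name ($cve): $status"; worst=1 ;;
        esac
    done
    return "$worst"
}
```

The function returns 0 only when all three entries read "Not affected" or "Mitigation: ...", so it can gate a patch-compliance check in a fleet script.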