The first week of the new year was marked by the appearance of two major processor flaws, the so-called Meltdown and Spectre announced by Google Project Zero in this post, which affect most computers and devices in use today. The impact in terms of media coverage has been remarkable, and the topic has been discussed well beyond the circle of IT professionals.
Meltdown and Spectre briefly
Meltdown and Spectre are two distinct vulnerabilities that affect computer processors: not just servers, laptops and desktops but also micro-computers, specialized computers and IoT devices. They were discovered by four different research teams, who reported them to the CPU manufacturers several months prior to the publication of the news; the vulnerabilities themselves are not new, and have in fact existed for decades. No computer with a processor produced in the last 20 years should be considered immune and safe; a dedicated tool for Linux and BSD is available that reports the system's status, and a similar tool exists for Windows too.
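As an added example, not code from the original article nor from either of the checker tools it mentions, the following POSIX shell script reads the Linux kernel's own per-issue status files, which kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities/ (one file per issue, containing "Not affected", "Vulnerable: ..." or "Mitigation: ..."). The directory is a parameter so the same functions can run against a constructed sample directory; the sample contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): summarize the kernel's own
# reporting of Meltdown/Spectre mitigation status on Linux 4.15+.
# Each file under /sys/devices/system/cpu/vulnerabilities/ holds one line such as
# "Not affected", "Vulnerable", "Vulnerable: <detail>" or "Mitigation: <name>".

# Print "<issue><TAB><state>" for every status file in the directory.
# Return 0 when nothing is reported as Vulnerable, 1 when something is,
# 2 when the kernel does not expose the directory at all.
report_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no vulnerability reporting at $dir (kernel older than 4.15?)" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        state=$(cat "$f")
        case "$state" in
            Vulnerable*) rc=1 ;;   # any remaining "Vulnerable" line fails the check
        esac
        printf '%s\t%s\n' "$name" "$state"
    done
    return $rc
}

# Echo the number of issues still reported as Vulnerable (awk always exits 0,
# so an empty count prints 0 instead of failing the pipeline).
count_vulnerable() {
    report_cpu_vulns "$1" | awk -F'\t' '$2 ~ /^Vulnerable/ { n++ } END { print n + 0 }'
}

# Constructed sample directory (values made up for the demonstration): a host
# with Meltdown and Spectre v1 mitigated but Spectre v2 only partially covered.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Demonstration against the constructed sample. On a real host, call
# report_cpu_vulns with no argument to read the live sysfs directory.
sample=$(make_sample_dir)
report_cpu_vulns "$sample" || echo "issues still vulnerable: $(count_vulnerable "$sample")"
rm -rf "$sample"
```

The exit status makes the function usable from a configuration-management or fleet-inventory job: a non-zero return flags hosts whose OS patch or microcode update has not actually taken effect, which is the question the article's checker tools answer.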
We are not aware of any known attacks: antivirus software can detect the code used in an attack, but not the vulnerability itself.
Meltdown (CVE-2017-5754) applies only to Intel processors and essentially allows an attacker to overcome the security barriers that normally prevent applications from accessing information residing in memory; in this way an attacker can retrieve personal information such as passwords, credit card numbers, personal data and anything else held in the system's memory. The attack relies on the way "out of order" instruction execution is handled and bypasses memory protection by exploiting a privilege escalation flaw that is typical of Intel processors.
Spectre (CVE-2017-5753 and CVE-2017-5715) is instead a vulnerability that affects AMD, ARM and Intel processors and concerns speculative execution.
Speculative execution is an optimization technique adopted by modern processors in which some instructions are executed before they are actually requested, on the bet that in some cases it is cheaper to do the work ahead of time and have the result ready when the request arrives than to execute it in full afterwards. It is a matter of probability.
There are no reports at the moment of attacks based on Spectre and Meltdown, although malware samples that seem to exploit (or try to exploit) the vulnerabilities discussed here have been detected, apparently as proofs of concept.
Although vendors responded promptly to the threat as soon as it was publicly disclosed, the early release and insufficient in-depth testing of the updates led to numerous practical problems for users.
In fact, problems have been reported after installing the published patches, such as error messages, logon problems and random reboots. A less serious but still painful problem is degraded performance as a result of increased use of processor resources (although some users report that the problem disappears over time).
Compatibility problems arose between Windows and some antivirus products, resolved with a temporary workaround involving registry keys, unfortunately an operation not within reach of all users (i.e. home users).
Intel has recommended that OEMs, cloud providers, hardware vendors, software developers and end users stop developing current versions.
Microsoft initially suspended the distribution of updates for AMD systems after BSODs occurred during the boot process on systems equipped with certain AMD chipsets. On January 18, however, Microsoft announced the delivery of updates for AMD systems running Windows 7 SP1 and Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2, Windows 10 and 1709.
On January 29, Microsoft released an "out-of-band" set of patches that disable the Intel patch for Spectre (Spectre 3, a variant) because it made systems so unstable that it could even cause data loss or corruption on some of them. HP and Dell have also temporarily halted the release of BIOS updates containing that Intel patch. The Windows 10 Fall Creators Update (version 1709) released on January 31 resolved the problem with KB4056892, previously caused by an earlier attempt to fix the Spectre and Meltdown vulnerabilities.
The dilemma of whether or not to update has been further complicated by the fact that different kinds of patches were available, distributed not by a single body (or a small number of bodies to refer to) but by many institutions. There are updates for the Windows, macOS and Linux operating systems, web browser updates, general program updates, updates for UEFI firmware and BIOS updates for systems with vulnerable processors.
Both AMD and Intel work together with operating system developers and hardware vendors to create patches, but the IT sector does not seem to be fully aware of who is responsible for creating and deploying them, nor, in each case, of how and what to install.
At this address you can consult a schematic page that summarizes all available updates.
The communication strategy
Spectre and Meltdown created a lot of confusion among professionals and home and business users. In terms of image it has been a complete failure, especially for a giant like Intel, in addition to creating the legal prerequisites for hiding the existence of the vulnerabilities for months after the researchers reported them. The CEOs of companies such as Intel, AMD, ARM, Amazon, Apple, Google and Microsoft had been aware of this at least as early as June 2017, and for this they have been formally heard by members of the American parliament.
Quite a few security experts harshly criticized the non-observance of standard vulnerability disclosure practices, as smaller companies (including cloud providers and security solution developers) were not promptly informed by the vendors.
Some believed that everything was patchy, from the secrecy surrounding the release of faulty patches to the chaos and subsequent confusion within the industry and among customers.
The web is full of discussions about how vendors should have dealt with these risks differently. One thing everybody seems to agree on is that the instruction set architecture (ISA), which acts as the interface between hardware and software, must be reviewed with stricter security rules.
Recently Intel announced the release of fixed and updated patches, and that new CPUs will have additional security mechanisms built in. AMD and ARM also agree with the idea of "security by design" when designing processors, something that already happens with software, and with tighter collaboration with OEMs and operating system developers.
Communication methods will be revised in order to avoid the chaos of the first weeks of January, which saw conflicting information and no real point of reference.
We have not witnessed any attack based on Meltdown or Spectre so far, but security experts are not optimistic on the subject, and some vendors have already observed malware samples working at a lower level, which is a possible clue.