On 4 January 2018, news broke concerning a pair of CPU vulnerabilities seemingly affecting pretty much all computers. The security flaws, named Meltdown & Spectre, were discovered by security researchers at Google’s Project Zero, and found in processors designed by Intel, AMD and ARM.

Meltdown exploits side effects of out-of-order (‘speculative’) execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords.1

Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary.2

Revelations about Meltdown and Spectre have caused havoc and left a critical mass of confusion in their wake. Not only are they complex vulnerabilities, the fixes that do exist have come in patchwork fashion. Also there is no single fix for the Meltdown and Spectre attack variants; each requires protection independently.

What does it actually mean for you?

Our advice is avoid trying to understand the intricacies of it all, as you’ll go stir crazy. It’s a processor problem. So replace your processor, and in the meantime make sure you apply the OS, software and  firmware patches appropriate to you to help mitigate this class of vulnerability.

Additional info

Some useful additional info/links:

Google Security Blog says:

  • Variant 1 (CVE-2017-5753), “bounds check bypass.” This vulnerability affects specific sequences within compiled applications, which must be addressed on a per-binary basis.
  • Variant 2 (CVE-2017-5715), “branch target injection”. This variant may either be fixed by a CPU microcode update from the CPU vendor, or by applying a software mitigation technique called “Retpoline” to binaries where concern about information leakage is present. This mitigation may be applied to the operating system kernel, system programs and libraries, and individual software programs, as needed.
  • Variant 3 (CVE-2017-5754), “rogue data cache load.” This may require patching the system’s operating system. For Linux there is a patchset called KPTI (Kernel Page Table Isolation) that helps mitigate Variant 3. Other operating systems may implement similar protections – check with your vendor for specifics.

We recommend reading their Summary/Mitigation table.

Forbes has created a list of fixes.

Here are the technical  papers:

  1. https://meltdownattack.com/meltdown.pdf
  2. https://spectreattack.com/spectre.pdf

Keep your business secure with Secarma

We believe that the security of your critical networks and data is key to your organisation’s success. Whatever your sector, whatever your size, our mission is to help you to seize the competitive advantages of providing your clients with security, compliance, and reliability.

See how Secarma can help

Latest

ledgeredge trading corporate bonds cybersecurity fintech

vISM Case Study: Working in Close Partnership with LedgerEdge

Secarma and LedgerEdge have developed an ongoing consultancy-based cybersecurity partnership, workin...

Cybersecurity Misconceptions

At Secarma, we're passionate about security. That's why, as part of Cybersecurity Awareness Month 20...

Cybersecurity Events in the Capital

Over the past month or so, the Secarma team have been very busy with cybersecurity events. From the ...