08/01/2018

"Meltdown" and "Spectre": researchers discover severe CPU bugs

"Meltdown" and "Spectre": researchers discover severe CPU bugs SMB Security

Researcher Anders Fogh of G DATA Advanced Analytics laid the groundwork for the discovery of the CPU vulnerabilities which became known as “Meltdown” and “Spectre”, when he blogged about the possibility of abusing speculative execution in order to read kernel memory in user mode. He blogged about the topic as early as July 2017, writing about his view on the affair 

Although his blog post was not picked up by media at the time, Fogh’s work was subsequently quoted by both Google Project Zero, who published an extensive analysis of both vulnerabilities, as well as by the academic research team that independently discovered the issues.

Implications

The problem takes on a different and even more disturbing turn when considering that vulnerable CPUs are not only used in desktop PCs and servers. Smartphones and tablets can also be affected, as Google and Apple already confirmed – although the vulnerabilities cannot be exploited as easily on those devices. Networked devices such as healthcare machinery, IoT gateways, cars and critical infrastructure will also often contain vulnerable CPUs, with no easy way to update affected products. Due to the nature of the flaw, however, software updates alone may not do the trick – CPU microcode may need to be updated as well. For software or hardware that is no longer supported by the vendor, purchasing a new CPU or even an entirely new device may be required. Retrofitting a solution for legacy hardware is often either not possible or prohibitively expensive.

What do Spectre and Meltdown do?

By abusing a CPU design concept called speculative execution, malicious software can access privileged on the affected machine. The concept was originally designed to improve performance trying to load certain information before it is actually requested by a process. In a worst-case scenario, this would enable attackers to steal passwords and other sensitive data. While Spectre and Meltdown certainly harbour some risks for home users, the flaws are especially dangerous for operators of cloud services, who rely on servers that use susceptible hardware. The risk here is in the veritably large attack surface this offers and which potentially affects millions of customers and their data. For example, a malicious individual might purchase a regular subscription for a cloud service and use that legal access to the servers to steal data from other paying customers. Microsoft and Apple rushed to update their operating systems, with other platforms such as Linux and Android following suit.

G DATA customers remain protected

To address the vulnerability and to make sure that their solutions cannot be exploited to use either Spectre or Meltdown, Microsoft has already deployed mitigation fixes. Antivirus vendors were asked to confirm whether or not their solutions are compatible with the update by setting a specific registry key. G DATA’s solutions are compatible with the Microsoft update. To ensure that the Microsoft update is applied, make sure that Windows updates are enabled. No further action on the user’s part is required. No reinstallation of the G DATA software is necessary.

Taking further action

For enterprises, the avalanche of operating system and application patches that was triggered by the discovery of the vulnerabilities once again underlines the importance of a comprehensive patch management concept. Only by keeping track of the status of software versions and available patches can businesses ensure they close the window of opportunity for hackers to exploit vulnerabilities. By combining patch management with well-thought-out hardware and software support lifecycles, administrators can harden their IT infrastructure and improve information security.

Update: January 10, 2018, 11:30 - Patch Chaos, Performance & Compatibility

There is a degree of confusion and contempt around the situation with the Meltdown and Spectre vulnerabilities.
Yesterday, reports surfaced that Microsoft had pulled the mitigation update for certain systems. The reason for this was that some AMD chips displayed a different behavior in practice than was expected. According to Microsoft, the documentation provided did not match the hardware's actual behavior, which resulted in systems becoming unbootable in some cases. For this reason, Microsoft has stopped distributing the update to the affected systems.   
Last week, Microsoft approached AV vendors - including G DATA - and asked them to confirm whether or not their security solutions were compatible with the security update. If a solution was compatible, each vendor was to confirm this by creating a specific entry in the system database (registry). If this entry is missing, the update is not installed. The aim of this strategy is to restore security while preventing outages or other issues in certain systems. G DATA has reacted and confirmed that all solutions are compatible. Therefore nothing stands in the way of installing the update.
The solutions tested for compatibility are: G DATA AntiVirus, G DATA InteretSecurity, G DATA TotalSecurity, G DATA AntiVirus Business, G DATA ClientSecurity, G DATA EndpointProtection, (including Linux Web/MailSecurity Gateway) G DATA AntiVirus for Mac and G DATA InternetSecurity for Android. 

The situation is even more complex for mobile devices. If an Android device is not part of Google's own range of Pixel or Nexus devices, the other manufacturers need to provide updates. However, in the past, the heavily fragmented Android world has had an exceedlingly poor track record when it comes to distributing security critical updates, which are sometimes deployed with a delay of several months; every vendor needs to develop, test and distribute their own updates. This problem has plagued the android realm for a long time. Owners of older devices are mostly left behind, because many vendors are more interested in selling new devices rather than having to support older ones.

The reason for all this, however, remains an issue that is rooted in the hardware itself. Companies such as Microsoft or Apple can only work around the problem, but won't be able to fix it. This is where Intel needs to step in. The company has already promised to provide a firmware/microcode update for CPUs that were built in and after 2013 which will resolve the security issue. The updates come at a cost in performance, though, the extent of which can vary greatly from being "barely noticable" all the way up to performance drops in the two-digit percentage.

Update: January 23, 2018, 10:30 - Intel revokes microcode update

Intel has announced that they revoked one of the microcode updates which was supposed to address one of the "Spectre" attack scenarios. Further updates are therefore likely going to be delayed. The update in question has caused some systems to reboot at random, which may cause data loss. This again shows that things like microcode updates cannot be rushed under any circumstances in order to prevent further negative consequences.