A serious flaw has been discovered that affects almost every CPU manufactured in the last two decades. The flaw allows malicious software to steal data it's not supposed to have access to. The implications are huge!
There are actually two different flaws in play here. The first has been called “Meltdown”. Meltdown allows programs to access memory belonging to the underlying operating system. This breaks the fundamental isolation that’s supposed to exist between applications and the operating system. This affects all modern Intel processors from the last decade.
The second flaw is called “Spectre”. This allows one program to access the memory belonging to another unrelated program. Again, this is a fundamental isolation that operating systems are supposed to provide. This affects all Intel, ARM and AMD processors manufactured since around 1995.
In essence, these flaws mean that if an attacker/hacker can find a way to execute code on your computer, the code cannot be contained anymore. No software or system in existence can protect you. This affects all types of computers — laptops, desktops, tablets, phones, servers and even the cloud. In a shared computing environment such as Amazon Web Services, a breach of another customer who shares the same computing resources as you could result in you being breached too.
Microsoft will be releasing emergency patches in due course for Meltdown, but there is talk of a possible significant performance penalty of up to 30% as a result. If that’s the case, then low-end PCs and high-end virtualisation will be the big losers. Even so, what’s to stop malicious software reversing this patch and then exploiting the CPU flaw? There is currently no fix for Spectre.
I’ve been blogging for some time now about the importance of having a comprehensive arsenal of complementary security systems to protect yourself from malware, data breaches and the like. This is currently the only line of defense you have to protect your systems from this major security flaw. It better be a strong one!
If there’s any good news in this, it has been confirmed that the flaws only allow read access. Data cannot be changed in any way. The bad news – it’s impossible to detect if you have been compromised.
It will not be long before malware targets these vulnerabilities. Proof-of-concept code has already been validated. A detailed article is here: https://spectreattack.com/spec…. In theory, this vulnerability can be exploited to open other attack vectors, such as adding a rootkit to an operating system, bypassing all security and allowing anything to be done to the computer.
In terms of IT security, this is the most dangerous and severe situation I’ve ever encountered. I don’t believe the full impact can be understood at this early stage. The OS architecture we take for granted which keeps processes, virtual machines and containers in isolated “boxes” can no longer be trusted.
I will update this blog with more information as it comes to hand.
UPDATE 5 January 2018: Microsoft has released a patch for Windows. However, it conflicts with many antivirus programs. Most AV vendors have yet to release an update compatible with the MS patch.
UPDATE 8 January 2018: A CPU microcode update is also required. Vendors will release BIOS updates in due course.
While waiting for patches, you can mitigate your risk by following the usual security best practices: limit access to only known and trusted users; install only well-vetted, trusted applications; visit only reputable web sites with minimal obtrusive advertising and content pulled in from other sources; and, if feasible, turn off JavaScript in your browser.
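Because a kernel patch, an AV-compatible patch and a microcode update all have to line up before any mitigation is actually active, it helps to have a quick check rather than assuming a patch is in effect. The script below is an added example for Linux hosts (it is not from the original post): since kernel 4.15 the kernel reports its own view of each issue as one file per flaw under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, and more on later kernels), and a file whose contents start with "Vulnerable" means no mitigation is in force for that flaw on this kernel and microcode combination. The directory path is the real sysfs location; the function name report_mitigations and the VULN_DIR override are this example's own names.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the Linux kernel's
# reported speculative-execution mitigation status.
# Linux 4.15+ exposes one file per issue under this directory; VULN_DIR can be
# overridden to point at another location (used for testing offline).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# report_mitigations DIR
#   Prints "<flaw>: <kernel status line>" for every file in DIR.
#   Returns 0 when every flaw reports a mitigation (or "Not affected"),
#   1 when at least one entry starts with "Vulnerable",
#   2 when DIR does not exist (pre-4.15 kernel, or not Linux at all).
report_mitigations() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel too old to report mitigation status, or not Linux"
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        echo "$name: $status"
        # The kernel's own verdict: anything beginning with "Vulnerable" means
        # the patch/microcode combination on this host is not protecting us.
        case "$status" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone usage: report and exit non-zero if anything is still exposed.
report_mitigations "$VULN_DIR" || echo "WARNING: at least one flaw is unmitigated (exit $?)"
```

On Windows the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which reports separately whether the OS support and the hardware (microcode) support for each mitigation are present, which matches the two-part requirement described in the updates above.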
UPDATE 27 March 2018: Almost 3 months since this issue became public. What a disaster it’s been, especially for Intel. The first patch they released was buggy and later withdrawn. Consequently, Microsoft disabled their initial patch. There’s still no patch available which fully addresses the issue at hand. At the end of the day, this is going to be a long term problem that will only be mitigated by newer CPUs which don’t exist yet. Good security practices are currently the only line of defense.