2018 begins with a meltdown
If you are interested in why this critical vulnerability only has a 2 (out of 10) CVSS rating, check out our analysis here!
There were several predictions in 2017 about a huge surge in cyber-security related issues – whether in forms of actual attacks or in discoveries of major flaws and bugs that pose a major threat for businesses and individuals alike.
2018 began with a major meltdown.
A huge security flaw has been discovered in processors produced by Intel, AMD and ARM, targeting a technology that has been in use since 1995. Due the flaw being hardware-specific, almost any operating system is affected. This means that a large range of devices – from smartphones and tablets to computers and cloud servers are also at risk of attacks, data breaches and sensitive information theft.
The CPU manufacturers are aware of this. Their clients, such as Google, Microsoft and Apple are working on appropriate solutions for their operating systems, and the manufacturers planned to go public after they deployed the necessary patches – on the 9th of January. Now, due to some media outlets releasing information about the vulnerability prematurely, they are rushing to push out the patches earlier.
Where is the flaw?
Speculative execution. This technology allows a processor to predict which calculations it could do in parallel instead of sequentially – this is done to save time, which wastes some power but significantly increases processing speed and allows tasks to be completed more quickly. OK, but what’s the problem with this? – you might ask. The problem is that the processors do not check permissions correctly while making these calculations – which can contain sensitive data – which gives an opportunity for malicious applications to obtain data they normally should not have access to, e.g. from kernel space.
Put simply: the exposure of sensitive data in the processor was thought to be non-existent – this was the most fundamental isolation between user applications and operating systems. Speculative execution gives attackers the possibility to get data that doesn’t belong to their process by abusing CPU caches.
Put even more simply: The Spectre and Meltdown vulnerabilities allow a hacker to gain your credit card details or passwords through malware or malicious sites – if you use an unpatched device.
Ok, so Spectre and Meltdown. Difference?
Meltdown, as its name implies, melts down the – assumed – hard barrier between user applications and operation systems. This allows programs to access the memory of other programs and the operating system itself.
- Bad news: Meltdown is easier to exploit.
- Good news: It is also easier to fix.
Ont he other hand, Spectre breaks the isolation between different applications – allowing attackers to trick programs into leaking sensitive data.
- Bad news: It is much more difficult to mitigate and fix.
- Good news: It is more difficult to exploit, too.
Am I at risk as an individual?
In short: yes, you are. Even if you’re careful about security and store your sensitive data – such as login details – in a password manager or similar, the data can be accessed via the CPU’s internal memory by exploiting speculative execution. Even if you are more thoughtful and back up your data to a cloud service, your data is still at risk!
And my data in a cloud?
I’ll bring up a quick quote here, usually told as a joke in IT world, but in this case it is more than serious: “There is no cloud, only someone else’s computer.”
By taking advantage of Meltdown, hackers can, for example, rent a space on a cloud service – and once on the service, the flaw would allow them to grab information (like login details) from other customers.
Cloud services usually share machines among many users (multitenancy) which turns Meltdown into a major threat – even if the cloud service providers apply various security tools and protocols that are intended to separate different user data, the newly-discovered CPU flaw will allow hackers to find a way around.
How do I protect myself?
Patch, patch, patch! The security updates are being rolled out now continuously – make sure you update your operating systems on all your devices today and in the coming days.
For example, Google has posted a list of affected products and status of the security updates here.
Chromebook users with older versions will have to install an update, while the Chrome browser will receive a patch on January 23rd.
Updates are on their way for Apple products as well, if not deployed already.
For clouds, service providers such as Amazon Web services, Google Cloud Platform and Microsoft Azure are already patching their servers in their data centers – this may result in some downtime in their service.
While the patches and fixes apply only a „band-aid on the injury” – it should be sufficient to avoid data exposure. Full protection from Meltdown and Spectre will come only by replacing the vulnerable CPU hardware.