Spectre & Meltdown Processor Vulnerabilities: What You Need to Know

Isaiah Sarju
Revis Solutions Blog
7 min read · Jan 27, 2018

Spectre and Meltdown are confusing. Let’s clarify what’s going on.

What happened

In early January of 2018 two separate vulnerabilities were made public: Spectre and Meltdown. Actually Meltdown is a single vulnerability (CVE-2017-5754) and Spectre is a set of two vulnerabilities (CVE-2017-5753, CVE-2017-5715). And that’s where the confusion begins.

Let’s clear up a few things with a TL;DR:

  1. Spectre and Meltdown are vulnerabilities that take advantage of modern CPU design flaws.
  2. These vulnerabilities allow an attacker to read data from system memory. This is what the computer is thinking about, such as passwords, bank information, and sensitive documents.
  3. They are bad vulnerabilities, but there are some simple technical and behavioral steps you can take to protect yourself: Update your system and web browsers, limit browsing to reputable sites, and protect yourself online by only visiting HTTPS websites or using a VPN.

Do I need to be scared?

No — but do be wary. It’s important to keep things in perspective. It seems like we learn about a new vulnerability every other week. For non-technical and technical folks alike this can be overwhelming. And the media coverage doesn’t help. It makes it seem as if the sky is always falling.

One of the first things you have to learn as a security practitioner is that the sky is always falling, somewhere. But it might not be falling on you. And even if it is, you may be able to move a little to the right and miss all of the debris. That is to say: security is scary if we don’t approach it with a level head. Spectre and Meltdown are no different.

Yes, they are critical vulnerabilities, but let’s take a second to understand what they mean for the everyday user.

A deeper look at the issues

We’re going to delve a bit deeper and understand why Spectre and Meltdown are critical issues.

The first important aspect that Spectre and Meltdown share is the consequence of successful exploitation. If an attacker can exploit these issues she can read sensitive, privileged areas of memory (e.g. system passwords and secret encryption keys) and the memory of running programs (e.g. what you’re doing in your browser or your instant messaging application). This means she will have access to everything you are doing on your computer.

The second aspect is that Spectre and Meltdown require local access. An adversary needs to be on your system. An attacker who merely has network access, such as being on the same Wi-Fi as you, does not inherently doom your system to exploitation. However, there are three main ways of “getting on your system” that you need to be aware of. An attacker can get her code onto your system:

  1. Traffic Injection: By injecting traffic into an insecure, non-HTTPS web browsing session.
  2. Infected Sites: By loading her code on a malicious site that gets executed if that site is loaded.
  3. Malicious Downloads: By infecting a downloaded file with malicious code.

A defense in depth approach

In information security we have to assume that some part of a system has failed or will fail. We should not depend on a single mechanism to keep us safe (e.g. our network firewall or our antivirus). What if we go to a malicious site, making our network firewall irrelevant? Or what if a malicious program is so new that antivirus doesn’t pick up on it?

Approaching security from a defense in depth perspective gives us multiple opportunities to stop a potential attack, or to notice an attack that is in progress. Let’s take the three example attack vectors listed above and learn how we could protect ourselves against Spectre and Meltdown:

Traffic Injection

Both Spectre and Meltdown can use JavaScript to perform exploitation. JavaScript is used in most modern websites (such as Medium) and is not inherently bad. JavaScript allows programmers to design slick animations and extend site functionality beyond what is offered by HTML. But like most technology, an attacker can use this functionality for harm.

For an attacker to exploit these vulnerabilities with JavaScript she first has to get her code onto your system. She could do this by injecting traffic into an insecure web browsing session. We won’t go into the nitty gritty of this right now — but the key takeaway is that if you’re on an untrusted network (e.g. coffee shop wifi), an attacker can inject her code into your unprotected traffic. You can protect your traffic by only browsing HTTPS websites and by using a VPN.

HTTPS encrypts your traffic between your browser and the web server you’re connecting to. It causes your information to appear as unintelligible traffic to a would-be attacker. And more importantly, for these specific vulnerabilities, if your traffic is modified your browser will warn you. You can mandate that your browser only go to HTTPS sites using the HTTPS Everywhere browser plugin. You will no longer be able to visit non-HTTPS websites. To go to an unencrypted site, you’ll be forced to open another browser without the HTTPS Everywhere plugin — and consciously think about whether you still want to visit the site.

HTTPS Everywhere is not a panacea — it only protects traffic that’s generated by your browser. But our systems are constantly connecting to the internet (for updates, for syncing apps, etc.). To protect all of your traffic from modification use a VPN such as NordVPN or Private Internet Access.

If an attacker cannot modify your internet traffic, she cannot attack you directly by trying to inject malicious code into your network traffic. But she can, however, create malicious sites that will attack you if you unwittingly arrive at them.

Infected Sites

A malicious or infected site can host JavaScript code that will attack your system. The first step to avoid this type of attack is to be vigilant and avoid unreputable websites. There is rarely anything offered truly for free, so avoid pirated movie streaming services and other sites that offer services that seem too good to be true.

But even reputable sites can serve malicious JavaScript code. A good example is ad content, which is commonly loaded from third parties. The reputable site does not have direct control over the ad site’s JavaScript content, and much of this content may even be loaded in the background, without affecting what you see on the page. If the ad site is compromised, the user may unknowingly run malicious JavaScript code. To protect against this, consider setting up Quad9 as your system’s DNS server. DNS servers turn domain names (e.g. medium.com or revisolutions.com) into IP addresses (e.g. 104.16.123.127 or 198.49.23.144) which route the actual traffic through the Web. Quad9 will not allow traffic to domain names that are known to be malicious. To set this up follow the instructions here.

For the extra paranoid, or those with questionable internet browsing habits, consider using a JavaScript blocking extension such as NoScript for Firefox or JavaScript Blocker for Chrome.

By now we’ve blocked malicious code from being injected into our network traffic and taken steps to browse the Internet more safely. An attacker can still get past these protections by attacking the most vulnerable aspect of any computer system: the human behind the keyboard.

Malicious Downloads

True to a defense in depth mindset, we have to consider ourselves as a potential attack vector. We can take all of the technical steps we want to protect ourselves from potential attacks, but if we open attachments without thought, or download “free” software from a file sharing site, all of that work can be voided in an instant.

To defend against this final attack vector we have to take more behavioral actions, instead of technical actions. First, we need to be in the habit of updating our systems and programs when prompted — stop clicking the “Remind me Later” button! Microsoft and Mac have already released patches that mitigate some of Meltdown and Spectre. (Microsoft may actually force a reboot of your computer for critical updates — potentially at very inconvenient times, so do it on your own terms!)
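Updating is only half the job; it is worth confirming that the patches actually took effect. As an added example (not part of the original article, and Linux-specific): the Linux kernel reports its own Spectre and Meltdown mitigation status in one file per issue under /sys/devices/system/cpu/vulnerabilities/, and this small POSIX shell script reads those files and flags anything still reported as vulnerable. The file names and the "Not affected" / "Vulnerable" / "Mitigation:" wording are the kernel's; the functions and the directory parameter are mine so the check can also be run against a saved copy of the files.

```shell
#!/bin/sh
# Report the kernel's own view of Spectre/Meltdown mitigations.
# Each file under the vulnerabilities directory reads one of:
#   "Not affected", "Vulnerable[: detail]" or "Mitigation: <detail>".
# VULN_DIR defaults to the live sysfs path (assumption: a Linux host).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# status_of FILE: prints OK, VULNERABLE or UNKNOWN for one sysfs entry.
status_of() {
    f="$1"
    [ -r "$f" ] || { echo "UNKNOWN"; return; }
    line=$(cat "$f")
    case "$line" in
        "Not affected"*|"Mitigation:"*) echo "OK" ;;
        "Vulnerable"*)                  echo "VULNERABLE" ;;
        *)                              echo "UNKNOWN" ;;
    esac
}

# check_mitigations DIR: prints one line per issue and returns 1 if any
# issue is still reported as vulnerable, 0 otherwise (unknown is not fatal,
# it usually means an older kernel that predates the reporting interface).
check_mitigations() {
    dir="$1"
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        s=$(status_of "$dir/$issue")
        detail=$(cat "$dir/$issue" 2>/dev/null || true)
        printf '%-10s %-11s %s\n' "$issue" "$s" "$detail"
        [ "$s" = "VULNERABLE" ] && rc=1
    done
    return $rc
}

# Run against the live system only if the sysfs directory exists here.
if [ -d "$VULN_DIR" ]; then
    check_mitigations "$VULN_DIR" || echo "WARNING: unmitigated issue(s) reported"
fi
```

A "Vulnerable" line after updating usually means the kernel or microcode update has not been applied yet or the machine has not been rebooted into it.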

Second, we need to be constantly vigilant of what emails we’re opening, especially those with attachments. Don’t download attachments from unsolicited emails. Open attachments in a web based reader such as Google Docs, which allows you to see and even edit content without ever downloading the file to your local hard drive. Additionally, download software from reputable sources such as your system’s official app store. Avoid “free” programs, music, or movies from unverified sources or file sharing sites.

If you’re still suspicious of a file, it never hurts to upload it to a free scanning tool such as VirusTotal to scan it for known malware.

With the risks from these three attack vectors mitigated or reduced, we are in much better shape than when we started.

Non-technical takeaways

Spectre and Meltdown have sent shockwaves through the security industry and caused confusion among non-technical technology users (and some security professionals for that matter).

Indeed, these attacks are not to be taken lightly. If an attacker executes her code on your system she can read all data in memory, compromising any information that you’ve accessed recently (e.g. system passwords, bank details, open files). But we can take steps to decrease successful exploitation: keeping our systems and programs updated, protecting our internet traffic from modification, and staying wary of the sites that we visit and the files that we download.

UPDATE: I’ve written a follow-up article to this that focuses on the technical aspects of these vulnerabilities.
