Meltdown & Spectre CPU Vulnerabilities — The Facts in Brief

Ionx Solutions
Jan 5, 2018

This week has seen something unusual happen — CPU vulnerabilities, usually newsworthy largely in the infosec world, have hit mainstream news. The vulnerabilities, dubbed Meltdown and Spectre, which affect Intel, AMD and ARM chips, are serious, allowing programs to read the contents of memory used by other users’ programs — this will have many questioning the security of cloud hosting platforms.

For example, Intel chips affected by the Meltdown bug could allow malicious websites to read private or sensitive information from the user’s computer.

Similarly, on cloud platforms a user running a virtual machine hosted on Intel hardware could access memory from other customers’ virtual machines — both VMware and Xen have issued patches to address this issue, and cloud providers have been scrambling to apply patches issued by chip manufacturers. Unfortunately, the Intel fix is thought to degrade performance, and may have a significant impact on some workloads.

The Meltdown bug, which only affects Intel chips, is rather simple to exploit, as a PhD student at Vrije Universiteit in Amsterdam demonstrated:

The Spectre bug, which affects Intel, AMD and ARM chips, is more difficult to exploit, and AMD has played down the threat in a recent security advisory.

Meltdown: What to Do

Both Meltdown and Spectre can be addressed by software patches:

Intel CPUs: By the end of the week, Intel expects to have released patches for all CPUs introduced within the past 5 years — check with your system vendor for the appropriate updates
AMD CPUs: AMD has issued a response stating that they are not affected by Meltdown
Cloud Platforms: Amazon, Google and Microsoft’s Azure have all applied patches
Windows: Microsoft took the step of issuing an out-of-band patch on 03-Jan — Windows users should prioritise updating their systems
Linux: Red Hat has issued patches, with other distributions expected to follow
Apple: The most recent versions of iOS and macOS already contain mitigations, and further patches are expected soon
Web Browsers: The latest versions of Firefox, Internet Explorer and Edge all contain a fix, and Google will be issuing a patch later this month

Spectre: What to Do

While software patches are coming in fast for the Meltdown bug, and some will include mitigations for some Spectre variants, comprehensive patches are not expected any time soon for Spectre — the most effective mitigations will come through hardware redesign.

Ionx Solutions

Ionx Solutions is a leading provider of file integrity monitoring software. Verisys can detect unauthorized changes across your enterprise, providing data integrity assurance, and compliance solutions for PCI DSS and SOX.

Editor’s Note: Put a WEBGAP between you and the malware with a browser isolation technology or by leveraging a remote browser service.
