Overview of Meltdown and Spectre vulnerabilities

Both the Meltdown and Spectre vulnerabilities are basically design flaws in most modern CPUs (manufactured in the last decade or so). Some initial reports indicated that the vulnerabilities were specific to Intel CPUs, but it’s now confirmed that other CPUs are impacted (AMD, ARM, etc.). The root issue is the way that memory is segmented between kernel space and user space; basically, keeping user-level access away from kernel-level memory. The primary risk is that rogue applications can gain access to protected areas of memory that may contain sensitive data like passwords, encryption keys, PII / ePHI, etc. Because these are hardware vulnerabilities in the CPU, they are not specific to any operating system (Windows, Mac OSX, Linux, etc.).

Meltdown

Meltdown breaks this segmentation between the user application and the operating system, potentially allowing user level applications unauthorized access to kernel level memory.

Spectre

Spectre is similar to Meltdown but breaks the segmentation between the applications.  One possible use case would be the browser allowing one website (controlled by the attacker) to gain access to the data from a different website (e.g., bank, VPN portal, etc.).  The Spectre vulnerability is harder to exploit but is also harder to mitigate.

What is the risk?

Since both vulnerabilities affect the way that kernel memory is protected from user applications, the primary risk is for a rogue application (malware) to gain unauthorized access to data in protected memory.

What should I do?

  • Make certain to install any legitimate hardware, operating system or application updates as soon as feasible (e.g., once they have passed your internal testing process).
  • Make certain that Microsoft isn’t blocking your access to these (and all future) updates based on your antivirus software (a list of impacted antivirus products is available here).
  • Make certain that your antivirus software is up to date. Both vulnerabilities require an attacker to leverage malware to exploit.
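
Once updates are installed, it is worth confirming that the mitigations are actually active. The script below is an added example, not part of the original post: it assumes a Linux system whose kernel reports status under /sys/devices/system/cpu/vulnerabilities, the function names are hypothetical, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: summarise the Linux kernel's own Meltdown/Spectre status report.
# Assumption: a Linux kernel exposing /sys/devices/system/cpu/vulnerabilities.

# classify_status STATUS_LINE -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo OK ;;
        "Vulnerable"*)                  echo VULNERABLE ;;
        *)                              echo UNKNOWN ;;
    esac
}

# check_cpu_vulns [DIR] -> one line per issue; returns 1 if any is not OK
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
        else
            # A kernel without the updates has no such file: treat as unknown
            status="(not reported by this kernel)"
        fi
        verdict=$(classify_status "$status")
        [ "$verdict" = OK ] || rc=1
        printf '%-11s %-10s %s\n' "$name" "$verdict" "$status"
    done
    return $rc
}

# Constructed sample data so the example runs on any machine;
# call check_cpu_vulns with no argument to inspect the real host.
demo_dir=$(mktemp -d)
echo "Mitigation: PTI" > "$demo_dir/meltdown"
echo "Vulnerable" > "$demo_dir/spectre_v1"
check_cpu_vulns "$demo_dir" || echo "at least one issue is not mitigated"
rm -rf "$demo_dir"
```

A non-zero return from `check_cpu_vulns` makes it easy to flag unpatched hosts from a fleet-wide job.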

Other semi-random notes

  • Microsoft has released updates to mitigate these vulnerabilities but is blocking these and all future updates for users whose antivirus does not set a registry key.
  • Microsoft has paused the release of updates to devices with AMD chipsets because the updates leave some systems unbootable.
  • Raspberry Pi is not vulnerable to Meltdown or Spectre.
  • I suspect that the impact on IoT devices will be severe, as many (most?) of these devices are deployed and rarely if ever updated AND often have carte blanche access to the network.
