Scottish ethical hacker weighs in on ‘Spectre’ and ‘Meltdown’ chip vulnerabilities

The security flaws dubbed ‘Spectre’ and ‘Meltdown’ could allow hackers to steal data from almost all types of devices through vulnerabilities in Intel, AMD and ARM chips, the central processing units used across a huge number of devices, including smartphones, laptops and servers.

Gerry Grant, chief ethical hacker at the Scottish Business Resilience Centre and manager of Curious Frank Cyber Services, said: “The key thing that everyone should be doing with real urgency is to ensure their devices have the latest security updates installed. It can be far too easy to put this off, but these updates potentially contain the vital mechanisms to protect against these vulnerabilities.

“This stops criminals accessing potentially sensitive information; however, without these updates installed, devices can be left open to be exploited through these recently discovered potential security flaws.

“What is important to note with these flaws is they affect a vast range of devices regardless of the brand.

“It is not just personal devices that should be considered either – online storage facilities such as the cloud are also potentially subject to these flaws. The best thing to do is to check your provider has done the necessary security patches and always risk assess the information you are storing on these systems. Don’t save anything on cloud systems that you wouldn’t want hacked.”

Apple, Google, Microsoft and other tech giants have released updates for the flaws. Krebs on Security also provides a rundown on the threat.

“The Meltdown bug affects every Intel processor shipped since 1995 (with the exception of Intel Itanium and Intel Atom before 2013), although researchers said the flaw could impact other chip makers. Spectre is a far more wide-ranging and troublesome flaw, impacting desktops, laptops, cloud servers and smartphones from a variety of vendors. However, according to Google researchers, Spectre also is considerably more difficult to exploit.

“In short, if it has a computer chip in it, it’s likely affected by one or both of the flaws. For now, there don’t appear to be any signs that attackers are exploiting either to steal data from users. But researchers warn that the weaknesses could be exploited via JavaScript — meaning it might not be long before we see attacks that leverage the vulnerabilities being stitched into hacked or malicious Web sites.”

Microsoft this week released emergency updates to address Meltdown and Spectre in its various Windows operating systems. But the software giant reports that the updates aren’t playing nice with many antivirus products; the fix apparently is causing the dreaded “blue screen of death” (BSOD) for some antivirus users. In response, Microsoft has asked antivirus vendors who have updated their products to avoid the BSOD crash issue to install a special key in the Windows registry. That way, Windows Update can tell whether it’s safe to download and install the patch.

But not all antivirus products have been able to do this yet, which means many Windows users likely will not be able to download this patch immediately. If you run Windows Update and it does not list a patch made available on Jan 3, 2018, it’s likely your antivirus software is not yet compatible with this patch.

Google has issued updates to address the vulnerabilities on devices powered by its Android operating system. Meanwhile, Apple has said that all iOS and Mac systems are vulnerable to Meltdown and Spectre, and that it has already released “mitigations” in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. The Apple Watch is not impacted. Patches to address this flaw in Linux systems were released last month.

Many readers appear concerned about the potential performance impact that applying these fixes may have on their devices, but my sense is that most of these concerns are probably overblown for regular end users. Forgoing security fixes over possible performance concerns doesn’t seem like a great idea considering the seriousness of these bugs. What’s more, the good folks at benchmarking site Tom’s Hardware say their preliminary tests indicate that there is “little to no performance regression in most desktop workloads” as a result of applying available fixes.

Meltdownattack.com has a full list of vendor advisories. The academic paper on Meltdown is here (PDF); the paper for Spectre can be found at this link (PDF). Additionally, Google has published a highly technical analysis of both attacks. Cyberus Technology has their own blog post about the threats.