If you’re into IT security or are a business owner, you’ve undoubtedly heard about Spectre and Meltdown. These are two newly discovered vulnerabilities that affect your computers and servers on any network. Instead of reacting and being the first to market with information on these exploits, we’ve chosen to fully investigate them since there aren’t any real fixes yet.
In fact, Microsoft® issued an Emergency Windows® update to disable Intel’s “buggy” Spectre fixes as reported in a recent post by The Verge.
All IT companies, consultants, and manufacturers are scrambling to get ahead of these issues, but these exploits are still unraveling, and recent fixes by chip makers like Intel are creating more problems with their updates. We need to be patient: first, understand everything about the exploit, and second, work out what we can do to protect against these and future exploits like them.
What are Spectre and Meltdown?
The labels Spectre and Meltdown are nicknames for two major security flaws discovered in almost all CPUs (Central Processing Units).
Meltdown is a security flaw discovered in all Intel processors that allows access to the processor’s protected memory. That protection normally prevents applications from interfering with other data and keeps malicious software (malware) from being able to see or modify the data in memory.
Spectre affects Intel, AMD®, and ARM processors. What this means is that almost every PC, phone, tablet, and gadget is affected. Its method is a bit different from Meltdown’s, as it tricks software into disclosing information that would normally be secure. And since it works on many more types of chipsets, it’s going to be much harder to develop a fix. In short, Spectre is more difficult to exploit, but it’s harder to protect against.
Not only have security researchers named these flaws, but they’ve created icons or logos for them. If you would like to read more about the details on both Meltdown and Spectre, you can find the full security research report here. It’s very detailed with what these exploits can do and gives some examples.
Here are some things you may not know about Meltdown and Spectre:
- Meltdown exploits a feature in Intel chips that were designed in the 1990s.
- What is now called Meltdown was discovered by a team of 3 young researchers at the University of Graz in Austria in December of 2017.
- Just a few months earlier, a hacker from Google’s elite team of “bug hunters”, Jann Horn, discovered Spectre.
- Although the flaw resided in the processors for almost two decades, there were a total of 4 independent teams that discovered these exploits within a few months of each other.
- Some important methods have been created to solve the current problems of Meltdown and Spectre, but a fix is still years away.
9 Things You Need to Know About Your Business' Vulnerability
OK, maybe all of that is still a little too technical or a lot to consider, and you’re asking yourself, “What does this all mean to me?” or “What am I supposed to do?” We’ve made it easier to understand what happened, what you can learn from it, and whether it affects you as a consumer or business owner.
1. This is real. No, this is not a test.
Between the two of them, Meltdown and Spectre take advantage of vulnerabilities in almost all processors. These flaws allow software to steal data that a computer or device has access to. Most software is designed to see its own data but not the data of other applications in memory. If written correctly, malware could be designed to use Meltdown and Spectre to access the protected information that other applications store in memory. This could be a password application in your browser or your personal information, photos, email, private messages, and even business documents. Are you sitting down? This is pretty serious.
2. Everyone is affected by this vulnerability. Yes, that means you!
Meltdown and Spectre work on PCs, mobile phones, and anything stored in the cloud. Oh yes, the same cloud you are using as another place to access vital business information. Depending on your cloud provider's infrastructure, it may be possible to access all of your data, whether it is yours or your customers'. These possibilities are scary.
3. This exploit makes almost every device and computer vulnerable.
The information that can be leaked sits at the core of the device's processor, not in an outdated operating system or a software glitch as we have seen in other exploits in the past. If your system is affected, experts say the proof-of-concept exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.
4. Desktop, Laptop, and Cloud computers may also be affected by Meltdown.
Meltdown affects every Intel processor since 1995 (except Intel Itanium and Intel Atom before 2013). To date, Meltdown has been tested to work successfully on Intel processors released as far back as 2011. It’s not clear yet if Meltdown has any impact on AMD processors, but some ARM processors are affected by this exploit. Are you ready to forget all of your technology and go back to a Palm Pilot and flip phone? Well, we’re not even sure if that will work. Dial-up modems may not even be safe.
5. Spectre extends even farther than Meltdown and has larger ramifications.
Now let’s add Spectre to Meltdown, and this indeed affects just about every device that has a processor in it. Desktops, laptops, cloud servers, and smartphones too.
6. How can these exploits have any effect on information stored in The Cloud?
Cloud providers that currently use Intel-based processors for servers and virtual devices such as Xen PV may not have applied current security patches. You should check with your cloud providers right away to confirm they’re up to date on all fixes. Also, cloud providers that rely strictly on virtual devices built on containers that share a common kernel, such as Docker, LXC, or OpenVZ, are all affected by these exploits.
7. What are the basic differences between Meltdown and Spectre?
They both exploit memory to get access to what used to be secure information. Meltdown accesses arbitrary system memory. Spectre tricks other applications into providing access to information that is usually stored securely in their memory.
8. Is this issue industry-wide?
Intel has made a point of educating everyone that these security flaws are singling them out. This is much different than a recent post we did, The Biggest Security Mistake? It's Probably Not What You Think. In fact, Michael Knight, president and CTO of Encore Technology Group, Greenville, S.C., summarized the global impact of these security flaws when compared to software exploits: "This is significantly different because it's a critical hardware flaw, not a software flaw," said Knight. "The scale is massive."
9. What can you do to help yourself?
Although this paints a pretty dreary picture, all is not lost. You have to believe that there are a lot of smart people and leading tech companies working feverishly to fix these issues. Start by looking online to see current updates and what steps you can take to ensure your web browsers and devices are patched and up to date. Don’t go with the first patch you see. Make sure you read reviews from others who have used the patch successfully. Ask your IT provider what they are doing to ensure they install applicable firmware updates provided by your OEM device manufacturer as soon as they’re released. Additionally, look at existing equipment on the edge of replacement. Some of your devices that are already strained from a processing perspective will feel the most pain once this patch is applied. The industry is already seeing that the current fixes are slowing down processors; here’s an interesting read from Forbes.com: Meltdown Fixes Will Slow Intel Computer – Here’s All The Proof You Need.
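One way to check a Linux server's patch status yourself, as an added example that is not part of the original article: patched Linux kernels report the state of each flaw in files under /sys/devices/system/cpu/vulnerabilities, and this script reads and classifies them. The Linux host is an assumption, and the sample status strings are constructed for illustration.

```python
from pathlib import Path

# Assumption: a Linux host whose kernel reports per-flaw status in this sysfs directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
FLAWS = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Map one kernel status string to 'ok', 'at_risk' or 'unknown'."""
    text = status.strip().lower()
    if text == "not affected" or text.startswith("mitigation:"):
        # Any mention of "vulnerable" inside a mitigation line still needs attention.
        return "at_risk" if "vulnerable" in text else "ok"
    if text.startswith("vulnerable"):
        return "at_risk"
    return "unknown"  # empty or unrecognised: the kernel may predate this reporting

def read_statuses(base=SYSFS_DIR):
    """Return {flaw: status string}; a missing file yields an empty string."""
    statuses = {}
    for flaw in FLAWS:
        path = Path(base) / flaw
        statuses[flaw] = path.read_text() if path.is_file() else ""
    return statuses

def assess(statuses):
    """Return (overall, per_flaw); overall is 'ok' only when every flaw is 'ok'."""
    per_flaw = {flaw: classify(statuses.get(flaw, "")) for flaw in FLAWS}
    if all(verdict == "ok" for verdict in per_flaw.values()):
        overall = "ok"
    elif "at_risk" in per_flaw.values():
        overall = "at_risk"
    else:
        overall = "unknown"
    return overall, per_flaw

# Constructed sample: Meltdown and Spectre v1 mitigated, Spectre v2 still open.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    live = read_statuses()
    source = live if any(live.values()) else SAMPLE  # use the sample off Linux
    overall, per_flaw = assess(source)
    for flaw in FLAWS:
        print(f"{flaw:12} {per_flaw[flaw]:8} {source[flaw].strip() or '(not reported)'}")
    print("overall:", overall)
```

An "unknown" result means the kernel did not report a status at all, which on a server usually points to a kernel that has not yet received these updates.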
At AIS we want to make sure that our customers are the most informed business consumers around. It’s important to us to share information like this on a regular basis. Not reactive educational content but thoughtful content.