Spectre and Meltdown: How Did This Happen?
Andrew Wheeler posted on January 18, 2018 | 2784 views

As you are probably aware, Meltdown and Spectre are two kernel side-channel attacks that are affecting an unprecedented range of computing devices and systems running AMD, ARM and Intel processors. The vulnerabilities allow attackers to steal sensitive data from the system memory by taking advantage of the way processors are designed to work.

Fun fact: Meltdown and Spectre logos were created by Natascha Eibl.
Fun fact: Meltdown and Spectre logos were created by Natascha Eibl.

To improve efficiency, processors are designed to use speculative execution, which means that they queue up a few probable operations to execute given input from the user. Basically, the processors speculate and use probability to guess which decision the user will make next to save time and improve performance.

Use InSpectre to Check Your System

Gibson Research Corporation released a tidy little program called InSpectre, which allows users to see how vulnerable they are to both exploits, and offers actionable next steps to help you protect your system.

Applications, Operating Systems and Firmware all need to be updated.

Demo from researchers using Meltdown to see a system’s passwords. (Video courtesy of Michael Schwarz and YouTube.)

Intel Knew About It Months Ago

On June 1st, Jann Horn from Google Project Zero wrote an email to Intel, AMD and ARM about the exploit that would become Spectre (the harder one to fix), and warned them not to share the information too quickly.

Scrambling to figure out the impact of the exploit discovered by Horn, Intel, Google, AMD and ARM researchers dug in and realized that the damage from Spectre would snowball into major problems for everything: applications, operating systems, firmware and processors across billions of devices.

On December 3rd, a researcher named Michael Schwarz from Graz University of Technology contacted Intel. Having found the epic vulnerability with his colleagues Moritz Lipp, Stefan Mangard and Daniel Gruss, Schwarz was surprised to learn that the company knew about it and had been working on patches and fixes for months and did not want anyone to know about it yet.

On December 18th, legendary programmer Linus Torvalds merged a patch that altered the way the open-source Linux kernel interacts with x86 processors a day after releasing the latest kernel, which is unusual.

For the patch, Linux listed all x86 processors as vulnerable, including ADM processors.

On December 26th, an email was posted to the public Linux kernel listserve by AMD engineer Tom Lendacky who explained why AMD chips wouldn’t need this patch, which seemed like a burdensome anomaly in that it was both unusual in nature and appeared to slow down systems.

Lendacky wrote that the micro architecture did not allow memory references, including speculative references that would leave higher privileged data vulnerable when running in a lower privileged mode when access would end up in a page fault.

This email set off a chain reaction of rumors on Twitter and a benchmark posted by researchers on the PostgreSQL listserve found a 17 percent decline in performance: speculative memory was officially an issue, and the Linux patch slowed down systems by nearly a fifth.

Eventually The Register broke the story on January 2nd, and the next day a kernel researcher who goes by the name “brainsmoke” found the bug and posted the results of his work on Twitter. (Image courtesy of brainsmoke and Twitter.)

New Patches for Spectre and Meltdown

Most of the tech giants were able to get a handle on the vulnerabilities prior to public notice.

NVIDIA released a security bulletin with security and driver updates, though they claim their GPU hardware is not vulnerable.

Google released their Retpoline fix for Spectre, and the patch for Chrome will be available on January 23rd. As a temporary solution, Google recommends turning on site isolation. If you have the latest version of Android, Google claims that you are ok. If you have an older device that won’t let you update, then you’re out of luck. Their complete list of their products with vulnerabilities is posted and up to date.

Oracle just release a Critical Patch Update Advisory with 237 patches and reports that malicious attacks are occurring successfully on systems without updated and installed patches.

 

Intel

 Security Advisory    /     Newsroom    /     Whitepaper

ARM

 Security Update

AMD

 Security Information

RISC-V

 Blog

NVIDIA

 Security Bulletin   /    Product Security

Microsoft

 Security Guidance    /     Information regarding anti-virus software    /     Azure Blog    /     Windows (Client)    /     Windows (Server)

Amazon

 Security Bulletin

Google

 Project Zero Blog    /     Need to know

Android

 Security Bulletin

Apple

 Apple Support

Lenovo

 Security Advisory

IBM

 Blog

Dell

 Knowledge Base   /    Knowledge Base (Server)

Hewlett Packard Enterprise

 Vulnerability Alert

HP Inc.

 Security Bulletin

Huawei

 Security Notice

Synology

 Security Advisory

Cisco

 Security Advisory

F5

 Security Advisory

Mozilla

 Security Blog

Red Hat

 Vulnerability Response   /    Performance Impacts

Debian

 Security Tracker

Ubuntu

 Knowledge Base

SUSE

 Vulnerability Response

Fedora

 Kernel update

Qubes

 Announcement

Fortinet

 Advisory

NetApp

 Advisory

LLVM

 Spectre (Variant #2) Patch   /    Review __builtin_load_no_speculate   /    Review llvm.nospeculateload

CERT

 Vulnerability Note

MITRE

 CVE-2017-5715   /    CVE-2017-5753    /     CVE-2017-5754

VMWare

 Security Advisory   /    Blog

Citrix

 Security Bulletin   /    Security Bulletin (XenServer)

Xen

 Security Advisory (XSA-254)   /    FAQ

Qualcomm

Press Release

 Wind River

Security Advisory

Acer

Information and advisory

ASUS

PC information and advisory.Motherboard information and advisory (separate links)

Dell/Dell EMC

Dell support. Dell EMC support.

Fujitsu

Security and support

Getac

Security and support

Gigabyte

Security and support

MSI

Security and support

Panasonic

Security and support

Quanta

Security and support

Super Micro

Security and support

Toshiba

Security and support

Wiwynn

Security and support

 

A Word About Windows and Anti-Virus Software and Intel Microcode

Cyber Security expert Kevin Beaumont made a list of compatible antivirus software, which you can access here.

There are tons of anti-virus software protecting millions upon millions of computing devices and systems, and the majority of them are compatible with Windows patches.

However, many anti-virus programs may be expired or no longer updated. These anti-virus programs should be deleted in favor of built-in protection in Windows 8.1 and Windows 10.

There are many semi-disgruntled anti-virus software providers who lobby regulators to crack down on Microsoft’s practice of breaking anti-virus software with integrated security protections baked into Windows OS, but blocking Windows patches now and in the future, will leave your system vulnerable.

It isn’t just computers and computing devices that are being affected. Industrial systems are running into driver compatibility issues with Microsoft’s prescribed Meltdown fixes. Microsoft is advising people running industrial systems to hold off on deploying their updates and fixes until they can resolve the incompatibility issues, leaving industrial systems vulnerable to malicious attacks.

Microsoft also pulled out their AMD systems patch last week after some machines were unable to reboot after installing them.

The patch has since been fixed and is available for the majority of AMD systems, minus some of the older ones.

Intel released a microcode updates that gave operating systems a few extra tricks to protect against Spectre. This microcode update ended up crashing a few systems.

Do not install Intel’s microcode update on systems with Broadwell and Haswell processors.

Be sure to check if the firmware update from your system and/or motherboard vendor did not include the new microcode. If they did, do not install the update.

Bottom Line

If this doesn’t open a huge cultural conversation about the inherent danger posed by hyper-centralized systems, nothing will. Fortunately, it looks like it is getting some attention from California Senator Jerry McNerney, who wrote a scathing letter to the CEOs of Intel, ARM and AMD.

With technology and growth, it seems like the more we centralize and automate, the more vulnerable our personal information becomes. Not to mention the information contained in industrial systems, which are still currently exposed.


Recommended For You