Fundamentally, programs are not able to eavesdrop on each other. This is a security protection designed to prevent, for example, the Candy Crush app from accessing my banking app. With Meltdown or Spectre this isolation no longer holds, and any program can steal photos, emails, passwords or (in the cloud) another company’s data.
Almost every device is vulnerable – phones, laptops, desktops, servers, even cloud computing services.
- Meltdown affects Intel & a small set of ARM
- Spectre affects Intel, AMD & ARM
With so many devices vulnerable, it is no shock that this has caused a media storm, with tremendous pressure to patch immediately and defend against attackers from all over the globe.
But the attacker has to already be on my machine to launch the attack, right?
This doesn’t mean don’t patch; you should immediately work this into your patch management cycle. What it does mean is that you have a little bit of time up your sleeve to make sure you patch it once and patch it right. If you have AMD you may not even have a choice, as Microsoft has paused its patching for some AMD CPUs due to systems not being able to boot after updating.
In total, three patches are required for full remediation.
1. Meltdown: CVE-2017-5754 – Rogue data cache load
2. Spectre: CVE-2017-5753 – Bounds check bypass
3. Spectre: CVE-2017-5715 – Branch target injection
For items 1 & 2:
Linux – Update through the package manager and reboot
All major Linux distributions have pushed updates to their package managers and should be applied in the same way all security updates are applied.
Windows – Update your AV, run automatic updates and reboot
Because some antivirus programs perform unsupported calls into kernel memory, the patches may cause blue screen of death (BSOD) errors. To prevent this, Microsoft requires antivirus programs to be up to date, and compatibility is signalled through a specific registry key that the antivirus sets when it updates. Once the key is set, automatic updates will apply the patches. If you do not use an antivirus, manually setting the registry key or installing Microsoft Security Essentials will work.
Item 3 can be trickier, as it requires a microcode change. Microcode is a low-level instruction set which performs control-level register operations, and changing it may require a BIOS update.
Linux users can perform a microcode update after booting if the file is placed in the /etc/firmware directory. The microcode can be found here: https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcod…
Windows users will have to perform a firmware update. For the majority, this will involve navigating to your motherboard vendor’s website, downloading the firmware update and following their instructions for successful patch installation.
Please note applying these patches may cause a performance degrade for your system.
How does Meltdown work?
To understand Meltdown, we first need to understand CPU speculative execution. Speculative execution was implemented to increase CPU efficiency. The approach was simple: the less time the CPU spends idle, the better, and it worked. In speculative execution the CPU “guesses” which branch will be taken, jumps ahead and pre-executes those instructions, keeping itself busy and, when the guess is correct, saving time.
Meltdown works by abusing this “jump ahead” execution. When the pre-executed path turns out not to be taken, its register and memory results are discarded. However, anything it loaded into the cache stays in the cache. The Meltdown attack works by having pre-execution pull sensitive memory data into the cache and then observing it from there.
How does Spectre work?
Spectre takes advantage of the same flaw Meltdown does: cached contents are not removed when pre-execution is discarded. However, Spectre is able to do it in a more reliable and targeted manner, whilst compromising a wider range of CPUs and being harder to patch.
Spectre achieves this by leveraging conditional branch mispredictions and mispredictions of the targets of indirect branches to trick the CPU into reliably pre-executing the attacker’s chosen code. This reliability, combined with the mispredictions themselves, gives Spectre a broad range of side-channel attacks leading to exposure of sensitive data.
Furthermore, Spectre is harder to patch as it requires modifications to the CPU architecture itself.
How can I check if I am vulnerable to Meltdown/Spectre?
Microsoft has supplied a PowerShell script for Windows users to check whether they are vulnerable. The following commands will allow you to run the script and check whether you are vulnerable.
Save-Module -Name SpeculationControl -Path WINDOWSPATH
Install-Module -Name SpeculationControl
*If required – Modify execution policy:
Import the module:
Import-Module -Name SpeculationControl
Run the module:
Reset the execution policy:
This can also be run via SCCM.
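The full sequence the steps above describe, as an added example rather than Microsoft’s script or the original post’s commands: it saves and restores the execution policy around the check and reduces the module’s result to a per-CVE verdict. The property names read from the result object are assumed to match the SpeculationControl module as published in early 2018; run Get-SpeculationControlSettings | Format-List if yours differ.

```powershell
# Added example: end-to-end SpeculationControl check with execution-policy
# save/restore. Result property names are assumed from the module as
# published in early 2018 (BTI* = CVE-2017-5715, KVAShadow* = CVE-2017-5754).
$savedPolicy = Get-ExecutionPolicy -Scope CurrentUser
try {
    # Allow the downloaded module to load for this user only
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module -Name SpeculationControl

    $s = Get-SpeculationControlSettings

    # Branch target injection needs BOTH the OS patch and new microcode/firmware
    $btiMitigated = $s.BTIHardwarePresent -and
                    $s.BTIWindowsSupportPresent -and
                    $s.BTIWindowsSupportEnabled

    # Meltdown: kernel VA shadowing is only required on affected CPUs
    $kvaMitigated = (-not $s.KVAShadowRequired) -or
                    ($s.KVAShadowWindowsSupportPresent -and
                     $s.KVAShadowWindowsSupportEnabled)

    $btiVerdict = if ($btiMitigated) { 'mitigated' }
                  elseif (-not $s.BTIHardwarePresent) { 'needs microcode/firmware update' }
                  else { 'needs OS patch or mitigation is disabled' }

    $kvaVerdict = if ($kvaMitigated) { 'mitigated' }
                  else { 'needs OS patch (check antivirus compatibility key)' }

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        BranchTargetInjection = $btiVerdict
        Meltdown              = $kvaVerdict
    }
}
finally {
    # Put the execution policy back even if a step above failed
    Set-ExecutionPolicy -ExecutionPolicy $savedPolicy -Scope CurrentUser -Force
}
```

The object it emits can be collected from many hosts (for example via SCCM or Invoke-Command) and filtered on anything that is not 'mitigated'.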
Stéphane Lesimple has released a spectre/meltdown checker script to test if a Linux distribution is vulnerable.
The script can be found here: https://github.com/speed47/spectre-meltdown-checker
And can be executed with:
How can I protect my Browser?
Internet Explorer/Edge – Microsoft has released a patch that will be automatically applied to Internet Explorer/Edge, enabling browser protections. Automatic updating will apply KB4056890 to help protect against Spectre.
Chrome – Google advises turning on a feature called “site isolation”, which loads each website into its own process. This prevents one site from stealing data from another website. It can be enabled by entering the following into the URL bar and selecting Enable:
Firefox – Mozilla has implemented two timing-related mitigations to reduce the risk exposure for Spectre. The mitigations will be included in Firefox 52.6 ESR and above.