WHAT’S THE STORY?
On January 3, 2018, various media reports announced that researchers had discovered two major flaws in microprocessor design which leave the world’s laptops, desktops, servers, smartphones, other mobile devices and cloud services vulnerable to attack. Considering the nature of the vulnerabilities, it is highly unlikely that organizations will be able to detect whether a system has been successfully attacked.
Meltdown is a vulnerability affecting the main microprocessor manufacturers, with Advanced Micro Devices (AMD) currently reported as unaffected. Part of the reason this vulnerability exists is the race for microprocessor performance. To perform as fast as possible, a chip predicts which code it may need to run next. If this predictive assumption is wrong, the chip discards the operations it did not need. Remnants of the “speculative” code (which can include logins, passwords, personally identifiable information (PII) and encryption keys) remain in the memory cache at risk of exploitation. Meltdown enables attackers to execute software that can read this memory and capture the data. Meltdown is relatively easy to exploit, but patches are becoming available to remediate its effects. According to reports, these patches can degrade processor speed by five to 30 percent, which will affect cost and performance.
Spectre is a flaw in the architecture of microprocessor design, making processors from most, if not all, manufacturers vulnerable to attack. Fixing it is difficult and may rely on a new generation of redesigned microprocessors.
Of the two vulnerabilities, Spectre appears more serious, although it is harder to exploit. The repair for Spectre is challenging and will take the industry a long time to address completely, and the impact could be felt throughout a complete generation of CPU hardware.
WHAT DOES IT MEAN?
The information obtained from system memory can be used to conduct further attacks and expose vulnerabilities on a range of devices. Cloud services are also affected, as multiple virtual machines are often provided on a single physical machine. An attacker with a presence on a virtual machine in the cloud could theoretically use a specially crafted program to access the memory contents of other customers’ virtual machines on the same physical system. Although the performance impact is uncertain, older devices are likely to suffer most, and the resulting costs of poor performance may have to be absorbed by organizations. With the potential for services to be disrupted, and the difficulties of enforcing patch updates, the overall cost to businesses could be punitive.
WHAT CAN YOU DO?
Take practical steps today to protect your organization from future malware attacks that may exploit the Meltdown and Spectre vulnerabilities.
Prioritize patching, especially of virtual machine software.
Test patches for performance before deploying them to production.
Increase scrutiny of phishing e-mails that may contain attached executable files.
Regularly review performance metrics on cloud-based servers, looking for unexplained performance degradation.
Conduct adequate performance testing, and add more resources as required to arrive at the desired performance level—applying operating system (OS) patches to mitigate the Meltdown attack may degrade performance.
Take a risk-based review of the unpatchable systems in your estate—given the ubiquity of microprocessors, older systems running critical functions may be most at risk.
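
For Linux hosts, patch coverage can be confirmed from the kernel's own report. The script below is an added example, not part of the original briefing: it reads the status files that patched Linux kernels expose under /sys/devices/system/cpu/vulnerabilities and flags any host where Meltdown or Spectre is reported as vulnerable or is not reported at all. The function names and bucket labels are illustrative choices.

```python
"""Report Meltdown/Spectre mitigation status from Linux sysfs (added example)."""
from pathlib import Path

# Status files exported by patched Linux kernels (4.15+ and vendor backports).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map one kernel status line to a triage bucket."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(root=SYSFS_DIR):
    """Return {issue: (bucket, raw_status)} for each tracked issue."""
    report = {}
    for issue in ISSUES:
        path = Path(root) / issue
        try:
            raw = path.read_text().strip()
        except OSError:
            # No file: the kernel predates the reporting interface, so it
            # cannot confirm a fix. Flag the host for review.
            report[issue] = ("unknown", "not reported by kernel")
            continue
        report[issue] = (classify(raw), raw)
    return report


def needs_action(report):
    """List issues that are neither mitigated nor reported as not affected."""
    return [i for i in ISSUES if report[i][0] in ("vulnerable", "unknown")]


if __name__ == "__main__":
    result = audit()
    for issue, (bucket, raw) in result.items():
        print(f"{issue:12} {bucket:13} {raw}")
    # Non-zero exit lets a fleet-management job collect hosts needing review.
    raise SystemExit(1 if needs_action(result) else 0)
```

Hosts that land in the "unknown" bucket are natural candidates for the risk-based review of unpatchable systems described in the last step.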