The major CPU manufacturers and software organisations are struggling to patch the first major digital security problem of 2018 – which could affect more people around the world than any other security problem to date.
As the bug exists at a hardware level, computers running Windows, Linux and Mac OSX are all vulnerable – as well as smartphones and cloud-hosting providers.
Security researchers have found two flaws within the kernels of most modern Central Processing Units, which allow data to be compromised within the processor architecture itself. From a security point of view this is bad news. However, the fix may be worse, slowing the CPUs down by 5-30% according to some sources.
The two critical vulnerabilities, codenamed Meltdown and Spectre, act differently, but between them will affect a high percentage of the world’s digital devices.
Meltdown affects Intel processors specifically and enables user applications to access locations within kernel memory. In normal operation, by segregating and protecting memory space, applications are prevented from interfering with each other’s data. This also prevents malicious software from being able to see and modify that data. Meltdown makes this process fundamentally unreliable.
Spectre can target processors from Intel, AMD, and Arm, which puts it inside a vast array of mobile phones, embedded devices, and most modern devices with a chip inside them. Unlike Meltdown, Spectre fools applications into disclosing information that would normally be inaccessible, inside protected memory. While this is a more complex attack than Meltdown, it exploits a process used across multiple chip architectures, which makes it a far more difficult issue to address.
Patches for Meltdown are already available for Windows, Linux and (kinda-sorta) for OSX. The fix makes use of Kernel Page Table Isolation (KPTI), which separates the kernel entirely from user processes. However, this fix comes at a cost.
When a program needs the computer to do something such as open a connection or write a file, it needs the kernel to do so. That requires handing control back from the user process to the kernel. Currently the kernel is virtually present (though invisible) to user processes, to make this handover as fast and efficient as possible.
By using KPTI, the kernel is moved to an entirely separate space, so the user process has no access whatsoever. This solves the Meltdown vulnerability, but means that switching back and forth between the kernel and user process will take more time. The impact on individual devices is difficult to estimate, as it depends on what sort of tasks the machine is asked to do as well as the specific processor being used. Activities such as web browsing, office work and watching online media are unlikely to be affected, but anything which uses the processor intensively may be noticeably affected.
The bug will impact most of the leading cloud providers including Amazon EC2, Microsoft Azure, and Google Compute Engine. Both Microsoft and Amazon have warned users that maintenance and security updates will be forthcoming in the very near future.
CNET has provided a handy guide to how users can protect themselves from the exploits across Windows, Mac, Google Chrome devices, and Android phones (tl;dr version: update your software as soon as the next patch appears!)
The Spectre vulnerability is much harder to patch against, as it allows attacks from other programs. The KPTI fix for Meltdown doesn’t stop Spectre attacks. It will require software to be redeveloped to defend against attacks from other programs (yes, all software) or a new microcode update for the processor chipset. Security researcher Daniel Gruss told ZDNet that Spectre could ‘haunt us for years’.
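Because the KPTI fix and the Spectre fixes arrive separately, a patched Linux machine can be checked issue by issue. The script below is an added example, not part of the original article: it reads the status files that patched Linux kernels expose under /sys/devices/system/cpu/vulnerabilities/ (a path the article does not mention), and falls back to a constructed sample directory when that path is absent.

```shell
#!/usr/bin/env bash
# Added example: audit the kernel's own Meltdown/Spectre status reports.
# Patched Linux kernels expose one status file per issue in sysfs.

# Map one status line to PATCHED, NOT_AFFECTED, VULNERABLE or UNKNOWN.
classify_status() {
  case "$1" in
    "Not affected"*) echo NOT_AFFECTED ;;
    "Mitigation:"*)  echo PATCHED ;;
    "Vulnerable"*)   echo VULNERABLE ;;
    *)               echo UNKNOWN ;;
  esac
}

# Print "<issue> <verdict> <raw status>" for each issue.
# Returns 1 if any issue is neither PATCHED nor NOT_AFFECTED.
audit_dir() {
  local dir="$1" issue status verdict rc=0
  for issue in meltdown spectre_v1 spectre_v2; do
    if [ -r "$dir/$issue" ]; then
      status=$(cat "$dir/$issue")
    else
      # A missing file usually means the kernel predates the fixes.
      status="(no report from this kernel)"
    fi
    verdict=$(classify_status "$status")
    printf '%-11s %-13s %s\n' "$issue" "$verdict" "$status"
    case "$verdict" in PATCHED|NOT_AFFECTED) ;; *) rc=1 ;; esac
  done
  return "$rc"
}

# Constructed sample: KPTI is active, Spectre variant 2 is still open.
make_sample() {
  local d; d=$(mktemp -d)
  echo "Mitigation: PTI" > "$d/meltdown"
  echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
  echo "Vulnerable" > "$d/spectre_v2"
  echo "$d"
}

# Audit the real host if it reports; otherwise use the constructed sample.
target=/sys/devices/system/cpu/vulnerabilities
[ -d "$target" ] || target=$(make_sample)
audit_dir "$target" || echo "at least one issue is unmitigated or unreported"
```

On the constructed sample the Meltdown line reads PATCHED while spectre_v2 reads VULNERABLE, which is the gap the paragraph above describes.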
Updates and Outdated Hardware
Gerry Grant, the Chief Ethical Hacker at the Scottish Business Resilience Centre, told DIGIT: “The key thing that every business should be doing with real urgency, is to ensure their devices have the latest security updates installed. This stops criminals accessing potentially sensitive information.
“Without these updates, devices can be left open to exploitation through these recently discovered potential security flaws, which affect a vast range of devices, regardless of the brand.
“On top of that companies should ensure they aren’t using hardware that is reaching its end of life. These are often outdated and are an easier target to be hacked. If you have been putting off that investment, doing it sooner rather than later is the best way to protect yourself.
“It is not just personal devices that should be considered either – online storage facilities such as the cloud are also potentially subject to these flaws. The best thing to do is to check your provider has done the necessary security patches and always risk assess the information you are storing on these systems. Don’t save anything on cloud systems that you wouldn’t want hacked.”
Watch This Space…
The bottom line here is that a vast range of devices are going to be vulnerable to these threats. Fixes for Meltdown are already available and should be applied as soon as they appear. Fixes for Spectre are likely to take far longer and require a lot of hard work from the world’s hardware and software giants alike. As TechCrunch points out, the fact that so many different devices, across so many manufacturers, are affected makes the idea of any kind of ‘recall’ well nigh impossible.
DIGIT will update you as the situation evolves. In the meantime – update your devices. All of them.