Dan Desko contributed to this article.
At Schneider Downs, many of our clients have been reaching out and asking for advice on how to deal with the recently reported global security vulnerabilities Meltdown and Spectre. This article discusses the weaknesses at a high level and provides our current recommendations.
The media has been covering these issues ad nauseam, and while they are serious vulnerabilities, we urge everyone to stay calm and research how they may affect their own systems. These are not the first significant security issues that have been released, and they certainly will not be the last.
What is the problem?
What you need to know about Meltdown and Spectre is that they are both related to issues within the CPU, the processor that powers most modern computing hardware like desktops, laptops, servers and mobile devices. This impacts physical computing systems, virtual systems and containers (e.g., Docker). In addition, those who use public cloud computing resources should be wary as it may be possible to use these vulnerabilities to view sensitive data belonging to other entities in a shared computing environment.
Through the discovered flaws it may be possible for malicious software to listen in on other legitimate and sensitive programs running on a computer, or even between virtual machines and containers running on the same hardware.
What can you do?
Keep following the security best practices and cyber hygiene you already work hard to maintain. Attackers cannot utilize these vulnerabilities if they can’t access your systems in the first place, which reinforces the need for strong layered defenses:
- Ensure your firewall rules have been reviewed recently;
- Monitor and review external traffic on a regular basis;
- Protect your users against phishing attacks through training and phishing mitigation software;
- Monitor unusual activity on the internal network;
- Keep antivirus software up to date;
- Ensure host-based protections are optimized, and so on …
Side-channel attacks against these vulnerabilities may allow others in a multitenant environment to view your data in an unauthorized manner. If you’re utilizing a shared environment, such as a public cloud infrastructure, you’ll want to follow up with your provider to see what measures they’re taking to address these issues within their infrastructure. We’ve seen reports that major cloud platforms are taking the threat seriously, and are actively managing their environments in efforts to remediate the threats. Amazon Web Services, Google Cloud, and Microsoft Azure have all deployed patches against the Meltdown attack, and there’s no indication that the available exploits could work against any of those platforms.
Patching What You Control
These flaws were properly disclosed to the affected parties in advance, which means that hardware and software vendors like Intel, AMD, Microsoft, Amazon and others have been working to create patches to update your devices, some of which are available now.
Meltdown has been reported to be an easier issue to correct and patches are currently available for Windows, Linux and OSX that help remediate the vulnerability. Spectre is reportedly harder to remediate because it may not be feasible to fix the vulnerabilities in software and may ultimately require the replacement of the CPU hardware. However, we have seen reports noting that Intel plans to have software and firmware updates available by January 12 to address the Spectre and Meltdown vulnerabilities in 90 percent of the affected processors sold since 2013.
We recommend you follow your standard update policy for critical patches to test and implement the patches available. Test each patch and consider its impact before installing it; we’ve seen reports regarding potential performance impacts.
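One way to confirm, after patching a Linux host, that the kernel reports the Meltdown and Spectre mitigations as active (an added example, not part of the original article). It assumes a kernel that exposes status files under /sys/devices/system/cpu/vulnerabilities (Linux 4.15 and later, plus kernels with that interface backported); the OK/ACTION/UNKNOWN labels are this example's own.

```python
"""Audit Linux kernel-reported mitigation status for Meltdown and Spectre."""
from pathlib import Path

# Assumption: the kernel exposes one status file per issue in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map a kernel status line to OK, ACTION or UNKNOWN (labels are ours)."""
    if status is None:
        # No status file: the kernel does not report mitigation state,
        # so the host cannot be confirmed as patched.
        return "UNKNOWN"
    text = status.strip()
    if text == "Not affected" or text.startswith("Mitigation:"):
        return "OK"
    if text.startswith("Vulnerable"):
        return "ACTION"
    return "UNKNOWN"


def audit(sysfs_dir=SYSFS_DIR):
    """Return {issue: (verdict, raw_status)} for each tracked issue."""
    results = {}
    for issue in ISSUES:
        try:
            raw = (Path(sysfs_dir) / issue).read_text().strip()
        except OSError:
            raw = None
        results[issue] = (classify(raw), raw)
    return results


def needs_attention(results):
    """List issues not confirmed as mitigated or unaffected."""
    return sorted(k for k, (verdict, _) in results.items() if verdict != "OK")


if __name__ == "__main__":
    report = audit()
    for issue, (verdict, raw) in report.items():
        print(f"{issue:12} {verdict:8} {raw or 'no status file reported'}")
    # Non-zero exit lets patch-management tooling flag the host.
    raise SystemExit(1 if needs_attention(report) else 0)
```

Running it before and after a patch cycle gives a simple record of which hosts still need follow-up.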
A more detailed account of these vulnerabilities, along with links to the affected vendors and their updates, can be found at the US CERT: https://www.kb.cert.org/vuls/id/584653
In addition, more detailed information and a number of informational FAQs can be found here: https://meltdownattack.com/
We’ll provide additional updates in subsequent articles as this situation evolves. If you have questions in the meantime, please do not hesitate to contact us.