If you follow the news at all, you have heard the names Meltdown and Spectre. The terms refer to serious computer processor flaws. And coverage of Meltdown and Spectre has not been confined to IT news site and blogs. The mainstream media has covered the story breathlessly, raising the alarm to DEFCON 1 and putting the general population in a panic thanks to these two vulnerabilities. And while the security threats are among the most severe in InfoSec history, this reaction is not helpful. It might be useful to the general public to see how the IT community is reacting to this news, and more importantly, how we are responding to it.
This is what I intend to do with this particular news update.
Just in case you need a refresher, both of these vulnerabilities were uncovered by researchers at Google Project Zero, Cyberus Technology, and numerous academic institutions like the Graz University of Technology and the University of Pennsylvania. What sets these apart from any other vulnerability is that basically every personal computer and mobile device is affected by Meltdown and Spectre in one way or another. Meltdown impacts Intel chips made as far back as 1995 and Spectre is a threat to all modern processors regardless of manufacturer.
Meltdown is described in the threat report as follows:
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
As for Spectre, the summary states the following:
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets.
While the threat is large, the tech community has been working overtime to develop patches for these two critical exploits. It would be good if the media reported on these facts as vigorously as they are in spreading the news of the dangers involved with Meltdown and Spectre.
So far here are the various responses from major tech companies to the vulnerabilities:
- Microsoft stated that they "released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services."
- Intel promised that they were working on firmware updates to be released by various OEMs.
- Linux has released security patches that specifically address both Meltdown and Spectre.
- Google has stated that they have patched Android devices and that Chrome 64, due to be released "on or around January 23," will contain mitigations to protect against exploitation.
- Apple has said "All Mac systems and iOS devices are affected," but it has "released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown."
- The US-CERT recommendation is a bit more extreme in that they state "fully removing the vulnerability requires replacing vulnerable CPU hardware."
So with all of this in mind, what does this mean for the IT community? In short, a lot. It will require vigilance from security divisions to monitor any suspicious activity that remotely appears to be related to their processors. It will also mean massive headaches for sysadmins in charge of implementing patches. As has been shown, the patches for Meltdown and Spectre are being rolled out in different intervals, which will make the update process a lengthy one (especially considering the wide range of devices affected).
Additionally, should the US-CERT solution be implemented, a large cost of both time and money will be incurred with physically replacing every piece of vulnerable CPU hardware. Considering some entities in both the public and private sectors have issues with merely keeping up with patches or practicing sound cybersecurity methods, I cannot see this suggestion being implemented for in the short term.
While vigilance is required in this current situation, staying calm and listening to InfoSec professionals is truly your only option. We are bearing the brunt of this threat as it is our job to make sure you are safe, so please listen to our advice when we give it.