INFORMATION SECURITY NEWS
Special Update: MELTDOWN and SPECTRE
The Information Security News Service is a project of LARS (Laboratory for Advanced Research in Systems) in the CS Department at the University of Minnesota Duluth. We send out top stories in information security (typically) every Tuesday. If you have stories you’d like to see featured, please email them to infosec...@d.umn.edu.
tl;dr: There are big new vulnerabilities out there, a critical one affecting virtually all Intel chips and a major one affecting virtually all chips. Automatic updates from your OS manufacturer should protect you, but will have a performance penalty of 5-30% depending on hardware and workload.
By now, you've probably heard that there are some newly discovered and extremely serious vulnerabilities in hardware affecting virtually all computers and devices. They're called "Meltdown" and "Spectre." Meltdown affects anything running Intel chips from the last 20 years (back to, but not including, Pentium), e.g., your laptop and/or desktop computers. Spectre affects many more manufacturers, including AMD, ARM and perhaps others, but is somewhat more obscure and possibly harder to exploit.
These exploits could allow an attacker to steal data or passwords from your computer's memory by circumventing virtual memory protections. Data acquired could include passwords used for administration, banking, etc. or sensitive data in memory, like encryption keys. For people using shared cloud servers, Meltdown enables users on the same physical host machine to read your private data in memory. For example, someone could rent a VM on your host for a short amount of time and dump the memory from other VMs on the same machine. For single-user machines like workstations and laptops, code running on your local machine (e.g., apps, browser plugins, and potentially even JavaScript running in a page or as part of an ad network) could perform a Meltdown attack on your data, circumventing virtual memory security measures and reading memory.
Meltdown works because of insufficient security in Intel CPUs around a feature called "speculative execution" and memory caching. In speculative execution, the CPU executes instructions you haven't yet requested in case you will request them in the future. Intel chips do not check the security of speculative execution operations until after they execute. If they violate security (or if you don't end up requesting them) the branches are "dead" and aren't used. However, the results of the operation can still be cached by the CPU and various checks can be used to recover the data that was in memory.
Demonstration code exists in the wild, and it is only a matter of time before real malware uses it. There's no fix for the hardware right now, but major software vendors are pushing out (or have pushed out) updates. What you need to do is make sure that your Automatic Updates are working for Windows, Mac, Linux, etc. The downside is that the fixes will make your computer 5-30% slower, depending on what your computer does. Unfortunately, Meltdown cannot be fully fixed without new hardware from Intel (or using a CPU from an unaffected vendor, like AMD), and there may not be a good solution to Spectre.
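One way to confirm on a Linux machine that the updates described above have actually taken effect, as an added example that is not part of the original newsletter. It assumes a kernel that reports per-vulnerability status under /sys/devices/system/cpu/vulnerabilities (the file names meltdown, spectre_v1 and spectre_v2 are the kernel's; the function names are this example's own).

```shell
#!/bin/sh
# Added example, not from the newsletter. Assumes a Linux kernel that reports
# status under this sysfs directory; function names are this example's own.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map one status line, as the kernel writes it, to a coarse verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print "<name> <verdict> <raw status>" for Meltdown and both Spectre entries.
# Returns 0 if every entry is mitigated or not affected, 1 if any entry is
# vulnerable or unreported, 2 if the directory is missing (the kernel is too
# old to report, so treat the machine as not yet updated).
report_vulnerabilities() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no status directory at $dir" >&2
        return 2
    fi
    worst=0
    for f in "$dir"/meltdown "$dir"/spectre_v1 "$dir"/spectre_v2; do
        name=${f##*/}
        if [ -r "$f" ]; then
            status=$(head -n 1 "$f")
        else
            status="(not reported)"
        fi
        verdict=$(classify_status "$status")
        echo "$name $verdict $status"
        case "$verdict" in
            vulnerable|unknown) worst=1 ;;
        esac
    done
    return "$worst"
}

# Run against the live system only when asked: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    report_vulnerabilities
fi
```

A non-zero exit status means at least one entry is unmitigated or the kernel is too old to report, so the pending OS update has not been applied or has not yet been booted into.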
There will certainly be more news on this in the coming days, but we will not send out an additional special alert unless there is a significant change in the situation.
For more information, see: