Bottom Line:
Researchers recently discovered two design flaws in nearly all CPUs manufactured by Intel, AMD, and ARM since 1995 that bypass system protections and potentially allow attackers to steal sensitive information from the memory of running applications. Sensitive data such as passwords, browser cookies, emails, photos, documents, etc. contained in devices (PCs, servers, iPhones, iPads) that use those CPUs are all potentially at risk.
While software security patches are being deployed by vendors such as Microsoft & Apple, users and administrators are also required to install firmware updates to hardware. System performance may also be impacted by these updates.
What it is:
Meltdown eliminates the security boundaries separating the CPU's memory from user processes / applications, allowing a hacker to access the info in memory, whereas Spectre can force apps to leak info.
As an example of these exploits, an unauthorized user on an affected PC could run code on a web page that accesses the protected memory.
It's important to understand that Meltdown and Spectre represent hardware-level flaws. While vulnerabilities in software are frequently patched, the exploits found in these hardware CPU designs will require fundamental, architectural changes going forward. Although vendors can deploy configuration changes, patches, and firmware that minimize risk, total risk mitigation may not be possible in the current generation of devices.
What's been done:
Addressing and remedying this high profile situation is complex, with many moving parts. Some software security patches have had to be rolled back. Hardware firmware needs to be concurrently updated. 3rd party antivirus applications are required to be compliant / compatible with patches. PC performance may take a permanent hit to secure the system.
After receiving reports that nine of its Meltdown and Spectre security updates were sending AMD computers into an endless boot loop, Microsoft was forced to scale back its rollout. As regards firmware, Microsoft is instructing users and admins to install firmware updates from device manufacturers.
Apple has reportedly patched the CPU flaws in macOS 10.13.2, addressed Meltdown in iOS 11.2, and most recently deployed 11.2.2 to close the Spectre vulnerability.
What's still to come: Potentially degraded performance
Vendors expect that the released security patches should prevent attackers from exploiting the CPU design flaw, but deploying them prompts concerns that chip performance will be degraded as a result. Microsoft itself has stated that PCs more than 2 years old, running Windows 8 and Windows 7 on 2015-era Intel Haswell or older CPUs, may experience slowdowns following the Spectre patch. (Users on PCs running Windows 10 on 2016-or-later Intel Skylake, Kaby Lake or newer CPUs will likely not observe slowdowns.)
That said, researchers believe the performance impacts are workload-dependent, not necessarily affecting the average computer user. General web browsing and other processes that are not CPU-intensive are less likely to be impacted. However, on any work that accesses lots of small files, a user might see a 50% slowdown in the worst case.
One final detail to note is that Windows PCs running antivirus software that is incompatible with the Meltdown and Spectre patches will no longer receive security updates until antivirus software is certified compatible with the patches.
Microsoft recently stated that users will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets certain registry keys.
Antivirus products from Avast, AVG, Avira, Bitdefender, ESET, F-Secure, Kaspersky, Malwarebytes, Sophos, and Symantec are all currently compatible. Users running McAfee, Trend Micro, and Webroot A/V software are expected to be eligible to receive the updates soon.
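The compatibility gate described above can be checked per host. The PowerShell below is an added example, not part of the original article; the registry key path and value name come from Microsoft's published guidance for the January 2018 updates (KB4072699) rather than from this page, and the function name is hypothetical.

```powershell
# Added example (not from the original article). The key path and value name
# are the ones Microsoft documented for this update gating (KB4072699); the
# article itself does not name them.
$QualityCompatKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$CompatValueName  = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-AvCompatStatus {
    # Get-AvCompatStatus is a hypothetical helper name used for this example.
    param(
        [string]$Path = $QualityCompatKey,
        [string]$Name = $CompatValueName
    )

    $result = [ordered]@{
        Computer = $env:COMPUTERNAME
        Status   = 'Unknown'
        Detail   = ''
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        # No key at all: the antivirus product has not declared compatibility.
        $result.Status = 'KeyMissing'
        $result.Detail = 'QualityCompat key absent; security updates are withheld.'
        return [pscustomobject]$result
    }

    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $Name) {
        $result.Status = 'ValueMissing'
        $result.Detail = 'Key exists but the compatibility value is not set.'
        return [pscustomobject]$result
    }

    # The documented flag is a REG_DWORD with data 0x00000000.
    $kind = $key.GetValueKind($Name)
    $data = $key.GetValue($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord -or $data -ne 0) {
        $result.Status = 'Unexpected'
        $result.Detail = "Value present but type=$kind data=$data (expected DWord 0)."
    } else {
        $result.Status = 'Compatible'
        $result.Detail = 'Antivirus has declared compatibility; updates are offered.'
    }
    return [pscustomobject]$result
}

Get-AvCompatStatus | Format-List
```

Any status other than `Compatible` identifies a host that is being silently excluded from security updates and whose antivirus product needs attention first.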
PCI Compliance Applicability
With regard to our clients and all organizations needing to adhere to PCI compliance requirements, as patches have been deployed by Microsoft and Apple, along with firmware / BIOS updates released by your PC / CPU / motherboard vendor, it is important to conduct a risk assessment given these significant security vulnerabilities.
Per PCI DSS Section 6 requirements, reactive vulnerability remediation processes — whereby organizations wait for communication and action plans from affected vendors — are no longer sufficient. The council now requires that organizations proactively identify vulnerabilities and plan out remediation efforts based on ALL available information, including third party news, industry groups, mailing lists, etc.
PCI compliant organizations should have these steps in place to address the Meltdown and Spectre flaws:
- Vulnerability Identification: Scoping out the flaw, learning and understanding all you can from third-party sources that may not currently be known or resolved by the vendor.
- Risk Ranking: Assessing the likelihood of an attacker exploiting the vulnerabilities exposed by the flaw, as well as the flaw's potential impact on your organization.
- Risk Remediation: Documented plans and processes to remediate the risks brought forth by the flaws.
Lastly, stay alert to any updates or revisions to patches already issued by your software and hardware vendors. As frenetic as the cybersecurity environment is normally, Meltdown and Spectre presented deeper, fundamental architectural issues, resulting in fluid remediation methods and ultimate outcomes.
Update: As of Jan 22, 2018
Intel just deployed fixes to its industry partners for Broadwell and Haswell platform systems, and it will make a final release available to the public once this testing has been completed. Because another update patch is pending, Intel has informed its OEMs, cloud service providers, system manufacturers, software vendors and end users to stop deployment of current versions of the fix.
Bottom line: Stay informed of daily computing news, and if you haven't already updated your operating system and applied any updates from your computer maker, then do nothing until the new patch is released.
About the Author
Eric Haruki is a technology analyst with over 15 years of experience advising global category leaders such as Samsung, Panasonic, HP, & Cisco on product and brand strategy, market competitiveness, and in areas of untapped product and distribution opportunity. He has produced both syndicated and project work, delivering forecasts, SWOT analyses, road maps, and panel survey insights to research customers around the globe. Eric has contributed to major print and television press outlets and has been a featured presenter at industry conferences. He is driven to find insights through extensive market research and deliver concise and actionable solutions to vendors, leading ultimately to the development of valued downstream goods and services to end users.