Meltdown and Spectre Vulnerabilities
Important But Not Critical Information Disclosure Vulnerabilities
(Created: 1/5/17 Last edited: 1/5/17)
Researchers have discovered two critical vulnerabilities in modern processors. These vulnerabilities, which primarily affect Intel and ARM processors, are:
- Meltdown: This vulnerability breaks the isolation between user applications and the operating system. A successful exploitation of this vulnerability allows a program to access the entire memory content.
- Spectre: This vulnerability breaks the isolation between user applications. As a result, one application can access memory blocks allocated to other applications. A successful exploitation of this
Note: Meltdown and Spectre are the names of exploitation methods not the vulnerabilities, but for the sake of simplification, we use them as the names of the vulnerabilities. For more technical details, go to https://meltdownattack.com/
What Is Impacted:
All systems (e.g., laptops, desktops, servers, mobile devices, network devices, embedded systems, and IoT devices) that use Intel, AMD or ARM processors.
Why Is This a Big Deal?
Attacks against both are theoretical at this point, but they will occur in the near future, as the researchers will soon release the exploit to the public. Also, malicious actors can't change anything on your computer or damage your data; they can only READ it.
Meltdown and Spectre are hardware-based vulnerabilities, so outside of purchasing a new, redesigned processor, only workarounds can be put in place to stop the issue. These workarounds may potentially slow down your systems by 5 to 30% depending on your processor type, operating system, and running applications.
Update: Microsoft, Apple and Amazon reported installing the patches will result in little to no significant performance reduction.
Because the vulnerabilities mentioned above are information disclosure vulnerabilities, they don't pose the same immediate danger as WannaCry/WanaCrypt0r or Petya/NotPetya. They have more in common with the Heartbleed event of 2014. In terms of the severity of the vulnerabilities themselves: they are important, but not critical. They are information disclosure, not code execution, vulnerabilities. The greatest area of risk is in shared-hosting scenarios. Fortunately, most cloud providers have already deployed security updates and those that haven't are expected to do so shortly. For end-users and those managing networks, the greatest risk these vulnerabilities pose is exploitation by malware seeking to gather information like usernames and passwords from systems. What makes these vulnerabilities most notable from a risk assessment point of view is the breadth of exposure. Since these potentially affect nearly every device with a modern processor, that means that full mitigation and remediation may not be possible. Older systems (like Windows XP) and devices (like older Android smartphones and IoT devices) will likely never receive fixes for these vulnerabilities. (Threat Brief by Chris Budd)
Summary: What You Need To Do
The permanent corrective action to mitigate the risk posed by the vulnerabilities mentioned above is to replace the impacted processors. As an alternative, given that taking such a corrective action is not feasible in most cases, and as the next best option to minimize the attack surface, it is recommended to take the following actions:
- Harden Your Web Browsers.
- Install Operating Systems Patches.
- Update Your NextGen AV Client.
- Ensure Your Systems are Protected by a DNS Security Solution.
- Block Unknown Software Installation.
- Install firmware updates provided by OEM device manufacturers.
- Update Commonly-Used Business Applications.
- Ensure your cloud providers patch their systems.
Important Note: It is highly recommended that you test any patch or solution mentioned in this document in a non-production environment first before a wider deployment.
What You Need To Do
1) HARDEN YOUR WEB BROWSERS
This is a crucial step in minimizing the attack surface. Complete this step as soon as possible. Make sure you upgrade all browsers on the systems, since users may use more than one browser. For Safari, Firefox and Microsoft browsers, simply install the available patches. For the Chrome browser, no patch is available yet; apply the workaround.
- Edge and IE 11: Install Windows Updates.
- Firefox: Patched in version 57.0.4.
- Chrome: Will be patched in Chrome 64 (release date 1/23). A workaround is available.
- Safari: Patch is NOT available yet.
What To Do
- Enable Ad-blocker.
- OR - Upgrade to the latest version if it’s patched.
For Chrome Browser: (For Windows and mobile only)
- Open a new browser Tab
- In the address bar, type: chrome://flags/#enable-site-per-process
- Enable the Strict site isolation feature
- Close and re-open the browser.
Notes: Enabling this feature can impact the browser performance significantly. Test prior to making changes.
2) INSTALL OPERATING SYSTEM PATCHES
Operating systems are the most commonly used software and will be the first target of malicious actors developing an exploit. Patches are available now for all major operating systems. DO NOT forget about mobile devices and home computers.
OS Patch Availability
- Linux: Patch is available for most Linux distributions.
- iOS: Patch is available in iOS 11.2.
- MacOS: Patch is available in MacOS 10.13.2.
- Windows 10: Patch is available.
- Windows 8: Patch is available.
- Windows 7 SP1: Patch is available.
- Win Server 2016: Patch is available.
- Win Server 2008 R2: Patch is available.
- Win Server 2012 R2: Patch is available.
- Win Server 2008/2012: Patch is not available.
- Win XP and Server 2003: Patch is not available.
- Google Android Phones: Patch is available. Install updates.
- Other Android Phones: Check with the vendor.
- Apple iDevices: Install iOS 11.2.
What To Do: For Mobile Devices: Install the latest updates on the phone. Patches are available for Apple devices, Google Android devices and some but not all other Android devices.
What To Do: For Windows Client and Servers
- Confirm your Antivirus is compatible with Microsoft patches.
- Install required registry key (if not done by your AV solution)
- Install the patches.
- Additional steps are required for Hyper-V and Remote Desktop Services Hosts.
Microsoft released a patch for Windows 7, 8, 10, Windows Server 2008 R2, 2012 R2 and 2016. This patch will not be automatically installed on Windows systems, as it can potentially crash them. After you confirm your AV solution is compatible with the patch, you need to manually install a registry key that allows the patch to be installed. Some AV solutions automatically install the registry key for you. To confirm whether your AV solution is supported and whether it installs the registry key for you, click HERE.
If your AV solution is compatible with the patch but does not automatically install the registry key for you, install the registry key following these instructions:
Key = "HKEY_LOCAL_MACHINE"
Subkey = "SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name = "cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type = "REG_DWORD"
Data = "0x00000000"
Check Your Antivirus Compatibility With Microsoft Patch: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0
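To check for the registry value in a repeatable way, and create it only once AV compatibility has been confirmed, the PowerShell script below is an added example; it is not part of the original advisory or of Microsoft's guidance. It uses the key path and value name given above and assumes it is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original advisory): inspect, and optionally create,
# the QualityCompat registry value that the Windows patch described above requires.
# Without -Apply the script only reports. Run it with -Apply only after confirming
# the installed AV product is compatible (see the spreadsheet linked above).
param([switch]$Apply)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # value name from the advisory

function Get-QualityCompatState {
    # Returns 'Missing', 'Set' (REG_DWORD with data 0), or 'Unexpected' for
    # a value that exists but has a different type or data.
    if (-not (Test-Path -Path $KeyPath)) { return 'Missing' }
    $key = Get-Item -Path $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) { return 'Missing' }
    $kind = $key.GetValueKind($ValueName)
    $data = $key.GetValue($ValueName)
    if ($kind -eq 'DWord' -and $data -eq 0) { return 'Set' }
    return "Unexpected (type=$kind, data=$data)"
}

function Set-QualityCompatValue {
    # Creates the QualityCompat key if needed and writes the REG_DWORD 0x00000000 value.
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value 0 -Force | Out-Null
}

$before = Get-QualityCompatState
Write-Output "QualityCompat value: $before"

if ($before -ne 'Set') {
    if ($Apply) {
        Set-QualityCompatValue
        Write-Output "QualityCompat value after change: $(Get-QualityCompatState)"
    } else {
        Write-Output 'Value not set; Windows Update will hold back the patch. Re-run with -Apply once AV compatibility is confirmed.'
    }
}
```

Run it without arguments on a fleet first to find machines where the AV product has not already written the value, then with -Apply on those that need it.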
3) UPDATE YOUR NEXTGEN AV CLIENT
Traditional AV solutions will NOT be effective at detecting exploits for these specific vulnerabilities until a hash for a known exploit becomes available. Ensure you have a NextGen Antivirus (AV) solution in place, and that you have the latest version of the client software installed on all machines.
4) ENSURE YOUR SYSTEMS ARE PROTECTED BY A DNS SECURITY SOLUTION.
DNS security solutions such as OpenDNS/Cisco Umbrella, Webroot, or WebTitan can be used as another layer of protection to minimize the attack surface. As mentioned before, the recently discovered vulnerabilities can be exploited simply by placing malicious code on a website, so protecting users by filtering malicious URLs can significantly reduce your attack surface. DNS security solutions are easy to implement and can be deployed in days.
5) BLOCK INSTALLATION OF UNKNOWN SOFTWARE
In environments with relaxed security, users have local administrator access rights on their computers and can install any applications on their systems. It is crucial to prevent users from installing unauthorized apps even as a temporary measure until all systems/applications are fully patched.
There are application whitelisting solutions as well as alternative workarounds that can be put in place to temporarily or permanently block users from installing unauthorized apps. Check with your IT vendor for more information on such solutions.
6) INSTALL FIRMWARE UPDATES PROVIDED BY OEM DEVICE MANUFACTURERS.
7) UPDATE COMMONLY-USED BUSINESS APPS
Hardware and software vendors will release firmware updates and patches for their products in the coming days and weeks. Install the patches as they become available.
Patch Availability
- Lenovo: BIOS patch will be available 1/17 - 1/26.
- Dell: Release date not announced.
- HP: Release date not announced.
- NetApp: No action required.
- Fortinet: Is investigating.
- UCS Servers: Patch is not available.
- Network devices: Is investigating.
8) ENSURE YOUR CLOUD PROVIDERS PATCH THEIR SYSTEMS.
Users of shared-hosting (i.e. cloud) services should check with their service provider to confirm they’ve applied security updates to address these vulnerabilities.
Tools / Links
Here is a list of various useful tools and links to them:
Name / Link: Description
- Intel Detection Tool: Intel tool used to detect the security vulnerabilities.
- Microsoft Update Catalog: Search, find and download updates.
- Microsoft Security Tools
- Microsoft Guidance to Mitigate: Guide to mitigate Spectre and Meltdown vulnerabilities.