Meltdown and Spectre Vulnerabilities

Important But Not Critical Information Disclosure Vulnerabilities

(Created: 1/5/17 Last edited: 1/5/17) [PDF Download of this document]

The Threat:

Researchers have discovered two critical vulnerabilities in modern processors. These vulnerabilities, which primarily affect Intel and ARM processors, are:

Meltdown:
This vulnerability breaks the isolation between user applications and the operating system. Successful exploitation allows a program to read the entire contents of memory.

Spectre:
This vulnerability breaks the isolation between user applications. As a result, one application can read memory blocks allocated to other applications. A successful exploitation of this

Note: Meltdown and Spectre are the names of the exploitation methods, not of the vulnerabilities themselves, but for simplicity we use them as the names of the vulnerabilities. For more technical details, see https://meltdownattack.com/

What Is Impacted:

All systems (e.g. laptops, desktops, servers, mobile devices, network devices, embedded systems and IoT devices) that use Intel, AMD or ARM processors.

Why Is This a Big Deal?

Unlike most other vulnerabilities, Meltdown and Spectre are low-level hardware flaws. As a result, the usual application and OS security controls cannot effectively detect an exploitation attempt or protect systems against it. Also, because of the nature of the flaws in the processor architecture, JavaScript code placed on any website can be used to exploit these vulnerabilities. Example JavaScript exploit code is already available on the Internet.

Good News:

Attacks against both are theoretical at this point, but they will occur in the near future, as the researchers will soon release the exploit code to the public. Also, malicious actors can't change anything on your computer or damage your data; they can only READ it.

Bad News:

Meltdown and Spectre are hardware-based vulnerabilities, so apart from purchasing a new, redesigned processor, only workarounds can be put in place to stop the issue. These workarounds may slow down your systems by 5 to 30%, depending on your processor type, operating system and running applications.

Update: Microsoft, Apple and Amazon reported installing the patches will result in little to no significant performance reduction.

Risk Assessment

Because the vulnerabilities mentioned above are information disclosure vulnerabilities, they don't pose the same immediate danger as WannaCry/WanaCrypt0r or Petya/NotPetya. They have more in common with the Heartbleed event of 2014. In terms of the severity of the vulnerabilities themselves: they are important, but not critical. They are information disclosure, not code execution, vulnerabilities. The greatest area of risk is in shared-hosting scenarios. Fortunately, most cloud providers have already deployed security updates and those that haven't are expected to do so shortly. For end-users and those managing networks, the greatest risk these vulnerabilities pose is exploitation by malware seeking to gather information like usernames and passwords from systems. What makes these vulnerabilities most notable from a risk assessment point of view is the breadth of exposure. Since these potentially affect nearly every device with a modern processor, full mitigation and remediation may not be possible. Older systems (like Windows XP) and devices (like older Android smartphones and IoT devices) will likely never receive fixes for these vulnerabilities. (Threat Brief by Chris Budd)

Summary: What You Need To Do

The permanent corrective action to mitigate the risk posed by the vulnerabilities mentioned above is to replace the affected processors. Since that is not feasible in most cases, the next best option to minimize the attack surface is to take the following actions:

  1. Harden Your Web Browsers.
  2. Install Operating Systems Patches.
  3. Update Your NextGen AV Client.
  4. Ensure Your Systems are Protected by a DNS Security Solution.
  5. Block Unknown Software Installation.
  6. Install firmware updates provided by OEM device manufacturers.
  7. Update Commonly-Used Business Applications.
  8. Ensure your cloud providers patch their systems.

Important Note:  It is highly recommended that you test any patch or solution mentioned in this document in a non-production environment first before a wider deployment.

What You Need To Do

1) HARDEN YOUR WEB BROWSERS

This is a crucial step in minimizing the attack surface; complete it as soon as possible. Make sure you upgrade all browsers on the systems, since users may use more than one browser. For Safari, Firefox and Microsoft browsers, simply install the available patches. For Chrome, no patch is available yet; apply the workaround.

Patch Availability

  • Edge and IE 11: Install Windows Updates.
  • Firefox: Patched in version 57.0.4.
  • Chrome: Will be patched in Chrome 64 (release date 1/23). A workaround is available.
  • Safari: Patch is NOT available yet.

What To Do

  • Disable JavaScript.
  • Enable an ad-blocker.
  • OR upgrade to the latest version if it is patched.

For Chrome Browser (Windows and mobile only):

  • Open a new browser tab.
  • In the address bar, type: chrome://flags/#enable-site-per-process
  • Enable the "Strict site isolation" feature.
  • Close and re-open the browser.

Note: Enabling this feature can significantly impact browser performance. Test before rolling out the change.


2) INSTALL OPERATING SYSTEM PATCHES

Operating systems are the most commonly used software and will be the first target for malicious actors developing exploits. Patches are available now for all major operating systems. DO NOT forget mobile devices and home computers.

OS Patch Availability

Phones

  • Google Android phones: Patch is available. Install updates.
  • Other Android phones: Check with the vendor.
  • Apple iDevices: Install iOS 11.2.

What To Do: For Mobile Devices: Install the latest updates on the phone. Patches are available for Apple devices, Google Android devices and some, but not all, other Android devices.

What To Do: For Windows Clients and Servers

  • Confirm your antivirus is compatible with the Microsoft patches.
  • Install the required registry key (if not done by your AV solution).
  • Install the patches.
  • Additional steps are required for Hyper-V and Remote Desktop Services hosts.

Notes:

Microsoft released a patch for Windows 7, 8 and 10 and for Windows Server 2008 R2, 2012 R2 and 2016. This patch will not be installed automatically on Windows systems, because it can potentially crash them if the installed AV solution is not compatible. After you confirm your AV solution is compatible with the patch, you need to manually install a registry key that allows the patch to be installed. Some AV solutions install the registry key for you automatically. To confirm whether your AV solution is supported and whether it installs the registry key for you, see the compatibility spreadsheet linked below.

If your AV solution is compatible with the patch but does not install the registry key for you automatically, install the registry key following the instructions below.

Registry Key:

Key=        "HKEY_LOCAL_MACHINE"
Subkey=     "SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name= "cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type=       "REG_DWORD"
Data=       "0x00000000"

Check Your Antivirus Compatibility With Microsoft Patch: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0
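As an added example (not part of the original advisory), the following PowerShell script first reports whether the QualityCompat value above is already present, and creates it only when run with a confirmation switch; the -AvConfirmedCompatible switch is this script's own parameter, not a Microsoft setting.

```powershell
# Added example: check for, and optionally create, the QualityCompat registry value
# that the Microsoft patch requires before Windows Update will offer it.
# Run from an elevated PowerShell prompt. Pass -AvConfirmedCompatible only after
# checking your AV vendor's status in the compatibility spreadsheet; the switch is
# this script's own safety gate, not a Microsoft-defined flag.
param(
    [switch]$AvConfirmedCompatible
)

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

# Step 1: read-only check, so the script is safe to run on any host.
if (Test-Path $keyPath) {
    $existing = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $existing) {
        Write-Output "QualityCompat value already present: $valueName = $($existing.$valueName)"
        return
    }
}
Write-Output "QualityCompat value is not present; Windows Update will withhold the patch."

# Step 2: refuse to write unless the operator has confirmed AV compatibility.
if (-not $AvConfirmedCompatible) {
    Write-Output "Re-run with -AvConfirmedCompatible after confirming your AV solution is supported."
    return
}

# Step 3: create the key (if missing) and the REG_DWORD value with data 0,
# exactly as documented in the registry key above.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
Write-Output "Created $valueName (REG_DWORD = 0). Run Windows Update to install the patch."
```

Running the script without the switch is a harmless inventory check that can be rolled out to a fleet before any change is made.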

3) UPDATE YOUR NEXTGEN AV CLIENT

Traditional AV solutions will NOT be effective at detecting exploits for these specific vulnerabilities until a hash of a known exploit becomes available. Ensure you have a NextGen Antivirus (AV) solution in place and the latest version of the client software installed on all machines.

4) ENSURE YOUR SYSTEMS ARE PROTECTED BY A DNS SECURITY SOLUTION.

DNS security solutions such as OpenDNS/Cisco Umbrella, Webroot or WebTitan can be used as another layer of protection to minimize the attack surface. As mentioned before, the recently discovered vulnerabilities can be exploited simply by placing malicious code on a website, so protecting users by filtering malicious URLs can significantly reduce your attack surface. DNS security solutions are easy to implement and can be deployed in days.

5) BLOCK INSTALLATION OF UNKNOWN SOFTWARE

In environments with relaxed security, users have local administrator rights on their computers and can install any application. It is crucial to prevent users from installing unauthorized apps, even as a temporary measure until all systems and applications are fully patched.

There are application whitelisting solutions, as well as alternative workarounds, that can be put in place to temporarily or permanently block users from installing unauthorized apps. Check with your IT vendor for more information on such solutions.

6) INSTALL FIRMWARE UPDATES PROVIDED BY OEM DEVICE MANUFACTURERS.

7) UPDATE COMMONLY-USED BUSINESS APPS

Hardware and software vendors will release firmware updates and patches for their products in the coming days and weeks. Install them as they become available.

Patch Availability

8) ENSURE YOUR CLOUD PROVIDERS PATCH THEIR SYSTEMS.

Users of shared-hosting (i.e. cloud) services should check with their service provider to confirm they have applied security updates to address these vulnerabilities.
