Meltdown and Spectre vulnerabilities haunting users and Tech Giants worldwide – Now the Giants have addressed the issue.
Recently, we reported on the security flaws that render the inner workings of multiple generations of Intel CPUs vulnerable to exploitation. Now there are new details available about the flaws. They were identified in 2017 by Google’s Project Zero team and researchers from several universities, and they affect the speculative execution feature of all modern Intel CPUs (perhaps all processors developed in the past 20 years).
These flaws are being regarded as a ‘massive problem’ because they allow access to low-level kernel memory, which is home to all the essential core components of an operating system.
Speculative Execution
Speculative execution is a technique used in modern microprocessors to improve their performance. When a processor uses speculative execution, it stops executing instructions strictly one after another and instead predicts which calculations will be needed next, working on them in parallel so that long chains of instructions are processed faster. The security flaws have been identified in the way Intel processors implement speculative execution in hardware.
The issue is that modern processors do not check access permissions correctly during speculation, and information about speculatively executed instructions that are eventually discarded is leaked. This allows user programs to take a peek into protected parts of kernel memory. Kernel memory not only holds the core components of an OS but also mediates their interaction with the system hardware, which is why it is kept isolated from user processes at all times. But, due to the flaws in Intel CPUs, user programs can now get glimpses of everything from stored files to passwords.
Meltdown and Spectre
Graz University of Technology researchers have named the two groups of attack methods Meltdown and Spectre (tracked as CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754). As per their findings, these flaws can be exploited by three attack methods: one is Meltdown, while the other two are collectively referred to as Spectre. Meltdown breaks the isolation between the OS and user applications and lets a program access memory so as to retrieve protected information about other programs and the OS. Spectre breaks the isolation between different applications and lets an attacker trick error-free programs into leaking their secrets.
These attack methods could be used by malicious cyber criminals to access the most deeply embedded inner workings of any computer by exploiting the flaws. For instance, a low-privileged user can gain access to kernel memory simply by running JavaScript code hosted on a website. Or, users of cloud services can access other clients’ operations, since the services share hardware resources. Meltdown and Spectre cannot be fixed entirely, neither at the hardware level nor through a microcode update.
Needless to say, billions of computers, smartphones and cloud instances will be affected by these flaws, as cybercriminals will be sharpening their social engineering skills to exploit the vulnerability. Although no attacks have been reported so far, researchers are of the opinion that exploitation attempts will be hard to detect. As noted by Intel CEO Brian Krzanich:
“We’ve found no instances of anybody actually executing this exploit….it’s very hard—we can’t go out and check every system out there. But when you take a look at the difficulty it is to actually go and execute this exploit—you have to get access to the systems, and then access to the memory and operating system—we’re fairly confident, given the checks we’ve done, that we haven’t been able to identify an exploit yet.”
A hardening technique called kernel page table isolation (KPTI) can help prevent the attacks. The technique is designed solely to improve the security of kernel memory by isolating it from user memory. Yet this affects CPU performance: researchers claim that a performance decline of up to 30% (depending on the model) is expected for affected processors if KPTI is used.
On the other hand, Google has patched the security flaws in its Cloud platform, while some users may need to fix the issue manually.
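Since the kernel-side fix is KPTI and the guest OS still has to be patched regardless of the host, an administrator's first check is whether the running kernel reports the three CVEs as mitigated. The following is an added example (not code from the article, Intel, or any vendor advisory) that reads the Linux sysfs vulnerability files, which kernels since 4.15 expose; the SAMPLE dictionary is constructed so it runs offline on a non-Linux machine.

```python
"""Check Meltdown/Spectre mitigation status via the Linux sysfs interface
(kernels since 4.15 expose /sys/devices/system/cpu/vulnerabilities/<name>)."""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# The three CVEs named in the article and the sysfs file each maps to.
CVE_TO_SYSFS = {
    "CVE-2017-5754": "meltdown",    # Meltdown; "Mitigation: PTI" means KPTI is on
    "CVE-2017-5753": "spectre_v1",  # Spectre variant 1 (bounds check bypass)
    "CVE-2017-5715": "spectre_v2",  # Spectre variant 2 (branch target injection)
}


def classify(status_line):
    """Map one sysfs status line to mitigated / vulnerable / unaffected / unknown."""
    text = status_line.strip()
    if text.startswith("Not affected"):
        return "unaffected"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    if text.startswith("Mitigation:"):
        return "mitigated"
    return "unknown"  # file missing: kernel too old to report, treat as unverified


def assess(status_by_file):
    """status_by_file: sysfs file name -> its contents. Returns CVE -> verdict."""
    return {cve: classify(status_by_file.get(name, ""))
            for cve, name in CVE_TO_SYSFS.items()}


def read_sysfs():
    """Collect the live status lines on a Linux host (empty dict elsewhere)."""
    result = {}
    for name in CVE_TO_SYSFS.values():
        path = os.path.join(SYSFS_DIR, name)
        if os.path.exists(path):
            with open(path) as fh:
                result[name] = fh.read()
    return result


# Constructed sample: KPTI on, Spectre v1 mitigated, Spectre v2 still open.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

if __name__ == "__main__":
    for cve, verdict in assess(read_sysfs() or SAMPLE).items():
        print(f"{cve}: {verdict}")
```

An "unknown" verdict means the kernel predates the sysfs interface and cannot be trusted as patched; a "vulnerable" verdict for CVE-2017-5754 means KPTI is not active on that host.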
“Google Compute Engine used VM Live Migration technology to perform host system and hypervisor updates with no user impact, no forced maintenance windows, and no mass reboots required. However, all guest operating systems and versions must be patched to protect against this new class of attack regardless of where those systems run,” said Google.
Amazon
Amazon said it is aware of the recently disclosed research regarding side-channel analysis of speculative execution on modern computer processors.
“All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications. While the updates AWS performs protect underlying infrastructure, in order to be fully protected against these issues, customers must also patch their instance operating systems. Updates for Amazon Linux have been made available, and instructions for updating existing instances are provided further below along with any other AWS-related guidance relevant to this bulletin,” said Amazon.
Microsoft
Since the flaws affect all Intel processors manufactured in the past decade, it is understandable that the developers of every major platform are now frantically working on patches to fix the fault. Windows 10 has already been patched by Microsoft, and patches for Windows 7 and 8 are in the pipeline.
AMD and Apple
AMD is investigating the issue, while ARM is working on a way to address it. Amazon Elastic Compute Cloud is quite secure. Apple has now confirmed that the Meltdown vulnerabilities will be mitigated in its macOS 10.13.2 and iOS 11.2 updates, while updates for the Spectre attacks affecting Safari on iOS and macOS will be arriving soon.
Moreover, Mozilla, Red Hat, VMware, Cisco, NVIDIA, Rackspace and Digital Ocean have also confirmed the issue and are working on issuing patches.