IAS Security Hero

What I'm doing about Meltdown and Spectre

What is having a Meltdown and what does a Spectre have to do with it?

A vulnerability has been found in modern computer processors (after 2009) that allows one program to steal data from another program on the same computer. Programs are supposed to keep their data separate and not be able to talk to one another without permission. Think of it like this: you log into your bank in one browser tab, and then into a social media account in a second. You wouldn't want your banking information to be available to the second tab, which could accidentally post your spending habits. Not only is this a possibility, but think of your banking password itself being shared.

Should I panic about my personal computer?

For this vulnerability to work, someone would first need to run some malicious software on your computer. If you are patching your computer, protecting your passphrases and running anti-malware software, you aren't at much more risk on your personal computer than you were before. It isn't like Heartbleed, where an attacker just needs to send some crafty bits to a web server and receive a list of passwords back.

Spectre and Meltdown can also be exploited through your web browser. If you click on a link to a malicious site, code on that page could exploit these vulnerabilities and dump your computer's memory, including passwords and other information. It would be difficult for the attacker to weed through it all, but it is definitely not good. Make sure to update your browser (it should be doing this automatically at this point) to the latest version when it is available.

Mozilla has released information about the issue and the Firefox browser, and has already shipped a new version of the software with a workaround.

One thing to note: in order to patch your Windows machine, your anti-virus software will need to be tested as working with the patch before the patch is offered to you. Check with your anti-virus vendor to see whether they have tested it, and install the patches when they are made available to you.

I heard this affects my phone and tablet as well!

That's correct. Your phone and tablet are computers, after all. This vulnerability could allow one app on your phone to steal data from another. Again, a malicious person would first have to infect your mobile device with something that exploits the vulnerability. If you are updating your phone regularly, updating your apps, downloading only approved apps and doing all the other normal things to protect your mobile device, you should be fine. If you regularly download apps from outside the app store, you might be putting yourself at risk.

What about that stuff in the cloud, should I panic?

OK, this is where things get more interesting. The cloud is just a bunch of computers that some company runs for you. They take their really big, beefy physical computers and split them into smaller virtual computers. One physical computer could be running tens or hundreds of smaller virtual computers, and those virtual computers could then be rented or sold to other companies. So, if one company's virtual computer is broken into and a Meltdown or Spectre vulnerability is exploited, it could allow that virtual computer to read data from a different company's virtual computer, because they both "exist" on the same physical computer.

So your bank, your social media, your shopping, etc., could feasibly exist somewhere on the same physical computer. Most large companies that run these types of environments (think Amazon, Google, IBM, Microsoft) have already patched their systems so that they aren't vulnerable. Some of the smaller Virtual Service Providers (VSPs) will still need to patch to keep this vulnerability from being exploited.

The biggest thing to take from this question is that unless you are running a virtual environment for multiple customers, there really isn't anything you can do but wait. Check to see whether the services you use are patched. There are a good number of official statements from various companies on the website dedicated to this issue.

How does this thing work?

A number of years ago some really smart people took a look at computer utilization and determined that the majority of the time, computers are sitting and waiting for something to do. Processor manufacturers have been stuffing more and more cores, coprocessors and other things into chips, and software designers are having trouble utilizing it all. My mobile phone has more processing power than my 5-year-old desktop computer at this point.

What these folks found is that they could have the processor guess at what is likely to be asked for next and prefetch it. I often think of the character Radar from the old TV show M.A.S.H. He was always able to anticipate what Colonel Potter needed before the Colonel knew himself. The speed increase and efficiency gain is great.

This technique is called Speculative Execution, and it is what Spectre is named after. Meltdown is a similar vulnerability that also exploits Speculative Execution.

Can't we just turn Speculative Execution off?

Sure, and some vendors are suggesting that . . . at a 30% efficiency cost. Speculative Execution isn't that new, and many platforms rely on it for speed. Just turning it off may not be a viable solution for some applications. There are many software patches available that do mitigate the issue.
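Whether those patches are actually in effect on a given machine is something you can check rather than guess. On Linux, kernels from 4.15 onward report their own view of each speculative-execution issue as one file under /sys/devices/system/cpu/vulnerabilities/, each reading "Not affected", "Mitigation: ..." or "Vulnerable...". The script below is an added example (it is not from the original post) that reads that directory and flags anything still unmitigated; the directory is a parameter so the same function can be tried on a constructed copy of those files. The check_mitigations name and the VULN_DIR variable are my own.

```shell
#!/bin/sh
# Added example (not from the original post): summarize the kernel's own
# Meltdown/Spectre mitigation status on Linux. Kernels 4.15+ expose one file
# per speculative-execution issue they know about under
# /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2,
# and more on newer kernels). The directory is a parameter so the function
# can also be exercised against a constructed copy of those files.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# check_mitigations DIR
# Prints one line per issue. Returns 0 if nothing reads "Vulnerable",
# 1 if at least one issue is still unmitigated, and 2 if DIR is missing,
# which means the kernel predates mitigation reporting and needs updating.
check_mitigations() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates mitigation reporting, update it" >&2
        return 2
    fi
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)     echo "UNMITIGATED  $name: $status"; bad=1 ;;
            Mitigation*)     echo "mitigated    $name: $status" ;;
            "Not affected"*) echo "not affected $name" ;;
            *)               echo "unknown      $name: $status" ;;
        esac
    done
    return $bad
}

# Stand-alone use: report on the running kernel and exit with its status.
check_mitigations "$VULN_DIR"
```

The exit code makes the function usable from a fleet inventory job: anything returning 1 or 2 goes on the patch list. On Windows the equivalent defender-side check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which reports whether the OS and firmware mitigations are present and enabled.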

So, what am I doing about it?

First of all, I'm not panicking. Keeping a cool head and understanding the issue helps avoid costly mistakes when these issues come out.

I'm continuing to install updates on all of my computing devices. If an update is available and verifiable, I install it. It is part of my daily routine and I stick with it. For my virtual environments that I run at work, I evaluate the risk of what is running there and then schedule patching accordingly.

For the virtual servers I run at other providers, I contact the provider and determine whether they are patched or not. I evaluate the risk of the data that I'm storing on those VSPs and see if it is sensitive enough to move while the VSP is patching.

For my data on cloud services (Google, Facebook, banking, etc.), I do the same thing. If the data is sensitive enough that an unlikely attack like this might steal it, maybe I shouldn't be storing it on a cloud service to begin with.

Here's another link to a great blog entry from Security Wonks on this vuln.

And of course, xkcd has a nice comic on it.

Good luck!