Protecting Your Organization’s Computers Against Meltdown and Spectre
Whenever a new cybersecurity vulnerability is publicly revealed, a new version often springs to life based on the original cybersecurity vulnerability.
This is true in the case of the “Meltdown” and “Spectre”, cybersecurity vulnerabilities that were publicly disclosed by researchers at Google Project Zero (GPZ) last January.
Meltdown, also known as Variant 3, is a cybersecurity vulnerability that “melts” the security boundaries typically established by the hardware, affecting desktops, laptops and cloud computers. Spectre, collective term for Variant 1 and Variant 2, is a cybersecurity vulnerability that allows a cyberattacker to force a CPU to reveal its data.
Modern-day CPUs such as Intel, AMD, and ARM are vulnerable to varying degrees to the cybersecurity vulnerabilities of both Meltdown and Spectre.
Ecosystem partners of many of the CPU makers, including Microsoft, have issued security updates solving the security vulnerabilities of the original Meltdown and Spectre.
New Versions of Meltdown and Spectre
Last May 21, Google Project Zeroand Microsoft’s Security Response Center (MSRC)researchers publicly disclosed two new security vulnerabilities that are related to the original Meltdown and Spectre. Both these two new security vulnerabilities allow an attacker to obtain access to sensitive information on affected computers.
One of the new security vulnerabilities that’s related to the original Meltdown and Spectre is officially assigned by the name CVE-2018-3640. It’s also known by other names such as Variant 3a and Rogue System Register Read (RSRE). In Variant 3a, an attacker with local access may speculatively read system parameters via side-channel analysis and obtain sensitive information.
The other new security vulnerability that’s related to the original Meltdown and Spectre is officially assigned by the name CVE-2018-3639. It’s also called Variant 4 and Speculative Store Bypass (SSB). Variant 4 allows an attacker to read older memory values in a CPU’s stack or other memory locations.
Leading provider of open source solutions Red Hat uses an everyday coffee shop analogy to explain Variant 4 or Speculative Store Bypass.
Let’s say a group of coworker friends agreed among themselves to take turn in ordering coffee at a local coffee shop on the way to work. Whoever is assigned for the day orders coffee based on the group’s never-ending group text message chat thread where group members express their specific choice of caffeinated beverage.
Group members have the choice to change their order via the chat thread but this is rarely done. As this chat thread is rarely updated, the person assigned for the day typically orders based on the usual list.
Suppose an indecisive member changes his order in the chat thread and the person making an order already placed an order to his favorite barista. Even if the person making the order tells the barista to change the order, and the barista throws away the coffee mug with the name of the particular coworker, such personally identifiable information is still visible to anyone watching.
Variant 4 or Speculative Store Bypass, works in the same way as it allows an attacker to read older information even though this information has been updated.
CPU Makers’ Reactions to New Versions of Meltdown and Spectre
According to Intel, it has released beta security updates to operating system vendors, equipment manufacturers and other ecosystem partners that address the issue of Speculative Store Bypass Disable (SSBD) and Rogue System Register Read (RSRR).
“Variant 3a is mitigated in the same processor microcode updates as Variant 4, and Intel has released these updates in beta form to OEM system manufacturers and system software vendors,” Intel said in a statement. “They are being readied for production release, and will be delivered to consumers and IT Professionals in the coming weeks.”
CPU maker AMDrecommends checking with your operating system provider for specific guidance regarding Speculative Store Bypass Disable (SSBD).
“Microsoft is completing final testing and validation of AMD-specific updates for Windows client and server operating systems, which are expected to be released through their standard update process,” AMD said in a statement. “Similarly, Linux distributors are developing operating system updates for SSB.”
CPU maker ARM, meanwhile, said that not all ARM CPUs are affected. For devices using Linux operating system, ARM said that in general, software mitigations for Variant 3a aren’t necessary, while mitigation for Variant 4 is based on “disabling a hardware feature (memory disambiguation) at boot via an implementation-defined control register.”
For devices using non-Linux operating system, ARM said mitigation for Variant 4 varies by processor micro-architecture and that “Memory disambiguation should be disabled at boot by setting the relevant control register bit”.
General Cybersecurity Best Practices Against Meltdown and Spectre
Here are some general cybersecurity best practices against Meltdown and Spectre:
- Only deploy the latest microcode and software updates for Variants 1, 2 and 3. According to Intel, the security updates deployed by leading web browser providers for Variant 1 that substantially increase the difficulty of Spectre exploitation in a web browser also mitigate the effects of Variant 4.
It’s also important to deploy only the latest security updates for added security. According to the United States Computer Emergency Readiness Team (US-CERT), previous security updates issued last January and February by Microsoft for Meltdown and Spectre for Windows 7 64-bit or Windows Server 2008 R2 64-bit operating systems on Intel processors “contain a vulnerability that could allow users and apps to read and write kernel memory, thereby gaining full control over a system”.
- Deploy microcode and software updates provided by manufacturers of servers, operating systems and motherboard providers. For Windows operating system users, this updated microcode comes in the form of Windows update.
- Keep all software up-to-date.
- Avoid suspicious links or downloads.
- The National Cybersecurity and Communications Integration Center ( NCCIC) recommends testing security updates for Meltdown and Spectre before implementation as performance impacts may vary, depending on use cases. Performance should be monitored for critical applications and services and any problems should be reported to the concerned vendor or service provider to mitigate the effect.
When you need help with keeping your servers up to date, we are a phone call away. Call today 416-920-3000and simplify your IT.