Ready for a sensational, shameless grab for attention?
Every computer, phone, and tablet made in the last two decades has a hardware vulnerability that allows would-be bad guys to steal information.
This flaw being in the hardware of all major CPU manufacturers makes remediation more difficult for everyone. So much so in fact that the United States Computer Emergency Readiness Team’s (US-CERT) initial solution was to replace CPU hardware. They’ve walked that back now, and indeed it does seem like this hardware problem can be solved using software.
It’s true. Spectre and Meltdown take advantage of a fundamental piece of high-performance computing known as Speculative Execution, which allows computers to do some tasks ahead of time to speed up processing. The Red Hat blog has a great explanation. Imagine you go to the same restaurant every day at the same time and order the same thing. Eventually the chef catches on and starts to prepare your meal before you arrive so that it’s ready as soon as you sit down. Fast and efficient. But what happens to that meal if you change your mind and order something different? It gets tossed out. The same thing happens in computing and, unfortunately for literally everyone, the place that data gets tossed isn’t secure. This allows bad guys to sniff kernel memory. You don’t get any greater access than that.
Now for Some Good News
Bad guys must already have access to your computer through some other means. Meltdown and Spectre are not vulnerabilities that facilitate unauthorized access.
Furthermore, these two exploits only allow information gathering. They can’t modify or delete your data, or add any data such as a infecting your system with a crypto-virus.
One last bit of good news; as mentioned above, the vulnerabilities can be fixed with software and many of the major players already have patches in place or are working around the clock to get patches out. Microsoft even issued a rare out-of-cycle patch, not wanting to wait for the normal second Tuesday of the month to release their fix.
Now for Some Bad News
The fix is going to slow things down. Some have speculated that fixing Speculative Execution will rob it of its performance benefits, slowing down processors by as much as 30%. However, in real-world testing on standard office tasks on desktop computers the numbers are far lower.
This exploit hits cloud providers the hardest. Because the attack is CPU-based, it’s able to bypass the normal constraints of virtualized computing. If a bad guy were to gain a foothold on a server belonging to a cloud provider, he could spy on all the software running on that server. Google, Amazon, and others are taking this very seriously.
What You Should Do
Update your phones, tablets, computers, and basically anything with a CPU as soon as an update becomes available.
If you’re a managed client of CharSec, your servers and workstations are probably already patched by the time you read this. If you have further questions or concerns, feel free to give us a call.
As always, this is the kind of stuff we’re here for.