Spectre/Meltdown Security Update
The new year has hardly begun and the world has already had a wake-up call from two newly discovered security vulnerabilities, called Meltdown and Spectre. We give hands-on advice to prevent your organisation from becoming a victim.
Hardware vulnerabilities in Intel, ARM and AMD processors
The vulnerabilities concern a number of hardware bugs in processors from Intel, ARM and possibly AMD, so their scope reaches from desktop computers to servers and from tablets to smartphones (or anything else that uses one of the affected processors).
Normally, one of the core functions of a processor is to shield off specific areas of the computer’s memory. The reason for this is to ensure that:
- User applications (like Firefox, MS Word, KeePass etc.) cannot access each other’s RAM. This is necessary to prevent, for example, Firefox from accessing your KeePass passwords;
- Those user applications are unable to reach the RAM used by the operating system (OS) (Linux, macOS, Windows, etc.). This restriction is needed to ensure that the OS controls the applications instead of the applications controlling the OS.
How are you affected by Spectre/Meltdown?
Meltdown and Spectre allow applications to bypass the above-mentioned restrictions. Two typical attack scenarios are:
- You’re surfing the internet and accidentally visit a malicious website. This website can now read part of your RAM and could track down sensitive information like passwords, pictures, documents etc.;
- You’re using a virtualisation platform for some type of server (VMware, Hyper-V, but also Amazon AWS or Azure). Because of the Spectre/Meltdown vulnerabilities it cannot be guaranteed that the different virtual machines are limited to their own RAM. Another client’s machine could, for example, read the RAM of your server (or of any other server on the same hypervisor).
How to mitigate the risks?
- Update your operating system whenever patches are available; Windows and Linux have already released updates (KB4056892 for Windows and version 4.14.11 for Linux).
- Keep an eye on information coming from cloud services. Both AWS and Azure are working on updates.
A few things to keep in mind:
- Take downtime into account. In the upcoming period cloud providers will patch their systems, and this could happen during the daytime.
- This is a hardware bug, which makes a software-based patch rather complex. Operating systems need to implement a specific workaround to either stop or bypass some of the processor optimisations that cause these vulnerabilities. Applying the updates can make your system run slower, because the processor is no longer fully optimised.
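As a hands-on companion to the "update your operating system" advice above, here is a small POSIX shell script (an added example, not part of the original advisory or of ITsec's tooling) that checks a Linux host in two ways: whether the running kernel is at or above the 4.14.11 version named above, and whether the kernel itself reports a mitigation in the sysfs files /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2}, which patched kernels expose. The version comparison is only a first indication, since distributions often backport the fix into kernels with a lower version number, so the sysfs status is the check to trust when it is available. The Windows side (KB4056892) is not covered here.

```shell
#!/bin/sh
# Added example (not from the original advisory): report whether a Linux host
# has the kernel version named in the advisory and whether the kernel reports
# Meltdown/Spectre mitigations in sysfs. POSIX sh only, no external tools
# beyond awk, cat and uname.

# version_at_least HAVE WANT: returns 0 when dotted version HAVE >= WANT.
# Distribution suffixes such as "-generic" or "+" are stripped first.
version_at_least() {
    have=${1%%[-+]*}
    want=$2
    i=1
    while [ "$i" -le 3 ]; do
        # "$n + 0" turns a missing field (e.g. "5.0" has no third part) into 0
        h=$(printf '%s\n' "$have" | awk -F. -v n="$i" '{ print $n + 0 }')
        w=$(printf '%s\n' "$want" | awk -F. -v n="$i" '{ print $n + 0 }')
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# mitigation_status LINE: interpret one sysfs vulnerability line, e.g.
# "Mitigation: PTI", "Not affected" or "Vulnerable". Prints PASS/FAIL and
# returns 0 only when the kernel reports the issue as handled.
mitigation_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo "PASS: $1"; return 0 ;;
        "Vulnerable"*)                   echo "FAIL: $1"; return 1 ;;
        *) echo "FAIL: unknown or empty status '$1'"; return 1 ;;
    esac
}

# check_host: run both checks against the live machine. Returns 0 only when
# every sysfs file is present and reports a mitigation.
check_host() {
    rc=0
    kernel=$(uname -r)
    if version_at_least "$kernel" "4.14.11"; then
        echo "PASS: kernel $kernel is at or above 4.14.11"
    else
        echo "WARN: kernel $kernel is below 4.14.11 (a distro backport may still contain the fix; trust the sysfs status below)"
    fi
    for f in /sys/devices/system/cpu/vulnerabilities/meltdown \
             /sys/devices/system/cpu/vulnerabilities/spectre_v1 \
             /sys/devices/system/cpu/vulnerabilities/spectre_v2; do
        if [ -r "$f" ]; then
            mitigation_status "$(cat "$f")" || rc=1
        else
            echo "FAIL: $f not present; this kernel does not report its mitigation state"
            rc=1
        fi
    done
    return "$rc"
}

# Only touch the live host when explicitly asked, e.g.: sh check_kernel.sh --live
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run it with `--live` on each Linux server or workstation you manage and treat any FAIL line as a system that still needs the update; a WARN on the version check alone is not conclusive on distribution kernels.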
ITsec can check whether your systems have received the relevant updates. Of course, we are ready to assist you in turning the risks into opportunities!
We advise sharing this information with everybody in your organisation who is responsible for information security. If you have any questions regarding this subject, please don’t hesitate to contact us at firstname.lastname@example.org.