By Jason Ackley

2018-01-18

Industry

Meltdown and Spectre are variations on a security weakness that affects nearly every computer chip manufactured within the last two decades. The defects are so basic and widespread that researchers are calling them catastrophic.

Well, it didn’t take long for 2018 to have its first IT panic of the year. By now you have probably heard about it.

Meltdown and Spectre – the one-two punch security vulnerabilities that have shaken the industry due to their widespread impact. So severe and pervasive, they even have their own website to help explain the critical vulnerabilities in modern processors.

In a nutshell, the Meltdown and Spectre attacks allow for information leakage via a method known generically as a side-channel attack. Here’s an excellent reference article by the Google Project Zero team that discovered the issue (including some discovered, yet-to-be-documented issues). Skip this if a deep technical dive is not your thing.

It’s important to understand that while Meltdown and Spectre represent specific attacks, they also represent a newer class/style of attack that is emerging in the computer security arena. We are bound to see more similar attacks as researchers continue to poke and prod in these areas.

What is Vulnerable?

For the most part, the easy answer is – assume everything. No joke. That is how serious it is. The defects are caused not by broken software, bad JavaScript, or malware, but by underlying flaws in the architecture and of the Central Processor Units (CPUs) that have been built into just about any computing device over the past twenty years. This includes everything from desktops, laptops, and servers to smartphones and embedded device CPUs.

Are Meltdown and Spectre the same?

No. Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. As a result, applications can access system memory.

On the other hand, Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion, download the abstracts [Meltdown andSpectre]. Additionally, you can find more detailed information from these industry leaders:

How can this be?

It isn’t a government conspiracy (or at least we don’t think so ... ha!), rather it is merely fundamental flaws that the entire industry, and a host of companies, made when designing performance-enhancing features for their respective chips. This feature is called ‘speculative execution’ and provided boosts in the performance of the CPU by ‘guessing’ what CPU instructions were going to be executed next, and then running them ahead of time.

In the race to be the fastest (often the main focus in the CPU market), there were several ‘bad decisions’ that were made in some of the features that produced the performance boosts. This is what fundamentally allowed the Spectre/Meltdown class of attacks to emerge.

Please note that I am not a CPU architect – in fact, I do not fault or blame any of the folks that made these decisions. Most everyone has been under difficult product release life cycles before – and this caught the entire industry and many, many companies off guard. There was not a single rogue element that would have been able to implement this across all of the companies that are impacted.

How dangerous is this really?

Depending on your ‘geek factor’, you may love the detailed reviews of the defects, or your eyes may glaze over. At the end of the day, the questions remain: How dangerous is this? How weaponized is this thing? How likely am I to encounter this in my normal computing?

The attacks so far have been considered ‘proof of concept’ attacks. But very successful.

At the same time, the ‘bad guys’ know that the best targets to attack are often the humans in the equation. And you are more likely to continue to encounter malware and ransomware due to the popularity and higher success rate of these social engineering attacks.

The danger of Spectre/Meltdown cannot be glossed over. It will impact the entire industry for many years to come as the old CPUs are cycled out and we learn to deal with the ‘new normal’ of the performance impact of the fixes.

These attacks will most likely be added to existing malware that is out there. But generally there are more successful methods that will remain the primary method of data theft.

What is the fix?

Since the Meltdown/Spectre vulnerabilities are in the underlying hardware (the CPU), there is not much that allows you to ‘fix’ this directly in current systems. You cannot install a patch on the CPU (well, perhaps some things you can, but these defects are located in areas that cannot be patched).

Thus far, the fix has been to implement protection mechanisms within the operating system that run on the computers. This is quite a bit of patching as you can imagine, and people have been working on this since last year when these defects began to emerge in the security research areas.

What does the fix cost?

Generally, there should be no direct financial cost associated with these fixes since these are industry-wide problems that are taking place.

If you have auto-updates enabled — you are most likely already up to date from your operating system vendor.

One of the challenges of this particular issue is fixing something so ‘deep’ within the computer; and there is overhead to this method. What your computer used to do with ease may require a bit more work due to the implementation overhead of these fixes.

Depending on the specific workload on your computer, you may or may not notice this increased overhead. This mainly has to do with the internals of the applications that are running on the computer as the fix impacts different system calls and functions at different rates.

If your system was previously overpowered and you generally had spare CPU cycles, you may not notice any difference. If you have a system that is older, or otherwise already near the performance envelope for the underlying hardware, you may notice more of a negative impact due to the increased overhead of these protections.

There are also many reports that are indicating the fixes can cause instability in a system that was previously stable. Check out ZDNet’s most recent article warning of problems some companies have when applying fix patches.

What can you do about this right now?

Hopefully by now you are already patched.

Most operating system vendors have been rolling out patches since early January when news of the issues began to emerge. The best thing is to check your specific OS versions, and then determine if they have rebooted to be running the patched versions.

Since the fix takes place in the software of your operating system, this would typically be from the dominant operating systems deployed – Microsoft, Linux, or Mac OS. Here’s some more detailed security OS info:

For other OS distributions, your vendor will be the best point of contact. Note that if you are running an outdated or otherwise unsupported operating system you may not see a patch! Remember to follow best practices and stay current in your software deployments.

What is the permanent fix?

Given that the current round of fixes is implemented in the software that runs on the respective CPUs, the permanent fixes are intended to repair the CPU architectures that are flawed.

While the chip companies have stated that they will have protection mechanisms built in to future products, these products will not come out quickly and it will be quite some time before we see hardware that is fully protected. Moreover, given the emerging area of computer security research on hardware side-channel attacks, we may not see the last of this style.

Additional Links and Resources

What is Codero doing?

The processor optimizations that are used in these vulnerabilities are a core design feature of most CPUs, meaning that most servers are vulnerable until specifically patched. There is no single fix for all three security vulnerabilities. Patches to protect against Meltdown and Spectre are being released from operating system vendors. Like most hosting providers, we are working with CPU vendors as patches become available to remediate these attacks.

Conclusion

It is rare that a research result fundamentally alters how computers are built and run. Meltdown and Spectre have done just that. These findings will transform hardware and software design significantly over the next decade (the next CPU hardware cycle) as designers take into account the new reality of the possibilities of data leakage via cache side-channels.

Meanwhile, the Meltdown and Spectre findings (and associated mitigations) will have extensive implications for computer users for many years to come. In the near-term, the performance impact will vary, depending on the workload and associated hardware. This may necessitate operational changes for some infrastructures.

Due to proof-of-concept browser attacks using JavaScript, desktop and laptop users are not immune either. A case can also be made that, as we further understand the complexity of the vulnerabilities, it’s almost certain that security researchers will find new exploits not covered by the current mitigations.

We're here to help
Have a question about our services? Our hosting experts are online.