Spectre and Meltdown: A Suite3 Q & A
Meltdown and Spectre have filled the news in the past few days with lots of information, some of which is highly technical and/or contradictory. Because we've received a lot of questions about these vulnerabilities, it seems to make sense to use a Q & A format to address the issues.
What are Meltdown and Spectre?
They're a pair of recently discovered, related processor vulnerabilities that leverage memory management techniques present in pretty much every modern computer processor. The vulnerabilities allow a would-be attacker to gain access to areas of protected memory that software shouldn't otherwise have access to, possibly exposing sensitive information like passwords and personal data.
How widespread are these vulnerabilities?
Quite! Meltdown is specifically related to Intel CPUs, whereas Spectre is more broad-based, affecting Intel, AMD, ARM, Qualcomm, Motorola, and other modern processor chips. In addition to desktops, laptops, and phones, cloud computing platforms such as Google and AWS (Amazon Web Services) are also running on vulnerable hardware. Because the vulnerability is hard-coded into the chips themselves, the only complete fix would be to replace every modern computing processor made since 1995, which isn't exactly feasible.
What are the fixes and/or workarounds for Meltdown and Spectre?
There are kernel patches available for Linux, and Microsoft has released a bunch of OS updates that should protect systems from this vulnerability. Suite3 is testing those now, to make sure they won't do more harm than good.
Google (Android) and Apple (MacOS and iOS) are also working on similar updates. Also, because these vulnerabilities will affect how many popular antivirus products operate, many AV vendors (including ESET) are issuing code updates that protect the AV software itself from exploitation as well as work with the new operating system patches. More info on this is at the bottom of this article.
Basically, since affected processors contain insecure, vulnerable hardware instructions that might be exploited, the systematic response is fairly straightforward in theory: don't use those vulnerable processor instructions! That's a touch simplistic, though it's accurate enough to illustrate the gist of the problem and its workaround. Unfortunately, because this is a hardware vulnerability, there is no firmware fix for either Meltdown or Spectre.
What should I be doing?
Staying on top of updates and patches is your best defense. This is a great time to take those laptops out of their bags, jack them into an Ethernet port, and turn them on so they can receive their security updates and new AV definitions. Though this might seem counter-intuitive ("…you want me to connect a vulnerable system to the internet NOW?"), it's better that you receive updates now, before there are active exploits in the wild. If you're on board with our automatic patching solution, we'll take care of you as we always do.
Smartphone vendors should be issuing their updates automatically as they become available for your device. Stay on top of updates available for personal equipment. If you use antivirus software other than ESET, consult with your vendor to see if you need to take any manual action.
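For readers who manage Linux machines themselves, here is a small added check (our own illustration, not part of any vendor's patch) that reads the per-issue status files that patched kernels (4.15 and later) expose under /sys/devices/system/cpu/vulnerabilities/, so you can confirm the Meltdown and Spectre mitigations actually took effect after updating. It assumes that sysfs layout; the --sample mode builds a constructed directory for demonstration rather than reading a real machine.

```shell
#!/bin/sh
# Reports whether the running kernel says it is mitigating Meltdown and
# Spectre. Linux 4.15+ exposes one file per issue under
# /sys/devices/system/cpu/vulnerabilities/; each file reads
# "Not affected", "Vulnerable", or "Mitigation: <name>".
VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# Classify one status string: prints "ok" or "vulnerable".
classify_status() {
    case "$1" in
        "Not affected"|"Mitigation:"*) echo ok ;;
        *) echo vulnerable ;;
    esac
}

# Walk the directory; return 0 when every issue is mitigated or not
# applicable, 1 when any file reports "Vulnerable" or is missing
# (a missing file means the kernel predates the patches).
check_mitigations() {
    dir=$1
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        f="$dir/$issue"
        if [ ! -r "$f" ]; then
            echo "$issue: no status file (kernel not patched or older than 4.15)"
            rc=1
            continue
        fi
        status=$(cat "$f")
        echo "$issue: $status"
        [ "$(classify_status "$status")" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample (not a real machine): Meltdown and Spectre v1
# mitigated, Spectre v2 still reported as Vulnerable.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

if [ "${1:-}" = "--sample" ]; then
    check_mitigations "$(make_sample)" || echo "At least one issue is unmitigated"
else
    check_mitigations "$VULN_DIR" || echo "At least one issue is unmitigated"
fi
```

Run it with no arguments on a freshly patched machine; a "Vulnerable" line or a missing status file means the update has not taken effect yet (or a reboot is still pending).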
Are there any other side-effects from Meltdown and Spectre of which I should be aware?
Some patches and updates might slow systems down, because they force the computer to do things in software that it usually does with hardware. Early tests indicate that most users won't notice a difference, though some sources out there claim that there might be as much as a 30% performance impact. That seems to be reserved for extreme cases. Server-side applications and databases will probably be impacted more than desktop, laptop, and phone operations.
We'll have to wait and see on this one. This is a figure that will likely get better over time, as developers find more efficient ways to circumvent the vulnerability.
Is there any good news?
Glad you asked! Yes. Most importantly: This is still just a vulnerability; there haven't been any viruses, malware, Trojans, ransomware attacks, or any other exploits reported so far. The vulnerabilities are also fairly difficult to exploit, both from a programmatic and resource perspective, so it might be some time before we actually see effectively compromised systems in the wild.
Also, the industry-wide response to these vulnerabilities has been both excellent and ongoing. Everybody is talking to each other and devoting considerable resources to securing their software and, by extension, your information. Intel, AMD, Google, Microsoft, Apple, AV vendors, and the Linux community are in deep collaboration.
Finally, the best news might be that this is a huge wake-up call for processor manufacturers that they need to more actively participate in global security problems and can't rest on the accomplishments of their legacy code. We've hit the point with desktop, laptop, and phone processors that they're nearly as fast and efficient as we really need them to be, and now we need them to be secure. We expect the marketing for newer processors and hardware in the future to include better overall security packages, as these vulnerabilities will receive considerable attention for quite some time.
But all the news says I should panic!
There's a lot of coverage about this issue, and the media seems to be doing its usual best to spread a degree of FUD (Fear, Uncertainty, and Doubt) about the scope of and solutions to the problem. It's important to keep in mind that some of the best security minds on the planet are devoting enormous energies to solving the problems posed by these vulnerabilities. Here at Suite3, we're no slouches either, and we're devoted to staying on top of any and all developments related to these vulnerabilities.
Why are they called "Meltdown" and "Spectre"?
"Meltdown" was so named because it effectively "melts" security boundaries in memory that are supposed to be enforced by hardware.
"Spectre" gets its name from the nature of the vulnerability itself, a performance-enhancing process called "Speculative Execution", where a processor uses sophisticated algorithms to try to guess which blocks of code will be executed next. Also, because it sounds spooky.
ESET Antivirus's statement on Meltdown and Spectre:
Technical paper on Meltdown:
Technical paper on Spectre:
Google Project Zero technical article on both: